Understanding DirectAccess and external load balancer
Hi,
I'm trying to understand the concept of DIPs with an external load balancer. We're trying to create a DirectAccess cluster with two DA servers in edge configuration. I'm at the wizard step for creating the load balancer and choose external. Then it asks me to enter the DIPs. But why is that? Should it not be sufficient with the current IP address, since they are configured in the external LB? Or do I need to add a secondary IP address, enter that in the wizard, and enter them as the VIPs in the external LB? The same goes for the internal one.
Does that mean that I could choose any IP address in the private range, despite having an edge configuration with one public IP address and one internal address? Or do I need to allocate another public IP address?
Edit:
http://blogs.technet.com/b/mspfe/archive/2013/01/24/how-to-configure-directaccess-in-windows-server-2012-to-work-with-an-external-hardware-load-balancer.aspx
When following the guide, I use the current IP address of the first node's external NIC and get a warning that I can't use that IP. Should I use the VIP that we have for the load balancer?
Similar Messages
-
UAG External Load Balancing and ISATAP
Hi Experts,
I am deploying a UAG Array to be used for DirectAccess. The Array will consist of two servers and use an F5 External Load Balancer. In addition, and in similarity to 90% of the other corporate intranets out there, the internal network is IPv4 with no IPv6 transition technologies deployed. The article
http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/17/configuring-an-external-load-balanced-uag-directaccess-array-for-an-ipv4-only-network.aspx
is great but to my mind has no information to support ‘Manage Out’ and throws up a number of questions. (Note that I want to enable ‘Manage Out’ capability and as far as I am aware that is achieved by using ISATAP.)
1) The article describes that you have to generate and configure your own IPv6 address for the internal interface when using an external load balancer. Does anyone know why? Why not let UAG assign the addresses as per the default?
2) UAG by default configures itself as an ISATAP router when there is no IPv6 infrastructure deployed on the internal network to facilitate ‘manage out’. This still applies when using Windows NLB. Why does this no longer apply when using an external load balancer? I.e. why does UAG no longer configure itself as an ISATAP router?
3) In relation to question 2: you therefore need to move your ISATAP router to a different device (http://technet.microsoft.com/en-us/library/ee690463.aspx). In doing so, how do you configure the ISATAP environment to traverse the UAG servers without some sort of load balancing on the internal interfaces? I’m assuming that you can only tell the ISATAP router to use the one default gateway, i.e. either one UAG server or the other. This means that you would have all your outbound internally initiated traffic going via one server only – not very good for performance or fault tolerance.
4) In relation to question 3: I thought therefore that NLB could be used on the internal interface to solve the above problem, except that I have read that you can’t mix and match external load balancing and NLB even though they are on separate networks due to bidirectional affinity. What does this actually mean and why does this not occur when load balancing is mixed in this manner?
Therefore when you wish to use external load balancers, do you:
A) Accept the fact that you can’t use UAG as an ISATAP router and you do indeed need two devices
and deploy it as described here (http://technet.microsoft.com/en-us/library/ee690463.aspx)
or
B) Accept the fact that you can’t use UAG as an ISATAP router and any internal outbound traffic travels via the one UAG server only.
Apologies for the long post, but I wanted to make sure that I get my thoughts down concisely so that it may help others who come up with the same questions.
Thanks for your time everyone
Gary
I am also facing the same issue. I have UAG1 and UAG2, which are in an array, and externally load balanced. I've configured an external ISATAP router according to:
http://www.windowsnetworking.com/articles_tutorials/Configuring-ISATAP-Router-Windows-Server-2008-R2-Part2.html
However, as mentioned by others, the ISATAP router has to have either UAG1 or UAG2 as the next hop for IP-HTTPS traffic. As a result, communication between the DirectAccess client and management devices will only work if the client is tunneling through the same UAG server that the ISATAP router has as the next hop for the IP-HTTPS prefix. From what I can tell, my configuration is supported, but I can't figure out how to have the ISATAP router determine which UAG server a client is tunneling through. I thought about having two separate IP-HTTPS prefixes for each UAG server, but this would get overwritten when activating the DirectAccess configuration. Maybe some type of internal load balancing? -
Enable External Load Balancing error
Hello,
I'm trying to create a DirectAccess farm with 2 external Load balancers (Step 3.1.1 http://technet.microsoft.com/en-us/library/jj134166.aspx)
The first server is configured (behind an edge with 2 NICs) and working, but when trying to enable External Load Balancing I immediately receive this error when applying the settings:
Initializing operations before applying configuration
Backing up GPOs...
Updating cluster settings
Retrieving server GPO details...
Opening the server GPO...
Error: The configuration data for this product is corrupt. Contact your support personnel.
Finishing operations after applying configuration
Information: Attempting to roll back the configuration...
The DirectAccess dashboard shows that all services are fine, the DC is available and no errors are logged in the Event Viewer.
I can't find any explanation about a possible corrupted configuration.
Ok... Found the problem... You can't mix Internet IP and LAN IP to create the VIP...
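As an added example that is not part of any post in this thread, the following Python check encodes the constraint the reply above arrived at, which the opening question also runs into: on each side of an edge DirectAccess cluster (Internet-facing and internal), the VIP published on the external load balancer and the per-server DIPs must come from one subnet, each server needs its own DIP, and no DIP may reuse the VIP. All subnets and addresses are constructed sample values.

```python
"""Sanity-check a DirectAccess external load balancer address plan.

Added example, not taken from any of the posts above. Encodes the rule from
the reply: Internet and LAN addresses may not be mixed when building a VIP,
and on each side (Internet-facing and internal) the VIP and the per-server
DIPs must come from one subnet, with a distinct DIP per server.
All subnets and addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LbSide:
    """One side of an edge DA cluster: 'Internet' or 'Internal'."""
    name: str
    subnet: str            # subnet the NICs on this side sit in
    vip: str               # address published on the external load balancer
    dips: list = field(default_factory=list)  # one dedicated IP per DA server


def check_side(side: LbSide) -> list:
    """Return human-readable problems for one side; empty list means OK."""
    problems = []
    net = ipaddress.ip_network(side.subnet, strict=False)
    vip = ipaddress.ip_address(side.vip)
    if vip not in net:
        problems.append(f"{side.name}: VIP {vip} is not in {net}")
    if len(side.dips) < 2:
        problems.append(f"{side.name}: a cluster needs at least two DIPs, "
                        f"got {len(side.dips)}")
    seen = set()
    for raw in side.dips:
        dip = ipaddress.ip_address(raw)
        if dip not in net:
            # The 'mixing Internet IP and LAN IP' case from the thread.
            problems.append(f"{side.name}: DIP {dip} is not in {net} "
                            f"(Internet and LAN addresses mixed)")
        if dip == vip:
            # The VIP lives on the load balancer; no server may claim it.
            problems.append(f"{side.name}: DIP {dip} reuses the VIP; "
                            f"each server needs its own dedicated address")
        if dip in seen:
            problems.append(f"{side.name}: DIP {dip} assigned to two servers")
        seen.add(dip)
    return problems


def check_edge_cluster(internet: LbSide, internal: LbSide) -> list:
    """Check both sides of a two-NIC edge deployment together."""
    problems = check_side(internet) + check_side(internal)
    ext = ipaddress.ip_network(internet.subnet, strict=False)
    inn = ipaddress.ip_network(internal.subnet, strict=False)
    if ext.version == inn.version and ext.overlaps(inn):
        problems.append(f"Internet subnet {ext} overlaps internal subnet {inn}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: documentation ranges, two DA servers.
    external = LbSide("Internet", "203.0.113.0/24", "203.0.113.10",
                      ["203.0.113.11", "203.0.113.12"])
    inside = LbSide("Internal", "10.0.0.0/24", "10.0.0.10",
                    ["10.0.0.11", "10.0.0.12"])
    for line in check_edge_cluster(external, inside) or ["plan is consistent"]:
        print(line)
```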
-
External Load Balancing OAM11g Servers
With OAM 11g, DB 11.2.0.1, RHEL5.6, and WLS 10.3.5... we have clustered the managed servers and all that displays, starts, stops as expected -- hosts are H1 and H2. We also have an external load balancer (haproxy). By "external", I mean that the host (PRHost) where the protected resource (PR) resides is outside the LB and all of the OAM infrastructure is inside the LB. We actually have 2 layers of LB because we are also trying to create a disaster recovery site, but for now we'll concentrate on just the webgate and the LB.
We have installed WLS 10.3.5, OHS 11.1.1.2, and have deployed a PR on the PRHost. We then installed the 11g webgate on PRHost and instantiated the webgate within the OAM Server on H1 and moved the artifacts to the PRHost.
The question is fairly simple -- at least from my perspective -- the webgate gets its connection information from the ObAccessClient.xml artifact created when the webgate was added to the OAM Server. The only connection the webgate understands is the listing of the primary/secondary OAM Servers within that artifact.
QUESTION: When we access the protected resource, how will it know to go through the external LB if the only connection information it has is the OAM Server? We realize that there is LB information within the OAM Server setup, but this means that in order to determine where the LB is, we need to first access the OAM Server setup. We require the PR to first go through the LB to find an available OAM server, but there appears to be nothing on the PR webgate to inform it how to find the LB.
Luis,
you need the command 'portmap disable' available in 5.01 and 5.03
gilles. -
Portal Drive not working with external load balancer
Hi,
We have a portal cluster and we are using external Load balancer from
Juniper for load balancing the portal cluster. When given the direct
portal URL (Central instance URL or Dialog instance URL), Portal Drive
is able to connect to portal and shows the KM documents properly. But
when given the Load balancer URL, it gives error saying "Can
not connect to host using WebDAV protocol". Load balancer URL works
fine from the browser without any problems. Any help is highly appreciated.
Helpful points will be rewarded.
Regards,
Chandra
Hi Steve,
For Portal Drive, Windows integrated authentication, client certificates, basic authentication and Kerberos are supported.
(In the default delivery of the com.sap.km.cm.docs iView the authentication scheme is set to basicauthentication; switching that to form-based authentication is not supported by WebDAV clients.)
Also, Integrated Windows Authentication (NTLM) has now been made available with the latest patch.
Also read through SAP NOTE 1084683 for further clarifications.
Regards,
Shailesh -
H-REAP and Client Load-Balancing
I'm told by Cisco that H-REAP does not support client load-balancing.
We have a situation where we want to deploy LWAPPs using H-REAP into a conference room where training would take place.
Any suggestions on how to overcome the inevitable slowness these people are going to experience from being unevenly associated with the APs?
We can't re-write the application so we are looking for a wireless solution.
Anyone hear about how other organizations have dealt with this type of situation?
I'll be glad to supply more details if I am not being clear in my description of the problem.
Thanks in advance. All responses will be rated.
Paul
This is the functionality which is missing in H-REAP: Client and Network Load Balancing
"Radio Resource Management (RRM) load-balances new clients across grouped lightweight access points reporting to each controller. This function is particularly important when many clients converge in one spot (such as a conference room or auditorium) because RRM can automatically force some subscribers to associate with nearby access points, allowing higher throughput for all clients. The controller provides a centralized view of client loads on all access points. This information can be used to influence where new clients attach to the network or to direct existing clients to new access points to improve wireless LAN performance. The result is an even distribution of capacity across an entire wireless network.
Note: Client load balancing works only for a single controller. It does not operate in a multi-controller environment."
I suppose if we limit the number of users that can associate with a particular AP then we will achieve some client load-balancing. Though a hard limit on the number of end-users will also lead to situations where some end users will not be allowed any access. -
Hi,
I am configuring 2 ASA5540s for internet traffic inside to outside,
outside to inside (web, smtp) but also VPN load balancing for client-to-site, site-to-site and WebVPN.
In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
For VPN I can use VPN load balancing.
But there is no information on whether I can use active/passive and VPN load balancing together.
Any thoughts on which way to go? What is the best thing to do?
Regards
Hi,
I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
Hope it helps -
BPEL End Point URL using External Load Balancer URL
Hi All,
We have Oracle SOA Suite installed in a clustered environment as per the Enterprise Deployment Guide 10g Release 3 (10.1.3.3.0) E10294-02.
I have deployed a BPEL process to the clustered environment and the end point refers to the internal url of the load balancer e.g. http://internallink:8001/orabpel/default/testService/1.0
When we just paste this end point in a browser, enter the parameters and click on invoke, the BPEL Process gets invoked.
However, if we try to use the external URL (which is on https) of the load balancer as the endpoint URL, e.g. https://externallink/orabpel/default/testService/1.0, to invoke the same BPEL process, the page which is used to accept the parameters and then invoke the BPEL process is successfully displayed. However, when we try to invoke the service, the connection times out.
Please note that internallink and externallink are the internal and external VIPs, respectively.
Does someone have an idea of what may be wrong or what needs to be corrected to be able to invoke the BPEL process using the external VIP, please?
Thanks in advance.
Check if the port of ESB in your server is open.
I think that the port is: 7777
try from ESB server:
wget WSDLURI
if you got the file then the port is closed. -
Hi,
I have been trying to understand WebLogic clustering and load balancing capabilities. I have been through the edocs but they do not explain how things work; instead they only emphasise how to configure.
Consider the following scenario:
--------cisco firewall/load balancer------------
apache1 apache2 apache3
-------------------firewall-------------------------
WLP1 WLP2 WLP3 WLP4
My questions are:
(1) How do the apache servers load balance incoming requests amongst the four portal instances? I understand that they will use the WebLogic proxy plug-in. The httpd.conf also should be configured to proxy requests to WLP instances by adding the corresponding address:port entries for each instance, using the WebLogicCluster keyword.
(2) Weblogic cluster will have nothing to do with load balancing? The only benefit I get of configuring weblogic cluster is session replication, right?
(3) even failover is going to be handled by apache servers?
(4) if I need to use SSL and I need to have my SSL encryption/decryption to be done on WLP instances; apache servers will only forward requests, no encryption/decryption to be done on the web tier. Is this possible?
See in WebSphere the edge component will handle the load balancing and through it I can assign load weights for each appserver instance.
(5) Are there any best practice to implement load balancing and failover on weblogic portal?
I appreciate any input in this regard.
1. Yes, configure the apache plugin. Put your 4 servers in the WebLogicCluster property (host:port,host:port...). The proxy will round-robin requests between the servers in the cluster, although sessions are pinned to a single server. So if a request with a session (jsessionid cookie) comes in, it will read the primary server from the cookie and route it to that server.
Note that we have had trouble with keep-alives ON and load balancing. We had to turn keep-alives off to get load balancing working.
2. Right, the cluster allows failover by replication. The apache plugin will perform the failover.
3. The plugin will keep a dynamic server list, so if a server goes down it will update the cluster list and not route to it. It will also retry requests on another server on an error or timeout connecting. You can tweak timeout settings like WLSocketTimeoutSecs and ConnectTimeoutSecs, and keep idempotent ON, which allows failover, unless your application can't handle this. -
SSL Certificate and F5 load balancer.
Hi All,
I need to create an SSL certificate to enable SSL on the HTTP server. Can you please give me the steps for that? Also, I need to configure SSL on the load balancer; how would I do that? I will be thankful if anybody can provide me detailed steps. Thanks in advance.
Thanks,
Virendra
Hi,
What is the application release?
For SSL, please see these documents.
Note: 123718.1 - 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
Note: 300969.1 - Troubleshooting SSL with Oracle Applications 11i
Note: 376700.1 - Enabling SSL in Release 12
For Load Balancing, please refer to:
Note: 380489.1 - Using Load-Balancers with Oracle E-Business Suite Release 12
Note: 727171.1 - Implementing Load Balancing On Oracle E-Business Suite - Documentation For Specific Load Balancer Hardware
Note: 601694.1 - How To Check Session Persistence On BigIP F5 And Cisco Ace Load Balancer Appliances
Note: 603325.1 - Using Cisco ACE Series Application Control Engine with Oracle E-Business Suite Release 12
Regards,
Hussein -
CSS on multiple subnets and separate load balancing
Hello,
I've a situation where I need to load balance incoming clients on subnet A to 3 real servers on subnet B - no problems there.
But I also need to load balance different clients on subnet C to 3 other servers on subnet D and clients on subnet E to 2 servers on subnet F.
Basically I want to use the CSS for 3 different load balancing operations.
Rather than using 3 separate CSS11503s can I do all this with multiple VLANs on the LAN switches and 1 CSS?
Any help appreciated
Regards Tony
You can have as many VLANs as you want.
So yes, you can do what you want.
Just be aware that the CSS can route as well between those VLANs, so if you want separation between them you may have to use ACLs.
Gilles. -
Hi,
I have a CSS in single-arm deployment mode. I have multiple servers load balanced on this CSS on port 80 etc. Today I am trying to load balance one Oracle server but I am facing a problem with it.
Real servers are accessible on port 80 without any problem, but when we try to access the same servers via the VIP we are not able to see the web page.
real server http://192.168.17.12/irs.htm
real server http://192.168.17.14/irs.htm
real server http://192.168.10.37/irs.htm
VIP
http://192.168.200.58/irs.htm
Below is the configuration. I can telnet on port 80 and I can ping the VIP IP address.
If I only put 192.168.200.58 in the browser I can see the Oracle page, but with the full URL I am not able to see it.
Though I have other Oracle servers which I have load balanced with the same configuration and I can access the web page.
==========================================================================================
http://tptest.enoc.com/forms/frmservlet?config=tp (This is working fine).
========================================================================
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
=============================================================================
service IRC_1
ip address 192.168.17.12
keepalive type tcp
keepalive port 80
active
service IRC_2
ip address 192.168.17.14
keepalive type tcp
keepalive port 80
service IRC_DR
ip address 192.168.10.37
keepalive type tcp
keepalive port 80
content ENOC_IRC
add service IRC_1
add service IRC_2
add service IRC_DR
vip address 192.168.200.58
protocol tcp
port 80
advanced-balance sticky-srcip
active
owner ENOC_GIT
content ENOC_IRC
add service IRC_1
add service IRC_2
add service IRC_DR
vip address 192.168.200.58
protocol tcp
port 80
advanced-balance sticky-srcip
active
group ENOC_IRC
add destination service IRC_1
add destination service IRC_2
add destination service IRC_DR
vip address 192.168.200.58
active
===================================================================================================
ENOCDC-CSS01(config)# show service summary
Service Name State Conn Weight Avg State
Load Transitions
IRC_1 Alive 0 1 2 0
IRC_2 Suspended 0 1 255 1
IRC_DR Suspended 0 1 255 1
ENOCDC-CSS01(config)# show summary
Global Bypass Counters:
No Rule Bypass Count: 0
Acl Bypass Count: 0
Owner Content Rules State Services Service Hits
ENOC_GIT
ENOC_IRC Active IRC_1 103
IRC_2 10
IRC_DR 7
=======================================================================================================
I am doing the same settings for other servers and they work fine; only for these servers I am facing a problem. Currently only one server is active in the configuration.
Kindly let me know what I am missing and how to fix the problem.
I have also attached the full configuration of the CSS.
Hi,
My point of concern is that I did the same for Oracle server and this is working fine
http://192.168.200.95/forms/frmservlet?config=tp
only when I am doing the load balancing for
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
I don't have an option for a TAC case. Is there a way to fix the problem by applying another load balancing method? Is there something to do with the circuit VLAN? I didn't create the circuit VLAN 17 where this server is located.
I am doing almost 8 different servers' load balancing on this CSS.
Your expert opinion will definitely help me. -
Web dispatcher and J2EE load balancing
I have portal DBCI on one server and DI on multiple servers. I implemented Web dispatcher in front of the DI and it does the load balancing across all DI and CI. What I want to do though is not to route any users to CI instance - ie take CI server processes out of load balancing.
In ABAP environment you could create a logon group and not put CI in the group and users coming through the logon group do not go to the CI. I would like to do the same with Portal Java processes. In help.sap.com I found that web dispatcher uses default !J2EE group if there are no groups defined - to distribute users but I can not find anyway to define a logon group for J2EE java.
Does anybody out there know how to do this - define a logon group and include only DI and not CI in that?
> Raj,
>
> Which versions are you on J2EE? EP?
> If you are on EP SP14 or NW01 you can do workload
> distribution within the portal.
>
> James
We are using NW 04 based EP 6 SP 16. I am looking to use the web dispatcher to distribute users on the DI servers and not distribute any users on the CI server. What can I do so that if an admin user enters http://CI_server:50000/irj they can log in to the CI server, but if users come through the web dispatcher they are not put on the CI but go to one of the DI servers only? By default the web dispatcher would send some users to CI and I don't want that. -
Lync 2010 and ACE load balancing
Hi there,
Has anyone deployed [or will be deploying] Lync 2010 utilising the ACE as a hardware load balancer? The ACE is not [yet] on the Microsoft list of supported devices for this product, but I am told this is because of lack of documentation from Cisco.
The consensus from a few colleagues is that it should work as it did for OCS, which we have already deployed, so assuming that the set up and operation is similar, there shouldn't be much difference in the configurations.
regards,
Glenne.
Hey Glenne,
It seems you got that working already but I wanted to share this simple sample:
parameter-map type http PARAMETER
set header-maxparse-length 65535
set content-maxparse-length 65535
============================================
interface vlan 112
ip address 10.198.16.71 255.255.255.192
alias 10.198.16.124 255.255.255.192
peer ip address 10.198.16.72 255.255.255.192
mac-sticky enable
access-group input anyone
nat-pool 25 10.198.16.125 10.198.16.125 netmask 255.255.255.0 pat
service-policy input ANS-MGT
service-policy input VIPS
no shutdown
============================================
policy-map multi-match VIPS
class LYNC_VIP
loadbalance policy LYNC_POLICY
ssl-proxy server SSL_LYNC_TERMINATION
loadbalance vip icmp-reply active
nat dynamic 25 vlan 112
appl-parameter http advanced-options PARAMETER
============================================
class-map match-all LYNC_VIP
2 match virtual-address 10.198.16.125 tcp eq https
============================================
ssl-proxy service SSL_LYNC_TERMINATION
key tac-key
cert tac-cert
chaingroup tac-chaingroup
============================================
policy-map type loadbalance first-match LYNC_POLICY
class class-default
sticky-serverfarm LYNC_COOKIE
============================================
sticky http-cookie ACE_COOKIE LYNC_COOKIE
timeout 30
replicate sticky
serverfarm LYNC_FARM
============================================
serverfarm host LYNC_FARM
rserver LYNC_SERVER1 80
inservice
rserver LYNC_SERVER2 80
inservice
============================================
rserver host LYNC_SERVER1
ip address 10.198.16.93
inservice
rserver host LYNC_SERVER2
ip address 10.198.16.113
inservice
===========================================
Jorge -
New ASA5512- 5515: content filter and WAN load balancing
Hi,
Is it possible to do content filtering with the new ASA models?
One of our customers would like to have content filtering with the possibility to monitor single client activity (log).
Is it also possible to do load balancing between 2 WANs?
Now in HQ they have 2 WAN with WAN backup (ASA5505) and VPN to another site.
Thanks in advance,
Paolo.
I saw that you can add the CX feature:
CX - Context Aware Security Feature:
Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with next-generation capabilities. It is available with SSD purchase for models such as 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.
Application Visibility Control (AVC):
This is an additional feature in CX. Activation of this feature requires a separate license. This is the feature that does deep packet inspection for application recognition and provides context-aware firewall security.
Web Security Essentials (WSE):
This is an additional feature in CX. Activation of this feature requires a separate license. It delivers features like "URL Filtering" and "Global Threat Intelligence".
Can somebody confirm that?
Has somebody already used and configured these features?
Thank you,
Paolo.