Understanding DirectAccess and external load balancer

Hi,
I'm trying to understand the concept of DIPs with an external load balancer. We're trying to create a DirectAccess cluster with two DA servers in edge. I'm at the wizard for creating the load balancer and chose external. Then it asked me to enter the DIPs. But why is that? Should it not be sufficient with the current IP-address, since they are configured in the external LB? Or do I need to add a secondary IP-address and enter that in the wizard and enter them as the VIPs in the external LB? Same goes for the internal one.

Does that mean that I could choose any IP-address in the private range, despite that I have an edge configuration with one public IP-address and one internal address? Or do I need to allocate another public IP-address?
Edit:
http://blogs.technet.com/b/mspfe/archive/2013/01/24/how-to-configure-directaccess-in-windows-server-2012-to-work-with-an-external-hardware-load-balancer.aspx
When following the guide, I use the current IP-address of the first node's external NIC, and get a warning that I can't use that IP. Should I use the VIP that we have for the load balancer?

Similar Messages

  • UAG External Load Balancing and ISATAP

    Hi Experts,
    I am deploying a UAG Array to be used for Direct Access. The Array will consist of two servers and use an F5 External Load Balancer. In addition and in similarity
    to 90% of the other corporate intranets out there, the internal network is IPv4 with no IPv6 transition technologies deployed. The article
    http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/17/configuring-an-external-load-balanced-uag-directaccess-array-for-an-ipv4-only-network.aspx
    is great but to my mind has no information to support ‘Manage Out’ and throws up a number of questions: (Note that I want to enable ‘Manage Out’ capability and as far as I am aware that is achieved by using ISATAP)
    1. The article describes that you have to generate and configure your own IPv6 address for the internal interface when using an external load balancer. Does anyone know why? Why not let UAG assign the addresses as per the default?
    2. UAG by default configures itself as an ISATAP router when there is no IPv6 infrastructure deployed on the internal network to facilitate ‘manage out’. This still applies when using Windows NLB. Why does this no longer apply when using an external load balancer? I.e. why does UAG no longer configure itself as an ISATAP router?
    3. In relation to question 2; you therefore need to move your ISATAP router to a different device (http://technet.microsoft.com/en-us/library/ee690463.aspx), in doing so how do you configure the ISATAP environment to traverse the UAG servers without some sort of load balancing on the internal interfaces? I’m assuming that you can only tell the ISATAP router to use the one default gateway i.e. either one UAG server or the other. This means that you would have all your outbound internally initiated traffic going via one server only – not very good for performance or fault tolerance.
    4. In relation to question 3; I thought therefore that NLB could be used on the internal interface to solve the above problem, except that I have read that you can’t mix and match external load balancing and NLB even though they are on separate networks due to bidirectional affinity. What does this actually mean and why does this not occur when load balancing is mixed in this manner?
    Therefore when you wish to use external load balancers, do you:
    A) Accept the fact that you can’t use UAG as an ISATAP router and you do indeed need two devices and deploy it as described here (http://technet.microsoft.com/en-us/library/ee690463.aspx)
    or
    B) Accept the fact that you can’t use UAG as an ISATAP router and any internal outbound traffic travels via the one UAG server only.
    Apologies for the long post, but I wanted to make sure that I get my thoughts down concisely so that it may help others who come up with the same questions.
    Thanks for your time everyone
    Gary

    I am also facing the same issue.  I have UAG1 and UAG2, which are in an array, and externally load balanced.  I've configured an external ISATAP router according to: 
    http://www.windowsnetworking.com/articles_tutorials/Configuring-ISATAP-Router-Windows-Server-2008-R2-Part2.html.  However, as mentioned by others, the ISATAP router has to have either UAG1 or UAG2 as the next hop for IP-HTTPS traffic.  As
    a result, communication between the DirectAccess client and management devices will only work if the client is tunneling through the same UAG server that the ISATAP router has as the next hop for the IP-HTTPS prefix.  From what I can tell, my configuration
    is supported, but I can't figure out how to have the ISATAP router determine which UAG server a client is tunneling through.  I thought about having two separate IP-HTTPS prefixes for each UAG server, but this would get overwritten when activating
    the DirectAccess configuration.  Maybe some type of internal load balancing?

  • Enable External Load Balancing error

    Hello,
    I'm trying to create a DirectAccess farm with 2 external Load balancers (Step 3.1.1 http://technet.microsoft.com/en-us/library/jj134166.aspx)
    The first server is configured (behind an Edge with 2 NICs) and working, but when trying to enable External Load Balancing, I immediately receive this error when applying the settings:
    Initializing operations before applying configuration
     Backing up GPOs...
    Updating cluster settings
     Retrieving server GPO details...
     Opening the server GPO...
     Error: The configuration data for this product is corrupt. Contact your support personnel.
    Finishing operations after applying configuration
     Information: Attempting to roll back the configuration...
    The DirectAccess dashboard shows that all services are fine, the DC is available and no errors are logged in the Event Viewer.
    I can't find any explanation about a possible corrupted configuration.

    Ok... Found the problem... You can't mix Internet IP and LAN IP to create the VIP...

  • External Load Balancing OAM11g Servers

    With OAM 11g, DB 11.2.0.1, RHEL5.6, and WLS 10.3.5... we have clustered the managed servers and all that displays, starts, stops as expected -- hosts are H1 and H2. We also have an external load balancer (haproxy). By "external", I mean that the host (PRHost) where the protected resource (PR) resides is outside the LB and all of the OAM infrastructure is inside the LB. We actually have 2 layers of LB because we are also trying to create a disaster recovery site, but for now we'll concentrate on just the webgate and the LB.
    We have installed WLS 10.3.5, OHS 11.1.1.2, and have deployed a PR on the PRHost. We then installed the 11g webgate on PRHost and instantiated the webgate within the OAM Server on H1 and moved the artifacts to the PRHost.
    The question is fairly simple -- at least from my perspective -- the webgate gets its connection information from the ObAccessClient.xml artifact created when the webgate was added to the OAM Server. The only connection the webgate understands is the listing of the primary/secondary OAM Servers within that artifact.
    QUESTION: When we access the protected resource, how will it know to go through the external LB if the only connection information it has is the OAM Server? We realize that there is LB information within the OAM Server setup, but this means that in order to determine where the LB is, we need to first access the OAM Server setup. We require the PR to first go through the LB to find an available OAM server, but there appears to be nothing on the PR webgate to inform it how to find the LB.

    Luis,
    you need the command 'portmap disable' available in 5.01 and 5.03
    gilles.

  • Portal Drive not working with external load balancer

    Hi,
    We have a portal cluster and we are using external Load balancer from
    Juniper for load balancing the portal cluster. When given the direct
    portal URL (Central instance URL or Dialog instance URL), Portal Drive
    is able to connect to portal and shows the KM documents properly. But
    when given the Load balancer URL, it gives error saying "Can
    not connect to host using WebDAV protocol". Load balancer URL works
    fine from the browser without any problems. Any help is highly appreciated.
    Helpful points will be rewarded.
    Regards,
    Chandra

    Hi Steve,
    For Portal Drive, Windows integrated authentication, client certificates, basic authentication and Kerberos are supported.
    (In the default delivery of the com.sap.km.cm.docs iview the authentication scheme is set to basic authentication - switching that to form based authentication is not being supported by webdav clients.)
    Also now Integrated Windows Authentication (NTLM) has been made available with the latest patch.
    Also read through SAP NOTE 1084683 for further clarifications.
    Regards,
    Shailesh

  • H-REAP and Client Load-Balancing

    I'm told by Cisco that H-REAP does not support client load-balancing.
    We have a situation where we want to deploy LWAPPs using H-REAP into a conference room where training would take place.
    Any suggestions on how to overcome the inevitable slowness these people are going to experience from being unevenly associated with the APs?
    We can't re-write the application so we are looking for a wireless solution.
    Anyone hear about how other organizations have dealt with this type of situation?
    I'll be glad to supply more details if I am not being clear in my description of the problem.
    Thanks in advance. All responses will be rated.
    Paul

    This is the functionality which is missing in H-REAP: Client and Network Load Balancing
    "Radio Resource Management (RRM) load-balances new clients across grouped lightweight access points reporting to each controller. This function is particularly important when many clients converge in one spot (such as a conference room or auditorium) because RRM can automatically force some subscribers to associate with nearby access points, allowing higher throughput for all clients. The controller provides a centralized view of client loads on all access points. This information can be used to influence where new clients attach to the network or to direct existing clients to new access points to improve wireless LAN performance. The result is an even distribution of capacity across an entire wireless network.
    Note: Client load balancing works only for a single controller. It is not operate in a multi-controller environment."
    I suppose if we limit the number of users that can associate with a particular AP then we will achieve some client load-balancing. Though a hard limit on the number of end-users will also lead to situations where some end users will not be allowed any access.

  • ASA and vpn load balancing

    Hi,
    I am configuring 2 ASA5540 for internet traffic inside to outside,
    outside to inside (web, smtp) but also vpn load balancing for client to site, site to site and webvpn.
    In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
    For vpn: I can use vpn load balancing.
    But there is no information if I want to use active/passive and vpn load balancing together.
    Any thoughts on which way to go? What is the best thing to do?
    Regards

    Hi,
    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps

  • BPEL End Point URL using External Load Balancer URL

    Hi All,
    We have Oracle SOA Suite installed in a clustered environment as per the Enterprise Deployment Guide 10g Release 310.1.3.3.0 E10294-02.
    I have deployed a BPEL process to the clustered environment and the end point refers to the internal url of the load balancer e.g. http://internallink:8001/orabpel/default/testService/1.0
    When we just paste this end point in a browser, enter the parameters and click on invoke, the BPEL Process gets invoked.
    However, if we try to use the external url (which is on https) of the load balancer as the endpoint url, e.g. https://externallink/orabpel/default/testService/1.0, to invoke the same BPEL process, the page which is used to accept the parameters and then used to invoke the BPEL process is successfully displayed. However, when we try to invoke the service, the connection times out.
    Please note that internallink and externallink are the internal and external VIPs, respectively.
    Does someone have an idea of what may be wrong or what needs to be corrected to be able to invoke the BPEL process using the external VIP, please?
    Thanks in advance.

    Check if the port of ESB in your server is open.
    I think that the port is: 7777
    try from ESB server:
    wget WSDLURI
    if you got the file then the port is closed.

  • Wlp and apache load balancing

    Hi,
    I have been trying to understand WebLogic clustering and load balancing capabilities. I have been through the edocs but they do not explain how things work; instead they only emphasise how to configure.
    Consider the following scenario:
    --------cisco firewall/load balancer------------
    apache1 apache2 apache3
    -------------------firewall-------------------------
    WLP1 WLP2 WLP3 WLP4
    My questions are:
    (1) How do the apache servers load balance incoming requests amongst the four portal instances? I understand that it will use the weblogic proxy plug-in. The httpd.config also should be configured to proxy requests to WLP instances by adding the corresponding address:port entries for each instance, using the WebLogicCluster keyword.
    (2) Weblogic cluster will have nothing to do with load balancing? The only benefit I get from configuring a weblogic cluster is session replication, right?
    (3) Even failover is going to be handled by the apache servers?
    (4) If I need to use SSL and I need to have my SSL encryption/decryption done on the WLP instances; apache servers will only forward requests, no encryption/decryption to be done on the web tier. Is this possible?
    See, in WebSphere the edge component will handle the load balancing and through it I can assign load weights for each appserver instance.
    (5) Are there any best practices to implement load balancing and failover on weblogic portal?
    I appreciate any input in this regard.

    1. yes, configure the apache plugin. put your 4 servers in the WeblogicCluster property (host:port,host:port...). The proxy will round robin requests between the servers in the cluster, although sessions are pinned to a single server. So if a request with a session (jsessionid cookie) comes in, it will read the primary server from the cookie and route it to that server.
    note that we have had trouble with keep alives ON and load balancing. we had to turn keep alives off to get load balancing working.
    2. right, the cluster allows failover by replication. apache plugin will perform the failover.
    3. the plugin will keep a dynamic server list so if a server goes down, it will update the cluster list and not route to it. it will also retry requests on another server on an error or timeout connecting. you can tweak timeout settings like WLSocketTimeoutSecs and ConnectTimeoutSecs. and keep idempotent ON which allows failover, unless your application can't handle this.
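
The routing behaviour described in the answer above, as a simplified Python model (an added example, not part of the original thread and not the plug-in's code). The class, the `retry` flag standing in for what the answer ties to idempotent ON, port 7001 and the `<session-id>!<primary>` cookie layout are assumptions made for illustration.

```python
"""Simplified model of a sticky round-robin proxy with a dynamic server list.

Constructed for illustration: the names, port 7001 and the cookie layout
"<session-id>!<primary host:port>" are assumptions, not WebLogic's encoding.
"""
from itertools import count


class BackendDown(Exception):
    """No backend could serve the request."""


class ProxyModel:
    def __init__(self, cluster, retry=True):
        # Same shape as the WebLogicCluster value: host:port,host:port,...
        self.alive = [s.strip() for s in cluster.split(",")]  # dynamic list
        self.down = set()    # backends that are really unreachable (simulated)
        self.retry = retry   # the answer ties failover to idempotent ON
        self._rr = count()
        self._sid = count(1)

    def _round_robin(self):
        if not self.alive:
            raise BackendDown("no live servers left in the cluster list")
        return self.alive[next(self._rr) % len(self.alive)]

    def _pick(self, cookie):
        # A request that carries a session goes to the primary named in it.
        if cookie:
            primary = cookie.split("!", 1)[1]
            if primary in self.alive:
                return primary
        return self._round_robin()

    def handle(self, cookie=None):
        """Return (server that answered, cookie to send back)."""
        target = self._pick(cookie)
        while target in self.down:
            self.alive.remove(target)       # stop routing to the dead server
            if not self.retry:
                raise BackendDown(f"{target} unreachable, retry disabled")
            target = self._round_robin()    # retry on another server
        sid = cookie.split("!", 1)[0] if cookie else f"s{next(self._sid)}"
        return target, f"{sid}!{target}"


def demo():
    """Constructed scenario: four portal instances, one of them fails."""
    proxy = ProxyModel("wlp1:7001,wlp2:7001,wlp3:7001,wlp4:7001")
    first = [proxy.handle() for _ in range(4)]   # new sessions: round robin
    _, cookie = first[1]                         # session created on wlp2
    pinned = [proxy.handle(cookie)[0] for _ in range(3)]
    proxy.down.add("wlp2:7001")                  # primary goes away
    failover, _ = proxy.handle(cookie)
    return [s for s, _ in first], pinned, failover, list(proxy.alive)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The pinned requests never advance the round-robin counter, which is why a few long-lived sessions can leave the instances unevenly loaded even though new sessions are spread evenly.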

  • SSL Certificate and F5 load balancer.

    Hi All,
    I need to create an SSL certificate to enable SSL on the HTTP server; can you please give me the steps for that? Also, I need to configure SSL on the load balancer; how would I do that? I will be thankful if anybody can provide me detailed steps, thanks in advance.
    Thanks,
    Virendra

    Hi,
    What is the application release?
    For SSL, please see these documents.
    Note: 123718.1 - 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
    Note: 300969.1 - Troubleshooting SSL with Oracle Applications 11i
    Note: 376700.1 - Enabling SSL in Release 12
    For Load Balancing, please refer to:
    Note: 380489.1 - Using Load-Balancers with Oracle E-Business Suite Release 12
    Note: 727171.1 - Implementing Load Balancing On Oracle E-Business Suite - Documentation For Specific Load Balancer Hardware
    Note: 601694.1 - How To Check Session Persistence On BigIP F5 And Cisco Ace Load Balancer Appliances
    Note: 603325.1 - Using Cisco ACE Series Application Control Engine with Oracle E-Business Suite Release 12
    Regards,
    Hussein

  • CSS on multiple subnets and separate load balancing

    Hello,
    I've a situation where I need to load balance incoming clients on subnet A to 3 real servers on subnet B - no problems there.
    But I also need to load balance different clients on subnet C to 3 other servers on subnet D and clients on subnet E to 2 servers on subnet F.
    Basically I want to use the CSS for 3 different load balancing operations.
    Rather than using 3 separate CSS11503s can I do all this with multiple VLANs on the LAN switches and 1 CSS?
    Any help appreciated
    Regards Tony

    you can have as many vlan as you want.
    So yes you can do what you want.
    Just be aware that the CSS can route as well between those vlans, so if you need separation between them you may have to use ACL.
    Gilles.

  • CSS and Oracle Load Balancing

    Hi,
    I have CSS in single arm deployment model. I have multiple servers load balancing on this CSS on port 80 etc. Today I am trying to load balance one Oracle server but I am facing problem with it.
    Real servers are accessible on port 80 without any problem but when we are trying to access the same servers on VIP we are not able to see the web page.
    real server http://192.168.17.12/irs.htm
    real server http://192.168.17.14/irs.htm
    real server http://192.168.10.37/irs.htm
    VIP
    http://192.168.200.58/irs.htm
    Below is the configuration. I can do the telnet on port 80 and I can ping the VIP IP address.
    I will only put 192.168.200.58 in browser I can see the oracle page but with the full URL i am not able to see it.
    Though I have other oracle servers which I have load balance with the same configuration and I can access the web page.
    ==========================================================================================
    http://tptest.enoc.com/forms/frmservlet?config=tp  (This is working fine).
    ========================================================================
    http://irs.enoc.com/irs.htm  (This is not working).
    By name and by IP address both are not working.
    http://192.168.200.58/irs.htm  (This is not working).
    =============================================================================
    service IRC_1
      ip address 192.168.17.12
      keepalive type tcp
      keepalive port 80
      active
    service IRC_2
      ip address 192.168.17.14
      keepalive type tcp
      keepalive port 80
    service IRC_DR
      ip address 192.168.10.37
      keepalive type tcp
      keepalive port 80
    content ENOC_IRC
        add service IRC_1
        add service IRC_2
        add service IRC_DR
        vip address 192.168.200.58
        protocol tcp
        port 80
        advanced-balance sticky-srcip
        active
    owner ENOC_GIT
    content ENOC_IRC
        add service IRC_1
        add service IRC_2
        add service IRC_DR
        vip address 192.168.200.58
        protocol tcp
        port 80
        advanced-balance sticky-srcip
        active
    group ENOC_IRC
      add destination service IRC_1
      add destination service IRC_2
      add destination service IRC_DR
      vip address 192.168.200.58
      active
    ===================================================================================================
    ENOCDC-CSS01(config)# show service summary
    Service Name                     State     Conn  Weight  Avg   State
                                                             Load  Transitions
    IRC_1                            Alive         0      1     2            0
    IRC_2                            Suspended     0      1   255            1
    IRC_DR                           Suspended     0      1   255            1
    ENOCDC-CSS01(config)# show summary
    Global Bypass Counters:
       No Rule Bypass Count:     0
       Acl Bypass Count:         0
    Owner            Content Rules    State     Services         Service Hits
    ENOC_GIT        
                  ENOC_IRC         Active    IRC_1            103
                                                IRC_2            10
                                                IRC_DR           7
    =======================================================================================================
    Same setting I am doing for other servers and working fine; only for these servers I am facing a problem. Currently only one server is active in the configuration.
    Kindly let me know what I am missing and how to fix the problem.
    I have also attached the full configuration of CSS.

    Hi,
    My point of concern is that I did the same for Oracle server and this is working fine
    http://192.168.200.95/forms/frmservlet?config=tp
    only when I am doing the load balancing for
    http://irs.enoc.com/irs.htm  (This is not working).
    By name and by IP address both are not working.
    http://192.168.200.58/irs.htm  (This is not working).
    I don't have an option for a TAC case; is there a way to fix the problem by applying another load balancing method? Is there something to do with the Circuit VLAN? I didn't create the Circuit VLAN 17 where this server is located.
    I am doing load balancing for almost 8 different servers in this CSS.
    Your expert opinion will definitely help me.

  • Web dispatcher and J2EE load balancing

    I have portal DBCI on one server and DI on multiple servers. I implemented Web dispatcher in front of the DI and it does the load balancing across all DI and CI. What I want to do though is not to route any users to CI instance - ie take CI server processes out of load balancing.
    In ABAP environment you could create a logon group and not put CI in the group and users coming through the logon group do not go to the CI. I would like to do the same with Portal Java processes. In help.sap.com I found that web dispatcher uses default !J2EE group if there are no groups defined - to distribute users but I can not find anyway to define a logon group for J2EE java.
    Does anybody out there know how to do this - define a logon group and include only DI and not CI in that?

    > Raj,
    >
    > Which versions are you on J2EE? EP?
    > If you are on EP SP14 or NW01 you can do workload
    > distribution within the portal.
    >
    > James
    We are using NW 04 based EP 6 SP 16. I am looking for to use web dispatcher to distribute users on the DI servers and not distribute any users on the CI server. What can I do so that if admin user enter http://CI_server:50000/irj then they can login to the CI server if users come through webdispatcher then they are not put on the CI but go to one of the DI servers only. By default web dispatcher would send some users to CI and I don't want that.

  • Lync 2010 and ACE load balancing

    Hi there,
    Has anyone deployed [or will be deploying] Lync 2010 utilising the ACE as a hardware load balancer? The ACE is not [yet] on the Microsoft list of supported devices for this product, but I am told this is because of lack of documentation from Cisco.
    The consensus from a few colleagues is that it should work as it did for OCS, which we have already deployed, so assuming that the set up and operation is similar, there shouldn't be much difference in the configurations.
    regards,
    Glenne.

    Hey Glenne,
    It seems you got that working already but I wanted to share this simple sample:
    parameter-map type http PARAMETER
      set header-maxparse-length 65535
      set content-maxparse-length 65535
    ============================================
    interface vlan 112
      ip address 10.198.16.71 255.255.255.192
      alias 10.198.16.124 255.255.255.192
      peer ip address 10.198.16.72 255.255.255.192
      mac-sticky enable
      access-group input anyone
      nat-pool 25 10.198.16.125 10.198.16.125 netmask 255.255.255.0 pat
      service-policy input ANS-MGT
      service-policy input VIPS
      no shutdown
    ============================================
    policy-map multi-match VIPS
      class LYNC_VIP
        loadbalance policy  LYNC_POLICY
        ssl-proxy server SSL_LYNC_TERMINATION
        loadbalance vip icmp-reply active
        nat dynamic 25 vlan 112
        appl-parameter http advanced-options  PARAMETER
    ============================================
    class-map match-all LYNC_VIP
      2 match virtual-address 10.198.16.125 tcp eq https
    ============================================
    ssl-proxy service SSL_LYNC_TERMINATION
      key tac-key
      cert tac-cert
      chaingroup tac-chaingroup
    ============================================
    policy-map type loadbalance first-match LYNC_POLICY
      class class-default
        sticky-serverfarm LYNC_COOKIE
    ============================================
    sticky http-cookie ACE_COOKIE LYNC_COOKIE
      timeout 30
      replicate sticky
      serverfarm LYNC_FARM
    ============================================
    serverfarm host LYNC_FARM
      rserver LYNC_SERVER1 80
        inservice
      rserver LYNC_SERVER2 80
        inservice
    ============================================
    rserver host LYNC_SERVER1
    ip address 10.198.16.93
    inservice
    rserver host LYNC_SERVER2
    ip address 10.198.16.113
    inservice
    ===========================================
    Jorge

  • New ASA5512- 5515: content filter and WAN load balancing

    Hi,
    Is it possible to do content filtering with the new models of ASA?
    One of our customers would like to have a content filter with the possibility to monitor the single client activity (log).
    Is it also possible to do load balancing between 2 WANs?
    Now in HQ they have 2 WAN with WAN backup (ASA5505) and VPN to another site.
    Thanks in advance,
    Paolo.

    I saw that you can add CX feature:
    CX - Context Aware Security Feature:
    Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with next-generation capabilities. It is available with SSD purchase for models such as 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.
    Application Visibility Control (AVC):
    This is an additional feature in CX. Activation of this feature requires a separate license. This is the feature that does deep packet inspection for application recognition and provides context-aware firewall security.
    Web Security Essentials (WSE):
    This is an additional feature in CX. Activation of this feature requires a separate license. It delivers features like "URL Filtering" and "Global Threat Intelligence".
    Can somebody confirm that?
    Has somebody already used and configured these features?
    Thank you,
    Paolo.
