Web Dispatcher - Reverse Proxy and Load Balancing
I'm finding limited docs on Web Dispatcher with regard to reverse proxy and load balancing. Are you aware of some recent presentations or docs in this area? The info on help.sap.com is not what I'm looking for.
Thanks.
Hi,
best thing is that you look at your scenarios and test the web dispatcher against each of it, like:
- SSL
- Portal only
- Web Dynpro ABAP / Java
- BSP
- Different backend systems like SRM, MDM
- Several backends with 1 Web Dispatcher
After getting a list of use cases that you can test quite easily (installation of Web Dispatcher is done fast and can be done on a local PC), you can contact SAP Support and ask them about the specific problems and questions you encountered. This way, you'll get the official answer, sometimes they will even inform you about "secret" parameters and options.
As of the reverse proxy functionality: there are several version of Web Dispatcher available that differ from the functionality offered. The latest version - 7.2 - is the one that offers the most, i.e. allows you to create rewrite rules like Apache.
SAP Note 908097 - SAP Web Dispatcher: Released releases and applying patches
br,
Tobias
Similar Messages
-
Reverse Proxy and Load Balancer for SMP 2.3 and Agentry Application
Hi Expert,
I'm putting in place a mobile solution composed by SMP 2.3 SPS 4 and SAP ECC 6.0. In the SMP 2.3 I created the agentry server and I have deployed my agentry application.
My SMP/Agentry infrastructure is composed by two servers therefore I need a load balancer for balance the load into the several servers. Furthermore I need to use a reverse proxy in my DMZ zone.
Based on what indicated in the SAP note "1904213 - SAP Mobile Platform Server Release Information" the Apache Reverse Proxy is not supported for Agentry clients. Agentry uses nginx for Reverse Proxy.
I also found the following document How-to-Guide for Reverse Proxy and Load Balancing in SAP Mobile Platform 3.x that explain how to set-up a reverse proxy and load balancer with nginx and apache.
Both the SAP note and the HOW to document are refereed to SMP 3.0 and not to SMP 2.3.
I would know if the NGINX must be used also for SMP 2.3.
Any suggestion/information is appreciated.
Thanks in advance
g.Please see Agentry Network Landscapes
-
Forms/Reports with Reverse Proxy and Load Balance
Hello Guys,
I want to setup an environment with apache as reverse proxy for uses with Forms and Reports.
Is there any special configuration? Or just config rewrite rules?
Something like this:
Users -----> NLB Device -----> Reverse Proxy (Apache - 2 machines) -----> Oracle Application Server (Forms/Reports - N machines)
Best RegardsI haven't made one, but I think it should work, just dont forget to use proxypass and prosypassreverse.
Regards -
Web Dispatcher not doing the load balancing on the portal
Hi Experts
I am having a production issue where the SAP web dispatcher is not doing the load balancing on the portal.
We have ESS/MSS portal with 1 Message server and 2 Application servers. The Web dispatcher is installed on the message server itself. Here is my Web disp profile file
Profile generated by sapwebdisp bootstrap
unique instance number
SAPSYSTEM = 16
add default directory settings
DIR_EXECUTABLE = .
DIR_EXECUTABLE = F:\usr\sap\<SID>\sapwebdisp
DIR_INSTANCE = .
Accessibility of Message Servers
rdisp/mshost = <hostname>.com
ms/http_port = 8111
#Log and Trace
rdisp/TRACE = 2
SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/shm_attach_mode = 6
configuration as per SAP note 538405
icm/max_conn = 7000
icm/max_sockets = 14000
icm/req_queue_len = 6000
icm/min_threads = 100
icm/max_threads = 300
mpi/total_size_MB = 500
mpi/max_pipes = 14000
wdisp/HTTPS/max_pooled_con = 7000
SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=8888
SSL
icm/server_port_1 = PROT=ROUTER,PORT=443, TIMEOUT=60
SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt
wdisp/enable_j2ee_groups = TRUE
wdisp/HTTPS/sticky_mask = 255.255.255.255
In my Web dispatcher Admin page, I see all the three application servers, however the requests are going to only 1 App server. We are using ENd to End SSL configuration for the web dispatcher.
We also have a reverse proxy in the landscape and reverse proxy is forwarding all the requests to the Web dispatcher. In Web disp Admin page>Dispatching Module>SSL End to END dispatching, I see only ONE table entry in the dispatching table and it is our Reverse Proxy.
As all the requests are coming from only one source (Reverse proxy), it seems to me that the sap web dispatcher is forwarding those to the same Application server every time.
Can anyone please advise ?
I also tried to configure logon group in NWA, the web dispatcher is detecting the logon group and all the app servers in the logon group. It still not doing the load balancing.
I would greatly appreciate any help.
Thanks
VinyVincent, can you please elaborate more ? Is the web dispatcher not able to recognize stateful and stateless application requests ?
I saw that the procedure for configuring SSL Termination on Web dispatcher is long and complicated and looks like SAP web dispatcher needs to have SSL certificate of its own. As we have no ABAP servers and only Java servers, I can not even create the PSEs using STRUST (as described in SAP help -http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/99c388d7c46bb9e10000000a42189d/frameset.htm
We already have SSL certificates for Java App servers.
I suppose there should be a way for web dispatcher to identify the incoming requests and forward to appropriate application servers.
Any help is much appreciated.
Thanks
Viny -
Sun Web Server Reverse Proxy and Weblogic HTTP to HTTPS redirection
Hi,
I am currently testing reverse-proxy from SJSW 7.0 update 5 to Weblogic server but I have encountered an issue.
I have configured a context root to be forwarded to weblogic:
Web Server: www.server.com
URI: /path
Reverse Proxy URL: wlserver:9000
When I access https://www.server.com/path, I am getting the correct page. The issue is, the weblogic server is configured to redirect HTTP access to HTTPS, i.e., when I access http://www.server.com/path, it should be redirected to https://www.server.com/path. However, that is not the case. What happens is that I am being redirected instead to https://www.server.com/.
If I don't use reverse proxy, that is, if I use the libproxy.so from weblogic, I get the correct redirection.
Would appreciate it very much if someone can help me troubleshoot this issue.
Thanks in advance!
Edited by: agent_orange on Jul 29, 2010 2:30 AM
Edited by: agent_orange on Jul 29, 2010 2:31 AMI am not sure, how you have configured your reverse proxy since you didn't attach / refer your current configuration file. this is how I would do it..
- create a new configuration (using web server 7 admin gui , within configuration wizard, disable java option if you plan to use web server 7 only for reverse proxy)
- select this new configuration and go to reverse proxy and try to reverse proxy / to the origin server.
that is all it should need.
your obj.conf or <hostname>-obj.conf depending on your configuration should look like following snippet
<Object name="default">
AuthTrans..
NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
</object>
<Object name="reverse-proxy-/">
Route fn=....
Service ..
</Object>
this is all you should need..
However, if you wanted to add complexity to your configuration, you could do some thing like
<Object name="default">
Auth..
<If defined $security>
NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
</If>
</Object>
<Object name="reverse-proxy-/">
Route...
</Object> -
SAP Web Dispatcher & Reverse Proxy
Hello,
We are currently using Novell's iChain product for our reverse proxy (RP) to our EP7 Portal which in turn is connected to BW, CRM, & R/3. Can SAP's Web Dispatcher (WD) perform the same RP functions as iChain in this type of scenario?
For example, we have one iChain server which performs RP functions for EP7 which is also connected to BW, CRM, & R/3. We like to replace our iChain product and have been looking at WD. But, it doesn't look like a single WD instance can act as a RP for more than one system at a time. In other words, I setup a test WD system and pointed it at our EP7 system. It works fine for anything coming from EP7. But, for any iviews that point to BW, CRM, or R/3, it doesn't work, which makes sense since there doesn't seem to be anywhere I can define those systems in the WD. But could WD do this and I'm just not reading the documentation correctly? (Yes, I have been all over help.sap.com in regards to WD)
I did find the following SAP note, 740234, that discusses this to an extent, but it is mostly about load balancing across disparate systems, not RP functionality across disparate systems. Thus, I'm not sure this applies. Assuming this note is correct from a RP viewpoint, can I just run multiple WDs all on the same standalone system? Also, if that is the case, how is it that when I call a BW iView from the Portal, it knows to go through the other WD setup on that system?
Bottom line is, does/will SAP's WD perform the same functions as iChain or should we be looking elsewhere?
Hope that all made sense!
Thanks,
TomHello Benny,
For the sake of simplicity, lets say I have a portal called 'ABC' and a BW system called 'XYZ'. So, to access the portal directly, without going through the iChain RP, I would enter http://abc.company.com/ but going through the RP, I would enter something like http://MyPortal.company.com/ and iChain knows it should direct the traffic to ABC.
In the portal, I have a XYZ defined in the System Landscape. Then in the portal, I create an iView that uses the BW system defined in the System Landscape.
Again, without going through the RP, if I click on the XYZ iView in the portal, it connects to XYZ to get whatever info it needs from XYZ and presents it back, through the portal. But, the URL behind that iView, goes to http://xyz.company.com. But, if I do all the same things, this time going through the RP, it understands that it needs to be the RP for both ABC and XYZ and acts accordingly.
Does that make more sense? Can WD also act in this fashion? As far as user management goes, that is done with LDAP.
Thanks,
Tom -
Using reverse proxy for load balancing
Hello,
i have succesfully configured a reverse proxy ( Sun Web Server 7 ) to balance load between two application servers ( Sun Application Server 9.1), however i do not want randon assignment of requests using a round robin algorithm ( default option in Sun Web Server 7) but rather i want to apply a 80/20 rule so that one application server will receive 80% of the requests and the other will receive 20%.
Is there a way of performarming such a task.
your help is really appreciated.
thank youthank you for the reply,
actually i tried it yesterday and it seems to work.
in my reverse proxy settings i added one server two times and the other once and 66% of the requests were forwarded to the first server.
now i have enabled the scenario that you are mentioning above and i so far requests seem to be proceced using the 80% 20% scenario. -
Web Dispatcher - Portal & Backend systems load balancing
Good Day,
I am currently in the process of setting up a web dispatcher for the Backend systems via the Portal.
I have already installed a web dispatcher to handle the Portal load balancing and this works perfect.
The SAP system landscape will be created using load balancing, currently it is set to Dedicated.
Question:
Do i change the ITS and WAS settings to point to the web dispatcher or leave them currently pointing to the backend systems?
ITS = hostname :8000
WAS = hostname : 8000
Many thanks,
Morgan MoodleyHi Morgan,
You point them at the web dispatcher.
Paul -
Reverse Proxy plug in and Load Balancer Plug in
Hi,
Can anyone please provide me with an example obj.conf file showing how to combine the reverse proxy plug-in and Load Balancer plug-in.
I would like to use the reverse proxy plug in to detect when static content is requested and provide this from the web server. Requests for dynamic content would then be forwarded to an Application server via the Load balancer plug-in. I have found plenty of documentation on how to configure these plug-in separately but nothing on how to combine the two.smiking
reverse proxy plugin - its job is to forward the requests to another server for a specific task. you can use the webserver 7 . it does forward and limited load balancing (using round robin ) based on the number of servers you provide in the configuration. i would say this is a poor man's setup.
load balancer plugin - some app servers like sun java system app server or web logic provide this plugin so that you can effectively use the back end app server
with both these setup, you can <if> constructs to determine which requests need to be forwarded to the back end server.
I wonder, why do you need both - if both of them is designed to do the same thing. -
Arrowpoint Cookies, Reverse Proxy and Multiplexed Client Requests
Hi,
I have a reverse proxy which is performing SSL offload and making backend connections to two web servers. Between the reverse proxy and the two webservers, a CSS is in place to load balance between the web servers. There is a requirement for session stickiness on the web servers and since client IP details are lost through the reverse proxy I have used the arrowpoint-cookie method to load balance connections.
However, the reverse proxy seems to make only a handful of connections to the servers compared to the number incoming client connections and we have noticed that stickiness is broken. Now, I would assume this is correct if arrowpoint-cookie makes a load balancing based on the first HTTP get in a tcp stream and not on a per transaction basis AND our reverse proxy is multiplexing client requests. However, I can not convince myself of how the arrowpoint-cookie method actually works.
I wondered if anyone had any insight on this or had experienced similar issues with arrowpoint cookies?Hi Gilles,
I have implemented this today, and we are still seeing issues with requests hitting the wrong server.
A bit more info, the reverse proxy is an AXG Web Aopplication Firewall. I have been looking at this and am considering disabling connection re-use on here.
However I am also wondering if this might be to do with the flow timeout multiplier I am using which is 5 (80 seconds). Perhaps this is too low?
Thanks, David. -
Apache reverse proxy and SSL termination
Hi Guru's
Can anyone tell me, how to do SSL termination at apache reverse proxy. I am using apache reverse proxy for accesing portal from internet. Apache is configured for SSL and portal is NON SSL.
I am using header variable login module in portal. i wanted to terminate SSL at apache reverse proxy and then all traffic after that should be clear text.
should i maitain any property. is there any documentation for it.
Please help me
TomThe majority of the work here is around configuring your Web Dispatcher and Apache Reverse proxy. The work on the portal is straight forward enabling of SSL.
You can follow http://help.sap.com/saphelp_nw2004s/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm for setting this up.
what level I need to configure SSL and how do I proceed in both scenarios?
Your question itself says where you need SSL. SSL is required where ever you need HTTPS communication.
how do I proceed in both scenarios?
From a portal perspective, the configuration should remain the same.
Do I have to install SSL at portal, web dispatcher or at Apache level?
SSL needs to be configured at all the 3 levels if you are looking at end to end SSL implementation.
See the following for possible SSL implementation options:
http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
https://cw.sdn.sap.com/cw/docs/DOC-115509
Will SSL termination work for scenario 2?
Yes this should work - see http://help.sap.com/saphelp_nw2004s/helpdata/en/36/fd39eacf4cde4a8fe32d7f29b3db16/frameset.htm
However in case of SSL Termination, the request to your portal from the web dispatcher will be sent as HTTP.
I would recommend you to take a step by step (backward approach).
First, enable SSL on your portal and make sure it works - going directly to the server.
Then, you can introduce the Web Dispatcher - and test if every thing works going through the web dispatcher.
Finally - you can test the end to end flow - with your Reverse proxy involved.
- Shanti -
Web Services Round Robin Service Load Balancer Event Endpoint Failure
I keep seeing these errors in the UlsTraceLogs:
SharePoint Web Services Round Robin Service Load Balancer Event: EndpointFailure Process Name: OWSTIMER Process ID: 3748 AppDomain Name: DefaultDomain AppDomain ID: 1 Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:9b3095eda69947b299d2f873bbfee5ad#authority=urn:uuid:a01381a61b244525ab4fec30cde9dc5f&authority=https://ApplicationServerName:port/Topology/topology.svc
Active Endpoints: 2 Failed Endpoints:1 Affected Endpoint:
http://WFEserverName:port/9b3095eda69947b299d2f873bbfee5ad/ProfileService.svc
what do these errors mean?ok, thanks, I'll have a look at that.
Going back to my issue... Since I stopped the User Profile Service on the Application server, now I'm getting these non-stop messages in the log:
SharePoint Web Services Round Robin Service Load Balancer Event: EndpointFailure Process Name: w3wp Process ID: 6088 AppDomain Name: /LM/W3SVC/261708640/ROOT-1-130709594108226406 AppDomain ID: 2 Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:9b3095eda69947b299d2f873bbfee5ad#authority=urn:uuid:a01381a61b244525ab4fec30cde9dc5f&authority=https://ApplicationServerName:port/Topology/topology.svc
Active Endpoints: 2 Failed Endpoints:1 Affected Endpoint:
http://ApplicationServerName:port/9b3095eda69947b299d2f873bbfee5ad/ProfileService.svc
SharePoint Web Services Round Robin Service Load Balancer Event: EndpointFailure Process Name: OWSTIMER Process ID: 8304 AppDomain Name: DefaultDomain AppDomain ID: 1 Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:9b3095eda69947b299d2f873bbfee5ad#authority=urn:uuid:a01381a61b244525ab4fec30cde9dc5f&authority=https://ApplicationServerName:port/Topology/topology.svc
Active Endpoints: 2 Failed Endpoints:1 Affected Endpoint:
http://ApplicationServerName:port/9b3095eda69947b299d2f873bbfee5ad/ProfileService.svc
This time, the messages are referring to the same server - the Application Server. In my original question, I should've differentiated the server names when I pasted the message. Originally the message was referring to the Application
Server and Affected Endpoint was referring to a WFE. I'll edit my original post to make it correct. -
Using ACE for proxy server load balancing
Hello groups,
I wanted to know your experiences of using ACE for proxy server load balancing.
I want to load balance to a pool of proxy servers. Note: load-balancing should be based on the HTTP URL (i can't use source or dest. ip address) so that
a certain domain always gets "cached/forwarded" to the same proxy server. I don't really want to put matching
criteria in the configuration (such as /a* to S1, /b* to S2, /c* to S3,etc..), but have this hash calculated automatically.
Can the ACE compute its own hash based on the number of "online" proxy servers ? ie. when 4 servers are online, distribute domains between 1,2,3,4 evenly.
Should server 4 fail, recalculate hash so that the load of S4 gets distributed across the other 3 evenly. Also load-balancing domains of S1 ,S2 and S3 should not change if S4 fails.....
regards,
GeertThis is done with the following predictor command:
Scimitar1/Admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Scimitar1/Admin(config)# serverfarm Proxy
Scimitar1/Admin(config-sfarm-host)# predictor hash ?
address Configure 'hash address' Predictor algorithms
content Configure 'hash http content' Predictor algorithms
cookie Configure 'hash cookie' Predictor algorithms
header Configure 'hash header' Predictor algorithm
layer4-payload Configure 'hash layer4-payload' Predictor algorithms
url Configure 'hash url' Predictor algorithm
Scimitar1/Admin(config-sfarm-host)# predictor hash url
It does hash the url and the result takes into account the number of active proxies dynamically.
This command has been designed for this kind of scenario that you describe.
Gilles. -
Data Centre Interconnection - firewall and load balancer deployment
Hi all,
I've read lots of Cisco docs/white papers on DCI - Layer 2 extension between DCs, but as yet I cannot find any decent information on how best to deploy firewalls and load balancers in such a design. I've seen refs to FHRP isolation on Nexus 7k (and possible 6k if you use DCI block) but nothing on the services elements.
The services element seems to be a complete minefield here:
- active/standby across sites, or deploy resilient pairs in each site?
- how to align optimal traffic flows inbound and ooutbound (RHI, SNAT, etc.)
- best practice suggestions ideally.
Cisco DCI docs seem to always gloss over the fact that most customers would have to deal with firewalls and load balancers here, and simply refer to 'coming soon' for that info.
If anyone has any good suggestions/links to docs explaining detailed implementation info would be much appreciate
Thanks
PhilYou might want to check out this new product called ITD.
Simple and faster solution:
ITD provides :
ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
IP-stickiness
Resilient (like resilient ECMP)
VIP based L4 load-balancing
NAT (available for EFT/PoC). Allows non-DSR deployments.
Weighted load-balancing
Load-balances to large number of devices/servers
ACL along with redirection and load balancing simultaneously.
Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
The servers/appliances don’t have to be directly connected to N7k
Monitoring the health of servers/appliances.
N + M redundancy.
Automatic failure handling of servers/appliances.
VRF support, vPC support, VDC support
Supported on both Nexus 7000 and Nexus 7700 series.
Supports both IPv4 and IPv6
N5k / N6k support : coming soon
Blog
At a glance
ITD config guide
Email Query or feedback:[email protected] -
Need in depth knowledge about Certficate request and install for Reverse proxy and CAS role
Hi,
I have few confusions about Exchange 2010/13 certificate request and install. As per my understanding best practise is to assign public CA certificate to Reverse proxy and Local CA certificate to CAS servers but need to know that what should be the format
of certificate request? Do we need to order public certificate just for mail.domain.com and add SAN for other web services URLs and is it required to add CAS array and server names to this certificate ? In what case we will add server names and what will happen
if we don't add in it ? How the outlook clients connecting from internet will be using this certificate? I have very limited knowledge in certificates and it always pisses me off. Please help me with explanations and articles. I tried to google and gone through
many articles but didn't get a fair idea. Thanks in advacnce. :)Hi,
Here are my answers you can refer to:
1. Use the New-ExchangeCertificate cmdlet to generate a new certificate request:
New-Exchangecertificate -domainname mail.domain.com, autodiscover.domain.com -generaterequest:$true -keysize 1024 -path "c:\Certificates\xxxx.req” -privatekeyexportable:$true –subjectname "c=US o=domain.com, CN=server.domain.com"
2. CAS array name doesn’t need to be added in the certificate:
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
3. It depends on the situation that you configured to add the server name.
4. Outlook clients use certificate for authentication.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support
Maybe you are looking for
-
for example: this option is available with jedit editor. jedit above cmd always opens a new jedit instance. jedit -reuseview above cmd checks if there is a existing jedit instance if yes brings it to focus else opens up a new one.
-
Created a book and now want to bring in other images to the strip below.
I have created my draft book but I found 25 images were missing from the file I created the book from so I now want to bring in those images which are on a memory stick. I tried importing and they are in a separate file in the catalog. I can't seem
-
Hi all, is there a possibility in 11g to load tables at database starttime from disk to memory and therefore all further "read"-access to this table will handled in memory? best regards georg
-
Hello Everybody, I am trying to restore Exchange 2007 database. I tried to do the soft recovery since my database was in the dirty shutdown and it ran very well since I had all the required logs but still it is in dirty shut down.
-
Exception when call makeNontransactional() on Transient Transactional instance
this fragment causes exception in Kodo v2.4.1 Court coo = Court.newInstance(); jdo.pm().makeTransactional(coo); jdo.pm().makeNontransactional(coo); // evict would causes the same error jdo.pm().evict(coo); javax.jdo.JDOUserException: The instance "cl