Web Dispatcher - Reverse Proxy and Load Balancing

Similar Messages

• Reverse Proxy and Load Balancer for SMP 2.3 and Agentry Application

  Hi Expert,
  I'm putting in place a mobile solution composed by SMP 2.3 SPS 4 and SAP ECC 6.0. In the SMP 2.3 I created the agentry server and I have deployed my agentry application.
  My SMP/Agentry infrastructure is composed by two servers therefore I need a load balancer for balance the load into the several servers. Furthermore I need to use a reverse proxy in my DMZ zone.
  Based on what indicated in the SAP note "1904213 - SAP Mobile Platform Server Release Information" the Apache Reverse Proxy is not supported for Agentry clients. Agentry uses nginx for Reverse Proxy.
  I also found the following document How-to-Guide for Reverse Proxy and Load Balancing in SAP Mobile Platform 3.x that explain how to set-up a reverse proxy and load balancer with nginx and apache.
  Both the SAP note and the HOW to document are refereed to SMP 3.0 and not to SMP 2.3.
  I would know if the NGINX must be used also for SMP 2.3.
  Any suggestion/information is appreciated.
  Thanks in advance
  g.

  Please see Agentry Network Landscapes

• Forms/Reports with Reverse Proxy and Load Balance

  Hello Guys,
  I want to setup an environment with apache as reverse proxy for uses with Forms and Reports.
  Is there any special configuration? Or just config rewrite rules?
  Something like this:
  Users -----> NLB Device -----> Reverse Proxy (Apache - 2 machines) -----> Oracle Application Server (Forms/Reports - N machines)
  Best Regards

  I haven't made one, but I think it should work, just dont forget to use proxypass and prosypassreverse.
  Regards

• Web Dispatcher not doing the load balancing on the portal

  Hi Experts
  I am having a production issue where the SAP web dispatcher is not doing the load balancing on the portal.
  We have ESS/MSS portal with 1 Message server and 2 Application servers. The Web dispatcher is installed on the message server itself. Here is my Web disp profile file
  Profile generated by sapwebdisp bootstrap
  unique instance number
  SAPSYSTEM = 16
  add default directory settings
  DIR_EXECUTABLE = .
  DIR_EXECUTABLE = F:\usr\sap\<SID>\sapwebdisp
  DIR_INSTANCE = .
  Accessibility of Message Servers
  rdisp/mshost = <hostname>.com
  ms/http_port = 8111
  #Log and Trace
  rdisp/TRACE = 2
  SAP Web Dispatcher Parameter
  wdisp/auto_refresh = 120
  wdisp/max_servers = 100
  wdisp/shm_attach_mode = 6
  configuration as per SAP note 538405
  icm/max_conn      = 7000
  icm/max_sockets   = 14000
  icm/req_queue_len = 6000
  icm/min_threads   = 100
  icm/max_threads   = 300
  mpi/total_size_MB = 500
  mpi/max_pipes       = 14000
  wdisp/HTTPS/max_pooled_con = 7000
  SAP Web Dispatcher Ports
  icm/server_port_0 = PROT=HTTP,PORT=8888
  SSL
  icm/server_port_1 = PROT=ROUTER,PORT=443, TIMEOUT=60
  SAP Web Dispatcher Web Administration
  icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt
  wdisp/enable_j2ee_groups = TRUE
  wdisp/HTTPS/sticky_mask = 255.255.255.255
  In my Web dispatcher Admin page, I see all the three application servers, however the requests are going to only 1 App server. We are using ENd to End SSL configuration for the web dispatcher.
  We also have a reverse proxy in the landscape and reverse proxy is forwarding all the requests to the Web dispatcher. In Web disp Admin page>Dispatching Module>SSL End to END dispatching, I see only ONE table entry in the dispatching table and it is our Reverse Proxy.
  As all the requests are coming from only one source (Reverse proxy), it seems to me that the sap web dispatcher  is forwarding those to the same Application server every time.
  Can anyone please advise ?
  I also tried to configure logon group in NWA, the web dispatcher is detecting the logon group and all the app servers in the logon group. It still not doing the load balancing.
  I would greatly appreciate any help.
  Thanks
  Viny

  Vincent, can you please elaborate more ?  Is the web dispatcher not able to recognize stateful and stateless application requests ?
  I saw that the procedure for configuring SSL Termination on Web dispatcher is long and complicated and looks like SAP web dispatcher needs to have SSL certificate of its own. As we have no ABAP servers and only Java servers, I can not even create the PSEs using STRUST (as described in SAP help -http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/99c388d7c46bb9e10000000a42189d/frameset.htm
  We already have SSL certificates for Java App servers.
  I suppose there should be a way for web dispatcher to identify the incoming requests and forward to appropriate application servers.
  Any help is much appreciated.
  Thanks
  Viny

• Sun Web Server Reverse Proxy and Weblogic HTTP to HTTPS redirection

  Hi,
  I am currently testing reverse-proxy from SJSW 7.0 update 5 to Weblogic server but I have encountered an issue.
  I have configured a context root to be forwarded to weblogic:
  Web Server: www.server.com
  URI: /path
  Reverse Proxy URL: wlserver:9000
  When I access https://www.server.com/path, I am getting the correct page. The issue is, the weblogic server is configured to redirect HTTP access to HTTPS, i.e., when I access http://www.server.com/path, it should be redirected to https://www.server.com/path. However, that is not the case. What happens is that I am being redirected instead to https://www.server.com/.
  If I don't use reverse proxy, that is, if I use the libproxy.so from weblogic, I get the correct redirection.
  Would appreciate it very much if someone can help me troubleshoot this issue.
  Thanks in advance!
  Edited by: agent_orange on Jul 29, 2010 2:30 AM
  Edited by: agent_orange on Jul 29, 2010 2:31 AM

  I am not sure, how you have configured your reverse proxy since you didn't attach / refer your current configuration file. this is how I would do it..
  - create a new configuration (using web server 7 admin gui , within configuration wizard, disable java option if you plan to use web server 7 only for reverse proxy)
  - select this new configuration and go to reverse proxy and try to reverse proxy / to the origin server.
  that is all it should need.
  your obj.conf or <hostname>-obj.conf depending on your configuration should look like following snippet
  <Object name="default">
  AuthTrans..
  NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
  </object>
  <Object name="reverse-proxy-/">
  Route fn=....
  Service ..
  </Object>
  this is all you should need..
  However, if you wanted to add complexity to your configuration, you could do some thing like
  <Object name="default">
  Auth..
  <If defined $security>
  NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
  </If>
  </Object>
  <Object name="reverse-proxy-/">
  Route...
  </Object>

• SAP Web Dispatcher & Reverse Proxy

  Hello,
  We are currently using Novell's iChain product for our reverse proxy (RP) to our EP7 Portal which in turn is connected to BW, CRM, & R/3.  Can SAP's Web Dispatcher (WD) perform the same RP functions as iChain in this type of scenario?
  For example, we have one iChain server which performs RP functions for EP7 which is also connected to BW, CRM, & R/3.  We like to replace our iChain product and have been looking at WD.  But, it doesn't look like a single WD instance can act as a RP for more than one system at a time.  In other words, I setup a test WD system and pointed it at our EP7 system.  It works fine for anything coming from EP7.  But, for any iviews that point to BW, CRM, or R/3, it doesn't work, which makes sense since there doesn't seem to be anywhere I can define those systems in the WD.  But could WD do this and I'm just not reading the documentation correctly? (Yes, I have been all over help.sap.com in regards to WD)
  I did find the following SAP note, 740234, that discusses this to an extent, but it is mostly about load balancing across disparate systems, not RP functionality across disparate systems.  Thus, I'm not sure this applies.  Assuming this note is correct from a RP viewpoint, can I just run multiple WDs all on the same standalone system?  Also, if that is the case, how is it that when I call a BW iView from the Portal, it knows to go through the other WD setup on that system?
  Bottom line is, does/will SAP's WD perform the same functions as iChain or should we be looking elsewhere?
  Hope that all made sense!
  Thanks,
  Tom

  Hello Benny,
  For the sake of simplicity, lets say I have a portal called 'ABC' and a BW system called 'XYZ'.  So, to access the portal directly, without going through the iChain RP, I would enter http://abc.company.com/  but going through the RP, I would enter something like http://MyPortal.company.com/ and iChain knows it should direct the traffic to ABC.
  In the portal, I have a XYZ defined in the System Landscape.  Then in the portal, I create an iView that uses the BW system defined in the System Landscape.
  Again, without going through the RP, if I click on the XYZ iView in the portal, it connects to XYZ to get whatever info it needs from XYZ and presents it back, through the portal.  But, the URL behind that iView, goes to http://xyz.company.com.  But, if I do all the same things, this time going through the RP, it understands that it needs to be the RP for both ABC and XYZ and acts accordingly.
  Does that make more sense?  Can WD also act in this fashion?  As far as user management goes, that is done with LDAP.
  Thanks,
  Tom

• Using reverse proxy for load balancing

  Hello,
  i have succesfully configured a reverse proxy ( Sun Web Server 7 ) to balance load between two application servers ( Sun Application Server 9.1), however i do not want randon assignment of requests using a round robin algorithm ( default option in Sun Web Server 7) but rather i want to apply a 80/20 rule so that one application server will receive 80% of the requests and the other will receive 20%.
  Is there a way of performarming such a task.
  your help is really appreciated.
  thank you

  thank you for the reply,
  actually i tried it yesterday and it seems to work.
  in my reverse proxy settings i added one server two times and the other once and 66% of the requests were forwarded to the first server.
  now i have enabled the scenario that you are mentioning above and i so far requests seem to be proceced using the 80% 20% scenario.

• Web Dispatcher - Portal & Backend systems load balancing

  Good Day,
  I am currently in the process of setting up a web dispatcher for the Backend systems via the Portal.
  I have already installed a web dispatcher to handle the Portal load balancing and this works perfect.
  The SAP system landscape will be created using load balancing, currently it is set to Dedicated.
  Question:
  Do i change the ITS and WAS settings to point to the web dispatcher or leave them currently pointing to the backend systems?
  ITS = hostname :8000
  WAS = hostname : 8000
  Many thanks,
  Morgan Moodley

  Hi Morgan,
  You point them at the web dispatcher.
  Paul

• Reverse Proxy plug in and Load Balancer Plug in

  Hi,
  Can anyone please provide me with an example obj.conf file showing how to combine the reverse proxy plug-in and Load Balancer plug-in.
  I would like to use the reverse proxy plug in to detect when static content is requested and provide this from the web server. Requests for dynamic content would then be forwarded to an Application server via the Load balancer plug-in. I have found plenty of documentation on how to configure these plug-in separately but nothing on how to combine the two.

  smiking
  reverse proxy plugin - its job is to forward the requests to another server for a specific task. you can use the webserver 7 . it does forward and limited load balancing (using round robin ) based on the number of servers you provide in the configuration. i would say this is a poor man's setup.
  load balancer plugin - some app servers like sun java system app server or web logic provide this plugin so that you can effectively use the back end app server
  with both these setup, you can <if> constructs to determine which requests need to be forwarded to the back end server.
  I wonder, why do you need both - if both of them is designed to do the same thing.

• Arrowpoint Cookies, Reverse Proxy and Multiplexed Client Requests

  Hi,
  I have a reverse proxy which is performing SSL offload and making backend connections to two web servers. Between the reverse proxy and the two webservers, a CSS is in place to load balance between the web servers. There is a requirement for session stickiness on the web servers and since client IP details are lost through the reverse proxy I have used the arrowpoint-cookie method to load balance connections.
  However, the reverse proxy seems to make only a handful of connections to the servers compared to the number incoming client connections and we have noticed that stickiness is broken. Now, I would assume this is correct if arrowpoint-cookie makes a load balancing based on the first HTTP get in a tcp stream and not on a per transaction basis AND our reverse proxy is multiplexing client requests. However, I can not convince myself of how the arrowpoint-cookie method actually works.
  I wondered if anyone had any insight on this or had experienced similar issues with arrowpoint cookies?

  Hi Gilles,
  I have implemented this today, and we are still seeing issues with requests hitting the wrong server.
  A bit more info, the reverse proxy is an AXG Web Aopplication Firewall. I have been looking at this and am considering disabling connection re-use on here.
  However I am also wondering if this might be to do with the flow timeout multiplier I am using which is 5 (80 seconds). Perhaps this is too low?
  Thanks, David.

• Apache reverse proxy and SSL termination

  Hi Guru's
      Can anyone tell me, how to do SSL termination at apache reverse proxy. I am using apache reverse proxy for accesing portal from internet. Apache is configured for SSL and portal is NON SSL.
  I am using header variable login module in portal. i wanted to terminate SSL at apache reverse proxy and then all traffic after that should be clear text.
  should i maitain any property. is there any documentation for it.
  Please help me
  Tom

  The majority of the work here is around configuring your Web Dispatcher and Apache Reverse proxy. The work on the portal is straight forward enabling of SSL.
  You can follow http://help.sap.com/saphelp_nw2004s/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm for setting this up.
  what level I need to configure SSL and how do I proceed in both scenarios?
  Your question itself says where you need SSL. SSL is required where ever you need HTTPS communication.
  how do I proceed in both scenarios?
  From a portal perspective, the configuration should remain the same.
  Do I have to install SSL at portal, web dispatcher or at Apache level?
  SSL needs to be configured at all the 3 levels if you are looking at end to end SSL implementation.
  See the following for possible SSL implementation options:
  http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
  https://cw.sdn.sap.com/cw/docs/DOC-115509
  Will SSL termination work for scenario 2?
  Yes this should work - see http://help.sap.com/saphelp_nw2004s/helpdata/en/36/fd39eacf4cde4a8fe32d7f29b3db16/frameset.htm
  However in case of SSL Termination, the request to your portal from the web dispatcher will be sent as HTTP.
  I would recommend you to take a step by step (backward approach).
  First, enable SSL on your portal and make sure it works - going directly to the server.
  Then, you can introduce the Web Dispatcher - and test if every thing works going through the web dispatcher.
  Finally - you can test the end to end flow - with your Reverse proxy involved.
  - Shanti

• Web Services Round Robin Service Load Balancer Event Endpoint Failure

  I keep seeing these errors in the UlsTraceLogs:
  SharePoint Web Services Round Robin Service Load Balancer Event: EndpointFailure Process Name: OWSTIMER Process ID: 3748 AppDomain Name: DefaultDomain AppDomain ID: 1 Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:9b3095eda69947b299d2f873bbfee5ad#authority=urn:uuid:a01381a61b244525ab4fec30cde9dc5f&authority=https://ApplicationServerName:port/Topology/topology.svc
  Active Endpoints: 2 Failed Endpoints:1 Affected Endpoint:
  http://WFEserverName:port/9b3095eda69947b299d2f873bbfee5ad/ProfileService.svc
  what do these errors mean?

  ok, thanks, I'll have a look at that.
  Going back to my issue...  Since I stopped the User Profile Service on the Application server, now I'm getting these non-stop messages in the log:
  SharePoint Web Services Round Robin Service Load Balancer Event: EndpointFailure Process Name: w3wp Process ID: 6088 AppDomain Name: /LM/W3SVC/261708640/ROOT-1-130709594108226406 AppDomain ID: 2 Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:9b3095eda69947b299d2f873bbfee5ad#authority=urn:uuid:a01381a61b244525ab4fec30cde9dc5f&authority=https://ApplicationServerName:port/Topology/topology.svc
  Active Endpoints: 2 Failed Endpoints:1 Affected Endpoint:
  http://ApplicationServerName:port/9b3095eda69947b299d2f873bbfee5ad/ProfileService.svc
  SharePoint Web Services Round Robin Service Load Balancer Event: EndpointFailure Process Name: OWSTIMER Process ID: 8304 AppDomain Name: DefaultDomain AppDomain ID: 1 Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:9b3095eda69947b299d2f873bbfee5ad#authority=urn:uuid:a01381a61b244525ab4fec30cde9dc5f&authority=https://ApplicationServerName:port/Topology/topology.svc
  Active Endpoints: 2 Failed Endpoints:1 Affected Endpoint:
  http://ApplicationServerName:port/9b3095eda69947b299d2f873bbfee5ad/ProfileService.svc
  This time, the messages are referring to the same server - the Application Server.    In my original question, I should've differentiated the server names when I pasted the message.  Originally the message was referring to the Application
  Server and Affected Endpoint was referring to a WFE.   I'll edit my original post to make it correct.

• Using ACE for proxy server load balancing

  Hello groups,
  I wanted to know your experiences of using ACE for proxy server load balancing.
  I want to load balance to a pool of proxy servers. Note: load-balancing should be based on the HTTP URL (i can't use source or dest. ip address) so that
  a certain domain always gets "cached/forwarded" to the same proxy server. I don't really want to put matching
  criteria in the configuration (such as /a* to S1, /b* to S2, /c* to S3,etc..), but have this hash calculated automatically.
  Can the ACE compute its own hash based on the number of "online" proxy servers ? ie. when 4 servers are online, distribute domains between 1,2,3,4 evenly.
  Should server 4 fail, recalculate hash so that the load of S4 gets distributed across the other 3 evenly. Also load-balancing domains of S1 ,S2 and S3 should not change if S4 fails.....
  regards,
  Geert

  This is done with the following predictor command:
  Scimitar1/Admin# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Scimitar1/Admin(config)# serverfarm Proxy
  Scimitar1/Admin(config-sfarm-host)# predictor hash ?
    address         Configure 'hash address' Predictor algorithms
    content         Configure 'hash http content' Predictor algorithms
    cookie          Configure 'hash cookie' Predictor algorithms
    header          Configure 'hash header' Predictor algorithm
    layer4-payload  Configure 'hash layer4-payload' Predictor algorithms
    url             Configure 'hash url' Predictor algorithm
  Scimitar1/Admin(config-sfarm-host)# predictor hash url
  It does hash the url and the result takes into account the number of active proxies dynamically.
  This command has been designed for this kind of scenario that you describe.
  Gilles.

• Data Centre Interconnection - firewall and load balancer deployment

  Hi all,
  I've read lots of Cisco docs/white papers on DCI - Layer 2 extension between DCs, but as yet I cannot find any decent information on how best to deploy firewalls and load balancers in such a design. I've seen refs to FHRP isolation on Nexus 7k (and possible 6k if you use DCI block) but nothing on the services elements.
  The services element seems to be a complete minefield here:
  - active/standby across sites, or deploy resilient pairs in each site?
  - how to align optimal traffic flows inbound and ooutbound (RHI, SNAT, etc.)
  - best practice suggestions ideally.
  Cisco DCI docs seem to always gloss over the fact that most customers would have to deal with firewalls and load balancers here, and simply refer to 'coming soon' for that info.
  If anyone has any good suggestions/links to docs explaining detailed implementation info would be much appreciate
  Thanks
  Phil

  You might want to check out this new product called ITD.
  Simple and faster solution:
  ITD provides :
  ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
  No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
  Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
  Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
  IP-stickiness
  Resilient (like resilient ECMP)
  VIP based L4 load-balancing
  NAT (available for EFT/PoC). Allows non-DSR deployments.
  Weighted load-balancing
  Load-balances to large number of devices/servers
  ACL along with redirection and load balancing simultaneously.
  Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
  Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
  Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
  The servers/appliances don’t have to be directly connected to N7k
  Monitoring the health of servers/appliances.
  N + M redundancy.
  Automatic failure handling of servers/appliances.
  VRF support, vPC support, VDC support
  Supported on both Nexus 7000 and Nexus 7700 series.
  Supports both IPv4 and IPv6
  N5k / N6k support : coming soon
  Blog
  At a glance
  ITD config guide
  Email Query or feedback:[email protected]

• Need in depth knowledge about Certficate request and install for Reverse proxy and CAS role

  Hi,
  I have few confusions about Exchange 2010/13 certificate request and install. As per my understanding best practise is to assign public CA certificate to Reverse proxy and Local CA certificate to CAS servers but need to know that what should be the format
  of certificate request? Do we need to order public certificate just for mail.domain.com and add SAN for other web services URLs and is it required to add CAS array and server names to this certificate ? In what case we will add server names and what will happen
  if we don't add in it ? How the outlook clients connecting from internet will be using this certificate? I have very limited knowledge in certificates and it always pisses me off. Please help me with explanations and articles. I tried to google and gone through
  many articles but didn't get a fair idea. Thanks in advacnce. :) 

  Hi,
  Here are my answers you can refer to:
  1. Use the New-ExchangeCertificate cmdlet to generate a new certificate request:
  New-Exchangecertificate -domainname mail.domain.com, autodiscover.domain.com -generaterequest:$true -keysize 1024 -path "c:\Certificates\xxxx.req” -privatekeyexportable:$true –subjectname "c=US o=domain.com, CN=server.domain.com"
  2. CAS array name doesn’t need to be added in the certificate:
  http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
  3. It depends on the situation that you configured to add the server name.
  4. Outlook clients use certificate for authentication.
  If you have any question, please feel free to let me know.
  Thanks,
  Angela Shi
  TechNet Community Support