
WebMux User Manual v9.2 (CAI Networks

Contents

1. Diagram: Server 1 (IP 10.3.1.10), Server 2 (IP 10.3.1.20), Server 3 (IP 10.3.1.30), each with gateway 10.1.1.1. The installation requires two WebMux units. One will be the primary and the other the secondary. They connect together with an Ethernet cable, either crossover or through a hub or switch. The primary's Backup interface IP address is 192.168.255.253; the secondary's Backup interface IP address is 192.168.255.254. They cannot be changed. Both WebMux units connect to the Router LAN and to the Server LAN. Each WebMux interface has a unique IP address. The registered Internet IP address range is a class C address range. The IP address of the WebMux units' Virtual Farms must be in the same network range as the Internet router. The WebMux translates the Router LAN IP addresses to an internal non-routable class A address. In this example the subnet mask is 255.0.0.0. The IP addresses of the WebMux interfaces attached to the Server LAN are 10.1.1.10 and 10.1.1.20. The Default Gateway for all the servers is 10.1.1.1. Farm 1 IP address is 205.133.156.200. Servers 1 and 2 serve Farm 1. Farm 2 IP address is 205.133.156.210. Servers 2 and 3 serve Farm 2. Changes to the servers: change the default gateway to 10.1.1.1, as well as the IP addresses to the 10.3.1.10/20/30 addresses. If on the server there is a service attached to the IP address
2. have added a new farm server but the changes are not showing up on the STATUS screen. The web browser cache may be the cause of this. If the new configuration does not appear after clicking on Reload or Refresh, then clear the cache or temporary files on the browser. Will my web server be able to communicate to a credit card validation service like Cybercash? Yes. For any communication initiated from the internal or private network, the WebMux will substitute the IP address of its router LAN interface for the IP address of the host initiating the conversation. For any service that requires a specific IP address to allow communication into their network, the IP address of the router LAN interface must be the one provided. We have had CyberCash engineers work with us to test this. Can I use the WebMux as a proxy server for other hosts in my internal network? Yes. The function that allows the web servers to talk to services such as the credit card validation allows the WebMux to function as a proxy server for any host in the internal network. The WebMux will translate all internal addresses to the IP address of the first farm defined. This is the farm that is created when answering the question "WebMux Router LAN IP address". Configuring other computers to use the WebMux unit's proxy function is easy: just point the gateway IP address to the WebMux backend IP address. Do I need to have a firewall in front of the WebMux? In most cas
3. Two extra options are available: Match Pattern and Pattern is Anchored. Match Pattern: This is the pattern that will need to match the client request data to access this server. It is in extended regular expression format. In previous versions the pattern was restricted to 50 bytes in length. From version 8.6 firmware, the match pattern length was enlarged to 100 bytes. Please refer to Appendix G for some match pattern examples. Pattern is Anchored: This means that the match pattern will be checked against the very beginning of the string following the "http://". Note: If you chose Layer 7 URL load directing with cookies or URL cookie load directing with cookies as the scheduling method, the match pattern is also compared to the host MIME header. In other words, you can use a host name as a match pattern criterion. Virtual Host Load Directing: If you selected Layer 7 virtual host load directing with cookies as the scheduling method, the add server screen will look slightly different. [Screenshot: add server screen for farm 192.168.12.101:80, with fields IP address, port number, label, weight, run state and virtual host name]
4. External Gateway IP address: 205.133.156.1; Remake /home/WebMux/conf/passwd: Y; Administration HTTP Port Number: 24; Secure Administration HTTPS Port Number: 35; Is this WebMux primary: Y; WebMux running solo without backup: Y; Reboot: Y. You will also need to change the Web server IP address to 192.168.199.10 and its default gateway to 192.168.199.1. Add a farm for 205.133.156.200 and add a server to the farm at 192.168.199.10. You can then add more servers at 192.168.199.20 and 192.168.199.30. You can also add an additional farm at 205.133.156.210 and add the above three servers to the second farm. 9.2.2 Standalone WebMux Transparent Mode. Configuration Before WebMux Installation (Equipment: IP Address): Internet Router or Firewall Address: 205.133.156.1; Webserver's Default Gateway: 205.133.156.1; Web Site IP Address: 205.133.156.200. Configuration After WebMux Installation (Question: Entry): Host Name: WebMux; Domain Name: avanu.com; NAT, Transparent, Single Network, or Out-of-Path: Transparent. Bridge Information: Bridge IP Address: 205.133.156.210; Bridge IP Network Mask: 255.255.255.0; WebMux farm IP Address: 205.133.156.200; front (Router LAN) VLAN ID (optional): 101; back (Server LAN) VLAN ID (optional): 102. Administration Setup Information: External Gateway IP address: 205.133.156.1; Remake /home/WebMux/conf/passwd: Y; Administrati
5. Diagram: Primary WebMux (WebMux's IP on Router LAN 205.133.156.220; External Router IP 205.133.156.1; Server LAN IP 192.168.199.251; Server LAN Netmask 255.255.255.0; Server LAN Gateway 192.168.199.1); Server 1 (IP 192.168.199.10), Server 2 (IP 192.168.199.20), Server 3 (IP 192.168.199.30), each with gateway 192.168.199.1. This installation requires one WebMux. One WebMux interface (Internet) connects to the Router LAN. The other interface connects to the Server LAN. The WebMux translates the Router LAN IP addresses to an internal non-routable class C address. In this example the netmask is 255.255.255.0. The IP address of the WebMux interface on the Router LAN is 205.133.156.220. The IP address of the WebMux interface attached to the Server LAN is 192.168.199.251. The Default Gateway for all the servers is 192.168.199.1. Farm 1 IP address is 205.133.156.200. Servers 1 and 2 serve Farm 1. Farm 2 IP address is 205.133.156.210. Servers 2 and 3 serve Farm 2. Changes to the server: change the default gateway to 192.168.199.1, as well as the IP address to the 192.168.199.xxx subnet. If on the server there is a service attached to the IP address (HTTP(S), FTP, etc.), please make sure the service will run on the new IP address. Note: Although the WebMux can work with any IP address range, all server IP addresses should be Internet non-routable addresses so that the sou
6. The default passwords are: ID superuser, password superuser; ID webmux, password webmux. It is recommended to change the passwords periodically. No new user ID can be added. Login: After entering the correct password, click Login. Note: For first-time setup, please log in as superuser and go to the Administration Setup by clicking the Setup button. It is important to set up the Server Farm Gateway IP address and network mask first. If only HTTPS management login is allowed, go to setup and set the first port number for the HTTP/HTTPS management port to 0. Note: For customers who have configured TACACS support, the login screen will display the TACACS user login field and password. WebMux will validate the user to the TACACS server specified in the Setup screen. Please refer to that section for details. 6.2 Main Management Console. [Screenshot: main status screen showing a WRR HTTP farm with 3 servers (192.168.11.10, 192.168.11.11 and 192.168.11.12, each weight 1), all ALIVE] Once logged in to the Management Console, the main screen will show. To continue config
7. AVANU WebMux Load Balancers User Guide, Version 9.2, for Models 4 and 5. IPv4 to IPv6 Ready. Flood Control. NOTICE: This is notification that AVANU has recently acquired the CAI Networks WebMux and DNSMux Load Balancer and Application Delivery Controller Product Line. Please be advised AVANU will now cover all product warranty, firmware updates, and technical support. 1-888-248-4900 Extension 202 (US Toll Free Telephone); 1-408-248-8960 (International); techsupport@avanu.com; 8:00 am to 5:00 pm PT, Monday to Friday, except US Holidays. If you purchased the Premium Annual Support along with your product, you should have received information on a separate document. AVANU has been involved in supporting CAI Networks load balancers for many years. You can be assured that you will receive the same high quality service and support. Thank you for purchasing WebMux. About AVANU LLC: Based in the Silicon Valley of California and established in 1997, with a satellite office in the Washington DC area, AVANU is a network infrastructure product manufacturer and worldwide value-added supplier of networking products and services. AVANU's focus is on products for IT network infrastructure and data center environments, including network design and product implementation services. AVANU is a certified participant in the U.S. SBA's 8(a) SDB development program, DoD CCR and IAE's ORCA certified. Web
9. [Dialog text: certificate file formats listed include PFX/P12, Cryptographic Message Syntax Standard PKCS #7 Certificates (P7B), and Microsoft Serialized Certificate Store (SST).] vi. Open: Be sure to select the Personal Information Exchange (p12) format. [Screenshot: Open file dialog] vii. Enter the password you created at 7a. [Dialog text: Password. To maintain security, the private key was protected with a password. Type the password for the private key. Options: Enable strong private key protection (you will be prompted every time the private key is used by an application if you enable this option); Mark this key as exportable (this will allow you to back up or transport your keys at a later time); Include all extended properties.] viii. Click the Next button. Dialog text: Certificate stores are system areas where certificates are kept. Windows can automatically select a certificate store, or you can specify a location for the certificate. Automatically select the certifica
10. To activate the configuration immediately without rebooting: nwconfig -I newISP. If you need to assign a VLAN ID for the additional network, use the -v option: nwconfig -A newISP -i 192.168.14.21 -g 192.168.14.1 -v 200. In NAT mode, if you do not specify a gateway IP, the new network will be put on the Server LAN side. If you will be pairing up WebMux units in a failover configuration, we recommend that you perform these preliminary configurations first, before attempting to connect the two units together. K.1 Important Considerations Pertaining Only to Additional Network Configurations. NAT Mode, VLAN, and Server LAN Gateway IP: In NAT mode, the interface assigned for the additional network depends on whether or not you specify a gateway IP. If you specify a gateway IP, the additional network IP will be configured on the Router (Internet) LAN interface, for multiple uplink. Otherwise, it will be used on the Server LAN interface to create additional networks for the server LAN side. We recommend that you set up different tagged VLANs for each additional network you set up for the WebMux. If you already have a VLAN ID configured for your original network configuration and you do not specify a VLAN ID for your additional network configuration with nwconfig, the additional network will use the same VLAN ID that you specified for your original network configuration. Even though the WebMux allows for this kind of configuration, it is generally not re
11. [Screenshot: setup screen with fields connection timeout, NTP time server IP address, reset stranded TCP connections, route returning layer 4 load balanced traffic whence original client traffic came, front proxy addresses (SNAT), insert X-Forwarded-For (SNAT only)] IPv6 96-bit Address Prefix: To load balance in IPv6, you will set the option field of an IPv6 address prefix. The IPv4 addresses will be appended to this prefix. For example, if you assigned 192.168.12.21 for the WebMux unit's server LAN IP and you assigned fec0:: as the IPv6 prefix, the WebMux unit's complete IPv6 address will be fec0::192.168.12.21 or fec0::c0a8:c15. See also Appendix H for extra info on using IPv6. Server for email notification: The WebMux can send email notifications. Enter the IP address of the email server that will forward the notifications. Note: Because the WebMux does not resolve names, this entry must be an IP address. Also, you must allow relaying from the WebMux IP on your email server in order to accept emails from the WebMux. Addresses for email notification: Enter the email addresses to be notified. Separate multiple addresses with a colon. For example: johndoe@anywhere.com:janedoe@anywhere.com. UDP syslog server IP address notification: The WebMux can be configured to send syslog messages to a remote syslogd server. Enter the syslogd server IP
12. [Screenshot: layer 7 check management screen, with fields cookie name, use session cookies, and web service management cookie] Cookie Name: By default, the Layer 7 persistence cookies the WebMux creates are named WEBMUX_SID. Use this field to enter the cookie name that is required for your environment. Use Session Cookies: By default, the cookies that the WebMux issues for Layer 7 persistence follow the same expiration parameters as the original cookies issued by the servers themselves. Setting this parameter to YES will cause the WebMux to issue cookies that have no expiration. These cookies will remain active only during the browser session. Closing the browser will delete the cookie. Web Service Management Cookie: By default, the WebMux will issue a Layer 7 persistence cookie only if the server originally created its own cookie first. This option will cause the WebMux to always issue a Layer 7 persistence cookie, regardless of whether or not the server originally issued its own. 7.12 Monitor Traffic History Chart: To monitor the traffic history, the WebMux keeps some of its statistics information in memory while running. Please note that this information will be lost once the WebMux is rebooted.
13. [Screenshot: routing table with the "make indicated changes" drop-down selected. Routes (address / mask / gateway): 192.168.255.252 / 255.255.255.252 / 0.0.0.0; 192.168.12.0 / 255.255.255.0 / 0.0.0.0; 192.168.11.0 / 255.255.255.0 / 0.0.0.0; 127.0.0.0 / 255.0.0.0 / 0.0.0.0; 0.0.0.0 / 0.0.0.0 / 192.168.12.1] Routes displayed that are grayed out cannot be modified. To add a route, make sure "make indicated changes" is selected in the drop-down menu, click the add checkbox, and fill in the remaining fields. Click the confirm button. Your new route should appear along with a delete checkbox. You can click on the delete checkbox and click confirm to delete the selected route. Please remember that even though a new route is immediately active once you click the confirm button, it is not automatically saved and will get lost if the WebMux is rebooted or powered off. To save your settings, select "save displayed table" from the drop-down menu and click the confirm button. If you made unsaved changes and want to quickly revert back to your previously saved settings, select "restore last saved table" from the drop-down menu and click the confirm button. To get to the CLI, you can either telnet or ssh in to the WebMux diagnostic port. By default it is port 77 for ssh and port 87 for telnet. Log in as superuser. Issue the route command to modify the routing table. The network interfaces are as
14. 1024bit RSA terminations sec Round trip Max Layer 7 Connections s Max SSL Certificates Supported HTTP Compression TCP Optimization Load Balancing Methods Traffic Management Methods Fault Tolerance Security Topology 10 100 1000 Ethernet 481SD 1 440 000 a 592SGQ 2 880 000 a 690PG 5 760 000 a 65 000 100 000 200 000 1 7 GBits 2 7 GBits 4 GBits 2 000 MB s 3 000 MB s 4 000 MB s 300 600 4 000 1 600 b 2 600 c 50 000 100 000 144 000 32 d 32 d 32 d Yes Yes Yes Yes Yes Yes Cookie content based URL based Round robin Persistent round robin Weighted round robin Persistent weighted round robin Least connections Persistent least connections Weighted least connections Persistent weighted least connection URL based content switch Cookie based content switch Diskless design Port aggregation Failover via network connection optional on all models Failover via Multiple ISP links Failover via Ethernet link Service aware Server aware Backup server Flood Control IP level protection for DDoS Attacks Network Address Translation NAT SNAT TCP SYN protection Address Mapping Port mapping TCP DoS protection Smart DDos protection HTTPS SSH management IPv4 and IPv6 Support Yes x3 20 Ports Built in switch 12 Device Support Interface to switches Management Service Support Physical Rack Mount Form Factor Redundant Power Supply Power Consumption Max 11
15. 255) DESCRIPTION: The assigned name of this WebMux unit. 1.3.6.1.4.1.27182.3.1.1.1.13.0 caiWebMuxPrimary.0; SYNTAX: INTEGER { true(1), false(2) }; DESCRIPTION: The value of this object is true(1) if this WebMux is the primary partner of a redundant pair or is running solo. The value of this object is false(2) if this WebMux is the secondary partner of a redundant pair. 1.3.6.1.4.1.27182.3.1.1.1.6.0 caiWebMuxSerialNumber.0; SYNTAX: OCTET STRING (0..255); DESCRIPTION: The unique serial number of this unit. 1.3.6.1.4.1.27182.3.1.1.4.1.4.x.y caiWebMuxServerAddressIPv4.x.y; SYNTAX: IpAddress; DESCRIPTION: The IPv4 address of this server. 1.3.6.1.4.1.27182.3.1.1.4.1.5.x.y caiWebMuxServerAddressIPv6.x.y; SYNTAX: OCTET STRING (16); DESCRIPTION: The IPv6 address of this server. 1.3.6.1.4.1.27182.3.1.1.4.1.9.x.y caiWebMuxServerConnections.x.y; SYNTAX: Counter32; DESCRIPTION: The current number of connections being serviced by this server. The total number of connections serviced by this server. (XXX delete as appropriate) 1.3.6.1.4.1.27182.3.1.1.4.1.10.x.y caiWebMuxServerConnectionsPerSec.x.y; SYNTAX: Gauge32; DESCRIPTION: The current rate of connections being serviced by this server. 1.3.6.1.4.1.27182.3.1.1.4.1.14.x.y caiWebMuxServerError.x.y; SYNTAX: Integer32; DESCRIPTION: most recent error code for server, if available. 1.3.6.1.4.1.27182.3.1.1.4.1.7.x.y caiWebMuxServerL7
16. Rev 100612. PRODUCTS & PRODUCT SPECIFICATIONS SUBJECT TO CHANGE WITHOUT NOTICE. Copyright 2012 AVANU LLC. All rights reserved. AVANU is a registered trademark of AVANU LLC. AVANUAdvantage, AVANews, BAM, DNSMux, Flood Control, MAP and WebMux are trademarks
17. A.2 Configuring the MS Loopback Adapter. If not there already, go to Start > Settings > Control Panel > Network > Protocols tab. Select TCP/IP and click the Properties button. You should be at the Microsoft TCP/IP Properties dialog box. Be sure the MS Loopback Adapter is the Adapter selected. Enter your farm IP address for IP address. Subnet should match your servers; change it if not. Make sure not to enter a Default Gateway or DNS for this loopback adapter. Click Apply, then OK, then Yes when prompted to restart the computer. For Windows 2003 Server, make sure the metric is the highest number in the routing table, and stop here. Note: The highest number meaning 1000 is higher than 100. You need to make sure that the Loopback Adapter has the highest number in the routing table. Giving a lower number means a higher priority. You want the Loopback Adapter to have the lowest route priority, therefore a higher number value. For Windows 2000/NT systems, please proceed to Appendix B to remove the route entry in the routing table. If you are noticing that the Loopback Adapter is picking up or creating NetBIOS chatter, you will need to turn off anything related to Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, and WINS. Right-click on the Loopback Adapter icon and click on Properties. In the Networking tab, unselect Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. Ne
18. (HTTP(S), FTP, etc.), please make sure the service will run on the new IP address. Note: Although the WebMux can work with any IP address range, all server IP addresses should be Internet non-routable addresses so that the source address from the Internet does not conflict with the IP addresses on the Server LAN. Note: If there is a firewall between the WebMux and the Internet Router, a rule must be defined in the firewall to allow the IP address of the WebMux interfaces on the Router LAN, in addition to the farm IP address (could be same as the WebMux Router LAN IP address), to communicate out to the Internet on all ports. Since the WebMux is doing Network Address Translation of the farm address to a non-routable address, the farm addresses on the WebMux must be able to communicate outbound on all ports defined in the farms. 4.3 Installation without IP Address Change (Two-Armed Transparent Mode). Diagram (Transparent Mode with Redundant WebMux Installation): Public IP 65.25.35.156 NATed to farm IP 192.168.112.35; private network 192.168.112.0, netmask 255.255.255.0, gateway IP 192.168.112.1 (firewall/router); switch with STP enabled; Terminal 1 IP 192.168.112.40, gateway 192.168.112.1; crossover cable connected to the WebMuxes' backup ports; Primary WebMux IP on the network 192.168.112.38; Secondary WebMux IP on the network 192.168.112.39; Terminal 2 IP 192.168.112.41, gateway 192.168
19. In this screen, you will need to specify the virtual host name of the server you are adding. The WebMux will use this host name when it does the server health check and as the match pattern to direct clients to the correct site. 7.7 Modify Server: Modify Server can be invoked by clicking on the server IP address on the Status screen. [Screenshot: modify server screen for server 192.168.11.10, showing the server's current state and connections, with fields label, weight, and run state] Destination server IP address and port number: These parameters are set in the Add Server screen. Once set, these fields cannot be modified. To correct this setting, delete the server and add a new one. Label: The label can be changed at any time. The change will not affect how the server is performing in the farm; rather, it is for description purposes only. Weight: Scheduling priority weight. Valid integer numbers are between 0 and 100. Changing the weight to zero will stop the incoming connections, while all existing connections continue until time out or until the connection is terminated by client and server. Although all numbers from 1 to 100 will allow traffic to go through, using a smaller w
20. It does allow SNAT, L4 and L7 operations, as well as SSL termination. It also allows incoming IPv6 traffic being load balanced to internal IPv4-based servers. However, for traffic initiated behind the WebMux (not load balanced), it does not translate IPv4 to IPv6. Appendix H: WebMux SNMP MIB Query ID. 1.3.6.1.4.1.27182.3.1.1.1.11.0 caiWebMuxActive.0; SYNTAX: INTEGER { true(1), false(2) }; DESCRIPTION: Whether this WebMux unit is active. 1.3.6.1.4.1.27182.3.1.1.1.7.0 caiWebMuxCPUSpeed.0; SYNTAX: Integer32; UNITS: MHz; DESCRIPTION: The clock speed of the CPU(s) in this unit. 1.3.6.1.4.1.27182.3.1.1.1.9.0 caiWebMuxCPUUsage.0; SYNTAX: Unsigned32; UNITS: %; DESCRIPTION: The current CPU usage, expressed as a percentage. 1.3.6.1.4.1.27182.3.1.1.1.8.0 caiWebMuxCPUs.0; SYNTAX: Unsigned32; DESCRIPTION: The number of CPUs in this unit. 1.3.6.1.4.1.27182.3.1.1.3.1.9.x.y caiWebMuxFarmAddressBlockNonSSL.x.y; SYNTAX: INTEGER { true(1), false(2) }; DESCRIPTION: If the value of this object is true(1), then connections to the IP address given for this row that are not using SSL will not be accepted. 1.3.6.1.4.1.27182.3.1.1.3.1.5.x.y caiWebMuxFarmAddressIPv4.x.y; SYNTAX: IpAddress; DESCRIPTION: An IPv4 address used to access the service provided by this server farm. 1.3.6.1.4.1.27182.3.1.1.3.1.6.x.y caiWebMuxFarmAddressIPv6.x.y; SYNTAX: OCTET STRING (16); DESCRIPTION: An IPv6 address us
21. The first port is ssh and the second is telnet. If only one port is specified, only ssh login is possible. You will need to notify us of the port numbers before obtaining support from us. WebMux failover ports: The WebMux allows configuration of the failover ports being used by the primary and backup WebMux units. Default port numbers are 2000 and 2001. You will only need to change the port numbers if they conflict with other services. Least significant bits in client IP address to ignore for persistent connections: This feature allows persistent connections to be handled properly when communicating with America Online's bank of cache servers. With AOL's cache servers, the IP address of the cache server becomes the source address. Since an end user can be sent through multiple cache servers, it is possible that the requests for one HTML page are routed to different web servers in the same session. Therefore, applications such as shopping carts that require persistent and secure connections will not work properly. This feature will treat multiple cache servers as one source, so that the WebMux can properly handle the persistent requests from browsers. From customers' feedback, the number three (3) is good enough for most AOL requests. The WebMux will use this entry to determine how to load balance the traffic. It calculates two to the power of the entry as the number of IP addresses to combine. When too large a mask is applied, it will defeat the loa
22. [Screenshot: setup form with fields: Is this WebMux running solo without a secondary?; Server LAN gateway IP address on WebMux (not same as server LAN IP address above; required for NAT, optional for OOP; use 0.0.0.0 to omit); Reinitialize configuration with admin entries only (destroys existing configuration); Reboot immediately after submitting this form; Submit when satisfied, or cancel and log out] Click the mouse into a field, or use the TAB key to move the cursor into a field, to see the current values. The user may change them based on new information obtained from the ISP or network engineers. Once you press the submit button, the WebMux will save all the changes to its internal solid state storage and reboot itself with the new values. Section 9: Sample Configurations and Worksheets. 9.1 Initial Configuration Worksheets. Configuration Before WebMux Installation (Equipment: IP Address): Internet Router or Firewall Address; Webserver's Default Gateway; Web Site IP Addresses. Configuration After WebMux Installation (Question: Entry for Primary and Secondary): Host Name; Domain Name; NAT, Transparent, Single Network, or Out-of-Path. Router LAN Information (NAT ONLY): Router LAN WebMux Proxy IP Address; Router LAN Network IP Address Mask; Router LAN VLAN ID (optional). Server LAN Information (NAT and OOP): Server LAN WebMux IP Address; Server LAN Gateway IP Address (optional for OOP); S
23. 5.2 Network Terminology. A Virtual Farm includes the WebMux and the servers under it. Functionally, it acts as a single unit on a network. For example, http://www.you.com is one virtual server farm, https://www.me.com is another farm, and ftp://ftp.avanu.com is the third farm. The first farm works on a set of servers on port 80, the second farm consists of another set of servers on port 443, and the third farm works on a set of servers on port 21. The WebMux supports combining the 80/443 ports as one single farm, so that the same client browsing the site in HTTP mode will be sent to the same server for HTTPS requests. In the combined configuration, you must select HTTP S as the farm service. Ports 80/443 will then be combined into one farm. To serve the Internet, there must be at least one Internet Router. The local area network that connects the router and the WebMux is called the Router LAN. In this LAN, the WebMux takes the Internet traffic and distributes it to the servers behind it. The LAN connecting the WebMux and real servers together is called the Server LAN. WebMux has four modes: 2-Arm NAT Mode, 2-Arm Transparent Mode, 1-Arm Single Network Mode, and 1-Arm Out-of-Path Mode. In NAT mode, the WebMux boxes are connected to both the Router LAN and the Server LAN. At least one WebMux is needed to define the Router LAN and the Server LAN. We will explain other modes i
24. not HTTPS servers field. By default, the farm will still allow non-SSL connections on the front end, but the connections between the WebMux and servers will always be SSL. You can restrict clients from connecting non-SSL by selecting Yes in the "block non-SSL access to farm" field. If the port number is omitted and the service pertains to a particular application level protocol, the well-known port for this protocol will be used (for example, port 80 for HTTP). If the port number is omitted and no such protocol pertains to the service (for example, the generic TCP service), the farm will handle all ports for the IP address and transport layer protocol in question, except those handled specifically by other farms. Screenshot (add farm screen) fields: IP address, label, port number, service, scheduling method, SSL termination, SSL port, block non-SSL access to farm, tag SSL terminated HTTP requests, servers are HTTPS servers (reencryption), servers only serve IPv4 not IPv6, connection throttling watermarks (low, high), compress HTTP traffic, SNAT, HTTP server response
25. [Table of contents, legible entries] 6.2.2 Pause/Resume; 6.2.3 Adjusting Timeout for Each Service; 6.3 Network Setups; 6.3.1 Adding Static Routes; 6.3.2 Reconfigure; 6.4 Security Settings; 6.4.1 Change Password; 6.4.3 Activating the Anti-Attack Feature; 6.4.4 Activating Flood Control Feature; 6.4.5 Flood Control Display; 6.5 Miscellaneous Settings; 6.5.1 Show Events; 6.5.3 Upload/Download (Backup/Restore); 6.5.4 Set Clock; Section 7 Setting Up Load Balancing; 7.2 Enabling SSL Termination; 7.4 Modify Farm; 7.6 Add L7 Server; 7.7 Modify Server; 7.9 Add Gateway Farm; Modify Health Check
26. Standby: The gateway will be put into STANDBY or backup mode after it is added. The WebMux will change a STANDBY gateway to ACTIVE when one or more ACTIVE gateways fail. Last Resort Standby: The gateway will be put into STANDBY state. Unless all other gateways are out of service, this gateway will not be switched in. [Screenshot: main status screen showing a WRR gateway farm (nexthop routes) with gateways 192.168.12.1 and 192.168.12.2, each with weight 10 and status ALIVE, and a WRR http farm at 192.168.12.30 port 80 with one server, weight 1, status ALIVE] Back at the main status page of the web GUI, you will notice that the farm IP addresses are now shown in grey. Before creating a nexthop gateway farm, the farm IPs were shown in blue with the ALIVE status or red with the DEAD status. The farm IP status was an indication of the availability of the default external route of your WebMux. Now that you have created a gateway farm, the status of your external route is determined by the availability of any one of the gateways in your gateway farm. As with a single default gateway, the type of health checking done on the router IPs is d
27. VLAN ID (optional). Enter Server LAN VLAN ID (optional). Note: The VLAN ID is used for full 802.1q VLAN support. In Single Network Mode, the Router LAN VLAN ID and Server LAN VLAN ID still pertain to the specific ports on the WebMux, and they cannot be the same value. Even though you only need to use one of the ports in Single Network Mode, it is important that your switch setting matches the value of the port you are connecting to. If you entered a non-zero value for the VLAN IDs, you will see an additional screen: Bond rtr/svr NI (Bond router and server Network Interfaces). This option will allow you to use the Internet (rtr) port and Server (svr) port as a single bonded interface, also known as Port Channel or Link Aggregation Group, allowing substantially more data throughput than a single physical interface. Please refer to Appendix N for details. Please continue to the Common Configuration section. 5.9 Out of Path Related Configuration. Enter Server LAN WebMux IP Address: > svr LAN IP addr 192.168.199.251. In Out of Path Mode, at minimum you only need to connect the Server LAN interface. This is the IP address of the WebMux Server LAN interface. This IP address must also be unique for each WebMux. The purpose of this IP address is to allow the WebMux to check the network and server health. Even for the backup WebMux, this address must be unique. It is highly recommended to add
28. VLAN IDs in NAT, Transparent, or Out of Path Mode. In NAT mode, you have the option to have a VLAN ID for both the Router (Internet) LAN interface and the Server LAN interface. Even though the WebMux will allow both sides to have the same VLAN ID, it is still recommended that you have a different VLAN ID for each to ensure complete network separation between both sides. In Transparent mode, you will only have one Bridge IP address, but you will need to create a VLAN ID on both the Router (Internet) LAN interface and the Server LAN interface. The WebMux will allow you to create the same VLAN ID on both interfaces, but this is not recommended unless each physical side is on a separate switch, completely isolated from the other. Be careful of Ethernet bridge loops. In Out of Path Mode, you only have one VLAN ID to assign for the original network, since the WebMux only uses one network for both incoming traffic from clients and outgoing traffic to the servers. In Out of Path Mode, the Internet LAN interface and Server LAN interface are bonded in a Link Aggregation Group, and both interfaces have identical configuration unless the port bonding is specifically disabled (see Appendix J). Appendix K: Multiple Uplink VLAN Support. As of version 8.5.00, the WebMux supports load balancing multiple uplink capabilities. You can configure this feature using the command line interface command nwconfig (additional network configuration
29. WebMux generates a new key for you, it will also generate a matching certificate request, not an actual certificate. Please be prepared to fill in the necessary information for such a request. You may not use a new key until you have pasted in a matching signed certificate chain. You may paste a new certificate chain any time before the key is put into use. Some certification authorities issue a certificate chain consisting of a single certificate. Some certification authorities issue a chain consisting of multiple certificates. Often the certificate chain consists of a server certificate and an intermediate certificate. In this case, the server certificate should come first and then the intermediate certificate. The root certificate for the certification authority itself need not be included. The certificate authority (CA) certificate is only used for client certificate verification. It need not be supplied if the clients will not be asked to supply their certificates. [Screenshot: private key and certificate text boxes, each showing a modification time of Aug 16 2012 and the no change option selected]
30. a query string that can be passed to your custom health check script. For example, the actual request from the WebMux will include the query string: custom farm=<IP>:<PORT>&server=<IP>:<PORT>&alive=1&standby=0&favorite=0&lastresort=0&weight=1. farm and server each consist of a dotted quad IP address followed by a colon and a port number (a server port of 0 means the port is the same as what is specified on the farm IP). weight is the numerical weight. The remaining items are either 0 for false or 1 for true. You can have your script access the query string elements for further processing. Also, the MIME header of the custom health check request will include the Host and User-Agent. The Host MIME header will be the label you used for the farm, not the label you use for the server. The User-Agent MIME header will show WebMux health check for <farm IP>:<port>. Note: The HTTP server will also have its own environment variables that you can utilize for your custom health check script. Please refer to your HTTP server manual and the manual for your scripting language for more information about environment variables. If you select Custom Defined Generic TCP service for a farm, the health checking process is a bit different. The health check script will pass for the following responses: OK server service is alive no weight c
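A custom health check script receives this query string from the network, so it should validate every field before acting on it. The following parser is an added example, not code from the manual or from WebMux; it assumes the key=value and IP:PORT syntax shown above, treats the leading custom token as ignorable, and uses a constructed sample request.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from urllib.parse import parse_qs

FLAGS = ("alive", "standby", "favorite", "lastresort")


@dataclass(frozen=True)
class HealthCheck:
    farm_ip: str
    farm_port: int
    server_ip: str
    server_port: int   # already resolved: 0 is replaced by the farm port
    alive: bool
    standby: bool
    favorite: bool
    lastresort: bool
    weight: int


def _endpoint(value):
    """Split 'a.b.c.d:port' and validate both halves."""
    ip, sep, port = value.rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()):
        raise ValueError(f"not IP:PORT: {value!r}")
    IPv4Address(ip)                      # raises a ValueError subclass if not a dotted quad
    if int(port) > 65535:
        raise ValueError(f"port out of range: {port}")
    return ip, int(port)


def parse_health_query(query, user_agent=None):
    """Parse and validate the health check query string described in the text.

    Assumed syntax: farm=IP:PORT&server=IP:PORT&alive=1&...&weight=N.
    Raises ValueError on anything malformed, missing or repeated.
    """
    fields = parse_qs(query)             # tokens without '=' (e.g. 'custom') are skipped

    def one(name):
        values = fields.get(name)
        if values is None or len(values) != 1:   # reject repeated parameters
            raise ValueError(f"{name}: expected exactly one value")
        return values[0]

    farm_ip, farm_port = _endpoint(one("farm"))
    server_ip, server_port = _endpoint(one("server"))
    if server_port == 0:                 # "same port as the farm IP"
        server_port = farm_port

    flags = {}
    for name in FLAGS:
        raw = one(name)
        if raw not in ("0", "1"):
            raise ValueError(f"{name}: must be 0 or 1")
        flags[name] = raw == "1"

    weight = one("weight")
    if not (weight.isascii() and weight.isdigit()):
        raise ValueError("weight: must be a non-negative integer")

    # Assumed User-Agent layout, taken from the sentence in the text.
    expected_ua = f"WebMux health check for {farm_ip}:{farm_port}"
    if user_agent is not None and user_agent != expected_ua:
        raise ValueError("User-Agent does not match the farm in the query")

    return HealthCheck(farm_ip, farm_port, server_ip, server_port,
                       weight=int(weight), **flags)


def accepts(query, user_agent=None):
    """True when the request passes validation, False otherwise."""
    try:
        parse_health_query(query, user_agent)
        return True
    except ValueError:
        return False


# Constructed sample request (addresses reuse the manual's example ranges).
SAMPLE_QUERY = ("custom&farm=192.168.12.30:80&server=192.168.11.30:0"
                "&alive=1&standby=0&favorite=0&lastresort=0&weight=1")
SAMPLE_UA = "WebMux health check for 192.168.12.30:80"

if __name__ == "__main__":
    print(parse_health_query(SAMPLE_QUERY, SAMPLE_UA))
```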
31. a secondary. The two WebMux units will automatically sync the configuration data. Easy management: It can be managed via a secured web browser session from anywhere in the world. By using https (128-bit encryption) to the management web console, secure remote management of server farms is truly possible. Operating System independent: No software or agent to load on the servers. Non-intrusive load/failure detection and management. Provides Proxy function: When communication is initiated from behind the WebMux, the WebMux will substitute its own address for the internal address. This allows the web servers to initiate communication for services such as credit card validation and mapping services. Note: This function only works in NAT mode. Built-in Firewall Protections (layer 4/5 only): Stop possible hacker intrusion into your network from the Internet. All IP addresses and ports are blocked except the farm IP address. Built-in functions will detect any possible denial of service attack and make your services always available. Note: This function only works in NAT mode with act as IP router set to no. See Administration Setup, section 6.3, for details. Built-in Anti-Attack Security Function: Automatic protection against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Automatically blocks IP addresses that exceed the maximum threshold of concurrent connections for a specified amount of time. Works in NAT Transp
32. a value in the high field will control the maximum number of concurrent connections allowed on a farm. The low field will control when to resume allowing more connections. For example, with high set to 20 and low set to 10, the WebMux stops allowing more connections when the number of concurrent connections hits 20, and new connections will not be allowed until the number of concurrent connections drops to 10 or below. SNAT: Selecting YES in this field will enable SNAT for this farm only. This option is not available when SNAT is enabled system-wide in the network management or when running in Single Network Mode. Compress HTTP traffic: Enable or disable HTTP compression. When enabled, the MIME header X-WebMux-Compression: true will be appended to the server response MIME header. NOT supported in Out of Path Mode except when used in a Layer 7 Farm. Delete: Click this button to delete the entire farm. CAUTION: This function also deletes ALL the servers under this farm. 7.5 Add Server. In the Modify Farm screen, click on the Add Server button to add a new server to this farm. Or you can select the radio button of the farm from the main screen and click on the add server button on the left. [Screenshot: WebMux main screen]
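The low/high watermark pair behaves as a hysteresis gate rather than a plain connection cap, which matters when sizing it against connection floods. The following simulation is an added example, not WebMux code; it assumes that a connection arriving while the farm is throttled is refused, and the event trace is constructed.

```python
class WatermarkGate:
    """Admission gate with low/high watermarks, as described in the text."""

    def __init__(self, low, high):
        if not 0 <= low < high:
            raise ValueError("need 0 <= low < high")
        self.low = low
        self.high = high
        self.active = 0          # current concurrent connections
        self.throttled = False   # True between hitting high and falling to low

    def connect(self):
        """Return True if the new connection is admitted."""
        if self.throttled:
            return False
        self.active += 1
        if self.active >= self.high:     # the connection that hits 'high' is the last one in
            self.throttled = True
        return True

    def close(self):
        """An admitted connection ends."""
        if self.active > 0:
            self.active -= 1
        if self.throttled and self.active <= self.low:
            self.throttled = False       # resume only at 'low' or below


def replay(events, low, high):
    """Run a list of 'open'/'close' events through the gate and summarise."""
    gate = WatermarkGate(low, high)
    accepted = refused = peak = 0
    for event in events:
        if event == "open":
            if gate.connect():
                accepted += 1
                peak = max(peak, gate.active)
            else:
                refused += 1
        elif event == "close":
            gate.close()
        else:
            raise ValueError(f"unknown event {event!r}")
    return {"accepted": accepted, "refused": refused,
            "peak": peak, "active": gate.active}


# Constructed trace: a burst of 25 opens, 9 closes, one open, one close, one open.
BURST = ["open"] * 25 + ["close"] * 9 + ["open"] + ["close"] + ["open"]

if __name__ == "__main__":
    # The manual's example: high 20, low 10. The open at 11 active is still
    # refused; the farm only resumes once it has drained to 10.
    print("low=10 high=20:", replay(BURST, low=10, high=20))
    # low = high - 1 degenerates into a plain cap of 20 for comparison.
    print("low=19 high=20:", replay(BURST, low=19, high=20))
```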
33. a web browser to connect to the WebMux. The web browser interface does all of the WebMux management. The following sections explain each of the easy ways to use the management console screens: Login, Administration Setup Page, Change Password, Set Clock, Status, Add Farm, Modify Farm, Add Server, Modify Server. 6.1 Login. Start Login Page: Start a web browser from your management workstation. Set the URL to https://webmuxip:webmuxport/, where webmuxip is the IP address of the WebMux on the server LAN and webmuxport is the management port address of the WebMux. The default ports are 24 for an unsecured connection and 35 for the secured connection. Use http instead of https on the URL line if you decide to use port 24 for unsecured communications. The port number can be changed per your specification in the setup section (the network screen). The following login page will appear. Note: In order to use a browser to manage the WebMux, the browser must be set to accept all cookies. [Screenshot: login page for webmux1.avanu.com with login level and password fields] User ID: There are two preset user IDs. Superuser: Allows access to all screens and functions provided by the WebMux. WebMux: Does not allow the user to access or change any settings; allows viewing only. Password: Fill in the correct password for the selected User ID. The password is case sensitive.
34. add, list, delete, install tool). With multiple uplink, you can configure the WebMux to use multiple ISPs and gateways. The WebMux uses source-based routing to be sure that packets that came in from one ISP will return through the same ISP. All uplinks are usable simultaneously. Once you have configured farms on both networks, the WebMux will monitor the default gateways of the different uplinks and fail over to any available ISPs should one ISP go down. To set up multiple uplinks, first log into the command line interface via telnet on port 87 or ssh on port 77. We will refer to the main network configuration of the WebMux (the IP addresses created via the LCD setup, or the rec page in the web GUI, or rec_cmdline from the CLI) as the original network. Networks created with the nwconfig command will be referred to as additional networks. Usage:
    nwconfig -A|--add NAME -i|--ipaddr IPADDR other options
    nwconfig -D|--delete NAME
    nwconfig -I|--install NAME
    nwconfig -L|--list PATTERN
    nwconfig -R|--replace NAME -i|--ipaddr IPADDR other options
    nwconfig -U|--uninstall NAME
For the -A or --add case, the -i or --ipaddr option is required, but other options are optional. Whatever information they supply is used, and what information they don't supply is calculated from the supplied information as best possible. However, if an external gateway address for routing is to be used, it must be supplied with g or g
35. address to use this feature. The syslogd server must be configured to accept remote UDP syslog connections. The facility for WebMux syslog messages is LOCAL6. The notification levels of the syslog messages are as follows:
    Level     Search Key   Description
    INFO      STATS        LCD display messages
    NOTICE    LOGIN        Successful browser login/logout (excludes timeout logout)
    NOTICE    SETUP        Significant access and changes to setup and configuration items
    NOTICE    EVENT        Same as pager/mail messages
    WARNING   LOGIN        Unsuccessful browser login
Server gateway IP address: The WebMux appears to all the servers in the farms as a gateway or router. This is the IP address for the WebMux acting as a router for the servers. This is the IP address that should be used as the default gateway IP address in the web or other servers. It is highly recommended to add it to the /etc/hosts file on your servers. This only applies to NAT mode, or to Out of Path Mode that requires the WebMux to do the SSL termination or Layer 7 load balancing. Normally this is optional for Out of Path Mode. Note: For first time setup, it is very important to set up this address and the Server Farm network mask below first. Also, when setting up the servers, you may be asked to fill in the default gateway IP address for the server. Use this IP address to set up all the servers under it. The WebMux will not function properly if this IP address is not set correctly for both WebMux and the servers. WebMux http control
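The level and search key table above maps directly onto a triage filter on the syslog receiver. The following is an added example, not part of the manual or of WebMux; it assumes RFC 3164 framing (LOCAL6 is facility 22, so PRI values 180 to 182), that the search key appears as a word in the message text, and event ordering by time. The sample lines, threshold and alert names are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

LOCAL6 = 22                                   # syslog facility code for local6
SEVERITY = {4: "WARNING", 5: "NOTICE", 6: "INFO"}
KEYS = ("STATS", "LOGIN", "SETUP", "EVENT")
# (level, search key) pairs exactly as listed in the manual's table.
MEANING = {
    ("INFO", "STATS"): "lcd_display",
    ("NOTICE", "LOGIN"): "login_or_logout",   # successful login/logout
    ("NOTICE", "SETUP"): "setup_change",
    ("NOTICE", "EVENT"): "pager_mail_event",
    ("WARNING", "LOGIN"): "login_failed",
}
LINE = re.compile(r"^<(\d{1,3})>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse(line, year=2012):
    """Return a classified event dict, or None if the line is not a WebMux one."""
    m = LINE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    if facility != LOCAL6:
        return None
    level = SEVERITY.get(severity)
    text = m.group(4)
    key = next((k for k in KEYS if re.search(rf"\b{k}\b", text)), None)
    kind = MEANING.get((level, key))
    if kind is None:
        return None
    # RFC 3164 timestamps carry no year; the caller supplies one.
    when = datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m.group(3), "kind": kind, "text": text}


def triage(lines, threshold=3, window=timedelta(seconds=60)):
    """Flag failed-login bursts, sessions that follow a burst, and setup changes."""
    alerts = []
    recent = {}                                # host -> deque of failure times
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        fails = recent.setdefault(ev["host"], deque())
        while fails and ev["time"] - fails[0] > window:
            fails.popleft()                    # drop failures outside the window
        if ev["kind"] == "login_failed":
            fails.append(ev["time"])
            if len(fails) == threshold:
                alerts.append(("failed_login_burst", ev["host"], ev["time"]))
        elif ev["kind"] == "login_or_logout" and len(fails) >= threshold:
            alerts.append(("session_after_failures", ev["host"], ev["time"]))
            fails.clear()
        elif ev["kind"] == "setup_change":
            alerts.append(("setup_change", ev["host"], ev["time"]))
    return alerts


# Constructed sample datagrams; the message wording after the key is invented.
SAMPLE = [
    "<182>Aug 20 11:10:19 webmux1 STATS farm status refresh",
    "<180>Aug 20 11:17:01 webmux1 LOGIN failed for superuser",
    "<180>Aug 20 11:17:09 webmux1 LOGIN failed for superuser",
    "<180>Aug 20 11:17:15 webmux1 LOGIN failed for superuser",
    "<181>Aug 20 11:17:22 webmux1 LOGIN superuser logged in",
    "<181>Aug 20 11:18:40 webmux1 SETUP diagnostic ports changed",
    "<134>Aug 20 11:18:41 otherhost LOGIN failed",      # local0, not WebMux
    "<180>Aug 20 11:30:00 webmux1 LOGIN failed for superuser",
]

if __name__ == "__main__":
    for name, host, when in triage(SAMPLE):
        print(when.isoformat(), host, name)
```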
36. [Screenshot: add farm screen, continued] 2. Click the submit button and you should be back at the main console screen with the newly added farm showing. 3. Click on the farm IP and add servers as you normally would. You can just add the server IP address and leave the rest of the fields as is. [Screenshot: add server screen for farm 192.168.12.101:80 with port number 443, weight 1, run state ACTIVE] 4. Click the submit button. [Screenshot: main status screen showing an HTTP L7 farm with SSL port 443 and its servers ALIVE] 5. Be sure to click the save button so you do not lose your farm configuration.
37. cross-over Ethernet cable or with a hub or switch in between. Note: Under normal Out of Path operations, you will only need to set the external gateway IP address for the WebMux. However, if you are going to have the WebMux do SSL termination or Layer 7 load balancing, you must set a server LAN gateway IP in the WebMux and have the servers' default gateway point to that IP address. 4.6 IPV6 Consideration. WebMux can load balance IPV4 and IPV6 traffic in all of the above modes. Both IPV4 and IPV6 can work in L4 and L7. Simply specifying the IPV6 prefix will enable the WebMux to load balance IPV6 only or IPV6/IPV4 mixed traffic. However, if the public side is IPV6 and the local side is IPV4, the load balancing farm must be L7. If the protocol is not in the list, please select L7 generic TCP load directing. Section 5 Configuring the WebMux. 5.1 Before you Start. Please collect the information about names and IP addresses designated by the arrows in the network topology below. [Figure: network topology worksheet with blanks for the Internet Router IP address; the Router LAN network IP address, network mask and broadcast IP address; each WebMux's name, Router LAN IP address and Server LAN IP address; the Server LAN network IP address, network mask and broadcast IP address; and Servers 1 to N]
38. follows: ethf0, interface labeled Internet; eths0, interface labeled Backup; ethb0, interface labeled Server. In Single Network or Transparent modes, the main interface is br0. Modifications to the routing table issued through the CLI are automatically saved after issuing the command. Note: If you are running a backup WebMux unit, you need to make sure you ALSO click the save button on the main console screen in order to propagate the changes made to the backup unit. 6.3.2 Reconfigure. The reconfigure button will bring you to the initial network settings page. More details about this are covered in Section 8, Initial Setup Change Through Browser. [Screenshot: reconfigure screen showing language English, host name webmux1, domain name avanu.com, primary WebMux YES, solo WebMux NO, dispatch method two-armed server LAN NAT, router LAN IP address 192.168.12.25, router LAN network mask 24, server LAN network mask 24, router LAN and server LAN VLAN tags 0, bond all server LAN and network LAN interfaces together NO]
39. port: Since the WebMux is load balancing incoming HTTP traffic, the HTTP port for the management console must be set to a different port. By default, the port is 24. You can change the port to any port that is not being load balanced if so desired. The front push buttons can also change this. WebMux https control port: Since the WebMux is load balancing incoming HTTPS traffic, the HTTPS port for the management console must be set to a different port. By default, the port is 35. You can change the port to any port that is not being load balanced if so desired. The front push buttons can also change this. SNMP UDP Port: SNMP on the WebMux is active and uses port 161 by default. You can change the port here, or you can enter 0 or none, or leave it blank, to disable SNMP altogether. SNMP Community String: WebMux uses SNMP v1 and the community string webmux by default. WebMux diagnostic ports: The WebMux allows diagnostic sessions from remote access for factory technical support or trained network engineers through ssh or telnet. Access is also subject to the restriction of the Allowed Host setting earlier. superuser can log in with its password using ssh to run certain diagnostic tools. help shows the commands; how to use these commands is not supported. When this entry is blank, any diagnostic access is denied. This entry should remain blank under normal operations. Default port numbers are 77 87
40. server. 0x0020: If bit set, always try to use this server if it is available. 0x0040: If bit set, only try to use this server if no other server in the farm is available.
    1.3.6.1.4.1.27182.3.1.1.4.1.13.x.y  caiWebMuxServerWeight.x.y  SYNTAX Unsigned32 (1..100)  DESCRIPTION The current rate of packets being sent to this server.
    1.3.6.1.4.1.27182.3.1.1.1.12.0  caiWebMuxSolo.0  SYNTAX INTEGER { true(1), false(2) }  DESCRIPTION The value of this object is true(1) if this WebMux is running solo, or false(2) if this WebMux is part of a redundant pair.
    1.3.6.1.4.1.27182.3.1.1.1.2.0  caiWebMuxVersion.0  SYNTAX OCTET STRING (0..255)  DESCRIPTION The WebMux firmware version running this WebMux unit.
Appendix: Special Details about Out of Path Mode. Since firmware version 8.2.03, the WebMux bonds the Internet and Server ports in a Link Aggregation Group. If you have a switch that has LAG, Ether Channel or Port Channel capabilities, the Internet and Server interfaces will behave as a single interface and effectively double the amount of data throughput. Prior to version 8.2.03, the Internet port was deactivated in Out of Path Mode. It may be desirable to use the Internet port for a completely separate network (i.e. for internal management), but because of port bonding it is not possible without direct modification to the WebMux. Starting with version 8.4.00, a comma
41. status. You can use the Pause button to freeze the auto refresh. After clicking the Pause button, the button will change to Resume and the auto refresh will stop. Click the Resume button to restart the auto refresh. 6.2.3 Adjusting Timeout for Each Service. Clicking on the service type under the service column for the farm, or clicking on the modify health check button on the left of the main screen, will allow you to change the timeout value of the layer 7 protocol health check for each different service. Please note this change is global and will affect all the farms using the same type of service. For example, the default timeout to check the HTTP protocol is 5 seconds. If the web server does not respond to the WebMux protocol chat within 5 seconds, the WebMux will declare that the server is dead, switch that server out of service, and notify the operator through email or pager. Note: WebMux will declare a server dead only if it fails the health check 3 consecutive times. If your web server is not really dead but for some reason is not responding to the checking request within the given timeout, the WebMux will raise a false alarm. To avoid this, the user can change the timeout value to a larger value. Many times servers cannot resolve the IP address of the WebMux server LAN interface, which could cause the server to not respond to the WebMux unit's protocol checking. Adding the WebMux server LAN IP address and server LAN gateway address to the name resolu
42. that the primary was disconnected or powered down purposely by the operator. Why can't a VLAN IP address be used as the farm IP in OOP WebMux? WebMux uses the VLAN IP to forward the packets to the servers in OOP mode. If that VLAN IP address is also the farm address, then the loopback adapter on the server will have the same IP address. During a health check from the WebMux, the server will not be able to send the reply back to the WebMux, since the server finds the same IP address on itself. Section 12 Regulations. 12.1 Notice to the USA. Compliance Information Statement (Declaration of Conformity Procedure, DoC), FCC Part 15: This device complies with part 15 of the FCC Rules. Operation is subject to the following conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and the receiver. Plug the equipment into an outlet on a circuit different from that of the receiver. Consult the dealer or an experienced radio/television technician for help. 12.2 Notice for Canada. This apparatus complies with the Class B limits for r
43. the server returns error code 401, then the WebMux will consider that server dead. For both IIS and Apache servers doing virtual hosting, the farm name label must be an existing web site name on the server. For more information on virtual hosting, please go to Appendix D for details. Farm scheduling method: Eight different methods are supported: Least connections; Least connections persistent; Round robin; Round robin persistent; Weighted least connections; Weighted least connections persistent; Weighted round robin; Weighted round robin persistent; Weighted fastest response; Weighted fastest response persistent; Faster Layer 7 HTTP URI load directing (no compression); Layer 7 HTTP URI load directing; Layer 7 HTTP URL load directing with cookies; Layer 7 HTTP cookie load directing with cookies; Layer 7 virtual host load directing with cookies. SSL Termination: You can change the SSL key/certificate pair used for this farm. All current connections for this farm will be reset if you change the key/certificate pair selection. Block non SSL Access to farm: If you do not want to allow non-encrypted traffic connecting to the farm, select Yes. Tag SSL terminated HTTP requests: If SSL termination is active for this farm, choosing Yes for this option will add an X-WebMux-SSL-termination: true MIME header in the decrypted http request going to the real server. Connection throttling watermarks: Setting
44. this command: netstat -rn. Please note that for Windows 2003 servers, the route for the loopback adapter cannot be deleted. However, since Windows 2003 server automatically sets a high metric number, the route does not need to be deleted. Appendix C: Virtual Hosting Issues. Servers serving more than one web site may do virtual hosting. The WebMux supports virtual hosting by checking the virtual server's response. There are three different situations for the WebMux to handle. If the service is HTTPS, there is no way to do virtual hosting on the same IP address. However, each HTTPS farm can be on a different IP address on the same server. The reason that each HTTPS server must have its own IP address is that any web server software (IIS or Apache) cannot see the URL in the HTTPS packets, since they are encrypted. The IIS or Apache server only decrypts the URL after the packet is sent to a particular process. Since no web server software supports virtual hosting HTTPS on the same IP address, the WebMux does not need to do anything extra other than load balancing all the packets for that particular farm. If the service is HTTP, then any web server software (IIS or Apache) can host almost unlimited virtual farms on each IP address. Many hosting centers handle this situation by putting all the servers serving each virtual host on a server farm on the WebMux. The WebMux will load balance the traffic for all the incoming traffic for that IP
45. those packets. Your server-side VLAN ID is 200. You will need to configure ports 7, 8, 9 and 10 to participate in or include VLAN 200, and make sure that you specify that it is UNTAGGED. Next, you will need to make these ports accept all frames AND you must assign them the PVID of 200. Again, please refer to your switch user manual for specific commands. At this point, any device connected to port 7, 8, 9 or 10, assuming that it already has a 192.168.11.0/24 address, should now be able to ping the WebMux svr LAN IP address of 192.168.11.21. Appendix M: How to Add Commands to WebMux Startup Sequence. Sometimes there is a need to add commands to the WebMux startup sequence so that certain commands can be reboot persistent. In the 8.5.02 firmware release and later, there is a new superuser command, sysinit, provided for the user to add iptables commands or other commands to the startup sequence. Please note that adding a wrong command to the startup sequence may render the WebMux inaccessible, so it is always good practice to test the commands first before adding them to the WebMux startup sequence. For example, if you want an SMTP server at 192.168.10.98 to always appear to be sending from one of your public IP addresses (i.e. 66.1.1.98) on the WebMux, you can use this iptables command: iptables -t nat -I POSTROUTING -s 192.168.10.98 -d 192.168.10.98 -m multiport -p tcp --destination-ports 25 -j SNAT --to-s
46. to use the values of the time SSL termination was activated. To make the new list effective for a farm with SSL termination presently activated, either deactivate and reactivate its SSL termination, or reboot, which restarts everything. [Screenshot: selection boxes for encryption protocols (SSLv2, SSLv3, TLSv1) and cypher strengths allowed (256 bits, 168 bits, 128 bits, 56 bits, 40 bits)] The WebMux supports SSL V2, SSL V3, and TLS V1 with RSA key lengths of 512, 1024, and 2048. For each WebMux, one can have 32 SSL certificates. Any key can be active or not active. The first line of the private key is the comment. See the included two sample keys for details. If there is no comment line in the key, it will be blank. If there is no key, it will display key and certificate unset. Key length can be from 512 to 2048. RSA key length 1024 is also called 128bit strong encryption. At the bottom of the screen, you will see the option to choose encryption protocols allowed, or to choose encryption protocols and cypher strengths allowed. Changes in the list of allowed encryption protocols or cypher strengths only take effect for SSL termination for farms for which SSL termination is activated after the change. SSL traffic for farms for which SSL termination is already activated continues to use the values of the time SSL termination was activated. To make the new list effective for a farm with SSL t
47. 1 b. Select an unused key slot (key 4, for example). [Screenshot: key slot list; most slots show key and certificate unset] c. Open the ca.crt file created in step 1 as a text file. d. Copy and paste the text into the CA certificate text box. Be sure to select use new CA certificate pasted in, and add the line CAFILE level 2 on the very top. [Screenshot: CA certificate text box with use new CA certificate pasted in selected and CAFILE level 2 as the first line, followed by Confirm and Cancel buttons] e. Click the confirm button. 3. Create a private key and generate a certificate request. a. Using OpenSSL: i. Create the private key: openssl genrsa -out webmux.key 1024 ii. Open the webmux.key file, then copy and paste it into the private key text box of the key slot into which you imported the CA certificate. Be sure to select use new private key pasted in. [Screenshot: private key text box with use new private key pasted in selected]
48. [Figure: Transparent Mode network diagram with Servers 1 to 4 at 192.168.112.30, 192.168.112.31, 192.168.112.32 and 192.168.112.33, each using gateway 192.168.112.1. STP: Spanning Tree Protocol] Transparent Mode is another WebMux configuration that allows you to keep the existing IP addresses of your servers. Like Out of Path Mode, the servers and the WebMux will be on the same IP network. However, physically the servers will be connected to the WebMux in the same way they would be for NAT mode, on the server LAN port. The internet port on the WebMux is connected towards the Firewall/Router. In this mode, the WebMux functions as an Ethernet bridge. Anything connected to its back interface (server LAN) is on the same network as its front interface (internet/router LAN). If you look at the diagram above, you will see that the terminals are on the same network as the servers even though the servers are behind the WebMux. The terminals can communicate with the servers' IPs directly, as if the WebMux was not there, and vice versa. When creating a farm, choose a unique farm IP address in the network and then add the server IP address under that farm. Load balancing occurs when the Farm IP is accessed instead of the servers' actual IP. There are no configuration changes that need to be made on the servers, only the way they are physically connected to the
49. [Screenshot: Add Farm screen.] If the port number is omitted and the service pertains to a particular application-level protocol, the well-known port for this protocol will be used (for example, port 80 for HTTP). If the port number is omitted and no such protocol pertains to the service (for example, the generic TCP service), the farm will handle all ports for the IP address and transport-layer protocol in question, except those handled specifically by other farms. [Add Farm screen fields: IP address, label, port number, service, scheduling method, SSL termination, SSL port, block non-SSL access to farm, tag SSL-terminated HTTP requests, servers are HTTPS servers (reencryption), servers only serve IPv4 not IPv6, connection throttling watermarks (low, high), compress HTTP traffic, SNAT, HTTP server response comparison string, HTTP server URI.] In the Add Farm screen, select "HTTP hypertext transfer protocol (TCP)" in the service section. In the SSL Termination section, choose any key other than "none" (see the SSL Keys section about importing your SSL keys). This will enable SSL termination on the HTTP farm. All t
50. [Screenshot: Modify Farm screen for farm 192.168.12.100 port 80, with the fields label, scheduling method, SSL termination, SSL port, block non-SSL access to farm, tag SSL-terminated HTTP requests, connection throttling watermarks (low, high), SNAT, compress HTTP traffic, HTTP server response comparison string and HTTP server URI.] Farm IP address and port number: This displays the current farm IP that is being modified. These fields are set in the Add Farm screen. Once set, they are not changeable. If they must be changed, delete the farm and then add a new one. Label: The label is displayed in the column to the left of the corresponding IP addresses in the main status screen. Although labels can be anything, it is better to have a meaningful and unique label for each farm. The label field is also used as the host name in the HOST MIME header when checking HTTP servers. The HOST MIME header is essential in virtual hosting, as it determines which site is being accessed. The format of the farm label should be the site host name, i.e. www.xyz.com (max length 75 bytes). Without a label specified, a 401 Unauthorized error code is still considered a live server. If you have a label specified and
51. 24 will allow all hosts in the 192.168.12 network to access it. From version 6.4.00, 192.168.12 will be allowed for a class C allowed host. If this field is left blank, you can access the management software from any IP address. It is recommended to set this up for security reasons. If the wrong IP addresses are entered, management console login might not be possible. Use the setup mode on the LCD panel to clear the allowed host list. This field is blank by default. TACACS Server Configuration: The WebMux allows you to control the user passwords for the superuser group logins with a TACACS server, so that password changes can be administered to several WebMux machines instantly through a central authentication server. In this field you will need to specify the TACACS server IP with server xxx.xxx.xxx.xxx. Other arguments include secret (if the TACACS server requires a password to be accessed) and encrypt. Each argument must be separated with a space. If for some reason the TACACS server is not working, the WebMux will default back to the passwords configured in its password setup screen. Connection warning threshold: The WebMux monitors the number of connections established. When the number of connections is greater than the value entered, the WebMux will page the designated numbers. For example, if a DoS attack is occurring, the number of connections to the site would be extremely high. Assuming they exceeded the value s
52. 4 the WebMux can sync its internal clock with any UDP NTP server. By default it points to a tier 2 NTP server. You can also set it to your Internet NTP server, or wipe out the entry to not sync to any NTP server. Reset Stranded TCP Connections: When a server fails to function, there could be many TCP connections still in TCP_WAIT state. If this is set to Yes, when a client tries to access the failed server, the WebMux will pretend the server is sending a TCP Reset to the client, thus freeing all the TCP_WAIT state connections. Default setting is Yes, to conserve resources. Route Returning Layer 4 Load Balanced Traffic Whence Original Client Traffic Came: For configurations where you have multiple gateways, your originating connections may come from the server side. You may have returning connections from the internet side that you want to be sure are routed through the same gateway that the originating server-side client used to reach the destination. Default setting is Yes. Front Proxy Addresses: By default the WebMux will use the main IP address you configured in the router/internet LAN interface (or Bridge IP) as the source IP for outgoing connections. You may want to specify a different IP address instead. You can list more than one IP address by separating them with a colon. If you have more than one front proxy address, the WebMux will choose a proxy address in a round-robin fashion. This option is not availabl
53. 5VAC Current Heat Production Power Requirements 50 60Hz Operating Temp Range Ship Weight Compliance & Certification Other 3 1 Topology Overview Multiple Tag based VLANS on all models Gigabit x2 Gigabit x3 in bond mode Gigabit 20 4 Up to 65 532 Real Servers Unlimited Virtual Servers ridge Router Role in Network plus switch in 690PG UDP based service support Secure web browser access In service Not in service SNMP Phone Pager alarm notification Email notification Configuration access Persistent connections Port specific services One year product warranty Parts & Labor firmware updates and technical support telephone email Pre configuration prior to shipment no additional cost Optional Annual Premium Support covers 24x7 technical support with overnight exchange unit option 1U 19 x14 x1 75 2U Yes 120w 200w 350w 2 5A 3 5A 5A 350BTU H 550BTU H 800BTU H 95 130VAC or 195 235VAC 0 40 C 0 40 C 0 40 C 20 lbs 20 lbs 45 lbs 6 lbs Part 15 FCC US Class B Canada CE Mark Europe FIPS 140-2 standard NIST latest industry standard Open SSL modules RoHS 30 Day Money Back Guarantee Subject to restocking fee contact AVANU for details. The WebMux has four modes: 2-Arm NAT Mode, 2-Arm Transparent Mode, 1-Arm Single Network Mode and 1-Arm Out of Path Mode. IPv4 and IPv6 work in all those modes. Each mode has its advantages and disadvantages. 3.2 Two ar
54. 7 you will need to create a Loopback Adapter. [Diagram: servers with gateway 192.168.112.1 and Loopback Adapter IP 192.168.112.35; WebMux Server LAN gateway IP 192.168.112.37.] If WebMux is doing SSL termination or Layer 7 load balancing, you need to set the server's default gateway IP to the WebMux Server LAN gateway IP, 192.168.112.37. The above diagram is an example of how to configure the WebMux in Out of Path Mode without changing the IP addresses of the web servers and other servers that already exist on the network. This is particularly helpful when changing an existing network of servers would cause problems. In this configuration, all the servers still remain on the same IP network and can communicate. From the servers' view, the WebMux is on the same network as the servers. On the WebMux, only the server LAN cable is connected, since there is only one network in Out of Path Mode. The WebMux takes at least two IP addresses to work in this mode: the server LAN interface IP address and the farm IP addresses. If you are connected to a manageable switch that allows you to create Link Aggregation Groups (LAG), sometimes called Ether Channel or Port Channel, the Internet port and Server port on the WebMux can be connected to the switch and will behave as one logical port with about twice the bandwidth capabilities. It is important t
55. You can view, copy and paste keys into the two windows. You should back up your private key and save it in a secure place. Each private key and public key pair must match to be able to work properly. If you plan to generate new keys, click on the drop-down box above the private key window to select the "use newly generated" item with the desired key length, and then click on the Submit button. This process is also known as generating a CSR (Certificate Signing Request). It is the process where you generate a key pair and send the public key to the CA for signing. Once your public key is signed and pasted into the key management screen, all the browsers over the Internet will accept it without complaint during the lifetime assigned to the key. You can visit www.thawte.com or www.verisign.com for more information. [Screenshot: key management screen. The private key drop-down offers "no change", "use new private key pasted in", "delete", "use newly generated 512 bit RSA key" and "use newly generated 1024 bit RSA key"; the certificate and "CA certificate for client verification only" drop-downs show "no change".] After submitting the selection you wi
56. Active again through the browser interface. This will give the system administrator time to fix the system or reboot the server once some software/hardware update is completed. Favorite Active: The server will be put into service immediately after it is added. If a Favorite Active server failed, once it is operational the WebMux will automatically put it back to the Active state. Standby: The server will be put into STANDBY (backup) mode after it is added. The WebMux will change a STANDBY server to ACTIVE when one or more ACTIVE servers fail. The weights also have an effect on the number of standby servers that are activated. If the failed active server had a weight of 20 and there are two standby servers with a weight of 10, the WebMux will activate the two standby servers to make up the difference. Last Resort Standby: The server will be put into STANDBY state. Unless all other servers are out of service, this server will not be switched in. This allows the last server to show a different web page from the others. 7.6 Add L7 Server: If setting up a Layer 7 farm, the add server screen will be similar to this: [Screenshot: Add Server screen for farm 192.168.12.101:80, with the fields IP address, port number, label, weight, run state, match pattern and pattern is anchored.]
57. [Screenshot residue from the Internet Explorer options dialog.] iii. In the Certificates window, click on the Personal tab. [Screenshot: Certificates window with the tabs Personal, Other People, Intermediate Certification Authorities and Trusted Root Certification, and the Import and Export buttons.] iv. Click on the Import button. You will see this screen. Click the Next button. [Screenshot: Certificate Import Wizard welcome page.] v. Click the Browse button. [Screenshot: Certificate Import Wizard, File to Import page, which notes that more than one certificate can be stored in a single file in formats including Personal Information Exchange (PKCS #12).]
58. HTTPS. The WebMux allows SSL termination from any port to the farm port. If your SSL/TLS traffic is other than the standard HTTPS traffic, you may want to specify the SSL traffic port in the SSL port field. The WebMux will listen on that SSL port, terminate the encrypted traffic from that port into the farm port, and re-encrypt the return traffic from the server to the clients. 7.3 SSL Keys [Screenshot: SSL termination management, SSL keys screen, listing key slots 1 to 10, most shown as "key and certificate unset", with a note beginning "Please note that key 1 marked with is used for HTTPS access to the webmux itself although it may".] Or choose encryption protocols and cypher strengths allowed. Changes in the list of allowed encryption protocols or cypher strengths only take effect for SSL termination for farms for which SSL termination is activated after the change. SSL traffic for farms for which SSL termination is already activated continue
59. IP interface configuration and routing utility. iptables: allows you to create custom packet filtering for the WebMux. The changes made here are not reboot persistent. ip6tables: version of iptables for IPv6. netstat: display network connections, routing tables, interface statistics, etc. nwconfig: allows you to create additional networks for use in multiple ISP configurations and/or for multiple server subnets in NAT mode. See Appendix K for more details. ping: send ICMP ECHO_REQUEST packets to network hosts. ping6: version of the ping command for IPv6. poweroff: initiates the proper shutdown sequence. putconfig: restore farm/server settings from your PC to the WebMux. reboot: initiates a soft reboot. restart: restarts the WebMux unit's internal processes without rebooting the hardware. rec: allows configuring the basic WebMux IP without using the pushbutton. route: manipulate or display the routing table. Settings made here ARE reboot persistent. sysinit: allows you to create a custom startup script. Useful for making custom iptables rules reboot permanent, etc. tcpdump: capture and display network traffic. traceroute: print the route packets take to a network host. upgrade (superuser): upgrade the firmware to a newer version. It cannot be used for downgrade. vconfig: manipulate VLAN configurations. Most commands can be found on Unix; for detailed usage, please refer to any Unix man pages. Our support center does not support
60. LCD panel. By default there is no PIN. You can unset the PIN by submitting blank fields. [Screenshot: "change four digit PIN" screen under the security menu, with the fields "new PIN" and "new PIN again" and the note "Leave blank to use 0".] 6.4.3 Activating the Anti-Attack Feature: To get to the Anti-Attack settings of the WebMux, hover the mouse over the security menu on top and then click on the AAD link. You will see this screen: [Screenshot: AAD settings screen, with the fields TCP connection attack threshold, IPv4 client whitelist for TCP attacks, IPv6 client whitelist for TCP attacks and duration to block attackers. The screen notes that multiple whitelist entries are separated by a divider character and that multiple entries are not allowed for the attack threshold.] TCP Connection Attack Threshold: This sets the maximum number of concurrent connections a client can make before the WebMux will consider it an attack. You do not want to set this value too low, because most of the time servers will experience several concurrent connec
61. Mux and DNSMux Documentation. Notice of Rights: All rights reserved. No part of any related WebMux or DNSMux documents may be reproduced or transmitted in any form by any means without the prior written permission of AVANU, the publisher and copyright holder. For information on getting permission for reprints and excerpts, send an email to customerservice@avanu.com. Notice of Liability: The information in any WebMux or DNSMux documents is distributed as is and without warranty. While every precaution has been taken in the preparation, neither AVANU nor its resellers and representatives shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information and instructions contained in any of these documents or by any computer software and hardware described within. Trademarks: Throughout these WebMux and DNSMux documents trademarks are used. AVANU states that we are using any and all trademarked names in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. All trademarks and registered trademarks are the property of their respective owner(s). Update Information: AVANU will always work to ensure that the data contained in any WebMux and DNSMux documents are kept up to date. As such, please visit our website at http://www.avanu.com/support.htm to retrieve the l
62. Mux. In case a wrong command leaves the user no longer able to log in to the WebMux, use the LCD factory reset to reset the sysinit table to blank. Appendix N: Using Client Side SSL Certificate Authentication on the WebMux. WebMux can authenticate visiting browsers by installing client side SSL certificates. With client side SSL certificate authentication, unauthorized visitors can be dropped or directed to a different page. 1. Create the Certificate Authority using OpenSSL. a. Generate a private key: openssl genrsa -out ca.key 1024 b. Generate a certificate request: openssl req -new -key ca.key -out ca.csr Fill in all the proper fields. c. Self-sign the certificate request: openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt 2. a. Import the CA root certificate into the WebMux. Click on the SSL Keys button to go to the SSL Management page. [Screenshot: WebMux main status screen, with the menu entries add farm, modify farm, delete farm, add server, modify server, SSL keys, health check and scheduling management, and the farms 192.168.12.100:80 and 192.168.12.101:80.]
63. [Screenshot: Modify Farm screen for the gateway farm 0.0.0.0, with the fields label and nexthop routers.] Click on the Add Gateway button to add more gateway IPs to your gateway farm. [Screenshot: Add Gateway screen for farm 0.0.0.0, with an IP address field.] IP Address: Enter the IP address of your gateway. Label: The label here is used only for reference purposes. Weight: Scheduling priority weight. Valid integer numbers are between 1 and 100. Run State: Active: The gateway will be put into service immediately after it is added. If there are gateways in the farm in Standby, WebMux will activate a Standby gateway in its place if it goes out of service. When the original gateway comes back in service, it will stay in Standby mode until its run state is manually set to Active again through the browser interface. This will give the system administrator time to fix the system or reboot the gateway once some software/hardware update is completed. Favorite Active: The gateway will be put into service immediately after it is added. If a Favorite Active gateway failed, once it is operational the WebMux will automatically put it back to the Active state.
64. Pattern.x.y: SYNTAX OCTET STRING (0..255). DESCRIPTION: The layer 7 pattern to match a request against for this server. 1.3.6.1.4.1.27182.3.1.1.4.1.8.x.y caiWebMuxServerL PatternAnchored.x.y: SYNTAX INTEGER { true(1), false(2) }. DESCRIPTION: If the value of this object is true(1), then the layer 7 pattern to be matched has the leading included. 1.3.6.1.4.1.27182.3.1.1.4.1.3.x.y caiWebMuxServerLabel.x.y: SYNTAX OCTET STRING (0..255). DESCRIPTION: The mnemonic label assigned to this server. 1.3.6.1.4.1.27182.3.1.1.4.1.11.x.y caiWebMuxServerPacketsPerSec.x.y: SYNTAX Gauge32. DESCRIPTION: The current rate of packets being sent to this server. 1.3.6.1.4.1.27182.3.1.1.4.1.6.x.y caiWebMuxServerPort.x.y: SYNTAX Unsigned32 (1..65535). DESCRIPTION: The TCP or UDP port number used to access the service on the provided address. 1.3.6.1.4.1.27182.3.1.1.4.1.2.x.y caiWebMuxServerRowStatus.x.y: SYNTAX INTEGER { active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6) }. DESCRIPTION: The status of this row. As this table is read-only, the value of this object will always be active(1) at the present time. 1.3.6.1.4.1.27182.3.1.1.4.1.12.x.y caiWebMuxServerState.x.y: SYNTAX Unsigned32. DESCRIPTION: The current state of this server. The bits have the following meaning (Bit: Meaning): 0x0001: If bit set, server is available. 0x0002: If bit set, WebMux will send traffic to this
65. Port Channel or Link Aggregation Group. When this option is enabled, the traditional front and back LAN of the WebMux is no longer partitioned on the WebMux itself, but rather on the network SWITCH, using tagged and untagged VLAN ID settings. Specific concepts need to be followed when setting up the WebMux with VLAN IDs. One is that the ports on the switch connected to the WebMux MUST be configured to use tagged VLAN (802.1q). VLAN IDs configured on the WebMux for any mode (NAT, Transparent or Out of Path) follow the tagged VLAN 802.1q specification. For the rest of the network, there are two ways to configure the switch and devices in order for them to be able to communicate with each other. One way is to make all the devices in the local network use 802.1q VLAN tagging, since only devices using 802.1q VLAN tagging will be able to communicate with each other. However, that option depends on the actual network interface in the device and whether or not it supports 802.1q VLAN tagging. The other option is to leave the network interface configuration on the other devices alone and configure the switch to do the VLAN tagging. This will be the option that we will be using in our example. All manageable switches with VLAN capabilities have these features, but since the switch configuration commands vary from brand to brand, we will only lay out the main configuration concepts and leave it up to you to refer to your switch user manual for s
66. iii. Generate a certificate request: openssl req -new -key webmux.key -out webmux.csr Fill in the appropriate fields. iv. Your certificate request is saved in the file webmux.csr. 4. Self-sign the certificate request and import the certificate into the WebMux. a. Use openssl to sign the certificate request with the CA, using the ca.key and ca.crt created in step 1: openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in webmux.csr -out webmux.crt b. Open webmux.crt as a text file and copy and paste it into the certificate text box. [Screenshot: certificate text box with "use new certificate pasted in" selected.] c. Click the Confirm button. 5. Generate the client key and certificate request. a. Generate the client key using OpenSSL: openssl genrsa -out client.key 1024 b. Generate the client certificate request: openssl req -new -key client.key -out client.csr 6. Sign the certificate request: openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt 7. Convert client certificate to PKCS #12 format. a. Using the client key created
67. THE WEBMUX PRODUCT OR THE FAILURE OF THE PRODUCT TO PERFORM, INCLUDING ANY LOST PROFITS OR SAVINGS OR SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES. AVANU IS NOT LIABLE FOR ANY CLAIM MADE BY A THIRD PARTY OR MADE BY YOU FOR A THIRD PARTY. THIS LIMITATION OF LIABILITY APPLIES WHETHER DAMAGES ARE SOUGHT OR A CLAIM MADE UNDER THIS LIMITED WARRANTY OR AS A TORT CLAIM (INCLUDING NEGLIGENCE AND STRICT PRODUCT LIABILITY), A CONTRACT CLAIM, OR ANY OTHER CLAIM. THIS LIMITATION OF LIABILITY CANNOT BE WAIVED OR AMENDED BY ANY PERSON. THIS LIMITATION OF LIABILITY WILL BE EFFECTIVE EVEN IF YOU HAD ADVISED AVANU OR AN AUTHORIZED REPRESENTATIVE OF AVANU OF THE POSSIBILITY OF ANY SUCH DAMAGES. THIS LIMITATION OF LIABILITY, HOWEVER, WILL NOT APPLY TO CLAIMS FOR PERSONAL INJURY. Exclusions: AVANU DOES NOT WARRANT THAT THE OPERATION OF THIS PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE. AVANU IS NOT RESPONSIBLE FOR DAMAGE THAT OCCURS AS A RESULT OF THE CUSTOMER'S FAILURE TO FOLLOW THE INSTRUCTIONS INTENDED FOR THE WEBMUX PRODUCT. About the Support Disclaimer: The Support provision covers product configuration and basic remote installation support up to the first sixty (60) days from purchase date. AVANU has the right to request a proof of purchase document. Technical support applies to WebMux performance only and current version firmware updates. There will be a fee for any firmware version request other than the current available version and any request for support outside
68. Termination: Selecting an SSL key in this section will enable SSL termination for this farm. The HTTP service and POP3 service terminate to ports 443 and 995 respectively, and will allow you to choose any port for the clear traffic to the servers. When using the generic or custom services, specifying the clear traffic port for the service in the port number section causes the WebMux to automatically assume the secure port for the following services: [Table with the columns Clear Traffic Port, Secure Port and Service, listing HTTP, POP3, Telnet, SMTP, NNTP, IMAP, IRC and LDAP.] SSL Port: If the SSL traffic does not use one of the standard secure ports listed above, the user can specify his own. Block non-SSL access to farm: If the incoming traffic is not encrypted, drop the packet. Tag SSL-terminated HTTP requests: Adds a tag to the MIME header to indicate that the incoming traffic was encrypted. By default, no tag. Tag format: X-WebMux-SSL-termination: true. Servers are HTTPS servers, not HTTP servers: Enable SSL end-to-end re-encryption. By default, no. Only allowed on a farm doing SSL termination. Lync and Exchange servers may need this feature. Servers only serve IPv4, not IPv6: If the incoming traffic is IPv6, WebMux can map it onto IPv4 servers. Connection throttling watermarks: If specified, traffic will be stopped at the high watermark and allowed again below the low watermark. Compress HTTP Traffic: Selecting yes to this option will activate the WebMux HTTP com
69. View. 1.1.1 Toggle Power Switch: This switch toggles power on and off. To power off, the switch must be pressed and held for 5 seconds. However, it is recommended that you do not regularly use this power switch to shut down the unit. Please use the LCD panel, web interface or command line interface to issue a proper shutdown. 1.1.2 Reset Button: Press and release the reset button to reboot the WebMux. This is a hard reboot, not a factory reset. This will not reset your settings. Please allow several minutes for the WebMux to completely reboot. 1.1.3 Up Arrow Button, Down Arrow Button: When each button is pressed, the value at the cursor location increases or decreases. It goes through lower case letters, upper case letters, numbers and symbols. When the cursor is located at the left-most position on the LCD, the up and down arrows allow the user to select a different item to set up. 1.1.4 Left Arrow Button and Right Arrow Button: When each button is pressed, the cursor moves to the left or right. 1.1.5 Check Mark Button and Cross Button: The Check Mark Button confirms the selection. The Cross Button cancels the selection. At any time when the system is running, holding down the Check Mark Button will invoke the configuration menu, where you can change IP addresses and other settings. 1.2 Rear View [Rear panel labels: External, To Router, Backup, To Server, Modem, LAN Hub, WebMux, LAN Hub, AC INPUT 90-230VAC.] 1.2.1 Server LAN Port: Co
70. a custom-developed CGI code by your software developer on your server and place it on the path. Upon success, the page should return HTTP response code 200 and a plain text page beginning with one of the allowed responses. The URL is truncated to 255 bytes, to be a string of at most 256 bytes with a terminating null. The response from the server must fit in 4k, including all non-display tags and headers, etc. This custom CGI code must complete within 15 seconds or the server is considered dead. The custom defined service also allows for CGI code responses that allow the server to change its own weight and announce such a change to a remote syslog daemon. Please see Appendix E for sample code and a list of allowed responses. TCP Port for Custom Service Check: By default, the WebMux will do its custom service check on port 80, no matter what port you set up for the farm. If you wish to change this, you can specify a port here. This is a global setting and will be used for all farms using the custom health check service. HTTP Check Management: By default, HTTP servers return code 200, indicating a successful result. Sometimes a different return code or groups of numbers are desirable. To modify the HTTP response code, click the HTTP check button on the left. You can modify the acceptable valid HTTP return codes in this screen. [Screenshot: HTTP check management screen.]
71. ada Toll Free, Extension 202. 1-408-248-8960 International, Extension 202. Monday to Friday, excluding US Holidays, 8:00am to 5:00pm PT. Note: A RMA number is required for all warranty repair service or sales returns. AVANU has the right to refuse any shipment without an issued RMA number. Section 11 FAQs. I can't log in with my browser. It always says you are not logged in. To use your browser to manage the WebMux, it must be set to accept all cookies. Because the cookie is set to expire in 8 hours, you also need to make sure your system clock is set correctly using GMT. The message is an indication that your system clock is off. Please refer to page 84 on how to set the system clock of the WebMux. I can't log in with my browser because the WebMux does not respond. Your IP address is not on the allowed host list, or the wrong IP addresses were entered by accident. Use the LCD panel setup to clear that list. If I have multiple servers assigned as STANDBY, how does the WebMux choose which server to use if an ACTIVE server goes down? The WebMux checks the standby servers in order and activates each one until their total weight meets or exceeds that of the server that is unavailable. Will a server with weight 0 act as a STANDBY? No. A weight of 0 indicates that the server will not accept any new connections. The state is considered neither ACTIVE nor STANDBY. This is to quiet the new connections for the server so that it can be taken out of
72. address to different servers in that farm. During farm setup, the label for the farm could be one of the virtual farm's base URLs, say www.mydomain.com; the WebMux actually periodically reads a page from this URL. If the server that serves that URL does not respond correctly, the WebMux will mark that server dead. Since every server in that farm serves all the virtual farms, the WebMux expects that a problem with one server on one URL will affect all the URLs in that farm. Another situation is a server that already serves HTTP virtual sites using a single private IP address before load balancing. After adding the load balancer, some of the sites want to have their own IP addresses. The WebMux allows setting up a separate farm for each site, each having its own public IP address but pointing to the same set of servers in the private network. In this situation, each separate farm could have its own label, such as www.site.com and www.site2.com, etc. The WebMux will actually do a health check on each URL by periodically reading a default page from that site. In the virtual hosting situation, the label and the response from the web servers are critical for reliable service. The WebMux checks the label and checks the server's health based on the URL supplied in the label. If the server response is 500 or greater, which is an error code indicating a server internal error, the WebMux will exclude that server from serving the farm. If server responses 402 which indicating access i
73. adio interference as specified in the Canadian Department of Communications Radio Interference Regulations. This device complies with the Class B radio interference standards as specified by the Canadian Department of Communications in the radio interference regulations. 12.3 Notice for Europe (CE Mark): This product is in conformity with the Council Directive 89/336/EEC, 92/31/EEC (EMC). CAUTION: Lithium battery included with this device. Do not puncture, mutilate, or dispose of battery in fire. Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used battery according to the manufacturer's instructions and in accordance with your local regulations. Appendix A How to Add a Loopback Adapter. For Out of Path Mode, a loopback adapter or a device similar in function is required. This appendix lists a few different ways to add such a device for different OSes. A.1 Installing the MS Loopback Adapter. 1. Click Add Hardware > Add a new device > No, I want to select the hardware from a list, and select Microsoft Loopback Adapter from the list and click OK. 2. At the MS Loopback Adapter Card Setup screen, hit OK to the default of 802.3. 3. You should be prompted for the path to the NT setup files. Click Continue once the path is correct. 4. Click Close. A reboot may be necessary. Go to the step below for Configuring the MS Loopback Adapter.
74. ake Route Delete Reboot Persistent; Appendix C Virtual Hosting Issues; Appendix D Sample Custom CGI Code; Appendix E Access CLI Commands; Appendix F Extended Regular Expressions; Appendix G Notes on IPv6; Appendix H WebMux SNMP MIB Query ID; Appendix I Special Details about Out of Path Mode; Appendix J Tagged VLAN and WebMux; Appendix K Multiple Uplink VLAN Support; K.1 Important Considerations Pertaining Only to Additional Network Configurations; Appendix L Bond All Interfaces Setup Guide; Appendix M How to Add Commands to WebMux Startup Sequence; Appendix N Using Client Side SSL Certificate Authentication on the WebMux; Appendix O Configuring End to End SSL Load Balancing. Packing List: One (1) WebMux unit; One (1) Power Cord; One (1) Product Registration Document. Section 1 Main Components 1.1 Front
75. arent and OOP modes. Flood Control Feature: This feature is an added security against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. While the Anti-Attack function blocks IPs with excessive concurrent connections, flood control will block single-connection IPs with excessive packet rates. In-Path or Out-of-Path Load Balancing: In a normal setup, the WebMux can be configured In-Path to act as a firewall in addition to the load balancer and health checker. However, if outbound traffic is much larger than inbound traffic and you already have a firewall in place, or a change of IP address causes problems, consider using the Out-of-Path configuration. Out-of-Path load balancing is also called direct routing or one-leg operation. Transparent Mode: In this mode the WebMux behaves as an Ethernet bridge between the Server LAN and the Router (Internet) LAN. The main advantage is that the network settings in the servers do not have to be changed (no loopback adapters or IP address changes needed). The servers will be connected behind the WebMux but will appear to be on the same LAN that the front network of the WebMux is connected to. Single Network Mode: Allows you to set up load balancing in an existing network without any change to the server configuration. Single network mode changes both the source and destination IP addresses in the IP packets. Layer 7 Load Balancing: WebMux can direct traffic to specific groups of servers w
76. atest version of our documents. All products and specifications are subject to change without notice. AVANU WebMux Product Limited Product Warranty and Support Performance Guarantee. About the Performance Guarantee: The Performance Guarantee is an expression of the confidence we have in our products and services. AVANU Limited Product Warranty and Support: The WebMux product line comes with a one year (1) coverage for: Product warranty, Parts and Labor (Customer responsible for shipping to AVANU Service Center); Software firmware updates, Monday to Friday except US Holidays, 8:00am to 5:00pm PT; Technical support by telephone and email, Monday to Friday except US Holidays, 8:00am to 5:00pm PT. WebMux products have a thirty day (30) money back guarantee. Money back guarantee claims must be processed through the original point of purchase. Restocking fees may apply. Customer or point of purchase must contact AVANU to disclose reason for return prior to thirty days (30) of receiving product. A RMA number will be issued by AVANU Customer Service for the return and must be visible on the outside shipping container. Return freight and insurance are the responsibility of the customer or point of purchase. Customer or point of purchase is responsible for any damage or loss during transit time until received by AVANU. Product must be received in a brand new condition. Customer will be responsible for any other costs incurred due to p
77. ateway Options: A add NAME: add new network configuration NAME. D delete NAME: delete existing network configuration NAME. I install NAME: install network described by network configuration NAME. R replace NAME: like A, except allows configuration to already exist. U uninstall NAME: uninstall network described by network configuration NAME. b broadcast BROADCAST: broadcast address is BROADCAST (e.g. 192.168.14.255). g gateway GATEWAY: address of gateway router on the network is GATEWAY (e.g. 192.168.14.1). help usage: print this usage message. i ipaddr IPADDR: WebMux unit's IP address on the network is IPADDR (e.g. 192.168.14.22). L list PATTERN: list existing additional network configurations whose names match the given pattern(s). If no pattern is given, list all additional network configurations. m netmask NETMASK: network mask for the network is NETMASK (e.g. 255.255.255.0). n network NETWORK: address of the network is NETWORK (e.g. 192.168.14.0). r router vid VID: VLAN ID for the network for the router in transparent mode. s server vid VID: VLAN ID for the network for the servers in transparent mode. p prefix PREFIX: network mask as a prefix width is PREFIX (e.g. 24). v vid VID: VLAN ID for the network is VID (default: original VLAN tag). For example: nwconfig A newISP i 192.168.14.21 g 192.168.14.1. The IP you specify will be the WebMux unit's main IP on the additional network
78. ations needed when using the IPv6 address in a web browser, because the colon is also used to denote a port number (i.e. 192.168.12.21:24). Because accessing the WebMux unit's web management requires access to port 24, you cannot simply put the IPv6 address in the address bar of the browser like you would for an IPv4 address. You must enclose the address in brackets. For example, if the IPv6 address of the WebMux is fec0::c0a8:c15, then you would enter http://[fec0::c0a8:c15]:24 to get to the web management. There are also IPv6 versions of some basic networking tools, such as ping6, traceroute6, and tcpdump with the IPv6 flag, ip f inet6, route inet6, etc. Please be sure that the network software client is indeed IPv6 capable, or is the correct IPv6 version to use, before assuming that your network is not working. Also, when adding an IPv6 address to your server's NIC (network interface card), your server's OS might not automatically add a default gateway in its routing table for the IPv6 address. Please double check the routing tables and make sure the proper entries are there. If your servers are not accessible from the outside but are accessible within the subnet, you might want to check and make sure that the default gateway was set up correctly. From firmware version 9.0.0, WebMux IPv6 supports all modes of operation. It can operate in two-arm NAT mode and Transparent mode, as well as one-arm Single Network mode and OOP (Out of Path) mode.
79. 7.11 Layer 7 Check Management; 7.12 Monitor Traffic History Chart; Section 8 Initial Setup Change Through Browser; Section 9 Sample Configurations and Worksheets; 9.1 Initial Configuration Worksheets; 9.2 Sample Configuration Worksheets; 9.2.1 Standalone WebMux NAT Mode; 9.2.2 Standalone WebMux Transparent Mode; 9.2.3 Out of Path Installation of WebMux; 9.2.4 A Redundant Installation; Section 10 Contact Information; Section 11 FAQs; Section 12 Regulations; 12.1 Notice to the USA; 12.2 Notice for Canada; 12.3 Notice for Europe (CE Mark); Appendix A How to Add a Loopback Adapter; A.1 Installing the MS Loopback Adapter; A.2 Configuring the MS Loopback Adapter; Appendix B How to M
80. [Screenshot: modify service timeout page. Prompt: "Please enter the number of seconds to wait for a server's response. To omit checking servers using this service altogether, enter 0." Fields: new timeout, existing timeout, default timeout.] To modify the custom healthcheck: [Screenshot: custom check management page. Fields: URI for custom service check; TCP port for custom service check; ignore contents of custom check page.] URL for Custom Service Check: Sometimes the WebMux built-in server health check is not enough for special needs. When an ASP/JSP server's output depends on the database server and the database server connection is down, one might want to reduce the incoming traffic to the server, suspend new traffic to the server, or totally redirect incoming traffic to a different server. To accomplish that, the WebMux allows a farm to be set up using a custom defined service. It will then call the CGI's URL on the server defined in this field. This will involve
81. commended. We suggest that all separate networks be on separate VLAN IDs. Also, you cannot create an additional network with a VLAN ID unless the original network is also configured with a VLAN ID. This is true for all modes: NAT, Transparent, and Out of Path. Generally, it is not recommended that you create additional networks unless you are using VLANs. If you are pairing up two WebMux units in a failover configuration, you can use the same Router (Internet) LAN and Server LAN IP address for the additional networks in both the primary and secondary units. In NAT mode, the Router (Internet) LAN and Server LAN interfaces are deactivated when the unit is in standby, to eliminate duplicate IP address issues and to allow you to conserve available IP addresses. In the original network configuration, you had to specify a server LAN gateway IP to be used as the servers' default gateway IP address. The server LAN gateway IP is a floating IP address that is available only on the active WebMux in a WebMux pair. When creating additional network configurations on the server side, you do not have the option to create a server LAN gateway IP like in the original network configuration. In this case, you will need to configure your additional server networks using the same IP addresses on the secondary as on the primary. The IP address you create for your additional server network will be used as the server's default gateway IP. Since
82. d This feature allows the SAVED (not necessarily the active) configuration to be saved at the Administrative Browser workstation. Be sure you have saved your farm configurations from the main screen before exporting your configuration, to ensure that you are getting your most recent changes. Click on "Click Here" to display the configuration. Choose File > Save As from the browser menu to save it as a text file. Changes can be made to this file and uploaded to the WebMux. DO NOT change the first comment line. 3 Upload: Upload allows a configuration file that has been saved at the browser workstation to be uploaded to the WebMux. Enter the full path of the configuration file, or click on Browse to search for the file. Click Upload to upload the file to the WebMux. This file will IMMEDIATELY become the saved and active configuration. "Upload ALL Settings to WebMux" will actually upload settings including IP addresses, farms, and information you entered in the Administration Setup. If you want to replace the WebMux with a new unit, you could save the configuration and upload all settings to the WebMux so that you do not need to go through step by step configuration (requires both WebMux units on the same firmware revision). 6.5.4 Set Clock: Click this link to go to the Set the Clock page. The time and date of the WebMux can then be set. Please note that the WebMux internally uses the GMT time zone, not your local time zone, per W3C HTTP pr
83. d Second, a farm on the WebMux is defined with Server 1 and Server 2 in it. The servers would be set up either to share the traffic or as a primary server and a standby server. In either case, if Server 1 goes down, then all traffic will be automatically directed to Server 2 by the WebMux. 3.3 Two-armed Transparent Mode: In Two-Armed Transparent Mode, the servers need to be isolated from the rest of the network with the WebMux in between, even though they are in the same network segment. All communication from servers to other servers or clients must flow through the WebMux. The WebMux will load balance any traffic targeted to the farm address and let all other traffic flow through like a network cable. This simplifies some network configuration, but the server isolation is an additional requirement. 3.4 One-armed Single Network Mode: In One Arm mode, the WebMux supports both Single Network Mode and Out of Path Mode. For Single Network Mode, there are no changes to the network or servers. Traffic from clients is sent to the farm address on the WebMux, which will in turn send it to the servers through load balancing methods. Server replies to the WebMux will be sent back to the clients. Single Network Mode has a limitation that only 65000 concurrent connections are allowed in one farm. 3.5 One-armed Out Of Path Mode: In Out of Path Mode, there is only one network in the setup; the server LAN is connected to the Internet through the firewall and router. In
84. d: Y; Administration HTTP Port Number: 24; Secure Administration HTTPS Port Number: 35; Is this WebMux primary: Y; WebMux running solo without backup: Y; Reboot: Y. There is no change to each server's IP address, netmask, and gateway address, except if using the WebMux for SSL termination or Layer 7 load balancing (see next paragraph). You will need to add a loopback adapter to each server and assign the farm address to the loopback adapter. MS Windows always adds a route for the loopback adapter, which will need to be removed; please refer to Appendix B. In the virtual farm, add each server using its real IP address. For SSL termination or Layer 7 load balancing, you must set the server LAN gateway IP address and set the servers' default gateway to that IP. If using a multiple VLAN configuration, please note the VLAN IP address cannot be used for the FARM address. The FARM address must be an address within that VLAN and other than the VLAN IP address. 9.2.4 A Redundant Installation. Configuration Before WebMux Installation (Equipment: IP Address): Internet Router or Firewall Address: 205.133.156.1; Webserver's Default Gateway: 205.133.156.1; Web Site IP Address: 205.133.156.200. Configuration After WebMux Installation (Entry Question: Primary, Secondary): Host Name: webmux1, webmux2; Domain Name: avanu.com, avanu.com; NAT, Transparent, Single Network or Out of Path: NAT, NAT; R
85. d balancing function of the WebMux. Act as IP Router: Yes: The WebMux will route IP packets in both directions. The WebMux will not act as a firewall in this mode. No: The WebMux will NOT route incoming IP packets through the WebMux, except IP packets for the farm IP/port. This is the default setting. Front Network Verification: The WebMux checks the availability of the front network by checking on the IP address you configured as your external gateway IP (your router IP). The selection here determines the protocol used to check the connectivity of that IP address. It can be none, ARP, TCP Connection, or ping. Depending on the front end router, this can be changed. For example, most Cisco routers will talk to the WebMux through ARP and TCP Connection; however, most Cisco DSL modems will only talk to the WebMux through Ping. Changes to this verification method will take effect after the WebMux has been rebooted. If you have configured a farm on the WebMux and the farm IP itself is showing dead, please verify that your router responds to the method you have specified in this field. Front Network Verification IP Address: You can specify a different IP address for the WebMux to use to check the front network. It can be the router in front of the WebMux or a router in your ISP's WAN. It can be any address that is reachable on your Internet side. The protocol specified in the above field is used. If you see the far
86. d in order to change farm settings. Please choose Generic TCP and specify the port number if the service is not listed below. If multiple ports are to be used, please also select Generic TCP and specify port number 0. Service (Well Known Port): DNS, Domain Name Service (TCP 53); FTP, File Transfer Protocol (TCP 21); HTTP, Hypertext Transfer Protocol (TCP 80); HTTPS, Secure Hypertext Transfer Protocol (TCP 443); HTTP/HTTPS Combined (Ports 80, 443); LDAP, Lightweight Directory Access Protocol (389); MMCC, Multimedia Conference Control (TCP 5050); NNTP, Network News Transfer Protocol (TCP 119); NTP, Network Time Protocol (123); POP3, Post Office Protocol (110); SMTP, Simple Mail Transfer Protocol (TCP 25); SNPP, Simple Network Paging Protocol (TCP 444); Generic TCP (User Specify); Generic UDP (User Specify); Generic TCP/UDP (User Specify); Generic no health check TCP (User Specify); Generic no health check UDP (User Specify); Generic no health check TCP/UDP (User Specify); Custom Defined TCP Services (User Specify); Custom Defined Generic TCP (User Specify); Custom Defined UDP Services (User Specify); Custom Defined TCP/UDP Services (User Specify); Custom Defined Paired HTTP and HTTPS TCP Service (User Specify). Scheduling method: The scheduling method is the way in which traffic is distributed among the servers in the farm. Eight different methods are supported. If you are using a shopping cart service, a persistent scheduling method is r
87. e in 1-Arm Out of Path Mode. SNAT: By default, the WebMux will not change the source IP address of the originating client from the Internet (router LAN) side of the network when sending packets to the destination server. When the server receives these packets, it will see that the client is external to its network. In some cases, as in OCS 2007R2, you may need to enable SNAT so that the destination server sees that the request is coming from a local client. Enable this option so that the WebMux will substitute its own IP address as the originating client. 6.3.1 Adding Static Routes: You can add static routes to the WebMux using the Web GUI or through the Command Line Interface (CLI). From the Web GUI, hover the mouse over the network menu, then click on the routing table button. You should see this screen: [Screenshot: routing table page. On-screen text: This screen shows the current routing table. The dropdown gives three choices: to change the table by specifying addition or deletion requests, to save it, or to restore the last previously saved routing table. Changes to the routing table take effect immediately, but they do not persist past reboots unless the table has been subsequently saved. Routes shown in grey may not be deleted.]
88. eader line added. 1.3.6.1.4.1.27182.3.1.1.2.1.4.x caiWebMuxFarmConnections.x: SYNTAX Counter32; DESCRIPTION: The current number of connections being serviced by this server farm. The total number of connections serviced by this server farm. XXX delete as appropriate. 1.3.6.1.4.1.27182.3.1.1.2.1.5.x caiWebMuxFarmConnectionsPerSec.x: SYNTAX Gauge32; DESCRIPTION: The current rate of incoming server connections for this server farm. 1.3.6.1.4.1.27182.3.1.1.2.1.6.x caiWebMuxFarmPacketsPerSec.x: SYNTAX Gauge32; DESCRIPTION: The current rate of incoming packets for this server farm. 1.3.6.1.4.1.27182.3.1.1.2.1.2.x caiWebMuxFarmRowStatus.x: SYNTAX INTEGER { active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6) }; DESCRIPTION: The status of this row. As this table is read-only, the value of this object will always be active(1) at the present time. 1.3.6.1.4.1.27182.3.1.1.2.1.3.x caiWebMuxFarmScheduling.x: SYNTAX OCTET STRING (0..255); DESCRIPTION: The load balancing algorithm used to distribute incoming connections amongst the servers of this farm. 1.3.6.1.4.1.27182.3.1.1.1.3.0 caiWebMuxFirmwareDate.0: SYNTAX OCTET STRING (8 | 11); DESCRIPTION: The date and time the current firmware version was built. 1.3.6.1.4.1.27182.3.1.1.1.16.1.4.x caiWebMuxlfCurrentLinkSpeed.x: SYNTAX Unsigned32; UNITS Mbps; DESCRIPTION: The current link speed of this inter
89. ecommended. Least connections; Least connections, persistent; Round robin; Round robin, persistent; Weighted least connections; Weighted least connections, persistent; Weighted round robin; Weighted round robin, persistent; Weighted fastest response; Weighted fastest response, persistent; Faster Layer 7 HTTP URI load directing (no compression); Layer 7 HTTP URI load directing; Layer 7 HTTP URL load directing with cookies; Layer 7 HTTP cookie load directing with cookies; Layer 7 HTTP virtual host load directing with cookies; Layer 7 generic TCP load directing. Layer 7 scheduling methods can only be used with TCP service. These scheduling methods allow you to direct traffic to a specific group of servers depending on a match pattern that is tested against the URI in the client's GET request header. When selecting any L7 scheduling method, the user can also enable IPv6 to IPv4 translation. Layer 7 HTTP URI load directing is your basic Layer 7 load balancing method. The Faster Layer 7 HTTP URI load directing (no compression) option is the original basic Layer 7 load balancing feature that was not built with the HTTP compression logic. Although both selections will load balance exactly the same way, selecting the Faster method may free up more resources than the normal Layer 7 HTTP URL load directing option, even if HTTP compression is not being used. Layer 7 HTTP URL load directing with cookies allows the WebMux to maintain clien
90. ed to access the service provided by this server farm. 1.3.6.1.4.1.27182.3.1.1.3.1.3.x.y caiWebMuxFarmAddressLabel.x.y: SYNTAX OCTET STRING (0..255); DESCRIPTION: The mnemonic label assigned to this address and port for a server farm. 1.3.6.1.4.1.27182.3.1.1.3.1.7.x.y caiWebMuxFarmAddressPort.x.y: SYNTAX Unsigned32 (1..65535); DESCRIPTION: A TCP or UDP port number used to access the service provided by this server farm. 1.3.6.1.4.1.27182.3.1.1.3.1.2.x.y caiWebMuxFarmAddressRowStatus.x.y: SYNTAX INTEGER { active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6) }; DESCRIPTION: The status of this row. As this table is read-only, the value of this object will always be active(1) at the present time. 1.3.6.1.4.1.27182.3.1.1.3.1.8.x.y caiWebMuxFarmAddressSSLPort.x.y: SYNTAX Unsigned32 (1..65535); DESCRIPTION: A port number used to access the service provided by this server farm securely using the secure sockets layer (SSL). 1.3.6.1.4.1.27182.3.1.1.3.1.4.x.y caiWebMuxFarmAddressService.x.y: SYNTAX OCTET STRING (0..255); DESCRIPTION: The type of service provided by this address and port for this server farm. 1.3.6.1.4.1.27182.3.1.1.3.1.10.x.y caiWebMuxFarmAddressTagSSL.x.y: SYNTAX INTEGER { true(1), false(2) }; DESCRIPTION: If the value of this object is true(1), then HTTP requests to the IP address given for this row that are using SSL will have the following h
91. eight number in each server will have the best load distributing result. Running state (see the Add Server section for details): Active Favorite Active Standby Last Resort Standby. 7.8 Add MAP: Use the MAP feature to create additional IP address/port/protocol combinations for the farm. When using a persistent scheduling method, the same client will also be sent to the same server no matter which port it accesses within that MAP. Click on the radio button next to the farm you want to modify and click on the add MAP button on the left. Or click on the farm IP address and click on the add addr/port button in the modify farm screen. You will see this screen: [Screenshot: add IP address/port page for farm 192.168.12.100:80. Fields: IP address; label; port number; service; SSL termination; SSL port; block non-SSL access to farm; tag SSL terminated HTTP requests; compress HTTP traffic.] Farm IP and Port: This displays the current farm you are modifying. These fields are set in the Add Farm screen. Once set, they are not changeable. If they must be changed, delete the farm and then add a new
92. er help for list of commands. Enter cmd help for help on the command cmd. Enter exit or logout to end this session. The following commands are available in the CLI. about: displays WebMux model, serial number, and firmware version information. arp: manipulate the system ARP cache. arping: ping <address> on device <interface> by ARP packets, using source address <source>. brctl: manually manipulate Ethernet bridge properties when the WebMux is in Transparent Mode. checkssl: verifies key and certificate. For example, checkssl 1 will check the key and certificate in slot 1 from the SSL Termination Management page of the web GUI. If no messages are returned, the test passed. date: displays current system date and time. Allows you to adjust system date and time. ethtool: allows you to display the status or manipulate the settings of the Ethernet hardware. factory_reset: reset WebMux settings to original settings; clears all current settings. getallsettings: save all WebMux settings from WebMux to your PC. getconfig: save all farm/server settings from WebMux to your PC. hwclock: displays current hardware date and time. Allows you to adjust hardware date and time. ifcfg eth: In Out of Path Mode, you can use this command to set a reboot-permanent IP address on the Internet port ethf0. See Appendix J for details. ifconfig: display and configure a network interface(s). ip: TCP
93. ermination presently activated, either deactivate and reactivate its SSL termination, or reboot (which restarts everything). [Screenshot: SSL termination settings. Options: encryption protocols (SSLv2, SSLv3, TLSv1); cipher strengths allowed (256 bits, 168 bits, 128 bits, 56 bits, 40 bits).] This will enable you to restrict SSL connections that do not follow the minimum protocol. If there are already active farms using SSL Termination, then changing this setting will require you to reboot the WebMux to activate changes. If you decide not to reboot, existing farms will run under the previous criteria and new farms will follow the new criteria. Rebooting the WebMux will ensure that ALL the farms with SSL Termination will adhere to the new protocol requirement. You can click a key number to generate keys and to copy and paste signed certificates. [Screenshot: SSL key 1 management page.] This key and certificate chain are not currently used for SSL termination. You may change this key or certificate chain using the dropdown menus. You may either let WebMux generate a new key or paste in a new private key. You may paste in a new certificate chain. If you wish to let WebMux generate a new private key, please select the key length from the dropdown menu. When the
94. erver LAN Network IP Address Mask; Server LAN VLAN ID (optional). Bridge Settings (For Transparent Mode Only): WebMux Bridge IP Address; WebMux Bridge IP Network Mask; Router LAN VLAN ID (optional); Server LAN VLAN ID (optional). Administration Setup Information: External Gateway Address; Remake home WebMux conf passwd; Administration HTTP Port Number; Secure Administration HTTP Port; Is this WebMux primary (Y/N); WebMux running solo without backup; Reboot. (Worksheet columns: Entry Question, Primary, Secondary.) 9.2 Sample Configuration Worksheets. 9.2.1 Standalone WebMux NAT Mode. Configuration Before WebMux Installation (Equipment: IP Address): Internet Router or Firewall Address: 205.133.156.1; Webserver's Default Gateway: 205.133.156.1; Web Site IP Address: 205.133.156.200. Configuration After WebMux Installation (Question: Entry): Host Name: webmux; Domain Name: avanu.com; NAT, Transparent, Single Network or Out of Path: NAT. Router LAN Information: Router LAN WebMux Proxy IP Address: 205.133.156.200; Router LAN Network IP Address Mask: 255.255.255.0; Router LAN VLAN ID (optional): 101. Server LAN Information: Server LAN WebMux IP Address: 192.168.199.251; Server LAN Gateway IP Address: 192.168.199.1; Server LAN Network IP Address Mask: 255.255.255.0; Server LAN VLAN ID (optional): 102. Administration Setup Information
95. es no. In NAT mode, the WebMux blocks all the incoming traffic from the router LAN to your internal network. Unless there is a farm defined for a port number, outside traffic will not be able to reach any server or computer behind the WebMux. The WebMux does not have the management functionality for restricting which IP addresses or services an internal host can reach on the outside. If such a restriction is desirable, then an additional firewall is needed. A firewall is recommended if running the WebMux in Transparent Mode or Out of Path. What can I do if the service that I want to load balance is not in the list? The WebMux already supports many different services. If your service is not in the list, you could use generic TCP and/or UDP to set up your farm. If that is still not good enough, you may contact us about developing a special service-aware module for you. In most cases there is a very reasonable fee to be charged. Why didn't the secondary WebMux take over when I powered down the Primary WebMux? Possible reasons: 1. The two WebMux units are not running on the same version of firmware, or 2. The secondary WebMux not only monitors the primary WebMux, but a few other things as well. Before it takes over, it makes sure it can reach the router LAN gateway as well as at least one server defined in any farm. If the secondary WebMux cannot reach the front router LAN gateway, or if it cannot see any server in any farm, then it will consider
96. esult as an by itself in a command line, you must use in Extended Regular Expressions, meaning match any character, being the wildcard character, occurring zero or more times in the string, as dictated by the quantifier. Here are other example patterns. An item which has the string Compiler in it: Compiler. Items with various spellings of Dijkstra, with the j replaced by any character: Di kstra. Items with various spellings of Dijkstra, with the ijk replaced by any number of characters: D stra. An item with either Compiler or compiler in it: cC ompiler. Strings like bananas, banananas, bananananas, etc.: bana na s. Items with the strings regular and expression on the same line, with anything or nothing between them: regular expression. Items with either regular or expression or both: regular expression. Items with either OO or Object Oriented or Object Oriented on one line: OO oO bject oO Jriented. To search for characters other than letters or digits, put a in front of them: SVSL. These examples were taken from the following web page: http://www.csci.csusb.edu/dick/samples/egrep.html. You can also find helpful information at http://en.wikipedia.org/wiki/Regular_expression. Appendix G Notes on IPv6: Because IPv6 uses the colon symbol in the address, there are special consider
97. et for the connection warning threshold, the designated numbers would be paged. ICMP Packet input policy. Accept: The WebMux will allow all ICMP packets to travel through the WebMux. For the CLI arp commands to work properly, this must be set to accept. Deny: The WebMux will NOT allow any ICMP packets to travel through the WebMux. Note: During installation, having the ability to PING the other hosts on the networks is typically useful. When the installation is complete, setting the ICMP packet policy to DENY is recommended as a security precaution. 6.4.1 Change Password. Name: Select the login name for which the password is to be changed. New Password: Enter the new password. This is the password to which the login will be changed. New Password Again: Enter the same password as in the previous box. Confirm / Cancel: Click Confirm to execute the change. Click Cancel to return to the previous screen WITHOUT changing the password. 6.4.2 Change PIN. To protect the WebMux from unauthorized changes from the front LCD panel, a PIN can be entered here to prevent saving any changes from the front
98. etermined by the front network verification protocol setting in the Administrator Setup page (see Section 6.3). If you click on the nh link under the service column, you will get to the modify service timeout page. [Screen: modify service timeout. Changing health check timeout for servers in all farms which use the service nh. Please enter the number of seconds to wait for a server's response. To omit checking servers using this service altogether, enter 0.] The setting on this page determines how long the WebMux will wait when verifying whether the gateway IP is still valid. You can disable the checking altogether by setting the timeout value to 0, or you can set the front network verification protocol to none in the Network Setup page (see Section 6.3). 7.10 Modify Health Check. The user may change the health check behavior by modifying and enabling the custom health check, modifying the HTTP server response code behavior, and changing the health check TCP timeout value. To modify the health check timeout:
99. [Screen: add server to farm 192.168.12.100:80, with fields IP address, port number, label, weight, and run state.] Server IP Address: This is the IP address of the server to be added. Label: Since version 4.0.3, the WebMux allows adding a label to each server's IP address. The purpose of labeling a server is only to help identify the server in the farm. It has nothing to do with the name resolution of the server. Although the label can be anything, it is always better to have a meaningful and unique label for each server. CAUTION: Once the server is added, the IP address cannot be changed. To correct the IP address, the server must be deleted and a new one created. Server Port Number: If the port number specified in the farm setup is the same as the real server's port number, you can leave this as same. In NAT mode, the WebMux can perform port forwarding from the farm IP and port to the server IP and port if you specify a server port that is different from the farm port. CAUTION: Like the IP address, once created the port number cannot be changed. To correct the port number, the server needs to be deleted and a new one created. Weight: Scheduling priority weight. Valid integer numbers are between 1 and 100. A server that has a weight of 2 will be directed twice as much traffic as a server with a weigh
100. face in megabits per second (Mbps).
1.3.6.1.4.1.27182.3.1.1.1.16.1 x y caiWebMuxIfIPv4Address.x SYNTAX IpAddress DESCRIPTION The IPv4 address of this interface.
1.3.6.1.4.1.27182.3.1.1.1.16.1.2.x caiWebMuxIfIPv6Address.x SYNTAX OCTET STRING (16) DESCRIPTION The IPv6 address of this interface.
1.3.6.1.4.1.27182.3.1.1.1.16.1.5.x caiWebMuxIfLinkUp.x SYNTAX INTEGER { true(1), false(2) } DESCRIPTION If this interface is up and running, the value of this object will be true(1).
1.3.6.1.4.1.27182.3.1.1.1.16.1.3.x caiWebMuxIfMaxLinkSpeed.x SYNTAX Unsigned32 UNITS Mbps DESCRIPTION The maximum link speed of this interface in megabits per second (Mbps).
1.3.6.1.4.1.27182.3.1.1.1.5.0 caiWebMuxManufactured.0 SYNTAX OCTET STRING (8 | 11) DESCRIPTION The date and time of manufacture of this unit.
1.3.6.1.4.1.27182.3.1.1.1.10.0 caiWebMuxMemoryUsage.0 SYNTAX Unsigned32 UNITS DESCRIPTION The current memory usage expressed as a percentage.
1.3.6.1.4.1.27182.3.1.1.1.4.0 caiWebMuxModel.0 SYNTAX OBJECT IDENTIFIER DESCRIPTION An object identifier uniquely identifying which model of WebMux this is. The possible set of identifiers is given under the caiWebMuxFamily sub-tree. Note that the SNMPv2-MIB object sysObjectID.0 will have the same value as this object in all cases.
1.3.6.1.4.1.27182.3.1.1.1.1.0 caiWebMuxName.0 SYNTAX OCTET STRING 0
101. ficate. The one whose subject and issuer are identical is the CA root. The third one is called the intermediate certificate. Please paste your site certificate first, followed by your intermediate certificate. If you have existing signed keys from a Windows IIS server or a Linux server, you can transfer them into the WebMux and continue using them until they expire. You should be able to directly transfer your existing key and certificate from your Linux server. For Windows IIS keys and certificates, you will need to convert them to PEM format. Please refer to our support site for instructions: http www avanu com techtips techtip US bm You can get OpenSSL for Windows at http://www.slproweb.com/products/Win32OpenSSL.html If you would rather, you may contact us at techsupport@avanu.com and we can do the conversion for you. Note: The CA certificate field is only for client-side SSL authentication. It is not for the intermediate certificate. Please see Appendix O for details about setting up client-side SSL authentication. 7.4 Modify Farm. Modify farm can be invoked from the main management console screen by clicking on the farm IP address, or by selecting the radio button of a farm and clicking the modify farm button on the left side of the screen.
102. [Screen: HTTP check management. Please enter list of valid HTTP status codes, for example 200 299 400 403 407.] 7.11 Layer 7 Check Management. This section allows you to modify some parameters controlling how the cookies that the WebMux issues for Layer 7 load directing are created. The Layer 7 Check Management is optional and should only be used if your application requires it. Otherwise, no changes in this section are required. To get to this screen, click scheduling management from the main drop-down menu. [Screen: main console with the scheduling management menu entry.] Change parameters in this screen:
103. hange. OVERLOAD: set weight to 0 to quiesce (same as WEIGHT 0). QUIESCE: set weight to 0 to quiesce (same as WEIGHT 0). WEIGHT n: set weight to integer n. WEIGHT n: subtract integer n from the weight. WEIGHT n: add integer n to the weight. However, if the custom health check script returns an unknown response, or if it is missing altogether, the WebMux will fall back to Generic TCP port checking. If the port for the custom check is different from the server port in the farm configuration, the WebMux will do a Generic TCP port check on the server port. As long as the port is open and responding to TCP connect, the server will be considered alive. The conditions under which the WebMux considers the server dead are that the custom health check script explicitly returns NOT OK, or that the service port goes completely offline. Appendix E Access CLI Commands. Once the diagnose ports are set, the superuser can use ssh or telnet to access the CLI commands to help troubleshoot network problems or server problems. There are a maximum of two diagnose ports. By default they are 77 and 87. The first one will be SSH and the second one will be Telnet. If there is only one port specified, only SSH access is allowed.
ssh -l superuser -p <port number> <WebMux_ip_address>
This can be issued from any Linux/Unix computer. For Windows computers, PuTTY can be freely downloaded over the Internet. Once logged into the CLI, the following screen will be shown: Ent
104. hat you configure the switch properly before connecting both interfaces. Please refer to your switch's user manual about creating Link Aggregation Groups. Two simple changes must be made to each server in the farm: 1) Have a new loopback adapter installed and have its address set to the farm address. Do not set the gateway on the loopback adapter. Please refer to Appendix A and Appendix B for how to configure a loopback adapter as well as how to remove the route from the servers. Please note that for Out of Path Mode to work properly, the loopback adapter must route the return traffic through the real network interface. In other words, the loopback adapter cannot have the gateway specified. Please refer to Appendix A and B for more details on how to configure the loopback adapter on servers. In case the server is running Windows 2003 or 2008, where the route created when adding the loopback adapter cannot be deleted, please make sure the loopback adapter metric has a higher number. 2) If your service binds to any specific IP address, add the loopback adapter's IP address to that service. The firewall configuration must be changed to point to the new farm address on the WebMux. Since the WebMux always uses one IP address in the server LAN, the farm address must be a different IP address in the server LAN in Out of Path Mode. Out of Path Mode also allows two WebMux units to fully back up each other. The two WebMux units are connected to each other through a
105. he HTTPS incoming traffic will be terminated and sent to farms on HTTP port 80. Please set the port number to a clear port, since after the WebMux terminates the SSL traffic, only clear traffic will go to the servers. When the servers return traffic, the WebMux will re-encrypt the data and send it encrypted back to the client. If you are using Out of Path Mode, please make sure your servers' gateway points to the WebMux server LAN gateway IP address, not the router, so that the WebMux has the chance to re-encrypt the data before replying to clients. Block non-SSL access to farm: You can also block non-encrypted incoming traffic so that only encrypted traffic can reach your servers. This is useful when you only want encrypted traffic to reach your servers. Tag SSL terminated HTTP requests: Because traffic between the WebMux and your servers is unencrypted, your servers will not be able to tell whether the originating connection was HTTPS or HTTP. This may be important if the application on the server requires that kind of information. You can turn on tag SSL terminated HTTP requests. By selecting Yes, the decrypted traffic to the servers will have the added MIME header X-WebMux-SSL-termination: true. It is up to you how you want the server to process this information. For example, you can write a script on your server to identify whether the original traffic was HTTPS or HTTP and then properly redirect the traffic to the
106. ides protection to the servers; it can handle large amounts of data, as noted in the specification. It provides the best security for isolating servers from any other part of the networks. Two Armed Transparent Mode or One Armed Single Network Mode provides the convenience of preserving your server IPs but may require physical relocation of the network connection or modifying the default gateways. Out of Path provides better performance when huge amounts of data need to go back to clients (up to 100X more than on the specification chart); it also does not require a change to the server IP address. The screens will cycle among the modes until you select yes on one of them. Once one is selected, it will continue to the next setup screen. Continue on to the related mode in the following pages. 5.7 NAT Mode Related Configuration. Enter Router LAN WebMux Proxy IP Address: This is the IP address that the WebMux uses as the external IP address when it functions as a proxy. This IP address can also be used as a farm IP. When any server behind the WebMux on the Server LAN initiates communication with another host, the WebMux substitutes the server's IP address with this address. This is true for all services except FTP services, which use the FTP farm IP address for passive FTP connections. In a redundant setup, the secondary WebMux can use the same IP address for this entry as the primary unit. This address floats between primary a
107. ightness of the LCD backlight. The setting will default at 50. Valid values are from 0 to 100. The setting is activated when you press the check mark button. Going back to this screen will bring the value back to the default of 50. Factory Reset: Pressing the down button or the check mark button from the LCD Brightness screen will bring you to the factory reset option. This option will clear all current settings and reset the WebMux to original factory settings. Press and hold the check mark button for at least 20 seconds to activate the factory reset. The process will take a few minutes and the WebMux will reboot itself. 5.11 What if I made a mistake in my configuration? You can always make changes to the hardware settings by pressing the Check Mark button for three seconds while the statistics screen is showing. It will start the prompt questions, and you can navigate from one prompt to another by using the up/down button at the leftmost LCD position. For example, if you configured the Allowed Hosts wrong and locked yourself out, you can go to the push buttons, select the Clr Allowed Hosts option, save changes, and reboot, which will allow all IP addresses to access the management console through a browser. You can clear the allowed hosts without resetting the password, or change one option without changing the others. Section 6 Management Console. After the Initial Configuration, you should be able to use
108. in step 5a and the client.crt created in step 6:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
8. Import the Client Certificate
a. For Firefox:
i. Go back to the Certificate Manager and click on the Your Certificates tab. Click on Import.
ii. [Screenshot: Certificate Manager, Your Certificates tab, listing the imported certificate.]
iii. Click the OK button.
b. For Internet Explorer:
i. Go to the Tools menu and select Internet Options.
ii. Click on the Content tab, then click on the Certificates button.
109. [Screen: show graphs. Show graphs for various rates and time intervals; time period to display: 2 weeks; rate to display: conn/s.] Section 8 Initial Setup Change Through Browser. You may want to change the basic settings of the WebMux through the browser interface, for example when the WebMux is located in a hosting center across the country. If you have the WebMux's current basic settings, you can change those parameters through the browser. In the browser, enter the following URL: https://webmux_ip:webmux_manage_port/cgi-bin/rec For example, if your webmux_ip is 192.168.12.1 and your webmux_manage port is 24, your URL will be http://192.168.12.1:24/cgi-bin/rec [Screen: WebMux initialization. Prompts for the superuser's login name and password, and shows the current GMT setting, to be corrected as hh:mm:ss mm/dd/yyyy in 24-hour time if wrong.] The first screen in rec (reconfiguration) asks for the superuser's password. The default superuser's password is supe
110. ithin a farm according to a match pattern in the HTTP MIME header. This allows you, for example, to group servers that serve only a specific type of content while serving other types of content on another group of servers. WebMux Layer 7 load balancing also includes URI load directing with host name MIME header matching, and cookies in order to memorize the user browser session and the server session and send the same user to the same server. This is important for sites using shopping carts and dynamically generated pages. SNAT and load balancing gateways: WebMux has two kinds of SNAT support. One is SNAT on top of the NAT or Transparent mode. The other SNAT is for load balancing uplink gateways, firewalls, or edge servers. Informs you of the status of your network: It provides phone pager and email notification so that the network administrator can be paged or emailed whenever a server or WebMux goes down and when it returns online. This feature could reduce server room night shift operator costs and allow timely repair should the server go down unexpectedly. SNMP Support: Remotely monitor various WebMux parameters in real time via SNMP. IPV6 Support: WebMux is ready for the next generation of internet protocol, IPV6. Version 9 firmware fully supports IPV6 in all modes. Multiple Address and Port (MAP) farm to integrate multiple ports and IPs as one virtual service. HTTP Compression: Reduces amount of data to be transferred for HTTP object
111. l firmware updates, parts & labor, CA depot repair, advanced replacement available. Note: Any lapsed time in coverage period will incur a re-certification fee prior to any renewal of the Gold or Premium Annual Support Program. Contact AVANU or your point of purchase representative for the current fee schedule. About the Limited Warranty Disclaimer: AVANU warrants to the end user customer that the WebMux products will be free from defects in material or workmanship under normal use during the Limited Warranty period. AVANU shall have no obligation to repair or replace until the customer returns the defective WebMux unit to AVANU's Service Center. AVANU will, at its sole discretion, repair or replace any component or hardware product that manifests a defect in materials or workmanship during the Limited Warranty period. All component parts or hardware products removed under this Limited Warranty become the property of AVANU. In the unlikely event that the WebMux product has recurring failures, AVANU, at its sole discretion, may elect to provide you with a replacement unit selected by AVANU, provided that it has functionality at least equal to the product being replaced. The Limited Warranty is a specified fixed period commencing on the date of purchase from AVANU. The date on the sales receipt is the date of purchase unless AVANU or your point of purchase informs you otherwise in writing. Customer Responsibilities: In order to avoid the risk of charge
112. l for each farm. Since version 5.6, the label field is also used as the host name in the HOST MIME header when checking HTTP servers. The HOST MIME header is essential in virtual hosting, as it determines which site is being accessed. The format of the farm label should be the site host name, i.e. www.xyz.com (max length 75 bytes). Without a label specified, a 401 Unauthorized error code is still considered a live server. If you have a label specified and the server returns error code 401, then the WebMux will consider that server dead. For both IIS and Apache servers doing virtual hosting, the farm name label must be an existing web site name on the server. For more information on virtual hosting, please go to Appendix D. In NAT mode, if you use the WebMux for your intranet, the farm IP address will be the original IP address of the web or application server. The web or application server must have its IP address in the address range of the Server LAN subnet. The WebMux will translate the farm IP address to the server IP address. You can use the IP address used as the Router LAN IP of the WebMux as your farm address to save an IP address. You can create more farms with the same IP address as long as the port number is different. In NAT mode, the WebMux also acts as a firewall. All ports except the farm port(s) are blocked. All servers behind the WebMux will still be able to reach the outside through the WebMux. Traffic f
113. last reboot. The events include server failure or state change. 6.5.2 Logout. It is not recommended to leave the management browser logged in unattended. Click the Logout button to close the session. The Login screen will reappear. 6.5.3 Upload/Download (Backup/Restore). [Screen: upload/download. Options to download farm/server information from the WebMux, upload farm/server configuration to the WebMux (goes into effect immediately), download all settings from the WebMux, and upload all settings to the WebMux (most settings do not go into effect until next reboot). The exact download method is browser dependent.] Downloa
114. ll not require setting up an admin farm IP. Discard Changes Made: If you select Yes at this point, all the changes made will be discarded and you will exit the setup mode. By default the answer is NO, and all the changes will be saved. Only when you select NO (do not discard changes) will changes be saved to the internal solid state storage. Changes will take effect after the next reboot. The next question will be Reboot Now. Reboot Now: This is the end of initial configuration. Most of the setup or changes require a reboot to take effect. Press and hold the center Check Mark button to make the WebMux reboot. Use the UP arrow button to return to Discard Changes and select Yes to exit without change. Press the DOWN arrow or Cross button to continue to the Factory Reset option (see Factory Reset below). After the WebMux is rebooted, the statistics of the incoming packets, outgoing packets, etc. will be displayed on the LCD periodically. Power Off: Pressing the down button at the Reboot screen will bring you to the Power Off screen. We recommend that you always power down the WebMux via the LCD panel, Web GUI, or Command Line Interface. If at all possible, avoid powering off the unit using the switch on the front or back of the unit. LCD Brightness: Pressing the down button at the Power Off screen will bring you to the LCD Brightness screen. This screen will allow you to adjust the br
115. ll see this next screen. [Screen: SSL private key and certificate request generation. Please enter information to make a new private key and its matching certificate request. If you do not fill in all fields, the certificate authority may reject your certificate request. Fields: country (C), state/province etc. (ST), city etc. (L), organization (O), organization unit (OU), domain (CN), email address (emailAddress).] Enter all the necessary information. Click on the Confirm button to complete the key generation. A certificate request will be generated. BE SURE TO COPY AND SAVE THIS BEFORE YOU CONTINUE. When you are done saving the certificate request, you can click on the Confirm button. You will be taken back to the dialog boxes that will display the newly created private key. You should make a backup copy of that as well. Submit the certificate request to the CA of your choice to sign. Once they send you back the signed certificate, you will need to paste it into the certificate dialog box, select use new certificate pasted in, and click on the Confirm button to save it into the WebMux. Generally you will receive three certificates. The one whose identity is your e-mail address is the site certi
116. m IP turning red, it is an indication that this address failed the check. Leaving this field blank will cause the WebMux to use the IP address you specified as the external gateway IP when you first set up the WebMux. Persistence Timeout: The WebMux will keep track of the clients' browser connections if a persistent farm is defined and accessed. Within the timeout period, the WebMux will send any request from the browser IP address to the same server. Our survey shows 5-6 minutes is the best value for most cases. The larger the persistence timeout value, the less chance that a user connection gets lost. However, by keeping a lot of connections in the WebMux memory, the maximum number of available connections for new clients will drop. Connection Timeout (Outbound): The WebMux keeps track of outbound connections. This outbound proxy function provides communication tunnels for servers behind it to talk to other computers on the Internet side. This type of connection is different from the connections from outside through server farms to the servers. After a connection from the servers to the outside computer is closed, the WebMux will wait this timeout in minutes before it removes the connection from the tracking table. Setting this too long will cause the WebMux to allocate too much memory, reducing the memory available for other functions. The default value is 15 minutes. This function has no effect in Out of Path Mode. UDP NTP Time Server IP Address: Since version 5
117. med NAT Mode. Let us look at NAT mode first. Transparent Mode refers to the same diagram. [Diagram: Internal PC, Internal Server, Router, cable to Backup Port, Primary WebMux, Secondary WebMux, Server LAN, Server 1 to Server 4, Virtual Farm.] The main purpose of the WebMux is to balance the traffic among multiple SES or other servers. The diagram above shows a NAT installation with two WebMux units. In this configuration, one WebMux is serving as the primary and the other is serving as the secondary or backup, providing a fault-tolerant solution. In order for the web servers to share the incoming traffic, the WebMux must be connected to the network. There are two interfaces on the WebMux. One interface (Internet) connects to the Router LAN. This is the network to which the Internet router is connected. The other interface (server) is connected to the Server LAN. This network connects to all the web servers. The WebMux routes traffic between these two networks. Next, a Virtual Farm or multiple farms must be configured on the WebMux. A virtual farm is a single representation of the servers to the clients. A farm consists of a group of servers that service the same domain, website, or services. For example, to configure a farm or virtual farm to serve www.avanu.com: First, Server 1 and Server 2 would each need the website www.avanu.com configured on them and HTTP/HTTPS services started an
118. mmand to the bootup script:
iptables -t nat -A PREROUTING -d <farm_ip> -j DNAT --to-dest <server_ip>
For IP-based virtual hosting with multiple IPs, repeat the command for each farm IP on all the servers. Don't forget to add the proper farm IP to each virtual host configuration. With IPv6 addresses, add the IPv6 address of the FARM to the lo adapter. Also be sure that the routing table has an IPv6 entry for the network and a default gateway entry for the real interface of the server. You can check by issuing the route --inet6 command. See Appendix H for other IPv6 related information. If your server requires that you have an actual IP address on an interface to bind to, you can use this method (requires arptables):
ip addr add <farm_ip> dev eth0    # add farm IP address on eth0
arptables -t filter -A IN -d <farm_ip> -j DROP    # keep it from responding to ARP
For SUSE Enterprise Linux 9: You can use YAST to set up a Virtual Interface and add the farm IP. Log in as root and add this command to the bootup script:
iptables -t nat -A PREROUTING -d <farm_ip> -j DNAT --to-dest <server_ip>
For HP-UX 11.00 and 11i: Please make sure PHNE_26771 and related patches are applied first. Log in as root and add this command to the bootup script:
ifconfig lo0:1 <farm_ip_address> up
For FreeBSD:
ifconfig lo0 inet <farm_ip_address> netmask 255.255.255.255 alias
For Solaris:
ifconfig lo0:1 FARM_IP_ADDR
ifconfig l
119. n Name. This is for identification only; it has no effect on network operation. Although it can be any name, we suggest using the primary domain name of the Router LAN network. If you have only one domain, use that domain name. Note: the leftmost position on the LCD has changed to an up and down arrow, allowing the user to go back and forth between questions and answers. Is this a Primary WebMux? If this is the Primary, answer Yes. If this is the Secondary WebMux, answer No. The secondary WebMux automatically gets configuration information from the Primary once it is set up. If this is the only WebMux, answer Yes. 5.6.1 Primary WebMux Information. This question is not asked for the Secondary WebMux. Is this WebMux running solo without a backup? If the Primary WebMux is running in a standalone configuration (see sample configuration Standalone WebMux), answer Yes. If you plan to add a second WebMux in the future, you may answer NO even if there is only one WebMux at the time. When you add the second WebMux later on, the WebMux will automatically detect the backup and start functioning. Choose the WebMux Mode: This is where you choose which mode you want to run the WebMux in. Two Armed NAT, Two Armed Transparent, One Armed Single Network, or One Armed Out of Path Mode is a default or selected option. Two Armed Network address translation prov
120. n detail in later chapters. The side of the WebMux that connects to the Router LAN sends and receives all the IP packets from the router to the Internet. The side of the WebMux that connects to the Server LAN sends and receives IP packets to and from the servers in the farms. By properly configuring the WebMux, one can create one or more Virtual Farms on top of the physical hardware. 5.3 Hardware Setup: Collect Information. Make a drawing of the existing network and note all the configuration settings. This will help you to fall back to the existing configurations if needed. Make a new drawing for the new setup with the WebMux and the web farm in place. This will be used as a guide for setup and preparation of all the necessary material and equipment. Collect all the IP addresses, their network masks, network addresses, and broadcast addresses for the Server LAN and Router LAN WebMux interfaces. The IP address of the Internet router is also needed. Label all the cables. Prepare additional cables if needed. Make sure there are enough electrical or UPS outlets for all the new equipment. 5.4 Hardware Setup: Set up the new network. Power down all the devices on the network. If you have a secondary WebMux, connect the WebMux units with a cross-over Ethernet cable. Connect the servers to the Server LAN. Connect the WebMux to the uplink switch. Power up all devices in the network. Verify that all the devices are up and running. Y
121. n in the off position, the front panel power switch is disabled. 1.2.6 Power Cord. Please use the supplied power cord to connect the WebMux to the power source. The 1U WebMux has a 115V/230V AC universal power supply. Section 2 WebMux Overview. 2.1 Key Features. The WebMux is a standalone network appliance designed primarily to load balance IP traffic to multiple servers. The WebMux includes the following key features: Improves performance by distributing the traffic for a site or domain among multiple servers. No one server will be bogged down trying to service a particular site. SSL termination to reduce the cost of multiple certificates, with the ability to regulate the minimum acceptable SSL encryption protocol version. Provides high availability by tracking which servers are functioning properly and which servers are out of service. If a server unexpectedly goes down, the WebMux will automatically redirect the traffic to other servers or will bring a standby or backup server online to service the traffic. The WebMux performs application-level health checks for many network protocols on servers. Provides Persistent Connections by memorizing the user browser session and the server session and sending the same user to the same server. This is important for sites using shopping carts and dynamically generated pages, like BroadVision, ASP and JSP sites. Provides fault tolerance. This installation requires two WebMux units, a primary and
122. nd secondary WebMux units. This is not true in Transparent, Single Network or OOP modes. Doing so will create duplicate IPs. Enter Router LAN Network IP Address Mask: This is the network mask of the Router LAN network. It is usually 255.255.255.0 for class C networks. Enter Server LAN WebMux IP Address: This is the IP address of the WebMux interface that connects to the Server LAN. This IP address must also be unique for each WebMux. This address must be different from the server LAN gateway address. The purpose of this IP address is to allow the WebMux to check the network and server health situation. Even for the backup WebMux, this address must be unique. It is highly recommended to add this IP address to your servers' /etc/hosts file, along with the gateway IP address, to allow faster name resolution, especially on Linux/Unix. In an installation with a primary and secondary WebMux, a unique IP address is required for each WebMux interface that connects to the Server LAN. Those two unique IP addresses are in addition to the gateway IP address that is floating between the primary and secondary WebMux. These IP addresses cannot be your Internet registered addresses. They must be Internet non-routable. For example, you can assign addresses in a 10.0.0.0 network address range or a 192.168.199.0, etc. Enter Server LAN Network IP Address Mask: This is the network mask of the Server LAN. Fo
123. nd utility ifcfg eth has been introduced to allow the end user to re-assign the Internet port, effectively disabling the link aggregation and allowing these changes to be reboot persistent. The general usage of this command is: ifcfg eth v vtag eth netaddr netmask. vtag (optional) is the VLAN ID for the interface; eth is the interface you want to reassign (Internet port: ethf0); netaddr is the IP address you want to assign; netmask is automatic according to the IP block, or you can specifically assign it here. PLEASE REBOOT THE WEBMUX WITH THE reboot COMMAND TO COMPLETE THE CHANGES. Appendix J Tagged VLAN and WebMux. VLANs may be untagged and tagged. To use untagged VLANs, also known as port-based VLANs, no additional configuration of the WebMux is necessary. To the WebMux it appears as if no VLANs are used, and VLAN configuration is done on the switches. This appendix will discuss using tagged VLANs, also known as 802.1q VLANs, for the original networks configured on the WebMux. When you configure the WebMux original network addresses and masks, whether with the front keypad and LCD (see Initial Configuration, page 25), the browser screen (see Initial Setup Change through Browser, page 84) or through the superuser's command line interface with rec_cmdline (see Appendix F), you may also specify VLAN tagging for these networks. VLAN tagging is optional. If it is used, the switches to which the WebMux is con
124. nected must also be configured correctly to use these tags. When additional networks are configured for the WebMux using the superuser's command line utility nwconfig, you may also arrange for their VLAN tagging at that time. See Appendix L. Besides configuring the WebMux to use VLAN tags, the switches to which the WebMux is connected must be configured to use these tags. In most switches there are three items to be addressed when setting up VLANs: the VLAN name, the port participation, and whether it will be tagged or untagged. First, a VLAN must be chosen and named. Choosing a VLAN name on the switch does not automatically determine whether its VLAN is tagged or untagged. It merely specifies its name. Once the VLAN name has been chosen, you must next select which ports participate in this VLAN. If the port selection does not match the physical connectivity, traffic will not pass. The third and very important setting is to make sure that the port on the switch connected to the WebMux will accept correctly tagged VLAN packets only. In some switches you must first configure the port to use general mode and then specify that the port will be tagged. If you plan to use more than one VLAN, you may configure the switch port to be a trunk port or add multiple VLAN tags to it. At this point you should be able to access the WebMux from other devices that are also using the same tagged VLAN ID. There are some specific considerations when configuring
125. network. The diagram also gives an example of a redundant WebMux setup. In this case it is absolutely required that the WebMux units are connected in between two switches. In earlier firmware versions, the WebMux depended on STP (spanning tree protocol) to avoid packet looping. From 8.7.xx, the WebMux no longer requires switches that support STP. During a failover situation you may immediately notice that the backup becomes unreachable through the Internet LAN side. In firmware older than 8.7.09 you may notice the server LAN side is not accessible. For a single WebMux setup, any kind of switch will work, since only one bridge path exists on the network. No Spanning Tree Protocol is required. 4.4 Installation without IP Address Change: One Armed Single Network Mode. [Diagram: firewall/router with private IP 192.168.14.1; servers use gateway 192.168.14.1] Single Network Mode configuration is simple, with only one interface connected to the network. You can use either the Internet Port or the Server Port of the WebMux, but only ONE of them. The WebMux and the servers are also all on the same subnet. In Single Network Mode, connections being load balanced and going to the real servers will appear to come from the WebMux itself. You will not need to make any changes on your servers, since the servers will always reply back to the WebMux when sending back their
126. nnect this port to the Server LAN switch or hub. This port connects to the servers and your local computers. It is the right-most RJ45 socket. In Out of Path configuration, this is the only port that needs to be connected. If your switch is capable of LACP or port channel, you can connect both the Internet and Server ports and they will behave as a single port (Out of Path mode ONLY). 1.2.2 Backup WebMux Port. Optionally, you may connect another WebMux to this port so that you can have redundancy. Connect them using a cross-over cable, or a regular cable with a hub or switch in between. 1.2.3 Router LAN Internet Port. Connect this port to the Router LAN switch or hub. In most situations this port connects to the Internet side network in NAT mode. It is the left-most RJ45 socket. Note: The Router LAN and Server LAN ports are not interchangeable. 1.2.4 External Modem Connect Port. To utilize the phone/pager function of the WebMux, please connect the external modem to this port. In some cases, if you prefer support engineers to not use diagnostic ports over the Internet, our support engineers can also connect through the modem to assist you with setup issues. A US Robotics V.Everything modem is required (US Robotics part number 3CP3453). Modem DIP switches 3, 8 and 10 are down; the rest are up. A standard external modem cable is also needed. Check with your modem supplier for the cable. 1.2.5 Main Power Switch. This switches the WebMux on and off. Whe
127. nown services (see below), you do not have to specify anything in this field. However, if the service you choose is not listed in the list below, you will need to specify a port number here. For example, for MS Terminal Services use port number 3389. If you enable SSL termination (see Enabling SSL Termination section), then specify port 80 for the farm and servers in the farm; choosing HTTP (hypertext transfer protocol) will automatically specify port 80 for the farm. The WebMux will terminate all SSL traffic on port 443 and send it to port 80. DO NOT specify port 443 if you enable SSL termination. Service: The service selection determines the type of service running on the servers in the farm and how the WebMux will check the server health status. The service type selection will create a farm using the well-known port for that service type. If a port other than a well-known port for TCP or UDP service is to be used, then choose one of the Generic selections and enter the port number in the PORT NUMBER field. You will not need to specify the port number if the service protocol is on the list. The WebMux has level 7 protocol checks for the known ports in the list. For Custom Defined TCP Service (custom health check), please specify the URL for the CGI code in the Administration Setup screen. CAUTION: Once a farm is created, the port number cannot be changed. Like the IP address, the farm must be deleted and a new one create
128. nts. Although in Out of Path Mode this is not being used to route return traffic back to the Internet clients, the WebMux uses this IP address to check the connectivity of the external network on this gateway, or through this gateway to the ISP side routers. For SSL termination or Layer 7 load balancing, servers must route traffic back to the WebMux via the server LAN gateway previously mentioned. The WebMux then forwards it to the client through the external gateway. If the health check on the external gateway is enabled (by default), the WebMux will turn the farm listing red to indicate the external gateway failure. Clear Allowed Host File: The allowed host file prevents any unauthorized access to the WebMux Management Console. If a workstation's IP address is not in the allowed host file, that computer will not be able to reach the WebMux management console through the network. However, sometimes a wrong IP address is entered so that no computer can access the browser management console. At that point, clearing the allowed host file will allow any browser to access it. By default the allowed host list is empty, so that any IP address can access the WebMux. We do encourage adding to the list only the host IP addresses that you allow to manage the WebMux. See configuration through browser interface for more details. Remake passwds: This function is provided in case you have forgotten the passwords to access the Management Console. Please use a browser t
129. o access Management Console for normal password changes. The factory default password is the same as the login ID on the screen. Answer Y to reset the passwords to factory default. Answer N to leave them unchanged. Enter Admin HTTP Port Number: This is the http port number for accessing the Management Console in non-secure mode. Any unused port number can be used. Factory default port number is 24; one could choose to use any unused port below 1024 or a port number above 1024 for this. Using a port number above 1024 will require you to set up an admin farm. Basically this is just a farm configured with that port without any servers in it. Creating the admin farm reserves that port for use by that farm only and prevents port collision in case passive FTP is one of the other farms. Using a port number below 1024 will not require setting up an admin farm. Enter Admin HTTPS Port Number: This is the https port number for accessing the Management Console in secure mode. Factory default port number is 35; one could choose to use any unused port below 1024 or a port number above 1024 for this. Using a port number above 1024 will require you to set up an admin farm IP. Basically this is just a farm configured with that port without any servers in it. Creating the admin farm IP reserves that port for use by that farm only and prevents port collision in case passive FTP is one of the other farms. Using port number below 1024 wi
130. o0:1 FARM_IP_ADDR FARM_IP_ADDR; ifconfig lo0:1 netmask 255.255.255.255; ifconfig lo0:1 up. For Apple Servers: ifconfig lo0 inet farm_ip_addr netmask 255.255.255.255 alias; route delete gateway_ip farm_ip_addr netmask. Where lo is the loopback adapter. Appendix B How to Make Route Delete Reboot Persistent. These instructions are for Windows 2000/NT systems. This is not necessary for Windows 2003 or 2008 systems. In a Windows system, go to the boot drive root with cd C:\. Use a text editor to create a text file which contains one line: route delete 10.1.0.0 mask 255.255.0.0 10.1.1.200. In the above file, 10.1.0.0 is the network destination, 255.255.0.0 is the netmask for the network, and 10.1.1.200 is the farm address, which is also the address of the loopback adapter. Start Scheduled Task in the control panel. Click add Scheduled Task, then next. Browse to the bat file we created, like WebMux.bat under C:\. Choose "Perform this task when my computer starts". That will delete the route every time the Windows computer reboots. Please make sure that after the route delete, the only route left in the routing table for the loopback adapter is this one (your actual IP address and netmask may be different): 10.1.1.255 255.255.255.255 10.1.1.200 10.1.1.200 1. All other routes for the loopback adapter must not show in the routing table. On both Windows and Unix the routing table can be seen by execute
131. of our normal business hours if not covered under a Premium Annual Support Program. For assistance beyond our basic remote product configuration, installation and product-specific support, professional consulting with our engineers is available based on our current professional services fee structure. Contact AVANU or your point of purchase representative for the current fee schedule. Service Center: AVANU LLC, 1602 Belle View Blvd 110, Alexandria VA 22307-6531, techsupport@avanu.com, 1 888 248 4900 (US and Canada Toll Free, Extension 202), 1 408 248 8960 (International, Extension 202), Monday to Friday excluding US Holidays, 8:00am to 5:00pm PT. Note: A RMA number is required for all warranty repair service or sales returns. AVANU has the right to refuse any shipment without an issued RMA number. AVANU has the right to offer promotional programs at any time where the Limited Product Warranty and Support coverage may differ. Table of Contents: Section 1 Main Components; 1.1.1 Toggle Power Switch; 1.1.2 Reset; 1.1.3 Up Arrow Button, Down Arrow Button; 1.1.4 Left Arrow Button and Right Arrow Button; 1.1.5 Check Mark Button and Cross Button; 1.2.1 Server LAN Port; 1.2.2 Backup WebMux Port; 1.2.3 Router LAN Internet Port
132. of AVANU LLC. All other trademarks and registered trademarks are the property of their respective owner(s).
133. on HTTP Port Number: 24. Secure Administration HTTPS Port Number: 35. Is this WebMux primary: Y. WebMux running solo without backup: Y. Reboot: Y. 9.2.3 Out of Path Installation of WebMux. Configuration Before WebMux Installation (Equipment: IP Address). Internet Router or Firewall Address: 10.1.1.1. Webserver's Default Gateway: 10.1.1.1. Web Site IP Address: 10.1.1.200 255.255.0.0. Configuration After WebMux Installation (Question: Entry). Host Name: webmux. Domain Name: avanu.com. NAT, Transparent, Single Network or Out of Path: Out of Path. WebMux Server LAN Information. Server LAN WebMux IP Address: 10.1.2.254 (any). Server LAN WebMux IP Address Mask: 255.255.0.0. Server LAN WebMux farm IP Address: 10.1.1.200. Server LAN VLAN ID (optional): 102. Server LAN gateway IP address: 10.1.1.253 (necessary for WebMux SSL termination and for Layer 7 load balancing; each server's default gateway needs to be set to this IP). Server Configuration. Server IP address: No Change. Server NetMask: No Change. Server Default Gateway: No Change. Server Default Gateway: 10.1.1.253 (if using WebMux for SSL Termination or Layer 7 load balancing). Server add loopback adapter: 10.1.1.200. Route Deletion (refer to Appendix B): 10.1.1.200. Administration Setup Information. WebMux External Gateway IP address: 10.1.1.1. Remake home WebMux conf passw
134. one. IP Address: Add an IP address to the current farm configuration. The IP address can be the same as long as the port number does not duplicate any existing IP/port combinations. Label: The label is displayed on the column to the left of the corresponding IP addresses in the main status screen. Although labels can be anything, it is better to have a meaningful and unique label for each farm. The label field is also used as the host name in the HOST MIME header when checking HTTP servers. The HOST MIME header is essential in virtual hosting, as it determines which site is being accessed. The format of the farm label should be the site host name, i.e. www.xyz.com (max length 75 bytes). Without a label specified, a 401 Unauthorized error code is still considered a live server. If you have a label specified and the server returns error code 401, then the WebMux will consider that server dead. For both IIS and Apache servers doing virtual hosting, the farm name label must be an existing web site name on the server. For more information on virtual hosting, please go to Appendix D for details. Port Number: You can specify a port number that doesn't duplicate any existing IP/port combinations. A port number of "all" will enable all port ranges, excluding any already existing ports associated with the specified IP address. Please see the note at the end of this section regarding the behaviors of the additional IP/port in c
135. onjunction with SSL termination. Service: This allows you to specify the type of health checking you want the WebMux to perform for this MAP instance. SSL termination: You can enable the WebMux to do the SSL termination of this MAP instance. SSL port: The known secure port for the type of service you selected will be automatically filled in. You can manually change it if you are using a different port for that service. Block non-SSL access to farm: Prohibits non-SSL connections to this MAP instance. Tag SSL terminated HTTP requests: This will enable the WebMux to add an "X-WebMux-SSL-termination: true" MIME header in the decrypted http request sent to the server. CAUTION: If your farm is already SSL terminated and you create an additional IP/port combination using the main farm IP and specifying the same secure port or "all", the SSL termination by the WebMux will be bypassed and SSL will be done directly by the server. 7.9 Add Gateway Farm. Gateway Farms allow you to load balance outgoing traffic between multiple external gateways. The gateways can be routers, proxy servers, firewalls, or edge servers. The gateways will be balanced in a Weighted Round Robin Persistent fashion. By default, incoming traffic will be replied to through the gateway it came from. To create a gateway farm, click on the Add Farm button from the main status screen. In the Add Farm screen, click on the Add Gateway Farm b
136. only the active WebMux will have this IP enabled on its interface, you will not have a duplicate IP address between both units. If one unit goes out of service, the IP address becomes available on the other unit and the servers can continue to communicate to the external network uninterrupted. Transparent Mode VLAN: In Transparent mode it is recommended that you assign a different VLAN ID for the physical front and back interfaces with the -r router_vid and -s server_vid flags. For example: nwconfig -A tm_vlan -i 192.168.14.21 -g 192.168.14.1 -r 200 -s 300. If you use the -v flag, both the physical front and back interfaces will have the same VLAN ID. It is not recommended that you use the same VLAN ID for the front and back interfaces in Transparent mode. Out of Path Mode VLAN and Server LAN Gateway: When creating an additional network in Out of Path Mode, it is important that your farm IPs are different from the main IP address you create with the nwconfig tool. This is important because the main IP address you create will be the IP address the WebMux unit's health checks will appear to come from. You will have problems with Windows servers if you use a farm IP that is the same as the main IP. This is because Windows utilizes the MS Loopback Adapter with the farm IP. When the WebMux sends its health check request coming from the main IP, the Windows machine will see that the IP address is on its Loopback Adapter and will not
137. oot. Changes to TACACS server configuration, server gateway address, server farm network mask, WebMux http control port, WebMux https control port, WebMux SNMP UDP Port, WebMux SNMP Community, WebMux diagnostic ports, least significant bits, forwarding policy, front network verification and persistence timeout require a reboot for the new configuration to take effect. You can use the Reboot button to reboot the WebMux remotely. The Reboot button will require confirmation before proceeding with the reboot. Section 7 Setting Up Load Balancing. 7.1 Add Farm. Back at the main screen of the Main Management console, click the Add Farm button to add a virtual site for the services you want to provide. The add farm screen will appear. [Screenshot: add farm screen] If the port number is omitted and the service pertains to a particular application-level protocol, the well-known port for this protocol will be used, for example port 80 for HTTP. If the port number is omitted and no such protocol pertains to the service, for example the generic TCP service, the farm will handle all ports for the IP address and transport layer protocol in question, except those handled specifically by
138. ork Terminology; 5.3 Hardware Setup: Collect Information; 5.4 Hardware Setup: Setup the new network; 5.5 Hardware Setup: Configuration Summary; 5.6 Initial Configuration; 5.6.1 Primary WebMux Information; 5.7 NAT Mode Related Configuration; 5.8 Transparent Mode or Single Network Mode Related Configuration; 5.9 Out of Path Related Configuration; 5.10 Common Configuration For NAT, Transparent, Single Network and Out of Path Mode; 5.11 What if made mistake in my Configuration; Section 6 Management Console; 6.2 Main Management Console
139. other farms. [Screenshot: add farm form with fields: IP address, label, port number, service, scheduling method, SSL termination, SSL port, block non-SSL access to farm, tag SSL terminated HTTP requests, servers are HTTPS servers (reencryption), servers only serve IPv4 not IPv6, connection throttling watermarks, compress HTTP traffic, SNAT, HTTP server response comparison string, HTTP server URI] Farm IP address: This is the IP address of the new farm. For SSL terminated traffic, each farm must have its own IP address. The farm address could be the Internet known address or the address that has been translated by your firewall. For example, if you want to create an http farm for www.mydomain.com, the farm IP address will be the IP address for www.mydomain.com from your DNS record. If the IP address of www.mydomain.com is 205.188.166.10, then the Farm IP address is also 205.188.166.10. The WebMux will then translate the farm address to the web server address in your DMZ or internal network. Label: Since version 4.0.3 we introduced the label concept for the farms and servers. Once the label is specified, the WebMux will display the label for the farm on the column to the left of the corresponding IP addresses in the status screen. Although labels can be anything, it is better to have meaningful and unique labe
140. otocol. If the time zone is not set correctly, the browser access could be denied due to cookie time out. If the UDP NTP server is set up correctly, there is no need to set the clock anymore, since the WebMux automatically sets its clock periodically. [Screenshot: set the clock screen (UTC recommended) with fields: month, day of the month, year, hour, minute, time zone] Month: Enter the number of the month, 1 through 12. Leading zeroes are not necessary. Day of the Month: Enter the day of the month, 1 through 31. Year: Enter the year. Enter all 4 digits. Hour: Enter the hour of the day. Use the 24-hour clock or military time. Minute: Enter the minute of the hour. Time Zone: Select the time or hour offset to the UTC/GMT time. You can set the WebMux to your local time if your time zone is selected here. Confirm/Cancel: Click Confirm to execute the date and time change. Click Cancel to return to the previous screen WITHOUT making any date or time changes. Note: It is recommended to set the WebMux clock to UTC/GMT time. 6.5.5 Shutdown. The shutdown button will bring you to a confirmation screen to power off the WebMux. 6.5.6 Reb
141. ou are now ready to configure WebMux. 5.5 Hardware Setup: Configuration Summary. CAUTION: Do not proceed without collecting all necessary information. Note: The IP addresses in the following examples are general examples and are not meant for literal use in an actual setup. Turn on the WebMux: Turn on the switch on the back of the WebMux and push the power-on button in the front momentarily. You will see the version number on the LCD. After self test, hold down the Check Mark button on the WebMux until the LCD displays the first question, Enter WebMux host name. During the initial configuration you will be asked to provide names and IP addresses (see next section). Each item is explained in the order it is asked. Answer the questions. Reboot. Note: When the reboot is complete, the service statistics screen will appear. Run the Management Browser. 5.6 Initial Configuration. Enter WebMux Host Name: Enter the host name of the WebMux. Use the right arrow to move the position, the up and down arrows to select characters, the left arrow to move back in position, and the check mark button to confirm the change. This host name is for identification purposes. You may call it webmux1, webmux2, etc. You can hold down the up/down button for more than a second to make quicker changes. Note: the left-most down arrow on the LCD allows the user to move to other settings. Enter WebMux Domai
142. ource 66.1.1.98. This command works the moment it is issued, but when you reboot the WebMux it gets lost. To make it reboot persistent, you want to add it to the WebMux startup sequence. You can use the sysinit command to add the above command to the sysinit table in the WebMux so that it will always be executed during the WebMux startup. The sysinit command has the following syntax (sysinit help): usage: sysinit help quiet write. help: print help. quiet: skip prompts and confirmation. write: write stdin to superuser's sysinit script table. Without parameter, will read existing table. The superuser's sysinit table may contain any commands that are allowed at the superuser's command prompt. At system startup it will be run after networking has been started. If typing or pasting new input, use control-D for EOF. sysinit write sysinit: Enter new script up to EOF (cntl-D): echo AAA > /dev/console sysinit: You entered 23 bytes ... done. sysinit sysinit: reading sysinit file: echo AAA > /dev/console sysinit: sysinit file contains 23 bytes ... done. For the purpose of the above example, the echo AAA will be saved in the sysinit table. If you want to add a new command, it is always a good idea to test it before adding it to the sysinit table. To clear the sysinit table, use a space and control-D to write a blank table into the sysinit table. Please note that the sysinit table will not be sent over to the backup Web
143. outer LAN Information. Router LAN WebMux Proxy IP Address: 205.133.156.200 / 205.133.156.200. Router LAN Network IP Address Mask: 255.255.255.0 / 255.255.255.0. Router LAN VLAN ID (optional): 101 / 101. Server LAN Information. Server LAN WebMux IP Address: 10.1.1.10 / 10.1.1.20. Server LAN Gateway IP Address: 10.1.1.1 / 1 Bare en. Server LAN Network IP Address Mask: 255.0.0.0 / 255.0.0.0. Server LAN Network IP Address: 10.0.0.0 / 10.0.0.0. Server LAN Network Broadcast Address: 10.255.255.255 / 10.255.255.255. Server LAN VLAN ID (optional): 102 / 102. Administration Setup Information. External gateway IP address: 205.133.156.1 / 205.133.156.1. Remake home WebMux conf passwd: Y / Y. Administration HTTP Port Number: 24 / 24. Secure Administration HTTPS Port: 35 / 35. Is this WebMux primary: Y / N. WebMux running solo without backup: N. Reboot: Y / Y. Section 10 Contact Information. Email: Sales & Product Info: sales@avanu.com; Product Support: techsupport@avanu.com; Administration: customerservice@avanu.com. Online Form Request: www.avanu.com/contact.htm. Mailing Address: AVANU LLC, 5205 Prospect Rd Ste 135-143, San Jose CA 95129-5034, USA. Telephone Numbers: 1 888 248 4900 (US & Canada Toll Free), 1 408 248 8960 (Phone), 1 408 248 8961 (FAX). Hours: 8:00 am to 5:00 pm PT. Service Center: AVANU LLC, 1602 Belle View Blvd 110, Alexandria VA 22307-6531, 1 888 248 4900 US and Can
144. pecifics. In the following example we will be configuring a WebMux in NAT Mode with the Bond rtr/svr NI option enabled. RTR LAN IP: 192.168.12.21. RTR LAN mask: 255.255.255.0. SVR LAN IP: 192.168.11.21. SVR LAN mask: 255.255.255.0. RTR LAN vlan id: 100. SVR LAN vlan id: 200. Bond svr/rtr NI: YES. SVR LAN gateway IP: 192.168.11.1. External Gateway IP: 192.168.12.1. On the switch we will be connecting ports 1 and 2 to the Internet (rtr) port and Server (svr) port of the WebMux. We will designate ports 3, 4, 5 and 6 for the Front (Internet) LAN and ports 7, 8, 9 and 10 for the Back (Server) LAN. First you will need to create a port channel or link aggregation group that includes physical ports 1 and 2. In most switches your real ports are designated by 0/1, 0/2 and so on. When you create a port channel, a new interface may be created, designated by 1/1 for example. Next you will assign the VLAN IDs to the PORT CHANNEL interface 1/1. First configure the port channel interface to participate in or include VLAN 100 and make sure that it is TAGGED. Then configure the port channel interface to participate in or include VLAN 200 and make sure that it is TAGGED. The port channel interface should now be part of both VLAN 100 and VLAN 200 using TAGGED VLAN. Now configure the switch to use ports 3, 4, 5 and 6 for the Front (Internet) LAN. The devices connected these port
145. pression: If the client web browser sends out a MIME header that states that it accepts compressed data, the WebMux will compress HTTP data to the client browser. If the WebMux detects that the servers in the farm are already compressing the data, the WebMux will not perform compression. Instead it will let the compressed data from the servers pass through without additional processing. When enabled, the MIME header "X-WebMux-Compression: true" will be appended to the server response MIME header. The WebMux will also automatically disable compression should its CPU usage reach 50%. Note: Compression is NOT supported in Out of Path Mode except when used in a Layer 7 Farm.

SNAT: Enable SNAT for this farm only. In the Network Configuration screen, the user can specify the system-wide SNAT, or use this field to enable per-farm SNAT.

HTTP server response comparison string: When a string is entered in this field, the WebMux HTTP healthcheck will search the first 1024 bytes in the HTTP content. The string is a case-sensitive match.

HTTP server URI: By default, the WebMux healthcheck checks default page loading. If a URI is specified here, WebMux will use this URI instead of the default page to do the healthcheck.

7.2 Enabling SSL Termination

By default, the SSL termination is NOT on. The following description is about enabling SSL termination for an HTTP farm.
146. r a class A network it may be 255.0.0.0. For a class C network it may be 255.255.255.0.

Enter Router LAN VLAN ID (optional): This is the optional VLAN ID tag that will be used for the Router LAN (Internet) interface. You may enter values from 1 to 4067. The cursor position will only go from 0 to 9. To enter a value greater than a single digit, press the left arrow button to move the cursor to the next digit. Enter zero (0) to disable the VLAN ID for the Router LAN (Internet) interface.

Enter Server LAN VLAN ID (optional): This is the optional VLAN ID tag that will be used for the Router LAN (Internet) interface. You may enter values from 1 to 4067. The cursor position will only go from 0 to 9. To enter a value greater than a single digit, press the left arrow button to move the cursor to the next digit. Enter zero (0) to disable the VLAN ID for the Router LAN (Internet) interface.

Note: The VLAN ID is used for full 802.1q VLAN support. This means that your switch must be configured to be using tagged VLAN. Please see Appendix K for other details regarding using VLAN with WebMux. If you entered a non-zero value for the VLAN IDs, you will see an additional screen.

Bond rtr svr NI (Bond router and server Network Interfaces): This option will allow you to use the Internet (rtr) port and Server (svr) port as a single bonded interface, also known as Port Channel or Link Aggregation Group, allowing
147. r list of allowed host IPs allowed to log into WebMux: NO; reset WebMux passwords to factory defaults: NO; port number used for HTTP access to WebMux: 24; port number used for HTTPS access to WebMux: 35; reboot after reconfiguration

6.4 Security Settings

[Screenshot: security management screen with the fields: allowed remote host IPs; allowed remote host IPv6 IPs; TACACS server configuration; connection warning threshold (0); ICMP packet input policy (accept)]

Allowed remote host IPs: The WebMux management console and diagnostic login only allow logins from these IP addresses to establish a management session. You can access from more than one IP address by specifying all the allowed IP addresses separated by a (except use as divider for IPv6 addresses). You can put the netmask following the IP address to specify the range of hosts that can access the management console. For example 192.168.12.0
148.
1.2.4 External Modem Connect Port
1.2.5 Main Power Switch
1.2.6 Power Cord
Section 2 WebMux Overview
Section 3 The WebMux Family
3.1 Topology Overview
3.2 Two-armed NAT Mode
3.3 Two-armed Transparent Mode
3.4 One-armed Single Network Mode
3.5 One-armed Out Of Path Mode
Section 4 Sample Configurations
4.1 Single WebMux Two-Armed NAT Mode
4.2 Redundant Installation Two-Armed NAT Mode
4.3 Installation without IP Address Change Two-Armed Transparent Mode
4.4 Installation without IP Address Change One-Armed Single Network Mode
4.5 Installation without IP Address Change One-Armed Out of Path Mode
4.6 IPG Gebeier aleeden
Section 5 Configuring the WebMux
5.1 Before you Start
5.2 Netw
149. rce address from the Internet does not conflict with the IP addresses on the Server LAN.

Note: If there is a firewall between the WebMux and the Internet Router, a rule must be defined in the firewall to allow the IP address of the WebMux interface on the Router LAN, along with the farm IP address, to communicate out to the Internet on all ports. If you are doing Network Address Translation of the farm address to a non-routable address, then both the farm address and the WebMux interface address must be translated to communicate outbound on all ports.

4.2 Redundant Installation Two-Armed NAT Mode

[Diagram: NAT Mode with Redundant WebMux Installation. The firewall/router connects to each WebMux Internet port, a crossover cable connects the WebMuxes' backup ports, and each WebMux Server port connects to the Server LAN switch.]
Public IP 65.25.35.156 NATed to Farm 1 IP 205.133.156.200
Public IP 65.25.35.157 NATed to Farm 2 IP 205.133.156.210
Router Network 205.133.156.0, Netmask 255.255.255.0, Gateway IP 205.133.156.1
Primary WebMux: WebMux's IP on Router LAN 205.133.156.220; External Router IP 205.133.156.1; Server LAN IP 10.1.1.10; Server LAN Netmask 255.0.0.0; Server LAN Gateway 10.1.1.1
Secondary WebMux: WebMux's IP on Router LAN 205.133.156.230; External Router IP 205.133.156.1; Server LAN IP 10.1.1.20; Server LAN Netmask 255.0.0.0; Server LAN Gateway 10.1.1.1
FARM 1 IP 205.133.156.201 d
150. reply. In this mode the client's real IP addresses will not be logged in your server log. You have to use the X-Forwarded-For (XFF) HTTP header to find the client's real IP address. If the HTTP header already has an X-Forwarded-For tag in it, WebMux will not alter the tag. If the traffic is not for the HTTP port, WebMux will not insert the XFF header for the traffic. Enabling XFF header insertion is optional on a per-farm basis. If your host software does not need this header, it is better not to insert it, to reduce CPU usage.

If you are configuring a redundant configuration in Single Network Mode, be sure you have selected the "1ARM Single Network" option in both WebMux units' initial configuration (shown in the following section) to ensure that the failover checking between the two WebMux units will be correct.

4.5 Installation without IP Address Change: One-Armed Out of Path Mode

[Diagram: One-Armed Out of Path Mode. Primary and secondary WebMux connect through their Server LAN interfaces, with a crossover cable between their backup ports.]
Public IP 65.25.35.156 NATed to FARM IP 192.168.112.35
Private Network 192.168.112.0, Netmask 255.255.255.0, Gateway IP 192.168.112.1
Primary WebMux: WebMux IP 192.168.112.38; External Router IP (default gateway) 192.168.112.1
Secondary WebMux: WebMux IP 192.168.112.39; External Router IP (default gateway) 192.168.112.1
Server 1: Server IP 192.168.112.30
Server 2: Server IP 192.168.112.31
Server 3: Server IP 192.168.112.32
Layer
151. roduct and/or packaging damage (internal components and external, including scratches or dents) or missing components. Any damage or missing components will be charged to the customer according to current repair or replacement costs, along with a 15% restocking and handling fee. Delinquent returns received beyond ten days (10) of the thirty days (30) period will not be honored for return. Product purchase refunds (less applicable freight charges, restocking and handling fee, repair or replacement cost) are issued to the original AVANU point of purchase in the same payment method as the original purchase. AVANU has the option to refund with a company check or credit memo after product inspection and diagnostic testing.

Extended Warranty and Support Programs (optional purchase)

Standard Annual Support Program, for continued or extended coverage: Covers one year (1) technical support by telephone and email, and firmware updates. Monday to Friday (except US Holidays), 8:00am to 5:00pm PT.

Gold Annual Support Program, for continued or extended coverage: Covers one year (1) technical support by telephone and email, firmware updates, and product warranty (Parts and Labor). Customer responsible for shipping to AVANU Service Center.

Premium Annual Support Program: Must be purchased with the WebMux product or within the first thirty days (30) of purchase. AVANU has the right to request a proof of purchase document. Covers one year (1) 24x7 technical support by telephone and emai
152. rom the servers to the outside network will be seen as coming from the WebMux unit's Router LAN IP address or proxy address. If a WebMux is placed behind a firewall, be sure to allow the WebMux Router LAN IP address to get to anywhere, any port. All farm IP addresses should have rules to allow incoming traffic mapped to the address and port number, as well as the return traffic for each farm IP address from any port to anywhere.

In Transparent Mode or Single Network Mode, there is no firewall protection from the WebMux. All servers talk to each other freely across the WebMux. Load balancing occurs when the farm IP is accessed.

In Out of Path Mode, only the Server LAN port is connected and the farm(s) must use a different IP address than the WebMux Server LAN IP address. You can reuse an IP address for more than one farm as long as the port number is different from each other. In this mode, each server must add a loopback adapter. In a Windows server, the route for the loopback adapter must be removed. Please refer to Appendix A and B for more detailed procedures. The WebMux has been tested extensively working with all versions of Windows, Linux, and HP-UX 11.X under this mode. Other OS should also work fine.

CAUTION: Once a new farm is added, the IP address of the farm cannot be changed. To correct the IP address, the farm has to be deleted and a new one created.

Port Number: This is the port number for the farm. If you are choosing one of the k
153. ruser; however, the actual superuser's password may have been changed by the system administrator. If you cannot remember the superuser's password, someone has to go to the keypad to reset the password. See page 22 for more details.

The next question on the screen asks to set the time in the WebMux. The WebMux uses its clock to set the cookie for the management browser. When a WebMux manager is logged in for more than 8 hours without activity, the WebMux will log out the user based on the cookie. If the clock is off by more than 8 hours, the manager will not be able to log in to the WebMux. This section on the rec screen will allow the manager to correct the clock if it is off.

After entering the proper password and setting the clock information (optional), the continue button will bring up this screen:

[Screenshot: WebMux initialization 9.2.00 form with the fields: language; WebMux's host name (without domain); WebMux's domain name; dispatch method; Router LAN gateway IP address; WebMux's router LAN IP address; WebMux's router LAN IP network mask; WebMux's server LAN IP address; WebMux's server LAN network mask; WebMux's router LAN VLAN tag (0 if none); WebMux's server LAN VLAN tag (0 if none); Bond all server LAN and network LAN interfaces together; Remake password file with default passwords; WebMux administration HTTP port; WebMux administration HTTPS port; is this WebMux a primary or solo]
154. s NOT supported in Out of Path mode except when used with Layer 7 Load Balancing.

802.1q VLAN ID: WebMux can be used in networks that support tagged VLANs. The switch port must be configured to use tagged VLAN.

Multiple Uplink/VLAN Support: Using the command line interface command nwconfig, WebMux can be configured for use with Multiple ISPs. You can also use this command line tool to create multiple server subnets. Please see Appendix L for details.

Bond All Interfaces: In combination with 802.1q VLAN and Port Channel or LAG (Link Aggregation Group) configurations on the switch, you can configure the WebMux to use its Internet (rtr) and Server (svr) ports as a single bonded interface in NAT and Transparent Modes. The traditional front and back networks will now be dependent on the VLAN configurations on the switch. Note: Out of Path mode already has both interfaces bonded automatically.

Client Side SSL Authentication: WebMux can be set up to require Client Side SSL Authentication to provide another layer of client identification for added security. Please refer to Appendix N for details.

Section 3 The WebMux Family

The WebMux family consists of three models. They are:
- The WebMux 481SD
- The WebMux 592SGQ
- The WebMux 690PG

[Table: WebMux Models and Specifications. Rows: Layer 4 Performance; Concurrent connections; Max Transactions/sec; Max Throughput/sec; Max Internet Link Speed; Max Layer 7 and SSL Acceleration]
155. s denied for that virtual farm, the WebMux will mark that server dead. We have checked with IIS server and Apache server; they both follow the same rules.

Appendix D: Sample Custom CGI Code

The custom cgi-bin checking program may be written in Java, VB, C, or Perl, for example, or it may be a WB or shell script. Here is a sample script written for the Linux shell (bash), which sees if an SSH daemon is running as its check criterion:

    #!/bin/bash
    echo "Content-type: text/plain"
    echo    # blank line
    if ps -C sshd &> /dev/null; then
        echo "OK"    # response from server goes here, see list below
        echo "SSH service available"
    else
        echo "NOT OK"
        echo "SSH daemon not running"
    fi

The following is a list of valid CGI code responses:

OK: server/service is alive, no weight change
NOT OK: server/service is dead
OVERLOAD: set weight to 0 to quiesce (same as WEIGHT 0)
QUIESCE: set weight to 0 to quiesce (same as WEIGHT 0)
WEIGHT n: set weight to integer n
WEIGHT n: subtract integer n from the weight
WEIGHT n _: add integer n to the weight

The response must be in all capitals to be recognized. The changes in weight count as an unsaved configuration change. It is not automatically saved. Anything not matching the above list will cause the WebMux to believe the server is not responding properly, thus the server will be taken out of service.

When the WebMux sends its health check, it will provide information in
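A fuller health-check CGI built on the response keywords listed above, as an added example that is not part of the WebMux manual: it answers NOT OK when the watched process is missing, OVERLOAD when the 1-minute load average is above a limit, and OK otherwise. The process name, the load limit, the use of /proc/loadavg and the generic detail lines are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not from the WebMux manual. Assumptions: the watched process
# name, the load limit, and reading the load from /proc/loadavg (Linux).
SERVICE_NAME="${SERVICE_NAME:-sshd}"     # assumed process to watch
MAX_LOAD_X100="${MAX_LOAD_X100:-400}"    # assumed limit: 1-minute load of 4.00

# "3.27" -> 327, so the comparison can use integer arithmetic.
load_to_int() {
    awk -v l="$1" 'BEGIN { printf "%d", l * 100 + 0.5 }'
}

# Prints "up" if a process with the given name exists, otherwise "down".
# A ps without -C support also reports "down", which fails safe.
service_state() {
    if ps -C "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# Current 1-minute load average x100; 0 if /proc/loadavg is unreadable.
current_load() {
    if [ -r /proc/loadavg ]; then
        read -r one _rest < /proc/loadavg
        load_to_int "$one"
    else
        echo 0
    fi
}

# choose_response STATE LOAD_X100 LIMIT_X100
# Returns one keyword from the manual's list, in capitals as it requires.
choose_response() {
    if [ "$1" != "up" ]; then
        echo "NOT OK"
    elif [ "$2" -gt "$3" ]; then
        echo "OVERLOAD"
    else
        echo "OK"
    fi
}

# Second body line: kept generic so the check does not disclose host details.
detail_for() {
    case "$1" in
        OK)       echo "service available" ;;
        OVERLOAD) echo "load above limit" ;;
        *)        echo "service not running" ;;
    esac
}

# emit_cgi KEYWORD DETAIL: header, blank line, keyword, detail.
emit_cgi() {
    printf 'Content-type: text/plain\n\n'
    printf '%s\n%s\n' "$1" "$2"
}

# Produce output only when run by a web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    keyword=$(choose_response "$(service_state "$SERVICE_NAME")" \
                              "$(current_load)" "$MAX_LOAD_X100")
    emit_cgi "$keyword" "$(detail_for "$keyword")"
fi
```

Per the list above, OVERLOAD sets the server's weight to 0, and that weight change counts as an unsaved configuration change on the WebMux.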
156. s for issues not covered by your limited warranty (issues that are not due to defects in materials and workmanship on AVANU WebMux products). You will be asked to assist AVANU as follows:
a. Verify configurations, update and install most recent firmware.
b. Implement temporary procedures or workarounds provided by AVANU while AVANU works on a permanent solution.
c. Allow AVANU remote support where applicable. If you choose not to deploy available remote support capabilities, it may result in delays or you may incur additional costs due to increased support resource requirements.
d. Cooperation with AVANU in the attempt to resolve the problem by method of telephone, email, or other form of mutually agreed communications. This may involve performing routine diagnostic procedures, installing additional firmware updates or patches.
e. Make a backup copy of your WebMux product configuration file as a precaution against possible failures.
f. Perform additional tasks that AVANU may reasonably request in order to best perform the warranty support.

Limitations

IF YOUR WEBMUX PRODUCT FAILS TO WORK AS WARRANTED ABOVE, THE MAXIMUM LIABILITY OF AVANU UNDER THIS LIMITED WARRANTY IS EXPRESSLY LIMITED TO THE LESSER OF THE PRICE YOU HAVE PAID FOR THE PRODUCT OR THE COST OF REPAIR OR REPLACEMENT OF ANY HARDWARE COMPONENTS THAT MALFUNCTION IN CONDITIONS OF NORMAL USE. EXCEPT AS INDICATED ABOVE, IN NO EVENT WILL AVANU BE LIABLE FOR ANY DAMAGES CAUSED BYE
157. s omitted, an address calculated as for routing will be used. No gateway farm yet exists. When this farm is created, the following existing gateway addresses will be added automatically: 192.168.12.1.

IP Address: The main WebMux IP address will automatically be entered in this field. This address serves no other purpose than to be what the WebMux will use as its source IP when checking the health status of the gateway IP address.

Label: You can enter a label for reference purposes. The use of the label for gateways is optional.

Click the Confirm button to create the gateway farm. Your status screen will look something like this:

[Screenshot: WebMux main status screen showing a gateway farm containing gateway 192.168.12.1 (weight 10, ALIVE) and an HTTP farm containing server 192.168.11.30 (weight 1, ALIVE)]

Your original default external gateway will be automatically added to the gateway farm. Click on the gateway farm IP on the grey line above the router IP to add more gateways to the gateway farm.
158. s will not be using any VLAN configurations. The switch will be configured to accept incoming untagged packets and automatically assign a VLAN ID to those packets. In this case you will be using VLAN ID 100.

First you will configure ports 3, 4, 5 and 6 to participate or include VLAN 100, and make sure that you specify that it is UNTAGGED. On some switches that means you have to first issue the command to have the port participate on VLAN 100, then you have to issue a "no vlan tagging 100" command.

Next (this is very important to make this portion work properly), you must make these ports accept all frames AND you must assign them the PVID of 100. If you are unsure where or how to set the PVID, then please refer to your switch user manual. This tells the switch that these ports are part of VLAN 100, that the data from the devices connected will be untagged and it should accept it anyway, and finally that the switch will automatically assign a VLAN ID of 100 to these untagged packets.

At this point, assuming that your device has a 192.168.12.0/24 address, you should now be able to ping the WebMux rtr LAN IP address of 192.168.12.21.

Finally, on the server side, you will configure the switch to use ports 7, 8, 9 and 10 for the Back (Server) LAN. Again, the devices on these ports will not be using any VLAN configurations. The switch will be configured to accept incoming untagged packets and automatically assign a VLAN ID to
159. send back a reply, since it believes it is coming from itself. The WebMux will mark the server dead since it will not receive a reply. To ensure that this will not occur, do not use a farm IP that is the same as the main IP in Out of Path Mode.

It is important to remember that when you are doing SSL termination or Layer 7 load balancing, you must point your servers' default gw back to the WebMux. In the original network configuration, you had an option to create a server LAN gateway IP. The servers used this IP address as their default gateway IP. This IP is a floating IP that transfers between WebMux units in a failover configuration. Only the active WebMux will have that IP address available on its network interface, to avoid duplicate IP address issues.

Additional network configurations do not have the option to create a server LAN gateway IP like the original network configuration. In this case you will need to use the FARM IP as your servers' default gateway IP address. Since the FARM IPs are only available on the active WebMux, they will effectively serve as the floating server LAN gateway IP.

Appendix L: Bond All Interfaces Setup Guide

As of firmware version 8.5.04, when you specify a non-zero VLAN ID in NAT Mode or Transparent Mode, you will be given an additional option to Bond rtr svr NI. This feature allows you to use the Internet and Server ports as a single bonded interface, also known as
160. service.

Is the Server LAN and the Router or Front LAN required to be on separate IP subnets?
It is required that the server LAN and the router LAN be separate IP subnets.

What notification services are compatible with the WebMux?
Airtouch and PageMart are the services that are currently supported. Any SMTP server configured to allow relaying from the WebMux can be used for sending email notifications.

If I'm running a Unix-based FTP such as wuftp, how can I get the ftp server in the farm to resolve the WebMux IP addresses?
The IP addresses typically will not be able to be resolved, since the servers in the farm are typically using non-routable or private network addresses. In order for wuftp to resolve the IP addresses and stop complaining, place the non-routable IP address entries in the /etc/hosts file on those servers.

How come my servers in the farm are showing in red color from time to time even though the servers are okay?
Your servers are trying to resolve the WebMux unit's IP address to a name so they can log it into the log file. To avoid this problem, set the servers not to resolve the IP addresses. You can also try adding all the IP addresses to the /etc/hosts file on your servers. For example:

    1.2.3.4          www.mydomain.com   # use your real IP address
    192.168.199.1    webmuxgw           # server lan gateway
    192.168.199.254  webmuxip           # server lan WebMux

How many browsers can simultaneously access the WebMux management console?
The limit is 4
161. substantially more data throughput than a single physical interface. Please refer to Appendix N for details.

Enter Server LAN Gateway IP address: This IP address is on WebMux. It will be the Default Gateway entry for all the servers on the Server LAN. This address will float between the primary and secondary WebMux. If the Primary goes down, the address entered here will float to the backup. Please pay very careful attention that THIS IS NOT YOUR EXTERNAL ROUTER/GATEWAY IP. The IP address you put here will be assigned to the Server LAN interface. Make sure it is a unique IP address. In the single WebMux setup, this address CANNOT be the same as the WebMux IP interface address on the Server LAN.

When configuring a backup unit, this screen will not be displayed. Please continue to the Common Configuration section.

5.8 Transparent Mode or Single Network Mode Related Configuration

Enter Bridge IP Address: This will be the IP address of the WebMux on the network so that you can use a browser to manage it. Although the server and internet ports are interchangeable in transparent mode, it is recommended that you stick with the labeling scheme and connect the port labeled internet to the switch on the firewall/router side, and connect the switch on the servers to the port labeled server.

Enter Bridge Net Mask: This should match the net mask of the existing network the WebMux will be a part of.

Enter Router LAN
162. t of 1. A special zero weight setting is provided for a graceful shutdown of a server. When the weight is changed to zero, the WebMux will not send new connections but will maintain all current connections to the server. The connections will gradually reduce to zero as current clients' sessions terminate. When there are no connections, the server is functionally dead or off-line until the weight is changed back to a valid number. The server can then be shut down or taken out of service without affecting any users.

CAUTION: Unlike a server that can go down unexpectedly, the WebMux will not move a STANDBY server to ACTIVE when one or more servers' weight is set to zero. If the weight of all the servers in a farm were set to zero, then the farm would be down because none of the servers are accepting new connections.

Note: If your scheduling method is of the persistent type, be aware that the WebMux will continue to honor those existing persistent sessions. If you have clients that continue to return before the persistence timeout has expired, then you will continue to see connections coming in.

Run State

Active: The server will be put into service immediately after it is added. If there are servers in the farm in Standby, WebMux will activate a Standby server in its place if it goes out of service. When the original server comes back in service, it will stay in Standby mode until manually setting its run state to
163. t server persistence. This scheduling method also compares the match pattern against the host MIME header. In other words, a host name can be specified as a match pattern. In order for client-server persistence to occur, the server will have to generate a cookie first. The WebMux will generate its own cookie to keep track of which client session belongs to which server. These are useful for shopping cart services, for example, so that a client will be directed to the same server and keep their shopping cart items valid. The WebMux cookie expire time matches the MAX_AGE setting specified in the cookie generated by the servers. When MAX_AGE is not defined, the cookie expire time is 30 minutes. If the server deletes the original cookie, the WebMux will also delete its corresponding cookie.

Layer 7 HTTP cookie load directing with cookies: tests the match pattern against the cookie MIME header content only. Client-to-server persistence is also enabled in this scheduling method. Lync and Exchange configuration may need to use this option.

Layer 7 HTTP virtual host load directing with cookies: allows you to direct traffic to name-based virtual hosts. For other scheduling methods, you cannot put the same server IP address more than once in a single farm. This scheduling method will allow you to have several name-based virtual hosts on a single physical server with one IP address. Client-to-server persistence is enabled in this scheduling method.

SSL
164. te store based on the type of certificate.

[Screenshot: Certificate Import Wizard with "Place all certificates in the following store" selected and the Certificate store set to "Personal"]

ix. Click the Finish button.

[Screenshot: Completing the Certificate Import Wizard, followed by the message "The import was successful."]

9. To enable client side certificate authentication on the WebMux:
a. Create a farm with SSL termination using the key slot that has the CA certificate imported.
b. Select "tag SSL terminated HTTP requests".

Appendix O: Configuring End to End SSL Load Balancing

End to End SSL Load Balancing allows you to enable SSL on the front end between the client and the WebMux farm, but also on the back end between the WebMux and the real servers, for added security. This section shows you how to create a farm with End to End SSL Load Balancing.

1. Create a farm as you normally would, but be sure to select the following options for the farm:
a. Use HTTP service.
b. Select any Layer 7 scheduling method. The most basic Layer 7 scheduling method would be URI load directing.
c. Select an SSL termination key/cert slot. This is for the front end SSL termination between the WebMux farm and incoming clients.
d. Select Yes for "the servers are HTTPS servers".
165. ternet traffic or local connections can both be directly sent to the WebMux, which forwards the packets to the proper server(s); then the server routes the return traffic back to the remote or local clients directly.

[Diagram: primary and secondary WebMux joined by a crossover cable on their backup ports, in front of Servers 1 to 4 forming a virtual farm]

In most situations, the incoming traffic is in small requests and the return traffic from servers back to clients is a large amount of data (pictures or documents). Using Out of Path Mode will allow up to 100 times more traffic to be handled by the WebMux load balancer. The disadvantage of OOP direct response is that the firewall protections built in to the WebMux will no longer function. Users must provide their own firewall for incoming and outgoing traffic. However, in L7 and SSL termination configurations, OOP mode does not gain any advantage, due to the requirement that return traffic from servers must go back to the WebMux for examination of the data headers and/or re-encryption of the data packets.

Section 4 Sample Configurations

4.1 Single WebMux Two-Armed NAT Mode

[Diagram: NAT Mode Single WebMux Installation]
Public IP 65.25.35.156 NATed to Farm 1 IP 205.133.156.200
Public IP 65.25.35.157 NATed to Farm 2 IP 205.133.156.210
Router Network 205.133.156.0, Netmask 255.255.255.0, Gateway IP 205.133.156.1
Router LAN Switch, Firewall/Router
166. the usage of these commands.

Appendix F: Extended Regular Expressions

Extended Regular Expressions is a powerful system for filtering and matching string patterns. Although you may be familiar with the wildcard characters used in DOS or Linux command lines, such as the * and ?, it is important to point out that these characters do not mean the same thing in Extended Regular Expressions. The * and ? are called quantifiers, and they by themselves do not represent actual characters. The wildcard character in Extended Regular Expressions is the period (.). However, the . only represents a single instance of any character, the way the ? is normally understood in command lines.

A quantifier in Extended Regular Expressions tells you how many times an element to its left is allowed to occur and still be considered a valid match. A ? says that the element to its left is allowed to occur zero or one time. For example, colou?r will match both color and colour, because the u can either not occur at all or occur only one time in the string to be valid. The string colouur will not be a valid match in this example. The * means that the element to its left can occur zero or more times. So colou*r will match color or colour or colouur or colouuuur and so on. Quantifiers require that it is preceded with an element or character. So to get the same r
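The quantifier rules above, checked side by side with shell wildcard matching, as an added example that is not part of the manual. It uses grep -E as a stand-in Extended Regular Expression engine; which engine the WebMux uses and whether it anchors match patterns is not stated on this page, so both whole-string and search matching are shown, and the host names are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the WebMux manual. grep -E stands in for the ERE
# engine (assumption); host names below are constructed sample values.

# ere_match PATTERN STRING: true if the whole STRING matches PATTERN.
ere_match() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# ere_search PATTERN STRING: true if PATTERN matches anywhere in STRING.
ere_search() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# glob_match PATTERN STRING: command-line wildcard semantics, for contrast.
glob_match() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print one row: how the same pattern behaves under each set of rules.
show() {
    ere=no; glob=no
    if ere_match "$1" "$2"; then ere=yes; fi
    if glob_match "$1" "$2"; then glob=yes; fi
    printf '%-22s %-22s ERE=%-3s wildcard=%s\n' "$1" "$2" "$ere" "$glob"
}

demo() {
    # ? and * are quantifiers in ERE but stand for characters as wildcards.
    show 'colou?r' 'color'
    show 'colou?r' 'colouur'
    show 'colou?r' 'colouXr'
    show 'colou*r' 'colouuuur'
    # An unescaped period matches any character, so a host-name pattern
    # written without escapes accepts more names than intended.
    show 'www.example.com'     'wwwXexample.com'
    show 'www\.example\.com'   'wwwXexample.com'
    show 'www\.example\.com'   'www.example.com'
}

demo
```

When a host name is used as a match pattern, escaping each period keeps the pattern from matching look-alike names; if the engine searches rather than matches the whole string, a longer name that merely contains the pattern also matches.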
167. this IP address to your servers' /etc/hosts file, along with the gateway IP address, to allow faster name resolution, especially on Linux/Unix. Please also refer to Appendix A for adding loopback to servers. In an installation with a primary and secondary WebMux, one unique IP address is required for each WebMux interface that connects to the Server LAN. Those two unique IP addresses are in addition to the farm IP address that is floating between the primary and secondary WebMux.

Enter Server LAN Network IP Address Mask: This is the network mask of the Server LAN. For a class A network it may be 255.0.0.0. For a class C network it may be 255.255.255.0.

Enter Server LAN VLAN ID (optional): Note: The VLAN ID is used for full 802.1q VLAN support.

Enter Server LAN Gateway IP address (optional): This is an optional configuration that is used only if you are going to do SSL termination or Layer 7 load balancing. Keep in mind this is an IP address assigned to the Server LAN network interface. Be sure to use a unique IP address, or duplicate IPs on the network will occur. Enter 0.0.0.0 if not needed.

5.10 Common Configuration For NAT, Transparent, Single Network, and Out of Path Mode

Enter External Gateway: This is the common setup for NAT, Transparent, and Out of Path modes. This is an address on the firewall or router local interface. In NAT mode, the WebMux needs to know this to route the server replies back to the clie
168. tion table will help resolve this problem Please read the Q amp A section for more information 39 6 3 Network Setup After logging into management console as superuser click on the network menu You will come to this screen webmux1 avanu com CPU 0 mem 4 IP 192 168 12 25 MAC 00 22 12 f0 03 5b IP 192 168 11 25 MAC 00 22 12 f0 03 5a Aug 20 11 12 44 2012 up since Aug 20 11 10 18 2012 network management Please enter information below Use as divider for multiple entries except use as divider for IPv6 addresses Multiple entries are not allowed for the server gateway control ports mail server or warning threshold The items with take effect on next restart Items marked with t are optional in single network mode IPv6 96 bit address prefix email server IP address for notification email addresses for notification UDP syslog server IP address for notification T server gateway IP address 192 168 11 1 WebMux http control port 24 WebMux https control port 35 WebMux SNMP UDP port 161 WebMux SNMP community webmux WebMux diagnostic ports 77 87 WebMux failover ports least significant bits in client IP address to ignore for persistent connections 2000 2001 0 specific IP address v act as IP router NO front network verification front network verification address request for updating MAC table for farms YES persistence timeout 10min v
169. tions during normal operations Usually a DoS or DDoS connection attack comes in by the hundreds Set this value according to your needs Client Whitelist for TCP Attacks It may be necessary to allow certain IPs to make connections that may appear to be attacks For example if you have a third party company that regularly benchmarks your services for maximum load handling you will need to allow that company uninterrupted access You can use a specific IP address or specify a network range i e xxx xxx xxx 0 24 Separate each entry with a colon 49 Duration to block attackers This sets the amount of time to block attacker IP addresses It may not be desirable to block specific IP addresses indefinitely because of the dynamic nature of IP addresses used by the general public You may end up blocking out potential customers in the future Therefore this setting allows you to set the IP blocking duration that suite your needs Changing the settings in this page will not require a reboot and is effective once you click the confirm button 6 4 4 Activating Flood Control Feature To get to the Flood Control settings of the WebMux hover the mouse over the security menu on top and then click on the flood control link aaa CPU 0 mem 6 IP 192 168 13 21 MAC 00 22 12 f0 03 49 IP 192 168 14 21 MAC 00 22 12 f0 03 48 backed up by 192 168 1 Oct 25 13 00 56 2012 up since Oct 25 11 59 47 2012 2012 AVANU LLC flood con
170. trol management You will get to this screen aaa CPU 0 mem 6 IP 192 168 13 21 MAC 00 22 12 f0 03 d9 IP 192 168 14 21 MAC 00 22 12 f0 03 d8 backed up by 192 168 14 22 Oct 25 13 02 25 2012 up since Oct 25 11 59 48 2012 main 1 network security flood control management Please enter values for flood control management Setting the timeout to 0 disables flood control packet rate hooo packet threshold 200 timeout in seconds 10 2012 AVANU LLC All rights reserved Packet Rate This will control the packets per second rate that will be allowed Packet Threshold This will set the maximum number of concurrent connection a client can make before the WebMux will consider it an attack You do not want to set this value too low because most of time servers will experience several concurrent connections during normal operations 50 Usually a DoS or DDoS connection attack comes in by the hundreds Set this value according to your needs Timeout in Seconds This will set the maximum number of concurrent connection a client can make before the WebMux will consider it an attack You do not want to set this value too low because most of time servers will experience several concurrent connections during normal operations Usually a DoS or DDoS connection attack comes in by the hundreds Set this value according to your needs 6 4 5 Flood Control Display The Flood Control Display screen
171. uring the WebMux the normal steps are Hover the mouse pointer over the four main menus on the top main network security and miscellaneous to navigate the different setup screens Hover the mouse pointer over the main menu and click on SSL keys link to manage SSL keys if SSL termination is desired Click on Add Farm button on the left to create a new server farm Click on the IP address portion of the farm display to add servers or select a radio button of a farm and click the add server button on the left Click on Save button to save the farm server configuration Click on modify health check button on the left to adjust the timeout for each kind of services Note that same protocol services between farms will share the same timeout value We will discuss those buttons and related features in greater detail in later sections Other buttons on the main management console screen are 6 2 1 Save On the main management console clicking on the Save button will cause the WebMux to save its configuration Changes made to the Farm and Server will take effect immediately without saving However changes are not saved permanently to the solid state storage until the Save button is clicked Unsaved farm server settings will be lost during power outage or WebMux reboot 338 6 2 2 Pause Resume The status screen automatically refreshes frequently to provide most up to date
172. utton on the left 73 CPU 0 mem 4 IP 192 168 12 25 MAC 00 22 12 f0 03 5b IP 192 168 11 25 MAC 00 22 12 10 03 5a Aug 20 12 04 43 2012 up since Aug 20 11 58 20 2012 add farm If the port number is omitted and the service pertains to a particular application level protocol the well known port for this protocol will be used for example port 80 for HTTP If the port number is omitted and no such protocol pertains to the service for example the generic TCP service the farm will handle all ports for the IP address and transport layer protocol in question except those handled specifically by other farms IP address 192 168 12 label port number service HTTP hypertext transfer protocol TCP scheduling method weighted round robin a SSL termination none M SSL port block non SSL access to farm tag SSL terminated HTTP requests servers are HTTPS servers reencryption servers only serve IPv4 not IPv6 connection throttling watermarks compress HTTP traffic SNAT HTTP server response comparison string HTTP server URI 2012 AVANU LLC All rights reserved When you click on the link you will be brought to the Add Gateway Farm screen webmux1 avanu com AVANU CPU 0 mem 4 Q IP 192 168 12 25 MAC 00 22 12 f0 03 5b IP 192 168 11 25 MAC 00 22 12 f0 03 5a Aug 20 12 29 21 2012 up since Aug 20 11 58 20 2012 WebMux we add gateway farm Ifthe address i
173. will show you the list if any of source IP addresses that are currently being blocked because of excessive activity To get this screen hover the mouse over the security menu on top and click on the flood control display link aaa CPU 0 mem IP 192 168 13 21 MAC 00 22 12 f0 03 49 IP 192 168 14 21 MAC 00 22 12 f0 03 48 backed up by 192 168 14 22 Oct 25 13 04 20 2012 up since Oct 25 11 59 47 2012 flood control display You will see the following screen aaa 8 CPU 0 mem 6 lt AVANU IP 192 168 13 21 MAC 00 22 12 f0 03 d9 C IP 192 168 14 21 MAC 00 22 12 f0 03 d3 backed up by 192 168 14 22 Oct 25 13 06 35 2012 up since Oct 25 11 59 47 2012 WebMux show blocked show blocked These sources are currently blocked because of excessive activity none 2012 AVANU LLC All rights reserved 51 6 5 Miscellaneous Settings The miscellaneous screen will show the events log by default webmux1 avanu com CPU 0 mem 4 IP 192 168 12 25 MAC 00 22 12 f0 03 5b IP 192 168 11 25 MAC 00 22 12 f0 03 5a Aug 20 11 59 42 2012 up since Aug 20 11 58 20 2012 man network security miscellaneous show events WebMux events Aug 20 11 58 55 2012 server 192 168 11 10 in http farm 192 168 12 100 80 not usable communication error Operation now in progress 2012 AVANU LLC All rights reserved 6 5 1 Show Events This button will display all the events since the WebMux unit s
174. xt click on Internet Protocol Version 4 TCP IP then click the Properties button In the General tab click the Advanced button Click on the WINS tab and unselect Enable LMHOSTS lookup and 94 select Disable NetBIOS over TCP IP Click OK in the various windows to make all the changes permanent Beginning with Windows Server 2008 the default networking has moved to the strong host model as outlined in RFC 1122 an You need to use the following command line netsh interface ipv4 set interface net weakhostreceive enabled netsh interface ipv4 set interface loopback weakhostreceive enabled netsh interface ipv4 set interface loopback weakhostsend enabled Obviously first you will need to rename the specific adapters from the default of Local Area Network Connection 1 to either net or loopback respectively i e Network Connections Pale Ce K v Network Co v Gd Search File Edit View Tools Advanced Help Organize v 5 Views v ID Name zl Status v Device Name Connectivity Network Category kW LAN or High Speed Internet 3 E Local Area Connection net a D 7 E lp e Network F Network cable unplugged x EZ Broadcom Netxtreme Giga E Broadcom Netxtreme Giga kee A w loopback Es Unidentified network e Microsoft Loopback Adapter For Linux HP UX and FreeBSD perform the following For Linux 2 4 2 6 Systems Login as root and add this co
