WebMux User Manual wms8300_man
Contents
1. STP Spanning Tree Protocol Transparent Mode is another WebMux configuration that allows you to keep the existing IP addresses of your servers Like Out of Path mode the servers and the WebMux will be on the same IP network However physically the servers will be connected to the WebMux in the same way they would be for NAT mode on the server LAN port The internet port on the WebMux is connected towards the Firewall Router In this mode the WebMux functions as an Ethernet bridge Anything connected to its back interface server LAN is on the same network as its front interface internet router LAN If you look at the diagram above you will see that the terminals are on the same network as the servers even though the servers are behind the WebMux The terminals can communicate with the servers IP directly as if the WebMux was not there and vise versa Copyright 1997 2007 CAI Networks Inc 17 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x When creating a farm choose a unique farm IP address in the network and then add the server IP address under that farm Load balancing occurs when the Farm IP is accessed instead of the servers actual IP There are no configuration changes that need to be made on the servers only the way they are physically connected to the network The diagram also gives an example of a redundant WebMux setup In this case it is2. DESCRIPTION If this interface is up and running the value of this object will be true 1 1 3 6 1 4 1 27182 3 1 1 1 16 1 3 x caiWebMuxIfMaxLinkSpeed x SYNTAX Unsigned32 UNITS Mbps DESCRIPTION The maximum link speed of this interface in megabits per seconds Mbps 1 3 6 1 4 1 27182 3 1 1 1 5 0 caiWebMuxManufactured 0 SYNTAX OCTET STRING 8 11 DESCRIPTION The date and time of manufacture of this unit 1 3 6 1 4 1 27182 3 1 1 1 10 0 caiWebMuxMemoryUsage 0 SYNTAX Unsigned32 UNITS DESCRIPTION The current memory usage expressed as a percentage 1 3 6 1 4 1 27182 3 1 1 1 4 0 caiWebMuxModel 0 SYNTAX OBJECT IDENTIFIER DESCRIPTION An object identifier uniquely identifying which model of WebMux this is The possible set of identifiers is given under the caiWebMuxFamily sub tree Note that the SNMPv2 MIB object sysObjectID 0 will have the same value as this object in all cases 100Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x 1 3 6 1 4 1 27182 3 1 1 1 1 0 caiWebMuxName 0 SYNTAX OCTET STRING 0 255 DESCRIPTION The assigned name of this WebMux unit 1 3 6 1 4 1 27182 3 1 1 1 13 0 caiWebMuxPrimary 0 SYNTAX INTEGER true 1 false 2 DESCRIPTION The value of this object is true 1 if this WebMux is the primary partner of a redundant pair or is running solo The value of this object is false 2 if this WebMux is the secondary partne
3. Public IP 65 25 35 156 Ni ed to FARM IP 192 168 112 35 Private Network 192 168 112 0 Netmask 255 255 255 0 Gateway IP 192 168 112 1 Server LAN interface Server LAN interface rossover Cable to Backup port Primary WebMux Secondary WebMux WebMux IP 192 168 112 38 WebMux IP 192 168 112 39 Extemal Router IP default External Router IP default gateway 192 168 112 1 gateway 192 168 112 1 Server 1 Server 2 Server 3 For SSL termination or Server IP 192 168 112 30 Server IP 192 168 112 341 Server IP 192 168 112 32 Layer 7 you will will need Gateway 192 168 112 1 Gateway 192 168 112 1 Gateway 192 168 112 1 to create a Loopback Adapter IP Loopback Adapter IP Loopback Adapter IP Server LAN gateway IP 192 168 112 35 192 168 112 35 192 168 112 35 192 168 112 37 If WebMux is doing SSL termination or Layer 7 load balancing you need to set the server s default gateway IP to the WebMux Server LAN gateway IP 192 168 112 37 The above diagram is an example about how to configure the WebMux in out of path mode without changing the IP addresses of the web servers and other servers that already exist on the network This is particularly helpful when the changing of an existing network of servers causes problems In this configuration all the servers still remain on the same IP network and can communicate From the servers view the WebMux is on the same network as the servers On the We
4. Version 8 3 x management software from any IP address It is recommended to set this up for security reasons If wrong IP addresses are entered management console login might not be possible Use the push button controls on the WebMux to clear the allowed host list This field is blank by default IPv6 96 bit Address Prefix In Out of Path mode you will see the option to create an IPv6 address prefix The IPv4 addresses will be appended to this prefix For example if you assigned 192 168 12 21 for the WebMux s server LAN ip and you assigned fec0 as the IPv6 prefix the WebMux s complete IPv6 address will be fec0 192 168 12 21 or fec0 c0a8 c15 See also Appendix 8 for extra info on using IPv6 TACACS Server Configuration The WebMux allows you to control the user passwords for the superuser group logins with a TACACS server so that password changes can be administered to several WebMux machines instantly through a central authentication server In this field you will need to specify the TACACS server IP with server xxx xxx xxx xxx Other arguments include secret if the TACACS server requires a password to be accessed and encrypt Each argument must be separated with a space If for some reason the TACACS server is not working the WebMux will default back to the passwords configured in its password setup screen Dialout prefix Some phone systems require a prefix for outside phone nu
5. WebMux Bridge IP Network Mask Administration Setup Information External Gateway Address Remake home WebMux conf passwd Y N Y N Administration HTTP Port Number Secure Administration HTTP Port Is this WebMux primary WebMux running solo without backup Y N Reboot Y N Y N Copyright 1997 2007 CAI Networks Inc 75 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Sample Configuration Worksheets Standalone WebMux NAT Mode Configuration Before WebMux Installation Equipment IP Address Internet Router or Firewall Address 205 133 156 1 Webserver s Default Gateway 205 133 156 1 Web Site IP Address 205 133 156 200 Configuration After WebMux Installation Question Entry Host Name webmux Domain Name cainetworks com NAT Transparent or Out of Path NAT Router LAN Information Router LAN WebMux Proxy IP Address 205 133 156 200 Router LAN Network IP Address Mask 255 255 255 0 Server LAN Information Server LAN WebMux IP Address 192 168 199 251 Server LAN Gateway IP Address 192 168 199 1 Server LAN Network IP Address Mask 255 255 255 0 Administration Setup Information External Gateway IP address 205 133 156 1 Remake home WebMux conf passwd Y Administration HTTP Port Number 24 Secure Administration HTTPS Port Number 35
6. Max Layer 7 connections s 10 000 30 000 50 000 Number of SSL certificates 32 32 32 Load Balancing Methods Cookie content based Yes Yes Yes URL based Yes Yes Yes Round robin Yes Yes Yes Persistent round robin Yes Yes Yes Weighted round robin Yes Yes Yes Persistent weighted round robin Yes Yes Yes Least connections Yes Yes Yes Persistent least connections Yes Yes Yes Weighted least connections Yes Yes Yes Persistent weighted least connections Yes Yes Yes Traffic Management Methods URL based content switch Yes Yes Yes Cookie based content switch Yes Yes Yes Fault Tolerance Diskless Design Yes Yes Yes Port aggregation Yes Yes Yes Failover via network connection Optional Optional Optional Failover via Ethernet link Yes Yes Yes 6 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Service aware Yes Yes Yes Server aware Yes Yes Yes Backup server Yes Yes Yes Security Network Address Translation NAT Yes Yes Yes TCP SYN protection Yes Yes Yes Address mapping Yes Yes Yes Port mapping Yes Yes Yes TCP DoS protection Yes Yes Yes HTTPS SSH management Yes Yes Yes Topologies IPV4 IPV6 support Yes Yes Yes GB Ethernet 1000Base TX Yes Yes Yes Rackmount 1U form factor Yes Yes Yes Device Support Interface to switches Gigabitx2 Gigabitx2 Gigabit x8 Device s role in the network Bridge router Bridge router Bridge router UDP
7. e In Path or Out of Path Load Balancing In normal setup the WebMux can be configured In Path to act as firewall in addition to the load balancer and health checker However if outbound traffic is much larger than inbound traffic and you already have a firewall in place or change of IP address causes problems consider using Out of Path configuration Out of Path load balancing is also called direct routing or one leg operation e Transparent Mode In this mode the WebMux behaves as an Ethernet bridge between the servers and the Router LAN The main advantage is that the network settings in the servers do not have to be changed no loopback adapters or IP address changes needed The servers will be connected behind the WebMux but will appear to be on the same LAN that the WebMux is connected to e Layer 7 Load Balancing WebMux can direct traffic to specific groups of servers within a farm according to a match pattern in HTTP MIME header This allows you for example to group servers that serve only a specific type of content while serving other types of content on another group of servers WebMux Layer 7 load balancing also includes URI load directing with host name MIME header matching and cookies in order to memorize the user browser session and the server session and send the same user to the same server This is important for sites using shopping cart and dynamically generated pages e Informs you of the status of
8. is needed to define the Router LAN and the Server LAN We talk other modes in details at later chapters The side of the WebMux that connects to the Router LAN is to send and receive all the IP packets from the router to the Internet The side of the WebMux that connects to the Server LAN is to send and receive IP packets to and from the servers in the farms By properly configuring the WebMux one can create one or more Virtual Farms on top of physical hardware Hardware Setup Collect Information e Make a drawing of the existing network and note all the configuration settings This will help you to fall back to the existing configurations if needed e Make a new drawing for the new setup with the WebMux and the web farm in place This will be used as a guide for setup and preparation of all the necessary material and equipment e Collect all the IP addresses their network masks network addresses and broadcast addresses for the Server LAN and Router LAN WebMux interfaces The IP address of the Internet router is also needed e Label all the cables Prepare additional cables if needed e Make sure there are enough electrical or UPS outlets for all the new equipment Hardware Setup Setup the new network e Power down all the devices on the network e If you have a secondary WebMux connect the WebMuxes with a cross over Ethernet cable e Connect the servers to the Server LAN e Connect the WebMux es t
9. In Out of Path mode only one network in the setup that is the server LAN is connected to the Internet through the firewall and router Internet traffic or local connections can both be directly sent to the WebMux which routes the packets to the proper server s then the server routes the return traffic back to the remote or local clients directly Crossover Cable to Backup O Primary WebMux Secondary WebMux Server 1 Server 3 Server 4 Virtual Farm In most situations the i incoming traffic is in small requests and return traffic from servers back to clients is large amount of data pictures or documents Using out of path mode will allow up to 100 times more traffic to be handled by the Copyright 1997 2007 CAI Networks Inc 9 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x WebMux load balancer The disadvantage for OOP direct responding is that the firewall protections built in to the WebMux will no longer function Users then must provide their own firewall for incoming and outgoing traffic 10 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Sample Configurations Single WebMux Public IP 65 25 35 156 NATed to Farm 1 IP 205 133 156 200 Public IP 65 25 35 157 NATed to Farm 2 IP 205 133 156 210 NAT Mode Single WebMux Installation Router Network 2
10. One 1 Warranty registration card The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Main Components Front View Web Mu Toggle Power Switch This switch toggles power on and off To power off the switch must be pressed and held for 5 seconds Reset Button Press and release the reset button to reset the WebMux This process may take several minutes to complete Up Arrow Button Down Arrow Button When each button is pressed the value on the cursor location increases or decreases It goes through lower case letters upper case letters numbers and symbols When the cursor is located at the left most position on the LCD the up and down arrow allows the user to select a different item to setup Left Arrow Button and Right Arrow Button When each button is pressed the cursor moves to the left and right Check Mark Button and Cross Button Check Mark Button confirms the selection Cross Button cancels the selection At any time when the system is running holding down to the Check Mark Button will invoke the configuration menu where you can change IP addresses and other settings Copyright 1997 2007 CAI Networks Inc 1 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Rear View AC INPUT External To Router Backup To Server WebM LAN Hub 90 230VAC Modem LAN Hub lebMux a Server LAN Port Connect this port to the Server LAN switch or hub This port connect
11. Si jE eja This will enable you to restrict SSL connections that do not follow the minimum protocol Changing the setting for this section will require you to reboot the WebMux if there are already active farms using SSL Termination If you decide not to reboot existing farms will run under the previous criteria and new farms will follow the new criteria Rebooting the WebMux will ensure that ALL the farms with SSL Termination will adhere to the new protocol requirement Copyright 1997 2007 CAI Networks Inc 49 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x You can click manage key1 or manage key2 to generate keys copy and paste signed certificates A SSL key 1 management Microsoft Internet Explorer File Edt View Favorites Tools Help v CAF Networks Inc SSL key 1 management This key and certificate chain are not currently used for SSL termination You may change this key or certificate chain using the dropdown menus You may either let WWebMux generate a new key or paste in a new private key You may paste in a new certificate chain If you wish to let WWebMux generate a new private key please select the key length from the dropdown menu You may not use a new key until you have pasted in a matching signed certificate chain You may paste a new certificate chain any time before the key is put into use Some certification authorities issue a certificate chain consisting of a single c
12. and 680PG User Guide Version 8 3 x Set Clock Click this button to go to the Set the Clock page The time and date of the WebMux then can be set Please note that the WebMux internally uses GMT time zone not your local time zone per W3C HTTP protocol If the timezone is not set correctly the browser access could be denied due to cookie time out If the UDP NTP server is set up correctly there is no need to set the clock anymore since the WebMux automatically sets its clock periodically r EA Eat ae ride Tool ae eee i Oo B toot 2 non ta a a ee Se al Back nn Home Search Favorites History Print Edit Discuss neice N92 a time 3 60 gt set the clock UTC recommended month 1 12 day of the month year eg 2000 hour 0 23 minute 0 59 time zone 0700 MST PDT 1997 2001 CA Networks All righis reserved Month Enter the number of the month 1 through 12 Leading zeroes are not necessary Day of the Month Enter the day of the month 1 through 31 Year Enter the year Enter all 4 digits Hour Enter the hour of the day Use the 24 hour clock or military time Minute Enter the minute of the hour 44 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x NOTE It is recommended to set the WebMux clock to UTC GMT time Time Zone Select the time or hour offset to t
13. another by using the up down button on the left most LCD position For example if you configured the Allowed Hosts wrong and lock yourself out you can go to the push buttons and select Clr Allowed Hosts option save changes and reboot which will allow all the IP address to access the management console through browser You can clear the allowed hosts but not reset the password or change one option and not change the others 30 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Management Console After the Initial Configuration the user should be able to connect a web browser to the WebMux The web browser does all of the WebMux management The following sections explain each of the easy to use management console screens e Login e Administration Setup Page o Change Password o Set Clock Status Add Farm Modify Farm Add Server Modify Server Copyright 1997 2007 CAI Networks Inc 31 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Login Start Login Page e Start a web browser from your management workstation e Set URL to https webmuxip webmuxport cgi bin login o webmuxip is the IP address of the WebMux on the server LAN webmuxport is the management port address of the WebMux The default ports are 24 for an unsecured connection and 35 for the secured connection Use http instead of https on the URL line i
14. caiWebMuxCPUUsage 0 SYNTAX Unsigned32 UNITS DESCRIPTION The current CPU usage expressed as a percentage 1 3 6 1 4 1 27182 3 1 1 1 8 0 caiWebMuxCPUs 0 SYNTAX Unsigned32 DESCRIPTION The number of CPUs in this unit 1 3 6 1 4 1 27182 3 1 1 3 1 9 x y caiWebMuxFarmAddressBlockNonSSL x y SYNTAX INTEGER true 1 false 2 DESCRIPTION If the value of this object is true 1 then connections to the IP address given for this row that are not using SSL will not be accepted 1 3 6 1 4 1 27182 3 1 1 3 1 5 x y caiWebMuxFarmAddressIPv4 x y SYNTAX IpAddress DESCRIPTION An IPv4 address used to access the service provided by this server farm 1 3 6 1 4 1 27182 3 1 1 3 1 6 x y caiWebMuxFarmAddressIPv6 x y SYNTAX OCTET STRING 16 DESCRIPTION An IPv6 address used to access the service provided by this server farm Copyright 1997 2007 CAI Networks Inc 97 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x 1 3 6 1 4 1 27182 3 1 1 3 1 3 x y caiWebMuxFarmAddressLabel x y SYNTAX OCTET STRING 0 255 DESCRIPTION The mnemonic label assigned to this address and port for a server farm 1 3 6 1 4 1 27182 3 1 1 3 1 7 x y caiWebMuxFarmAddressPort x y SYNTAX Unsigned32 1 65535 DESCRIPTION A TCP or UDP port number used to access the service provided by this server farm 1 3 6 1 4 1 27182 3 1 1 3 1 2 x y caiWebMuxFarmAddressRowStatus x y SYNTAX INTEGER active 1 notInService 2 notReady 3
15. the port is 24 You can change the port to any port that is not being load balanced if so desired The font push buttons can also change this WebMux https control port Since the WebMux is load balancing incoming HTTPS traffic the HTTPS port for the management console must be set to a different port By default the port is 35 You can change the port to any port that is not being load balanced if so desired The front push buttons can also change this 38 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x SNMP UDP Port SNMP on the WebMux is active and uses port 161 by default You can change the port here Or you can enter 0 or none or leave blank to disable SNMP altogether WebMux diagnostic ports The WebMux allows diagnostic sessions from remote access for factory technical support or trained network engineers through ssh or telnet Access is also subject to the restriction of the Allowed Host setting earlier superuser can login with its password using ssh to run certain diagnostic tools help shows the commands how to use these commands are not supported When this entry is blank any diagnostic access is denied This entry should remain blank under normal operations Default port numbers are 77 87 The first port is ssh and second is telnet If only one port specified only ssh login is possible You will need to notify
16. 1 13 x y caiWebMuxServerWeight x y SYNTAX Unsigned32 1 100 DESCRIPTION The current rate of packets being sent to this server 1 3 6 1 4 1 27182 3 1 1 1 12 0 caiWebMuxSolo 0 SYNTAX INTEGER true 1 false 2 DESCRIPTION The value of this object is true 1 if this WebMux is running solo or false 2 if this WebMux is part of a redundant pair 1 3 6 1 4 1 27182 3 1 1 1 2 0 caiWebMuxVersion 0 SYNTAX OCTET STRING 0 255 DESCRIPTION The WebMux firmware version running this WebMux unit Copyright 1997 2007 CAI Networks Inc 103 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Index 1 128bit 51 A ACTIVE 65 87 Add 32 35 38 48 57 62 64 68 69 80 91 Allowed 29 31 37 See arp 41 98 C certificate 53 59 Certificate Signing Request 53 Compliance 90 cookie expire 60 cookies 4 33 60 63 68 87 CSR 53 Custom Defined 59 D Default Gateway 12 14 24 77 79 81 82 84 diagnostic ports 40 Download 36 55 E email notification 5 38 expire 54 60 F farm 9 12 14 15 19 20 23 29 36 41 42 57 58 59 60 62 63 64 65 80 81 82 83 87 88 89 91 93 fault tolerance 3 Firewall 4 77 79 81 82 84 G gateway 12 14 15 24 26 27 36 39 42 49 80 83 84 88 89 92 94 generate 52 104Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version
17. 481S 591SG and 680PG User Guide Version 8 3 x Out of Path Related Configuration Enter Server LAN WebMux IP Address This is the IP address of the WebMux interface that connects to the Server LAN This IP address must also be unique for each WebMux The purpose of this IP address is to allow the WebMux to check the network and server health Even for the backup WebMux this address must be unique It is highly recommended to add this IP address to your servers etc hosts file along with the gateway IP address to allow faster name resolution especially on Linux Unix Please also refer to Appendix for adding loopback to servers In an installation with a primary and secondary WebMux one unique IP address is required for each WebMux interface that connects to the Server LAN Those two unique IP addresses are in addition to the farm IP address that is floating between the primary and secondary WebMux Enter Server LAN Network IP Address Mask This is the network mask of the Server LAN For a class A network it may be 255 0 0 0 For a class C network it may be 255 255 255 0 Enter Server LAN Gateway IP address optional This is an optional configuration that is used only if you are going to do SSL termination or Layer 7 load balancing Keep in mind this is an IP address assigned to the Server LAN network interface Be sure to use a unique IP address or duplicate IPs on the network will occur
18. 8 3 x H Hardware Setup 20 21 health check 3 42 59 I IPv6 5 38 92 101 102 L Layer 7 4 6 16 26 27 39 60 61 63 68 82 83 loopback 15 26 82 83 93 Loopback 91 M management console 29 31 32 37 39 40 88 MAP 5 66 MIB 102 105 MIME 4 49 58 60 63 67 68 Modify 32 62 69 N NAT 4 8 21 22 23 24 27 See netmask 11 38 83 NTP 42 46 59 O out of path 15 49 91 Out of Path 4 8 9 15 16 17 22 26 27 42 OVERLOAD 97 Overview 3 8 P pager 5 36 38 94 paging 38 passwd 29 77 79 81 82 84 Pattern 68 persistent 40 41 60 61 62 63 93 PIN 45 primary 13 Proxy 4 23 77 79 81 84 public key 52 53 R Reboot 21 30 42 43 78 80 81 83 85 91 Copyright 1997 2007 CAI Networks Inc 105 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Round Robin 6 route 16 27 41 58 83 91 93 98 Router LAN 2 8 11 12 13 14 20 21 22 23 77 79 81 84 88 S scheduling 60 62 secondary 13 Server LAN 2 8 11 12 13 14 20 21 23 24 26 77 79 82 84 87 SNMP 102 Spanning Tree Protocol 18 SSL 3 27 48 50 59 SSL termination 16 26 35 48 49 50 59 61 63 67 82 83 STP 18 superuser 34 37 syslogd 39 T Tag 63 timeout 35 36 39 41 42 Timeout 36 41 42 TLS 50 Transparent 4 8 17 21 22 23
19. Enter 0 0 0 0 if not needed 26 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Common Configuration For NAT Transparent and Out of Path Mode Enter External Gateway external Gateway BisZ i68 11 2 This is the common setup for NAT Transparent and Out of Path modes This is an address on the firewall or router local interface In NAT mode the WebMux needs to know this to route the server replies back to the clients Although in Out of Path mode this is not being used to route return traffic back to the Internet clients the WebMux does check the connectivity to the incoming side on this gateway or through this gateway to the ISP side routers However for SSL termination or Layer 7 load balancing servers need to route traffic back to the WebMux via the server LAN gateway previously mentioned The WebMux then forwards it to the client through the external gateway If health check on extermal gateway is enabled by default WebMux will turn the farm listing red to indicate the external gateway failure Is this a Primary WebMux Primary webmux VES NO If this is the Primary answer Yes If this is the Secondary WebMux answer No The secondary WebMux automatically gets configuration information from the Primary once it sets up If this is the only WebMux answer Yes Primary WebMux Information This question is not asked fo
20. Guide Version 8 3 x Activating the Anti Attack Feature To get to the Anti Attack settings of the WebMux first log in as superuser in the Web Admin Once logged in enter this address in your web browser you may need to click on the pause button on the status page to stop the automatic refresh http webmux ip address 24 cgi bin sec alternately you can use https and specify port 35 You will see this screen alot Ce a le http 192 168 12 31 24 cgi bin sec f X Live Search w a security settings gt BD Gh gt Page G Toos GAZ Networks Inc security settings for webmux cainetworks com Please enter information below Use as divider for multiple entries in whitelist Multiple entries are not allowed for attack threshold TCP connection attack threshold client whitelist for TCP attacks duration to block attackers 2hr Y 1997 2007 CAI Networks All rights reserved TCP connection attack threshold This will set the maximum number of concurrent connection a client can make before the WebMux will consider it an attack You do not want to set this value too low because most of time servers will experience several concurrent connections during normal operations Usually a DoS or DDoS connection attack comes in by the hundreds Set this value according to your needs Client Whitelist for TCP attacks It may be necessary to allow certain IPs to make connectio
21. Jan 14 2005 23 05 34 GMT no change X no change use new key pasted in use new 512 bit RSA ke use new 1024 bit RSA key use new 2048 bit RSA key delete ke certificate Jan 14 2005 23 06 50 GMT no change X sample 2046 bit R54 private key NHITEpAIBALKC LOE AV ZaxSLermOFr 8dql2TFUux40 UTZe6tLeta sample certificate with public key for sample 2046 bit R54 privat a key valid until Jan 18 18 10 21 2036 GMT This certificate is self signed and should not be used when If you have existing signed keys from a Windows IIS server or a Linux server you can transfer them into the WebMux and continue using them until they expire Please contact us for how to convert your existing keys 52 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Upload Download upload download Microsoft Internet Explorer Eile Edit View Favorites Tools Help Gi Bak v OAD Asearch Favorites PMedia S dy 3m A Address Go Links Norton Antivirus amp CAI Networks Inc upload download The exact download method is browser dependent A left click should display the configuration on screen for cut and paste A right click should bring up a menu allowing saving the contents directly by choosing say Save Link As or Save Target Please be sure to use the correct file For example do not attempt to save only the farm configur
22. Loopback Adapter Configuring the MS Loopback Adapter 1 If not there already goto Start gt Settings gt Control Panel gt Network gt Protocols tab 2 Select TCP IP and click the Properties button 3 You should be at the Microsoft TCP IP Properties dialog box Be sure the MS Loopback Adapter is the Adapter selected Enter your farm IP address for IP address Subnet should be match your servers change it if not 4 Click Apply then OK then Yes when prompted to restart the computer For Windows 2003 Server make sure the metric is the highest number in routing table stop here For Windows 2000 NT Systems please proceed to the Appendix 2 for remove the route entry in the routing table For Linux HP UX and FreeBSD perform the following For Linux 2 4 2 6 Systems Login as root and add this command to the bootup script iptables t nat A PREROUTING d lt farm_ip gt j DNAT to dest lt server_ip gt For IP based virtual hosting with multiple IPs repeat the command for each farm IP on all the servers Don t forget to add the proper farm IP to each virtual host configuration 86 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x With IPv6 addresses add the IPv6 address of the FARM to lo adaptor Also be sure that the routing table has an IPv6 entry for the network and a default gateway entry for the real interface of the server You can check b
23. Model 481S 591SG and 680PG User Guide Version 8 3 x Label The label field can be changed to make it fit better for describing the farm Change this will not affect how load balancing works Port Number You can specify a port number that doesn t duplicate any existing IP port combinations A port number of all will enable all port ranges but excluding any already existing ports associated with the specified IP address Please see the note at the end of this section regarding the behaviors of the additional IP port in conjunction with SSL termination Service This allows you to specify the type of health checking you want the WebMux to perform for this MAP instance SSL termination You can enable the WebMux to do the SSL termination of this MAP instance SSL port The known secure port for the type of service you selected will be automatically filled in You can manually change it if you are using a different port for that service Block non SSL access to farm Prohibits non SSL connection to this MAP instance Tag SSL terminated HTTP requests This will enable the WebMux to add an X WebMux SSL termination true MIME header in the decrypted http request sent to the server Copyright 1997 2007 CAI Networks Inc 65 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Add L7 Server If setting up a Layer 7 farm the add server screen will be similar to this 3
24. Model 481S 591SG and 680PG User Guide Version 8 3 x VO or computers behind WebMux WebMux does not have the management functionality for restricting which IP address or services an internal host can reach to the outside If such restriction is desirable then additional firewall is needed What can do if the service that want to load balance is not in the list WebMux as is already supports many different services In the case if your service is not in the list you could use generic TCP and or UDP to set your farm If that is still not good enough you may contact us for developing a special service aware module for you In most cases there is a very reasonable fee to be charged Why secondary WebMux did not take over when powered down Primary WebMux 1 Two WebMux not on the same version of firmware Or 2 Secondary WebMux monitors primary WebMux as well as few other things Before it takes over it makes sure it can reach to the router LAN gateway as well as at least one server defined in any farm If secondary WebMux cannot reach to the front router LAN gateway or it cannot see any server in any farm then it will consider the primary disconnect or power down was done purposely by operator Why my Fastlron Switch set to 100MB fix speed does not work with WebMux WebMux uses Intel network chipsets internally Intel chipsets follows all industrial standards and have good performance and r
25. User Specify Generic no health check TCP UDP User Specify Custom Defined TCP Services 80 or User Specify Custom Defined UDP Services User Specify Custom Defined TCP UDP Services User Specify Custom Defined Paired HTTP and HTTPS User Specify TCP Service Scheduling method Copyright 1997 2007 CAI Networks Inc 57 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x The scheduling method is the way in which traffic is distributed among the servers in the farm Eight different methods are supported If you are using a shopping cart service a persistent scheduling method is recommended e Least connections Least connections persistent Round robin Round robin persistent Weighted least connections Weighted least connections persistent Weighted round robin Weighted round robin persistent Weighted fastest response Weighted fastest response persistent Layer 7 HTTP URI load directing Layer 7 HTTP URI load directing with cookies Layer 7 hashed URI load directing Layer 7 scheduling methods can only be used with the HTTP Hypertext Transfer Protocol TCP service These scheduling methods allow you to direct traffic to a specific group of servers depending on a match pattern that is compared to the URI in the clients GET request header Layer 7 HTTP URI load directing with cookies allows the WebMux to direct traffic from the same client to the same server in the farm This scheduling method also
26. WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x For WebMux Primary Only e 66 Secondary is not responding For WebMux Secondary Only e 71 Primary failed Secondary took over from Primary e 72 Primary went back up Control returns to the Primary 90 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 4 Virtual Hosting Issues Servers serving more than one web site may do virtual hosting The WebMux supports virtual hosting by checking the virtual servers response There are three different situations for the WebMux to handle If the service is HTTPS there is no way to do virtual hosting on the same IP address However each HTTPS farm can be on a different IP address on the same server The reason that each HTTPS server must have its own IP address is that any web server software IIS or Apache can not see the URL in the HTTPS packets since they are encrypted The IIS or Apache server only decrypts the URL after the packet is sent to a particular process Since no web server software supports virtual hosting HTTPS on the same IP address the WebMux does not need to do anything extra other than load balancing all the packets for that particular farm If the service is HTTP then any web server software IIS or Apache can host almost unlimited virtual farms on each IP address Many hosting centers handle this situatio
27. a Address 2 http 192 168 12 21 24 cgi bin modi_dst DCO480B04000000010002000000230001 GAs Networks inc modify server 192 168 11 10 port 0 This server is currently FAVORITE ACTIVATED ALIVE Currently there are O connections through this server label weight fi run state ACTIVE FAVORITE 7 Je e ed cel 1997 2005 CAI Networks All rights reserved Destination server IP address and port number These parameters are set in the Add Server screen Once set these fields cannot be modified To correct this setting delete the server and add a new one Label The label can be changed at any time The change will not affect how server is performing in the farm rather it is for description purpose only Weight Scheduling priority weight Valid integer numbers are between O and 100 Changing the weight to zero will stop the incoming connections while all existing connections continue until time out or connection is terminated by client and server Although all numbers from 1 to 100 will allow traffic to go through using a smaller weight number in each server will have the best load distributing result Copyright 1997 2007 CAI Networks Inc 67 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Running state e Active e Favorite Active e Standby e Last Resort Standby 68 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User
28. based service support Yes Yes Yes Management Secure web browser access Yes Yes Yes In service Not in service Phone pager alarm notification ext modem req Hien modemed o ouuu e eo Remote telnet SSH access Yes Yes Yes Persistent connections Yes Yes Yes Port specific services Yes Yes Yes Miscellaneous Factory warranty 3 years 3 years 3 years Free telephone and email support 3years 3years 3years Free factory pre configuration Yes Yes Yes Overnight pre sent exchange unit Optional Optional Optional 24x7 Gold Premium Suppot Optional Optional Optional 30 day money back guarantee Yes Yes Yes NAT in path mode Much higher performance in Out Of Path mode With CAI RSA3500 option card With CAI RSA7000 option card Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Network Overview The WebMux has three modes In Path or NAT Network Address Translation Out of Path mode and Transparent NAT Ethernet Bridge Mode Each mode has its advantage and disadvantages Lets look the NAT mode first Internal Server Router Primary WebMux server LAN D Server 1 Server 2 Server 3 Server 4 Virtual Farm The main purpose of the WebMux is to balance the traffic among multiple web or other servers The diagram above shows an NAT installation with two WebMu
29. bin rec For example if your webmux_ip is 192 168 12 1 and your webmux_manage_port is 24 your URL will be http 192 168 12 1 24 cgi bin rec http 192 168 12 21 24 cgi bin rec Microsoft Internet Explorer iol xj File Edit View Favorites Tools Help Pa n AA S f 5 4 a _ Er E Back gt x a al y Search avorites E bo Se vel Address a http 192 168 12 21 24 cqi bin rec x Go ie WebMux initialization 8 0 00 You are not logged in as superuser Please enter your WebMux superuser s password current GMT setting 23 40 01 06 30 2006 lf incorrect please enter correct GMT as hh mm ss mm dd yyyy Use 24 hour time not a m or p m Set time only YES NO i E Done CEE EOE Etene The first screen in rec reconfiguration asks for the superuser s password The default superuser s password is superuser however the actual superuser s password may had been changed by the system administrator If you could not remember the superuser s password someone has to go to the keypad to reset the password See page 22 for more details The next question on the screen asks to set the time in the WebMux The WebMux uses its clock to set the cookie for the management browser When a WebMux manager is logged in for more than 8 hours without activity the WebMux will log out the user based on the cookie However if the clock is off b
30. mask of the Router LAN network It is usually 255 255 255 0 for class C networks Enter Server LAN pera IP Address vr LAN ip Soo tee 198 251 This is the IP address of the WebMux interface that connects to the Server LAN This IP address must also be unique for each WebMux This address must be different from the server LAN gateway address The purpose of this IP address is to allow WebMux to check the network and server health situation Even for the backup WebMux this address must be unique It is highly recommended to add this IP address to your servers etc hosts file along with the gateway IP address to allow faster name resolution especially on Linux Unix In an installation with a primary and secondary WebMux one unique IP address is required for each WebMux interface that connects to the Server LAN Those two unique IP addresses are in addition to the gateway IP address that is floating between the primary and secondary WebMux Copyright 1997 2007 CAI Networks Inc 23 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x These IP addresses cannot be your Internet registered addresses They must be Internet non routable For example you can assign addresses in a 10 0 0 0 network address range or a 192 168 199 0 etc Enter Server LAN Network IP Address Mask sur LAN net mask This is the network mask of the Server LAN For a class A network it may be 255 0 0 0 For a clas
31. sone e ee eeeeas 19 Hardware Setup Collect Information 02 ssssessseesseeeeeeee esse nesesesseeeeeeenaes 20 Hardware Setup Setup the new network 1 s sseseseeete eee eee eens cece etee ee ee eee e eee seen ees 20 Hardware Setup Configuration Summary sssss0ee sees ete eees ness sees eee eee eee eeees 1 Initial Configuration sssseeeeeeeee ete eees cess eee sees nse nee eeaseeneeeeannee anes eesbeneaeeeeaas 1 NAT Mode Related Configuration 1 ss seeseeeteeeeeeeeseeeeeeeeesenaeeteeeesue nee see tans 23 Trasnparent Mode Related Configuration 0s s essesseeesseeeeseeeeeeeeeeeseeeseeeneans 24 Out of Path Related Configuration 62 sseeeeseeeeeeeeeee eee n ee eeeeeeeen sence e seen eneees 26 Common Configuration essseeeesestetttststtttrrstttttrrstttrsrsttttsrrrtttrerrtererereennrreteett 27 For NAT Transparent Bridge and Out of Path Mode sss ssessssttsststtttssrsrerterrrstet gt 27 What if I made mistake in my configuration sessssee esse sees eee e ents esse even eee eans 30 Management Console 2 sssseseeeeeeeeeseees eee eeeeeetn rene eeseeee ne eee saab eneeessaeeneeeenaeaees 31 LOIN Ree EEL EEE E EE EC EESOSA EES EEDAN S EESE Ceer rer eceecer ieee eeecerereeree 32 Main Management Console 2 s sssseeessessese neces tee eeseeses eee eeee anne esse seeee ee eeeenae 34 Download Upload 100 sssseeeesee eee eeeeeeeec
32. the farm IP itself is showing dead please verify that your router responds to the method you have specified in this field Front Router Connection Verification IP Address It can be the router in front of the WebMux or a router in your ISP s WAN It is recommended to have the router IP address as the verification IP address However it can be any address that is reachable on your Internet side When farm listing turning red it is an indication that this address failed check Persistence Timeout The WebMux will keep track the clients browser connections if the persistent farm is defined and accessed Within the timeout time period the WebMux will send any request from the browser IP address to the same server Our survey shows 5 6 minutes is the best value for most cases The larger the persistence timeout value the less chance user connection get lost However by keeping a lot of connections in the WebMux memory the maximum number of available connections for new clients will drop Outbound Connection Timeout The WebMux keeps track the outbound connections This outbound proxy function provides communication tunnels for servers behind it to talk to other computers on the Internet side This type of connection is different from the connections from outside through server farms to the servers After the connection closed from the servers to the outside computer it will wait this timeout minutes before it removes that
33. then the layer 7 pattern to be matched has the leading included 1 3 6 1 4 1 27182 3 1 1 4 1 3 x y caiWebMuxServerLabel x y SYNTAX OCTET STRING 0 255 DESCRIPTION The mnemonic label assigned to this server 1 3 6 1 4 1 27182 3 1 1 4 1 11 x y caiWebMuxServerPacketsPerSec x y SYNTAX Gauge32 DESCRIPTION The current rate of packets being sent to this server 1 3 6 1 4 1 27182 3 1 1 4 1 6 x y caiWebMuxServerPort x y SYNTAX Unsigned32 1 65535 DESCRIPTION The TCP or UDP port number used to access the service on the provided address 1 3 6 1 4 1 27182 3 1 1 4 1 2 x y caiWebMuxServerRowStatus x y SYNTAX INTEGER active 1 notInService 2 notReady 3 createAndGo 4 createAndWait 5 destroy 6 DESCRIPTION The status of this row As this table is read only the value of this object will always be active 1 at the present time 1 3 6 1 4 1 27182 3 1 1 4 1 12 x y 102Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x caiWebMuxServerState x y SYNTAX Unsigned32 DESCRIPTION The current state of this server The bits have the following meaning Bit Meaning 0x0001 If bit set server is available 0x0002 If bit set WebMux will send traffic to this server 0x0020 If bit set always try to use this server if it is available 0x0040 If bit set only try to use this server if no other server in the farm is available 1 3 6 1 4 1 27182 3 1 1 4
34. 05 133 156 0 Sn Netmask 255 255 255 0 Gateway IP 205 133 156 1 Router LAN Switch Firewall Router To WebMux Internet port Primary WebMux WebMux s IP on Router LAN 205 133 156 220 External Router IP 205 133 156 1 Server LAN IP 192 168 199 251 Server Lan Netmask 255 255 255 0 Server LAN Gateway 192 168 199 1 Server 1 Server 2 Server 3 Server IP 192 168 199 10 Server IP 192 168 199 20 Server IP 192 168 199 30 Gateway 192 168 199 1 Gateway 192 168 199 1 Gateway 192 168 199 1 4 4 e This installation requires one WebMux e One WebMux interface Internet connects to the Router LAN The other interface connects to the Server LAN e The WebMux translates the Router LAN IP addresses to an internal non routable class C address In this example the netmask is 255 555 255 0 The IP address of the WebMux interface on the Router LAN is 205 133 156 220 The IP address of the WebMux interface attached to the Server LAN is 192 168 199 251 e The Default Gateway for all the servers is 192 168 199 1 e Farm 1 IP address is 205 133 156 200 Servers 1 and 2 serve Farm 1 Copyright 1997 2007 CAI Networks Inc 11 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x e Farm 2 IP address is 205 133 156 210 Servers 2 and 3 serve Farm 2 e Changes to the server change the default gateway to 192 168 199 1 as well as the IP address to the 192 168 199 xxx address If on the se
35. 1 6 x caiWebMuxFarmPacketsPerSec x SYNTAX Gauge32 DESCRIPTION The current rate of incoming packets for this server farm 1 3 6 1 4 1 27182 3 1 1 2 1 2 x caiWebMuxFarmRowStatus x SYNTAX INTEGER active 1 notInService 2 notReady 3 createAndGo 4 createAndWait 5 destroy 6 DESCRIPTION The status of this row As this table is read only the value of this object will always be active 1 at the present time 1 3 6 1 4 1 27182 3 1 1 2 1 3 x caiWebMuxFarmScheduling x SYNTAX OCTET STRING 0 255 DESCRIPTION The load balancing alhorithm used to distribute incoming connections amongs the servers of this farm 1 3 6 1 4 1 27182 3 1 1 1 3 0 caiWebMuxFirmwareDate 0 SYNTAX OCTET STRING 8 11 DESCRIPTION The date and time the current firmware version was built 1 3 6 1 4 1 27182 3 1 1 1 16 1 4 x caiWebMuxIfCurrentLinkSpeed x SYNTAX Unsigned32 UNITS Mbps DESCRIPTION The current link speed of this interface in megabits per seconds Mbps Copyright 1997 2007 CAI Networks Inc 99 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x 1 3 6 1 4 1 27182 3 1 1 1 16 1 x y caiWebMuxIfIPv4Address x SYNTAX IpAddress DESCRIPTION The IPv4 address of this interface 1 3 6 1 4 1 27182 3 1 1 1 16 1 2 x caiWebMuxIfIPv6Address x SYNTAX OCTET STRING 16 DESCRIPTION The IPv6 address of this interface 1 3 6 1 4 1 27182 3 1 1 1 16 1 5 x caiWebMuxIfLinkUp x SYNTAX INTEGER true 1 false 2
36. 27 58 77 79 81 82 84 U Upload 36 55 URL 33 42 59 75 96 V version 21 42 57 64 89 Virtual Farm 8 19 W weight 42 65 69 87 97 106Copyright 1997 2007 CAI Networks Inc
37. 5 133 156 230 External Router IP 205 133 156 1 Server LAN IP 10 1 1 20 Server LAN Netmask 255 0 0 0 Server LAN Gateway 10 1 1 1 Primary WebMux WebMuy s IP on Router LAN 205 133 156 220 External Router IP 205 133 156 1 Server LAN IP 10 1 1 10 Server Lan Netmask 255 0 0 0 Server LAN Gateway 10 1 1 1 Server 1 Server 2 Server IP 10 3 1 10 Berver IP 10 3 1 20 Gateway 10 1 1 1 Gateway 10 1 1 1 Server 3 Server IP 10 3 1 30 Gateway 10 1 1 1 e The installation requires two WebMuxes One will be the primary and the other the secondary They connect together with the Ethernet cable that is either cross over or through a hub The primary redundant interface IP address is 192 168 255 253 the secondary redundant interface IP address is 192 168 255 254 They can not be changed e Both WebMuxes connect to the Router LAN and to the Server LAN Each WebMux interface has a unique IP address e The registered Internet IP address range is a class C address range e The IP address of the WebMuxes Virtual Farms must be in the same network range as the Internet router e The WebMux translates the Router LAN IP addresses to an internal non routable class A address In this example the subnet mask is Copyright 1997 2007 CAI Networks Inc 13 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x 255 0 0 0 The IP address of the WebMux interfaces attached to the
38. 9 636 LDAP Copyright 1997 2007 CAI Networks Inc 59 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Modify Farm Modify farm can be invoked from the main management console screen by clicking on the farm IP addresses or labels modify farm Microsoft Internet Explorer File Edit View Favorites Tools Help Qax J x a TN J Search 5p Favortes Ol dwj Address Fay http 192 168 12 22 24 cqi bin modi_src 5COA80C640050090001 GA Networks Inc modify farm 192 168 12 100 port 80 SSL termination not active label scheduling method weighted round robin persistent z port 80 gt port 443 SSL termination for this farm block non SSL access to farm via 192 168 12 100 80 tag SSL terminated HTTP requests CE CEECEE Enee N Farm IP address and port number These numbers are displayed here for reference purposes These fields are set in the Add Farm screen Once set they are not changeable If they must be changed delete the farm and then add a new one Label The label field can be changed to make it fit better for describing the farm Change this will not affect how load balancing works Farm scheduling method Eight different methods are supported e Least connections Least connections persistent Round robin Round robin persistent Weighted least connections Weighted least connections persistent Weighted rou
39. 997 2005 CAI Networks All rights reserved internet WebMux model 481S 591SG 680PG support SSL termination For models that do not support SSL termination please ignore this section WebMux supports SSL V2 SSL V3 and TLS V1 with RSA key length from 512 1024 and 2048 For each WebMux one can have 32 SSL certificates Any key can be active or not active The first line of the private key is the comment See included 48 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x two sample keys for details If there is no comment line in the key it will be blank If there is no key it will display key and certificate unset Key length can be different from 512 to 2048 RSA key length 1024 also called 128bit strong encryption At the bottom of the screen you will see the option to choose encryption protocols allowed SSL termination management Windows Internet Explorer O O I ES CH http 192 168 12 21 24 cgi bin ssl sec 118652466 1 amp usec 78709 e a SSL termination management gt BD gt deb Pae Toos key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset Or choose encrpyption protocols allowed encryption protocols SSLv2 SSLv3 TLSv1 7 1997 2007 CAI Networks All rights reserved
40. AT Transparent or Out of Path NAT NAT Router LAN Information Router LAN WebMux Proxy IP Address 205 133 156 200 205 133 156 200 Router LAN Network IP Address Mask 255 255 255 0 255 255 255 0 Server LAN Information Server LAN WebMux IP Address 10 1 1 10 10 1 1 20 Server LAN Gateway IP Address 10 1 1 1 1 Server LAN Network IP Address Mask 255 0 0 0 255 0 0 0 Server LAN Network IP Address 10 0 0 0 10 0 0 0 Server LAN Network Broadcast Address 10 255 255 255 10 255 255 255 Administration Setup Information External gateway IP address 205 133 156 1 205 133 156 1 Remake home WebMux conf passwd Y Y Administration HTTP Port Number 24 24 Secure Administration HTTPS Port 35 35 Is this WebMux primary Y N WebMux running solo without backup N Reboot y y 80 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Contact Information For latest product and support information please visit our web site at http www cainetworks com To reach us by e mail Support support cainetworks com Sales sales cainetworks com To reach us by phone Support 714 550 0901 X2 Copyright 1997 2007 CAI Networks Inc 81 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x DO DO DO DO FAQs can t login with my
41. Is this WebMux primary Y WebMux running solo without backup Y Reboot y You will also need to change the Web server IP address to 192 168 199 10 and its default gateway to 192 168 199 1 Add a farm for 205 133 156 200 and add a server to the farm at 192 168 199 10 You can then add more servers at 192 168 199 20 and 192 168 199 380 You can also add additional farm at 205 133 156 210 and add above three servers to the 2 farm 76 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Standalone WebMux Transparent Mode Configuration Before WebMux Installation Equipment IP Address Internet Router or Firewall Address 205 133 156 1 Webserver s Default Gateway 205 133 156 1 Web Site IP Address 205 133 156 200 Configuration After WebMux Installation Question Entry Host Name WebMux Domain Name Cainetworks com NAT Transparent or Out of Path Transparent Bridge Information Bridge IP Address 205 133 156 210 Bridge IP Network Mask 255 255 255 0 WebMux farm IP Address 205 133 156 200 Administration Setup Information External Gateway IP address 205 133 156 1 Remake home WebMux conf passwd Y Administration HTTP Port Number 24 Secure Administration HTTPS Port Number 35 Is this WebMux primary Y WebMux running sol
42. L Settings to WebMux will actually upload settings including IP address and farm setups If you want to replace the WebMux with a new unit you could save the configuration and upload all settings to the WebMux so that you do not need to go Copyright 1997 2007 CAI Networks Inc 53 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x through step by step configuration requires both WebMuxes on the same firmware revision 54 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x More about Add Farm GAZ Networks Inc add farm The services tcp udp and ip both of tcp and udp are generic Bad server detection is less rigorous for such services A blank port number default means to use the default well known port for the specified service For the generic services a port number of 0 or all denotes the wild specification of all ports The wild port specification is not allowed for other services IP address 192 168 12 taf label port number service HTTP hypertext transfer protocol TCP _ ee weighted round robin persistent X SSL termination none M SSL port block non SSL access to farm tag SSL terminated NO HTTP requests 1997 2007 CAI Networks All rights reserved Farm IP address This is the IP address of the new farm For SSL terminated traffic eac
43. Network IP address Network mesk Broadcast IP address Server 1 Server 2 Serve 3 Serer N Virtual Ss SS a en ea Network Terminology A Virtual Farm includes the WebMux setup and the servers under it Functionally it acts as a single unit on a network For example http Awww you com is one virtual server farm https www me com is another farm and ftp ftp cainetworks com is the third farm The first farm works on a set of servers on port 80 the second farm consists of another set of servers on port 443 and the third farm works on a set of servers on port 21 Please note that the WebMux does support combining 80 443 ports as one single farm so that same client browsing the site in HTTP mode will be send to the same server for HTTPS requests In the combined mode ports 80 443 will be combined into one farm Copyright 1997 2007 CAI Networks Inc 19 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x To serve the Internet there must be at least one Internet Router This local area network that connects the router and the WebMux is called the Router LAN In this LAN the WebMux takes the Internet traffic and distributes it to the servers behind it The LAN connecting the WebMux and real servers together is called Server LAN WebMux has three mode NAT mode OOP mode and transparent mode In NAT mode only the WebMux boxes are connected to both Router LAN and Server LAN At least one WebMux
44. OP use 0 0 0 0 to omit Reinitialize configuration with admin entries only destroys 4 existing configuration z Reboot immediately after submitting this form Submit when satisfied or cancel and log out cancel When the mouse moved over a field the current value will be automatically filled The user may change it based on new information obtained from ISP or network engineers Once you press on the submit button the WebMux will save all the changes to its internal solid state storage and reboot itself with the new value 74 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Initial Configuration Worksheets Configuration Before WebMux Installation Equipment IP Address Internet Router or Firewall Address Webserver s Default Gateway Web Site IP Addresses Configuration After WebMux Installation Question Entry Primary Secondary Host Name Domain Name NAT Transparent or Out of Path Router LAN Information NAT ONLY Router LAN WebMux Proxy IP Address Router LAN Network IP Address Mask Server LAN Information NAT and OOP Server LAN WebMux IP Address Server LAN Gateway IP Address optional for OOP Server LAN Network IP Address Mask Bridge Settings For Transparent Mode Only WebMux Bridge IP Address
45. Server LAN are 10 1 1 10 and 10 1 1 20 e The Default Gateway for all the servers is 10 1 1 1 e Farm 1 IP address is 205 133 156 200 e Servers 1 and 2 serve Farm 1 e Farm 2 IP address is 205 133 156 210 e Servers 2 and 3 serve Farm 2 e Changes to the servers change default the gateway to 10 1 1 1 as well as the IP addresses to the 10 3 1 10 20 30 addresses If on the server there is a service attached to the IP address HTTP S FTP etc please make sure the service will run on the new IP address NOTE Although the WebMux can work with any IP address range all server IP addresses should be Internet non routable address so that the source address from the Internet does not conflict with the IP addresses on the Server LAN NOTE If there is a firewall between the WebMux and the Internet Router a rule must be defined in the firewall to allow the IP address of the WebMux interfaces on the Router LAN in addition to the farm IP address could be same as the WebMux Router LAN IP address to communicate out to the Internet on all ports Since the WebMux doing Network Address Translation of the farm address to a non routable address the farm addresses on the WebMux interface must communicate outbound on all ports defined in the farms 14 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Installation without IP Address Change OOP Out of Path Mode
46. T mode if you use the WebMux for your intranet then the farm IP address will be the IP address of the original web or application server The web or application servers must be changed their IP addresses so that the WebMux can translate farm IP address to the server IP address You can use the WebMux Router LAN IP address as your farm address to save IP address You can add multiple farms to this IP address as long as the port number is different In the NAT not TM mode the WebMux acts as a firewall also all ports except farm port s are blocked All servers behind the WebMux can reach to the outside through the WebMux From outside the traffic can be seen all come from the WebMux router LAN IP address or proxy address If a WebMux is placed behind a firewall please add a rule on firewall for WebMux router LAN address to anywhere anyport All farm IP addresses should have rules to allow incoming traffic mapped to the address and port number as well as return traffic for each farm IP address from any port to anywhere In Transparent TM or bridge mode there is no firewall protection from WebMux All servers talk to each other freely cross WebMux Only the farm IP port address is being load balanced using any selected scheduling method In Out of Path mode farm s must be a different IP address than the WebMux Server LAN IP address At this mode only server LAN cable is connected Multiple farms can be added t
47. Table of Contents Table of Contents siccitercs kiii rie n rer eiir EE ETENEE Feeds eke Seb eed dedi casey siebaece bbe EA EEEE ias i Packing List 2 00sseeteeeeeeseseeeeeeees TRE E KARENE ESERE a EE ANELEE EENS EE RAPERE Ek iii Main Components 2 11 sssssssseeeeeeee seat eens sees eee sees seat eneessene eee eeeebaeneeeeesseueeeeeenns 1 Front Wiewisesaiaien sd a eare N E a buco a Ee peat a andar a A iaaa 1 Rear Vie Wieinaeiissateeeeihesete e a idee a E E ada oes 2 WebMux Overview i seseev ede betes bess eee cig Seed basta bs EE E EEEE EEEE EEA EAR EEEN 3 Key Feat r sesean enpiri a a aee nE E a A a S E a E aai 3 The WebMux Family sseeeseesstssstssttrtssrrrtrterssseettsrssentessreneteerreernteretenrereetmt 6 Network Overvicwers tcctceececc ene ESE E a pEi E EEE aa TAEAE EEEE EE EE E 8 Sample Configurations lt esseeseeeteestestrereeesretrerreesrerssenseessesseereensreseeereesrerreessensees 11 Single WebMuxT sssssssssssseseersrstettrrsrntttrrrinttnsrretnrerennsrreeennnrenennrsenennnrnent 11 Redundant Installation lt lt eese setete teeter cnet stetetseseererssssererssseerereessereesesseserressesers 13 Installation without IP Address Change OOP 2 sssesessseeeseesee seen eteeeeenee ee eeeeaas 15 Installation without IP Address Change TM lt es sseeseseesseeeeeeeeeeeneeeesseeeeeeeeeans 17 Before you Start sssseseeeeseeeeeee settee ceeee nese ees es seen ceeeeesee ve eeee nanan tee
48. WebMux syslog messages is LOCAL6 The notification levels of the syslog messages are as follows INFO LCD display messages N2OTICE Successful browser login logout exludes timeout logout NOTICE Significant access and changes to setup and configuration items NOTICE Same as pager mail messages WARNING Unsuccessful browser login Server gateway IP address The WebMux appears to all the servers in the farms as a gateway or router This is the IP address for the WebMux acting as a router for the servers This address should be the gateway IP address in the web or other servers It is highly recommend adding it to the etc hosts file on your servers Only apply for the NAT mode or for Out of Path mode that requires the WebMux to do the SSL termation or Layer 7 load balancing Normally it this is optional for Out of Path mode PLEASE NOTE For first time setup it is very important to set up this address and the Server Farm network mask below first Also when setting up the servers you may be asked to fill in the default gateway IP address for the server Use this IP address to setup all the servers under it The WebMux will not function properly if this IP address is not set correctly for both WebMux and the servers WebMux http control port Since the WebMux is load balancing incoming HTTP traffic the HTTP port for the management console must be set to a different port By default
49. absolutely required that the WebMuxes are connected in between two switches that have Spanning Tree Protocol STP enabled STP controls the path where packets go in the existence of redundant Ethernet bridges according to bridge priority so that loops do no occur Without this packets will loop endlessly between the WebMuxes and saturate their network path During a failover situation you may immediately notice that the backup becomes unreachable even though the LCD shows that it is active This is a temporary situation as the switches detect new bridge priorities This failover time usually takes about 1 30 seconds depending the switch and different STP protocol selected This also happens when the primary comes back online and the secondary returns back to standby mode For single WebMux setup any kind of switch will work since there is only one bridge path exist on the network No Spanning Tree Protocol is required 18 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Configuring the WebMux Before you Start Please collect the information about names and IP addresses designated by the arrows in the network topology below Router LAN Internel Router IP Network IP address address D Network mask th Broadcast P address Name Router Router LAN Webhiux IP address Router LAN WebMux IP address WebMux WebMux Pro only Server LAN
50. adding server Microsoft Internet Explorer File Edit View Favorites Tools Help Qx bd gt 7 x a i y Search g Favantes kiad 2 http 192 168 12 22 24 cqi binjadd_dst SCO480C1FO0500D0004 High Availability Solution webserver loadbalancer CAs Networks Inc add server farm 192 168 12 31 80 IP address 192 168 fii label i al port number same weight fi S run state acme H match pattern Es pattern is anchored NO 1997 2006 CAJ Networks All rights reserved x Epen o a SS Two options extra options are available e Match Pattern e Pattern is anchored Match Pattern This is the pattern the URI will be compared to It is stated in extended regular expressions format Please refer to Appendix 7 for some examples Pattern is Anchored Will include checking the portion of the URL right after the http NOTE If you chose Layer 7 URI load directing with cookies as the scheduling method the match pattern is also compared to the host MIME header In other words you can use a host name as a match pattern criterion 66 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Modify Server Modify Server can be invoked by clicking on the server IP address on the Status screen E modify server Microsoft Internet Explorer File Edit View Favorites Tools Help
51. arm 192 168 12 200 80 IP address 192 fes nm i a label weight run state 1997 2005 CAI Networks All rights reserved Server IP Address This is the IP address of the server to be added Since version 4 0 3 the WebMux allows adding a label next to each server s IP address The purpose of labeling a server is only to help identify the server in the farm It has nothing to do with the name resolution of the server Although label can be anything it is always better to have meaningful and unique label for each server CAUTION Once the server is added the IP address cannot be changed To correct the IP address the server must be deleted and a new one be created Server Port Number Enter the port number of the server to be added CAUTION Like the IP address once created the port number cannot be changed To correct the port number the old server needs to be deleted and a new one to be created 62 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Weight Scheduling priority weight Valid integer numbers are between 1 and 100 A server that has a weight of 2 will be directed twice as much traffic as a server with a weight of 1 A special zero weight setting is provided for a graceful shut down of a server When the weight is changed to zero the WebMux will not send new connections but will maintain all current co
52. art Scheduled Task in control panel Click add Scheduled Task then next Browse to the bat file we created like WebMux bat under c Choose Perform this task when my computer starts NDARA That will delete the route every time the Windows computer reboots Please make sure after route delete the only route left in the routing table for the loopback adapter is this one your actual IP address and netmask maybe different 10 1 1 255 255 255 255 255 10 1 1 200 10 1 1 200 1 All other routes for the loopback adapter must not show in the routing table On both Windows and Unix routing table can be seen by execute this command netstat rn Please note for Windows 2003 servers the route for the loopback adapter can not be deleted However since Windows 2003 server automatically taking a highest metric number the route does not need to be deleted 88 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 3 Phone Paging Codes When an error occurs the WebMux will send an error code to the regular numerical pager assigned in the Administration Setup page Please refer to the Management Browser Administration Setup section on setting up phone pager numbers To be as compatible as possible to different types of pagers only numeric error codes are used The minimum requirement is the pager should be able to display up to 18 digi
53. ation and use that file to restore all settings After a file has been successfully downloaded please push Cancel button below if you are finished Download farm server information from WebMux Click here to download farm and server configuration Upload farm server configuration to WebMux Use this form to upload farm server configuration New farm server configuration goes into effect immediately Eo a Browse Upload Download all settings from WebMux Click here to download all saved configurable settings Upload all settings to WebMux Use this form to upload all saved configurable settings Most settings do not go into effect until next reboot Browse Upload Cancel 1997 2003 CAI Networks All rights reserved Download This feature allows the SAVED not necessarily the active configuration to be saved at the Administrative Browser workstation Click on the Click Here to display the configuration Choose File gt Save As from the browser menu to save it as a text file Changes can be made to this file and uploaded to the WebMux without changing the first comment line Upload Upload allows a configuration file that has been saved at the browser workstation to be uploaded to the WebMux Enter the full path of the configuration file or click on Browse to search for the file Click Upload to upload the file to the WebMux This file will IMMEDIATELY become the saved and active configuration Upload AL
54. ations If m running a Unix based FTP such as wuftp how can get the ftp server in the farm to resolve the WebMux IP addresses The IP addresses typically will not be able to be resolved since the servers in the farm are typically using non routable or private network addresses In order for wuftp to resolve the IP addresses and stop complaining place the non routable IP address entries in the etc hosts file on those servers 82 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x vO DP Q VO How come my servers in the farm showing in red color from time to time even the servers are okay Your servers are trying to resolve WebMux s IP address to name so it could log them into log file To avoid this problem set the servers not resolve the IP addresses also adding all the IP address to the etc hosts file on your servers For example www mydomain com 1 2 3 4 use your real IP address webmuxgw 192 168 199 1 server lan gateway webmuxip 192 168 199 254 server lan WebMux How many browsers can simultaneously access the WebMux management console The limit is 4 have added a new farm server but the changes are not showing up on the STATUS screen The web browser caching pages may cause this If the new configuration does not appear after clicking on Reload or Refresh then clear the cache or temporary files on the browser Will my web server
55. bMux only the server LAN cable is connected since there is only one network in direct routing mode The WebMux takes at least two IP addresses to work in this mode server LAN Interface IP address and farm IP address Out of path mode also allows two WebMuxes to fully backup each other The two WebMuxes are connected to each other through a cross over Ethernet cable Two simple changes must be made to each server in the farm 1 Have a new loopback adapter installed and have its address set to the farm address Do not set the gateway on the loopback adapter Please refer to Appendix 1 and Appendix 2 for how to configure a loopback adapter as well as how to remove Copyright 1997 2007 CAI Networks Inc 15 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x the route from the servers Please note for Out of Path to work properly the loopback adapter must route the return traffic through the real network interface In other words the loopback adapter cannot have the gateway specified Please refer to Appendix 1 and 2 for more details on how to configure the loopback adapter on servers In case the server is running Windows 2003 the route created during adding loopback adapter cannot be deleted please make sure the loopback adapter has much higher metric 2 If your service is bind to any specific IP address add the loopback adapter s IP address to that service The firewall configuration must be changed t
56. be able to communicate to a credit card validation service like Cybercash Yes Any communication initiated from the internal or private network the WebMux will substitute the IP address of its router LAN interface for the IP address of the host initiating the conversation Any service that requires a specific IP address to allow communication into their network the IP address of the router LAN interface must be the one provided We have CyberCash engineers worked with us to test this is working fine Can use the WebMux as a proxy server for other hosts in my internal network Yes The function that allows the web servers to talk to services such as the credit card validation allows the WebMux to function as a proxy server for any host in the internal network The WebMux will translate all internal addresses to the IP address of the first farm defined This is the farm that is created when answering the question Enter Router LAN WebMux proxy IP address Configuring other computers using WebMux s proxy function is easy just point the gateway IP address to the WebMux backend IP address Do need to have a firewall in front of WebMux In most cases no WebMux blocks all the incoming traffic from router LAN to your internal network Unless there is a farm defined for a port number the outside traffic will not be able to reach to any server Copyright 1997 2007 CAI Networks Inc 83 The WebMux
57. browser It always says you are not logged into To use your browser to manage the WebMux it must be set to accept all cookies Because the cookie sets expired in 8 hours you also need to make sure your hardware clock set correctly using GMT The message indicates your system clock off Please refer to page 67 for how to set the internal clock can t login with my browser because the server does not respond Your IP address is not on the allowed host list or the wrong IP addresses were entered by accident Using front push button to clear that list If have multiple servers assigned as STANDBY how does the WebMux choose which server to use if an ACTIVE server goes down The WebMux checks the standby servers in order and activates each one until their total weight meets or exceeds the server that is unavailable Will a server with weight 0 act as a STANDBY No A weight of 0 indicates that the server will not accept any new connections The state is considered neither ACTIVE nor STANDBY This is to quiet the new connections for the server so that it can be taken out of service Is the Server LAN and the Router or Front LAN required to be on separate IP subnets It is required that the server LAN and the router LAN be separate IP subnets What notification services are compatible with the WebMux Airtouch and PageMart are the services that are currently supported Any SMTP server can be used for sending email notific
58. compares the match pattern against the host MIME header In other words a host name can be specified as a match pattern Also if the server generates a cookie the WebMux will generate its own cookie to keep track of which client session belongs to which server These are useful for shopping cart services for example so that a client will be directed to the same server and keep their shopping cart items valid The WebMux s cookie expire time matches the MAX_AGE setting specified in the cookie generated by the servers When MAX_AGE is not defined the cookie expire time is 30 minutes 58 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Layer 7 hashed URI load directing does a mod function on the URI string as part of its load balancing mechanism SSL Termination Selecting an SSL key in this section will enable SSL termination for this farm The HTTP service and POPS service terminate to ports 443 and 995 repectively and will allow you to choose any port for the clear traffic to the servers When using the generic or custom services specifying the clear traffic port for the service in the port number section causes the WebMux to automatically assume the secure port for the following services Clear Traffic Port Secure Port Service 80 443 HTTP 110 995 POP3 23 992 Telnet 25 465 SMTP 119 563 NNTP 143 993 IMAP 194 994 IRC 38
59. createAndGo 4 createAndWait 5 destroy 6 DESCRIPTION The status of this row As this table is read only the value of this object will always be active 1 at the present time 1 3 6 1 4 1 27182 3 1 1 3 1 8 x y caiWebMuxFarmAddressSSLPort x y SYNTAX Unsigned32 1 65535 DESCRIPTION A port number used to access the service provided by this server farm securely using the secure sockets layer SSL 1 3 6 1 4 1 27182 3 1 1 3 1 4 x y caiWebMuxFarmAddressService x y SYNTAX OCTET STRING 0 255 DESCRIPTION The type of service provided by this address and port for this server farm 1 3 6 1 4 1 27182 3 1 1 3 1 10 x y caiWebMuxFarmAddressTagSSL x y SYNTAX INTEGER true 1 false 2 DESCRIPTION If the value of this object is true 1 then HTTP requests to the IP address given for this row that are using SSL will have the following header line added 1 3 6 1 4 1 27182 3 1 1 2 1 4 x caiWebMuxFarmConnections x SYNTAX Counter32 DESCRIPTION The current number of connections being serviced by this server farm 98 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x The total number of connections serviced by this server farm XXX delete as appropriate 1 3 6 1 4 1 27182 3 1 1 2 1 5 x caiWebMuxFarmConnectionsPerSec x SYNTAX Gauge32 DESCRIPTION The current rate of incoming server connections for this server farm 1 3 6 1 4 1 27182 3 1 1 2
60. e It is not automatically saved Anything not match the above list will cause WebMux believing the server is not responding properly thus the server will be taken out from the services 92 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 6 Access CLI Commands Once the diagnose ports set superuser could use ssh or telnet to access the CLI commands to help troubleshoot network problems or server problems There are maximum two diagnose ports The first one will be SSH and second one will be Telnet If there is only one port specified only SSH access is allowed ssh l superuser p port_number WebMux_ip address Can be issued from any Linux Unix computer For Windows computer PUTTY can be freely downloaded over Internet Once login into CLI following screen will be shown Enter help for list of commands Enter cmd help give help for the command cma Enter exit or logout to end this session Following are commands available in CLI arp manipulate the system ARP cache arping ping lt address gt on device lt interface gt by ARP packets using source address lt source gt brctl manually manipulate Ethernet bridge properties when the WebMux is in Transparent Mode ethtool allows you to display the status or manipulate the settings of the Ethernet hardware factory_reset reset WebMux settings to original se
61. e eee cee sens eeeeesenee ee eeeesnee esse esneeneeeeeans 35 Change Password 0 sssssesseeeeeeee sete eeeeescee eee see sant eeeeesenee ee eeessnne eee eebeveeeeeeens 42 Change PIN rssi iiaa ana aa a ea a a a n aa a WREE eee 43 Add Farii ee 004 heeec ered vad pike i ob TETEE EEEE EEE geek ERA EE onl pela ETENE A aTa 46 Upload Download 2 0s s esssseeeeee sett eeeeeeseeee ee eee saan eens eeseae en eeeeenee see seees ea eeaeaas 53 More about Add Parmie ir e rnnr cece eee e eee A E E R E a Eana 55 Modify Farme eioi na ana a a aE a E E a E E AE e i 60 Add Serye eer eE a A os tats eee tte ae E EE AES eee 62 Add Address Pott 2st 2 s2se cake e iE EEEE E E E EEE sedis EEEE E ies nia AE ds 64 Add L7 Servants riese pen nei a e pena E eE e E a eR iE 66 Modify Server raia erna E RAEE E E EAE R A E ERS 67 Activating the Anti Attack Feature lt ssss eessssesserssstetsssstetttsttrtrertreeterrertenreneneerrrnent 69 Adding Static Routes ee sssetessstereessrseeserrsseeeerrsstrererserresrrreesssrrenssrereesrrereesrrrennt 71 Initial Configuration Worksheets 1sesssseseeeee eens cena eeeeessee eee eee etaeeneesesten ee eeeeaas 5 Sample Configuration Worksheets s sssee esse teee eee e ence eect eee teen eee teens een e tees 16 Standalone WebMux NAT Mode eeersecceceteceteeteet eee teeeeeeeeeeesenaenseeeeeeeeeenaeneeneeees 16 Standalone WebMux Transparent Mode sssseseeeseeeees eee eee eeeseee sees sesea vee
62. e managed via a secured web browser session from anywhere in the world By using https 128 bit encryption to the management web console secure remote management of server farms is truly possible e Operating System independent No software or agent to load on the servers Non intrusive load failure detection and management e Provides Proxy function When communication is initiated from behind the WebMux the WebMux will substitute its own address for the internal address This allows the web servers to initiate communication for Copyright 1997 2007 CAI Networks Inc 3 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x services such as credit card validation and mapping services Note this function only works in NAT mode e Built in Firewall Protections layer4 5 only Stop possible hacker intrusion into your network from Internet All IP addresses and ports are blocked except the farm IP address Built in functions will detect any possible denial of service attack and make your services always available Note this function only works in NAT mode with Forwarding Deny see setup for details e Built in Anti Attack Security Function Automatic protection against Denial of Service DoS and Distributed Denial of Service DDoS attacks Automatically block IP addresses that exceed the maximum threshold of concurrent connections for a specified amount of time Works in NAT Transparent and OOP modes
63. eees 77 Out of Path Installation of WebMux lt lt lt eeeesesseeeessssssresssseerrsesseserrrsssserersesserersso 78 A Redundant Installations eiii eraa EE a E r Ee A E Ed EE Ea ia iA Agi 80 Contact Information erre eana Moree EEE E E NEEE E EEEE 81 A sie eee a ee E A T 82 Regulations 2 sesseeeeeeeees sees ea pa eee PESE E e ERN ee E AE N EEES 85 Appendix 1 How to Add A Loopback Adapter sseeessssssesttssrtrtssssrteeerrrrenerrstetetsetet 86 Appendix 2 How to make route delete reboot persistent e e eettttettttttstttsttestrrsetterretett 88 Appendix 3 Phone Paging Codes 01s0sess eee eeeeeeeetee ents scene tence eesneeneeeeebe nee eeeeas 89 Appendix 4 Virtual Hosting Issues 11 ssss0ees sees ete ence e sce e seen eens anes esse see e ee eeeetas 91 Appendix 5 Sample Custom CGI Code 0 ss esses teeeeeeeeeeecten nee eeeeenee nese ecte eee eeees 92 Appendix 6 Access CLI Commands 1 sesseeeeee bene eeeeeseeee reeset enaeeneeeesten ee eeeenas 93 Appendix 7 Extended Regular Expressions s 1sssssseseeeseseeeeeee esse eee eseee ee eeeeeens 95 Appendix 8 Notes on IPV6 s0eseee teense cee e eens eee eee ence eee et ante eens tenants scent vent eeeeas 96 Appendix 9 WebMux SNMP MIB Query ID sst eesestesstsstttsssstrtsssrreserrsrteeerrsstetertetet 97 Tindex E E E E S S S 104 Packing List One 1 WebMux unit One 1 Power cord One 1 User Manual
64. eliability However we did discovered some of the Foundry Networks switches does not negotiate with Intel chipsets well To make them work together one will need to set the switch to auto negotiation on speed instead of fixed 100 They will communicate each other at 100BT or 1000BT Pro version only 84 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Regulations Notice to the USA C Compliance Information Statement Declaration of Conformity Procedure DoC FCC Part 15 This device complies with part 15 of the FCC Rules Operation is subject to the following conditions 1 This device may not cause harmful interference and 2 This device must accept any interference received including interference that may cause undesired operation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and the receiver Plug the equipment into an outlet on a circuit different from that of the receiver Consult the dealer or an experienced radio television technician for help Notice for Canada This apparatus complies with the Class B limits for radio interference as specified in the Canadian Department of Communications Radio In
65. ertificate Some certification authorities issue a chain consisting of multiple certificates Often the certificate chain consists of a server certificate and an intermediate certificate In this case the server certifcate should come first and then the intermediate certificate The root certificate for the certification authority itself need not be included private key Jan 14 2005 23 05 24 GMT no change sample 1024 bit RSA private key NIICXQGIBAAKBGOC KOme lamd f L Z0UscfTVohIrqzJspmYf aVLr4p4yN3daNKHp f certificate Jan 14 2005 23 06 22 GMT no change sample certificate with public key for sample 1024 bit RSA privat key valid until Jan 18 16 10 21 2036 GMT This certificate is self signed and should not be used when You can view copy and paste keys into the two windows You should backup your private key and save in a secure place Each private key and public key pair must match to be able to work properly If you plan to generate new keys click on the drop down box above the private key window to select key length and then click on the Confirm button This 50 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x process is also known as generate a CSR Certificate Signing Request It is the process that you generated a key pair and send the public key to CA for signing Once your public key signed and pasted into the key manageme
66. f you decide to use port 24 for unsecured communications The port number can be changed per your specification under setup in main management console section e The following login page will appear NOTE In order to use a browser to manage the WebMux the browser must be set to accept all cookies F webmux login Microsoft Internet Explorer I Bile Edit View Favorites Tools Help ose Be ee ee a Back ad Stop Refresh Home Search Favorites History Print Eda 7 Discuss J Address fia https 41192 168 12 7 35 cgi bin login z eGo P Go Links Web Networks m welcome to webmux cainetworks com 1997 2001 CAI Networks AJI tights reserved A E nemet User ID There are two preset user IDs Super User Allows access to all screens and functions provided by the WebMux WebMux Does not allow the user to access or change any settings allows viewing only Password Fill in the correct password for the selected User ID The password is case sensitive 32 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x The default passwords are ID___ Password superuser superuser ebmux ebmux It is recommended to change the passwords periodically No new user ID can be added Login After entering the correct password click Login NOTE For first time setup please login as superuser and go to the Administration Se
67. from the tracking table Setting this too long will cause the WebMux to allocate too much memory thus reduce the memory for other functions The default value is 15 minutes This function has no effect in Out of Path mode 40 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x URL for Custom Service Check Sometimes the WebMux built in server health check is not enough for special needs When one ASP JSP server s output depends on the database server and the database server connection is down one might want to reduce the incoming traffic to the server suspend new traffic to the server or totally redirect incoming traffic to a different server To accomplish that the WebMux allows a farm being set using a custom defined service It will then call the CGl s URL on the server defined in this field This will involve a custom developed CGI code by your software developer on your server and place it on the path Upon success the page should return HTTP response code 200 and a plain text page beginning with one of the allowed responses The URL is truncated to 255 bytes to be a string of at most 256 bytes with a terminating null The response from the server must fit in 4k including all non display tag and headers etc This custom CGI code must complete within 15 seconds or the server is considered dead The custom defined service also allows for CGI code responses tha
68. g Add Farm action first select add HTTP farm then click on the Select SSL Termination Choosing from any key other than none will enable SSL termination on the HTTP farm All the HTTPS incoming traffic will be sent terminated to farms on HTTP port 80 Please set the port number to a clear port since after the WebMux terminates the SSL traffic only clear traffic will go 46 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x to servers When the servers return traffic back the WebMux will re encrypt the data and send encrypted back to client If you are using out of path mode please make sure your servers gateway points to the WebMux server LAN gateway IP address so that the WebMux has the chance to re encrypt the data before replying back to clients One can also block not encrypted incoming traffic so that only encrypted traffic can reach to your server This might be useful when you only want encrypted traffic reaching to your servers If you like to track on your server if the incoming traffic was HTTPS or HTTP you may turn on tag SSL terminated HTTP traffic By change that to Yes decrypted traffic will have the added MIME header X WebMux SSL termination true You can write script on your server to identify if the original traffic was HTTPS or HTTP and then properly redirect the traffic to the HTTPS WebMux a
69. h Availability Solution webserver loadbalancer GAs Networks Inc route management This screen shows the current routing table and allows its management The dropdown gives three choices to change the table by specifying addition or deletion to save it so that it will be used after reboots or upon restoration requests or to restore the last previously saved routing table Changes to the routing table take effect immediately but they do not persist past reboots unless the table has been subsequently saved Routes shown in grey may not be deleted routing table make indicated changes gt address mask gateway NIC 192 168 255 252 255 255 255 252 0 0 0 0 ethsO 192 168 12 0 255 255 255 0 0 0 0 0 brO 127 0 0 0 255 0 0 0 0 0 0 0 lo 0 0 0 0 0 0 0 0 192 168 12 1 brO add Ss fe Confirm 1997 2007 CAI Networks All rights reserved Routes displayed that are grayed out cannot be modified To add a route make sure make indicated changes is selected in the drop down menu click the add checkbox and fill in the remaining fields Click the confirm button Your new route should appear along with a delete checkbox You can click on Copyright 1997 2007 CAI Networks Inc 71 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x the delete checkbox and click confirm to delete the selected route Please remember that even though a new route is immediately active once you click
70. h farm must have its own IP address The farm address could be the Internet known address or the address has been translated by your firewall For example if you want to create an http farm for www mydomain com the farm IP address will be the IP address for www mydomain com from your DNS record If the IP address of www mydomain com is 205 188 166 10 then the Farm IP address is also 205 188 166 10 The WebMux will then translate the farm address to the web server address in your DMZ or internal network Since version 4 0 3 we also introduced label concept for the farms and servers Once the label is specified the WebMux will display in the Show Status screen the label for the farm and server instead of the IP addresses Although labels can be anything it is better to have meaningful and unique label for each farm or Copyright 1997 2007 CAI Networks Inc 55 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x server Since version 5 6 the name label is also being used to check HTTP layer 7 protocols as part of the MIME header in virtual hosting The format of the farm name label will be www xyz com max length 75 bytes If the server returns error code 401 the WebMux considers that server dead For both IIS and Apache servers doing virtual hosting the farm name label must be an existing web site name on the server For more information on Virtual hosting please go to Appendix 4 for details In NA
71. he UTC GMT time You can set the WebMux to your local time if your time zone is selected here Confirm Cancel Click Confirm to execute the date and time change Click Cancel to return to the previous screen WITHOUT making any date or time changes Copyright 1997 2007 CAI Networks Inc 45 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Add Farm Click Add Farm to add a virtual site for the services you want to provide The ADD FARM screen will appear _ High Availability Solution GaAs Networks Inc add farm The services tcp udp and ip both of tcp and udp are generic Bad server detection is less rigorous for such services A blank port number default means to use the default well known port for the specified service For the generic services a port number of 0 or all denotes the wild specification of all ports The wild port specification is not allowed for other services IP address 66 Pis 40 label port number service HTTP hypertext transfer protocol TCP scheduling isin I method weighted round robin persistent SSL Sy termination ad z Pek pon block non SSL access to farm tag SSL terminated HTTP Le requests 1997 2007 CAI Networks All rights reserved By default the SSL termination is NOT on The description here is for for the 481S model Other models can be configured similarly Durin
72. ike you would for an IPv4 address You must enclose the address in brackets For example if the IPv6 address of the WebMux is fec0 c0a8 c15 then you would enter http fecO c0a8 c15 24 cgi bin login to get to the web management There are also IPv6 versions of some basic networking tools such as ping6 traceroute6 and tcpdump with the IPv6 flag ip f inet6 route inet6 etc Please be sure that network software client is indeed IPv6 capable or is the correct IPv6 version to use before assuming that your network is not working Also when adding an IPv6 address to your server s NIC network interface card your server s OS might not automatically add a default gateway in its routing table for the IPv6 address Please double check the routing tables and make sure the proper entries are there If your servers are not accessible from the outside but are accessible within the subnet you might want to check and make sure that the default gateway was set up correctly 96 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 9 WebMux SNMP MIB Query ID 1 3 6 1 4 1 27182 3 1 1 1 11 0 caiWebMuxActive 0 SYNTAX INTEGER true 1 false 2 DESCRIPTION Whether this WebMux unit is active 1 3 6 1 4 1 27182 3 1 1 1 7 0 caiWebMuxCPUSpeed 0 SYNTAX Integer32 UNITS MHz DESCRIPTION The clock speed of the CPU s in this unit 1 3 6 1 4 1 27182 3 1 1 1 9 0
73. l address is the site certificate The one whose subject and issue are identical is the CA root Copyright 1997 2007 CAI Networks Inc 51 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x The 3rd one is called intermediate certificate Please paste your site certificate first followed by your intermediate certificate 2 SSL key 2 management Microsoft Internet Explorer File Edit View Favorites Tools Help SSL key 2 management This key and certificate chain are not currently used for SSL termination You may change this key or certificate chain using the dropdown menus You may either let WebMux generate a new key or paste in a new private key You may paste in a new certificate chain If you wish to let WebMux generate a new private key please select the key length from the drapdown menu You may not use a new key until you have pasted in a matching signed certificate chain You may paste a new certificate chain any time before the key is put into use Some certification authorities issue a certificate chain consisting of a single certificate Some certification authorities issue a chain consisting of multiple certificates Often the certificate chain consists of a server certificate and an intermediate certificate In this case the server certifcate should come first and then the intermediate certificate The root certificate for the certification authority itself need not be included private key
74. llows SSL termination from any port to the farm port If your SSL TLS traffic is other than the standard HTTPS traffic you may want to specify the SSL traffic port in the SSL port field WebMux will listen to that SSL port terminate the encrypted traffic from that port into the farm port re encrypt the return traffic from the server to the clients Copyright 1997 2007 CAI Networks Inc 47 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x SSL Keys z ahon Mdalidgennle MIICE erne XDIOTET AK File Edit View Favorites Tools Help Back gt 3 O G Asearch Favorites PMedia 4 Dr 2 mM H Address http 192 168 12 21 24 cgt bin ssl sec 1114 Go Links Norton AntiVirus 5 SSL termination management Click on its link to manage a key A a 3 a ey sample 1024 bit RSA private key sample 2048 bit RSA private key key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset key and certificate unset A JA IA JA JA AAJA CO wN D On o N A JA A JA JA A JA JA O O j D v M D m fsi e s ee amp U amp G N O ooo qoooocqoooqo aoooo 1
75. mbers If a prefix is required enter it here Leave it blank if a prefix is not required For most Analog PBX this will be 9 Do not enter anything in here if modem is not connected Pager phone numbers This is the pager phone number to be dialed when an abnormal condition occurs Enter the number without any special characters or spaces It should be in the format of a single long integer Add 1 and the area code if needed Do not use or or blank spaces Do not enter anything in here if modem is not connected Server for email notification In addition to paging the WebMux can send email notifications Enter the IP address of the email server that will forward the notifications Please note Because the WebMux does not resolve names this entry must be an IP address Changes to the email server allowing the WebMux to relay messages are necessary Addresses for email notification Enter the email addresses to be notified Separate multiple addresses with a colon For example johndoe anywhere com janedoe anywhere com Copyright 1997 2007 CAI Networks Inc 37 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x UDP syslog server IP address notification The WebMux can be configured to send syslog messages to a remote syslogd server Enter the syslogd server IP address to use this feature The syslogd server must be configured to accept remote UDP syslog connections The facility for
76. n by putting all the servers serving each virtual host on a server farm on the WebMux The WebMux will load balance the traffic for all the incoming traffic for that IP address to different servers in that farm During farm setup the label for the farm could be one of the virtual farm s base URL say www mydomain com the WebMux actually periodically reads a page from this URL If server that serves that URL does not response correctly the WebMux will mark that server dead Since every server in that farm serves all the virtual farms the WebMux expects the problem with one server in one URL will affect all the URLs in that farm Another situation is the server that serves HTTP virtual sites using a single private IP address already before load balancing After adding load balancer some the sites want to have their own IP addresses The WebMux allows set up separate farm for each site having its own public IP address but point to the same sets of servers in the private network In this situation each separate farm could have its own label as www site1 com and www site2 com etc The WebMux will actually do health check on each URL by periodically read a default page from that site In the virtual hosting situation the label and response from the web servers are critical for reliable services The WebMux checks the label and checks the server for its health situation based on the URL supplied in the label If the server
77. nd robin Weighted round robin persistent Weighted fastest response 60 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x e Weighted fastest response persistent e Layer 7 HTTP URI load directing e Layer 7 HTTP URI load directing with cookies this method also checks the host MIME header against the specified match pattern Key Selection You can change the SSL certification key pair used for this farm All current connection for this farm will be reset if the key changes Block Clear Port If you do not want to allow non encrypted traffic going to server change the No to Yes Tag SSL terminated HTTP requests If SSL termination is active for this farm choosing Yes for this option will add a X WebMux SSL termination true MIME header in the decrypted http request Delete Click this button to delete the entire farm CAUTION This function also deletes ALL the servers under this farm Copyright 1997 2007 CAI Networks Inc 61 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Add Server Click this button to add a new server to this farm Padding server microsoft internet Explorer fol File Edit view Favorites Tools Help aR Q sax a gt 7 x B i JO Search g Favorites E i 33 Address http 192 168 12 21 24 cgi bin add_dst scoasoccso0s0090001 GAs Networks Inc add server f
78. nless all other servers are out of services this server will not be switch in This will allow the last server to show a different web page from others Copyright 1997 2007 CAI Networks Inc 63 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Add Address Port Click this button using MAP feature to create additional IP address port protocol combinations for the farm The same client will also be sent to the same server no matter which port it access within that MAP High Availability Solution webserver loadbalancer GAs Networks Inc add IP address port farm XXX XXX XXX XXX XX IP address Ea a ee a ee SF et label a a port number service FTP file transfer protocol TCP SSL termination none lt SSLpot C block non SSL NO E access to farm tag SSL terminated NO HTTP requests Contirm 1997 2007 CAI Networks All rights reserved Farm IP and Port These numbers are displayed here for reference purposes the current farm you are modifying These fields are set in the Add Farm screen Once set they are not changeable If they must be changed delete the farm and then add a new one IP Address Add an IP address to the current farm configuration The IP address can be the same as long as the port number does not duplicate any existing IP port combinations 64 Copyright 1997 2007 CAI Networks Inc The WebMux
79. nnections to the server The connections will gradually reduce to zero as current clients sessions terminated When there are no connections the server is functionally dead or off line until the weight is changed back to a valid number Then the server can then be shutdown or taken out of service without affecting any users CAUTION Unlike a server that can go down unexpectedly the WebMux will not move a STANDBY server to ACTIVE when one or more server s weight is set to zero If the weight of all the servers in a farm were set to zero then the farm would be down because none of the servers are accepting new connections Run State e Active The server will be put into service immediately after it is added However once it is failed it will stay Standby mode until manually setting its run state to Active again through the browser interface This will give system administrator time to fix the system or reboot the server once some software hardware update is completed e Favorite Active The server will be put into services immediately after it is added If a Favorite Active server failed once it is operational the WebMux will automatically put it back to the Active state e Standby The server will be put into STANDBY or backup mode after it is added The WebMux will change a STANDBY server to ACTIVE when one or more ACTIVE servers fail e Last Resort Standby The server will be put into STANDBY state u
80. ns that may appear to be attacks For example if you have a third party company that regularly benchmarks your services for maximum load handling you will need to allow that company uninterrupted access You can use a specific IP address or specify a network range i e Xxx xxx Xxx 0 24 Separate each entry with a colon Copyright 1997 2007 CAI Networks Inc 69 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Duration to block attackers This sets the amount of time to block attacker IP addresses It may not be desirable to block specific IP addresses indefinitely because of the dynamic nature of IP addresses used by the general public You may end up blocking out potential customers in the future Therefore this setting allows you to set the IP blocking duration that suites your needs Changing the settings in this page will not require a reboot and is effective once you click the confirm button 70 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Adding Static Routes You can add static routes to the WebMux using the Web GUI or through the Command Line Interface CLI To use the Web GUI you must already be logged in as superuser for the web interface Then enter the following URL in your web browser http ip of webmux 24 cgi bin route Alternately you can use https and port 35 You should see this screen Hig
81. nt screen all the browsers over Internet will accept it without complaint during its life signed in the key You can visit www thawte com or www verisign com for more information Bisies File Edit View Favorites Tools Help B Back v BO A search Favorites PMedia 4 Av Mw A Address http 192 168 12 22 24 cgi bin ssl sp 131073 amp bits 1024 amp ssI 1 amp se Go Links Norton Antivirus El v Keil CAI Networks Inc SSL private key and certificate request generation Please enter information to make new private key 1 and its matching certificate request If you do not fill in all fields the certificate authority may reject your certificate request country C 2 bytes ij state province etc ST city etc L organization O organization unit OU domain CN email adddress emailAddress internet Enter all the information necessary Click on Confirm button to complete the key generation You will be taken back to the dialog boxes that will display the newly created private and public keys You will then copy and save both private and public keys submit the public key to the CA of your choice to sign Once they send you back the signed public key you will need to paste that into this certificate dialog box select using new key pasted in and click on confirm button to save it into the WebMux There should be 3 certificates The one whose identity is your e mai
82. o continue configuring the WebMux the normal steps are Click on the Setup button to change administration and setup related information Click on SSL keys button to manage SSL keys if SSL termination is desired Click on Add Farm button to add a server farm at a time Click on the IP address portion of the farm display to add servers Click on Save button to save the farm server configuration Click on services on each farm to adjust the timeout for each kind of services Note that same protocol services between farms will share the same timeout value We will discuss those buttons and related features in great details in later sections Other buttons on the main management console screen are Save On main management console click Save button will cause WebMux save its configuration Changes made to the Farm and Server will take effect immediately without save The changes however are not saved permanently to the solid state storage until the Save button is clicked Unsaved farm server settings will be lost during power outage or WebMux reboot 34 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Download Upload This button will allow the user to save and restore the WebMux configuration to and from their management workstation See later chapter for details Setup This button brings up the Administration Se
83. o one IP address as long as the port number is different from each other In this mode each server must add a loopback adapter and under Windows server the route for the loopback adapter must be removed Please refer to Appendix 1 and 2 for more detailed procedures WebMux has been tested extensively working with all versions of Windows Linux and HP UX 11 X under this mode Other OS should also working fine CAUTION Once a new farm is added the IP address of the farm cannot be changed To correct the IP address the old farm has to be deleted and a new one to be created Port This is the port number for the farm If you are choosing one of the known services below you do not have to specify anything in this field However if the service you choose is not listed in the list below you will need to specify a port number here For example for MS Terminal Services use port number 3389 If 56 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x you enabled SSL termination see last chapter select port 80 for the farm and servers in the farm The WebMux will terminate all SSL on port 448 traffic and send them to port 80 DO NOT select port 443 if you enabled SSL termination For example if you have five port 80 farms and your WebMux only allows one certificate the WebMux will use same certificate for all five farms Service This is the service of the new fa
84. o point to the new farm address on the WebMux Since the WebMux always uses one IP address in the server LAN the farm address must be a different IP address in the server LAN in Out of Path mode NOTE Under normal Out of Path operations you will only need to set the external gateway IP address for the WebMux However if you are going to have the WebMux do SSL termination or Layer 7 load balancing you must set a server LAN gateway IP in the WebMux and have the servers default gateway point to that IP address 16 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Installation without IP Address Change TM Transparent Mode Transparent Mode with Redundant WebMux Installation Public IP 65 25 35 156 NATed to FARM IP 192 168 112 35 SQ Private Network 192 168 112 0 Q frewallRouter Nemes 255252550 D gt y BOS Switch with STP Enabled Terminal 1 IP 192 168 112 40 Gateway 192 168 112 1 Primary WebMux WebMux s IP on the network 192 168 112 38 Secondary WebMux WebMux s IP on the Network 192 168 112 39 Terminal 2 IP 192 168 112 41 Gateway 192 168 112 1 s Server 1 Server 2 Server 3 Server 4 Server IP 192 168 112 30 Server IP 192 168 112 31 Server IP 192 168 112 32 Server IP 192 168 112 33 Gateway 192 168 112 1 Gateway 192 168 112 1 Gateway 192 168 112 1 Gateway 192 168 112 1 A
85. o the Server LAN 20 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x e Connect the WebMux es to the Router LAN NAT and Transparent mode e Power up all devices in the network e Verify that all the devices are up and running e You are now ready to configure WebMux Hardware Setup Configuration Summary CAUTION Do not proceed without collecting all necessary information NOTE The IP addresses in the following examples are general examples and are not meant for literal use in an actual setup e Turn on the WebMux Turn on the switch on the back of the WebMux and push the power on button in the front momentarily You will see the version number like this OB HSN x v e After self test hold down the Check Mark button on the WebMux until the LCD displays the first question Enter WebMux host name i 1 e During the initial configuration you will be asked to provide names and IP addresses See next section Each item is explained in the order it is asked e Answer the questions Reboot Note When reboot is complete the service statistics screen will appear Run the Management Browser Initial Configuration Enter WebMux Host Name E i rahe FA T Ta gn Copyright 1997 2007 CAI Networks Inc 21 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Enter the ho
86. o without backup Y Reboot Y Copyright 1997 2007 CAI Networks Inc 77 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Out of Path Installation of WebMux Configuration Before WebMux Installation Equipment IP Address Internet Router or Firewall Address 10 1 1 1 Webserver s Default Gateway 10 1 1 1 Web Site IP Address 10 1 1 200 255 255 0 0 Configuration After WebMux Installation Question Entry Host Name webmux Domain Name cainetworks com NAT Transparent or Out of Path Out of Path WebMux Server LAN Information Server LAN WebMux IP Address 10 1 2 254 any Server LAN WebMux IP Address Mask 255 255 0 0 Server LAN WebMux farm IP Address 10 1 1 200 Server LAN gateway IP address 10 1 1 253 Necessary for WebMux SSL termination and for Layer 7 load balancing Each server s default gateway needs to be set to this IP Server Configuration Server IP address No Change Server NetMask No Change Server Default Gateway No Change Server Default Gateway 10 1 1 253 if using WebMux for SSL Termination or Layer 7 load balancing Server add loopback adapter 10 1 1 200 Route Deletion Refer to Appendix 2 10 1 1 200 Administration Setup Information WebMux External Gateway IP address 10 1 1 1 Remake home WebMux conf passwd Y Administration HTTP Port N
87. olid state storage Changes will take effect after next reboot The next question will be Reboot Now Reboot now This is the end of initial configuration Most of the setup or changes require a reboot to take effect Press and hold the center Check Mark button to make the WebMux reboot Use the UP arrow button to return to Discard Changes and select Yes to exit without change Press the DOWN arrow or Cross Button to continue to the Factory Reset option see Factory Reset below After the WebMux is rebooted the statistics of the incoming package outgoing ackage etc will be displayed on LCD periodically Factory Reset Pressing the down button or the x button at the Reboot Now screen will bring you to the factory reset option You will see This option will clear all current settings and reset the WebMux to original factory settings Press and hold the check mark button for at least 20 seconds to activate the factory reset The process will take a few minutes and the WebMux will reboot itself Copyright 1997 2007 CAI Networks Inc 29 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x What if made mistake in my configuration One can always make changes to the hardware settings by press the Check Mark button for three seconds when the statistic screen showing It will start the prompt questions which will allow the user to navigate from one prompt to
88. ombine When too large a mask applied it will defeat the load balancing function of the WebMux ICMP Packet input policy Accept The WebMux will allow all ICMP packets to travel through the WebMux For CLI arp commands working properly this must be accept Deny The WebMux will NOT allow any ICMP packets to travel through the WebMux Copyright 1997 2007 CAI Networks Inc 39 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x NOTE During installation having the ability to PING the other hosts on the networks is typically useful When the installation is complete setting the ICMP packet policy to DENY is recommended as a security precaution Forward Policy Accept The WebMux will route IP packets both directions The WebMux will not act as a firewall in this mode Deny The WebMux will NOT allow any incoming IP packet traveling through the WebMux except IP packets in farm IP port This is the default setting Front Router Connection Verification It can be none ARP TCP Connection or ping Depending on the front end router this can be changed For example most Cisco routers will talk to the WebMux through ARP and TCP Connection however most Cisco DSL modems will only talk to the WebMux through Ping The change to this verification method will take effect after the WebMux has been rebooted If you have configured a farm on the WebMux and
89. on 8 3 x Change Password ir Ee Edit View FAO Tools BiS Ie a a3 a Stop Refresh A a Search Favorites History Print change password name new password new password again Name Select the login name for which the password is to be changed New Password Enter the new password This is the password to which the login will be changed New Password Again Enter the same password as in the previous box Confirm Cancel Click Confirm to execute the change Click Cancel to return to the previous screen WITHOUT changing the password 42 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Change PIN To protect the WebMux from unauthorized changes from front push buttons a PIN can be entered here to prevent saving any change from the front panel By default there is no PIN lolx E change PIN Microsoft Internet Explorer File Edit View Favorites Tools Help Address http 192 168 12 1 24 cgi bin chg_pin v Go Links Back v B A A Asearch HFavorites GmMedia 3 av 3 w H CAF Networks Inc change 4 digit PIN for keypad reboot Leave blank to use 0000 the disabled pin new PIN k i new PIN again 1997 2006 CAI Networks All rights reserved aA ap E Done internet 7 Copyright 1997 2007 CAI Networks Inc 43 The WebMux Model 481S 591SG
90. quire a change to the server IP address If choosing NAT continue to the next setting otherwise skip next few settings and go to direct routing If answer NO here please continue setup at the Out of Path Related Configuration section Transparent Mode If selected NAT mode you can select transparent mode bridge mode or not If you choose YES the WebMux will be in Transparent Mode and will behave as an Ethernet Bridge Please continue the configuration to the Transparent Mode Related Configuration section 22 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x NAT Mode Related Configuration Enter Router LAN WebMux Proxy IP Address rtr LAN iP addr 205 133 156 200 This is the IP address that the WebMux uses as the external IP address when it functions as a proxy This IP address can be used to setup the first farm When any server behind the WebMux on the Server LAN initiates communication with another host the WebMux substitutes the servers IP address with this address This is true for all services except FTP services which use the FTP farm IP address for passive FTP connection For redundant setup secondary WebMux uses the same IP address for this entry as the primary one This address floats between primary and secondary WebMuxes r Router LAN Network IP Address Mask r LAN net mask ig Fa Ee ie M This is the network
91. r of a redundant pair 1 3 6 1 4 1 27182 3 1 1 1 6 0 caiWebMuxSerialNumber 0 SYNTAX OCTET STRING 0 255 DESCRIPTION The unique serial number of this unit 1 3 6 1 4 1 27182 3 1 1 4 1 4 x y caiWebMuxServerAddressIPv4 x y SYNTAX IpAddress DESCRIPTION The IPv4 address of this server 1 3 6 1 4 1 27182 3 1 1 4 1 5 x y caiWebMuxServerAddressIPv6 x y SYNTAX OCTET STRING 16 DESCRIPTION The IPv6 address of this server 1 3 6 1 4 1 27182 3 1 1 4 1 9 x y caiWebMuxServerConnections x y SYNTAX Counter32 DESCRIPTION The current number of connections being serviced by this server The total number of connections serviced by this server XXX delete as appropriate 1 3 6 1 4 1 27182 3 1 1 4 1 10 x y caiWebMuxServerConnectionsPerSec x y SYNTAX Gauge32 DESCRIPTION The current rate of connections being Copyright 1997 2007 CAI Networks Inc 101 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x serviced by this server 1 3 6 1 4 1 27182 3 1 1 4 1 14 x y caiWebMuxServerError x y SYNTAX Integer32 DESCRIPTION most recent error code for server if available 1 3 6 1 4 1 27182 3 1 1 4 1 7 x y caiWebMuxServerL7Pattern x y SYNTAX OCTET STRING 0 255 DESCRIPTION The layer 7 pattern to match a request against for this server 1 3 6 1 4 1 27182 3 1 1 4 1 8 x y caiWebMuxServerL7PatternAnchored x y SYNTAX INTEGER true 1 false 2 DESCRIPTION If the value of this object is true 1
92. r the Secondary WebMux Is this WebMux running solo without a backup WebMux running solo ES ENO If the Primary WebMux is running in a standalone configuration see sample configuration Standalone WebMux answer Yes If you plan to add 2nd WebMux in the future you may answer NO even there is only one WebMux at the time When you add second WebMux later on WebMux will automatically detect the backup and start functioning Copyright 1997 2007 CAI Networks Inc 27 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Clear Allowed Host File Allowed host file prevents any unauthorized access to the WebMux Management Console If a workstation s IP address is not in the allowed host file that computer will not be able to reach the WebMux management console through the network However sometimes a wrong IP address is entered so that no computer can access the browser management console At that point clearing the allowed host file will allow any browser to access it By default the allowed host list is empty so that any IP address can access WebMux We do encourage adding only host IP addresses that you do allow to manage WebMux into the list See configuration through browser interface for more details Remake home WebMux conf passwd f f P This function is provided in case you have forgotten the passwords to access the Management Console Please u
93. response is 500 or greater which is an error code indicating server internal error the WebMux will excludes that server from serving the farm If server responses 402 which indicating access is denied for that virtual farm the WebMux will mark that server dead We have checked with IIS server and Apache server they both follow the same rules Copyright 1997 2007 CAI Networks Inc 91 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 5 Sample Custom CGI Code The custom cgi bin checking program may be written in Java VB C or Perl for example or it may be a WB or shell script Here is sample script written for the linux shell bash which sees if an SSH daemon is running as its check criterion bin bash echo Content type text plain echo blank line if ps C sshd amp gt dev null then echo OK response from server goes here see list below echo SSH service available else echo NOT OK echo SSH daemon not running fi The following is a list of valid CGI code responses OK server is alive no weight change OVERLOAD set weight to 0 to quiesce same as WEIGHT 0 QUIESCE set weight to 0 to quiesce same as WEIGHT 0 WEIGHT n set weight to integer n WEIGHT n subtract integer n from the weight WEIGHT n add integer n to the weight The response must be in all capitals to be recognized The changes in weight count as an unsaved configuration chang
94. right 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x WebMux Overview Key Features The WebMux is a standalone network appliance designed primarily to load balance IP traffic to multiple servers The WebMux includes the following key features e Improves performance by distributing the traffic for a site or domain among multiple servers No one server will be bogged down trying to service a particular site e SSL Termination to reduce the cost of multiple certificates Also be able regulate the minimum acceptable SSL encryption protocol version e Provides high availability by tracking which servers are functioning properly and which servers are out of service If a server unexpectedly goes down the WebMux will automatically re direct the traffic to other servers or will bring a standby or backup server online to service the traffic The WebMux does application level health check to many network protocols on servers e Provides Persistent Connections by memorizing the user browser session and the server session and sending the same user to the same server This is important for sites using shopping cart and dynamically generated pages like BroadVision ASP and JSP sites e Provides fault tolerance This installation requires two WebMuxes a primary and a secondary The two WebMuxes will automatically sync the configuration datum e Easy management It can b
95. rm Select a service type to create a farm using its well known port If a port other than a well known port for TCP or UDP service is to be used then choose one of the Generic selections and enter the port number in the PORT NUMBER box No port number needed to be specified if the service protocol is on the list The WebMux has level 7 protocol checks for the known ports in the list For Custom Defined TCP Service custom health check please specify the URL for the CGI code in the setup screen CAUTION Once a farm is created the port number cannot be changed Like the IP address the old farm must be deleted and a new one created in order to change farm settings Please choose Generic TCP and specify port number if service is not listed below If multiple ports to be used please also select Generic TCP and specify port number 0 Service Well Known Port DNS Domain Name Service TCP 53 FTP File Transfer Protocol TCP 21 HTTP Hypertext Transfer Protocol TCP 80 HTTPS Secure Hypertext Transfer 443 Protocol TCP HTTP HTTPS Combined Ports 80 443 NTP Network Time Protocol 123 POP3 Post Office Protocol 110 SMTP Simple Mail Transfer Protocol 25 TCP Generic TCP User Specify Generic UDP User Specify Generic TCP UDP User Specify Generic no health check TCP User Specify Generic no health check UDP
96. rver there is a service attached to the IP address HTTP S FTP etc please make sure the service will run on the new IP address NOTE Although the WebMux can work with any IP address range all server IP addresses should be Internet non routable address so that the source address from the Internet does not conflict with the IP addresses on the Server LAN NOTE If there is a firewall between the WebMux and the Internet Router a rule must be defined in the firewall to allow the IP address of the WebMux interface on the Router LAN along with the farm IP address to communicate out to the Internet on all ports If you are doing Network Address Translation of the farm address to a non routable address then both the farm address and the WebMux interface address must be translated to communicate outbound on all ports 12 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Redundant Installation NAT Mode with Redundant WebMux Installation Public IP 65 25 35 156 NATed to Farm 1 IP 205 133 156 200 Public IP 65 25 35 157 NATed to Farm 2 IP 205 133 156 210 Router Network 205 133 156 0 Netmask 255 255 255 0 Gateway IP 205 133 156 1 Firewall Router To WebMux Intemet port To WebMux Internet port Crossover cable connected to WebMuxes backup ports To WebMux Server port To WebMux server po Secondary WebMux WebMux s IP on Router LAN 20
97. s C network it may be 255 255 255 0 2 Enter Server LAN Gateway IP address sur LAN gateway 2192 168 199 1 This IP address will be the Default Gateway entry for all the servers on the Server LAN In an installation with two WebMuxes if a gateway IP address of 10 1 1 1 is used this address will float between the primary and secondary WebMux If the Primary went down the 10 1 1 1 address will float to the backup In the single WebMux setup this address CANNOT be the same as the WebMux IP interface address on the Server LAN For the NAT setup please continue to the Common Configuration section Trasnparent Mode Related Configuration Enter Bridge IP Address This will be the IP address of the WebMux on the network so that you can use browser to manage it Although the server and internet ports are interchangeable in transparent mode it is recommended that you stick with labeling scheme and connect the port labeled internet to the switch on the firewall router side and connect switch on the servers to the port labeled server Enter Bridge Net Mask This should match the net mask of the existing network the WebMux will be a part of 24 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Please continue to the Common Configuration section Copyright 1997 2007 CAI Networks Inc 25 The WebMux Model
98. s to the servers and your local computers It is the right most RJ45 socket In Out of Path configuration this is the only Ethernet cable to be connected Backup WebMux Port Optionally you may connect another WebMux to this port so that you can have redundancy If you have more than one WebMux you can connect them using a cross over cable or a regular cable with a hub Router LAN Port Connect this port to the Router LAN switch or hub In most situations this port connects to the Internet side network in NAT mode It is the left most RJ45 Socket PLEASE NOTE The Router LAN and Server LAN port are not interchangeable External Modem Connect Port To utilize the phone pager function of the WebMux please connect the external modem to this port In some cases if you prefer support engineers to not use diagnostic ports over the Internet our support engineers can also connect through the modem to assist you with setup issues A US Robotics V Everything modem is required US Robotics part number 3CP3453 Modem dip switch has 3 8 and 10 down rest up A standard external modem cable is also needed Check with your modem supplier for the cable Power Switch This switches the WebMux on and off When in the off position the front panel power switch is disabled Power Cord Please use the supplied power cord to connect the WebMux to the power source 1U WebMux has a 115V 230V AC universal power supply 2 Copy
99. se a browser to access Management Console for normal password changes The factory default password is the same as the login ID on the screen Answer Y to reset the Passwords to factory default Answer N to leave them unchanged Enter Admin http Port Number This is the http port number for accessing Management Console in non secure mode Any unused port number can be used Factory default port number is 24 one could choose to use any unused port below 10214 or port number above 1024 for this Using port number above 1024 will need to setup an admin farm This farm is for preventing port collision in case passive FTP is one of the farms Using port number below 1024 will not need to setup this farm Enter Admin https Port Number This is the https port number for accessing Management Console in secure mode Factory default port number is 35 one could choose to use any unused port below 1024 or port number above 1024 for this Using port number above 1024 will need to setup an admin farm That is for preventing port collision in 28 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x case passive FTP is one of your server farms Using port number below 1024 will not need to have this farm Discard Changes Made User can select Yes at this point all the changes made will be discarded By default the answer is NO all the changes will be saved to internal s
100. st name of the WebMux Use the right arrow to move the position the up and down arrows to select characters left arrow to move back in position check mark button to confirm the change This host name is for identification purposes You may call it weobmux1 webmux2 etc Trick to enter name quickly If you hold down the up down button for more than a second the letter will start changing quickly Note the left most down arrow on the LCD allows the user to skip certain entries Enter WebMux Domain Name domain cainetworks col This is for identification only no effect for network operation Although it can be any name we suggest using the primary domain name of the Router LAN network If you have only one domain use that domain name Note the left most position on the LCD has changed to an up and down arrow allowing the user to go back and forth for questions and answers Choose NAT mode or Out of Path Mode use svr LAN NAT B ES NO This is where to choose NAT Network Address Translation or Out of Path mode is a default or selected option Network address translation provides protection to the servers it can handle large amounts of data as noted in the specification It provides the best security for isolating servers from any other part of the networks Out of Path provides better performance when huge amounts of data need to go back to clients up to 100X more than on the specification chart it also does not re
101. t allow the server to change its own weight and announce such change to a remote syslog daemon Please see appendix 5 for a sample code and a list of allowed responses UDP NTP Time Server IP Address Since version 5 4 the WebMux can sync its internal clock with any UDP NTP server By default it points to a tier 2 NTP server You can also set it to your Internet NTP server or wipe out the entry to not sync to any NTP server Reset Stranded TCP Connections When a server failed to function there could be many TCP connections still in TCP_WAIT state If this set to Yes when client tries to access the failed server the WebMux will pretend the server is sending TCP Reset to the client thus freeing all the TCP_WAIT state connections Default setting is Yes to conserve resources Reboot Changes to TACACS server configuration server gateway address server farm network mask WebMux http control port WebMux https control port WebMux SNMP UDP Port WebMux diagnostic ports least significant bits forwarding policy front network verification and persistence timeout requires a reboot for the new configuration to take effect You can use the Reboot button to reboot the WebMux remotely Reboot button will require confirmation before proceeding with reboot Copyright 1997 2007 CAI Networks Inc 41 The WebMux Model 481S 591SG and 680PG User Guide Versi
102. t value to a larger value Many times servers can not resolve the IP address for the back end of the WebMux IP address and could cause the server to not respond to the WebMux s protocol checking Adding the WebMux server LAN IP address and server LAN gateway address to the name resolution table will help resolve this problem Please read the Q amp A section for more information Copyright 1997 2007 CAI Networks Inc 35 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Administration Set Up After logging into management console as superuser click on the setup button you will come to this screen gt admin configuration Windows Internet Explorer Sie x ey http 192 168 12 21 24 cai bin adm_conf time 1186521856 45883 4 lt f ve Search Pi we de admin configuration gt BD gt oh gt h Page O Toos Please enter information below Use as divider for multiple entries except use as divider for IPv6 addresses Multiple entries are not allowed for the server gateway control ports mail server or warning threshold The items with take effect on next restart allowed remote host IPs __ i allowed remote host IPv6 IPs a TACACS server configuration E Eoo dialout prefix blank if none E pager phone numbers AAAA email server IP address for notification _ email addresses for notification Oee Ml UDP s
103. terference Regulations Cet appareil est conforme aux norms de Classe B d interference radio tel que specifie par le Ministere Canadien des Communications dans les reglements d ineteference radio Notice for Europe CE Mark This product is in conformity with the Council Directive 89 336 EEC 92 31 EEC EMC Caution Lithium battery included with this device Do not puncture mutilate or dispose of batter in fire Danger of explosion if battery is incorrectly replaced Replace only with the same or equivalent type recommended by manufacture Dispose of used Battery according to manufacture instruction and in accordance with your local regulations Copyright 1997 2007 CAI Networks Inc 85 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 1 How to Add A Loopback Adapter For out of path mode a loopback adapter or device in similar function is required This appendix listed a few different ways to add such a device for different OSes Installing the MS Loopback Adapter 1 Click Add Hardware gt Add a new device gt No want to select the hardware from a list and select Microsoft Loopback Adapter from the list and click OK 2 At the MS Loopback Adapter Card Setup screen hit OK to the default of 802 3 3 You should be prompted for the path to the NT setup files Click Continue once the path is correct 4 Click Close Reboot maybe necessary Go to step below for Configuring the MS
104. the confirm button it is not automatically saved and will get lost if the WebMux is rebooted or powered off To save your settings select save displayed table from the drop down menu and click the confirm button If you made unsaved changes and want to quickly revert back to your previously saved settings select restore last saved table from the drop down menu and click the confirm button To get to the CLI you can either telnet or ssh in to the WebMux diagnostic port By default it is port 77 for ssh and port 87 for telnet Login as superuser Issue the route command to modify the routing table The network interfaces are as follows ethfO Interface labeled Internet ethsO Interface labeled Backup ethbO Interface labeled Server Modifications to the routing table issued through the CLI are automatically saved after issuing the command 72 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Initial setup change Through Browser Sometimes users like to change the basic settings for the WebMux through browser interface for example when the WebMux located in a hosting center across the country If one has information about the WebMux current basic settings one could change those parameters through browser On the browser enter the following URL https Awebmux_ip webmux_manage_port cgi
105. ts If the pager cannot display 18 digits some codes may get truncated For WebMux Single and with Secondary 99 IIIPPPP A server went down This 18 digit code no spaces starts with 99 followed by 12 digits of the IP address without the periods of the server The last four digits represent the port number of the server OOMMIIIIIIIIPPPP A downed server went back up This 18 digit code no spaces starts with 00 followed by 12 digits of the IP address without the periods of the server The last four digits represent the port number of the server IB PPPP Gateway router LAN does not respond 12 digits number after the 98 is the IP address of the gateway Port number is optional 01 llllli PPPP Gateway comes back in service 12 digits number after the 01 is the IP address of the gateway Port number is optional 88 P PPP WebMux has detected more connections than the threshold defined in the setup screen 40 last resort servers taken out of service for a farm 41 last resort servers put in service for a farm 73 WebMux cannot reach to the back LAN 74 WebMux cannot reach the front LAN 75 Primary or Secondary cannot reach the other WebMux through the serial cable 76 Serial cable communication restored 55 User configuration cannot be parsed by WebMux after the configuration restored through browser Copyright 1997 2007 CAI Networks Inc 89 The
106. ttings clear all current setting getallsettings save all WebMux settings from WebMux to your PC getconfig save all farm server settings from WebMux to your PC ifconfig display and configure a network interface s iptables allows you to create custom packet filtering for the WebMux The changes made here are not reboot persistent ip6tables version of iptables for IPv6 netstat display network connections routing tables interface statistics etc ping send ICMP ECHO_REQUEST packets to network hosts ping6 version of ping command for IPv6 poweroff initiates the proper shutdown sequence putconfig restore farm server settings from your PC to WebMux reboot initiates a soft reboot rec_cmdline allowing configure basic WebMux IP without using pushbutton route manipulate or display the routing table Settings made here ARE reboot persistent tcpdump capture and display network traffic traceroute print the route packets take to network host Copyright 1997 2007 CAI Networks Inc 93 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Most commands can be found on Unix for detailed usage please refer to any Unix man pages Our support center does not support the usage of these commands 94 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 7 Extended Regular E
107. tup page superuser login is required to access this page See related section later for details Show Event This button will display all the events since the WebMux s last reboot The event includes server failure or state change Logout It is not recommended to leave the management browser login unattended Click the Logout button to close the session The Login screen will re appear Pause Resume The status screen automatically refreshes frequently to provide most up to date status You can use the Pause button to freeze the auto refresh After the Pause button is pushed the button will change to Resume and the auto refresh stopped Click the Resume button to restart the auto refresh Adjusting Timeout for Each Service Clicking on the service type on each farm will allow you to change the timeout value of layer 7 testing for each different service Please note this change is global and will affect all the farms using the same type of service For example the default timeout for checking HTTP protocol alive or not is 5 seconds If the web server does not respond to the WebMux protocol chat within 5 seconds the WebMux will declare that server is dead and switch that server out from service and notify the operator through email or pager However if your web server is not really dead but for some reason not responding to the checking request the WebMux will false alarm To avoid this the user can change the timeou
108. tup by clicking the Setup button It is important to set up the Server Farm Gateway IP address and network mask first If only HTTPS management login is allowed go to setup and make the first port number for HTTP HTTPS management port to 0 35 NOTE For customers who enabled TACACS support the login screen will display the TACACS user login field and password WebMux will validate the user to the specified TACACS server specified in the Setup screen Please refer to that section for details Copyright 1997 2007 CAI Networks Inc 33 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Main Management Console show configuration Microsoft Internet Explorer Te lol x Eile Edit View Favorites Tools Help Back v A A Asearch Hravorites PMedia 4 Av 3 m v J Address http 192 168 12 21 24 cgi bin show_status time 1114555902 v Go Links Fy Norton AntiVirus 5 v ka webmux cainetworks com 102 conn s cpu 0 mem 0 IP 492 168 12 21 MAC 00 e0 81 61 2e 6d IP 192 168 11 21 MAC 00 e0 81 61 2e 6c unsaved in memory configuration changes type service IP address port SSL status conn conn s pkt s 1 WRR P farm http 192 168 12 200 80 443 2server ALIVE 6134 102 1025 2 server 192 168 11 11 80 weight 1 ALIVE 3066 51 512 3 server 192 168 11 12 80 weight 1 ALIVE 3068 51 513 Once logged in to the Management Console this main screen will show T
109. umber 24 Secure Administration HTTPS Port Number 35 Is this WebMux primary WebMux running solo without backup Y Reboot y There is no change to each server s IP address netmask and gateway address except if using the WebMux for SSL termination or Layer 7 load balancing See next paragraph There is need to add a loopback adapter to each server 78 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x and assign the farm address to the loopback adapter For MS Windows it always adds a route for the loopback adapter which will need to be removed please refer to Appendix 2 In the virtual farm each server uses its original IP address to join the farm For SSL termination or Layer 7 load balancing you must set server LAN gateway IP address and set the servers default gateway to that IP Copyright 1997 2007 CAI Networks Inc 79 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x A Redundant Installation Configuration Before WebMux Installation Equipment IP Address Internet Router or Firewall Address 205 133 156 1 Webserver s Default Gateway 205 133 156 1 Web Site IP Address 205 133 156 200 Configuration Before WebMux Installation Question Entry Primary Secondary Host Name webmux1 webmux2 Domain Name Cainetworks com Cainetworks com N
110. us the port numbers before obtaining support from us Connection warning threshold The WebMux monitors the number of connections established When the number of connections is greater than the value entered the WebMux will page the designated numbers For example if a DoS attack is occurring the number of connections to the site would be extremely high Assuming they exceeded the value set for the connection warning threshold the designated numbers would be paged Least significant bits in client IP address to ignore for persistent connections This feature allows persistent connections to be handled properly when communicating with America Online s bank of cache servers With AOL s cache servers the IP address of the cache server becomes the source address Since an end user can be sent through multiple cache servers it is possible the requests for one HTML page are being routed to different web servers in the same session Therefore applications such as shopping carts that require persistent and secure connections will not work properly This feature will treat multiple cache servers as one source thus the WebMux can properly handle the persistent requests from browsers From customers feedback number three 3 is good enough for most AOL requests The WebMux will use this entry to determine how to load balance the traffic It calculates based on two to the power of the entry as the number of IP addresses to c
111. xes In this configuration one WebMux is serving as the primary and the other is serving as the secondary or backup providing a fault tolerant solution In order for the web servers to share the incoming traffic the WebMux must be connected to the network There are two interfaces on the WebMux One interface Internet connects to the Router LAN This is the network to which the Internet router is connected The other interface server is connected to the Server LAN This network connects all the web servers The WebMux routes traffic between these two networks Next a Virtual Farm or multiple farms must be configured on the WebMux A virtual farm is a single representation of the servers to the clients A farm consists 8 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x of a group of servers that service the same domain website or services For example to configure a farm or virtual farm to serve www cainetworks com e First Server 1 and Server 2 would each need the website www cainetworks com configured on them and HTTP HTTPS services started and e Second a farm on the WebMux is defined with Server 1 and Server 2 in it The servers would be setup to either share the traffic or setup as a primary server and standby server In either case if Server 1 goes down then all traffic will be automatically directed to Server 2 by the WebMux
112. xpressions Example Patterns An item which has the string Compiler in it Compiler Items with various spellings of Dijkstra with the j replaced by any character Di kstra Items with various spellings of Dijkstra with the ijk replaced by any number of characters D stra An item with either Compiler or compiler in it cC ompiler String like bananas banananas bananananas etc bana na s Items with the strings regular and expression on the same line with anything or nothing between them regular expression Items with either regular or expression or both regular expression Items with either OO or Object Oriented or Object Oriented on one line OO oO bject oO riented To search for characters other than letters or digits put a in front of them S SL These examples were taken from the following web page http www csci csusb edu dick samples egrep html Copyright 1997 2007 CAI Networks Inc 95 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 8 Notes on IPv6 Because IPv6 uses the colon symbol in the address there are special considerations needed when using the IPv6 address in a web browser because the colon is also used to denote a port number i e 192 168 12 21 24 Because accessing the WebMux s web management requires access to port 24 you cannot simply put the IPv6 address in the address bar of the browser l
113. y issuing the route inet6 command See Appendix 8 for other IPv6 related information For SUSE Enterprise Linux 9 You can use YAST to set up a Virtual Interface and add the farm IP Login as root and add this command to the bootup script iptables t nat A PREROUTING d lt farm_ip gt j DNAT to dest lt server_ip gt For HP UX 11 00 and 11i Please make sure PHNE_26771 and related patches applied first Login as root and add this command to the bootup script ifconfig lo0 1 farm_ip_address up For FreeBSD ifconfig lo0 inet farm_ip_address netmask 255 255 255 255 alias For Solaris ifconfig 100 1 FARM_IP_ADDR ifconfig lo0 1 FARM_IP_ADDR FARM_IP_ADDR ifconfig lo0 1 netmask 255 255 255 255 ifconfig lo0 1 up For Apple Servers ifconfig loO inet farm_ip_addr netmask 255 255 255 255 alias route delete gateway_ip farm_ip addr netmask Where lo0 is the loopback adapter Copyright 1997 2007 CAI Networks Inc 87 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x Appendix 2 How to make route delete reboot persistent In a Windows system go to boot drive root by cd C 2 Use a text editor to create a text file in which it contains one line route delete 10 1 0 0 mask 255 255 0 0 10 1 1 200 3 In above file 10 1 0 0 is the network destination 255 255 0 0 is the Netmask for the network and 10 1 1 200 is the farm address also is the address for the loopback adapter address st
114. y more than 8 hours the manager will not be able to login in to the WebMux This section on the rec screen will allow the manager to correct the clock if it is Copyright 1997 2007 CAI Networks Inc 73 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x off After entering proper password and setting the clock information optional the continue button will bring up this screen e http 192 168 12 21 24 cgi bin rec 1151710893 408035 Microsoft Internet Explorer File Edt View Favorites Tools Help Da Jr a fi Lp search Sip ravortes 2 fle Address http 192 168 12 21 24 coi binfrec 1151710893 408035 WebMurx initialization 8 0 00 WebMux s name without the domain name Wwebmux WebMux s domain name dispatch method IP address of external router used by WebMux WebMux s address on router s network used as servers proxy address network mask on this network WebMux s fixed IP address on the server s network network mask on this network Remake password file with default passwords WebMux administration HTTP port WebMux administration HTTPS port Is this WebMux a primary or solo WebMux 7 Is this WebMux running solo without a secondary z IP address on WebMux on server s network used by servers as their router not same as fixed IP address abovel required for NAT optional for O
115. your network It provides phone pager and email notification so that the network administrator can be paged or emailed whenever a server or WebMux goes down and when it returns online This feature could reduce server room night shift operator costs or timely repair should the server goes down unexpectedly 4 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x e SNMP Support Remotely monitor various WebMux parameters in real time via SNMP e IPv6 Support Out of Path mode only WebMux is ready for the next generation of internet protocol IPv6 e Multiple Address and Port MAP farm to integrate multiple ports and IPs as one virtual service Copyright 1997 2007 CAI Networks Inc 5 The WebMux Model 481S 591SG and 680PG User Guide Version 8 3 x The WebMux Family The 1U WebMux family consists of three models They are e The WebMux 481S e The WebMux 591SG e The WebMux 680SP The table below compares the features of the models Model Number 481S 591SG 680SP Layer 4 Performance Maximum concurrent connections 1 440 000 2 880 000 5 760 000 Maximum transactions per second 15 000 50 000 100 000 Maximum throughput per second 200 MBits 1GBits 4GBits Maximum Internet link speed 2XT3 1 5 X OC 12 1 5 X OC 12 Layer 7 amp SSL Acceleration Max 1024bit RSA l 120 Fee 2000 terminations second round trip 2400 3000
116. yslog server IP address for notification Loo E server gateway IP address foooo WebMux http control port ae WebMux https control port fs WebMux SNMP UDP port 161 WebMux diagnostic ports g connection warning threshold least significant bits in client IP address to ignore for 0 specific IP address x persistent connections ICMP packet input policy accept gt forwarding policy deny front network verification TCP connection front network verification address send gratuitous ARP replies for farms yes z persistence timeout fio min z connection timeout min URL for custom service check jegi bin custom UDP NTP time server IP address 16467 62194 reset stranded TCP connections Change Password Allowed remote host IPs The WebMux management console and diagnostic login only allow logins from these IP addresses to establish a management session You can access from more than one IP address by specifying all the allowed IP addresses separated by a Netmask following the IP address specify the range of hosts can access management console For example 192 168 12 0 24 will allow all hosts in 192 168 12 network to access it From version 6 4 00 192 168 12 will be allowed for class C allowed host If this field is left blank you can access the 36 Copyright 1997 2007 CAI Networks Inc The WebMux Model 481S 591SG and 680PG User Guide
Download Pdf Manuals
Related Search