HP sa7220 User Manual
hp traffic director
server appliances
user guide for the hp e-commerce
traffic director server appliance
sa8200/sa8220 and the hp traffic
director server appliance sa7200/
sa7220
© Copyright 2001 Hewlett-Packard Company. A ll rig hts
reserved.
Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
Publication Number
5971-0900
February 2001
Disclaimer
The information contained in this document is subject to change
without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for
errors contained here in or for i ncidental or co nsequential damages in
connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability
of its software on equipment that is not furnished by HewlettPackard.
Warranty
A copy of the specific warranty terms applicable to your HewlettPackard products and replacement parts can be obtained from
http://www.hp.com/serverappliances/support.
*Other brands and names are the propert y of thei r respectiv e owners.
Contents
Chapter 1: Introduction 1
Introduction to the Traffic Director Server Appliances . . . . . . . . . . . . . . . . . . . . . . . . 2
Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Typographic Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 2: Theory of Operations 11
General Operating Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Layer 4 (HOT) Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Layer 7 (RICH) Services (all models except the SA7200). . . . . . . . . . . . . . . . 13
Out-of-Path Return (OPR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
FTP Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
C O N T E N T S HP Traffic Director Server Appliances User Guide
Sticky Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Sticky Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Sticky-timeout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Server-timeout (SA8200/SA8220 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
SSL and Sticky (SA8200/SA8220 only). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Grouping Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
SSL Acceleration (SA8200/SA8220 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
SSL Fundamentals (SA8200/SA8220 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Application Message Traffic Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
HTTPS Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
HTTP Header Option Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Load Balancing Across Multiple Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Balancing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Response-Time Metrics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Primary and Backup Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Server Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Source Address Preservation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Multi-hop Source Address Preservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
RICH Expressions (not available on the SA7200) . . . . . . . . . . . . . . . . . . . . . . 25
Order of Expressions (not available on the SA7200) . . . . . . . . . . . . . . . . . . . . 26
Routing with Dual Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Prioritization and Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Routing Method for VIP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Error Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Server Status Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
HTTP Error Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Serial Cable Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Serial Cable Failover Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Replicating the Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Status Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
ii
Contents
Chapter 3: Boot Monitor 41
Using the Boot Monitor CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Accessing the Boot Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Interrupting the Bootup Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Using the Run Time CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Boot Monitor Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Chapter 4: Graphical User Interface 59
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Logon Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Logging on to the GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Topology Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Using the Topology Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Purposes of the Topology Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Topology Screen Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Online Help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Topology Screen Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Window Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Policy Manager Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Policy Manager Controls and Displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Policy Manager Toolbar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Policy Manager’s Pop-up Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Policy Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Creating Policy Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Throttling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Deleting Policy Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Creating Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Additional Service Tab Controls and Displays. . . . . . . . . . . . . . . . . . . . . . . . . 73
Balance Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Deleting Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
RICH Controls (all models except the SA7200). . . . . . . . . . . . . . . . . . . . . . . . 79
Order of Expressions (all models except the SA7200) . . . . . . . . . . . . . . . . . . . 81
Deleting Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
iii
C O N T E N T S HP Traffic Director Server Appliances User Guide
Administration Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Settings Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Software Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
System Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Agent Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Users Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Routing Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
System Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Active Routing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
RIP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
OSPF Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Security Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Source IP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Access Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
GUI Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
CLI Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
SNMP Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
SNMP Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Multi-Site Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Logging Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Specifying System Log Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Viewing the Log File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Configuration Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Saving Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Restoring Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Deleting Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Copying Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Viewing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Resetting the Factory Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Sending and Retrieving Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Tools Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Ether. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
iv
Contents
Nslookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Trace. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Statistics Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Statistics Screen Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Statistics Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Graph Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Selection List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Window Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Graphing Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Chapter 5: Command Line Interface 133
CLI Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Secure Shell Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Pipes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Categorical List of CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Global System Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Admin Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
File Management Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
IRV Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
GUI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Routing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Policy Group Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Service Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Server Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
System Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Security Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
SNMP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
SSL Commands (SA8200/SA8220 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Logging Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
v
C O N T E N T S HP Traffic Director Server Appliances User Guide
Run-Time CLI Command Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Global System Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Admin Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
File Management Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
IRV Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
GUI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Routing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Policy Group Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
System Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Security Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
SNMP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
SSL Commands (SA8200/SA8220 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Logging Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Chapter 6: Scenarios 207
e-Commerce Appliance Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Scenario 1: Load Balancing a Web Site with Two Servers and the SA8220 in Inline
Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Prerequisites for Scenario 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Procedure for Scenario 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Scenario 2: Load Balancing Servers with Source Address Preservation . . . . . . 214
Prerequisites for Scenario 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Procedure for Scenario 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Scenario 3: Routing Outbound Data Away from the SA8220 for OPR . . . . . . . 217
Prerequisites for Scenario 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Procedure for Scenario 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Scenario 4: Content Routing (SA7220 and SA8200/SA8220 only). . . . . . . . . . 220
Prerequisites for Scenario 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Procedure for Scenario 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Scenario 5: Using SSL Acceleration (SA8200/SA8220 only) . . . . . . . . . . . . . . 226
Procedure for Scenario 5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Scenario 6: Using CRLs (SA8200/SA8220 only). . . . . . . . . . . . . . . . . . . . . . . . 228
vi
Contents
Chapter 7: SNMP Support 233
Using SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Standards Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
HP MIB Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Where to find MIB Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Trap Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Standard SNMP Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Displaying SNMP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Configuring Community Authentication and Security Parameters . . . . . . . . . . . 243
Configuring Trap Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Other Configurable SNMP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Chapter 8: Software Updates 247
Updating Your System Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Multiple Software Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Software Image Media. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Saving Your Current Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Downloading and Installing the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Rebooting with the New Image and Verifying Installation. . . . . . . . . . . . . . . . . 250
Upgrading Under Serial Cable Failover Configuration. . . . . . . . . . . . . . . . . . . . 251
Appendix A: Security Configuration 253
Recommended Security Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Appendix B: SSL Configuration 255
Obtaining Keys and Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Copying and Pasting Keys and Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Obtaining a Certificate from Verisign or another CA . . . . . . . . . . . . . . . . . . . . . 257
Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Importing Keys into the SA8220. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Importing Certificates into the SA8220. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Creating a new Key/Certificate on the SA8220. . . . . . . . . . . . . . . . . . . . . . . . . . 260
Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
vii
C O N T E N T S HP Traffic Director Server Appliances User Guide
Using Global Site Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Generating a Client CA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Generating a CRL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Revoking a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Using Ciphers with the SA8220 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
HTTP Header Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Appendix C: Failover Method Dependencies 269
Failover Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Appendix D: Configuring Out-of-Path Return 273
Configure OPR for Windows* 2000* . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Set the Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Configure OPR for Windows* NT*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Set the Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Run a Web Service on the Loopback Interface Using IIS 3.0 . . . . . . . . . . . . 295
Run a Web Service on the Loopback Interface Using IIS 4.0 . . . . . . . . . . . . 296
Configuring OPR for Apache Web Server on a UNIX* machine . . . . . . . . . . . . . . 297
Appendix E: Diagnostics and Troubleshooting 299
Running Diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Diagnostic LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Power Indication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Boot-time LED Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Run time LED Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Run time Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Appendix F: Cleaning the Dust Filter 307
Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Dust Filter Cleaning Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
viii
Contents
Regulatory Information 309
Taiwan Class A EMI Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
VCCI Class A (Japan). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
VCCI Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Australia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
FCC Part 15 Compliance Statement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Canada Compliance Statement (Industry Canada). . . . . . . . . . . . . . . . . . . . . . . . . . 312
CE Compliance Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
CISPR 22 Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
WARNING. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
AVERTISSEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
WARNUNG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
AVVERTENZA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
ADVERTENCIAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Wichtige Sicherheitshinweise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Software License Agreements 321
Support Services 325
Support for your SA8220 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
U.S. and Canada. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Asia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Latin America . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Other Countries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Glossary 329
ix
C O N T E N T S HP Traffic Director Server Appliances User Guide
Notes
x
Introduction
This chapter covers the following topics:
NOTE: For ease of
reading, all models are
referred to as the SA8220
throughout this
document. Unless noted
otherwise, all SA8220
references refer to all
models.
• Introduction to the Traffic Director Server Appliances
• Assumptions
• Benefits
• Specifications
• Typographic Conventions
C H A P T E R 1 HP Traffic Director Server Appliances User Guide
Introduction to the Traffic Director Server Appliances
The HP e-Commerce Traffic Director Server Appliance SA8200/
SA8220s and the HP Traffic Director Server Appliance SA7200/
SA7220s provide reliable l oad b a la nci ng, fa ilo ver , and pol icy -based
management to Web sites, Intranets, and e-Commerce sites. These
models also include intelligent c ont ent rout i ng, a nd are t he best load
balancing solution available for the reasons shown below.
Feature Description
Reliability
Fault Resistance
Policy-based
Management
Intelligent Content
Routing (SA8200/
SA8220 only)
Error Recovery
Secure Sockets Layer
Acceleration (SA8200/
SA8220 only)
The SA8220 provides 7 x 24 uptime through failover systems and
the inherent robustness of leading network protocols.
The SA8220-managed configurations offer many features and
capabilities that improve the availability and reliability of s erverbased services.
The SA8220 allows system administrators to implement classes of
service, assign priority levels, and set target response times.
The SA8220 takes application-aware routing to a new level with
the ability to segment Internet content according to the requested
URL.
Application intelligence allows the SA8220 to understand and
correct application errors transparently to the end user.
The SA8220 can of fload encr ypted web tra ffi c (HTTPS) p roviding
a significant performance improvement over web server based
Secure Sockets Layer (SSL) processing.
2
C H A P T E R 1 Assumptions
Assumptions
This User Guide assumes that you are a network administrator and
that you have at least a basic understanding of the following:
• Networking concepts and terminology
• Network topologies
• Networks and IP routing
Benefits
SA8220 benefits are listed below.
Benefit Description
Substantial performance
boost and reliability for
e-Commerce
(SA8200/SA8220 only)
Up to 150 times SSL
acceleration
(SA8200/SA8220 only)
The SA8220 can increase the speed, scalability, and reliability of
multi-server e-Commerce sites. It regains the speed lost by servers
processing secure transactions by delivering faster SSL
processing. It integrates SSL processing with third generation
traffic management technology, eliminating errors and improving
Quality of Service (QoS). This unique capability ensures that
customers working with sensitive information or buying online
receive timely responses, do not see error messages, and are
confident that delivery of their information is kept private.
E-Commerce sites suffer dramatic performance degradation as
secure transactions increase. Using patent-pending technology to
perform cryptographic processing offloaded from the server, the
SA8220 (only) can support up to 1200 SSL connections per
second.
The SA8220 enables e-Commerce sites to transact secure bu siness
and deliver sensitive information quickly, and confidentially. It
performs all key management and encryption. The result is a
tremendous performance boost for heavily tra f ficked e-Co mmerce
sites.
3
C H A P T E R 1 HP Traffic Director Server Appliances User Guide
Benefit Description
Substantial economic
benefits
(SA8200/SA8220 only)
SSL acceleration and
intelligent traffic
management benefits
(SA8200/SA8220 only)
The SA8220 improves customer satisfaction by improving the
response time for secure transactions. E-Commerce sites can now
enjoy the benefits provided by having secure transactions
participate in layer 7 intelligent traffic management. This creates
substantial economic savings for e-Commerce sites through
improved customer satisfaction, lowe r cost of owner ship, and
reduced server provisioning requirements.
Performance degrades dramatically as more customers access a
site in secure SSL mode , f r ustr at ing to the very customers who ar e
trying to make a purchase. The SA8220 is essential to providing
high performance and superior levels of service when building
reliable, scalable, and secure e-Commerce sites.
Off-loading SSL handling from e-Commerce servers improves
overall site performance and customer response time
Accelerated SSL processing eliminates over-provisioning capacity
Lower processing demands on the server creates greater capacity
for your e-Commerce site
Drop-in installation avoids impacting your mission critical e-
Commerce servers
Response-time based prioritized service for secure transactions
Improved responsiveness, reliability, and QoS for secure
transactions means delivering the highest levels of support for
paying customers
Ensures that e-Commerce merchants are always open for business
by preventing “Server Too Busy” and “File Not Found” errors,
even for secure transactions
4
C H A P T E R 1Benefits
Benefit Description
Intelligent content
routing for SSL
transactions
(SA8200/SA8220 only)
Intelligent session
recovery for
transactions
(all models except the
SA7200)
Response-time base
prioritized service for
secure transactions
The SA8220 incorporat es intellig ent traf fic management for secure
transactions, dramatically improving an e-Commerce site’s
responsiveness, reliability, and QoS. While typical tr affic
management devices make decisions based onl y on i nfor mat io n at
Layer 4 in the network stack, the SA8220 combines Layer 4
through 7 (application/content) awareness to speed up response
times and eliminate error messages for secure transactions. It
keeps e-Commerce sites open for business, even during back-end
transaction problems or content glitches.
The SA8220 provides I ntel ligent Session Recov ery tech nology for
transactions. By monitoring conte nt within the resp onse sent back
by the server, Intelligent Session Reco very detects HTTP 400,
500, or 600 series errors, transparently rolls back the session, and
redirects the transaction to another server until the request is
fulfilled.
The SA8220 enables system administrators to implement varying
classes of service, assign priority levels, and set target response
times for secure transactions. The SA8220 continually measures
the response times of each class of service group and assigns
incoming requests to the server that can fulfill tho s e requests
within the predefined response time. If the response time exceeds
the predefined threshold, requests designated as high priority
receive preference over those of lower priority. The SA8220
allows you to offer predictable performance for high-priority
secure requests.
5
C H A P T E R 1 HP Traffic Director Server Appliances User Guide
Specifications
SA8220 specifications are listed below.
Specification Description
Servers
supported
Any Web server (Apache, Microsoft,
Netscape, etc.)
Any operating system (UNIX*, Solaris*,
Windows NT*, BSD*/BSDI*, AIX*,
etc.)
Any server hardware (SUN, HP, IBM,
Compaq, SGI, Intel-based platforms,
etc.)
No practical limit on number of servers XXX
System
Administration
Command line interface XXX
Web-based GUI XXX
SNMP monitoring (MIB II and Private
MIB)
Dynamic configuration through
password-protected serial console,
telnet, SSH v1, and SSH v2
SA7200 SA7220 SA8200/
SA8220
XXX
XXX
XXX
XXX
XXX
6
C H A P T E R 1 Specifications
Specification Description
Performance
SA8220 is rated up to 1200 HTTPS
connections/sec, 2500 RICH HTTP
connections/sec, 3500 HOT connections/
sec, 95 Mb/sec.
SA8200 is rated up to 600 HTTPS
connections/sec, 1300 RICH HTTP
connections/sec, 2800 HOT connections/
sec. Both the SA8200 and the SA8220
are rated up to 6600 Max HTTP/
HTTPS/sec.
Layer 7 traffic management XX
Patent-pending technology of f l oad s all
cryptographic processing from server
Dimensions
Mounting: Standard 19-inch rack mount XXX
Height: 3.5 inches (8.9 cm) XXX
Width: 17 inches (43.2 cm) XXX
Depth: 20.16 inches (51.21 cm) for the
SA7200, SA7220, and SA8220
Depth: 23.75 inches (60.3 cm) for the
SA8200
SA7200 SA7220 SA8200/
SA8220
XXX
XXX
XXX
Weight
Interface
Connections
Transparent
Operation
Priority Classes
24 pounds (10.89 kg) XXX
Dual 10/100 Ethernet XXX
TTY Serial - console XXX
Failover port XXX
Supports single or multiple Virtual IP
XXX
(VIP) addresses per domain
Application/protocol types supported:
XXX
Any TCP Port, e.g., HTTP, HTTPS, FTP
7
C H A P T E R 1 HP Traffic Director Server Appliances User Guide
Specification Description
Intelligent
Content Routing
Content: URL, file types such as *.GIF,
file paths such as \ads\, file na mes such
as Index.html
Transactions: Transaction types such as
*.CGI
Intelligent
Session
Recovery
(HTTPS is
available on the
SA8200/SA8220
only)
Response-time
based Priority
for secure and
non-secure
transactions)
Automatically resubmits requests XX
Traps 400, 500, a nd 600 series errors for
HTTP and HTTPS
Sets and enacts target response times XX
Real-time performance monitoring XX
Automatic server weighting and tuning XX
Server-state aware (“sticky”) based on:
SA7200 SA7220 SA8200/
SA8220
XX
XX
XX
System Fault
Tolerance
8
- Source IP XXX
- SSL session ID X
- HTTP cookie XX
Single site, single or multiple
XXX
connections
Automatic detection of status change
XXX
and health of servers
Intelligent Resource Verification (IRV) XXX
C H A P T E R 1 Typographic Conventions
Specification Description
Security
Features
Supported
SSL v2 and v3 for transaction security XX
SSH for secure Command Line Interface XX
IP filtering XX
Serial port logon XX
Typographic Conventions
The following typographic conventions are used throughout this
manual.
ONE MODEL NUMBER (SA8220): For ease of reading, all models
are referred to as the SA8220 throughout this document. Unless
noted otherwise, all SA8220 references refer to all models.
NOTE: This is an
example of a note.
CAUTION: This is an
example of a caution.
NOTES clarify a point, emphasize vital information, or describe
options, alternatives, or shortcuts.
CAUTIONS are designed to prevent possible mistakes that could
result in injury or equipment damage.
SA7200 SA7220 SA8200/
SA8220
WARNINGS alert you to potential hazard s to life or limb. Excep t for
tables, warnings are always found in the left margin.
NUMBERED LISTS indicate step-by-step proce dures that you must
follow in numeric order, as shown below:
1. This is the first step.
2. This is the second step.
3. This is the third step, etc.
BULLETED LISTS indicate options or features available to you, as
shown below:
• The first feature or option
• The second feature or option
• The third feature or option, etc.
ITALICS are used for emphasis or to indicate onscreen controls, as
shown in this example:
9
C H A P T E R 1 HP Traffic Director Server Appliances User Guide
4. To edit the configuration settings, press the Configure tab.
COMMANDS are shown in the following ways:
• Any command or command response text that appears on the
terminal is presented in the
courier font.
• Any text that you need to type at the command line appears in
bold courier, for example:
HP SA8220/config/policygroup#create gold
• Angled brackets (< >) designate where you enter variable
parameters
• Straight brackets ([ ]) show parameter choices, separated by
vertical bars
• Braces ({ }) show optional commands and parameters
• VERTICAL BARS ( | ) separate the choices of in put paramet ers
within straight brackets. You can choose only one of the set of
choices separated by vertical bars. Do not include the vertical
bar in the command.
10
Theory of Operations
This chapter covers the following topics:
NOTE: For ease of
reading, all models are
referred to as the SA8220
throughout this
document. Unless noted
otherwise, all SA8220
references refer to all
models. A l so, all
references to “RICH”
functionality or
“Expressions” in this
chapter do not apply to
the SA7200.
• Services
• FTP Limitations
• Sticky Options
• SSL Acceleration (SA8200/SA8220 only)
• Load Balancing Across Multiple Servers
• Server Configuration Options
• Routing with Dual Interfaces
• Prioritization and Policy Groups
• Error Detection
• Serial Cable Failover
C H A P T E R 2 HP Traffic Director Server Appliances User Guide
General Operating Principles
This chapter discusses the general operating principles for the HP eCommerce Traffic Director Server Appl iance SA8200/SA8220s, and
the Traffic Director S erver Applianc e SA7200/SA72 20s. For de tails
about the SA8220 command set, please see “Command Line
Interface” in Chapter 5. For information about completing specific
tasks, please see “Scenarios” in Chapter 6.
Services
NOTE: The sample
commands used in this
chapter are meant as
examples only.
Services are the virtual resources that the SA8220 provides to
network clients. Services are defined by their Virtual Internet
Protocol (VIP) address and virtual port number. The SA8220 load
balances network client requests for a service by receiving requests
from the user and directing them for fulfillmen t to the most
appropriate resource in the provider's server farm. Services are
defined and created within Policy Groups (please see “Prioritization
and Policy Groups in Ch apter 2) and are managed usi ng the following
commands:
config policygroup <policy-name> service create
<service-name>
vip <ipaddr> port <num ber> {type [TCP | UDP |
RICH_HTTP]} {sticky [disable| src-ip |
cookie]} {sticky-timeout <seconds>} {backups
[enable | disable]} {response <milli-sec>}
{priority <level>} {balancing [load | robin]}
{server-timeout <seconds>}
config policygroup <name> service delete [<name>
| -all]
config policygroup <name> service <name>
{enable}{disable} {balancing [robin | load]}
{sticky [disable | src-ip | cookie]}
{sticky-timeout <seconds>} {backups [enable |
disable]} {respons e <milli-sec>} {dup -syn
<micro-sec>} {prio rity <level>}
{server-timeout <seconds>}
12
C H A P T E R 2 Services
Layer 4 (HOT) Services
HOT services provide very fast brokering performance. HOT
services are defined in full by their VIP and port number.
In HOT or “Brokered” mode, the SA8220 performs Network Address
Translation (NAT) on all incoming packets passing through the
connection. NAT changes the destination IP address and port of
incoming packets to those of the selected fulfillment server. The
source IP address is modified to be that of the SA8220.
Fulfillment servers can be addressable by IP address, and thus can be
on either local or wide area networks.
By default in HOT mode, the fulfillment server sees all requests as
coming from the SA8220 rather than from the actual client. In some
environments, it may be desirable to have the fulfillment server see
the requests as if they were coming directly from the client. The
Source Address Preservation (SAP) mode of the S A8220 all ows this
to happen (see “Source Address Preservation” for more detailed
information).
Layer 7 (RICH) Services (all models except the SA7200)
The SA8220 allows more flexible service fulfillment for RICH (Realtime Intelligent Conte nt Handling) services. The servi ce type
“RICH_HTTP” is available on the SA8220 and enables it to make
fulfillment decisions based on the content of the URL of each client
HTTP request. RICH services also i nclude advance d er ror de tection,
and automatic resubmission of HTTP requests under most error
conditions.
As with HOT services above, fulfillment servers can be addressable
by IP address, and thus can be on either local or wide area networks.
13
C H A P T E R 2 HP Traffic Director Server Appliances User Guide
Out-of-Path Return (OPR)
Ordinarily, the SA8220 processes all traffic in both directions
between clients and the server farm. Viewing the server return traffic
helps the SA8220 accurately determine server response times and
handle HTTP errors. Often, the volume of data sent from the server
to the client is much larger than the traffic from client to server, and
checking for HTTP errors is not re quired. In such situations, you can
use OPR mode to increase performance. OP R is enabled by typing the
following command:
config policygroup <name> service <name> server
<name> port <port> mode [opr]
NOTE: OPR is not
applicable to Layer 7
services.
FTP Limitations
Each server for which OPR is enabled must have its loopback
interface configured to identify itself as the VIP of the brokered
service. This allows the server to respond directly to the client. The
server’s loopback interface, or an equivalent interface that will not
respond to ARP requests, must be configured before setting up the
SA8220 for OPR. For more information, please see “Configuring
Out-of-Path Return in Appendix D.
The table below lists t ho se limitations of FTP on the SA8200.
Mode Active FTP Passive FTP
HOT
HOT with SAP
OPR
HOT with SAP does not change the server's IP ad dress during Passive
FTP because the server is making the connecti on directly to the client,
using its real IP address. If the server’s IP address is not a "real" IP
address, this mode will not work.
No Yes
Yes Yes (see below )
No No
14
C H A P T E R 2 Sticky Options
Sticky Options
Some services operate best if all requests from a sp ecific client during
a single session are directed to the same fulfillment server. For
example, if the server maintains a local database of client activity or
context (shopping cart, re gistration info, navigat ion history, etc.), it is
important that subsequent client requests go to the server with these
database records. The SA822 0's “sticky” options allow this to occur.
Sticky is available in the two modes shown below.
Mode Description
Source IP
address
(“src-ip”)
Cookie
Sticky source IP for SSL uses the SSL session ID for stickiness
instead of the source IP of the client.
Both HTTP and HTTPS services can be RICH. However, i nco ming
RICH SSL connections will always be decrypted and sent on to the
fulfillment servers in clear text. Sticky cookie must be used when the
clients need to remain stuck to the same server between HTT PS and
HTTP.
Requests from a given IP address are directed to a
single server.
The requesting browser is given a cookie, which
subsequently identifies it as a unique requestor to
be directed to a single server. This method uniqu ely
identifies the client even if the request passes
through a proxy server. RICH service is required.
There is no sticky cookie requirement for HTTPS traffic.
Each brokered service can be configured with sticky cookie, sticky
IP, or no sticky option enabled. When a sticky option is configured,
all client requests (identified according to the enabled sticky mode)
during a session are routed to the same fulfillment server. When the
sticky option is disabled, the SA8220 determines the best fulfillment
server for each client request and directs them accordingly.
15
C H A P T E R 2 HP Traffic Director Server Appliances User Guide
Sticky Persis te nce
For source-ip based sticky, the relationship between the client IP
address and the fulfillment server remains in effect for the entire time
the SA8220 is online or until the sti cky ti meou t value expires. In th e
event of failover, the sticky rel ationship is lost. Cookie sticky remain s
in effect while the browser is running or until the sticky timeout value
expires. Since the browser maintains the cookie, cookie sticky is
maintained in the event of failover. The system clocks on both
SA8220s must be synchronized for failover handling to work. You do
this by enabling NTP (Network Time Protocol) using the Boot
Monitor. The administrator can control the length of tim e a server is
forced to handle serial re quests from a single client using the sticky
timeout value.
NOTE: SA7200 sticky
support allows for source
IP ONLY. All cookie
sticky RICH services will
be stuck to the same
server for the duration of
the sticky timeout value.
Sticky-timeout
The current software version for the SA8220 treats the timeout
differently for cookie versus source-ip sticky. With source-ip sticky,
the timeout is reset with every connection from the client (so that the
timeout is effectively an "i dle time"). With cookie stic ky, the timeout
starts with the first connection from the client to the server, and never
gets reset. When the cookie expires, even if actively being used, the
next connection will be load balanced to a new server.
We recommend that you set the cookie sticky ti meout value to at least
1.5 times the maximum amount of time a user will expect to be stuck
to a server. If you are uncertain of the exact setting, we recommend
using 43200 seconds (12 hours).
Server-timeout (SA8200/SA8220 only)
A server timeout, which causes a change in servers, can appear as a
cookie sticky state change. The recommended value for server
timeout is at least 1.5 times the maximum server response time.
We recommend that you set the value to 120 seconds.
16
C H A P T E R 2 SSL Acceleration (SA8200/SA8220 only)
SSL and Sticky (SA8200/SA8220 only)
SSL (Secure Sockets Layer, or HTTPS)-en abled services can also be
made sticky by specifying “sti cky cooki e” or “sticky src-ip” on the
CLI. For SSL services, sticky cookie behaves exactly as it does for
ordinary HTTP services. Source IP sticky uses the SSL session ID to
maintain server context. The server relationship will not survive
failover. As with sticky cookie, use of the session ID uniquely
identifies the client eve n if the req uest passes t hrough a pr oxy server .
Grouping Services
NOTE: RICH is required
for sticky service
grouping.
SSL Acceleration (SA8200/ SA8220 only)
The SA8220's sticky capabilities can ensure that all service requests
from the same user are routed to the same server. Enabling sticky
cookie on multiple services ensures that req uests from the same client
will be routed to the same fulfillme nt server for the duration of the
sticky relationship. Of course the server must be able to fulfill all
service requests to have a true one-to-one client-server relationship.
The SA8220 is a powerful addition to any web site desiring high
security levels. It was specifically created to manage secure traffic
going to and from c ritical applicat ions. It handles SS L traffic int o and
out of the customer's environment, as well as providing load
balancing, fault management, and error recovery.
The SA8220 includes cryptographic software featur es and hardwarebased acceleration. I t provides up to 1200 SSL (HTTPS) conn ections
per second (SA8220 only), far exceed ing the performance of even the
most powerful web servers on the market today.
The SA8220 allows users to off loa d S SL processi ng f r om thei r back
end servers, and at the same time achieve full-featured traffic
management. In a SA8220 environment, all encrypted traffic—
required by e-commerce applications—is handled at the SA8220.
The interaction between the SA8220 and the servers is done in the
clear, allowing load balancing and session management.
SSL processing is enabled by assig ning an RSA private key ( a public
encryption key algorithm i nvented in 1977) and an X.509 cert ifi cat e
to a Layer 7 service. The SA8220 Command Line Interface (CLI)
allows you to create or import k eys and c ertific ate when you define a
service. Once the key and certificate are in place, secure HTTP
(HTTPS) requests are decrypted and passed on to the web server. The
17
C H A P T E R 2 HP Traffic Director Server Appliances User Guide
SA8220’s dual NIC and packet filtering capabilities can be used to
isolate the web servers from the Internet, further preventing
unauthorized access.
SSL Fundamentals (SA8200/ SA8220 only)
SSL involves an interchange of keys used both to authenticate the
parties and to provide information to securely encrypt confidential
data. The keys distributed in this medium are “one way,” or
asymmetric. That is, they can only be used to encrypt confidential
data, and only the “owner” of the public key can d ecrypt the data once
it is encrypted using the public key inf ormation. SSL assures the three
things shown below.
Benefit Description
Authenticity Verifies the identities of the two parties
Privacy None other than the transacting parties can acce ss
the information being exchanged.
Integrity The message cannot be altered in transit bet ween
the two parties by a third party without the
alteration being dete cted .
To establish a secure session with a server, the client sends a “hello”
message to which the server responds with its certificate and an
encryption methodology . The client then responds with an encryp ted
random challenge, which is used to establish the session keys. This
method allows two parties to quickly establish each others’ identities
and establish a secure connection.
18
Several encryption methods are employed. Common ones are DES,
3DES, RC2, and RC4. Key size can be varied to determine the level
of security desired. A longer key is more secure.
The SA8220 supports all common keys and ciphers, as well as the
following encryption methods: DES, DES3, and RC2 & RC4. The
SA8220 includes a li censed version of the RSA code embedded in th e
security module as well. The device's session management software
has been certified by prominent security agencies and meets all
standards for SSL traffic.
The SA8220 handles all the handshaking, key establishment, and
bulk encryption for SSL transactions. Essentially, the SA8220 is a
full-featured, SSL-enabled web se rver. Traditionally, th ese functions
Loading...