Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
Publication Number
5971-0900
February 2001
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from http://www.hp.com/serverappliances/support.
*Other brands and names are the property of their respective owners.
Contents
Chapter 1: Introduction
  Introduction to the Traffic Director Server Appliances
Chapter 1: Introduction
This chapter covers the following topics:
• Introduction to the Traffic Director Server Appliances
• Assumptions
• Benefits
• Specifications
• Typographic Conventions
NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models.
Introduction to the Traffic Director Server Appliances
The HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s and the HP Traffic Director Server Appliance SA7200/SA7220s provide reliable load balancing, failover, and policy-based management to Web sites, Intranets, and e-Commerce sites. These models also include intelligent content routing, and are the best load balancing solution available for the reasons shown below.
• The SA8220 provides 7 x 24 uptime through failover systems and the inherent robustness of leading network protocols.
• The SA8220-managed configurations offer many features and capabilities that improve the availability and reliability of server-based services.
• The SA8220 allows system administrators to implement classes of service, assign priority levels, and set target response times.
• The SA8220 takes application-aware routing to a new level with the ability to segment Internet content according to the requested URL.
• Application intelligence allows the SA8220 to understand and correct application errors transparently to the end user.
• The SA8220 can offload encrypted web traffic (HTTPS), providing a significant performance improvement over web server based Secure Sockets Layer (SSL) processing.
Assumptions
This User Guide assumes that you are a network administrator and
that you have at least a basic understanding of the following:
• Networking concepts and terminology
• Network topologies
• Networks and IP routing
Benefits
SA8220 benefits are listed below.
Benefit: Substantial performance boost and reliability for e-Commerce (SA8200/SA8220 only)
Description: The SA8220 can increase the speed, scalability, and reliability of multi-server e-Commerce sites. It regains the speed lost by servers processing secure transactions by delivering faster SSL processing. It integrates SSL processing with third generation traffic management technology, eliminating errors and improving Quality of Service (QoS). This unique capability ensures that customers working with sensitive information or buying online receive timely responses, do not see error messages, and are confident that delivery of their information is kept private.

Benefit: Up to 150 times SSL acceleration (SA8200/SA8220 only)
Description: E-Commerce sites suffer dramatic performance degradation as secure transactions increase. Using patent-pending technology to perform cryptographic processing offloaded from the server, the SA8220 (only) can support up to 1200 SSL connections per second. The SA8220 enables e-Commerce sites to transact secure business and deliver sensitive information quickly, and confidentially. It performs all key management and encryption. The result is a tremendous performance boost for heavily trafficked e-Commerce sites.
Benefit: Substantial economic benefits (SA8200/SA8220 only)
Description: The SA8220 improves customer satisfaction by improving the response time for secure transactions. E-Commerce sites can now enjoy the benefits provided by having secure transactions participate in layer 7 intelligent traffic management. This creates substantial economic savings for e-Commerce sites through improved customer satisfaction, lower cost of ownership, and reduced server provisioning requirements.

Benefit: SSL acceleration and intelligent traffic management benefits (SA8200/SA8220 only)
Description: Performance degrades dramatically as more customers access a site in secure SSL mode, frustrating the very customers who are trying to make a purchase. The SA8220 is essential to providing high performance and superior levels of service when building reliable, scalable, and secure e-Commerce sites.
• Off-loading SSL handling from e-Commerce servers improves overall site performance and customer response time
• Accelerated SSL processing eliminates over-provisioning capacity
• Lower processing demands on the server create greater capacity for your e-Commerce site
• Drop-in installation avoids impacting your mission critical e-Commerce servers
• Response-time based prioritized service for secure transactions
• Improved responsiveness, reliability, and QoS for secure transactions means delivering the highest levels of support for paying customers
• Ensures that e-Commerce merchants are always open for business by preventing “Server Too Busy” and “File Not Found” errors, even for secure transactions
Benefit: Intelligent content routing for SSL transactions (SA8200/SA8220 only)
Description: The SA8220 incorporates intelligent traffic management for secure transactions, dramatically improving an e-Commerce site’s responsiveness, reliability, and QoS. While typical traffic management devices make decisions based only on information at Layer 4 in the network stack, the SA8220 combines Layer 4 through 7 (application/content) awareness to speed up response times and eliminate error messages for secure transactions. It keeps e-Commerce sites open for business, even during back-end transaction problems or content glitches.

Benefit: Intelligent session recovery for transactions (all models except the SA7200)
Description: The SA8220 provides Intelligent Session Recovery technology for transactions. By monitoring content within the response sent back by the server, Intelligent Session Recovery detects HTTP 400, 500, or 600 series errors, transparently rolls back the session, and redirects the transaction to another server until the request is fulfilled.

Benefit: Response-time based prioritized service for secure transactions
Description: The SA8220 enables system administrators to implement varying classes of service, assign priority levels, and set target response times for secure transactions. The SA8220 continually measures the response times of each class of service group and assigns incoming requests to the server that can fulfill those requests within the predefined response time. If the response time exceeds the predefined threshold, requests designated as high priority receive preference over those of lower priority. The SA8220 allows you to offer predictable performance for high-priority secure requests.
Specifications
SA8220 specifications are listed below. The bracketed marks after an item show the models that support it, in the column order SA7200, SA7220, SA8200/SA8220; a dash is an unmarked column.

Servers supported
  Any Web server (Apache, Microsoft, Netscape, etc.) [X X X]
  Any operating system (UNIX*, Solaris*, Windows NT*, BSD*/BSDI*, AIX*, etc.) [X X X]
  Any server hardware (SUN, HP, IBM, Compaq, SGI, Intel-based platforms, etc.) [X X X]
  No practical limit on number of servers [X X X]

System Administration
  Command line interface [X X X]
  Web-based GUI [X X X]
  SNMP monitoring (MIB II and Private MIB) [X X X]
  Dynamic configuration through password-protected serial console, telnet, SSH v1, and SSH v2 [X X X]

Performance
  SA8220 is rated up to 1200 HTTPS connections/sec, 2500 RICH HTTP connections/sec, 3500 HOT connections/sec, 95 Mb/sec.
  SA8200 is rated up to 600 HTTPS connections/sec, 1300 RICH HTTP connections/sec, 2800 HOT connections/sec. Both the SA8200 and the SA8220 are rated up to 6600 Max HTTP/HTTPS/sec.
  Layer 7 traffic management [- X X]
  Patent-pending technology offloads all cryptographic processing from server

Dimensions
  Mounting: Standard 19-inch rack mount [X X X]
  Height: 3.5 inches (8.9 cm) [X X X]
  Width: 17 inches (43.2 cm) [X X X]
  Depth: 20.16 inches (51.21 cm) for the SA7200, SA7220, and SA8220
  Depth: 23.75 inches (60.3 cm) for the SA8200

Weight
  24 pounds (10.89 kg) [X X X]

Interface Connections
  Dual 10/100 Ethernet [X X X]
  TTY Serial - console [X X X]
  Failover port [X X X]

Transparent Operation
  Supports single or multiple Virtual IP (VIP) addresses per domain [X X X]

Priority Classes
  Application/protocol types supported: Any TCP Port, e.g., HTTP, HTTPS, FTP [X X X]

Intelligent Content Routing
  Content: URL, file types such as *.GIF, file paths such as \ads\, file names such as Index.html [- X X]
  Transactions: Transaction types such as *.CGI [- X X]

Intelligent Session Recovery (HTTPS is available on the SA8200/SA8220 only)
  Automatically resubmits requests [- X X]
  Traps 400, 500, and 600 series errors for HTTP and HTTPS [- X X]

Response-time based Priority (for secure and non-secure transactions)
  Sets and enacts target response times [- X X]
  Real-time performance monitoring [- X X]
  Automatic server weighting and tuning [- X X]
  Server-state aware (“sticky”) based on:
    - Source IP [X X X]
    - SSL session ID [- - X]
    - HTTP cookie [- X X]

System Fault Tolerance
  Single site, single or multiple connections [X X X]
  Automatic detection of status change and health of servers [X X X]
  Intelligent Resource Verification (IRV) [X X X]

Security Features Supported
  SSL v2 and v3 for transaction security [- X X]
  SSH for secure Command Line Interface [- X X]
  IP filtering [- X X]
  Serial port logon [- X X]
Typographic Conventions
The following typographic conventions are used throughout this manual.
ONE MODEL NUMBER (SA8220): For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models.
NOTES clarify a point, emphasize vital information, or describe options, alternatives, or shortcuts. For example:
NOTE: This is an example of a note.
CAUTIONS are designed to prevent possible mistakes that could result in injury or equipment damage. For example:
CAUTION: This is an example of a caution.
WARNINGS alert you to potential hazards to life or limb. Except for tables, warnings are always found in the left margin.
NUMBERED LISTS indicate step-by-step procedures that you must follow in numeric order, as shown below:
1. This is the first step.
2. This is the second step.
3. This is the third step, etc.
BULLETED LISTS indicate options or features available to you, as shown below:
• The first feature or option
• The second feature or option
• The third feature or option, etc.
ITALICS are used for emphasis or to indicate onscreen controls, as shown in this example:
4. To edit the configuration settings, press the Configure tab.
COMMANDS are shown in the following ways:
• Any command or command response text that appears on the terminal is presented in the courier font.
• Any text that you need to type at the command line appears in bold courier, for example:
  HP SA8220/config/policygroup#create gold
• Angled brackets (< >) designate where you enter variable parameters.
• Straight brackets ([ ]) show parameter choices, separated by vertical bars.
• Braces ({ }) show optional commands and parameters.
• VERTICAL BARS ( | ) separate the choices of input parameters within straight brackets. You can choose only one of the set of choices separated by vertical bars. Do not include the vertical bar in the command.
Chapter 2: Theory of Operations
This chapter covers the following topics:
• Services
• FTP Limitations
• Sticky Options
• SSL Acceleration (SA8200/SA8220 only)
• Load Balancing Across Multiple Servers
• Server Configuration Options
• Routing with Dual Interfaces
• Prioritization and Policy Groups
• Error Detection
• Serial Cable Failover
NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models. Also, all references to “RICH” functionality or “Expressions” in this chapter do not apply to the SA7200.
General Operating Principles
This chapter discusses the general operating principles for the HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s, and the Traffic Director Server Appliance SA7200/SA7220s. For details about the SA8220 command set, please see “Command Line Interface” in Chapter 5. For information about completing specific tasks, please see “Scenarios” in Chapter 6.
Services
NOTE: The sample commands used in this chapter are meant as examples only.
Services are the virtual resources that the SA8220 provides to network clients. Services are defined by their Virtual Internet Protocol (VIP) address and virtual port number. The SA8220 load balances network client requests for a service by receiving requests from the user and directing them for fulfillment to the most appropriate resource in the provider's server farm. Services are defined and created within Policy Groups (please see “Prioritization and Policy Groups” in Chapter 2) and are managed using the following commands:
HOT services provide very fast brokering performance. HOT
services are defined in full by their VIP and port number.
In HOT or “Brokered” mode, the SA8220 performs Network Address
Translation (NAT) on all incoming packets passing through the
connection. NAT changes the destination IP address and port of
incoming packets to those of the selected fulfillment server. The
source IP address is modified to be that of the SA8220.
Fulfillment servers can be addressable by IP address, and thus can be
on either local or wide area networks.
By default in HOT mode, the fulfillment server sees all requests as coming from the SA8220 rather than from the actual client. In some environments, it may be desirable to have the fulfillment server see the requests as if they were coming directly from the client. The Source Address Preservation (SAP) mode of the SA8220 allows this to happen (see “Source Address Preservation” for more detailed information).
Layer 7 (RICH) Services (all models except the SA7200)
The SA8220 allows more flexible service fulfillment for RICH (Real-time Intelligent Content Handling) services. The service type “RICH_HTTP” is available on the SA8220 and enables it to make fulfillment decisions based on the content of the URL of each client HTTP request. RICH services also include advanced error detection, and automatic resubmission of HTTP requests under most error conditions.
As with HOT services above, fulfillment servers can be addressable by IP address, and thus can be on either local or wide area networks.
Out-of-Path Return (OPR)
Ordinarily, the SA8220 processes all traffic in both directions between clients and the server farm. Viewing the server return traffic helps the SA8220 accurately determine server response times and handle HTTP errors. Often, the volume of data sent from the server to the client is much larger than the traffic from client to server, and checking for HTTP errors is not required. In such situations, you can use OPR mode to increase performance. OPR is enabled by typing the following command:
config policygroup <name> service <name> server <name> port <port> mode [opr]
NOTE: OPR is not applicable to Layer 7 services.
Each server for which OPR is enabled must have its loopback interface configured to identify itself as the VIP of the brokered service. This allows the server to respond directly to the client. The server’s loopback interface, or an equivalent interface that will not respond to ARP requests, must be configured before setting up the SA8220 for OPR. For more information, please see “Configuring Out-of-Path Return” in Appendix D.
FTP Limitations
The table below lists the limitations of FTP on the SA8200.
Mode            Active FTP    Passive FTP
HOT             No            Yes
HOT with SAP    Yes           Yes (see below)
OPR             No            No
HOT with SAP does not change the server's IP address during Passive FTP because the server is making the connection directly to the client, using its real IP address. If the server’s IP address is not a "real" IP address, this mode will not work.
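The HOT, HOT-with-SAP and OPR forwarding behaviour described above, simulated as an added Python example (not HP code): the addresses are constructed sample values, and the HOT connection-table lookup is reduced to a single client. It shows what the server sees as the client address in each mode and why a server that does not hold the VIP on its loopback drops OPR traffic.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation ranges), not values from the guide.
CLIENT = "198.51.100.7"
VIP, VIP_PORT = "192.0.2.10", 80     # the brokered service
APPLIANCE_IP = "10.0.0.1"            # SA8220 address on the server-side network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Server:
    real_ip: str
    port: int
    vip_on_loopback: bool = False   # the OPR prerequisite described in the guide

    def owns(self, ip):
        return ip == self.real_ip or (self.vip_on_loopback and ip == VIP)

    def reply(self, pkt):
        """Answer a packet, or drop it (None) if this host does not hold its destination IP."""
        if not self.owns(pkt.dst):
            return None
        return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def to_server(mode, pkt, srv):
    """Client->VIP packet as the fulfillment server receives it in each mode."""
    if mode == "hot":      # NAT both ends: the server sees the SA8220 as the client
        return replace(pkt, src=APPLIANCE_IP, dst=srv.real_ip, dport=srv.port)
    if mode == "hot-sap":  # NAT destination only: the server sees the real client address
        return replace(pkt, dst=srv.real_ip, dport=srv.port)
    if mode == "opr":      # no IP rewrite; the frame is handed to the server at layer 2
        return pkt
    raise ValueError(f"unknown mode {mode!r}")


def from_server(mode, reply):
    """Reverse translation on the return path; in OPR the reply bypasses the SA8220."""
    if mode == "opr":
        return reply
    # In HOT the reply is addressed to the SA8220, which maps it back to the client
    # through its connection table (a single client here, so the lookup is implicit).
    dst = CLIENT if mode == "hot" else reply.dst
    return replace(reply, src=VIP, sport=VIP_PORT, dst=dst)


def exchange(mode, srv):
    """One request/response through the chosen mode; returns what each party observed."""
    req = Packet(CLIENT, VIP, 40001, VIP_PORT)
    fwd = to_server(mode, req, srv)
    rep = srv.reply(fwd)
    client_got = None if rep is None else from_server(mode, rep)
    return {
        "server_saw_src": fwd.src,
        "client_got": None if client_got is None else (client_got.src, client_got.dst),
        "return_via_appliance": mode != "opr",
    }


if __name__ == "__main__":
    plain = Server("10.0.0.11", 8080)
    for mode in ("hot", "hot-sap", "opr"):
        print(mode, exchange(mode, plain))
    print("opr, VIP on loopback", exchange("opr", Server("10.0.0.11", 80, vip_on_loopback=True)))
```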
Sticky Options
Some services operate best if all requests from a specific client during a single session are directed to the same fulfillment server. For example, if the server maintains a local database of client activity or context (shopping cart, registration info, navigation history, etc.), it is important that subsequent client requests go to the server with these database records. The SA8220's “sticky” options allow this to occur. Sticky is available in the two modes shown below.
Mode: Source IP address (“src-ip”)
Description: Requests from a given IP address are directed to a single server.
Mode: Cookie
Description: The requesting browser is given a cookie, which subsequently identifies it as a unique requestor to be directed to a single server. This method uniquely identifies the client even if the request passes through a proxy server. RICH service is required.
Sticky source IP for SSL uses the SSL session ID for stickiness instead of the source IP of the client.
Both HTTP and HTTPS services can be RICH. However, incoming RICH SSL connections will always be decrypted and sent on to the fulfillment servers in clear text. Sticky cookie must be used when the clients need to remain stuck to the same server between HTTPS and HTTP.
There is no sticky cookie requirement for HTTPS traffic.
Each brokered service can be configured with sticky cookie, sticky IP, or no sticky option enabled. When a sticky option is configured, all client requests (identified according to the enabled sticky mode) during a session are routed to the same fulfillment server. When the sticky option is disabled, the SA8220 determines the best fulfillment server for each client request and directs them accordingly.
Sticky Persistence
For source-ip based sticky, the relationship between the client IP address and the fulfillment server remains in effect for the entire time the SA8220 is online or until the sticky timeout value expires. In the event of failover, the sticky relationship is lost. Cookie sticky remains in effect while the browser is running or until the sticky timeout value expires. Since the browser maintains the cookie, cookie sticky is maintained in the event of failover. The system clocks on both SA8220s must be synchronized for failover handling to work. You do this by enabling NTP (Network Time Protocol) using the Boot Monitor. The administrator can control the length of time a server is forced to handle serial requests from a single client using the sticky timeout value.
NOTE: SA7200 sticky support allows for source IP ONLY. All cookie sticky RICH services will be stuck to the same server for the duration of the sticky timeout value.
Sticky-timeout
The current software version for the SA8220 treats the timeout differently for cookie versus source-ip sticky. With source-ip sticky, the timeout is reset with every connection from the client (so that the timeout is effectively an "idle time"). With cookie sticky, the timeout starts with the first connection from the client to the server, and never gets reset. When the cookie expires, even if actively being used, the next connection will be load balanced to a new server.
We recommend that you set the cookie sticky timeout value to at least 1.5 times the maximum amount of time a user will expect to be stuck to a server. If you are uncertain of the exact setting, we recommend using 43200 seconds (12 hours).
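The two timeout semantics just described, together with the failover behaviour from “Sticky Persistence”, simulated in Python as an added example (not HP code). The cookie format “server|first-connection-time” and the round-robin fallback for clients with no sticky relationship are assumptions, since the guide documents neither.

```python
from itertools import cycle
from math import ceil


class StickyBalancer:
    """Minimal model of one SA8220's sticky handling (added example, not HP code).

    src-ip mode keeps a table client_ip -> (server, last_seen); its timeout is an
    idle time, reset on every connection. cookie mode keeps no table: the browser
    carries "server|first_seen" (an assumed cookie format) and the timeout runs from
    the first connection and is never reset. Server choice when no sticky entry
    applies is round-robin here; the real device picks by response time.
    """

    def __init__(self, servers, timeout):
        self.servers = list(servers)
        self.timeout = timeout          # sticky timeout in seconds
        self.table = {}                 # src-ip sticky state, lost on failover
        self._rr = cycle(self.servers)

    def _pick(self):
        return next(self._rr)

    def handle_src_ip(self, client_ip, now):
        """Source-IP sticky: return the server for this client at time `now`."""
        entry = self.table.get(client_ip)
        if entry is not None and now - entry[1] <= self.timeout:
            server = entry[0]           # still within the idle window: stay stuck
        else:
            server = self._pick()       # no entry, or idle too long: load balance anew
        self.table[client_ip] = (server, now)   # every connection resets the idle timer
        return server

    def handle_cookie(self, cookie, now):
        """Cookie sticky: return (server, cookie), where cookie is what the browser keeps."""
        if cookie:
            server, first_seen = cookie.split("|")
            # The first-connection time is never updated, so even an active client
            # is rebalanced once the absolute timeout has elapsed.
            if server in self.servers and now - float(first_seen) <= self.timeout:
                return server, cookie
        server = self._pick()
        return server, f"{server}|{now}"


def recommended_cookie_timeout(max_stick_seconds=None):
    """Guide's rule: at least 1.5 x the longest expected stick time; 43200 s if unknown."""
    if max_stick_seconds is None:
        return 43200
    return ceil(1.5 * max_stick_seconds)


def demo():
    """Exercise both modes, then a failover to a peer with an empty sticky table."""
    pool = ["srv-a", "srv-b", "srv-c"]
    out = {}
    lb = StickyBalancer(pool, timeout=300)
    # src-ip: connecting every 200 s keeps the 300 s idle timer alive indefinitely
    out["srcip_active"] = [lb.handle_src_ip("10.1.2.3", t) for t in range(0, 1001, 200)]
    # src-ip: a 400 s gap exceeds the idle timer, so the third request is rebalanced
    out["srcip_idle"] = [lb.handle_src_ip("10.9.9.9", t) for t in (0, 100, 500)]
    # cookie: connecting every 100 s does not help; at t=400 the absolute timer expires
    lb2 = StickyBalancer(pool, timeout=300)
    cookie, seq = None, []
    for t in (0, 100, 200, 300, 400, 500):
        server, cookie = lb2.handle_cookie(cookie, t)
        seq.append(server)
    out["cookie_absolute"] = seq
    # failover: the peer SA8220 has no src-ip table, so 10.9.9.9 loses its server;
    # the browser still presents its cookie, so cookie sticky survives (clocks in sync)
    peer = StickyBalancer(pool, timeout=300)
    out["srcip_after_failover"] = peer.handle_src_ip("10.9.9.9", 600)
    out["cookie_after_failover"] = peer.handle_cookie(cookie, 600)[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```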
Server-timeout (SA8200/SA8220 only)
A server timeout, which causes a change in servers, can appear as a
cookie sticky state change. The recommended value for server
timeout is at least 1.5 times the maximum server response time.
We recommend that you set the value to 120 seconds.
SSL and Sticky (SA8200/SA8220 only)
SSL (Secure Sockets Layer, or HTTPS)-enabled services can also be made sticky by specifying “sticky cookie” or “sticky src-ip” on the CLI. For SSL services, sticky cookie behaves exactly as it does for ordinary HTTP services. Source IP sticky uses the SSL session ID to maintain server context. The server relationship will not survive failover. As with sticky cookie, use of the session ID uniquely identifies the client even if the request passes through a proxy server.
Grouping Services
NOTE: RICH is required for sticky service grouping.
The SA8220's sticky capabilities can ensure that all service requests from the same user are routed to the same server. Enabling sticky cookie on multiple services ensures that requests from the same client will be routed to the same fulfillment server for the duration of the sticky relationship. Of course the server must be able to fulfill all service requests to have a true one-to-one client-server relationship.
SSL Acceleration (SA8200/SA8220 only)
The SA8220 is a powerful addition to any web site desiring high security levels. It was specifically created to manage secure traffic going to and from critical applications. It handles SSL traffic into and out of the customer's environment, as well as providing load balancing, fault management, and error recovery.
The SA8220 includes cryptographic software features and hardware-based acceleration. It provides up to 1200 SSL (HTTPS) connections per second (SA8220 only), far exceeding the performance of even the most powerful web servers on the market today.
The SA8220 allows users to offload SSL processing from their back end servers, and at the same time achieve full-featured traffic management. In a SA8220 environment, all encrypted traffic required by e-commerce applications is handled at the SA8220. The interaction between the SA8220 and the servers is done in the clear, allowing load balancing and session management.
SSL processing is enabled by assigning an RSA private key (RSA is a public key encryption algorithm invented in 1977) and an X.509 certificate to a Layer 7 service. The SA8220 Command Line Interface (CLI) allows you to create or import keys and certificates when you define a service. Once the key and certificate are in place, secure HTTP (HTTPS) requests are decrypted and passed on to the web server. The SA8220’s dual NIC and packet filtering capabilities can be used to isolate the web servers from the Internet, further preventing unauthorized access.
SSL Fundamentals (SA8200/SA8220 only)
SSL involves an interchange of keys used both to authenticate the parties and to provide information to securely encrypt confidential data. The keys distributed in this medium are “one way,” or asymmetric. That is, the public key can only be used to encrypt confidential data, and only the owner of the key pair, who holds the matching private key, can decrypt the data once it has been encrypted using the public key information. SSL assures the three things shown below.
Benefit: Authenticity
Description: Verifies the identities of the two parties.
Benefit: Privacy
Description: None other than the transacting parties can access the information being exchanged.
Benefit: Integrity
Description: The message cannot be altered in transit between the two parties by a third party without the alteration being detected.
To establish a secure session with a server, the client sends a “hello” message to which the server responds with its certificate and an encryption methodology. The client then responds with an encrypted random challenge, which is used to establish the session keys. This method allows two parties to quickly establish each others’ identities and establish a secure connection.
Several encryption methods are employed. Common ones are DES,
3DES, RC2, and RC4. Key size can be varied to determine the level
of security desired. A longer key is more secure.
The SA8220 supports all common keys and ciphers, as well as the following encryption methods: DES, DES3, and RC2 & RC4. The SA8220 includes a licensed version of the RSA code embedded in the security module as well. The device's session management software has been certified by prominent security agencies and meets all standards for SSL traffic.
The SA8220 handles all the handshaking, key establishment, and bulk encryption for SSL transactions. Essentially, the SA8220 is a full-featured, SSL-enabled web server. Traditionally, these functions