HP sa7220 User Manual

hp traffic director server appliances
user guide for the hp e-commerce traffic director server appliance sa8200/sa8220 and the hp traffic director server appliance sa7200/sa7220
© Copyright 2001 Hewlett-Packard Company. All rights reserved.
Hewlett-Packard Company 3000 Hanover Street Palo Alto, CA 94304-1185
Publication Number 5971-0900 February 2001
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from http://www.hp.com/serverappliances/support.
*Other brands and names are the property of their respective owners.
Contents
Chapter 1: Introduction
Introduction to the Traffic Director Server Appliances
Assumptions
Benefits
Specifications
Typographic Conventions
Chapter 2: Theory of Operations
General Operating Principles
Services
Layer 4 (HOT) Services
Layer 7 (RICH) Services (all models except the SA7200)
Out-of-Path Return (OPR)
FTP Limitations
Sticky Options
Sticky Persistence
Sticky-timeout
Server-timeout (SA8200/SA8220 only)
SSL and Sticky (SA8200/SA8220 only)
Grouping Services
SSL Acceleration (SA8200/SA8220 only)
SSL Fundamentals (SA8200/SA8220 only)
Application Message Traffic Management
HTTPS Redirect
Client Authentication
HTTP Header Option Fields
Load Balancing Across Multiple Servers
Balancing Algorithms
Response-Time Metrics
Primary and Backup Servers
Server Configuration Options
Source Address Preservation
Multi-hop Source Address Preservation
RICH Expressions (not available on the SA7200)
Order of Expressions (not available on the SA7200)
Routing with Dual Interfaces
Prioritization and Policy Groups
Routing Method for VIP Addresses
Error Detection
Server Status Detection
HTTP Error Detection
Serial Cable Failover
Serial Cable Failover Configuration
Replicating the Configuration
Status Information
Chapter 3: Boot Monitor
Using the Boot Monitor CLI
System Requirements
Accessing the Boot Monitor
Interrupting the Bootup Sequence
Using the Run Time CLI
Boot Monitor Commands
Chapter 4: Graphical User Interface
Before You Begin
Logon Screen
Logging on to the GUI
Topology Screen
Using the Topology Screen
Purposes of the Topology Screen
Topology Screen Toolbar
Online Help
Topology Screen Elements
Window Controls
Policy Manager Screen
Policy Manager Controls and Displays
Policy Manager Toolbar
Policy Manager’s Pop-up Menu
Policy Groups
Creating Policy Groups
Throttling
Deleting Policy Groups
Services
Creating Services
Additional Service Tab Controls and Displays
Balance Strategy
Deleting Services
Servers
RICH Controls (all models except the SA7200)
Order of Expressions (all models except the SA7200)
Deleting Servers
Administration Screen
Settings Tab
Software Tab
System Software
Agent Software
Users Tab
Routing Tab
System Role
Active Routing Protocol
RIP Protocol
OSPF Protocol
Security Tab
Source IP Filtering
Access Options
GUI Tab
CLI Tab
SNMP Tab
SNMP Agent
Multi-Site Tab
Logging Tab
Specifying System Log Parameters
Viewing the Log File
Configuration Screen
Saving Configuration Files
Restoring Configuration Files
Deleting Configuration Files
Copying Configuration Files
Viewing Configuration Files
Resetting the Factory Configuration
Sending and Retrieving Configuration Files
Tools Screen
ARP
Ether
Ping
Netstat
Nslookup
Reboot
Trace
Traceroute
Statistics Screen
Statistics Screen Controls
Statistics Box
Graph Options
Selection List
Window Options
Graphing Statistics
Chapter 5: Command Line Interface
CLI Introduction
Secure Shell Support
Online Help
Pipes
Syntax
Categorical List of CLI Commands
Global System Commands
Admin Commands
File Management Commands
CLI Commands
IRV Commands
GUI Commands
Routing Commands
Policy Group Commands
Service Commands
Server Commands
System Commands
Security Commands
SNMP Commands
SSL Commands (SA8200/SA8220 only)
Logging Commands
Show Commands
Run-Time CLI Command Reference
Global System Commands
Admin Commands
File Management Commands
CLI Commands
IRV Commands
GUI Commands
Routing Commands
Policy Group Commands
System Commands
Security Commands
SNMP Commands
SSL Commands (SA8200/SA8220 only)
Logging Commands
Show Commands
Chapter 6: Scenarios
e-Commerce Appliance Scenarios
Scenario 1: Load Balancing a Web Site with Two Servers and the SA8220 in Inline Mode
Prerequisites for Scenario 1
Procedure for Scenario 1
Scenario 2: Load Balancing Servers with Source Address Preservation
Prerequisites for Scenario 2
Procedure for Scenario 2
Scenario 3: Routing Outbound Data Away from the SA8220 for OPR
Prerequisites for Scenario 3
Procedure for Scenario 3
Scenario 4: Content Routing (SA7220 and SA8200/SA8220 only)
Prerequisites for Scenario 4
Procedure for Scenario 4
Scenario 5: Using SSL Acceleration (SA8200/SA8220 only)
Procedure for Scenario 5
Scenario 6: Using CRLs (SA8200/SA8220 only)
Chapter 7: SNMP Support
Using SNMP
Standards Compliance
HP MIB Tree
Supported MIBs
Where to find MIB Files
Trap Summary
Standard SNMP Traps
Displaying SNMP Parameters
Configuring Community Authentication and Security Parameters
Configuring Trap Parameters
Other Configurable SNMP Parameters
Chapter 8: Software Updates
Updating Your System Software
Multiple Software Images
Software Image Media
Saving Your Current Configuration
Downloading and Installing the Software
Rebooting with the New Image and Verifying Installation
Upgrading Under Serial Cable Failover Configuration
Appendix A: Security Configuration
Recommended Security Configuration
Appendix B: SSL Configuration
Obtaining Keys and Certificates
Copying and Pasting Keys and Certificates
Obtaining a Certificate from Verisign or another CA
Procedure
Importing Keys into the SA8220
Importing Certificates into the SA8220
Creating a new Key/Certificate on the SA8220
Procedure
Using Global Site Certificates
Overview
Using the CLI
Generating a Client CA
Generating a CRL
Revoking a Certificate
Using Ciphers with the SA8220
HTTP Header Information
Appendix C: Failover Method Dependencies
Failover Modes
Appendix D: Configuring Out-of-Path Return
Configure OPR for Windows* 2000*
Set the Loopback
Configure OPR for Windows* NT*
Set the Loopback
Run a Web Service on the Loopback Interface Using IIS 3.0
Run a Web Service on the Loopback Interface Using IIS 4.0
Configuring OPR for Apache Web Server on a UNIX* machine
Appendix E: Diagnostics and Troubleshooting
Running Diagnostics
Diagnostic LEDs
Power Indication
Boot-time LED Diagnostics
Run time LED Diagnostics
Run time Errors
Troubleshooting
Appendix F: Cleaning the Dust Filter
Background
Dust Filter Cleaning Procedure
Regulatory Information
Taiwan Class A EMI Statement
VCCI Class A (Japan)
VCCI Statement
Australia
FCC Part 15 Compliance Statement
Canada Compliance Statement (Industry Canada)
CE Compliance Statement
CISPR 22 Statement
WARNING
AVERTISSEMENT
WARNUNG
AVVERTENZA
ADVERTENCIAS
Wichtige Sicherheitshinweise
Software License Agreements
Support Services
Support for your SA8220
U.S. and Canada
Europe
Asia
Latin America
Other Countries
Glossary

Introduction

This chapter covers the following topics:
Introduction to the Traffic Director Server Appliances
Assumptions
Benefits
Specifications
Typographic Conventions
NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models.

Introduction to the Traffic Director Server Appliances

The HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s and the HP Traffic Director Server Appliance SA7200/SA7220s provide reliable load balancing, failover, and policy-based management to Web sites, Intranets, and e-Commerce sites. These models also include intelligent content routing, and are the best load balancing solution available for the reasons shown below.
Feature: Description
Reliability: The SA8220 provides 7 x 24 uptime through failover systems and the inherent robustness of leading network protocols.
Fault Resistance: The SA8220-managed configurations offer many features and capabilities that improve the availability and reliability of server-based services.
Policy-based Management: The SA8220 allows system administrators to implement classes of service, assign priority levels, and set target response times.
Intelligent Content Routing (SA8200/SA8220 only): The SA8220 takes application-aware routing to a new level with the ability to segment Internet content according to the requested URL.
Error Recovery: Application intelligence allows the SA8220 to understand and correct application errors transparently to the end user.
Secure Sockets Layer Acceleration (SA8200/SA8220 only): The SA8220 can offload encrypted web traffic (HTTPS), providing a significant performance improvement over web server based Secure Sockets Layer (SSL) processing.

Assumptions

This User Guide assumes that you are a network administrator and that you have at least a basic understanding of the following:
Networking concepts and terminology
Network topologies
Networks and IP routing

Benefits

SA8220 benefits are listed below.
Benefit: Description
Substantial performance boost and reliability for e-Commerce (SA8200/SA8220 only): The SA8220 can increase the speed, scalability, and reliability of multi-server e-Commerce sites. It regains the speed lost by servers processing secure transactions by delivering faster SSL processing. It integrates SSL processing with third generation traffic management technology, eliminating errors and improving Quality of Service (QoS). This unique capability ensures that customers working with sensitive information or buying online receive timely responses, do not see error messages, and are confident that delivery of their information is kept private.
Up to 150 times SSL acceleration (SA8200/SA8220 only): E-Commerce sites suffer dramatic performance degradation as secure transactions increase. Using patent-pending technology to perform cryptographic processing offloaded from the server, the SA8220 (only) can support up to 1200 SSL connections per second.
The SA8220 enables e-Commerce sites to transact secure business and deliver sensitive information quickly and confidentially. It performs all key management and encryption. The result is a tremendous performance boost for heavily trafficked e-Commerce sites.
Substantial economic benefits (SA8200/SA8220 only): The SA8220 improves customer satisfaction by improving the response time for secure transactions. E-Commerce sites can now enjoy the benefits provided by having secure transactions participate in layer 7 intelligent traffic management. This creates substantial economic savings for e-Commerce sites through improved customer satisfaction, lower cost of ownership, and reduced server provisioning requirements.
Performance degrades dramatically as more customers access a site in secure SSL mode, which frustrates the very customers who are trying to make a purchase. The SA8220 is essential to providing high performance and superior levels of service when building reliable, scalable, and secure e-Commerce sites.
SSL acceleration and intelligent traffic management benefits (SA8200/SA8220 only):
Off-loading SSL handling from e-Commerce servers improves overall site performance and customer response time
Accelerated SSL processing eliminates over-provisioning capacity
Lower processing demands on the server creates greater capacity for your e-Commerce site
Drop-in installation avoids impacting your mission critical e-Commerce servers
Response-time based prioritized service for secure transactions
Improved responsiveness, reliability, and QoS for secure transactions means delivering the highest levels of support for paying customers
Ensures that e-Commerce merchants are always open for business by preventing Server Too Busy and File Not Found errors, even for secure transactions
Intelligent content routing for SSL transactions (SA8200/SA8220 only): The SA8220 incorporates intelligent traffic management for secure transactions, dramatically improving an e-Commerce site’s responsiveness, reliability, and QoS. While typical traffic management devices make decisions based only on information at Layer 4 in the network stack, the SA8220 combines Layer 4 through 7 (application/content) awareness to speed up response times and eliminate error messages for secure transactions. It keeps e-Commerce sites open for business, even during back-end transaction problems or content glitches.
Intelligent session recovery for transactions (all models except the SA7200): The SA8220 provides Intelligent Session Recovery technology for transactions. By monitoring content within the response sent back by the server, Intelligent Session Recovery detects HTTP 400, 500, or 600 series errors, transparently rolls back the session, and redirects the transaction to another server until the request is fulfilled.
Response-time based prioritized service for secure transactions: The SA8220 enables system administrators to implement varying classes of service, assign priority levels, and set target response times for secure transactions. The SA8220 continually measures the response times of each class of service group and assigns incoming requests to the server that can fulfill those requests within the predefined response time. If the response time exceeds the predefined threshold, requests designated as high priority receive preference over those of lower priority. The SA8220 allows you to offer predictable performance for high-priority secure requests.

Specifications

SA8220 specifications are listed below.
Specification Description SA7200 SA7220 SA8200/SA8220
Servers supported
Any Web server (Apache, Microsoft, Netscape, etc.) XXX
Any operating system (UNIX*, Solaris*, Windows NT*, BSD*/BSDI*, AIX*, etc.) XXX
Any server hardware (SUN, HP, IBM, Compaq, SGI, Intel-based platforms, etc.) XXX
No practical limit on number of servers XXX
System Administration
Command line interface XXX
Web-based GUI XXX
SNMP monitoring (MIB II and Private MIB) XXX
Dynamic configuration through password-protected serial console, telnet, SSH v1, and SSH v2 XXX
Performance
SA8220 is rated up to 1200 HTTPS connections/sec, 2500 RICH HTTP connections/sec, 3500 HOT connections/sec, 95 Mb/sec. SA8200 is rated up to 600 HTTPS connections/sec, 1300 RICH HTTP connections/sec, 2800 HOT connections/sec. Both the SA8200 and the SA8220 are rated up to 6600 Max HTTP/HTTPS/sec.
Layer 7 traffic management XX
Patent-pending technology offloads all cryptographic processing from server
Dimensions
Mounting: Standard 19-inch rack mount XXX
Height: 3.5 inches (8.9 cm) XXX
Width: 17 inches (43.2 cm) XXX
Depth: 20.16 inches (51.21 cm) for the SA7200, SA7220, and SA8220
Depth: 23.75 inches (60.3 cm) for the SA8200
XXX
XXX
XXX
Weight
24 pounds (10.89 kg) XXX
Interface Connections
Dual 10/100 Ethernet XXX
TTY Serial - console XXX
Failover port XXX
Transparent Operation
Priority Classes
Supports single or multiple Virtual IP (VIP) addresses per domain XXX
Application/protocol types supported: Any TCP Port, e.g., HTTP, HTTPS, FTP XXX
Intelligent Content Routing
Content: URL, file types such as *.GIF, file paths such as \ads\, file names such as Index.html
Transactions: Transaction types such as *.CGI
Intelligent Session Recovery (HTTPS is available on the SA8200/SA8220 only)
Automatically resubmits requests XX
Traps 400, 500, and 600 series errors for HTTP and HTTPS
Response-time based Priority (for secure and non-secure transactions)
Sets and enacts target response times XX
Real-time performance monitoring XX
Automatic server weighting and tuning XX
Server-state aware (“sticky”) based on:
XX
XX
XX
- Source IP XXX
- SSL session ID X
- HTTP cookie XX
System Fault Tolerance
Single site, single or multiple connections XXX
Automatic detection of status change and health of servers XXX
Intelligent Resource Verification (IRV) XXX
Security Features Supported
SSL v2 and v3 for transaction security XX
SSH for secure Command Line Interface XX
IP filtering XX
Serial port logon XX

Typographic Conventions

The following typographic conventions are used throughout this manual.
ONE MODEL NUMBER (SA8220): For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models.
NOTE: This is an example of a note.
CAUTION: This is an example of a caution.
NOTES clarify a point, emphasize vital information, or describe options, alternatives, or shortcuts.
CAUTIONS are designed to prevent possible mistakes that could result in injury or equipment damage.
WARNINGS alert you to potential hazards to life or limb. Except for tables, warnings are always found in the left margin.
NUMBERED LISTS indicate step-by-step procedures that you must follow in numeric order, as shown below:
1. This is the first step.
2. This is the second step.
3. This is the third step, etc.
BULLETED LISTS indicate options or features available to you, as shown below:
The first feature or option
The second feature or option
The third feature or option, etc.
ITALICS are used for emphasis or to indicate onscreen controls, as shown in this example:
4. To edit the configuration settings, press the Configure tab.
COMMANDS are shown in the following ways:
Any command or command response text that appears on the terminal is presented in the courier font.
Any text that you need to type at the command line appears in bold courier, for example:
HP SA8220/config/policygroup#create gold
Angled brackets (< >) designate where you enter variable parameters
Straight brackets ([ ]) show parameter choices, separated by vertical bars
Braces ({ }) show optional commands and parameters
VERTICAL BARS ( | ) separate the choices of input parameters within straight brackets. You can choose only one of the set of choices separated by vertical bars. Do not include the vertical bar in the command.

Theory of Operations

This chapter covers the following topics:
Services
FTP Limitations
Sticky Options
SSL Acceleration (SA8200/SA8220 only)
Load Balancing Across Multiple Servers
Server Configuration Options
Routing with Dual Interfaces
Prioritization and Policy Groups
Error Detection
Serial Cable Failover
NOTE: For ease of reading, all models are referred to as the SA8220 throughout this document. Unless noted otherwise, all SA8220 references refer to all models. Also, all references to “RICH” functionality or “Expressions” in this chapter do not apply to the SA7200.

General Operating Principles

This chapter discusses the general operating principles for the HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s, and the Traffic Director Server Appliance SA7200/SA7220s. For details about the SA8220 command set, please see Command Line Interface in Chapter 5. For information about completing specific tasks, please see Scenarios in Chapter 6.

Services

NOTE: The sample commands used in this chapter are meant as examples only.
Services are the virtual resources that the SA8220 provides to network clients. Services are defined by their Virtual Internet Protocol (VIP) address and virtual port number. The SA8220 load balances network client requests for a service by receiving requests from the user and directing them for fulfillment to the most appropriate resource in the provider's server farm. Services are defined and created within Policy Groups (please see “Prioritization and Policy Groups” in Chapter 2) and are managed using the following commands:
config policygroup <policy-name> service create <service-name> vip <ipaddr> port <number> {type [TCP | UDP | RICH_HTTP]} {sticky [disable | src-ip | cookie]} {sticky-timeout <seconds>} {backups [enable | disable]} {response <milli-sec>} {priority <level>} {balancing [load | robin]} {server-timeout <seconds>}
config policygroup <name> service delete [<name> | -all]
config policygroup <name> service <name> {enable}{disable} {balancing [robin | load]} {sticky [disable | src-ip | cookie]} {sticky-timeout <seconds>} {backups [enable | disable]} {response <milli-sec>} {dup-syn <micro-sec>} {priority <level>} {server-timeout <seconds>}
Layer 4 (HOT) Services
HOT services provide very fast brokering performance. HOT services are defined in full by their VIP and port number.
In HOT or “Brokered” mode, the SA8220 performs Network Address Translation (NAT) on all incoming packets passing through the connection. NAT changes the destination IP address and port of incoming packets to those of the selected fulfillment server. The source IP address is modified to be that of the SA8220.
Fulfillment servers can be addressable by IP address, and thus can be on either local or wide area networks.
By default in HOT mode, the fulfillment server sees all requests as coming from the SA8220 rather than from the actual client. In some environments, it may be desirable to have the fulfillment server see the requests as if they were coming directly from the client. The Source Address Preservation (SAP) mode of the SA8220 allows this to happen (see Source Address Preservation for more detailed information).
Layer 7 (RICH) Services (all models except the SA7200)
The SA8220 allows more flexible service fulfillment for RICH (Real-time Intelligent Content Handling) services. The service type RICH_HTTP is available on the SA8220 and enables it to make fulfillment decisions based on the content of the URL of each client HTTP request. RICH services also include advanced error detection, and automatic resubmission of HTTP requests under most error conditions.
As with HOT services above, fulfillment servers can be addressable by IP address, and thus can be on either local or wide area networks.
Out-of-Path Return (OPR)
Ordinarily, the SA8220 processes all traffic in both directions between clients and the server farm. Viewing the server return traffic helps the SA8220 accurately determine server response times and handle HTTP errors. Often, the volume of data sent from the server to the client is much larger than the traffic from client to server, and checking for HTTP errors is not required. In such situations, you can use OPR mode to increase performance. OPR is enabled by typing the following command:
config policygroup <name> service <name> server <name> port <port> mode [opr]
NOTE: OPR is not applicable to Layer 7 services.

Each server for which OPR is enabled must have its loopback interface configured to identify itself as the VIP of the brokered service. This allows the server to respond directly to the client. The server’s loopback interface, or an equivalent interface that will not respond to ARP requests, must be configured before setting up the SA8220 for OPR. For more information, please see “Configuring Out-of-Path Return” in Appendix D.

FTP Limitations

The table below lists those limitations of FTP on the SA8200.
Mode | Active FTP | Passive FTP
HOT | No | Yes
HOT with SAP | Yes | Yes (see below)
OPR | No | No
HOT with SAP does not change the server's IP address during Passive FTP because the server is making the connection directly to the client, using its real IP address. If the server's IP address is not a "real" IP address, this mode will not work.

Sticky Options

Some services operate best if all requests from a specific client during a single session are directed to the same fulfillment server. For example, if the server maintains a local database of client activity or context (shopping cart, registration info, navigation history, etc.), it is important that subsequent client requests go to the server with these database records. The SA8220's “sticky” options allow this to occur.
Sticky is available in the two modes shown below.
Mode: Description
Source IP address (“src-ip”): Requests from a given IP address are directed to a single server.
Cookie: The requesting browser is given a cookie, which subsequently identifies it as a unique requestor to be directed to a single server. This method uniquely identifies the client even if the request passes through a proxy server. RICH service is required.
Sticky source IP for SSL uses the SSL session ID for stickiness instead of the source IP of the client.
Both HTTP and HTTPS services can be RICH. However, incoming RICH SSL connections will always be decrypted and sent on to the fulfillment servers in clear text. Sticky cookie must be used when the clients need to remain stuck to the same server between HTTPS and HTTP.
There is no sticky cookie requirement for HTTPS traffic.
Each brokered service can be configured with sticky cookie, sticky IP, or no sticky option enabled. When a sticky option is configured, all client requests (identified according to the enabled sticky mode) during a session are routed to the same fulfillment server. When the sticky option is disabled, the SA8220 determines the best fulfillment server for each client request and directs them accordingly.
Sticky Persistence
For source-ip based sticky, the relationship between the client IP address and the fulfillment server remains in effect for the entire time the SA8220 is online or until the sticky timeout value expires. In the event of failover, the sticky relationship is lost. Cookie sticky remains in effect while the browser is running or until the sticky timeout value expires. Since the browser maintains the cookie, cookie sticky is maintained in the event of failover. The system clocks on both SA8220s must be synchronized for failover handling to work. You do this by enabling NTP (Network Time Protocol) using the Boot Monitor. The administrator can control the length of time a server is forced to handle serial requests from a single client using the sticky timeout value.
NOTE: SA7200 sticky support allows for source IP ONLY. All cookie sticky RICH services will be stuck to the same server for the duration of the sticky timeout value.
Sticky-timeout
The current software version for the SA8220 treats the timeout differently for cookie versus source-ip sticky. With source-ip sticky, the timeout is reset with every connection from the client (so that the timeout is effectively an "idle time"). With cookie sticky, the timeout starts with the first connection from the client to the server, and never gets reset. When the cookie expires, even if actively being used, the next connection will be load balanced to a new server.
We recommend that you set the cookie sticky timeout value to at least 1.5 times the maximum amount of time a user will expect to be stuck to a server. If you are uncertain of the exact setting, we recommend using 43200 seconds (12 hours).
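The two timer behaviours are easiest to compare side by side. The Python model below is an added illustration, not code from the appliance or from HP; the server names, the client address, the round-robin re-balancing, and the choice to treat a timer that has reached the timeout as expired are all assumptions.

```python
from dataclasses import dataclass, field
from itertools import cycle

# Constructed sample values: hypothetical server names and one client address.
SERVERS = ["web1", "web2", "web3"]
CLIENT = "192.0.2.10"


@dataclass
class StickyTable:
    """Toy model of one service's sticky table (not the appliance's code)."""
    mode: str                      # "src-ip" or "cookie", as in the CLI sticky option
    timeout: int                   # sticky-timeout, in seconds
    servers: list = field(default_factory=lambda: list(SERVERS))
    entries: dict = field(default_factory=dict)   # client -> (server, timer start)

    def __post_init__(self):
        if self.mode not in ("src-ip", "cookie"):
            raise ValueError("mode must be 'src-ip' or 'cookie'")
        # Assumption: plain rotation stands in for the real balancing decision,
        # so every re-balance visibly lands on a different server.
        self._pick = cycle(self.servers)

    def route(self, client, now):
        """Return the server that handles a connection arriving at time `now`."""
        entry = self.entries.get(client)
        # Assumption: a timer that has reached the timeout counts as expired.
        if entry is not None and now - entry[1] < self.timeout:
            server, started = entry
            if self.mode == "src-ip":
                # Source-IP sticky: each connection restarts the timer (idle time).
                self.entries[client] = (server, now)
            # Cookie sticky: the timer keeps running from the first connection.
            return server
        server = next(self._pick)
        self.entries[client] = (server, now)
        return server


def route_all(mode, timeout, arrivals):
    """Route one client's connections (arrival times in seconds) and list the servers."""
    table = StickyTable(mode, timeout)
    return [table.route(CLIENT, t) for t in arrivals]


def stays_stuck(mode, timeout, arrivals):
    """True if the client is served by one server for the whole session."""
    return len(set(route_all(mode, timeout, arrivals))) == 1


def cookie_timeout_for(max_session_seconds):
    """The guide's sizing rule: at least 1.5 times the longest expected session."""
    return int(max_session_seconds * 1.5)


# Constructed session: 50 minutes long, one request every 5 minutes.
SESSION = list(range(0, 3001, 300))

if __name__ == "__main__":
    for mode, timeout in (("src-ip", 1800), ("cookie", 1800),
                          ("cookie", cookie_timeout_for(3000))):
        print(mode, timeout, route_all(mode, timeout, SESSION))
```

With a 1800-second timeout the source-IP client stays on one server for the whole session, while the cookie client is moved to a second server 30 minutes in; sizing the cookie timeout with the 1.5 times rule keeps it on one server.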
Server-timeout (SA8200/SA8220 only)
A server timeout, which causes a change in servers, can appear as a cookie sticky state change. The recommended value for server timeout is at least 1.5 times the maximum server response time.
We recommend that you set the value to 120 seconds.
SSL and Sticky (SA8200/SA8220 only)
SSL (Secure Sockets Layer, or HTTPS)-enabled services can also be made sticky by specifying sticky cookie or sticky src-ip on the CLI. For SSL services, sticky cookie behaves exactly as it does for ordinary HTTP services. Source IP sticky uses the SSL session ID to maintain server context. The server relationship will not survive failover. As with sticky cookie, use of the session ID uniquely identifies the client even if the request passes through a proxy server.
Grouping Services
NOTE: RICH is required for sticky service grouping.
The SA8220's sticky capabilities can ensure that all service requests from the same user are routed to the same server. Enabling sticky cookie on multiple services ensures that requests from the same client will be routed to the same fulfillment server for the duration of the sticky relationship. Of course the server must be able to fulfill all service requests to have a true one-to-one client-server relationship.

SSL Acceleration (SA8200/SA8220 only)

The SA8220 is a powerful addition to any web site desiring high security levels. It was specifically created to manage secure traffic going to and from critical applications. It handles SSL traffic into and out of the customer's environment, as well as providing load balancing, fault management, and error recovery.
The SA8220 includes cryptographic software features and hardware-based acceleration. It provides up to 1200 SSL (HTTPS) connections per second (SA8220 only), far exceeding the performance of even the most powerful web servers on the market today.
The SA8220 allows users to offload SSL processing from their back end servers, and at the same time achieve full-featured traffic management. In a SA8220 environment, all encrypted traffic required by e-commerce applications is handled at the SA8220. The interaction between the SA8220 and the servers is done in the clear, allowing load balancing and session management.
SSL processing is enabled by assigning an RSA private key (RSA is a public-key encryption algorithm invented in 1977) and an X.509 certificate to a Layer 7 service. The SA8220 Command Line Interface (CLI) allows you to create or import keys and certificates when you define a service. Once the key and certificate are in place, secure HTTP (HTTPS) requests are decrypted and passed on to the web server. The SA8220’s dual NIC and packet filtering capabilities can be used to isolate the web servers from the Internet, further preventing unauthorized access.

SSL Fundamentals (SA8200/ SA8220 only)

SSL involves an interchange of keys used both to authenticate the parties and to provide information to securely encrypt confidential data. The keys distributed in this medium are one way, or asymmetric. That is, they can only be used to encrypt confidential data, and only the “owner” of the public key can decrypt the data once it is encrypted using the public key information. SSL assures the three things shown below.
Benefit: Description
Authenticity: Verifies the identities of the two parties
Privacy: None other than the transacting parties can access the information being exchanged.
Integrity: The message cannot be altered in transit between the two parties by a third party without the alteration being detected.
To establish a secure session with a server, the client sends a “hello” message to which the server responds with its certificate and an encryption methodology. The client then responds with an encrypted random challenge, which is used to establish the session keys. This method allows two parties to quickly establish each other's identities and establish a secure connection.
Several encryption methods are employed. Common ones are DES, 3DES, RC2, and RC4. Key size can be varied to determine the level of security desired. A longer key is more secure.
The SA8220 supports all common keys and ciphers, as well as the following encryption methods: DES, DES3, and RC2 & RC4. The SA8220 includes a licensed version of the RSA code embedded in the security module as well. The device's session management software has been certified by prominent security agencies and meets all standards for SSL traffic.
The SA8220 handles all the handshaking, key establishment, and bulk encryption for SSL transactions. Essentially, the SA8220 is a full-featured, SSL-enabled web server. Traditionally, these functions