Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
Publication Number
5971-0900
February 2001
Disclaimer
The information contained in this document is subject to change
without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for
errors contained herein or for incidental or consequential damages in
connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability
of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from
http://www.hp.com/serverappliances/support.
*Other brands and names are the property of their respective owners.
Contents
Chapter 1: Introduction
Introduction to the Traffic Director Server Appliances
HP Traffic Director Server Appliances User Guide
Introduction
This chapter covers the following topics:
• Introduction to the Traffic Director Server Appliances
• Assumptions
• Benefits
• Specifications
• Typographic Conventions
NOTE: For ease of reading, all models are referred to as the SA8220
throughout this document. Unless noted otherwise, all SA8220
references refer to all models.
Introduction to the Traffic Director Server Appliances
The HP e-Commerce Traffic Director Server Appliance SA8200/
SA8220s and the HP Traffic Director Server Appliance SA7200/
SA7220s provide reliable load balancing, failover, and policy-based
management to Web sites, Intranets, and e-Commerce sites. These
models also include intelligent content routing, and are the best load
balancing solution available for the reasons shown below.
• The SA8220 provides 7 x 24 uptime through failover systems and
the inherent robustness of leading network protocols.
• The SA8220-managed configurations offer many features and
capabilities that improve the availability and reliability of
server-based services.
• The SA8220 allows system administrators to implement classes of
service, assign priority levels, and set target response times.
• The SA8220 takes application-aware routing to a new level with
the ability to segment Internet content according to the requested
URL.
• Application intelligence allows the SA8220 to understand and
correct application errors transparently to the end user.
• The SA8220 can offload encrypted web traffic (HTTPS), providing
a significant performance improvement over web server based
Secure Sockets Layer (SSL) processing.
Assumptions
This User Guide assumes that you are a network administrator and
that you have at least a basic understanding of the following:
• Networking concepts and terminology
• Network topologies
• Networks and IP routing
Benefits
SA8220 benefits are listed below.
Benefit: Substantial performance boost and reliability for e-Commerce (SA8200/SA8220 only)
Description: The SA8220 can increase the speed, scalability, and reliability of multi-server e-Commerce sites. It regains the speed lost by servers processing secure transactions by delivering faster SSL processing. It integrates SSL processing with third generation traffic management technology, eliminating errors and improving Quality of Service (QoS). This unique capability ensures that customers working with sensitive information or buying online receive timely responses, do not see error messages, and are confident that delivery of their information is kept private.

Benefit: Up to 150 times SSL acceleration (SA8200/SA8220 only)
Description: E-Commerce sites suffer dramatic performance degradation as secure transactions increase. Using patent-pending technology to perform cryptographic processing offloaded from the server, the SA8220 (only) can support up to 1200 SSL connections per second.
The SA8220 enables e-Commerce sites to transact secure business and deliver sensitive information quickly, and confidentially. It performs all key management and encryption. The result is a tremendous performance boost for heavily trafficked e-Commerce sites.

Benefit: Substantial economic benefits (SA8200/SA8220 only)
Description: The SA8220 improves customer satisfaction by improving the response time for secure transactions. E-Commerce sites can now enjoy the benefits provided by having secure transactions participate in layer 7 intelligent traffic management. This creates substantial economic savings for e-Commerce sites through improved customer satisfaction, lower cost of ownership, and reduced server provisioning requirements.

Benefit: SSL acceleration and intelligent traffic management benefits (SA8200/SA8220 only)
Description: Performance degrades dramatically as more customers access a site in secure SSL mode, frustrating to the very customers who are trying to make a purchase. The SA8220 is essential to providing high performance and superior levels of service when building reliable, scalable, and secure e-Commerce sites.
• Off-loading SSL handling from e-Commerce servers improves overall site performance and customer response time
• Accelerated SSL processing eliminates over-provisioning capacity
• Lower processing demands on the server creates greater capacity for your e-Commerce site
• Drop-in installation avoids impacting your mission critical e-Commerce servers
• Response-time based prioritized service for secure transactions
• Improved responsiveness, reliability, and QoS for secure transactions means delivering the highest levels of support for paying customers
• Ensures that e-Commerce merchants are always open for business by preventing “Server Too Busy” and “File Not Found” errors, even for secure transactions

Benefit: Intelligent content routing for SSL transactions (SA8200/SA8220 only)
Description: The SA8220 incorporates intelligent traffic management for secure transactions, dramatically improving an e-Commerce site’s responsiveness, reliability, and QoS. While typical traffic management devices make decisions based only on information at Layer 4 in the network stack, the SA8220 combines Layer 4 through 7 (application/content) awareness to speed up response times and eliminate error messages for secure transactions. It keeps e-Commerce sites open for business, even during back-end transaction problems or content glitches.

Benefit: Intelligent session recovery for transactions (all models except the SA7200)
Description: The SA8220 provides Intelligent Session Recovery technology for transactions. By monitoring content within the response sent back by the server, Intelligent Session Recovery detects HTTP 400, 500, or 600 series errors, transparently rolls back the session, and redirects the transaction to another server until the request is fulfilled.

Benefit: Response-time based prioritized service for secure transactions
Description: The SA8220 enables system administrators to implement varying classes of service, assign priority levels, and set target response times for secure transactions. The SA8220 continually measures the response times of each class of service group and assigns incoming requests to the server that can fulfill those requests within the predefined response time. If the response time exceeds the predefined threshold, requests designated as high priority receive preference over those of lower priority. The SA8220 allows you to offer predictable performance for high-priority secure requests.
Specifications
SA8220 specifications are listed below.
Specification | Description | SA7200 SA7220 SA8200/SA8220
Servers supported | Any Web server (Apache, Microsoft, Netscape, etc.) | XXX
 | Any operating system (UNIX*, Solaris*, Windows NT*, BSD*/BSDI*, AIX*, etc.) | XXX
 | Any server hardware (SUN, HP, IBM, Compaq, SGI, Intel-based platforms, etc.) | XXX
 | No practical limit on number of servers | XXX
System Administration | Command line interface | XXX
 | Web-based GUI | XXX
 | SNMP monitoring (MIB II and Private MIB) | XXX
 | Dynamic configuration through password-protected serial console, telnet, SSH v1, and SSH v2 | XXX
Performance | SA8220 is rated up to 1200 HTTPS connections/sec, 2500 RICH HTTP connections/sec, 3500 HOT connections/sec, 95 Mb/sec. SA8200 is rated up to 600 HTTPS connections/sec, 1300 RICH HTTP connections/sec, 2800 HOT connections/sec. Both the SA8200 and the SA8220 are rated up to 6600 Max HTTP/HTTPS/sec. |
 | Layer 7 traffic management | XX
 | Patent-pending technology offloads all cryptographic processing from server |
Dimensions | Mounting: Standard 19-inch rack mount | XXX
 | Height: 3.5 inches (8.9 cm) | XXX
 | Width: 17 inches (43.2 cm) | XXX
 | Depth: 20.16 inches (51.21 cm) for the SA7200, SA7220, and SA8220 |
 | Depth: 23.75 inches (60.3 cm) for the SA8200 |
Weight | 24 pounds (10.89 kg) | XXX
Interface Connections | Dual 10/100 Ethernet | XXX
 | TTY Serial - console | XXX
 | Failover port | XXX
Transparent Operation | Supports single or multiple Virtual IP (VIP) addresses per domain | XXX
Priority Classes | Application/protocol types supported: Any TCP Port, e.g., HTTP, HTTPS, FTP | XXX
Intelligent Content Routing | Content: URL, file types such as *.GIF, file paths such as \ads\, file names such as Index.html | XX
 | Transactions: Transaction types such as *.CGI | XX
Intelligent Session Recovery (HTTPS is available on the SA8200/SA8220 only) | Automatically resubmits requests | XX
 | Traps 400, 500, and 600 series errors for HTTP and HTTPS | XX
Response-time based Priority (for secure and non-secure transactions) | Sets and enacts target response times | XX
 | Real-time performance monitoring | XX
 | Automatic server weighting and tuning | XX
 | Server-state aware (“sticky”) based on: |
 | - Source IP | XXX
 | - SSL session ID | X
 | - HTTP cookie | XX
System Fault Tolerance | Single site, single or multiple connections | XXX
 | Automatic detection of status change and health of servers | XXX
 | Intelligent Resource Verification (IRV) | XXX
Security Features Supported | SSL v2 and v3 for transaction security | XX
 | SSH for secure Command Line Interface | XX
 | IP filtering | XX
 | Serial port logon | XX
Typographic Conventions
The following typographic conventions are used throughout this
manual.
ONE MODEL NUMBER (SA8220): For ease of reading, all models
are referred to as the SA8220 throughout this document. Unless
noted otherwise, all SA8220 references refer to all models.
NOTES clarify a point, emphasize vital information, or describe
options, alternatives, or shortcuts.
NOTE: This is an example of a note.
CAUTIONS are designed to prevent possible mistakes that could
result in injury or equipment damage.
CAUTION: This is an example of a caution.
WARNINGS alert you to potential hazards to life or limb. Except for
tables, warnings are always found in the left margin.
NUMBERED LISTS indicate step-by-step procedures that you must
follow in numeric order, as shown below:
1. This is the first step.
2. This is the second step.
3. This is the third step, etc.
BULLETED LISTS indicate options or features available to you, as
shown below:
• The first feature or option
• The second feature or option
• The third feature or option, etc.
ITALICS are used for emphasis or to indicate onscreen controls, as
shown in this example:
4. To edit the configuration settings, press the Configure tab.
COMMANDS are shown in the following ways:
• Any command or command response text that appears on the
terminal is presented in the courier font.
• Any text that you need to type at the command line appears in
bold courier, for example:
HP SA8220/config/policygroup#create gold
• Angled brackets (< >) designate where you enter variable
parameters
• Straight brackets ([ ]) show parameter choices, separated by
vertical bars
• Braces ({ }) show optional commands and parameters
• VERTICAL BARS ( | ) separate the choices of input parameters
within straight brackets. You can choose only one of the set of
choices separated by vertical bars. Do not include the vertical
bar in the command.
Theory of Operations
This chapter covers the following topics:
• Services
• FTP Limitations
• Sticky Options
• SSL Acceleration (SA8200/SA8220 only)
• Load Balancing Across Multiple Servers
• Server Configuration Options
• Routing with Dual Interfaces
• Prioritization and Policy Groups
• Error Detection
• Serial Cable Failover
NOTE: For ease of reading, all models are referred to as the SA8220
throughout this document. Unless noted otherwise, all SA8220
references refer to all models. Also, all references to “RICH”
functionality or “Expressions” in this chapter do not apply to
the SA7200.
General Operating Principles
This chapter discusses the general operating principles for the HP e-Commerce Traffic Director Server Appliance SA8200/SA8220s, and
the Traffic Director Server Appliance SA7200/SA7220s. For details
about the SA8220 command set, please see “Command Line
Interface” in Chapter 5. For information about completing specific
tasks, please see “Scenarios” in Chapter 6.
Services
NOTE: The sample commands used in this chapter are meant as
examples only.
Services are the virtual resources that the SA8220 provides to
network clients. Services are defined by their Virtual Internet
Protocol (VIP) address and virtual port number. The SA8220 load
balances network client requests for a service by receiving requests
from the user and directing them for fulfillment to the most
appropriate resource in the provider's server farm. Services are
defined and created within Policy Groups (please see “Prioritization
and Policy Groups” in Chapter 2) and are managed using the following
commands:
HOT services provide very fast brokering performance. HOT
services are defined in full by their VIP and port number.
In HOT or “Brokered” mode, the SA8220 performs Network Address
Translation (NAT) on all incoming packets passing through the
connection. NAT changes the destination IP address and port of
incoming packets to those of the selected fulfillment server. The
source IP address is modified to be that of the SA8220.
Fulfillment servers can be addressable by IP address, and thus can be
on either local or wide area networks.
By default in HOT mode, the fulfillment server sees all requests as
coming from the SA8220 rather than from the actual client. In some
environments, it may be desirable to have the fulfillment server see
the requests as if they were coming directly from the client. The
Source Address Preservation (SAP) mode of the SA8220 allows this
to happen (see “Source Address Preservation” for more detailed
information).
Layer 7 (RICH) Services (all models except the SA7200)
The SA8220 allows more flexible service fulfillment for RICH (Real-time Intelligent Content Handling) services. The service type
“RICH_HTTP” is available on the SA8220 and enables it to make
fulfillment decisions based on the content of the URL of each client
HTTP request. RICH services also include advanced error detection,
and automatic resubmission of HTTP requests under most error
conditions.
As with HOT services above, fulfillment servers can be addressable
by IP address, and thus can be on either local or wide area networks.
Out-of-Path Return (OPR)
Ordinarily, the SA8220 processes all traffic in both directions
between clients and the server farm. Viewing the server return traffic
helps the SA8220 accurately determine server response times and
handle HTTP errors. Often, the volume of data sent from the server
to the client is much larger than the traffic from client to server, and
checking for HTTP errors is not required. In such situations, you can
use OPR mode to increase performance. OPR is enabled by typing the
following command:
config policygroup <name> service <name> server <name> port <port> mode [opr]
NOTE: OPR is not applicable to Layer 7 services.
Each server for which OPR is enabled must have its loopback
interface configured to identify itself as the VIP of the brokered
service. This allows the server to respond directly to the client. The
server’s loopback interface, or an equivalent interface that will not
respond to ARP requests, must be configured before setting up the
SA8220 for OPR. For more information, please see “Configuring
Out-of-Path Return” in Appendix D.
FTP Limitations
The table below lists those limitations of FTP on the SA8200.
Mode | Active FTP | Passive FTP
HOT | No | Yes
HOT with SAP | Yes | Yes (see below)
OPR | No | No
HOT with SAP does not change the server's IP address during Passive
FTP because the server is making the connection directly to the client,
using its real IP address. If the server’s IP address is not a "real" IP
address, this mode will not work.
Sticky Options
Some services operate best if all requests from a specific client during
a single session are directed to the same fulfillment server. For
example, if the server maintains a local database of client activity or
context (shopping cart, registration info, navigation history, etc.), it is
important that subsequent client requests go to the server with these
database records. The SA8220's “sticky” options allow this to occur.
Sticky is available in the two modes shown below.
Mode | Description
Source IP address (“src-ip”) | Requests from a given IP address are directed to a single server.
Cookie | The requesting browser is given a cookie, which subsequently identifies it as a unique requestor to be directed to a single server. This method uniquely identifies the client even if the request passes through a proxy server. RICH service is required.
Sticky source IP for SSL uses the SSL session ID for stickiness
instead of the source IP of the client.
Both HTTP and HTTPS services can be RICH. However, incoming
RICH SSL connections will always be decrypted and sent on to the
fulfillment servers in clear text. Sticky cookie must be used when the
clients need to remain stuck to the same server between HTTPS and
HTTP.
There is no sticky cookie requirement for HTTPS traffic.
Each brokered service can be configured with sticky cookie, sticky
IP, or no sticky option enabled. When a sticky option is configured,
all client requests (identified according to the enabled sticky mode)
during a session are routed to the same fulfillment server. When the
sticky option is disabled, the SA8220 determines the best fulfillment
server for each client request and directs them accordingly.
Sticky Persistence
For source-ip based sticky, the relationship between the client IP
address and the fulfillment server remains in effect for the entire time
the SA8220 is online or until the sticky timeout value expires. In the
event of failover, the sticky relationship is lost. Cookie sticky remains
in effect while the browser is running or until the sticky timeout value
expires. Since the browser maintains the cookie, cookie sticky is
maintained in the event of failover. The system clocks on both
SA8220s must be synchronized for failover handling to work. You do
this by enabling NTP (Network Time Protocol) using the Boot
Monitor. The administrator can control the length of time a server is
forced to handle serial requests from a single client using the sticky
timeout value.
NOTE: SA7200 sticky support allows for source IP ONLY. All cookie
sticky RICH services will be stuck to the same server for the duration of
the sticky timeout value.
Sticky-timeout
The current software version for the SA8220 treats the timeout
differently for cookie versus source-ip sticky. With source-ip sticky,
the timeout is reset with every connection from the client (so that the
timeout is effectively an "idle time"). With cookie sticky, the timeout
starts with the first connection from the client to the server, and never
gets reset. When the cookie expires, even if actively being used, the
next connection will be load balanced to a new server.
We recommend that you set the cookie sticky timeout value to at least
1.5 times the maximum amount of time a user will expect to be stuck
to a server. If you are uncertain of the exact setting, we recommend
using 43200 seconds (12 hours).
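The difference between the two timeout behaviours is easiest to see by replaying one client's connections against both modes. The following is an added example, not HP code: a small model in which the class and function names, the server names and the round-robin stand-in for the balancing algorithm are all assumptions, and an entry is treated as expired once the timeout has fully elapsed.

```python
"""Constructed model of the two sticky-timeout behaviours; not appliance code."""
import math


class StickyTable:
    """Maps a client key (source IP or cookie value) to a fulfillment server."""

    def __init__(self, mode, timeout, servers):
        if mode not in ("src-ip", "cookie"):
            raise ValueError("mode must be 'src-ip' or 'cookie'")
        self.mode = mode
        self.timeout = timeout          # sticky timeout, in seconds
        self.servers = list(servers)
        self._entries = {}              # client key -> (server, expiry time)
        self._picked = 0

    def _balance(self):
        # Round-robin stands in for whichever balancing algorithm is configured.
        server = self.servers[self._picked % len(self.servers)]
        self._picked += 1
        return server

    def connect(self, client, now):
        """Return the server that handles a connection arriving at time `now`."""
        entry = self._entries.get(client)
        if entry is not None and now < entry[1]:
            server, expiry = entry
            if self.mode == "src-ip":
                # Source-IP sticky: every connection restarts the timer (idle time).
                expiry = now + self.timeout
            # Cookie sticky: expiry stays fixed at first connection + timeout.
            self._entries[client] = (server, expiry)
            return server
        # No entry, or it has expired: balance to a server and start a new timer.
        server = self._balance()
        self._entries[client] = (server, now + self.timeout)
        return server


def simulate(mode, timeout, connection_times, servers=("web1", "web2", "web3")):
    """Servers seen by one client that connects at each time in connection_times."""
    table = StickyTable(mode, timeout, servers)
    return [table.connect("client-a", t) for t in connection_times]


def recommended_cookie_timeout(max_stuck_seconds):
    """The guide's rule of thumb: at least 1.5 times the longest expected session."""
    return math.ceil(1.5 * max_stuck_seconds)


if __name__ == "__main__":
    every_ten_minutes = range(0, 3 * 3600 + 1, 600)   # an active client, 3 hours
    for mode in ("src-ip", "cookie"):
        seen = simulate(mode, 3600, every_ten_minutes)
        changes = sum(a != b for a, b in zip(seen, seen[1:]))
        print(f"{mode:7s} timeout=3600s: {changes} server change(s)")
    print("8 h session ->", recommended_cookie_timeout(8 * 3600), "s")
```

With a one-hour timeout, the active client keeps its server under source-IP sticky but is moved to a new server every hour under cookie sticky, which is why server-side session state needs the longer cookie timeout.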
Server-timeout (SA8200/SA8220 only)
A server timeout, which causes a change in servers, can appear as a
cookie sticky state change. The recommended value for server
timeout is at least 1.5 times the maximum server response time.
We recommend that you set the value to 120 seconds.
SSL and Sticky (SA8200/SA8220 only)
SSL (Secure Sockets Layer, or HTTPS)-enabled services can also be
made sticky by specifying “sticky cookie” or “sticky src-ip” on the
CLI. For SSL services, sticky cookie behaves exactly as it does for
ordinary HTTP services. Source IP sticky uses the SSL session ID to
maintain server context. The server relationship will not survive
failover. As with sticky cookie, use of the session ID uniquely
identifies the client even if the request passes through a proxy server.
Grouping Services
The SA8220's sticky capabilities can ensure that all service requests
from the same user are routed to the same server. Enabling sticky
cookie on multiple services ensures that requests from the same client
will be routed to the same fulfillment server for the duration of the
sticky relationship. Of course the server must be able to fulfill all
service requests to have a true one-to-one client-server relationship.
NOTE: RICH is required for sticky service grouping.
SSL Acceleration (SA8200/SA8220 only)
The SA8220 is a powerful addition to any web site desiring high
security levels. It was specifically created to manage secure traffic
going to and from critical applications. It handles SSL traffic into and
out of the customer's environment, as well as providing load
balancing, fault management, and error recovery.
The SA8220 includes cryptographic software features and hardware-based acceleration. It provides up to 1200 SSL (HTTPS) connections
per second (SA8220 only), far exceeding the performance of even the
most powerful web servers on the market today.
The SA8220 allows users to offload SSL processing from their back-end
servers, and at the same time achieve full-featured traffic
management. In a SA8220 environment, all encrypted traffic—
required by e-commerce applications—is handled at the SA8220.
The interaction between the SA8220 and the servers is done in the
clear, allowing load balancing and session management.
SSL processing is enabled by assigning an RSA private key (RSA is a
public-key encryption algorithm invented in 1977) and an X.509 certificate
to a Layer 7 service. The SA8220 Command Line Interface (CLI)
allows you to create or import keys and certificates when you define a
service. Once the key and certificate are in place, secure HTTP
(HTTPS) requests are decrypted and passed on to the web server. The
SA8220’s dual NIC and packet filtering capabilities can be used to
isolate the web servers from the Internet, further preventing
unauthorized access.
SSL Fundamentals (SA8200/SA8220 only)
SSL involves an interchange of keys used both to authenticate the
parties and to provide information to securely encrypt confidential
data. The keys distributed in this medium are “one way,” or
asymmetric. That is, they can only be used to encrypt confidential
data, and only the “owner” of the public key can decrypt the data once
it is encrypted using the public key information. SSL assures the three
things shown below.
Benefit | Description
Authenticity | Verifies the identities of the two parties
Privacy | None other than the transacting parties can access the information being exchanged.
Integrity | The message cannot be altered in transit between the two parties by a third party without the alteration being detected.
To establish a secure session with a server, the client sends a “hello”
message to which the server responds with its certificate and an
encryption methodology. The client then responds with an encrypted
random challenge, which is used to establish the session keys. This
method allows two parties to quickly establish each others’ identities
and establish a secure connection.
Several encryption methods are employed. Common ones are DES,
3DES, RC2, and RC4. Key size can be varied to determine the level
of security desired. A longer key is more secure.
The SA8220 supports all common keys and ciphers, as well as the
following encryption methods: DES, DES3, and RC2 & RC4. The
SA8220 includes a licensed version of the RSA code embedded in the
security module as well. The device's session management software
has been certified by prominent security agencies and meets all
standards for SSL traffic.
The SA8220 handles all the handshaking, key establishment, and
bulk encryption for SSL transactions. Essentially, the SA8220 is a
full-featured, SSL-enabled web server. Traditionally, these functions
are performed either at the server level, by web servers generally
providing SSL functionality by way of standalone software
components, or by embedded encryption software.
The HP methodology places encryption processing on the network
side, thus eliminating the need for processing on the servers (see the
figure on the next page). The servers never see any of the SSL
connection dialogue or the encrypted data. This removes a substantial
processing load from the servers allowing improved response times
and greater availability of system resources.
Figure: Basic SSL Operations
Panel 1 (Client and Servers; labelled “Encrypted Traffic”):
1. Client connects to server
2. Server responds with certificate
3. Client encrypts random key
4. Server generates working key
5. Session established
Panel 2 (Client, SA8220, and Servers):
1. Client connects to SA8220 with ClientHello
(includes ciphers supported)
2. SA8220 responds with SSL ServerHello
(includes selected cipher & session ID)
3. SA8220 sends certificate for server
4. Client sends ClientKeyExchange message;
includes PK (session key)
5. SA8220 and client send ChangeCipherSpec
message to indicate readiness
6. SA8220 and client send "finished" messages;
includes hash of whole conversation
7. Encrypted data sent to SA8220, decrypted and
forwarded to least busy server
8. Clear response sent to SA8220, encrypted and
sent to client.
Application Message Traffic Management
The SA8220 was developed to perform load balancing in SSL
environments. The SA8220 allows users to load balance based on
application content (Layer 7, or RICH mode), as well as server
address and port (Layer 4, or HOT mode). SSL management is
handled independently of RICH mode processing. That is, once a
session is established and the message is decrypted, it is passed to the
SA8220’s RICH processing component. This allows even SSL traffic
to take full advantage of the features of the device, including error
recovery and session rollback.
The SA8220 allows non-encrypted traffic to be processed
independently of SSL traffic. The advantage of this is that it permits
load balancing (in either HOT or RICH mode) configuration on a per
virtual IP address, thus allowing you to isolate the impact of the SSL
processing. Many users tune their sites for maximum performance by
assigning HOT load balancing to all traffic except SSL.
One of the other advantages of the SA8220 is its ability to recognize SSL
session IDs. This permits “sticky” (or persistent) sessions to be
established on a given server.
HTTPS Redirect
If desired, you can specify a page to return to the client if a successful
session cannot be negotiated because the client does not support the
required cipher suite. The SA8220 accomplishes this by sending an
HTTP 302 “redirect” message back to the client in the case of a cipher
negotiation failure. For example: The server supports 128-bit
encryption, but the client’s software is only capable of 40-bit
encryption.
The CLI parameter redirectpage=<URL> allows you to set which
page the client is redirected to, where <URL> is the fully qualified
location of the page. For example:
redirectpage=http://www.companyname.com/error.html
The default configuration file setting is: redirectpage=none.
Fulfillment of each virtual service is load balanced across a number
of real servers depending on the load balancing algorithm chosen.
Servers capable of fulfilling requests for a service are identified and
managed with the following commands:
config policygroup <name> service <name> server delete <name> port <port>
config policygroup <name> service <name> server create <name> port <port>
Client Authentication
By default, the SA8200/SA8220 does not authenticate client
identities; however you can configure services to request client
certificates for the purpose of verifying identities. When you enable
this feature, the SA8200/SA8220 verifies that client certificates are
signed by a known CA.
Issued client certificates are expected to be in use for their entire
validity period. The CA periodically issues a signed data structure,
called a Certificate Revocation List (CRL), containing the serial
numbers of all expired certificates. You can configure the SA8200/
SA8220 to obtain and use a CRL using LDAP, HTTP or FTP
protocols. The SA8200/SA8220 first verifies a client certificate
against the installed CA certificate, and then looks up its serial
number in the installed CRL. If the serial number exists in the CRL,
then the client connection is terminated. Before the connection is
closed, the SA8200/SA8220 returns a message to the client indicating
that the client’s certificate was revoked.
HTTP Header Option Fields
Both the SA7220 and the SA8200/SA8220 can make the IP address
of a requesting client available to a fulfillment server by constructing
a custom HTTP header option, with the client’s IP as the value:
HP_SOURCE_IP:<client-IP>
SSL-related HTTP header option fields are only used by the SA8200/
SA8220 with any SSL service. The HP_CIPHER_USED header
option is used whenever HP_SOURCE_IP is used, to provide the
name of the SSL-cipher negotiated between the SA8200/SA8220 and
the client:
HP_CIPHER_USED:<ssl-cipher>
These two header fields are used only by the SA8200/SA8220 when
client authentication is in use:
Because a client certificate contains information useful for client/user
authorization, the SA8200/SA8220 inserts the client certificate in the
request header before sending the request to the server. The server
can then extract the certificate from the request header and use it for
authorization or other purposes.
The client certificate is inserted in the request header only once per
session. Requests following the initial request will be sent to the
server with only the SSL-session-id in the header. The SSL-session-id
is unique for each session and allows the server to work with
multiple sessions. The client certificate is inserted in the request
header with a new SSL-session-id only when the client certificate has
been re-negotiated between the SA8200/SA8220 and the client:
• New Session/Initial Request: SA8200/SA8220 sends both the
HP_CLIENT_CERTIFICATE and HP_SESSION_ID header
options.
The use of header option fields is an efficient way of supplying
information to the server about the client. To ease the use of this
important feature, SA7220/SA8200/SA8220 allows customization of
all the above header option field names. For more information, see
Chapter 5.
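The header option fields above are only as trustworthy as the path they arrive on. The Python sketch below is an added example, not code from HP or from the appliance: it shows a fulfillment server that honors the fields only when the connection comes from the appliance and that caches the certificate per session id, since the certificate is sent only once per session. The trusted address, the class and function names, and the treatment of the certificate as an opaque string are assumptions.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption: the address the appliance uses toward the server farm (constructed value).
TRUSTED_APPLIANCES = frozenset({"10.6.5.21"})

# Default field names from this section (the guide notes they can be customized).
SOURCE_IP = "HP_SOURCE_IP"
CIPHER = "HP_CIPHER_USED"
CLIENT_CERT = "HP_CLIENT_CERTIFICATE"
SESSION_ID = "HP_SESSION_ID"
APPLIANCE_FIELDS = (SOURCE_IP, CIPHER, CLIENT_CERT, SESSION_ID)


@dataclass(frozen=True)
class ClientContext:
    source_ip: str                 # address to log and make decisions on
    cipher: Optional[str]
    certificate: Optional[str]     # opaque header value; its encoding is not assumed
    ignored_fields: tuple = ()     # appliance fields dropped because the peer was untrusted


class SessionCertCache:
    """Remembers the certificate sent with the first request of each SSL session."""

    def __init__(self, max_sessions: int = 10000):
        self._certs: "OrderedDict[str, str]" = OrderedDict()
        self._max = max_sessions

    def resolve(self, peer_addr: str, headers: Mapping[str, str]) -> ClientContext:
        # HTTP field names are case-insensitive, so normalize before lookup.
        fields = {k.upper(): v.strip() for k, v in headers.items()}
        present = tuple(f for f in APPLIANCE_FIELDS if f in fields)

        # A peer other than the appliance could have written these fields itself,
        # so they carry no authority: fall back to the socket peer address.
        if peer_addr not in TRUSTED_APPLIANCES:
            return ClientContext(peer_addr, None, None, present)

        session = fields.get(SESSION_ID)
        cert = fields.get(CLIENT_CERT)
        if cert and session:
            # New session or re-negotiation: the certificate is sent once.
            self._certs[session] = cert
            self._certs.move_to_end(session)
            while len(self._certs) > self._max:
                self._certs.popitem(last=False)   # evict the oldest session
        elif session:
            # Later request in the session: only the id is sent, so look it up.
            cert = self._certs.get(session)
        else:
            cert = None   # a certificate without a session id cannot be tracked

        return ClientContext(fields.get(SOURCE_IP, peer_addr), fields.get(CIPHER), cert)
```

A request whose session id is unknown to the cache resolves to no certificate, so the server should treat it as unauthenticated rather than reuse an earlier identity.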
Load Balancing Across Multiple Servers
Balancing Algorithms
The SA8220 provides a choice of load balancing algorithms. Services
can be separately configured to load balance using a round-robin or a
response time algorithm. In most networks, the best performance
results from use of the response time algorithm. Under this algorithm,
the SA8220 measures the response time of each request to each server
in the server farm. It then balances requests to the service among the
servers, sending more requests to the fastest servers and fewer to the
slower ones, thus optimizing the average response time.
In cases where Out-of-Path Return (please see “Out-of-Path Return
(OPR)” in Chapter 2) is used in unpredictable WAN environments,
response time metrics may be obscured by WAN latency variance. In
these situations, round-robin load balancing can provide equal
distribution of client requests to each fulfillment server.
The balancing algorithm is specified with the command:
config policygroup <name> service <name>
balancing [robin | load]
Response-Time Metrics
For both balancing algorithms, servers can be assigned target
response times. These values indicate the desired average response
time for requests for specified services to be fulfilled, and instruct
the SA8220 to use alternate resources for fulfillment if the average
response time exceeds the target response time. Target response time is
controlled with the following command:
config policygroup <name> service <name>
response <mil-seconds>
If the servers do not meet the specified response time threshold,
backup servers, if available and enabled, are activated. In addition,
the servers providing lower priority services are throttled if the
response time is still not being met (if throttle is enabled in the
policygroup). Both mechanisms are available for both of the
load-balancing algorithms.
Primary and Backup Servers
Each server is identified as either a Primary or Backup for a given
service. Primary servers are always considered first for request
fulfillment. By default, Backup servers are considered for use only if
a primary server goes down, though they can optionally be
configured for use to maintain target response times. A server’s type
is established with the following command:
config policygroup <name> service <name> server
<name> port <port> type [primary | backup]
Backup servers are enabled to maintain target response times with the
following command:
config policygroup <name> service <name> backups
[enable | disable]
Server Configuration Options
NOTE: For the SA8220 to operate in SAP mode, the default gateway for
each SAP-enabled server must be set to the SA8220’s physical IP
address, not the VIP.
Source Address Preservation
By default, brokered service requests arriving at a fulfillment server
appear to the server as requests originating from the SA8220.
Consequently, server log files record the SA8220 as the source of
these requests. When Source Address Preservation (SAP) is enabled,
however, the SA8220 preserves the original source addresses of
requests delivered to the server farm. If you use the log files from
your server farm to gather information based on client source
addresses, use Source Address Preservation. SAP is controlled with
the following command:
config policygroup <name> service <name> server
<name> port <port> mode [sap]
SAP cannot be used in WAN or multiple router LAN environments.
To use SAP, each server must be configured so that its default
gateway is set to the physical IP address of the SA8220, thus there can
be no routers between the SA8220 and the fulfillment servers.
Limitations of SAP mode operation are listed below:
•The client machine cannot be on the same subnet as the SA8220.
•The SA8220 and server must be on the same subnet.
When SAP is enabled, serial cable failover is the only failover
option—routing failover is not available.
Multi-hop Source Address Preservation
It is possible in sophisticated network topologies to require requests
to pass through two SA8220s. In such configurations, the SA8220
topologically closest to the clients must be configured with the
Multi-hop Source Address Preservation (MSAP) feature enabled.
MSAP allows requests to pass through two cascaded SA8220s in
different geographical areas. Enabling MSAP ensures that the actual
IP addresses of requesting clients, rather than the virtual IP address of
the SA8220 that delivered the request, are recorded in the server logs.
This is similar to SAP (described in the preceding section), however
this feature allows SA8220s to be geographically-dispersed, as
shown below.
NOTE: In most configurations, the default setting (MSAP disabled) is
required.
[Figure: MSAP on a Geographically-Dispersed Network. Labels: Boston,
San Diego, Client, Server 1, SA8220 #1 with MSAP Enabled, SA8220 #2
with MSAP Disabled.]
In the figure above, a client in San Diego sends a request to a
fulfillment server in Boston. MSAP is enabled on SA8220 Broker 1,
and Server 1’s default route is set to SA8220 Broker 2. The SA8220
Broker 2 doesn’t need SAP enabled for this service, since SAP is
automatically used on MSAP requests from SA8220 Broker 1. Under
this configuration, the San Diego client's IP address will be preserved
in the Boston fulfillment servers' logs. MSAP is enabled at the CLI
with the following command:
config policygroup <policy-name> service
<service-name> server <server-name>
port < > msap [enable]
RICH Expressions (not available on the SA7200)
Layer 7 RICH_HTTP service configurations use rich expressions to
assign particular classes of URLs to particular servers for fulfillment.
RICH expressions are used, for example, to distinguish content
requested by clients performing online transactions, from content
typically requested by casual browsers. In this way, users performing
online transactions are given higher priority access to server
resources (and better response times) than other users.
Each server listed for fulfillment of a RICH_HTTP service can be
configured to serve any number of specific rich expressions.
Applicable expressions are listed below:
•File type expressions, such as *.gif, or */index.html
•Path expressions, such as /home/*, or /home/images/*, or
/home/images/a*.
•Unique file expressions, such as /index.html
•Wildcard expression, such as *.
•Negation expressions, such as !*.gif or !*/index.html
RICH expressions are managed with the following commands:
config policygroup <name> service <name> server
<name> port <port> expression create
<expression>, and
config policygroup <name> service <name> server
<name> port <port> expression delete
<expression>
NOTE: The “*” and “!” are allowed in expressions, but they can only
exist at the beginning or end of the expression. Also, a positive
expression is required after a not (!) expression, otherwise the (!)
expression has no effect.
Order of Expressions (not available on the SA7200)
When using expressions in Layer 7 (RICH) operations, the order of
expressions is significant only when the "not" (!) operator is used.
Expressions are described below.
Expression         Yields
!*.gif;*           All non-GIF files
*;!*.gif           All files, because after specifying “all” (*), the
                   !*.gif expression is never reached
!*.html;/home/*    Matches all requests of the form “/home/*”
                   except HTML files
/home/*;!*.html    Matches all files of the form “/home/*.” The
                   !*.html has no effect.
!/home/*           No matches
!/home/*;*         All matches except ones starting with "/home"
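The ordering rules in the table can be reproduced with a first-match-wins evaluator. The Python sketch below is an added example and a model of the documented behavior, not the appliance's implementation; the function names, case-sensitive matching, and the rejection of forms the guide does not describe (such as a "*" at both ends) are assumptions. It also flags "!" expressions that can never take effect, which is useful when reviewing a server's expression list.

```python
from typing import List, Tuple


def parse(expr: str) -> Tuple[bool, str, str]:
    """Split one expression into (negated, kind, text)."""
    expr = expr.strip()
    negated = expr.startswith("!")
    body = expr[1:] if negated else expr
    if not body or "!" in body:
        raise ValueError(f"unsupported expression: {expr!r}")
    if body == "*":
        return negated, "all", ""
    # The guide allows "*" only at the beginning or end of an expression.
    if "*" in body[1:-1] or (body[0] == "*" and body[-1] == "*"):
        raise ValueError(f"unsupported wildcard position: {expr!r}")
    if body[0] == "*":
        return negated, "suffix", body[1:]      # *.gif, */index.html
    if body[-1] == "*":
        return negated, "prefix", body[:-1]     # /home/*, /home/images/a*
    return negated, "exact", body               # /index.html


def _hit(kind: str, text: str, path: str) -> bool:
    if kind == "all":
        return True
    if kind == "suffix":
        return path.endswith(text)
    if kind == "prefix":
        return path.startswith(text)
    return path == text


def served(expressions: str, path: str) -> bool:
    """Evaluate a ';'-separated list left to right; the first hit decides."""
    for expr in expressions.split(";"):
        negated, kind, text = parse(expr)
        if _hit(kind, text, path):
            return not negated
    return False    # nothing matched, so this server is not selected


def ineffective_negations(expressions: str) -> List[str]:
    """Return '!' expressions that have no effect in this list."""
    parsed = [(e.strip(),) + parse(e) for e in expressions.split(";")]
    dead, seen_all = [], False
    for i, (raw, negated, kind, _text) in enumerate(parsed):
        if negated:
            later_positive = any(not item[1] for item in parsed[i + 1:])
            # Unreachable after "*", or not followed by any positive expression.
            if seen_all or not later_positive:
                dead.append(raw)
        elif kind == "all":
            seen_all = True
    return dead
```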
Routing with Dual Interfaces
NOTE: The SA8220 cannot route multiple subnets on one interface.
Because the SA8220 has two network interfaces, it can act as a router
in some contexts. This means that it can route between two subnets.
To do this, you must designate the SA8220 as the default gateway for
your fulfillment servers. Routes to the inside subnet are not
advertised to the outside router, but host routes are advertised to the
VIPs. Packets destined for defined VIPs are always routed through
the SA8220 to the server-side subnet. Other packets are forwarded
through the SA8220 only when the security mode is set to OPEN or
when set to CUSTOM and IP Forwarding is turned on. The SA8220’s
routing capabilities vary depending on which routing and failover
methods are used. For more details about these variations and their
relationships to routing and failover configurations, please see
“Failover Method Dependencies” in Appendix C.
Terms pertinent to SA8220 routing are listed below.
Term                  Description
Network-side subnet   The SA8220 interface attached to the side of the
                      physical network on which client requests arrive.
Server-side subnet    The SA8220 interface attached to the side of the
                      physical network that includes the fulfillment
                      servers.
“Outside” device      The router or switch one hop from the SA8220 on
                      the brokered subnet
“Inside” device       The router or switch one hop from the SA8220 on
                      the server-side subnet
The figure below shows an example of the SA8220 routing topology.
[Figure: SA8220 Routing Topology. Labels: Brokered Subnet, Router,
“Outside” Router, SA8220, Server-side Subnet, Hub or Switch,
“Inside” Hub or Switch, Server.]
Prioritization and Policy Groups
Policy groups are containers used to organize services. Service
prioritization uses policy group information to make decisions about
which services should get more or less server resources. Although the
assignment of services to policy groups can be arbitrarily determined
by the operator, effective use requires that each policy group contain
services related by their shared use of server resources. Services and
servers are assigned to Policy Groups at their time of creation.
Policy group management commands are listed below:
The policy group framework allows the prioritization of categories of
client requests. Each service defined in a policy group is assigned a
priority within that group and a target response time. When the
average response time of a service exceeds its target response time,
that service is allocated, on the basis of its priority, a greater share of
common server resources to attempt to bring response time back
within the target range (this assumes that the throttling option is
enabled for the policy group).
[Figure: Target Response Time Satisfied. SA8220 with VIP: 10.2.2.4;
HTTPS: 10 ms; HTTP: 10 ms; Server 1: HTTP; Server 2: HTTPS;
Server 3: HTTP/HTTPS.]
For example, the services HTTP and HTTPS are both assigned to a
single policy group. HTTPS is designated the highest priority service,
and HTTP the second priority. The SA8220 monitors the response
time of each service, and if necessary re-prioritizes server resources
of subordinate services to keep the response time for the highest
priority service within the specified range. The figure above shows a
policy group with services sharing a defined VIP, two services, and
their associated target response times. When the average response
time of HTTPS is less than or equal to 10ms, Server 1 fulfills HTTP
requests, Server 2 fulfills HTTPS requests, and Server 3 fulfills both
HTTP and HTTPS requests. The next figure illustrates server
utilization after HTTPS response time exceeds 10 ms.
[Figure: Target Response Time Exceeded. SA8220 with VIP: 10.2.2.4;
HTTPS: 12 ms; HTTP: 10 ms; Server 1: HTTP; Server 2: HTTPS;
Server 3: HTTP.]
Upon noticing a break in the target response time threshold, the
SA8220 scans the policy group’s active service and server pools for
shared resources. In this example, both the HTTP and HTTPS
services use Server 3. To provide the greatest server resources for the
highest priority service, shared resources are eliminated from
subordinate service pools (although each service will always have at
least one point of fulfillment.) For example, in the figure above, new
HTTP connections are no longer sent to Server 3 in an effort to
guarantee the target response time for HTTPS. Server 3 will again
serve HTTP when target response times are met.
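The throttling behavior described above can be modeled in a few lines. The Python sketch below is an added illustration, not HP's algorithm: it removes servers shared with a breaching higher-priority service from lower-priority pools while keeping at least one point of fulfillment per service. The Service class, the function names, and the removal order are assumptions; the pools and response times are the ones from the two figures.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Service:
    name: str
    priority: int            # 1 is the highest priority in the policy group
    target_ms: float         # target response time
    servers: FrozenSet[str]  # configured fulfillment servers


def active_pools(services: List[Service], avg_ms: Dict[str, float],
                 throttle: bool = True) -> Dict[str, Set[str]]:
    """Return the servers each service may use for new connections."""
    pools = {s.name: set(s.servers) for s in services}
    if not throttle:
        return pools          # throttling disabled for the policy group
    ranked = sorted(services, key=lambda s: s.priority)
    for i, high in enumerate(ranked):
        if avg_ms[high.name] <= high.target_ms:
            continue          # target met, nothing to reclaim for this service
        for low in ranked[i + 1:]:
            # Servers that the breaching service shares with a subordinate one.
            for server in sorted(pools[low.name] & pools[high.name]):
                # Every service keeps at least one point of fulfillment.
                if len(pools[low.name]) > 1:
                    pools[low.name].discard(server)
    return pools


def example_policy_group() -> List[Service]:
    """The policy group from the figures: HTTPS first priority, HTTP second."""
    return [
        Service("HTTPS", 1, 10, frozenset({"Server 2", "Server 3"})),
        Service("HTTP", 2, 10, frozenset({"Server 1", "Server 3"})),
    ]
```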
Routing Method for VIP Addresses
After setting up the service, you must configure the SA8220 to route
the VIP address to the Internet. There are two possibilities:
•In single SA8220 installations, “Standalone” mode is preferred
as it allows the VIP to be ARP-accessible from the router.
•If there are multiple address spaces (such as a SA8220 on the
10.x.x.x network and a VIP on the 209.x.x.x), then a routing
protocol might be the best method to advertise the VIP. When
configuring routing on the SA8220, always match the router's
configuration. The SA8220 can be programmed to use RIP v1,
RIP v2, or OSPF.
For example (standalone mode):
HP SA8220#config route
HP SA8220/config/route#info
Route configuration:
OSPF Info:
Active: no
Area: backbone
Hello interval: 10 (seconds)
Router dead interval: 40 (seconds)
Error Detection
The SA8220 is capable of recognizing and reacting to server error
conditions, detecting non-responsive (comatose) servers, and
directing traffic to alternate resources until the server is back in
operation. The SA8220 can also capture many HTTP errors before
they reach the client, and redirect the request to an alternate server.
Server Status Detection
The SA8220 uses multiple means to monitor the status of the
fulfillment servers. The “Intelligent Resource Verification” (IRV)
module periodically pings the servers to verify they are alive. The
SA8220 also monitors a “dup-syn” interval to calculate packet loss
rate.
Intelligent Resource Verification
When the IRV module pings a server and receives no response, it tries
to connect to each port on which the suspect server is configured to
listen. If the SA8220 itself does not receive a response from a given
port, then that server/port combination is declared dead. If the server
maintains network connectivity and responds positively to IRV
pings, but ports stop responding, then the dup-syn interval threshold
(described below) is used to decide if the server is declared dead.
Dup-syn Interval
The SA8220 dynamically calculates the threshold for the acceptable
number of dropped packets within a given interval. If at any time in
this interval the number of dropped packets exceeds this threshold,
the server is considered dead. After the specified time value has
expired the lost packet (or dup-syn) count is divided by two and the
time interval starts again. In this way, some history information is
kept between time intervals.
The dup-syn interval for this threshold is established with the
dup-syn CLI command, and ranges in value from 1000 to 2,147,483,647
microseconds. The default time interval value is 500,000
microseconds (one half second), which is appropriate for most
environments. By lowering or raising this value, you render the
SA8220 respectively less or more sensitive to dropped packets, and
less or more likely to declare a server dead. The volume of network
traffic must be taken into account when setting the dup-syn interval.
Higher volumes of traffic require a shorter dup-syn interval to avoid
mistakenly declaring a server dead due to network congestion.
The dup-syn command uses the following syntax:
config policygroup <name> service <name>
dup-syn <micro-seconds>
HTTP Error Detection
NOTE: This section applies to all models except the SA7200.
The SA8220 offers HTTP error detection for RICH services. When
HTTP error detection is enabled, the SA8220 scans the headers of
server responses for errors. If an HTTP error is found, the original
request is rerouted to another server for fulfillment, transparently to
the client. This process continues until a server responds without an
error, or all applicable servers have been tried. Conversely, if HTTP
error detection is disabled, the error is returned directly to the client.
HTTP error detection for errors 401-405 and 500-503 (as defined in
the HTTP specification) is configured with the command:
config policygroup <name> service <name> server
<name> port <port> http [enable | disable]
The SA8220 extends standard HTTP error handling by allowing the
server to return a special 606 error code. Detection and handling of
606 errors is separately configurable. In this way, standard errors may
be passed to the client while 606 errors are handled transparently by
the HP system. If 606 error handling is enabled, the SA8220 scans the
returned HTTP header for an HTTP 606 response code. If the 606
response code is found and another server is available to handle the
request, it is sent automatically. This process continues until a server
responds without an error, or until all applicable servers have been
tried.
The HTTP header for 606 handling is of the form: “HTTP/1.0 606
Error.” Users can generate this response through a variety of methods
including CGI and nph scripts. Consult your web server
documentation for information about generating custom error
messages.
config policygroup <name> service <name> server
<name> port <port> 606 [enable | disable]
Serial Cable Failover
NOTE: DHCP is not available when serial cable failover is enabled.
NOTE: You can log on to the Backup SA8220, but the full command set is
not available.
The SA8220 offers two failover methods:
•Router Failover (including OSPF, RIPv1 and RIPv2), and
•Serial Cable Failover
When serial cable failover is configured, the Primary and Backup
SA8220s communicate heartbeat, configuration, and status
information using the included null modem serial cable. The Backup
SA8220 assumes control from the Primary when any of the following
occur:
•The Backup SA8220 does not detect the Primary SA8220's
heartbeat within the timeout period (the default is 3 seconds).
•The Primary SA8220's Ethernet interface becomes inactive. For
example, if the Ethernet cable is disconnected.
•The Primary SA8220 experiences an internal software error.
Both the Primary and Backup SA8220s need to know their own
identity and the “Online Identity” by address and name to satisfy
internal communication parameters. The SA8220s' own names and
the shared online identity are automatically entered into their host
files during failover configuration. If Dual NIC is enabled, the
identities for both the Outside (network-side) and Inside (server-side)
NICs are shared.
For information on failover method dependencies, see Appendix C.
NOTE: Before configuring serial cable failover, both the primary and
backup SA8220s must be configured with the setup command. For more
information, please see “Setup” in Chapter 3.
Serial Cable Failover Configuration
The following procedures are used to configure the Primary and
Secondary SA8220s for serial cable failover operation.
Configure the Primary SA8220
1. Connect the two SA8220s using their failover ports using the
provided null modem serial cable.
2. Reboot the SA8220 that will be the Primary and press a key at
the prompt to enter the Boot Monitor.
3. At the prompt, type the following command:
monitor>failover
NOTE: The Online IP Address is the address used by the SA8220 that is
currently accepting remote administration connections — this can be
either the Primary or the Backup SA8220 (though it is typically the
Primary). The Online IP Address is the address by which you can access
the Online SA8220 using telnet for administration.
4. Follow the prompts as illustrated below (for single NIC
operation):
Specify failover method (disabled, serial,
route) :[disabled] --->serial
Checking for failover unit...
Failover unit not detected or may not be
configured.
Is this machine Primary or Backup? [Primary]--->
Enter the Network’s ONline IP Address
--->10.6.3.200
Enter the Network’s Online hostname
--->netonline
Serial failover successfully configured
If Dual NIC operation is enabled, failover configuration looks
like the example shown below:
monitor>failover
Specify failover method (disabled, serial,
route) [disabled] --->serial
Checking for failover unit...
Failover unit not detected or may not be
configured.
Is this machine Primary or Backup? [Primary]
--->primary
Enter the Network side Online IP Address
[10.6.3.200]--->
Enter the Server side Online IP Address
[10.6.4.200] --->
Enter the Network side Online hostname
[netonline] --->
Enter the Server side Online hostname --->
servonline
Serial failover successfully configured
5. Save the Primary configuration.
monitor>save
List of currently saved configuration files(s).
You may save over an existing configuration file
or enter a new name.
File name
---------
active.cfg
backup.cfg
cris.cfg
‘active.cfg’ is the last booted configuration.
Enter configuration file name (- to cancel):
[active.cfg] --->
Configuration has been saved.
6. Boot the SA8220.
monitor>boot
Do you really want to continue boot? [y]
---> <Enter>
Boot which configuration? [active.cfg]
---> <Enter>
Please stand by, the system is being booted.
.... Done
Login>
Configure the Backup SA8220
1. Reboot the SA8220 that will be the Secondary and press a key at
the prompt to enter the Boot Monitor.
2. At the prompt, type the following command:
monitor>failover
3. Follow the prompts as listed below:
Specify failover method (disabled, serial,
route) [ ] --->s
Checking for failover unit...
Failover unit detected
-------------------------
Version : 2.3
Type : PRIMARY
State : ONLINE
Name : online13
IP : 13.1.1.20
Mac : 0:1:c9:ed:a6:fb
NOTE: Use the same Online IP Address and name for the Backup SA8220 as
the Primary (these appear by default).
Is this machine Primary or Backup? [Backup]
---> <Enter>
Enter Online IP Address [13.1.1.20] ---> <Enter>
Enter Online Name [online13] ---> <Enter>
Serial failover successfully configured
monitor>
4. Save the Backup configuration.
monitor>save
List of currently saved configuration file(s).
You may save over an existing configuration file
or enter a new name.
File name
---------
active.cfg
backup.cfg
cris.cfg
‘active.cfg’ is the last booted configuration.
Enter configuration file name (- to cancel):
[active.cfg] --->
Configuration has been saved.
5. Boot the SA8220.
monitor>boot
... current configuration ...
... list of saved configuration files ...
Boot configuration file name? [active.cfg]
---> <Enter>
Do you really want to boot ‘active.cfg’? [y]
---> <Enter>
Please stand by, the system is being booted.
Replicating the Configuration
Whenever it changes, the active configuration is replicated from the
Primary to the Backup SA8220. For most configurations, faults are
detected within 3 seconds, and the Backup is fully online within 25
seconds. The latter interval increases as the number of services
increases.
Status Information
You can display information about the SA8220s’ function and
failover status either via the Command Line Interface or the GUI.
Below are the commands to display status information followed by a
list of status messages and their explanations.
1. Log in to the SA8220.
2. At the CLI prompt, type the following command:
HP SA8220>info
The status appears on the last line of the info command’s output.
A description of the status message can be found below.
Failover Status Message              Description

The broker is ONLINE, and serial     One of the SA8220s is configured
failover is NONE (disabled).         for either “none” or “route”
                                     failover.

The broker is PRIMARY and ONLINE,    One of the SA8220s is configured
the remote's serial failover is      for either “none” or “route”
NONE (disabled).                     failover.

The broker is PRIMARY and ONLINE,    Normal Serial Failover Operation
the remote's state is READY.

The broker is BACKUP and READY,      Normal Serial Failover Operation
and the remote's state is ONLINE.

The broker is PRIMARY and            Ethernet cable disconnected, or
NIC_FAILED, and the remote’s         cable, NIC, or HUB port failure
state is ONLINE.

The broker is BACKUP and ONLINE,     Ethernet cable disconnected, or
and the remote’s state is            cable, NIC, or HUB port failure
NIC_FAILED.

The broker is PRIMARY and ONLINE,    The serial cable connecting the
the connection to the remote has     SA8220s is disconnected
TIMED OUT.

The broker is BACKUP and             The serial cable connecting the
IP_IN_USE_ERROR, the connection      SA8220s is disconnected
to the remote has TIMED OUT.
NOTE: The notation, PRIMARY/BACKUP indicates that either “PRIMARY” or
“BACKUP” will be displayed.
The Failover Status messages in this table are not specific to the
Primary or Backup SA8220s.
Failover Status Message              Description

The broker is PRIMARY/BACKUP and     One of the SA8220s has been
WAITING_FOR_SYNC                     restarted. This status persists
                                     while the configuration files are
                                     loaded from the online SA8220.
                                     The time this state persists
                                     depends on the number of VIPs
                                     and services configured.

The broker is PRIMARY/BACKUP and     Both SA8220s are configured as
CONFIGURATION_ERROR                  Primary or as Backup. Neither
                                     SA8220 will come online until
                                     this condition is corrected

The broker is PRIMARY/BACKUP and     The online IP address is missing
DNS_FAILED                           from both the local host file and
                                     the DNS server.

The broker is PRIMARY/BACKUP and     Indeterminate error. Use an earlier
CORE_APP_FAILED.                     working configuration. If the
                                     condition persists, contact
                                     Customer Support for assistance.

The broker is PRIMARY/BACKUP and     Indeterminate error. Use an earlier
RICH_APP_FAILED.                     working configuration. If the
                                     condition persists, contact
                                     Customer Support for assistance.
Chapter 3: Boot Monitor
This chapter covers the following topics:
•System Requirements
•Accessing the Boot Monitor
•Boot Monitor Commands
NOTE: For ease of reading, all models are referred to as the SA8220
throughout this document. Unless noted otherwise, all SA8220
references refer to all models.
Using the Boot Monitor CLI
CAUTION: After configuring the SA8220 with the Boot Monitor, you must
enable Autoboot with the autoboot command or the SA8220 will not
operate.
The HP e-Commerce Traffic Director Server Appliance SA8200/
SA8220s’ and the HP Traffic Director Server Appliance SA7200/
SA7220s’ Boot Monitor Command Line Interface (CLI) allows you to
configure boot options and manage boot configuration files.
Typically, you will use the Boot Monitor only during the initial
configuration or after major reconfigurations, if the latter becomes
necessary. Day-to-day operations are managed using the Graphical
User Interface (please see “Graphical User Interface”, Chapter 4) or
the Run Time CLI (please see “Command Line Interface”, Chapter 5).
General categories of tasks performed by the Boot Monitor include:
•Configure and display boot options, including the configuration
file
•Manage the boot configuration file system
•Configure and change IP parameters
System Requirements
You can use any terminal or workstation with a terminal emulator as
the CLI command station, provided the terminal has the following
features:
•9600 bits per second, 8 data bits, 1 stop bit, no parity, no flow
control (9600-8-N-1)
•A terminal emulation program, such as HyperTerminal*
•Cable and connector to match the male DTE connector (DB-9)
Accessing the Boot Monitor
You can access the Boot Monitor Command Line Interface in either
of the two ways described in this section.
Interrupting the Bootup Sequence
1. Interrupt the SA8220’s bootup sequence by pressing a key at the
following prompt:
Press any key to stop autoboot.
In a few seconds the monitor> prompt displays, confirming
that the Boot Monitor is running:
Using the Run Time CLI
1. Type this command at the prompt:
config sys autoboot disable
2. Then, at the HPSA8220# prompt, type this command:
reboot
The monitor> prompt displays, confirming that the Boot
Monitor is running.
Boot Monitor Commands
Boot Monitor CLI commands (listed below) are described in this
chapter.
•autoboot         •info
•boot             •interface
•delete           •ip
•dhcp             •load
•dir              •netmask
•dns              •rich_bias
•dual             •save
•factory_reset    •settime
•failover         •setup
•gateway          •static_routes
•help             •version
•host
autoboot
Enables or disables the Autoboot function. When Autoboot is
enabled, the SA8220 prompts you to press a key during restart to
enter the Boot Monitor command line interface. If you ignore the
prompt, restart finishes with the SA8220 in normal operating mode.
If Autoboot is disabled, the restart sequence ends by displaying the
Boot Monitor interface.
boot
Boots the device with a specific configuration. Variations on use of
the reboot command are described below.
Reboot with No Configuration Changes
1. Type the boot command.
The Boot Monitor displays the current configuration and prompts
you for confirmation, as shown in the example below:
Current active configuration
---------------------------
Product: HP
Version: 2.7
Patch Level: 0.0
Build: 12
Current time: Tue Sep 12 17:02:05 2000
Hostname: CSLab7k
------------
Network side NIC:
IP Address: 10.6.3.21
Netmask: 255.255.255.0
MAC address: 0:a0:c9:ed:6c:cc
------------
Service side NIC:
IP Address 10.6.5.21
Netmask: 255.255.255.0
MAC address: 0:d0:b7:6:c1:85
------------
Default Gateway: 10.6.3.1
Domain: None
Primary name server: None
DHCP: Disabled
Failover mode: Disabled
Network NIC setup: Auto
Server NIC setup: Auto
NTP: Disabled
Autoboot: Disabled
Static Routes: None
RICH_Biased: Enabled
Do you really want to boot active.cfg? [y] --->
SA8220
2. To boot to the normal operational prompt, type y.
3. To return to the monitor> prompt, type n.
Reboot with Configuration Changes
When you use the boot command after changing the SA8220’s
configuration, you are presented with a number of options. These
allow you to use the changed configuration, revert to the last saved
configuration, or choose among a list of previously saved
configurations. Procedures for choosing among these options are
organized within three groups, described below.
1. Type the boot command.
2. The Boot Monitor displays the changed configuration
information and prompts you to save the new configuration, as
shown in the example below:
Current active configuration
---------------------------
Product: HP
Version: 2.7
Patch Level: 0.0
Build: 12
Current time: Tue Sep 12 17:02:05 2000
Hostname: CSLab7k
------------
Network side NIC:
IP Address: 10.6.3.21
Netmask: 255.255.255.0
MAC address: 0:a0:c9:ed:6c:cc
------------
Service side NIC:
IP Address 10.6.5.21
Netmask: 255.255.255.0
MAC address: 0:d0:b7:6:c1:85
------------
Default Gateway: 10.6.3.1
Domain: None
Primary name server: None
DHCP: Disabled
Failover mode: Disabled
Network NIC setup: Auto
Server NIC setup: Auto
NTP: Disabled
Autoboot: Disabled
Static Routes: None
RICH_Biased: Enabled
The configuration has changed, save it? [y] --->
SA8220
46
C H A P T E R 3Using the Boot Monitor CLI
First Options:
NOTE: This list includes backup.cfg, a backup of the most recently
booted configuration. This file is automatically created when you
change the configuration and save.
1. If you select the default, y, the system allows you to save the
configuration as either active.cfg or the last loaded filename.
Configuration file name? [active.cfg] --->
2. You can either accept the default, active.cfg, or type a new
filename. The system then saves the file and presents a list of all
saved files.
Select a boot configuration from the following
files.
active.cfg
backup.cfg
Boot configuration file name? [active.cfg] --->
3. You can accept the default, active.cfg, or select another
previously saved configuration. Regardless of the file you select,
the configuration file you are about to boot is displayed to ensure
that the last file displayed is the configuration that is booted.
4. If you select the default, y, the system boots to the normal
operational prompt. If you type n, it returns to the monitor>
prompt.
Second Options:
1. If you choose not to save the modified file, the system displays a
warning that it is reverting to the previously booted configuration,
as shown below:
Warning: The current configuration has NOT been
saved and will not be booted. Reverting to last
saved active.cfg.
2. If there are no additional saved configurations, the system
prompts you to confirm that you want to boot the last saved
configuration, which will always be active.cfg.
Do you really want to boot active.cfg? [y] --->
3. If you select the default, y, the system boots to the normal
operational prompt. If you type n, it returns to the monitor>
prompt.
Third Options:
1. If there are any previously saved configurations on the system,
you are offered a choice of configuration files to boot from.
Select a boot configuration from the following
files.
active.cfg
backup.cfg
Boot configuration file name? [active.cfg] --->
2. You can accept the offered default, active.cfg, or select
another previously saved configuration. If you select
active.cfg, the configuration is not redisplayed. If you select
a file other than active.cfg, the file’s contents are displayed to
ensure that the last file displayed is the configuration that is
booted.
3. If you select the default, y, the system boots to the normal
operational prompt. If you type n, it returns to the monitor>
prompt.
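Because the boot procedure relies on the operator reading the displayed configuration before confirming, a captured display can be parsed and compared with an earlier capture. The following is an added example, not HP code: the parsing rules (a dash line ends a section, a bare "Name:" line starts one) are inferred from the display shown above, both captures are constructed from it, and the function names are hypothetical.

```python
import re

# Constructed sample based on the display in this section. Note that the
# service-side "IP Address" line is shown without a colon.
CAPTURE_BEFORE = """\
Current active configuration
---------------------------
Product: HP
Version: 2.7
Hostname: CSLab7k
------------
Network side NIC:
IP Address: 10.6.3.21
Netmask: 255.255.255.0
MAC address: 0:a0:c9:ed:6c:cc
------------
Service side NIC:
IP Address 10.6.5.21
Netmask: 255.255.255.0
------------
Default Gateway: 10.6.3.1
DHCP: Disabled
Failover mode: Disabled
Static Routes: None
"""

# Constructed "after" capture: gateway and failover mode were changed.
CAPTURE_AFTER = CAPTURE_BEFORE.replace(
    "Default Gateway: 10.6.3.1", "Default Gateway: 10.6.3.254"
).replace("Failover mode: Disabled", "Failover mode: Serial")

_DASHES = re.compile(r"^-{3,}$")
# Fallback for "name value" lines that lack the colon but end in an IPv4 address.
_NO_COLON = re.compile(r"^(.*?\S)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_display(text):
    """Return {setting name: value}; NIC settings are prefixed by section."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _DASHES.match(line):
            section = None                 # a dash line closes the section
            continue
        key, sep, value = line.partition(":")   # split on the FIRST colon only,
        value = value.strip()                   # so MAC addresses stay intact
        if sep and not value:
            section = key.strip()          # e.g. "Network side NIC:"
            continue
        if not sep:
            match = _NO_COLON.match(line)
            if not match:
                continue                   # title or prompt line, not a setting
            key, value = match.group(1), match.group(2)
        name = key.strip()
        if section:
            name = f"{section}/{name}"
        settings[name] = value
    return settings


def diff_displays(before, after):
    """Return {name: (before value, after value)} for settings that differ."""
    a, b = parse_display(before), parse_display(after)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for name, (old, new) in diff_displays(CAPTURE_BEFORE, CAPTURE_AFTER).items():
        print(f"{name}: {old} -> {new}")
```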
delete
Deletes the specified configuration file.
Example:
monitor>delete
Select a configuration to delete from the
following files.
Note: You cannot delete the active
configuration file active.cfg.
File name
-------------
active.cfg
backup.cfg
cris.cfg
‘active.cfg’ is the last booted configuration.
Enter the configuration filename to delete:
--->broker1.cfg
broker1.cfg successfully deleted.
dhcp
Enables or disables the SA8220’s use of DHCP. When DHCP is
enabled, the SA8220 receives its configuration parameters from the
DHCP server at startup. When DHCP is disabled, the SA8220 ignores
the DHCP server, and so it must be manually configured at restart.
Respond to the prompt with y to enable, or n to disable. DHCP is
disabled by default.
Example:
monitor> dhcp
Enable DHCP (yes, no)? [no] --->
dir
Displays the list of saved boot configuration files.
dns
Specifies the domain and (optionally) nameserver(s). The system
prompts you for the required information.
Example:
monitor>dns
Would you like to configure DNS (yes, no)?
[no] --->yes
Enter Domain name (‘-’ to cancel)
--->mydomain.com
Enter the IP Address of the Primary name server
(‘-’ to cancel) --->10.6.3.5
Specify additional name server
( <return> to end ) --->10.6.3.10
Specify additional name server
( <return> to end ) --->
dual
Selects single or dual NIC operation.
Example:
monitor>dual
Enable dual NIC operation (yes, no) [no] --->
factory_reset
Resets the system to factory defaults, listed below.
NOTE: The first boot after a factory_reset command or a new
installation will prompt you for the root password. Also, the
factory_reset command does not delete saved configuration files.
Parameter                               Setting
All added user accounts                 Deleted
Policy groups, services, and servers    Deleted
Route parameters                        Deleted
CLI parameters                          Deleted
IP address                              Deleted
Default route                           Deleted
Hostname                                Deleted
Domain                                  Deleted
Name servers                            Deleted
DHCP                                    Disabled
Dual NIC                                Disabled
Failover mode                           Disabled
Autoboot                                Disabled
Autoboot timeout                        5 seconds
Added hosts in the host file            Deleted
New root password on next boot          Forced
Rich bias                               Enabled
Static routes                           Deleted
failover
Specifies the SA8220’s failover method. Three failover options are
available:
•disabled: no failover method will be used
•serial: serial cable failover will be used
•route: router failover will be used
Example:
monitor>failover
Specify failover method (disabled, serial,
route): [disabled] --->serial
Checking for failover unit...
Failover unit not detected or may not be
configured.
Is this machine Primary or Backup?
[Primary] --->
Enter the Network side Online IP Address
--->10.6.3.200
Enter the Server side Online Address
--->10.6.5.200
Enter the Network side Online hostname
--->net-onlinehost
Enter the Server side Online hostname
--->serv-onlinehost
Serial failover successfully configured
gateway
Specifies the default gateway.
Example:
monitor>gateway
Enter default gateway: --->10.6.3.1
help
Lists all Boot Monitor commands or optionally displays syntax for a
specified command.
Example:
gateway Set default gateway
interface Configure network interface card
host
Sets the SA8220’s host name.
Example:
monitor>host
Enter the hostname you would like to assign to
the Network NIC: --->CSLab7k
info
Displays the current boot configuration.
interface
Configures Ethernet port parameters. Compatibility with some older
switches, hubs, or routers may require that you manually specify the
Ethernet speed and duplex mode of the SA8220's network interface
card.
Single NIC configuration example:
Auto configure the network NIC speed and duplex
(yes,no)? [yes] --->no
1 - 100BaseTx
2 - 10BaseTx
Select Media Type (1 or 2): [1] --->2
Use Full Duplex? [n] --->n
Dual NIC configuration example:
Auto configure the Network side NIC speed and
duplex (yes,no)? [yes] --->
Auto configure the Server side NIC speed and
duplex (yes,no)? [yes] --->
ip
Specifies the SA8220's IP address.
Example:
monitor>ip
Enter the IP address for the Network side NIC
[10.6.3.21] --->
Enter the IP address for the Server side NIC
[10.6.5.21] --->
load
Loads a previously saved configuration file into memory.
Example:
monitor>load
Select a configuration file to load from the
following files.
File name
-------------
active.cfg
backup.cfg
cris.cfg
‘active.cfg’ is the last booted configuration.
Enter the configuration filename to load
(- to cancel): [active.cfg] --->
Configuration loaded: active.cfg
netmask
Specifies the netmask.
Example:
monitor>netmask
Enter Netmask for Network side NIC
[255.255.255.0] --->
Enter Netmask for Service side NIC
[255.255.255.0] --->
rich-bias
(not available on the SA7200)
Optimizes RICH_HTTP service performance. If your RICH_HTTP
service responses consist mostly of files greater than 8K, the enabled
(default) setting of rich_bias will optimize performance. If your
site is experiencing performance problems and the RICH_HTTP
service responses are less than 8K, you may want to disable
rich_bias.
This command has no effect on SSL terminated connections.
Example:
monitor>rich_bias
Unit is currently ‘RICH_Biased’, change it
(yes, no) [no] --->yes
RICH_Biased (enable, disable) [enable]
--->disable
save
Saves the current configuration. Changes made during the current
Boot Monitor session are lost unless you use the save command.
Example:
monitor>save
List of currently saved configuration file(s).
You may save over an existing configuration file
or enter a new name.
File name
------------
active.cfg
bckup.cfg
cris.cfg
‘active.cfg’ is the last booted configuration.
Enter configuration file name (- to cancel):
[active.cfg] ---> -
monitor>
settime
Selects a method for setting the SA8220’s system time and date. If
you select NTP, you will be prompted for the IP address of the NTP
server(s) you want to use. If you set the date manually, you will be
prompted first for the timezone, then for the date in 24-hour format.
Example, with NTP:
monitor>settime
Use NTP? [enable] --->
Enter IP address of NTP server or <return> to
end: --->209.218.240.1
Enter IP address of NTP server or <return> to
end: --->209.218.240.238
Enter IP address of NTP server or <return> to
end: --->
Example 1, without NTP (manual setting):
NOTE: Example 1 is for setting the time using Greenwich Mean Time
(GMT). For example, the GMT-14 timezone is GMT minus 14 hours.
monitor>settime
Use NTP? [disable] --->
Select TIMEZONEs to list (GMT, US, Other or q to
quit: [GMT] --->GMT
Select a TIMEZONE from the ‘GMT’ list.
 1) GMT-14    2) GMT-13    3) GMT-12
 4) GMT-11    5) GMT-10    6) GMT-9
 7) GMT-8     8) GMT-7     9) GMT-6
10)GMT-5     11)GMT-4     12)GMT-3
13)GMT-2     14)GMT-1     15)GMT
16)GMT+1     17)GMT+2     18)GMT+3
19)GMT+4     20)GMT+5     21)GMT+6
22)GMT+7     23)GMT+8     24)GMT+9
25)GMT+10    26)GMT+11    27)GMT+12
Select a number between 1 and 27
(q to quit)--->2
Selected TIMEZONE ‘GMT-13’
The current time is now: Fri Sep 29 05:38:38
GMT-13 2000
Enter the year (YYYY): [2000] --->
Enter the month (MM): [09] --->
Enter the day (DD): [29] --->
Enter the hour (HH): [05] --->
Enter the minute (MM): [38] --->
Enter the seconds (SS): [38] --->
Fri Sep 29 05:38:38 GMT-13 2000
Example 2, without NTP (manual setting):
NOTE: Example 2 is for setting the time using United States time (US).
monitor>settime
Use NTP? [disable] --->
Select TIMEZONEs to list (GMT, US, Other or q to
quit: [GMT] --->US
Select a TIMEZONE from the ‘US’ list.
 1) Alaska         2) Aleutian         3) Arizona
 4) Central        5) Eastern          6) Hawaii
 7) Indiana-East   8) Indiana-Starke   9) Michigan
10)Mountain       11)Pacific          12)Somoa
Select a number between 1 and 12
(q to quit): [11}--->5
Selected TIMEZONE ‘Eastern’
The current time is now: Sat Oct 28 23:59:42
2000
Enter the year (YYYY): [2000]--->
Enter the month(MM): [10]--->
Enter the day (DD): [28]--->29
Enter the hour (HH): [23]--->01
Enter the minute (MM): [59]-->57
Enter the seconds (SS): [39]--->
Sun Oct 29 01:57:39 EDT 2000
Example 3, without NTP (manual setting):
NOTE: Example 3 is for setting the time using any timezone OTHER THAN
GMT or US.
monitor>settime
Use NTP? [disable] --->
Select TIMEZONEs to list (GMT, US, Other or q to
quit: [GMT] --->O
Select a TIMEZONE from the ‘Other’ list.
 1) Bangkok      2) Belfast    3) Belgrade
 4) Berlin       5) Brussels   6) Copenhagen
 7) Hongkong     8) Israel     9) Japan
10)London       11)Madrid     12)Manila
13)Paris        14)Poland     15)Portugal
16)Prague       17)Rome       18)Singapore
19)Stockholm    20)Turkey     21)Warsaw
22)Zulu         23)Zurich
Select a number between 1 and 23 (q to quit):
[10]--->22
Selected TIMEZONE ‘Zulu’
The current time is now: Sat Oct 28 23:59:42
2000
Enter the year (YYYY): [2000]--->
Enter the month(MM): [10]--->
Enter the day (DD): [28]--->29
Enter the hour (HH): [23]--->01
Enter the minute (MM): [59]-->57
Enter the seconds (SS): [39]--->
Sun Oct 29 01:57:39 EDT 2000
setup
Initiates the SA8220’s setup procedure. The system displays prompts
for all inputs necessary to initialize it.
Example:
monitor>setup
Enable dual NIC operation(yes,no)? [no] ---> yes
Autoconfigure the Network side NIC speed and
duplex? (yes,no)? [yes] --->
Autoconfigure the Server side NIC speed and
duplex? (yes,no)? [yes] --->
DHCP is disabled for dual NIC operation.
Enter the hostname you would like to assign to
the Network NIC: --->CSLab7k
Enter the IP address for the Network side NIC
--->10.6.3.21
Enter the IP address for the Server side NIC
--->10.6.5.21
Enter the Netmask for the Network side NIC
--->255.255.255.0
Enter the Netmask for the Server side NIC
--->[255.255.255.0] --->255.255.255.0
Enter default gateway: --->10.6.3.1
Would you like to configure DNS (yes, no)? [no]
--->
DNS not configured.
Specify failover method (disabled, serial,
route): [disabled] --->
Set Autoboot? (yes,no) [no] --->
static_routes
Deletes and adds any number of static IP routes. Shows the current
static IP routes (if any) when the function is entered. You are
prompted for the destination and gateway IP addresses. The info
command will show any static IP routes that are known to the Boot
Monitor, and factory_reset will remove all static IP routes as
part of its cleanup.
Example:
monitor>static_routes
Static Route information.
Enter Static route (1) dest IP(- to del, q to
quit): --->10.7.16.5
Enter Static route (1) gate IP(- to del, q to
quit): --->10.8.15.40
Enter Static route (2) dest IP(- to del, q to
quit): --->10.7.18.50
Enter Static route (2) gate IP(- to del, q to
quit): --->10.8.15.40
Enter Static route (3) dest IP(- to del, q to
quit): --->q
{2} Static Route(s).
NOTE: For ease of
reading, all models are
referred to as the SA8220
throughout this
document. Unless noted
otherwise, all SA8220
references refer to all
models.
•Before You Begin
•Logon Screen
•Topology Screen
•Policy Manager Screen
•Administration Screen
•Configuration Screen
•Tools Screen
•Statistics Screen
Before You Begin
NOTE: Some functions
and features are not
available in the GUI.
The HP e-Commerce Traffic Director Server Appliance SA8200/
SA8220s and HP Traffic Director Server Appliance SA7200/
SA7220s have features and functions that are controlled through
either the browser-based Graphical User Interface (GUI), as
discussed in this chapter, or the Command Line Interface (CLI), as
discussed in Chapter 5.
In order to use the inside IP or inside online IP for administration, the
client must be on the same subnet as the inside interface, or must have
an alternate path back through the outside interface.
Logon Screen
To access the various GUI services available to you on the SA8220,
you must first log on to the system as described in this section.
Logging on to the GUI
NOTE: If Internet Explorer* 5.01 (or later) is your browser, you must
add a trailing slash (/) to the URL, as shown in step (2). Also, the
default GUI port (1095) can be changed. For details, please see “GUI
Tab” in this chapter.
1. Launch your browser.
2. In your browser’s Address or Location field, type the SA8220’s
address and specify port 1095. For example:
http://system_name:1095/
where system_name is the actual name or IP address of your
SA8220.
3. Press Enter.
The Logon screen displays, as shown below.
Logon Screen
NOTE: The factory default for both the user name and password is
admin (lowercase required). To change them, please see “Users
Tab” in this chapter.
4. In the space provided, type your User name.
5. In the space provided, type your Password.
6. Click Logon.
The Topology screen displays, as shown on the next page. The
number of server icons varies, depending upon your network
configuration.
Topology Screen
Using the Topology Screen
Topology Screen
Purposes of the Topology Screen
•Displays a graphical representation of the current topological
relationships between the SA8220 and network servers. The
SA8220’s status and Serial Cable failover, if configured, are also
reflected here.
•Serves as a gateway to the Administration and Policy Manager
screens, and the Configuration and Tools screens.
Topology Screen Toolbar
[Figure: Topology Screen Toolbar]
Located at the top left of the window, the toolbar is shown above.
The toolbar’s buttons, from left to right, are described below:
•Back returns you to the previous screen. From the Topology
screen, this will log you off the system and return you to the
logon screen.
•Configuration displays the Configuration Screen
•Administration displays the Administration Screen
•Tools displays the Tools Screen
•Policy Manager displays the Policy Manager Screen
•Statistics displays the Statistics Screen
•Log File displays the SA8220's log file.
Online Help
Online Help Button
Located at the top right of the window, the Help button is shown
above. Click Help to display the online help file.
Topology Screen Elements
SA8220 Icon
The SA8220 is represented onscreen by a horizontal "rack unit" icon,
as shown above.
•Right-clicking on the SA8220 icon displays a popup menu that
can take you to other screens.
•Double-clicking the SA8220 icon takes you to the Policy
Management screen by default, but this can be changed in the
Administration screen (please see “Administration Screen” in
this chapter).
Server Icon
Servers are represented onscreen by vertical "tower case" icons, as
shown above.
•Right-clicking on a server icon displays a popup menu that can
take you to other screens.
•Double-clicking the server icon takes you to the Statistics screen
by default, but this can be changed in the Administration screen
(please see “Administration Screen” in this chapter).
Window Controls
Slider Control
To resize the Topology screen elements, click and drag the slider
control located in the upper right hand corner of the screen, as shown
above.
•Move the slider control to the far right, as shown above, for the
largest display.
•Move the slider control to the far left for the smallest display.
Background Zoom and Refresh Control
The Topology screen elements can also be resized by right-clicking
on the background of the screen. The popup menu shown above
displays onscreen.
•Zoom In enlarges the display and is the equivalent of moving the
slider control to the right.
•Zoom Out reduces the display and is the equivalent of moving the
slider control to the left.
•Refresh Display updates the Topology screen.
Policy Manager Screen
When you double-click a SA8220 icon in the Topology screen (or
right-click and select Policy Management), the Policy Manager
screen displays, as shown below.
Policy Manager Screen
The Policy Manager consists of a series of screens with multiple tabs
that include the controls used in the implementation of Policies. The
discrete items created, altered, and deleted in the course of Policy
management are listed below:
•Policy Groups
•Services
•Servers
Policy Manager Controls and Displays
The Policy Manager screen contains two main regions, as described
below:
•The Policies display, on the left side of the Policy Manager
screen
•The Details display, on the right side of the Policy Manager
screen
The relative sizes of the Policies and Details displays are adjustable
by clicking and dragging the vertical line between the panels. The
Policies display includes existing Policy Groups, Services, and
Servers, reflecting the previously mentioned hierarchy. The Details
display includes controls and status displays relating to the item
selected in the Policies display, and changes according to the type
(Policy Group, Service, or Server) of the item selected. If a Service or
Server is selected, then the Details screen contains two tabs, each
containing related controls.
The three types of items form a hierarchy: policy groups contain
Services. Services in turn contain Servers. A lower hierarchy item
cannot be created unless its immediately superior type exists, that is,
a policy group must exist before you can create a Service, and a
Service must exist before you can create a Server.
Policy Manager Toolbar
[Figure: Policy Manager Toolbar, with buttons labeled New Policy Group, New Service, New Server, and Delete Selected Item]
The Policy Manager toolbar contains three buttons for creating Policy
Groups, Services and Servers, and one button to delete the currently
selected item, regardless of its type. The toolbar’s buttons are enabled
or disabled (dimmed) according to the type of item selected in the
Policies display.
Policy Manager’s Pop-up Menu
You can display the Policy Manager’s pop-up menu, shown below,
by right-clicking in the Policies display.
[Figure: Policy Manager’s Pop-up Menu, with Display Commands, Sort Commands, and Create/Delete Commands]
Policy Groups
Services are virtual resources provided to a client. However, Services
can exist only in the context of Policy Groups. Policy Groups are
regarded as containers used to organize Services. Therefore, before
Services can be defined, Policy Groups must be created to contain
them.
The Policy Manager's Policy Group Details screen provides two
functions:
•Naming of newly created Policy Groups
•Enabling or disabling of the selected Policy Group's throttling
function
Creating Policy Groups
You can create Policy Groups in either of two ways:
1. Click New Policy Group, in the left of the Policy Manager
toolbar, or
2. Right-click to display the menu, then select the New Policy Group command.
A new Policy Group icon and the Detail screen display in the
Policies display, as shown below.
NOTE: The names of existing Policy Groups cannot be changed.
Adding a New Policy Group
3. Type a name for the new Policy Group in the Policy Group Name
field. Policy Group names must adhere to the following
conventions:
•From 1 to 25 characters in length
•Any alphanumeric character
•Other eligible characters include hyphens ("-"), periods ("."), and
underscores ("_")
•Spaces must not be used.
Within these restrictions, the naming of Policy Groups is at your
discretion, though convenient naming schemes might include
serial names ("Group1," "Group2," etc.), or names that reflect a
Policy Group’s content, such as "e-CommerceGrp" or
"HTTP_Group."
Naming the New Policy Group
4. To accept the specified name, click Apply. The new Policy
Group’s new name displays in the Policies display.
When the new Policy Group name displays, Create Service (see
above), becomes available. This reflects the fact that Services
cannot be created unless at least one Policy Group already exists.
Throttling
When throttling is enabled, requests to eligible servers in lower-priority
services are stopped until response times of higher priority
services are met, or all eligible servers have been throttled. An
eligible server is one that is shared by both higher and lower priority
services. Throttling affects all services within a Policy Group.
To enable or disable throttling for the selected Policy Group, follow
the steps below:
1. Select the Enable Server Throttling check box (see figure above).
2. Click Apply.
Deleting Policy Groups
To delete a Policy Group, follow the steps below:
1. In the Policies display, click to select the name of the Policy
Group to be deleted.
2. In the Policy Manager toolbar, click Delete (X), or right-click to
display the menu and click the Delete Selected Item command.
Services
Once a Policy Group exists, you can create Services.
Creating Services
Follow these steps to create a Service:
1. In the Policies display, click to select a Policy Group.
2. In the Policy Manager toolbar, click New Service, or right-click
in the Policies display and select New Service from the pop-up
menu.
The Service Details tab displays in the Details screen, as shown
below.
NOTE: All fields mentioned in steps (3) through (6) become
read-only after the service is created.
Service Details Tab
3. In the Service Name field, type a name for the service.
4. From the Service Type pull-down menu, click the desired Service
type. The choices are HOT TCP (the default), or RICH_HTTP.
5. From the Virtual IP pull-down menu, click the desired Virtual IP
(VIP) address. If there are no VIPs in the menu, or if the desired
one is absent, type it in.
NOTE: The VIP/port combination must be unique.
6. Type a port in the Port field. The port is the listening port for
incoming connections, and you can select port numbers between
1 and 65535.
7. When you have finished filling in the fields in the Service Details
tab, click Apply.
The Policies display now reflects the name of the new Service
below the name of the Policy Group from which it was created.
Additional Service Tab Controls and Displays
The items listed below can be changed after the Service has been
created.
Control or Display: Description
Enabled
    Select this check box to activate the selected Service. Clear the check
    box to disable the Service.
Priority
    Services within a single Policy Group can be prioritized. The SA8220
    assures more server resources to Services with high priority numbers
    than to those with lower numbers. The Priority setting is an integer
    from 1 (highest priority) to 5 (lowest priority), and the default is 1.
Duplicate SYN Timeout
    This value is the time interval (in microseconds) after which the
    fulfillment server is declared dead if the dynamically calculated
    number of duplicate SYNs (lost packets) to that server is detected. You
    can specify a value from 1000 to 2,147,483,647, and the default is
    500,000.
Server Timeout (RICH only on all models except the SA7200)
    This value is the time interval (in seconds) during which a server must
    respond before it is declared dead. If the server fails to respond before
    the end of timeout interval, the outstanding request is passed to another
    server. This value is only available for RICH_HTTP services.
Enable Backup Servers
    This check box allows you to enable or disable servers designated as
    type "Backup" to come on line if necessary to assure target response
    times. For more details about servers, please see “Servers” in this
    chapter.
Insert Source IP in HTTP Header (RICH only on all models except the SA7200)
    This check box specifies whether or not the Source IP address is
    embedded within the HTTP header information.
Sticky Mode
    The SA8220 is configured to maintain a session’s state so that serial
    requests from a single client are allocated to the same server. This is
    called a "sticky" port. This setting may be disabled, based on Source
    IP, or based on a Cookie as described below:
    Source IP: Source IP sticky mode uses the client’s source IP address
    to identify a series of requests to be directed to a single server.
    Cookie: In cases where requests come through a proxy server, all
    requests appear to originate from that server’s IP address, thus IP
    address is of no use in identifying individual requestors. Cookie sticky
    mode provides an active method of identifying requestors in such
    situations. When Cookie sticky mode is enabled, a cookie is given to
    requesting browsers. Subsequent requests from clients who have
    received cookies contain identifying information allowing the SA8220
    to direct them to a single server. Cookie mode is available only for
    RICH_HTTP, so it is not available on the SA7200.
    NOTE: If using SSL services on the SA8200/SA8220, the SSL session ID
    maintains a sticky relationship when Source IP sticky is selected.
Sticky Timeout
    The current software version for the SA8220 treats the timeout
    differently for cookie versus Source IP sticky. With Source IP sticky,
    the timeout is reset with every connection from the client (so that the
    timeout is effectively an "idle time"). With cookie sticky, the timeout
    starts with the first connection from the client to the server, and never
    gets reset. When the cookie expires, even if actively being used, the
    next connection will be load balanced to a new server.
    Work around: We recommend that you set the cookie sticky timeout
    value to at least 1.5 times the maximum amount of time a user will
    expect to be stuck to a server. The default is 90 seconds.
Protocol
    This read-only field displays the protocol of the Service (TCP).
Status
    This read-only field displays the status of the selected Service
    ("Active" or "Inactive").
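The difference between the two Sticky Timeout behaviours described above is easiest to see by replaying the same client through both. This is an added example, not HP code: the round-robin choice of a new server stands in for the appliance's balancing, and the server names, client key, and arrival times are constructed.

```python
from itertools import cycle


class StickyTable:
    """Toy model of a sticky table keyed by client identity.

    Assumption: a client without a live entry is assigned round-robin;
    the real appliance applies its configured balance algorithm.
    """

    def __init__(self, mode, timeout, servers):
        if mode not in ("source_ip", "cookie"):
            raise ValueError("mode must be 'source_ip' or 'cookie'")
        self.mode = mode
        self.timeout = timeout              # seconds
        self._next_server = cycle(servers)
        self._entries = {}                  # client -> (server, expiry time)

    def route(self, client, now):
        """Return the server for a connection arriving at time `now`."""
        entry = self._entries.get(client)
        if entry is not None and now < entry[1]:
            server, _expiry = entry
            if self.mode == "source_ip":
                # Idle timer: every connection pushes the expiry out again.
                self._entries[client] = (server, now + self.timeout)
            # Cookie mode: expiry stays at first connection + timeout.
            return server
        # No entry, or it expired: balance to a server and start a new timer.
        server = next(self._next_server)
        self._entries[client] = (server, now + self.timeout)
        return server


def replay(mode, timeout, arrival_times, servers=("srv-a", "srv-b")):
    """Route one client's connections and return the server chosen each time."""
    table = StickyTable(mode, timeout, servers)
    return [table.route("client-1", t) for t in arrival_times]


def recommended_cookie_timeout(max_stuck_seconds):
    """The page's workaround: at least 1.5 times the longest expected session."""
    return 1.5 * max_stuck_seconds


# Constructed workload: one client connecting every 40 s for 200 s.
ARRIVALS = [0, 40, 80, 120, 160, 200]

if __name__ == "__main__":
    print("source_ip, 90 s:", replay("source_ip", 90, ARRIVALS))
    print("cookie,    90 s:", replay("cookie", 90, ARRIVALS))
    fixed = recommended_cookie_timeout(200)
    print(f"cookie, {fixed:.0f} s:", replay("cookie", fixed, ARRIVALS))
```

With the default 90-second timeout the active client keeps its server under Source IP sticky but is moved mid-session under cookie sticky; sizing the cookie timeout from the longest expected session removes the move.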
Balance Strategy
HOT Services are assigned server resources according to either of
two Balance Algorithms. Click the Balance Strategy tab of the
Service Details screen to display the Balance Algorithm controls, as
shown below.
Service Balance Strategy Screen
Two Balance Algorithms are available:
•Response Time: Requests for a Service using the Response
Time algorithm are forwarded to the server that can fulfill them
within the shortest time.
•Round Robin: Requests for a Service using the Round Robin
algorithm are distributed evenly among the available servers.
1. From the pull-down menu, click to select the desired Balance
Algorithm for the Service selected in the Policies display. If you
select Response Time, type a value (in milliseconds) in the Max
response time (ms) field. For more details, please see
“Response-Time Metrics” in Chapter 2.
Deleting Services
To delete a Service:
1. In the Tree, click to select the name of the Service to be deleted.
2. In the Policy Manager toolbar, click Delete, or right-click to
display the menu and click the Delete Selected Item command.
Servers
After you create Services, you must designate, or "create" Servers to
fulfill client requests for Services. As Services must exist within
Policy Groups, a Server (for example, a fulfillment host) must be
mapped to a Service.
To create Servers, follow the steps below:
1. In the tree, click an existing Service.
2. In the Policy Manager toolbar, click Create Server, or right-click
in the Policies display and click New Server from the pop-up
menu.
The Server Details tab displays in the Details screen, as shown
below.
The Policy Manager’s Server Detail Screen
3. In the Server Name field, type an IP address or server name
known to the SA8220 via DNS or static host table. This value
cannot be changed after the server is created.
4. If appropriate, edit the Port field. The default value is the port
number of the Service under which this Server displays in the
Tree. This value cannot be changed after the server is created.
5. From the drop down menu, click to select the desired Server
Type. Available types are listed below:
•Primary: Primary servers are immediately available to
accept client requests forwarded from the SA8220.
•Backup: Backup servers are sent requests under only two
circumstances: First, when the primary servers are unable to
meet the configured target response times a backup server
may be used if and only if "backups" is enabled for this
service. Second, backup servers are given requests when a
primary server is unavailable. As primary servers become
inactive, backup servers are brought into service to handle
requests.
•Disabled: Renders the server unavailable to accept client
requests.
6. From the drop down menu, click to select the desired Server Mode. This command enables or disables Source Address
Preservation (SAP) on the named server. When Out-of-Path
Return (OPR) is enabled, the user-designated server port is
ignored and the configured service server port is used. By
default, SAP is enabled (and cannot be disabled) when OPR is in
effect.
•For more details about SAP, please see “Source Address
Preservation” in Chapter 2.
•For more details about OPR, please see “Out-of-Path Return
(OPR)” in Chapter 2.
RICH Controls (all models except the SA7200)
NOTE: OPR cannot be
used in conjunction with
Services of type
RICH_HTTP.
If the type of the Service under which you create a Server is
RICH_HTTP, the Server Details tab displays some additional
controls, as shown below.
Server Details Screen with RICH Controls Displayed
The RICH controls are listed below:
•Multi-hop Source Address Preservation: It is possible in
sophisticated network topologies to require that requests pass
through two cascaded SA8220s. In such configurations, the
SA8220 topologically closest to the clients must be configured
with the MSAP feature enabled. In most configurations, the
default setting (MSAP disabled) must be used.
•606 Error Detection: "606" is a user-defined error code, that is,
you can specify an application level error as a "606 error" so it is
detectable by the SA8220. When 606 Error Detection is enabled,
requests that generate a 606 error are rerouted, transparently to
the client, to the next available server. When disabled, the error is
sent back to the requesting client.
•HTTP Error Detection: When HTTP Error Detection is
enabled, requests that generate HTTP errors 401-405 and 500-503 are rerouted, transparently to the client, to the next available
server. When disabled, these errors are sent back to the
requesting client.
•RICH Expression List: Expressions allow the SA8220 to parse
requests at the levels of path name, file type, and filename and
direct them to the appropriate server. Expressions can include
wildcards. To define an expression list, type a series of
expressions separated by the semicolon character into the RICH
Expression List: field according to the following usage:
Valid expressions include the following:
NOTE: The “*” and “!”
are allowed in
expressions, but they can
only exist at the
beginning or end of the
expression. Also, a
positive expression is
required after a not (!)
expression, otherwise the
(!) expression has no
effect.
•File type expressions, such as *.gif, or */index.html
•Path expressions, such as /home/*, or /home/images/*, or /home/images/a*
•Unique file expressions, such as /index.html
•Wildcard expression, such as *
•The negation operator (!), e.g., !*.gif, or !*/index.html
Invalid expressions include the following:
•Text on either side of the asterisk, e.g., /index*.gif
•Expressions containing more than one asterisk, e.g., /index*.*
•Expressions containing one or more spaces or the dollar sign ($)
character
Order of Expressions (all models except the SA7200)
When using expressions in Layer 7 (RICH) operations, the order of
expressions is significant only when the "not" (!) operator is used.
Expressions are described below.
Expression          Yields
!*.gif;*            All non-GIF files
*;!*.gif            All files, because after specifying “all” (*), the !*.gif expression is never reached
!*.html;/home/*     Matches all entries of the form “/home/*” except HTML files
/home/*;!*.html     Matches all files of the form “/home/*.” The !*.html has no effect.
!/home/*            No matches
!/home/*;*          All matches except ones starting with "/home."
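The ordering rules in the table above can be checked offline with a small model before an expression list is entered on the appliance. This is an added example, not code from HP or the SA8220: it assumes first-match-wins evaluation (inferred from the table rows), case-sensitive matching, and "!" only as a leading operator; all function names are illustrative.

```python
# Added illustration: a model of RICH expression-list semantics inferred from
# the guide's syntax rules and ordering table. Not the SA8220's implementation.

def validate(expr):
    """Return None if expr obeys the guide's syntax rules, else a reason."""
    body = expr[1:] if expr.startswith("!") else expr
    if not body:
        return "empty expression"
    if " " in expr or "$" in expr:
        return "contains a space or '$'"
    if "!" in body:
        return "'!' is accepted only as the leading negation operator (assumption)"
    if body.count("*") > 1:
        return "more than one asterisk"
    if "*" in body and not (body.startswith("*") or body.endswith("*")):
        return "text on both sides of the asterisk"
    return None

def parse(expr_list):
    """Split on ';' and return [(negated, pattern)], raising on bad syntax."""
    rules = []
    for expr in expr_list.split(";"):
        reason = validate(expr)
        if reason:
            raise ValueError(f"{expr!r}: {reason}")
        negated = expr.startswith("!")
        rules.append((negated, expr[1:] if negated else expr))
    return rules

def _hit(pattern, path):
    """Match one pattern whose single '*' sits at the start or the end."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def matches(expr_list, path):
    """First matching expression decides: '!' excludes, otherwise includes."""
    for negated, pattern in parse(expr_list):
        if _hit(pattern, path):
            return not negated
    return False  # nothing matched, so a list of only '!' entries selects nothing
```

Running a candidate list against paths that must be excluded shows immediately when an exclusion placed after a broader positive expression never takes effect, as in `*;!*.gif`.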
Deleting Servers
To delete a Server:
1. In the Tree, click the name of the Server to be deleted.
2. In the Policy Manager toolbar, click Delete, or right click to
display the menu and click the Delete Selected Item command.
Administration Screen
The Administration Screen is a set of ten tabs containing the
functions used to manage the SA8220. Each tab includes controls and
displays related to a specific category of administration tasks.
Settings Tab
Administration Screen — Settings Tab
The Settings tab includes controls used to set the following:
•System ID: Edit this field to set the unit identifier. The SA8220s
are shipped with the unit serial number in this field. You can use
this control to change the identifier if your site requires alternate
asset tracking information. The new ID can be an alphanumeric
value from 1 to 64 characters. To change this value, type the
desired identifier, and then click Apply.
•Server Verification Interval: Edit this field to change the
interval in seconds at which servers are "pinged" to verify they
are available and able to handle traffic requests. (See "IRV" in the
Command Line Interface chapter). The valid range for this field
is 0 to 99999. A value of 0 disables IRV.
In addition to the above controls, the Settings tab also contains
the following read-only displays:
•System Name: Displays the name given the SA8220 in its initial
configuration.
•MAC Address: Displays the SA8220's Media Access Control
address.
•Status: The Status field displays information about the
SA8220's function and failover status. For more details about
status messages, please see “Status Information” in Chapter 2.
Software Tab
The Software tab contains controls and displays allowing you to
perform the following tasks:
•Specify image category as either System software or Agent
Software (Agent software lists software components other than
the SA8220 system image that may be installed on the unit, such
as the HP Multi-Site Traffic Director Server Appliance SA9200
agent).
•View the list of currently installed system software images (the
SA8220 can have up to five system images installed).
•View the list of currently installed agent software images (the
SA8220 can have up to four agents installed in addition to those
accompanying each system software image).
•Specify which of the installed software images is to be active.
•Install or update software images.
•Delete software images.
•Enable or disable Passive FTP.
•FTP or TFTP new Multi-Site Agents to the SA8220.
The SA8220 provides sufficient local storage for five software
images (though at any time, only one image is active and executing).
The "System Software" area of the Software tab displays the list of
currently installed system images, including the following details for
each:
•Image index number
•"Active" status (yes/no)
•Product name
•Product version number
•Patch number
•Build number
Agent Software
The SA8220 can interface with other HP units by using Agent
Software images. The SA8220 provides sufficient local storage for
at least five Agent software images (though at any time, only one
image is enabled). To display the "Agent Software" area of the
Software tab, click Agent Software, which displays the list of
currently installed Multi-Site Director Agent images, as shown
below.
Software Tab in Agent Software View
Details displayed for each Agent include:
•Image index number
•"Active" status (yes/no)
•Product version number
•Patch number
•Build number
•Compatible Multi-Site Traffic Director version number
Specifying the Active System Software Image
To change the active system image:
1. Click System Software.
2. In the System Software box, click the image you want to activate.
3. Click Boot. The SA8220 displays a message prompting you to
proceed but warning you that the SA8220 will reboot as shown
below.
NOTE: You can also
perform a soft reboot of
the SA8220 by selecting
the currently active
software image and
clicking Boot.
Boot Warning Window
4. Click Yes.
As the SA8220 reboots, the screen shown below displays.
Reboot Screen
You must close all browser windows to ensure your browser uses
the newly activated Administration Application.
5. Wait three to five minutes for the SA8220 to finish rebooting,
and then run the administration application.
6. Go to the Software tab of the Administration screen and verify
that the "Active" column of the selected image displays yes.
Installing Software Images
You can download and install new system and agent software images
for the SA8220 using the controls in the Update Software box at the
bottom of the Software tab.
Downloading a System Software Update
NOTE: A key is not
required to obtain Agent
Software.
1. To download the new image, contact HP Customer Support or
your System Administrator to obtain the URL, Key, User, and Password information.
For more details about software installation and updates, please
see “Software Updates and Upgrades” in Chapter 8.
Deleting Software Images
To delete a software image from the list of installed images:
1. In the Software View box, click the software type to be deleted.
2. In the Installed Software box, click the image to be deleted.
3. Click Delete. The SA8220 prompts you to confirm that you want
to delete the selected image, as shown below.
Delete Image Confirmation (System View)
4. Click Yes.
If you selected Agent Software, the prompt shown below
displays.
Delete Image Confirmation (Agent View)
5. Click Yes.