KEMP Technologies LoadMaster 1500, Installation And Configuration Manual

Page 1: ...1 Copyright 2000 2005 KEMP Technologies Inc All Rights Reserved LoadMaster 1500 Installation and Configuration Guide ...

Page 2: ...ess otherwise noted Sun Sun Microsystems the Sun Logo Solaris SunOS and Java are trademarks or registered trademarks of Sun Microsystems Inc in the United States and other countries UNIX is a registered trademark of X Open Company Ltd IBM is a registered trademark of International Business Machines Corporation Microsoft Windows and Windows NT are registered trademarks of Microsoft Corporation Linu...

Page 3: ...adMaster Load Balancer Features 12 C LoadMaster Network Topologies 14 1 One Armed Balancer 14 2 Two Armed and Multi Armed Balancer 14 3 Direct Server Return DSR example 15 D Miscellaneous Networking Issues 16 1 S NAT 16 2 Default Gateway and Routes 17 E Single Dual Unit Configurations 18 1 Single Unit Configuration 18 2 High Availability HA Configuration 18 F Balancing Methods 19 1 Round Robin 19 ...

Page 4: ... Definition 23 1 1 Special Characters 24 1 2 Regular expressions 24 1 3 Host name matching 24 K Health Checking 25 1 Service and non service based Health Checking 25 L SNMP Support 27 1 LoadMaster Performance Metrics via SNMP 27 2 LoadMaster Event Traps via SNMP 28 M LoadMaster Software Upgrades 29 1 Online Upgrades 29 N Miscellaneous 29 1 Remote Syslogd Support 29 2 How to get a license 30 2 1 Ge...

Page 5: ...Key 35 C Initial Setup of a LoadMaster High Availability HA Cluster 36 1 Login and License Key 36 2 Configuring the second LoadMaster 36 D Quick Setup 37 E Main Menu 38 1 Configuration Menu basics 38 1 1 Quick Setup 39 2 Service Management CLI 39 3 Local Administration 39 3 1 Set Password 39 3 2 Set Date Time 39 3 3 Set Keyboard Map 39 3 4 Backup Restore 40 3 5 Remote Access Control 40 4 Basic Set...

Page 6: ...adMaster Config 46 F The LoadMaster Questionnaire 46 1 Single LoadMaster Balancer Solution 46 2 Highly Available dual LoadMaster Balancer Solution 46 III COMMAND LINE INTERFACE 47 2 Adaptive scheduling command level 48 3 Health check command level 49 5 Rule Edit command level 50 6 Virtual Service VIP command level 51 IV WEB USER INTERFACE WUI CONFIGURATION GUIDE 56 A Glossary and Abbreviations 56 ...

Page 7: ... 69 4 1 Adaptive Interval 69 4 2 Adaptive URL 69 4 3 Port 69 4 4 Min Control Variable Value 69 4 5 Min Weight Adjustment Value 69 4 6 Real Server Availability 69 5 Balancer Metrics 70 5 1 Global Metrics 70 5 1 2 Real Server Metrics 70 5 1 3 Virtual Service Metrics 70 6 System Properties 70 6 1 Route Management 70 6 2 Access Control 70 6 2 1 Packet Filter Enabled 70 6 2 2 Reject Drop blocked packet...

Page 8: ...ation or your full purchased license key Balancer A network device or logic that distributes inbound connections with a common source address across a farm of server machines Farm Side The LoadMaster network interface to which the server farm is connected Flat based The VIPs and the real servers are on the same subnet HA Highly Available or High Availability used interchangeably ICMP Internet Cont...

Page 9: ...osts these units Sooner or later physical limits of hardware upgradeability are reached Furthermore users are not willing to accept the downtime that accompanies such upgrades High availability of services and applications as Internet based networking is used for mission critical applications such as banking B2B and voice over IP the availability of services can easily determine the success or fai...

Page 10: ...re doing so the following considerations covered by the LoadMaster documentation should be taken into account when setting up your LoadMaster for the first time What sort of LoadMaster network topology best suits my application See section C of this guide Do my real servers require publicly routable IP addresses or can they be hidden behind the LoadMaster on a private network segment See section C...

Page 11: ...tion E of the Installation and Configuration Guide Do I wish to allow my balancer to be accessed by KEMP Technologies for maintenance purposes See section E of the Installation and Configuration Guide 3 A Simple Balancer Configuration Taking the above issues into consideration an example Load Balanced Site may look as follows Figure 1 Example of a simple Balancer configuration A Virtual Service VS...

Page 12: ...ver Farm network topology with NAT based forwarding See note 1 Compact Flash bootable Operating Software S NAT support for multi armed solutions See note 2 One and two armed flat based 3 Balancer Server Farm topologies Support of Direct Server Return DSR configurations Optional force setting of duplex mode for Balancer Ethernet interfaces Option to allow remote access to Balancer for maintenance p...

Page 13: ... option Stateful Failover of Cookies and TCP connections Administration Web based interface for creation deletion and editing of Virtual Services Command Line Interface CLI for the creation deletion and editing of Virtual Services Packet filtering functionality Remote Syslogd support Remote access to the LoadMaster for all administrative Balancer operations Selective restore of Balancer and Virtua...

Page 14: ...n DSR methods on the Real Servers Implies the clients consumers of the service hosted by the LoadMaster are on a logically separate network to the LoadMaster and its Virtual Services this is not true if used in conjunction with DSR 2 Two Armed and Multi Armed Balancer If a two armed or Multi Armed configuration is selected then the following is true Both eth0 net side and eth1 farm side interfaces...

Page 15: ...igurations Real Servers may exist on either the eth0 or up to the eth5 network However placing Real Server on eth0 in a two armed configuration is not recommended 3 Direct Server Return DSR example 1 incoming request intercepted by LoadMaster 2 routed to Test Server 1 3 response from Test Server 1 4 Response goes directly to Client without LoadMaster ...

Page 16: ... 70 200 Dest 00 00 00 00 00 bb 3 195 30 70 200 216 139 43 10 Source 00 00 00 00 00 bb Configuring a VIP on the loopback interface on Linux On a linux machine the ifconfig a command will look something like this root RS1 ifconfig a eth0 Link encap Ethernet HWaddr 00 00 00 00 00 bb inet addr 195 30 70 11 Bcast 195 30 70 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packe...

Page 17: ...mple configuration is given in figure A When the LoadMaster is installed in a more complicated network configuration for example as depicted in figure B the default gateway must still be specified but will only be used if additional routes are not available Additional routes may be specified so that traffic for the specified addresses will be routed over alternative gateways For example in figure ...

Page 18: ...tivities from the active server This two machine cluster appears both to the Internet side and to the server farm side as a single logical unit Note If you are running a High Availability HA cluster which consists of two interconnected LoadMaster nodes each network interface has an individual IP address and a shared sometimes called floating IP address The shared IP address is identical for both L...

Page 19: ...ly across the server farm cluster i e the available servers If this method is selected all the servers assigned to a virtual service should have the similar resource capacity and host identical applications Choose round robin if all servers have the same or similar performance and are running the same load Subject to this precondition the round robin system is a simple and effective method of dist...

Page 20: ...n general a very fair distribution method as it uses the ratio of the number of connections and the weight of a server The server in the cluster with the lowest ratio automatically receives the next request 5 Agent Based Adaptive Balancing In addition to the methods above the LoadMaster contains an adaptive logic which checks the state of the servers at regular intervals and independently of the c...

Page 21: ...ks e g class c net that can be masked with the persistency mask In some situations most notably from sites such as AOL all requests from AOL users come from only one IP address This totally defeats IP source address based persistency all requests from these so called Mega Clients would go to only one real server while the rest of the server farm idles This may be a reason to employ the Layer 7 Per...

Page 22: ...o the LoadMaster which will then use the value of the cookie to direct the request to the same real server as before When using active mode no modifications must be done to the real servers The Balancer administers all cookies for the servers 7 Active Cookie Source Active Cookie or IP source Based Persistency This method functions exactly like active cookie based persistency when the client browse...

Page 23: ... private key must also be transferred to the LoadMaster This can be either a separate file on the same machine or the private key can be appended to the SSL certificate If the private key is appended to the SSL certificate openssl can generate one file with both parts in then a separate private key is not required J Rule Based Content Switching In the previously described load balancing methods it...

Page 24: ...he following special characters are defined This can only be placed at the start of the string and means that the string must match at the start of the URL This can only be placed at the end of the string and means that the string must match at the end of the URL This matches any single character This matches zero or more characters This starts the set notation This matches a SINGLE character whic...

Page 25: ...nged from the default settings using the Virtual Service wizard to accommodate non standard settings For example one could run an http service on port 8080 instead of 80 and change the health check to HTTP instead of the default Layer4 check Note These global settings hold for all servers in the farm i e you cannot assign different timeouts for different servers It is mandatory that one of the ser...

Page 26: ...the connection and marks the server as active If the server fails to respond within the configured response time for the configured number of times or if it responds with a different status code it is assumed dead 7 HTTPS The LoadMaster opens a SSL connection to the Real Server on the Service port port 443 The LoadMaster sends a HTTP 1 0 HEAD request the server requesting the page If the server se...

Page 27: ...sions in use are SNMPv1 and SNMPv2c community based SNMPv2 The SNMP support of the LoadMaster is based on SNMPv3 so that all 3 of the above versions can be used However since SNMPv1 does not support 64bit values as used in the LoadMaster MIB it is recommended to use SNMPv2c or SNMPv3 1 LoadMaster Performance Metrics via SNMP The information regarding all LoadMaster specific data objects is stored ...

Page 28: ...tion is disabled by default References SNMPv1 RFC 1155 Structure and Identification of Management Information for TCP IP based Internets RFC 1157 A Simple Network Management Protocol SNMP RFC 1212 Concise MIB Definitions SNMPv2c RFC 1901 Introduction to Community based SNMP RFC 1902 Structure of Management Information for Version 2 of the Simple Network Management Protocol SNMPv2 RFC 1903 Textual ...

Page 29: ... the user will be asked if the patch should be installed Upon the successful installation of the patch the LoadMaster should be rebooted to activate the new version If for some reason the patch does not perform as required the previous version of the software may be reactivated via the configuration menu Converting from a 30 or 60 day evaluation license to a full license or from a L4 only to a L4 ...

Page 30: ...ll LoadMaster license 1 A service agreement upon purchase must be approved by KEMP in order to obtain a full LoadMaster appliance 2 Using a null modem cable connect a PC using terminal emulation software from its COM port to the LoadMaster COM port COM settings should 115200 8 N 1 After boot a login prompt appears login as bal password 1fourall and your Access Code will be displayed on the screen ...

Page 31: ... a network to a remote server The complete configuration the Virtual Service Configuration and the base Configuration of the balancer will be saved to a single file on the server The server must be running an FTP daemon or an SSH daemon By default the remote protocol will be FTP Using console or SSH access go to 7 Utilities then 2 Transfer protocol to change setting Consult the WUI User Manual to ...

Page 32: ...e in the range between 0 and 100 representing the actual load on this server 0 idle 100 overload The balancer retrieves this file by an HTTP GET operation It is the servers job to provide the actual load in the ASCII file There are no prerequisites though how the servers evaluate this information Anyway there are some conditions that must hold There must exist an ASCII file with a number between 0...

Page 33: ...0 It uses the Performance Data Helper PDH API and must be linked to the pdh lib The PDH Dynamic Link Library DLL pdh dll must also be installed on the system Modify the counter paths for Windows 2000 dependent on the installed language 2 Http Server Configuration for Cookie Support This short example shows how a cookie may be set on a real server ...

Page 34: ...ted You only need to connect via COM Console port with a terminal emulation application on PC to initially setup your LoadMaster machine s Using a null modem cable connect a PC using terminal emulation software from its COM port to the LoadMaster COM port COM settings should 115200 8 N 1 After boot a login prompt appears login as bal password 1fourall and your Access Code will be displayed on the ...

Page 35: ...ense Key Enter bal for the first login and 1fourall for the password Using a null modem cable connect a PC using terminal emulation software from its COM port to the LoadMaster COM port on the right note the left COM port will not be used to connect to unit COM settings should 115200 8 N 1 Upon successful login a screen will appear with the following message Thank you for purchasing LoadMaster Ple...

Page 36: ...ing used Hint You must have a service agreement or an evaluation window with KEMP Technologies to receive the Access Code of the LoadMaster License keys are linked to LoadMaster hardware and are not transferable Once a valid License Key has been input Quick Setup will be started For more information on Quick Setup please consult the Quick Setup section 2 Configuring the second LoadMaster Log in on...

Page 37: ...ters Domain parameters Default Gateway After these parameters have been set the configuration should be activated The LoadMaster is then ready for work Note If a parameter has been incorrectly set Use the CANCEL button until the main menu appears Quick Setup can then be performed again to correct the error Ethernet IP address s eth0 The user is asked to input the IP address of the eth0 NETWORK sid...

Page 38: ... Note If the password for bal has been forgotten a user can login on the console as pwreset The password is 1pwreset this will reset the password for bal to 1fourall until the LoadMaster is rebooted If unit is rebooted the password will be reset to its old unknown value It is thus strongly advised that the password should be changed using the configuration menu before the next reboot 1 Configurati...

Page 39: ...ould be changed for security reasons Remote access over SSH is not allowed until the password has been changed Important The password is not saved when performing a backup and is not replaced when performing a restore If the LoadMaster is running in a HA high availability mode cluster Each LoadMaster can have a separate password The password information is not transferred between the members of a ...

Page 40: ...guration 3 5 Remote Access Control This option allows the user to enable or disable remote access to the LoadMaster Enable Disable Remote SSH access This option allows enables or disables access to the LoadMaster via the SSH protocol If this option is disabled the menus can only be accessed via the local console If no password has been specified for bal it is not possible to log in via SSH Enable ...

Page 41: ...specified using this menu These routes are static and the gateways must be on the same network as the LoadMaster 5 Extended Configuration This menu allows the user to configure several features which do not directly affect the main function of the LoadMaster but makes the balancer easier to use 5 1 Interface Control This option allows the configuration of the protocol used at the physical level on...

Page 42: ...er to respond to SNMP requests Note By default SNMP is disabled Configure SNMP Clients With this option the user can specify from which SNMP management hosts the LoadMaster will respond to Important If no client has been specified the LoadMaster will respond to SNMP management requests from any host Configure SNMP Community String This option allows the SNMP community string to be changed The defa...

Page 43: ...ernet interface parameter under Multicast Configuration has any affect on this option This toggle option will either enable or disable the transfer of L4 connection information If this feature takes too much bandwidth or is not required then it may be safely disabled 5 8 Multicast Configuration Note This option is only available on a HA cluster configuration when the L7 persistency state failover ...

Page 44: ...ting software of the LoadMaster may be installed or removed Install Update With this option a patch can be downloaded onto the LoadMaster from a remote server The server must be running a SSH daemon Once the patch has been downloaded the patch is unpacked and verified If the patch is valid then the name of the patch will be displayed and the user will be asked to confirm if the patch should be ins...

Page 45: ...ows the user to download a certificate file for the virtual service Note the SCP protocol may be used to transfer certificate files Get a key file This option allows the user to download a private key file for the virtual service If a private key is included in the certificate file no additional private key file is required Delete the key and certificate files Allows the user to delete a certifica...

Page 46: ...ork side eth0 IP Address ________________________________________________________________________ Netmask ________________________________________________________________________ Farm side eth1 IP Address ________________________________________________________________________ Netmask ________________________________________________________________________ Hostname ________________________________...

Page 47: ...________________ Default Gateway IP Address III Command Line Interface Reference Guide The command interface syntax is loosely based on the industry standard syntax as used by other Load Balancer manufacturers The command interface has a line based hierarchical command set Changes made to the configuration are only performed when returning to the top level Hint A port can either be specified as a ...

Page 48: ...mmand set A VIP is the IP address of the Virtual Service A name is the name of the Virtual Service If no Virtual Service with the specified IP address or IP name respectively then a new Virtual Service will be created No changes will occur to the configuration until the user returns to the top level command level 1 9 Help Prints a summary of commands at the current level 1 10 End Terminate the CLI...

Page 49: ...session No changes performed after entering this level will be saved 2 9 Exit Returns the input to the top command level Any changes will be written to the configuration file and the system will be updated accordingly 3 Health check command level The following commands can be performed at the health check command level 3 1 Interval Integer Specifies how often the health of a Real Server should be ...

Page 50: ...specified or the specified rule 4 5 Help Lists the commands that are available at the rules command level 4 6 End Terminate the CLI session Any changes since entering the health check command level will be ignored 4 7 Exit Leave the rules command level any changes to the rules will be saved and the system will be configured accordingly 5 Rule Edit command level The following commands can be perfor...

Page 51: ...s since entering the rules command level will be ignored 5 11 Exit Leave the rule edit command level and return to the rules command level Modifications will not be saved until after the rules command level is exited 6 Virtual Service VIP command level The following commands are available at the Virtual Service command level No changes will be made to the system until the user performs an exit fro...

Page 52: ...y be specified which is used to determine if two IP addresses should be treated as coming from the same source By default the mask has a value of 255 255 255 255 which means that all IP addresses are different 6 10 no Name Name Specifies the name of the Virtual Service To delete the name use the command no name 6 11 Healthcheck String This specifies which health check method should be used for a g...

Page 53: ... Specifies the IP port to be used for the Virtual Service If no health check mechanism has been specified and the port is a well known port the relevant health check mechanism will be selected 6 14 Precedence rule name number The precedence of the rule rule name is set to number A value of 1 moves the rule to the start of the rule list I e this rule is checked first A higher value moves the rule t...

Page 54: ...other rules Use the Virtual Service command Precedence to change the precedence order 7 2 Delrule Rule name This command removes the association of rule Rule name from the Real Server If there are no more instances of the rule associated with the Virtual Service the rule will be deleted from the Virtual Service precedence list 7 3 Disable Disables the current Real Server The Real Server will only ...

Page 55: ...duling methods that utilize the weighting of a Real Server 7 9 Help Lists the commands at this level 7 10 End Terminate the CLI session No changes made in the VIP and Real Server command levels will be saved 7 11 Exit Return to the Virtual Service command level No changes will be saved until the editing of the current Virtual Service has been completed ...

Page 56: ... interface over which requests to the server farm are made One armed Only one Ethernet interface is used for in and outbound traffic Farm side and Network side are both connected to it RS Real Server Physical server machines which make up a server farm Service A Service is an application that is connected to the network Shared IP The shared floating IP address is always the assigned IP address of ...

Page 57: ... the console of the Balancer That password will be the one that will be used to connect to WUI 2 Create a Simple Virtual Service This section will take you through the steps required to create a simple virtual service that has two real servers Firstly click on the Virtual Services tab to bring up the virtual service page Any virtual services that are on the balancer are listed here and their prope...

Page 58: ...e TCP or UDP but in the vast majority of cases TCP will be the one used Once you are satisfied with the choice of VIP port and protocol click Add This Virtual Service to bring up the virtual service properties In this example we are not concerned with most of these values and will create a virtual service with no persistence no content switching and Round Robin as the scheduling method which are t...

Page 59: ...al action to be performed is adding real servers To get to the real server parameters page click the Add New button in the real server table Here we specify the IP address of the real server we wish to add the port and forwarding method it is to use and its relative weight ...

Page 60: ...virtual service page either click Virtual Services link at the top left of the frame or click the Virtual Services tab The virtual service table should now list the service we have just created 3 Create a Virtual Service with Content Rules This section will take you through the steps required to set up a virtual service that makes use of content switching Content Switching means that the Balancer ...

Page 61: ...e Name field enter the name by which the rule should be known In this case we will call our rule TestRule Next select the type of rule Prefix Postfix or Regular Expression A description of these rule types may be found in the next chapter and in this example we will choose Postfix Finally enter the text string that the balancer will attempt to match in this example we will enter jpg so we will per...

Page 62: ... displays the number of rules assigned to that real server In this case the button will display None Click the button to add rules to the real server For example if real server 10 1 1 13 contained all JPEG files we would wish to add the TestRule to this real server The rule assignment page shows a summary list of rules that are assigned to the real server in question and a pull down list of rules ...

Page 63: ...ed per virtual service Note When SSL Acceleration is enabled communication from the balancer to the real servers is unencrypted Firstly create a new service see first section that has the port 443 HTTPS Make certain that the persistence is not set to SSL and a Real Server has been assigned to this service Simply check the SSL Acceleration checkbox to enable SSL Acceleration If there is no certific...

Page 64: ...s to 80 2 It sets the service check method to HTTP and not HTTPS as would normally be the case with SSL services C Full Menu Tree This section is Quick Reference that shall help you find your way through the menu structure of the Load Master WUI The Balancer menu consists of navigation tabs on the upper side of the screen Two of these tabs each have a submenu These two tabs are System Properties a...

Page 65: ...check methods may be specified http Http checking is enabled https Https SSL checking is enabled smtp The simple mail transfer protocol is used nntp The network news transfer protocol is used ftp The file transfer protocol is used telnet The telnet protocol is used pop3 The postoffice mail client protocol is used imap The imap mail client protocol is used tcp A basic TCP connection is checked dns ...

Page 66: ...90 125 X will be grouped together and directed to the same real server until the timeout has expired URL Persistence Requests to the same URL go to the same server Cookie Persistence The Balancer checks the value of a specially set cookie in the HTTP header Connections with the same cookie will go to the same real server Standard Cookie The real server must be configured to set the special cookie ...

Page 67: ...re is no certificate for the virtual service you will be prompted to install a certificate To download a certificate enter the remote host where the certificate is located and your username and password for this host Then enter the filename of the certificate and the private key and click Get File to install them 2 3 Real Server Assignment This section lists the real servers that are assigned to t...

Page 68: ... rule this will be Prefix Postfix or Regular Expression These match to the URL as follows absolute pathname of the url foo html Prefix Postfix Regular Expression With the Include host in URL checkbox checked the host name is also included in the URL match string www a host com absolute pathname of the url foo html Prefix Postfix Regular Expression The protocol definition e g http is ignored in all...

Page 69: ...le containing a value in the range of 0 to 100 in the first line where 0 idle and 100 overloaded The file is set to load by default The file must be accessible via HTTP The URL must be the same for all servers that are to be supported by the adaptive method Note This feature is not only of interest for HTTP based Virtual Services but for all Services HTTP is merely used as the transport method for...

Page 70: ...terface 5 1 2 Real Server Metrics These graphs display the connections bytes or packets depending on choice the buttons in the top right of the page toggle which value is to be displayed handled by each real server The value is a sum over all virtual services that this real server is a part of and is represented as a percentage of the overall value for the whole balancer 5 1 3 Virtual Service Metr...

Page 71: ...his means that the real servers can be on a private network and still have access to the Internet When S NAT is disabled the Load Master will not perform masquerading and so the real servers cannot access the Internet through the Load Master In Single Armed configurations S NAT does not provide any extra functionality 6 3 2 Set Transfer Protocol This option allows the user to specify which transfe...