Table Of Contents
Configuring Load Balancing
Load Balancing Overview
Virtual Servers
Load-Balancing Predictors
Real Servers
Server Farms
Configuring Virtual Servers
Understanding Virtual Server Configuration and ACE Appliance Device Manager
Using ACE Appliance Device Manager to Configure Virtual Servers
Virtual Server Configuration Procedure
Shared Objects and Virtual Servers
Configuring Virtual Server Properties
Configuring Virtual Server SSL Termination
Configuring Virtual Server Protocol Inspection
Configuring Virtual Server Layer 7 Load Balancing
Configuring Virtual Server Default Layer 7 Load Balancing
Configuring Application Acceleration and Optimization
Configuring Virtual Server NAT
Managing Virtual Servers
Viewing Virtual Servers by Context
Activating Virtual Servers
Suspending Virtual Servers
Viewing Detailed Virtual Server Information
Viewing All Virtual Servers
Configuring Load Balancing with Real Servers
Configuring Server Farm Load Balancing
Adding Real Servers to a Server Farm
Viewing All Server Farms
Configuring the Predictor Method for Server Farms
Configuring Server Farm HTTP Return Error-Code Checking
Health Monitoring
TCL Scripts
Configuring Health Monitoring for Real Servers
Probe Attribute Tables
Configuring DNS Probe Expect Addresses
Configuring Headers for HTTP and HTTPS Probes
Configuring Health Monitoring Expect Status
Managing Real Servers
Activating Real Servers
Suspending Real Servers
Modifying Real Servers
Viewing All Real Servers
Stickiness Overview
IP Address Stickiness
Cookie Stickiness
HTTP Header Stickiness
Sticky Groups
Sticky Table
Configuring Load Balancing Using Sticky Groups
Viewing All Sticky Groups by Context
Configuring Sticky Statics
Using Parameter Maps
Configuring Connection Parameter Maps
Configuring HTTP Parameter Maps
Configuring Optimization Parameter Maps
Supported MIME Types
Viewing All Parameter Maps by Context
Configuring Secure KAL-AP
Configuring Load Balancing
This section provides an overview of server load balancing and procedures for configuring load balancing on an ACE appliance.
Topics include:
• Load Balancing Overview
• Configuring Virtual Servers
• Configuring Server Farm Load Balancing
• Configuring Health Monitoring for Real Servers
• Configuring Load Balancing Using Sticky Groups
• Using Parameter Maps
• Configuring Secure KAL-AP
Load Balancing Overview
Server load balancing (SLB) is the process of deciding to which server a load-balancing device should send a client request for service. For example, a client request can consist of an HTTP GET for a Web page or an FTP GET to download a file. The job of the load balancer is to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole.
Depending on the load-balancing algorithm or predictor that you configure, the ACE appliance performs a series of checks and calculations to determine the server that can best service each client request. The ACE appliance bases server selection on several factors, including the server with the fewest connections with respect to load, source or destination address, cookies, URLs, or HTTP headers.
The ACE Appliance Device Manager allows you to configure:
• Load balancing using virtual servers—See Configuring Virtual Servers.
• Load balancing on named real servers—See Configuring Load Balancing with Real Servers.
• Load balancing on server farms—See Configuring Server Farm Load Balancing.
• Health monitoring for real servers—See Configuring Health Monitoring for Real Servers.
• Sticky group attributes—See Configuring Load Balancing Using Sticky Groups.
• Parameter maps—See Using Parameter Maps.
For information about SLB as configured and performed by the ACE appliance, see:
• Virtual Servers
• Load-Balancing Predictors
• Real Servers
• Server Farms
• Health Monitoring
• TCL Scripts
• Stickiness Overview
Virtual Servers
In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. A virtual server is bound to physical services running on real servers in a server farm and uses IP address and port information to distribute incoming client requests to the servers in the server farm according to a specified load-balancing algorithm. You use class maps to configure a virtual server address and definition. The load-balancing predictor algorithms (for example, roundrobin, least connections, and so on) determine the servers to which the ACE appliance sends connection requests.
Related Topics
• Configuring Virtual Servers
• Load-Balancing Predictors
• Server Farms
Load-Balancing Predictors
The ACE appliance uses the following predictors to select the best server to satisfy a client request:
• Roundrobin—Selects the next server in the list of real servers based on server weight (weighted roundrobin). Servers with a higher weight value receive a higher percentage of the connections. This is the default predictor.
• Leastconns—Selects the server with the fewest number of active connections based on server weight. For the least connection predictor, you can configure a slow-start mechanism to avoid sending a high rate of new connections to servers that you have just put into service.
• Hash_url—Selects the server using a hash value based on the requested URL. You can specify a beginning pattern and an ending pattern to match in the URL. Use this predictor method to load-balance cache servers. Cache servers perform better with the URL hash method because you can divide the contents of the caches evenly if the traffic is random enough. In a redundant configuration, the cache servers continue to work even if the active ACE appliance switches over to the standby ACE appliance. For information about configuring redundancy, see Configuring High Availability, page 6-1.
• Hash_address—Selects the server using a hash value based on either the source or destination IP address, or both. Use these predictors for firewall load balancing (FWLB).
  Note FWLB allows you to scale firewall protection by distributing traffic across multiple firewalls on a per-connection basis. All packets belonging to a particular connection must go through the same firewall. The firewall then allows or denies transmission of individual packets across its interfaces. For more information about configuring FWLB on the ACE appliance, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
• Hash_cookie—Selects the server using a hash value based on a cookie name.
• Hash_header—Selects the server using a hash value based on the HTTP header name.
Note The different hash predictor methods do not recognize the weight value you configure for real servers. The ACE appliance uses the weight that you assign to real servers only in the round-robin and least-connections predictor methods.
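The difference between the weighted predictors and the hash predictors, as an added Python sketch (not Cisco code). The farm, server names, client addresses and the SHA-256 stand-in hash are assumptions, and least connections is modelled as the lowest ratio of active connections to weight.

```python
import hashlib
from collections import Counter

# Constructed server farm: real server name -> configured weight.
FARM = {"rs1": 4, "rs2": 2, "rs3": 1}


def weighted_roundrobin(farm, n_requests):
    """Weighted roundrobin: per cycle, each server gets `weight` connections."""
    cycle = [name for name, weight in farm.items() for _ in range(weight)]
    return Counter(cycle[i % len(cycle)] for i in range(n_requests))


def weighted_leastconns(farm, active):
    """Least connections scaled by weight (assumed: lowest active/weight wins)."""
    return min(sorted(farm), key=lambda name: active.get(name, 0) / farm[name])


def hash_address(farm, src_ip, dst_ip=None):
    """Hash on source, or source and destination, address. Weights are unused."""
    key = src_ip if dst_ip is None else f"{src_ip}|{dst_ip}"
    digest = hashlib.sha256(key.encode()).digest()  # stand-in hash, not the ACE's
    servers = sorted(farm)
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def hash_distribution(farm, n_clients):
    """Spread of constructed client addresses 10.0.x.y across the farm."""
    clients = (f"10.0.{i // 250}.{i % 250 + 1}" for i in range(n_clients))
    return Counter(hash_address(farm, ip) for ip in clients)


if __name__ == "__main__":
    print("roundrobin :", dict(weighted_roundrobin(FARM, 700)))
    print("leastconns :", weighted_leastconns(FARM, {"rs1": 3, "rs2": 2, "rs3": 1}))
    print("hash_addr  :", dict(hash_distribution(FARM, 3000)))
    # The same address lands on the same server whatever the weights are,
    # which is what keeps one connection on one firewall in FWLB.
    equal = {name: 1 for name in FARM}
    print(hash_address(FARM, "192.0.2.7") == hash_address(equal, "192.0.2.7"))
```

With the weighted predictors the 4:2:1 weights shape the split; with the hash predictor the split follows the keys alone, so capacity differences between real servers have to be handled some other way.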
Related Topic
Configuring the Predictor Method for Server Farms
Real Servers
To provide services to clients, you configure real servers on the ACE appliance. Real servers are dedicated physical servers that you typically configure in groups called server farms. These servers provide client services such as HTTP or XML content, Web site hosting, FTP file uploads or downloads, redirection for Web pages that have moved to another location, and so on. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values. The ACE appliance also allows you to configure backup servers in case a server is taken out of service for any reason.
After you create and name a real server on the ACE appliance, you can configure several parameters, including connection limits, health probes, and weight. You can assign a weight to each real server based on its relative importance to other servers in the server farm. The ACE appliance uses the server weight value for the weighted round-robin and the least-connections load-balancing predictors. The load-balancing predictor algorithms (for example, roundrobin, least connections, and so on) determine the servers to which the ACE appliance sends connection requests. For a listing and brief description of the load-balancing predictors, see Load-Balancing Predictors.
The ACE appliance uses traffic classification maps (class maps) within policy maps to filter out interesting traffic and to apply specific actions to that traffic based on the SLB configuration. You use class maps to configure a virtual server address and definition.
If a primary real server fails, the ACE appliance takes that server out of service and no longer includes it in load-balancing decisions. If you configured a backup server for the real server that failed, the ACE appliance redirects the primary real server connections to the backup server. For information about configuring a backup server, see Configuring Virtual Server Layer 7 Load Balancing.
The ACE appliance can take a real server out of service for the following reasons:
• Probe failure
• ARP timeout
• Specifying Out of Service as the administrative state of a real server
• Specifying Inservice Standby as the administrative state of a real server
The Out of Service and Inservice Standby selections both provide the graceful shutdown of a server.
Related Topics
• Configuring Load Balancing with Real Servers
• Configuring Health Monitoring for Real Servers
Server Farms
Typically, in data centers, servers are organized into related groups called server farms. Servers within server farms often contain identical content (referred to as mirrored content) so that if one server becomes inoperative, another server can take its place immediately. Also, having mirrored content allows several servers to share the load of increased demand during important local or international events, such as the Olympic Games. This phenomenon of a sudden large demand for content is called a flash crowd.
After you create and name a server farm, you can add existing real servers to it and configure other server farm parameters, such as the load-balancing predictor, server weight, backup server, health probe, and so on. For a listing and brief description of load-balancing predictors, see Load-Balancing Predictors.
Related Topic
Configuring Server Farm Load Balancing
Configuring Virtual Servers
In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. A virtual server is bound to physical services running on real servers in a server farm and uses IP address and port information to distribute incoming client requests to the servers in the server farm according to a specified load-balancing algorithm.
For more information about virtual servers and the ACE Appliance Device Manager, see:
• Understanding Virtual Server Configuration and ACE Appliance Device Manager
• Using ACE Appliance Device Manager to Configure Virtual Servers
• Virtual Server Configuration Procedure
Understanding Virtual Server Configuration and ACE Appliance Device Manager
The ACE Appliance Device Manager Virtual Server configuration interface, an abstraction of the Modular Policy CLI, simplifies, reorders, and makes more atomic the configuration and deployment of a functional load-balancing environment. With simplification or abstraction, some constraints or limitations are necessarily introduced. This section identifies the constraints and framework used by ACE Appliance Device Manager for virtual server configuration.
In ACE Appliance Device Manager, a viable virtual server has the following attributes:
• A single Layer 3/Layer 4 match condition
  This means that you can specify only a single IP address (or single IP address range if a netmask is used), with only a single port (or port range). Having a single match condition greatly simplifies and aids virtual server configuration.
• A default Layer 7 action
• A Layer 7 policy map
• A Layer 3/Layer 4 class map
• A multi-match policy map, a class-map match, and an action
In addition:
• The virtual server multi-match policy map is associated with an interface or is global.
• The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.
Example 3-1 shows the minimum configuration statements required for a virtual server.
Example 3-1 Minimum Configuration Required for a Virtual Server
class-map match-all Example_VIP
2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
policy-map multi-match int10
loadbalance policy Example_VIP-l7slb
ip address 192.168.65.37 255.255.255.0
service-policy input int10
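One way to audit an ACE-style configuration against the attributes listed above, as an added Python example (not Cisco or Device Manager code). Both sample configurations are constructed; the `class` lines and `interface vlan 10` in them are assumptions that are not in Example 3-1 as printed here, and a default Layer 7 action is taken to mean a `class class-default` entry in the Layer 7 policy map.

```python
import re

# Constructed sample. The class-map, policy-map, ip address and service-policy
# lines mirror Example 3-1; the "class" lines and "interface vlan 10" are assumed.
GOOD = """\
class-map match-all Example_VIP
  2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
  class class-default
policy-map multi-match int10
  class Example_VIP
    loadbalance policy Example_VIP-l7slb
interface vlan 10
  ip address 192.168.65.37 255.255.255.0
  service-policy input int10
"""

# Constructed counter-example: two match conditions, policy map never applied.
BAD = """\
class-map match-any Wide_VIP
  2 match virtual-address 10.10.10.10 tcp eq www
  3 match virtual-address 10.10.10.11 tcp eq https
policy-map type loadbalance first-match Wide_VIP-l7slb
  class class-default
policy-map multi-match int20
  class Wide_VIP
    loadbalance policy Wide_VIP-l7slb
"""


def parse(config):
    """Group an indented config into (header, [stripped child lines]) blocks."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def classes_of(body):
    """Map each 'class NAME' in a policy map to the action lines under it."""
    out, cur = {}, None
    for line in body:
        if line.startswith("class "):
            cur = line.split()[1]
            out[cur] = []
        elif cur is not None:
            out[cur].append(line)
    return out


def audit(config):
    """Return {virtual server name: [problems]}; an empty list means viable."""
    class_maps, l7_policies, multi, applied = {}, {}, {}, set()
    for header, body in parse(config):
        words = header.split()
        if words[0] == "class-map":
            class_maps[words[-1]] = [l for l in body if re.match(r"(\d+\s+)?match\s", l)]
        elif words[:3] == ["policy-map", "type", "loadbalance"]:
            l7_policies[words[-1]] = body
        elif words[:2] == ["policy-map", "multi-match"]:
            multi[words[-1]] = classes_of(body)
        elif words[0] == "interface":
            applied.update(l.split()[-1] for l in body
                           if l.startswith("service-policy input "))
        elif words[:2] == ["service-policy", "input"]:
            applied.add(words[-1])  # top-level statement: applied globally
    report = {}
    for name, matches in class_maps.items():
        if not any("virtual-address" in m for m in matches):
            continue  # not a virtual server class map
        problems = []
        if len(matches) != 1:
            problems.append(f"{len(matches)} L3/L4 match conditions (need exactly 1)")
        uses = [(pm, classes[name]) for pm, classes in multi.items() if name in classes]
        if not uses:
            problems.append("not referenced by a multi-match policy map")
        for pm, actions in uses:
            l7 = [a.split()[-1] for a in actions if a.startswith("loadbalance policy ")]
            if not l7:
                problems.append(f"no loadbalance policy action in {pm}")
            for policy in l7:
                if policy not in l7_policies:
                    problems.append(f"Layer 7 policy map {policy} is not defined")
                elif "class class-default" not in l7_policies[policy]:
                    problems.append(f"{policy} has no default Layer 7 action")
            if pm not in applied:
                problems.append(f"{pm} is not applied to an interface or globally")
        report[name] = problems
    return report


if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        for vip, problems in audit(cfg).items():
            print(label, vip, problems or "viable")
```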
Note also the following items regarding the ACE Appliance Device Manager and virtual servers:
• Additional configuration options
  The Virtual Server configuration screen allows you to configure additional items for a functional VIP. These items include server farms, sticky groups, real servers, probes, parameter maps, inspection, class maps, and inline match conditions. Because too many items on a screen can be overwhelming, not all configuration options appear on the Virtual Server configuration screen, such as sticky statics or backup real servers. These options are available elsewhere in the ACE Appliance Device Manager interface instead of on the Virtual Server configuration screen.
• Configuration options and roles
  To support and maintain the separation of roles, some objects cannot be configured using the Virtual Server configuration screen. These objects include SSL certificates, SSL keys, NAT pools, interface IP addresses, and ACLs. Providing these options as separate configuration options in the ACE Appliance Device Manager interface ensures that a user who can view or modify virtual servers or aspects of virtual servers cannot create or delete virtual servers.
Related Topics
• Configuring Virtual Servers
• Using ACE Appliance Device Manager to Configure Virtual Servers
• Virtual Server Configuration Procedure
Using ACE Appliance Device Manager to Configure Virtual Servers
It is important to understand the following when using the ACE Appliance Device Manager to configure virtual servers:
• Virtual server configuration screens
  The ACE Appliance Device Manager Virtual Server configuration screens are designed to aid you in configuring virtual servers by presenting configuration options that are relevant to your choices. For example, the protocols that you select in the Properties configuration subset determine the other configuration subsets that appear.
• Use the virtual server configuration method that suits you
  The ACE Appliance Device Manager Virtual Server configuration screens simplify the process of creating, modifying, and deploying virtual servers by displaying those options that you are most likely to use. In addition, as you specify attributes for a virtual server, such as protocols, the interface refreshes with related configuration options, such as Protocol Inspection or Application Acceleration and Optimization, thereby speeding virtual server configuration and deployment.
  While Virtual Server configuration screens remove some configuration complexities, they have a few constraints that the Expert configuration options do not. If you are comfortable using the CLI, you can use the Expert options (such as Config > Virtual Contexts > context > Expert > Class Map or Policy or Config > Virtual Contexts > context > Load Balancing > Parameter Map) to configure more complex attributes of virtual servers, traffic policies, and parameter maps.
• Synchronizing virtual server configurations
  If you configure a virtual server using the CLI and then use the Sync option (Config > Virtual Contexts > Sync) to synchronize configurations, the configuration that appears in the ACE Appliance Device Manager for the virtual server might not display all configuration options for that virtual server. The configuration that appears in the ACE Appliance Device Manager depends on a number of items, such as the protocols configured in class maps or the rules defined for policy maps.
  For example, if you configure a virtual server on the CLI that includes a class map that can match any protocol, you will not see the virtual server Application Acceleration and Optimization configuration subset in the ACE Appliance Device Manager.
• Modifying shared objects
  Modifying an object that is used by multiple virtual servers, such as a server farm, real server, or parameter map, could impact the other virtual servers. See Shared Objects and Virtual Servers for more information about modifying objects used by multiple virtual servers.
Related Topics
• Configuring Virtual Servers
• Understanding Virtual Server Configuration and ACE Appliance Device Manager
• Virtual Server Configuration Procedure
Virtual Server Configuration Procedure
Use this procedure to add virtual servers to the ACE Appliance Device Manager for load-balancing purposes.
Assumptions
• Depending on the protocol to be used for the virtual server, parameter maps need to be defined.
• For SSL service, SSL certificates, keys, chain groups, and parameter maps must be configured.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
Step 2
Click Add to add a new virtual server, or select an existing virtual server, then click Edit to modify it. The Virtual Server configuration screen appears with a number of configuration subsets. The subsets that you see depend on whether you use the Basic View or the Advanced View and configuration entries you make in the Properties subset. Change views by using the View object selector at the top of the configuration pane.
Table 3-1 identifies and describes virtual server configuration subsets with links to related topics for configuration information.
Table 3-1 Virtual Server Configuration Subsets
Configuration Subset | Description | Related Topics
Properties | This subset allows you to specify basic virtual server characteristics, such as the virtual server name, IP address, protocol, port, and VLANs. | Configuring Virtual Server Properties
SSL Termination | This subset appears when TCP is the selected protocol and Other or HTTPS is the application protocol. This subset allows you to configure the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients. | Configuring Virtual Server SSL Termination
Protocol Inspection | This subset appears in the Advanced View for TCP with HTTP, HTTPS, FTP, or RTSP, and for UDP with DNS. This subset appears in the Basic view for TCP with FTP. This subset allows you to configure the virtual server so that it can verify protocol behavior and identify unwanted or malicious traffic passing through the ACE appliance on selected application protocols. | Configuring Virtual Server Protocol Inspection
L7 Load-Balancing | This subset appears only in the Advanced View and when HTTP or HTTPS is the selected application protocol. This subset allows you to configure Layer 7 load-balancing options, including SSL initiation. | Configuring Virtual Server Layer 7 Load Balancing
Default L7 Load-Balancing Action | This subset allows you to establish the default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions. It also allows you to configure SSL initiation. | Configuring Virtual Server Default Layer 7 Load Balancing
Application Acceleration and Optimization | This subset appears only in the Advanced View and when HTTP or HTTPS is the selected application protocol. This subset allows you to configure application acceleration and optimization options for HTTP or HTTPS traffic. | Configuring Application Acceleration and Optimization
NAT | This subset appears in the Advanced View only. This subset allows you to set up Network Address Translation (NAT) for the virtual server. | Configuring Virtual Server NAT
Step 3
When you finish configuring virtual server properties, click:
• Deploy Now to deploy the configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Virtual Servers table.
Related Topics
• Configuring Virtual Servers
• Shared Objects and Virtual Servers
• Role Mapping in ACE Appliance Device Manager, page 10-18
Shared Objects and Virtual Servers
A shared object is one that is used by multiple virtual servers. Examples of shared objects are:
• Action lists
• Class maps
• Parameter maps
• Real servers
• Server farms
• SSL services
• Sticky groups
Because these objects are shared, modifying an object's configuration in one virtual server can impact other virtual servers that use the same object.
Configuring Shared Objects
ACE Appliance Device Manager offers the following options for shared objects in virtual server configuration screens (Config > Virtual Contexts > context > Load Balancing > Virtual Servers):
• View—Click View to review the object's configuration. The screen refreshes with read-only fields and the following three buttons.
  • Cancel—Click Cancel to close the read-only view and to return to the previous screen.
  • Edit—Click Edit to modify the selected object's configuration. The screen refreshes with fields that can be modified, except for the Name field which remains read-only.
    Note Before changing a shared object's configuration, make sure you understand the effect of the changes on other virtual servers using the same object. As an alternative, consider using the Duplicate option instead.
  • Duplicate—Click Duplicate to create a new object with the same configuration as the selected object. The screen refreshes with configurable fields. In the Name field, enter a unique name for the new object, then modify the configuration as desired. This option allows you to create a new object without impacting other virtual servers using the same object.
Deleting Virtual Servers with Shared Objects
If you create a virtual server and include shared objects in its configuration, deleting the virtual server does not delete the associated shared objects. This ensures that other virtual servers using the same shared objects are not impacted.
Related Topics
• Managing Virtual Servers
• Configuring Virtual Server Properties
• Configuring Virtual Server SSL Termination
• Configuring Virtual Server Protocol Inspection
• Configuring Virtual Server Layer 7 Load Balancing
• Configuring Virtual Server Default Layer 7 Load Balancing
• Configuring Application Acceleration and Optimization
Configuring Virtual Server Properties
Use this procedure to configure virtual server properties.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
Step 2
Click Add to add a new virtual server, or select an existing virtual server, then click Edit to modify it. The Virtual Server configuration screen appears. The Properties configuration subset is open by default.
The fields that you see in the Properties configuration subset depend on whether you are using Advanced View or Basic View:
• To configure Advanced View properties, continue with Step 3.
• To configure Basic View properties, continue with Step 4.
Step 3
To configure virtual server properties in the Advanced View, enter the information in Table 3-2.
Table 3-2 Virtual Server Properties - Advanced View
Field
|
Description
|
VIP Name
|
Enter the name for the virtual server.
|
VIP IP
|
Enter the IP address for the virtual server.
|
Netmask
|
Select the subnet mask to apply to the virtual server IP address.
|
Protocol
|
Select the protocol the virtual server supports:
• Any—Indicates the virtual server is to accept connections using any IP protocol.
• TCP—Indicates that the virtual server is to accept connections that use TCP.
• UDP—Indicates that the virtual server is to accept connections that use UDP.
Note This field is read-only if you are editing an existing virtual server. The Device Manager does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map. You need to delete the virtual server and create a new one with the desired protocol.
|
Application Protocol
|
This field appears if TCP or UDP is selected. Select the application protocol to be supported by the virtual server.
Note This field is read-only if you are editing an existing virtual server. The Device Manager does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map. You need to delete the virtual server and create a new one with the desired application protocol.
For TCP, the options are:
• Other—Any protocol other than those specified.
• HTTP—Hyper Text Transfer Protocol
• HTTPS—HTTP over SSL
If you select HTTPS, the SSL Termination configuration subset appears. See Configuring Virtual Server SSL Termination.
• FTP—File Transfer Protocol
• RTSP—Real Time Streaming Protocol
For UDP, the options are:
• Other—Any protocol other than those specified.
• DNS—Domain Name System
If you select any specific application protocol, the Protocol Inspection configuration subset appears. See Configuring Virtual Server Protocol Inspection.
|
Port
|
This field appears for any specified protocol.
Enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.
For a complete list of protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers.html.
|
All VLANs
|
Select the check box to support incoming traffic from all VLANs. Clear the check box to support incoming traffic from specific VLANs only.
|
VLAN
|
This field appears if the All VLANs check box is cleared.
In the Available Items list, select the VLANs to use for incoming traffic, then click Add to Selection. The items appear in the Selected Items list.
To remove VLANs, select them in the Selected Items lists, then click Remove from Selection. The items appear in the Available Items list.
Note You cannot change the VLAN for a virtual server once it is specified. Instead, you need to delete the virtual server and create a new one with the desired VLAN.
|
HTTP Parameter Map
|
This field appears if HTTP or HTTPS is the selected application protocol.
Select an existing HTTP parameter map or click *New* to create a new one:
• If you select an existing parameter map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
• If you click *New*, the HTTP Parameter Map configuration pane appears. Configure the HTTP parameter map as described in Table 3-3.
|
Connection Parameter Map
|
This field appears if TCP is the selected protocol.
Select an existing connection parameter map or click *New* to create a new one:
• If you select an existing parameter map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
• If you click *New*, the Connection Parameter Map configuration pane appears. Configure the connection parameter map as described in Table 3-4.
|
ICMP Reply
|
Indicate how the virtual server is to respond to ICMP ECHO requests:
• None—Indicates that the virtual server is not to send ICMP ECHO-REPLY responses to ICMP requests.
• Active—Indicates that the virtual server is to send ICMP ECHO-REPLY responses only if the configured VIP is active.
• Always—Indicates that the virtual server is always to send ICMP ECHO-REPLY responses to ICMP requests.
|
Status
|
Indicate whether the virtual server is to be in service or out of service:
• In-Service—Enables the virtual server for load-balancing operations.
• Out-of-Service—Disables the virtual server for load-balancing operations.
|
Table 3-3 Virtual Server HTTP Parameter Map Attributes
Field
|
Description
|
Name
|
Enter a unique name for the parameter map.
|
Case-insensitive
|
Select the check box to indicate that the ACE appliance is to be case insensitive. Clear the check box to indicate that the ACE appliance is to be case sensitive. The check box is cleared by default.
|
TCP Server Connection Reuse
|
Select the check box to indicate that the ACE appliance is to reduce the number of open connections on a server by allowing connections to persist and be reused by multiple client connections. If you enable this feature:
• Ensure that the ACE appliance maximum segment size (MSS) is the same as the server maximum segment size.
• Configure port address translation (PAT) on the interface that is connected to the real server.
• Configure on the ACE appliance the same TCP options that exist on the TCP server.
• Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations).
Clear the check box to disable this option.
|
HTTP Persistence Rebalance
|
Select the check box to indicate that the ACE appliance is to:
• Separately load balance each subsequent HTTP request on the same TCP connection.
• Insert the header and cookie for every request instead of only the first request.
Clear the check box to disable this option.
This option is disabled by default.
|
Exceed Max Parse Length
|
Indicate how the ACE appliance is to handle cookies, HTTP headers, and URLs that exceed the maximum parse length:
• Continue—Indicates that the ACE appliance is to continue load balancing. When this option is selected, the HTTP Persistence Rebalance option is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum parse value.
• Drop—Indicates that the ACE appliance is to stop load balancing and to discard the packet.
|
Content Max Parse Length
|
Enter the maximum number of bytes to parse in HTTP content. Valid entries are integers from 1 to 65535.
|
Header Max Parse Length
|
Enter the maximum number of bytes to parse for the total length of cookies, HTTP headers, and URLs. Valid entries are integers from 1 to 65535 with a default of 2048.
|
Secondary Cookie Delimiters
|
Enter the ASCII-character delimiters to be used to separate cookies in a URL string. Valid entries are unquoted text strings with no spaces and a maximum of 4 characters. The default delimiters are /&#+.
|
MIME Type to Compress
|
In the field on the left, enter the Multipurpose Internet Mail Extension (MIME) type to compress, then click Add. The MIME type appears in the column on the right. To remove or change a MIME type, select it in the column on the right, then click Remove. The selected MIME type appears in the field on the left where you can modify or delete it.
To specify the sequence in which compression is to be applied, select MIME types in the column on the right, then click Up or Down to arrange the MIME types.
Supported MIME Types lists the supported MIME types. You can use an asterisk (*) to indicate a wildcard, such as text/*, which would include all text MIME types (text/html, text/plain, and so on).
|
User Agent Not to Compress
|
A user agent is a client that initiates a request. Examples of user agents include browsers, editors, and other end-user tools. When you specify a user agent string in this field, the ACE appliance does not compress the response to a request when the request contains the matching user agent string.
In the field on the left, enter the user agent string to be matched, then click Add. The string appears in the column on the right. To remove or change a user agent string, select it in the column on the right, then click Remove. The selected string appears in the field on the left where you can modify or delete it.
To specify the sequence in which strings are to be matched, select strings in the column on the right, then click Up or Down to arrange the strings in the desired sequence.
Valid entries are 64 characters.
|
Minimum Size to Compress
|
Enter the threshold at which compression is to occur. The ACE appliance compresses files that are the minimum size or larger. Valid entries are integers from 1 to 4096 bytes.
|
Table 3-4 Virtual Server Connection Parameter Map Attributes
Field
|
Description
|
Name
|
Enter a unique name for the parameter map.
|
Exceeds MSS
|
Indicate how the ACE appliance is to handle segments that exceed the maximum segment size (MSS):
• Allow—Indicates that the ACE appliance is to permit segments that exceed the configured MSS.
• Drop—Indicates that the ACE appliance is to discard segments that exceed the configured MSS.
|
Nagle
|
The Nagle algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send. Enabling the Nagle algorithm increases throughput, but it can increase latency in your TCP connection.
Select the check box to enable the Nagle algorithm. Clear the check box to disable the Nagle algorithm.
Note Disable the Nagle algorithm when you observe unacceptable delays in TCP connections.
|
Random Sequence Number
|
Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection.
Select the check box to enable the use of random TCP sequence numbers. Clear the check box to disable the use of random TCP sequence numbers.
This option is enabled by default.
|
Reserved Bits
|
Indicate how the ACE appliance is to handle segments with the reserved bits set in the TCP header:
• Allow—Indicates that segments with the reserved bits are to be permitted.
• Drop—Indicates that segments with the reserved bits are to be discarded.
• Clear—Indicates that reserved bits in TCP headers are to be cleared and segments are to be allowed.
|
Type-of-Service IP Header
|
The type of service for an IP packet determines how the network handles the packet and balances its precedence, throughput, delay, reliability, and cost.
Enter the type-of-service value to be applied to IP packets. Valid entries are integers from 0 to 255.
For more information about type of service, refer to RFCs 791, 1122, 1349, and 3168.
|
Smallest TCP MSS
|
Enter the size of the smallest segment of TCP data that the ACE appliance is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE appliance is not to set a minimum limit.
|
Largest TCP MSS
|
Enter the size of the largest segment of TCP data that the ACE appliance is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE appliance is not to set a maximum limit.
|
SYN Retries
|
Enter the number of attempts that the ACE appliance is to make to transmit a TCP segment when initiating a Layer 7 connection. Valid entries are integers from 1 to 15, with a default of 4.
|
TCP WAN Optimization RTT
|
This option indicates how the ACE appliance is to apply TCP optimizations to packets on a connection associated with a Layer 7 policy map using a round-trip time (RTT) value:
• An entry of 0 (zero) indicates that the ACE appliance is to apply TCP optimizations to packets for the life of a connection.
• An entry of 65535 (the default) indicates that the ACE appliance is to perform normal operations (that is, without optimizations) for the life of a connection.
• Entries from 1 to 65534 indicate that the ACE appliance is to use the following guidelines:
– If the actual client RTT is less than the configured RTT, the ACE appliance performs normal operations for the life of the connection.
– If the actual client RTT is greater than or equal to the configured RTT, the ACE appliance performs TCP optimizations on the packets for the life of a connection.
Valid entries are integers from 0 to 65535.
|
Timeout for Embryonic Connections
|
An embryonic connection is a TCP three-way handshake for a connection that does not complete for some reason. Enter the number of seconds that the ACE appliance is to wait before timing out an embryonic connection. Valid entries are integers from 0 to 4294967295 with a default of 5. A value of 0 indicates the ACE appliance is never to time out an embryonic connection.
|
Half Closed Timeout
|
A half-closed connection is one in which the client or server sends a FIN and the server or client acknowledges the FIN without sending a FIN itself. Enter the number of seconds the ACE appliance is to wait before closing a half-closed connection. Valid entries are integers from 0 to 4294967295 with a default of 3600 (1 hour). A value of 0 indicates that the ACE appliance is never to time out a half-closed connection.
|
Inactivity Timeout
|
Enter the number of seconds that the ACE appliance is to wait before disconnecting idle connections. Valid entries are integers from 0 to 3217203. A value of 0 indicates that the ACE appliance is never to time out a TCP connection.
|
Slow Start Algorithm
|
When enabled, the slow-start algorithm increases TCP window size as ACK handshakes arrive so that new segments are injected into the network at the rate at which acknowledgements are returned by the host at the other end of the connection.
Select the check box to enable the slow-start algorithm, and clear the check box to disable the slow-start algorithm. This option is disabled by default.
|
SYN Segments with Data
|
Indicate how the ACE appliance is to handle TCP SYN segments that contain data:
• Allow—Indicates that the ACE appliance is to permit SYN segments that contain data and mark them for processing.
• Drop—Indicates that the ACE appliance is to discard SYN segments that contain data.
|
Urgent Pointer Policy
|
The Urgent control bit in the TCP header indicates that urgent data is to be processed as soon as possible, even before normal data. Indicate how the ACE appliance is to handle urgent data as identified by the Urgent data control bit:
• Allow—Indicates that the ACE appliance is to permit the status of the Urgent control bit.
• Clear—Indicates that the ACE appliance is to set the Urgent control bit to 0 (zero) and thereby invalidate the Urgent Pointer which provides segment information.
|
ACK Delay Time
|
Enter the number of milliseconds that the ACE appliance is to wait before sending an acknowledgement from a client to a server. Valid entries are integers from 0 to 400.
|
TCP Buffer-Share
|
To improve throughput and overall performance, the ACE buffers the number of bytes you specify before processing received data or transmitting data. Use this option to increase the default buffer size and thereby realize improved network performance.
Enter the maximum size of the TCP buffer in bytes. Valid entries are integers from 8192 to 262143 bytes.
Note If you enter a value in this field for an ACE that does not support this option, an error message appears. Leave this field blank when creating or modifying a connection parameter map for devices that do not support this option.
|
TCP Window-Scale Factor
|
The TCP window scaling extension expands the definition of the TCP window to 32 bits and uses a scale factor to carry the 32-bit value in the 16-bit window of the TCP header. Increasing the window size improves TCP performance in network paths with large bandwidth, long-delay characteristics.
Enter the window scale factor. Valid entries are integers from 0 to 14 (the maximum scale factor).
For more information on TCP window scaling, refer to RFC 1323.
|
Action for TCP Options Range
|
Indicate how the ACE appliance is to handle the TCP options:
• Selective ACK
• Timestamps
• TCP Window Scaling
by selecting one of the options:
• N/A—Indicates that no action is specified.
• Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.
• Drop—Indicates that the ACE appliance is to discard any segment with the specified option set.
|
Lower TCP Options
|
Appears if you select Allow or Drop for the Action for TCP Options Range.
Enter the lower limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 3-41 for information on TCP options.
|
Upper TCP Options
|
Appears if you select Allow or Drop for the Action for TCP Options Range.
Enter the upper limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 3-41 for information on TCP options.
|
Selective ACK
|
Indicate how the ACE appliance is to handle the selective ACK option that is specified in SYN segments:
• Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.
• Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.
|
Timestamps
|
Indicate how the ACE appliance is to handle the timestamp option that is specified in SYN segments:
• Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.
• Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.
|
TCP Window Scale Factor
|
Indicate how the ACE appliance is to handle the TCP window scale factor option that is specified in SYN segments:
• Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.
• Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.
|
Step 4
To configure virtual server properties in the Basic View, enter the information in Table 3-5.
Table 3-5 Virtual Server Properties - Basic View
Field
|
Description
|
VIP Name
|
Enter the name for the virtual server.
|
VIP IP
|
Enter the IP address for the virtual server.
|
Protocol
|
Select the protocol that the virtual server supports:
• Any—Indicates that the virtual server is to accept connections using any IP protocol.
• TCP—Indicates that the virtual server is to accept connections that use TCP.
• UDP—Indicates that the virtual server is to accept connections that use UDP.
|
Application Protocol
|
Select the application protocol to be supported by the virtual server.
For TCP, the options are:
• Other—Any protocol other than those specified.
• HTTP—Hyper Text Transfer Protocol
• HTTPS—HTTP over SSL
If you select HTTPS, the SSL Termination configuration options appear. See Configuring Virtual Server SSL Termination.
• FTP—File Transfer Protocol
• RTSP—Real Time Streaming Protocol
For UDP, the options are:
• Other—Any protocol other than those specified.
• DNS—Domain Name System
|
Port
|
This field appears for any specified protocol.
Enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.
For a complete list of all protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers.html.
|
All VLANs
|
Select the check box to support incoming traffic from all VLANs. Clear the check box to support incoming traffic from specific VLANs only.
|
VLAN
|
This field appears if the All VLANs check box is cleared.
In the Available Items list, select the VLANs to use for incoming traffic, then click Add to Selection. The items appear in the Selected Items list.
To remove VLANs, select them in the Selected Items lists, then click Remove from Selection. The items appear in the Available Items list.
Note You cannot change the VLAN for a virtual server once it is specified. Instead, you need to delete the virtual server and create a new one with the desired VLAN.
|
Step 5
When you finish configuring virtual server properties, click:
• Deploy Now to deploy the configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries.
Related Topics
• Configuring Virtual Servers
• Configuring Virtual Server SSL Termination
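The valid-entry ranges and the zero-means-never timeout values in Table 3-4 can be checked before a connection parameter map is deployed. The following Python is an added example, not Cisco code or an ACE API: the dictionary keys are hypothetical names for the table's fields, while the ranges and special values are the ones stated in the table.

```python
"""Lint a connection parameter map against the entries in Table 3-4."""

# Hypothetical keys for the Table 3-4 fields: (lowest, highest) valid entry.
RANGES = {
    "tos": (0, 255),
    "min_mss": (0, 65535),
    "max_mss": (0, 65535),
    "syn_retries": (1, 15),
    "wan_opt_rtt": (0, 65535),
    "embryonic_timeout": (0, 4294967295),
    "half_closed_timeout": (0, 4294967295),
    "inactivity_timeout": (0, 3217203),
    "ack_delay_ms": (0, 400),
    "buffer_share": (8192, 262143),
    "window_scale": (0, 14),
}
CHOICES = {
    "exceeds_mss": {"allow", "drop"},
    "reserved_bits": {"allow", "drop", "clear"},
    "syn_data": {"allow", "drop"},
    "urgent": {"allow", "clear"},
    "options_range_action": {"n/a", "allow", "drop"},
}
# Timeouts for which the table says 0 means "never time out".
NEVER_EXPIRES = ("embryonic_timeout", "half_closed_timeout", "inactivity_timeout")


def valid_option_number(n):
    """Lower/Upper TCP Options accept 6, 7, or an integer from 9 to 255."""
    return isinstance(n, int) and (n in (6, 7) or 9 <= n <= 255)


def lint(pmap):
    """Return (severity, field, message) findings for one parameter map."""
    findings = []
    for field, (lo, hi) in RANGES.items():
        value = pmap.get(field)
        if value is None:
            continue  # field left blank in the form
        if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
            findings.append(("error", field, f"{value!r} is outside {lo}-{hi}"))
    for field, allowed in CHOICES.items():
        value = pmap.get(field)
        if value is not None and value not in allowed:
            findings.append(("error", field, f"{value!r} is not one of {sorted(allowed)}"))
    if pmap.get("options_range_action") in ("allow", "drop"):
        for field in ("lower_option", "upper_option"):
            if not valid_option_number(pmap.get(field)):
                findings.append(("error", field, "must be 6, 7, or 9-255"))
    # Review points: values the form accepts but that deserve a second look.
    for field in NEVER_EXPIRES:
        if pmap.get(field) == 0:
            findings.append(("warn", field, "0 means the connection never times out"))
    if pmap.get("random_sequence") is False:
        findings.append(("warn", "random_sequence", "sequence number randomization is off"))
    small, large = pmap.get("min_mss"), pmap.get("max_mss")
    if isinstance(small, int) and isinstance(large, int) and 0 < large < small:
        findings.append(("warn", "min_mss", "smallest MSS is larger than largest MSS"))
    return findings


def wan_optimization_applies(configured_rtt, client_rtt):
    """TCP WAN Optimization RTT rule: 0 always, 65535 never, else compare RTTs."""
    if configured_rtt == 0:
        return True
    if configured_rtt == 65535:
        return False
    return client_rtt >= configured_rtt


# Constructed sample: not taken from a real device.
SAMPLE = {
    "exceeds_mss": "drop", "random_sequence": False, "reserved_bits": "clear",
    "syn_retries": 20, "embryonic_timeout": 0, "half_closed_timeout": 3600,
    "inactivity_timeout": 300, "window_scale": 3, "wan_opt_rtt": 200,
    "options_range_action": "drop", "lower_option": 8, "upper_option": 30,
}

if __name__ == "__main__":
    for severity, field, message in lint(SAMPLE):
        print(f"{severity:5} {field}: {message}")
```

Embryonic, half-closed, and idle connections that never time out keep their state on the appliance indefinitely, which is why the zero values are reported as review points rather than errors.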
Configuring Virtual Server SSL Termination
SSL termination service allows the virtual server to act as an SSL proxy server: it terminates SSL sessions between itself and its clients and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.
Use this procedure to configure virtual server SSL termination service.
Assumption
A virtual server has been configured for HTTPS over TCP or Other over TCP in the Properties configuration subset. For more information, see Configuring Virtual Server Properties.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server you want to configure for SSL termination, then click Edit. The Virtual Server configuration screen appears.
Step 3
Click SSL Termination. The Proxy Service Name field appears.
Step 4
In the Proxy Service Name field, select an existing SSL termination service, or select *New* to create a new SSL proxy service:
• If you select an existing SSL service, the screen refreshes and allows you to view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
• If you select *New*, the Proxy Service configuration subset appears.
Step 5
Configure the SSL service using the information in Table 3-6.
Table 3-6 Virtual Server SSL Termination Attributes
Field
|
Description
|
Name
|
Enter a name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26 characters.
|
Key List
|
Select the SSL key pair to use during the SSL handshake for data encryption.
|
Certificate
|
Select the SSL certificate to use during the SSL handshake.
|
Chain Group
|
Select the chain group to use during the SSL handshake.
|
Parameter Map
|
Select the SSL parameter map to associate with this proxy server service.
|
For information about using SSL keys and certificates, see Configuring SSL, page 4-1.
Step 6
When you finish configuring virtual server properties, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries.
Related Topics
• Configuring Virtual Servers
• Configuring Virtual Server Properties
Configuring Virtual Server Protocol Inspection
Configuring protocol inspection allows the virtual server to verify protocol behavior and identify unwanted or malicious traffic passing through the ACE appliance.
In the Advanced View, protocol inspection configuration is available for the following virtual server protocol configurations:
• TCP with HTTP, HTTPS, FTP, or RTSP
• UDP with DNS
In the Basic View, protocol inspection configuration is available for TCP with FTP.
Use this procedure to configure protocol inspection on a virtual server.
Assumption
A virtual server has been configured to use one of the protocols that supports protocol inspection in the Properties configuration subset. See Configuring Virtual Server Properties for information on configuring these protocols.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server that you want to configure for protocol inspection, then click Edit. The Virtual Server configuration screen appears.
Step 3
Click Protocol Inspection. The Enable Inspect check box appears.
Step 4
Select the Enable Inspect check box to enable inspection on the specified traffic. Clear this check box to disable inspection on this traffic. By default, ACE appliances allow all request methods.
Step 5
If you select the Enable Inspect check box, configure additional inspection options according to virtual server application protocol configuration:
• For DNS, in the Length field enter the maximum length of the DNS packet in bytes. Valid entries are from 512 to 65535 bytes. If you do not enter a value in this field, the DNS packet size is not checked.
• For FTP, continue with Step 6.
• For HTTP and HTTPS, continue with Step 7.
Step 6
For FTP protocol inspection:
a. Select the Use Strict check box to indicate that the virtual server is to perform enhanced inspection of FTP traffic and enforce compliance with RFC standards. Clear this check box to indicate that the virtual server is not to perform enhanced FTP inspection.
b. If you select the Use Strict check box, in the Blocked FTP Commands field, identify the commands that are to be denied by the virtual server. See Table 7-6 for more information about the FTP commands.
– Select the commands that are to be blocked by the virtual server in the Available Items list, then click Add. The commands appear in the Selected Items list.
– To remove commands that you do not want to be blocked, select them in the Selected Items list, then click Remove. The commands appear in the Available Items list.
Step 7
For HTTP or HTTPS inspection:
a. Select the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Clear this check box to disable monitoring of Layer 3 and Layer 4 traffic.
b. In the Policy subset, click Add to add a new match condition and action, or select an existing match condition and action, then click Edit to modify it. The Policy configuration pane appears.
c. In the Matches field, select an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection.
If you select an existing class map, the screen refreshes and allows you to view, modify, or duplicate the selected class map. See Shared Objects and Virtual Servers for more information about modifying shared objects.
d. Configure match criteria and related actions by following the steps in Table 3-7.
Table 3-7 Protocol Inspection Match Criteria Configuration
Selection
|
Action
|
Existing class map
|
1. Click View to review the match condition information for the selected class map.
2. Click:
– Cancel to continue without making changes and to return to the previous screen.
– Edit to modify the existing configuration.
– Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.
See Shared Objects and Virtual Servers for more information about modifying shared objects.
3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:
– Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.
– Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.
|
*New*
|
1. In the Name field, specify a unique name for this class map.
2. In the Match field, select the method to be used to evaluate multiple match statements when multiple match conditions exist:
– Any—Indicates that a match exists if at least one of the match conditions is satisfied.
– All—Indicates that a match exists only if all match conditions are satisfied.
3. In the Conditions table, click Add to add a new set of conditions, or select an existing entry, then click Edit to modify it. The Type field appears.
4. In the Type field, select the type of condition that is to be met for protocol inspection and configure protocol-specific criteria using the information in Table 3-8.
5. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:
– Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.
– Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.
|
*Inline Match*
|
1. In the Conditions Type field, select the type of inline match condition that is to be met for protocol inspection.
Table 3-8 describes the types of conditions and their related configuration options.
2. Provide condition-specific criteria using the information in Table 3-8.
3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:
– Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.
– Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.
|
Table 3-8 Protocol Inspection Conditions and Options
Condition
|
Description
|
None
|
No conditions are defined for application inspection decisions.
|
URL
|
URL names are to be used for application inspection decisions.
In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
|
URL Length
|
URL length is to be used for application inspection decisions.
In the URL Length field, enter the number of bytes to be used for application inspection decisions using one of the following formats:
• bytes—Indicates that the URL length must equal the number of bytes specified. For example, 2048.
• >bytes—Indicates that the URL length must be greater than the number of bytes specified. For example, >1026.
• <bytes—Indicates that the URL length must be less than the number of bytes specified. For example, <512.
• bytes1-bytes2—Indicates that the URL length must fall within the range specified. For example, 1-300.
Valid entries are integers from 1 to 65535.
|
Content
|
Specific content contained within the HTTP entity-body is to be used for application inspection decisions.
1. In the Content field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.
2. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 4000 bytes.
|
Content Length
|
The content parse length is used for application inspection decisions.
In the Content Length field, enter the number of bytes to be used for application inspection decisions using one of the following formats:
• bytes—Indicates that the content length must equal the number of bytes specified. For example, 2048.
• >bytes—Indicates that the content length must be greater than the number of bytes specified. For example, >1026.
• <bytes—Indicates that the content length must be less than the number of bytes specified. For example, <512.
• bytes1-bytes2—Indicates that the content length must fall within the range specified. For example, 1-300.
Valid entries are integers from 0 to 4294967295.
|
Header
|
The name and value in an HTTP header are used for application inspection decisions.
1. In the Header Name field, enter the name of the HTTP header to be matched. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. See Table 7-13 for a list of the supported characters that you can use in regular expressions.
|
Header Length
|
The length of the header in the HTTP message is used for application inspection decisions.
1. In the Header Command field, specify whether HTTP header request or response messages are to be used for application inspection decisions:
– Request—Indicates that HTTP header request messages are to be checked for header length.
– Response—Indicates that HTTP header response messages are to be checked for header length.
2. In the Header Length field, enter the number of bytes to be used for application inspection decisions using one of the following formats:
– bytes—Indicates that the header length must equal the number of bytes specified. For example, 248.
– >bytes—Indicates that the header length must be greater than the number of bytes specified. For example, >126.
– <bytes—Indicates that the header length must be less than the number of bytes specified. For example, <212.
– bytes1-bytes2—Indicates that the header length must fall within the range specified. For example, 1-30.
Valid entries are integers from 0 to 255.
|
Header MIME Type
|
Multipurpose Internet Mail Extension (MIME) message types are used for application inspection decisions.
In the MIME Type field, select the MIME message type to be used for this match condition.
|
Port Misuse
|
The misuse of port 80 (or any other port running HTTP) is to be used for application inspection decisions.
Indicate the application category to be used for this match condition:
• IM—Indicates that instant messaging applications are to be checked.
• P2P—Indicates that peer-to-peer applications are to be checked.
• Tunneling—Indicates that tunneling applications are to be checked.
|
Request Method RFC
|
A request method defined in RFC 2616 is to be used for application inspection decisions.
In the RFC Request Method field, select the request method that is to be inspected.
|
Request Method EXT
|
An HTTP extension method is to be used for application inspection decisions.
In the EXT Request Method field, select the HTTP extension request method that is to be inspected.
|
Transfer Encoding
|
An HTTP transfer-encoding type is to be used for application inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient.
In the Transfer Encoding field, select the type of encoding that is to be checked:
• Chunked—The message body is transferred as a series of chunks.
• Compress—The encoding format that is produced by the UNIX file compression program compress.
• Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951.
• Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952.
• Identity—The default (identity) encoding which does not require the use of transformation.
|
Strict HTTP
|
Compliance with HTTP RFC 2616 is to be used for application inspection decisions.
Note Strict HTTP is only available as an inline match condition. Because this Layer 7 HTTP deep inspection match criteria cannot be combined with other match criteria, it appears as an inline match condition.
|
Content Type Verification
|
Verification of MIME-type messages with the header MIME-type is to be used for application inspection decisions. This option verifies that the header MIME-type value is in the internal list of supported MIME-types and that the header MIME-type matches the content in the data or body portion of the message.
Note Content Type Verification is only available as an inline match condition. Because this Layer 7 HTTP deep inspection match criteria cannot be combined with other match criteria, it appears as an inline match condition.
|
e. Click:
– OK to save your entries. The Conditions table refreshes with the new entry.
– Cancel to exit the Policy subset without saving your entries.
f. In the Default Action field, select the default action that the virtual server is to take when specified match conditions for protocol inspection are not met:
– Permit—Indicates that the specified HTTP traffic is to be received by the virtual server.
– Reset—Indicates that the specified HTTP traffic is to be denied by the virtual server.
– N/A—Indicates that this attribute is not set.
Step 8
When you finish configuring virtual server properties, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries.
Related Topics
• Configuring Virtual Server Properties
• Configuring Virtual Server SSL Termination
• Configuring Virtual Server Layer 7 Load Balancing
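The class map options in Table 3-7 (Any or All, Permit or Reset, plus a default action) and the length formats in Table 3-8 can be exercised offline to see how a planned policy would classify a request before it is deployed. The following Python is an added example that models those semantics; it is not ACE code. The dictionary layout, the substring URL match, the use of Python's `re` in place of the ACE regular expression syntax, and the rule that a matching Reset overrides a matching Permit are assumptions of the model.

```python
import re


def parse_length_spec(spec, lo, hi):
    """Compile 'N', '>N', '<N' or 'N1-N2' into a predicate over a byte count.

    lo and hi are the field's valid-entry limits, e.g. 1 and 65535 for URL Length.
    """
    m = re.fullmatch(r"(?:([<>]?)(\d+)|(\d+)-(\d+))", spec.strip())
    if not m:
        raise ValueError(f"unrecognized length format: {spec!r}")
    op, single, first, last = m.groups()
    numbers = [int(n) for n in (single, first, last) if n is not None]
    if any(not lo <= n <= hi for n in numbers):
        raise ValueError(f"{spec!r}: valid entries are integers from {lo} to {hi}")
    if single is not None:
        n = numbers[0]
        if op == ">":
            return lambda length: length > n
        if op == "<":
            return lambda length: length < n
        return lambda length: length == n
    low, high = numbers
    if low > high:
        raise ValueError(f"{spec!r}: range is reversed")
    # Assumption: both ends of bytes1-bytes2 are inclusive.
    return lambda length: low <= length <= high


def condition_matches(cond, request):
    """Evaluate one Table 3-8 condition against a parsed request."""
    kind = cond["type"]
    if kind == "url":            # modelled as a substring match
        return cond["value"] in request["url"]
    if kind == "url_length":
        return parse_length_spec(cond["value"], 1, 65535)(len(request["url"]))
    if kind == "content_length":
        return parse_length_spec(cond["value"], 0, 4294967295)(len(request["body"]))
    if kind == "content":        # skip `offset` bytes of the body, then search
        return cond["value"].encode() in request["body"][cond.get("offset", 0):]
    if kind == "header":         # Python's re stands in for the ACE regex syntax
        value = request["headers"].get(cond["name"].lower())
        return value is not None and re.search(cond["value"], value) is not None
    if kind == "request_method":
        return request["method"] == cond["value"]
    raise ValueError(f"unsupported condition type: {kind!r}")


def class_map_matches(class_map, request):
    """Match Any needs one satisfied condition; Match All needs every one."""
    results = (condition_matches(c, request) for c in class_map["conditions"])
    return any(results) if class_map["match"] == "any" else all(results)


def inspect_request(request, rules, default_action):
    """Return (action, names of matched class maps).

    Assumption of this model: every rule is checked, and a matching Reset
    rule overrides any matching Permit rule.
    """
    matched = [r for r in rules if class_map_matches(r, request)]
    names = [r["name"] for r in matched]
    if not matched:
        return default_action, names
    action = "reset" if any(r["action"] == "reset" for r in matched) else "permit"
    return action, names


# Constructed policy and requests, for illustration only.
RULES = [
    {"name": "LONG_URL", "match": "any", "action": "reset",
     "conditions": [{"type": "url_length", "value": ">1026"}]},
    {"name": "TEXT_POST", "match": "all", "action": "permit",
     "conditions": [{"type": "request_method", "value": "POST"},
                    {"type": "header", "name": "Content-Type", "value": r"^text/"}]},
]
LONG_POST = {"method": "POST", "url": "/latest/form?" + "a" * 1100,
             "headers": {"content-type": "text/plain"}, "body": b"hello"}
SHORT_POST = dict(LONG_POST, url="/latest/form")
PLAIN_GET = {"method": "GET", "url": "/latest/whatsnew.html", "headers": {}, "body": b""}

if __name__ == "__main__":
    for label, req in (("long POST", LONG_POST), ("short POST", SHORT_POST), ("GET", PLAIN_GET)):
        print(label, inspect_request(req, RULES, default_action="reset"))
```

The GET request matches no class map, so its outcome depends entirely on the Default Action; with Permit as the default, anything the class maps do not describe is passed through.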
Configuring Virtual Server Layer 7 Load Balancing
Layer 7 load balancing is available for virtual servers configured for HTTP or HTTPS. See Configuring Virtual Server Properties for information on configuring these protocols.
Use this procedure to configure Layer 7 load balancing on a virtual server.
Assumption
A virtual server has been configured to use HTTP or HTTPS in the Properties configuration subset. See Configuring Virtual Server Properties for information on configuring these protocols.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server you want to configure for Layer 7 load balancing, then click Edit. The Virtual Server configuration screen appears.
Step 3
Click L7 Load-Balancing. The Layer 7 Load-Balancing Rule Match table appears.
Step 4
In the Rule Match table, click Add to add a new match condition and action, or select an existing match condition and action, then click Edit to modify it. The Rule Match configuration pane appears.
Step 5
In the Rule Match field, select an existing class map or *New* or *Inline Match* to configure new match criteria for Layer 7 load balancing:
• If you select an existing class map, click View to review, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
• If you click *New* or *Inline Match*, the Rule Match configuration subset appears.
Step 6
Configure match criteria by following the steps in Table 3-9.
Table 3-9 Layer 7 Load-Balancing Match Criteria Configuration
Selection
|
Action
|
Existing class map
|
1. Click View to review the match condition information for the selected class map.
2. Click:
– Cancel to continue without making changes and to return to the previous screen.
– Edit to modify the existing configuration.
– Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.
See Shared Objects and Virtual Servers for more information about modifying shared objects.
|
*New*
|
1. In the Name field, enter a unique name for this class map.
2. In the Match field, select the method to be used to evaluate multiple match statements when multiple match conditions exist:
– Match Any—Indicates that a match exists if at least one of the match conditions is satisfied.
– Match All—Indicates that a match exists only if all match conditions are satisfied.
3. In the Conditions table, click Add to add a new set of conditions or select an existing entry, then click Edit to modify it.
4. In the Type field, select the match condition to be used.
Table 3-10 describes the types of conditions and their related configuration options.
5. Configure any condition-specific options using the information in Table 3-10.
6. Click:
– OK to accept your entries and to return to the Conditions table.
– Cancel to exit this procedure without saving your entries and to return to the Conditions table.
|
*Inline Match*
|
1. In the Conditions Type field, select the type of inline match condition that is to be met for load balancing.
Table 3-10 describes the types of conditions and their related configuration options.
2. Provide condition-specific criteria using the information in Table 3-10.
|
Table 3-10 Layer 7 Load-Balancing Rule Match Configuration
Match Condition
|
Description
|
Http-cookie
|
Indicates that HTTP cookies are to be used for this rule.
If you select this method:
1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching string expressions. Table 7-13 lists the supported characters that you can use for matching string expressions.
3. Select the Secondary Cookie Matching check box to indicate that the ACE appliance is to use both the cookie name and the cookie value to satisfy this match condition. Clear this check box to indicate that the ACE appliance is to use either the cookie name or the cookie value to satisfy this match condition.
This field does not appear for inline match conditions.
|
Http-header
|
Indicates that the HTTP header and a corresponding value are to be used for this rule.
If you select this method:
1. In the Header Name field, enter the name of the generic field in the HTTP header. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 7-13 lists the supported characters that you can use in regular expressions.
|
Http-url
|
Indicates that this rule is to perform regular expression matching against the received packet data from a particular connection based on the HTTP URL string.
If you select this method:
1. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE appliance supports regular expressions for matching URL strings. Table 7-13 lists the supported characters that you can use in regular expressions.
2. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).
|
Source-address
|
Indicates that this rule is to use a client source IP address to establish match conditions.
If you select this method:
1. In the Source Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).
2. In the Netmask field, select the subnet mask to apply to the source IP address.
|
Class-map
|
Indicates that this rule is to use an existing class map to establish match conditions.
If you select this method, in the Classmap field, select the class map to be used.
This option is not available for inline match conditions.
|
Step 7
In the Primary Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:
•
Drop—Indicates that client requests for content are to be discarded when match conditions are met. Continue with Step 10.
•
Forward—Indicates that client requests for content are to be forwarded without performing load balancing on the requests when match conditions are met. Continue with Step 10.
•
Load Balance—Indicates that client requests for content are to be directed to a server farm when match conditions are met. Continue with Step 8.
Step 8
If you select Load Balance as the primary action, you can configure load balancing using a server farm, a server farm/backup server farm pair, an existing sticky group, or a new sticky group.
Note
If you select an existing object in any of these scenarios, you can view, modify, or duplicate the selected object's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects in virtual servers.
Configure load balancing using the information in Table 3-11.
Table 3-11 Virtual Server Load-Balancing Options
To configure...
|
Do this...
|
Load balancing using a server farm
|
In the Server Farm field, select the server farm to be used for load balancing for this virtual server, or select *New* to configure a new server farm (see Table 3-12).
|
Load balancing using a server farm/backup server farm pair
|
1. In the Server Farm field, select the primary server farm to use for load balancing, or select *New* to configure a new server farm (see Table 3-12).
2. In the Backup Server Farm field, select the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or select *New* to configure a new backup server farm (see Table 3-12).
|
Load balancing using an existing sticky group
|
1. In the Server Farm field, select the primary server farm to use for load balancing. This must be the primary server farm specified in the existing sticky group.
2. In the Backup Server Farm field, select the backup server farm to use for load balancing. This must be the backup server farm specified in the existing sticky group.
3. In the Sticky Group field, select the sticky group to use.
Note Sticky groups appear in the Sticky Group field only when their configured primary and backup server farms are selected, respectively. If you select a sticky group and then select a different primary or backup server farm, the sticky group that you selected in the Sticky Group field no longer appears. To change an existing sticky group configuration, modify it in the Stickiness configuration screen (Config > Virtual Contexts > context > Load Balancing > Stickiness).
|
Load balancing using a new sticky group
|
1. In the Server Farm field, select the primary server farm to use for load balancing, or select *New* to configure a new server farm (see Table 3-12).
2. In the Backup Server Farm field, select the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or select *New* to configure a new backup server farm (see Table 3-12).
3. In the Sticky Group field, select *New*, then configure a new sticky group using the information in Table 3-13.
Note The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE appliance resources to stickiness. See Managing Resource Classes, page 2-29 for more information on resource classes.
|
Table 3-12 New Server Farm Attributes
Field
|
Description
|
Name
|
Enter a unique name for this server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
|
Type
|
Select the type of server farm:
• Host—Indicates that this is a typical server farm that consists of real servers that provide content and services to clients.
• Redirect—Indicates that this server farm consists only of real servers that redirect client requests to alternate locations specified in the real server configuration.
|
Predictor
|
Specify the method for selecting the next server in the server farm to respond to client requests:
• Roundrobin—Indicates that server selection in the server farm is based on server weight.
• Leastconns—Indicates that server selection in the server farm is based on the number of connections; the server with the fewest connections is selected next.
If you select Leastconns, the Least Connections Slow Start field appears. In the Least Connections Slow Start field, enter the slow-start value to be applied. Valid entries are integers from 1 to 65535, where 1 is the slowest ramp-up time.
The slow-start mechanism is used to avoid sending a high number of new connections to servers that have just been put into service.
|
Probes
|
Specify the health monitoring probes to use:
• To include a probe that you want to use for health monitoring, select it in the Available Items list, then click Add. The probe appears in the Selected Items list.
• To remove a probe that you do not want to use for health monitoring, select it in the Selected Items list, then click Remove. The probe appears in the Available Items list.
• To specify a sequence for probe use, select probes in the Selected Items list, then click Up or Down until you have the desired sequence.
• Click Create to add a new probe. See Configuring Health Monitoring for Real Servers.
• Select a probe in the list on the right, then click View to review its configuration.
After you add a probe, you can modify the attributes for a health probe from the Health Monitoring table (Config > Virtual Contexts > context > Load Balancing > Health Monitoring) as described in Configuring Health Monitoring for Real Servers. You can also delete an existing health probe from the Health Monitoring table.
|
Real Servers
|
The Real Servers table allows you to add, modify, remove, or change the order of real servers.
1. Select an existing server, or click Add to add a server to the server farm:
– If you select an existing server, you can view, modify, or duplicate the server's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
– If you click Add, the table refreshes and allows you to enter server information.
2. In the IP Address field, enter the IP address of the real server in dotted-decimal format.
3. In the Name field, enter the name of the real server.
4. In the Port field, enter the port number to be used for server port address translation (PAT). Valid entries are integers from 1 to 65535.
5. In the Weight field, enter the weight to assign to this server in the server farm. Valid entries are integers from 1 to 100, and the default is 8.
6. In the State field, select the administrative state of this server:
– Inservice—The server is to be placed in use as a destination for server load balancing.
– Out of Service—The server is not to be placed in use by a server load balancer as a destination for client connections.
– Inservice Standby—The server is a backup server and is to remain inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.
7. Click:
– OK to accept your entries and add this real server to the server farm. The table refreshes with updated information.
– Cancel to exit this procedure without saving your entries and to return to the Real Servers table.
|
Table 3-13 Sticky Type Attributes
Field
|
Description
|
Group Name
|
Enter a unique identifier for the sticky type. You can either accept the automatically incremented entry given or you can enter your own. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
|
Sticky Type
|
Select the method to be used when establishing sticky connections:
• HTTP Cookie—Indicates that the virtual server is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction.
• HTTP Header—Indicates that the virtual server is to stick client connections to the same real server based on HTTP headers.
• IP Netmask—Indicates that the virtual server is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both.
Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.
|
Cookie Name
|
This option appears for sticky type HTTP Cookie.
Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
|
Enable Insert
|
This option appears for sticky type HTTP Cookie.
Select this check box if the virtual server is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie. When selected, the virtual server selects a cookie value that identifies the original server from which the client received a response. For subsequent connections of the same transaction, the client uses the cookie to stick to the same server.
Clear this check box to disable cookie insertion.
|
Offset
|
This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie.
|
Length
|
This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to 4000, and the default is 4000.
|
Secondary Name
|
This option appears for sticky type HTTP Cookie.
Enter an alternate cookie name that is to appear in the URL string of the Web page on the server. The virtual server uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
|
Header Name
|
This option appears for sticky type HTTP Header.
Select the HTTP header to use for sticking client connections.
|
Netmask
|
This field appears for sticky type IP Netmask.
Select the netmask to apply to the source IP address, destination IP address, or both.
|
Address Type
|
This field appears for sticky type IP Netmask.
Indicate whether this sticky type is to be applied to the client source IP address, the destination IP address, or both:
• Both—Indicates that this sticky type is to be applied to both the source IP address and the destination IP address.
• Source—Indicates that this sticky type is to be applied to the source IP address only.
• Destination—Indicates that this sticky type is to be applied to the destination IP address only.
|
Aggregate State
|
Select this check box to indicate that the state of the primary server farm is to be tied to the state of all real servers in the server farm and in the backup server farm, if configured. The ACE appliance declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.
Clear this check box if the state of the primary server farm is not to be tied to all real servers in the server farm and in the backup server farm.
|
Sticky Enabled
|
Select this check box to indicate that the backup server farm is sticky. Clear this check box if the backup server farm is not sticky.
|
Replicate
|
Select this check box to indicate that the virtual server is to replicate sticky table entries on the backup server farm. If a failover occurs and this option is selected, the new active server farm can maintain the existing sticky connections.
Clear this check box to indicate that the virtual server is not to replicate sticky table entries on the backup server farm.
|
Timeout
|
Enter the number of minutes that the virtual server keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are integers from 1 to 65535; the default is 1440 minutes (24 hours).
|
Timeout Active Connections
|
Select this check box to specify that the virtual server is to time out sticky table entries even if active connections exist after the sticky timer expires.
Clear this check box to specify that the virtual server is not to time out sticky table entries even if active connections exist after the sticky timer expires. This is the default behavior.
|
Step 9
Select the Enable Compression (Deflate Method) check box to indicate that the ACE appliance is to use the DEFLATE method to compress packets when a client request indicates that the client browser is capable of packet compression. The ACE appliance compresses the packets using the following default compression parameter values:
•
Mime type—All text formats (text/*).
•
Minimum size—512 bytes.
•
User agent—None.
Clear the Enable Compression (Deflate Method) check box to indicate that the ACE appliance is not to compress packets.
Step 10
In the SSL Initiation field, select an existing service, or select *New* to create a new service. SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL connection between itself and an SSL server. In this particular application, the ACE receives clear text from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client as clear text.
Note
The SSL Initiation field appears when TCP is the selected protocol and Other, HTTP, or HTTPS is the application protocol.
•
If you select an existing SSL service, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
•
If you select *New*, configure the service using the information in Table 3-14.
Table 3-14 Virtual Server SSL Initiation Attributes
Field | Description
Name | Enter a name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26 characters.
Key List | Select the SSL key pair to use during the SSL handshake for data encryption.
Certificate | Select the SSL certificate to use during the SSL handshake.
Chain Group | Select the chain group to use during the SSL handshake.
Parameter Map | Select the SSL parameter map to associate with this proxy server service.
For information about using SSL keys and certificates, see Configuring SSL, page 4-1.
Step 11
In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the format header_name=header_value where:
•
header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name provided that it does not exceed the maximum length limit.
•
header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 7-13 lists the supported characters that you can use in regular expressions.
For example, you might enter Host=www.cisco.com.
Step 12
Click:
•
OK to save your entries and to return to the Rule Match table.
•
Cancel to exit this procedure without saving your entries and to return to the Rule Match table.
Step 13
When you finish configuring virtual server properties, click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries.
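The cookie sticky settings of Table 3-13 (Offset, Length, Timeout), modelled as an added example that is not Cisco code: it shows which bytes of the cookie value become the sticky key and checks sample cookies for clients that would share one sticky table entry. The cookie values and real server names are constructed, the round-robin picker stands in for the configured predictor, and restarting the timer on every request is a simplification of the timeout rule.

```python
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class CookieStickyGroup:
    """Cookie sticky settings with the ranges and defaults of Table 3-13."""
    cookie_name: str
    offset: int = 0          # bytes ignored at the start of the cookie value
    length: int = 4000       # bytes used after the offset
    timeout_min: int = 1440  # minutes an entry is kept in the sticky table
    table: dict = field(default_factory=dict)  # key -> (server, expiry minute)

    def __post_init__(self):
        if " " in self.cookie_name or not 1 <= len(self.cookie_name) <= 64:
            raise ValueError("cookie name: no spaces, at most 64 characters")
        if not 0 <= self.offset <= 999:
            raise ValueError("offset must be 0 to 999")
        if not 1 <= self.length <= 4000:
            raise ValueError("length must be 1 to 4000")
        if not 1 <= self.timeout_min <= 65535:
            raise ValueError("timeout must be 1 to 65535 minutes")

    def sticky_key(self, cookie_header):
        """Return the slice of the cookie value used for sticking, or None."""
        for part in cookie_header.split(";"):
            name, sep, value = part.strip().partition("=")
            if sep and name == self.cookie_name:
                raw = value.encode()[self.offset:self.offset + self.length]
                return raw or None   # offset past the end leaves nothing to stick on
        return None

    def select(self, cookie_header, now_min, next_server):
        """Pick the real server for a request seen at minute now_min."""
        key = self.sticky_key(cookie_header)
        if key is None:
            return next_server()
        entry = self.table.get(key)
        if entry and entry[1] > now_min:
            server = entry[0]        # live entry: stay on the same server
        else:
            server = next_server()   # no entry, or the entry timed out
        # Simplification: the timer restarts on every request for the key.
        self.table[key] = (server, now_min + self.timeout_min)
        return server


def key_collisions(group, cookie_headers):
    """Return {sticky key: cookie headers} for keys shared by several clients."""
    seen = {}
    for header in cookie_headers:
        key = group.sticky_key(header)
        if key is not None:
            seen.setdefault(key, set()).add(header)
    return {k: v for k, v in seen.items() if len(v) > 1}


def round_robin(servers):
    """Stand-in predictor: hand out servers in turn."""
    it = cycle(servers)
    return lambda: next(it)


# Constructed Cookie headers: three clients whose session values share "app1-".
SAMPLE_COOKIES = [
    "lang=en; SESSIONID=app1-7f3a9c0e5d",
    "SESSIONID=app1-b21e04aa19; theme=dark",
    "SESSIONID=app1-55c0de7712",
]

if __name__ == "__main__":
    narrow = CookieStickyGroup("SESSIONID", offset=0, length=5)
    wide = CookieStickyGroup("SESSIONID", offset=5, length=32)
    print("length=5 collisions:", key_collisions(narrow, SAMPLE_COOKIES))
    print("offset=5 collisions:", key_collisions(wide, SAMPLE_COOKIES))
    pick = round_robin(["rs1", "rs2", "rs3"])   # hypothetical real servers
    for minute, header in [(0, SAMPLE_COOKIES[0]), (1, SAMPLE_COOKIES[1]),
                           (100, SAMPLE_COOKIES[0]), (1540, SAMPLE_COOKIES[0])]:
        print(minute, wide.select(header, minute, pick))
```

An Offset and Length pair that covers only a prefix common to every session value sticks all of those clients to one real server, so run the collision check on cookie values sampled from the application before deploying the sticky group.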
Related Topics
•
Configuring Virtual Servers
•
Configuring Virtual Server Properties
•
Configuring Virtual Server SSL Termination
•
Configuring Virtual Server Protocol Inspection
Configuring Virtual Server Default Layer 7 Load Balancing
Use this procedure to configure default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions.
Assumption
A virtual server has been configured. See Configuring Virtual Servers for information on configuring a virtual server.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server you want to configure for default Layer 7 load balancing, then click Edit. The Virtual Server configuration screen appears.
Step 3
Click Default L7 Load-Balancing Action. The Default L7 Load-Balancing Action configuration pane appears.
Step 4
In the Primary Action field, indicate the default action the virtual server is to take in response to client requests for content when specified match conditions are not met:
•
Drop—Indicates that client requests that do not meet specified match conditions are to be discarded. Continue with Step 6.
•
Forward—Indicates that client requests that do not meet specified match conditions are to be forwarded without performing load balancing on the requests. Continue with Step 6.
•
Load Balance—Indicates that client requests for content are to be directed to a server farm. If you select Load Balance, server farm, backup server farm, and sticky configuration options appear. Continue with Step 5.
Step 5
If you select Load Balance as the primary action, you can configure load balancing using a server farm, a server farm/backup server farm pair, an existing sticky group, or a new sticky group.
Note
If you select an existing object in any of these scenarios, you can view, modify, or duplicate the selected object's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects in virtual servers.
Configure load balancing using the information in Table 3-11.
Step 6
Select the Enable Compression (Deflate Method) check box to indicate that the ACE appliance is to use the DEFLATE compression method to compress packets when a client request indicates that the client browser is capable of packet compression. The ACE appliance compresses the packets using the following default compression parameter values:
•
Mime type—All text formats (text/*).
•
Minimum size—512 bytes.
•
User agent—None.
Clear the Enable Compression (Deflate Method) check box to indicate that the ACE appliance is not to compress packets.
Step 7
In the SSL Initiation field, select an existing service, or select *New* to create a new service. SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL connection between itself and an SSL server. In this particular application, the ACE receives clear text from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client as clear text.
Note
The SSL Initiation field appears when TCP is the selected protocol and Other, HTTP, or HTTPS is the application protocol.
•
If you select an existing SSL service, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
•
If you select *New*, configure the service using the information in Table 3-14.
For information about using SSL keys and certificates, see Configuring SSL, page 4-1.
Step 8
In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the format header_name=header_value where:
•
header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name provided that it does not exceed the maximum length limit.
•
header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 7-13 lists the supported characters that you can use in regular expressions.
For example, you might enter Host=www.cisco.com.
Step 9
When you finish configuring virtual server properties, click:
•
Deploy Now to deploy this configuration on the ACE appliance.
•
Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.
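The rule match conditions of Table 3-10, the Match Any and Match All settings, and the default Layer 7 action from the two procedures above, modelled as an added example (not Cisco code and not ACE configuration syntax) that lets you check which action a request would receive. Assumptions: rules are evaluated in order and the first match wins, Python `re` full-string matching stands in for the expression syntax of Table 7-13, and the rule names, server farm names and requests are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str          # path only, as Table 3-10 asks (e.g. /latest/whatsnew.html)
    src: str          # client source IP address
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def condition_matches(cond, req):
    """Evaluate one Table 3-10 condition against a request."""
    kind = cond["type"]
    if kind == "http-url":
        if re.fullmatch(cond["url"], req.url) is None:
            return False
        # The method, when given, is compared exactly.
        return "method" not in cond or req.method == cond["method"]
    if kind == "http-header":
        headers = {k.lower(): v for k, v in req.headers.items()}
        value = headers.get(cond["name"].lower())
        return value is not None and re.fullmatch(cond["value"], value) is not None
    if kind == "http-cookie":
        value = req.cookies.get(cond["name"])
        return value is not None and re.fullmatch(cond["value"], value) is not None
    if kind == "source-address":
        net = ipaddress.ip_network(f"{cond['address']}/{cond['netmask']}", strict=False)
        return ipaddress.ip_address(req.src) in net
    raise ValueError(f"unsupported condition type: {kind}")


def evaluate(rules, default_action, req):
    """Return (rule name, action) of the first matching rule, else the default."""
    for rule in rules:
        results = [condition_matches(c, req) for c in rule["conditions"]]
        combine = any if rule["match"] == "any" else all
        if results and combine(results):
            return rule["name"], rule["action"]
    return "default", default_action


def build_rules(admin_match):
    """Hypothetical rule set; admin_match is 'all' or 'any' for the first rule."""
    return [
        {"name": "admin-internal", "match": admin_match,
         "conditions": [
             {"type": "http-url", "url": r"/admin/.*"},
             {"type": "source-address", "address": "192.168.11.0",
              "netmask": "255.255.255.0"}],
         "action": ("load-balance", "sf-admin")},
        {"name": "admin-other", "match": "any",
         "conditions": [{"type": "http-url", "url": r"/admin/.*"}],
         "action": ("drop", None)},
        {"name": "beta-users", "match": "all",
         "conditions": [
             {"type": "http-cookie", "name": "channel", "value": "beta"},
             {"type": "http-header", "name": "Host", "value": r"www\.example\.com"}],
         "action": ("load-balance", "sf-beta")},
    ]


DEFAULT_ACTION = ("load-balance", "sf-web")   # default L7 action (hypothetical farm)

# Constructed requests.
REQUESTS = {
    "internal-admin": Request("GET", "/admin/users", "192.168.11.2"),
    "external-admin": Request("GET", "/admin/users", "203.0.113.9"),
    "internal-home": Request("GET", "/index.html", "192.168.11.2"),
    "beta": Request("GET", "/latest/whatsnew.html", "198.51.100.7",
                    headers={"Host": "www.example.com"}, cookies={"channel": "beta"}),
}


def audit(admin_match):
    """Return {request label: (rule, action)} for the sample requests."""
    rules = build_rules(admin_match)
    return {label: evaluate(rules, DEFAULT_ACTION, req)
            for label, req in REQUESTS.items()}


if __name__ == "__main__":
    for mode in ("all", "any"):
        print(f"admin-internal uses Match {mode.capitalize()}:")
        for label, (rule, action) in audit(mode).items():
            print(f"  {label:15} -> {rule:15} {action}")
```

With Match Any on the first rule, either condition alone is enough, so the external request to /admin/ reaches the admin server farm instead of being dropped; Match All is the setting that requires both the URL and the source address.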
Related Topics
•
Configuring Virtual Server Properties
•
Configuring Virtual Server SSL Termination
•
Configuring Virtual Server Protocol Inspection
•
Configuring Virtual Server Layer 7 Load Balancing
Configuring Application Acceleration and Optimization
The ACE appliance includes configuration options that allow you to accelerate enterprise applications, resulting in increased employee productivity, enhanced customer retention, and increased online revenues. The application acceleration functions of the ACE appliance apply several optimization technologies to accelerate Web application performance. The application acceleration functionality in the ACE appliance enables enterprises to optimize network performance and improve access to critical business information. This capability accelerates the performance of Web applications, including customer relationship management (CRM), portals, and online collaboration by up to 10 times.
Refer to Configuring Application Acceleration and Optimization, page 8-1 or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization.
Use this procedure to configure acceleration and optimization on virtual servers.
Assumption
A virtual server has been configured. See Configuring Virtual Servers for information on configuring a virtual server.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server you want to configure for optimization, then click Edit. The Virtual Server configuration screen appears.
Step 3
Click Application Acceleration and Optimization. The Application Acceleration and Optimization configuration pane appears.
Step 4
In the Configuration field, indicate the method you want to use to configure application acceleration and optimization:
•
EZ—Indicates that you want to use standard acceleration and optimization options. Continue with Step 5.
•
Custom—Indicates that you want to associate specific match criteria, actions, and parameter maps for application acceleration and optimization for this virtual server. If you choose this option, continue with Step 6.
Step 5
If you select EZ, the Latency Optimization (FlashForward) and Bandwidth Optimization (Delta) fields appear.
a.
Select the Latency Optimization (FlashForward) check box to indicate that the ACE appliance is to apply bandwidth reduction and download acceleration techniques to objects embedded within HTML pages. Clear this check box to indicate that the ACE appliance is not to apply these techniques to objects embedded within HTML pages. Latency optimization corresponds to FlashForward functionality. For more information about FlashForward functionality, see Optimization Overview, page 8-2.
b.
Select the Bandwidth Optimization (Delta) check box to indicate that the ACE appliance is to dynamically update client browser caches with content differences, or deltas. Clear this check box to indicate that the ACE appliance is not to dynamically update client browser caches. Bandwidth optimization corresponds to action list Delta optimization. For more information about Delta optimization, see Optimization Overview, page 8-2 and Configuring Action Lists, page 8-3.
c.
Continue with Step 11.
Step 6
If you select Custom, the Actions configuration pane appears with a table listing match criteria and actions. Click Add to add an entry to this table, or select an existing entry, then click Edit to modify it. The configuration subset refreshes with the available configuration options.
Step 7
In the Apply Template field, select one of the configuration templates for the type of optimization you want to configure, or leave blank to configure optimization without a template:
•
Bandwidth Optimization—Maximizes bandwidth for Web-based traffic.
•
Latency Optimization for Embedded Objects—Reduces the latency associated with embedded objects in Web-based traffic.
•
Latency Optimization for Embedded Images—Reduces the latency associated with embedded images in Web-based traffic.
•
Latency Optimization for Containers—Reduces the latency associated with Web containers.
If you do not select a template and select *New* in the Rule Match and Actions fields, you are creating your own optimization rules and actions.
Step 8
In the Rule Match field, select an existing class map or click *New* to specify new match criteria:
•
If you select an existing class map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
•
If you click *New*, the screen refreshes with the default configuration settings for the template you selected. You can accept the default settings or modify them using the information in Table 3-15.
Table 3-15 Optimization Rule Match Configuration Options
Field
|
Description
|
Name
|
Enter a unique name for this match criteria rule.
|
Match
|
Select the method to be used to evaluate multiple match statements when multiple match conditions exist:
• Match Any—A match exists if at least one of the match conditions is satisfied.
• Match All—A match exists only if all match conditions are satisfied.
|
Conditions
|
Click Add to add a new set of conditions or select an existing entry, then click Edit to modify it:
1. In the Type field, select the match condition to be used, then configure any condition-specific options using the information in Table 3-10.
2. Click OK to save your entries, or Cancel to exit this procedure without saving your entries.
|
Step 9
In the Actions field, select an existing action list to use for optimization or click *New* to create a new action list.
•
If you select an existing action list, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.
•
If you click *New*, the screen refreshes with the default configuration settings for the template you selected. You can accept the default settings or modify them using the information in Table 3-16.
Table 3-16 Optimization Action List Configuration Options
Field | Description
Action List Name | Enter a unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.
Enable Delta | Delta optimization dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads.
Select this check box to enable delta optimization for the specified URLs.
Clear this check box to disable delta optimization for the specified URLs.
Enable AppScope | AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and measures end-to-end application performance.
Select this check box to enable AppScope performance monitoring for use with the ACE appliance. Clear this check box to disable AppScope performance monitoring for use with the ACE appliance.
FlashForward | The FlashForward feature reduces bandwidth usage and accelerates embedded object downloading by combining local object storage with dynamic renaming of embedded objects, thereby enforcing object freshness within the parent HTML page.
Specify how the ACE appliance is to implement FlashForward:
• N/A—Indicates that this feature is not enabled.
• FlashForward—Indicates that FlashForward is to be enabled for the specified URLs and that embedded objects are to be transformed.
• FlashForward Object—Indicates that FlashForward static caching is to be enabled for the objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files.
Cache Dynamic | Select this check box to enable Adaptive Dynamic Caching for the specified URLs even if the expiration settings in the response indicate that the content is dynamic. The expiration of cache objects is controlled by the cache expiration settings based on time or server load.
Clear this check box to disable this feature.
Cache Forward | Select this check box to enable the cache forward feature for the corresponding URLs. Cache forward allows the ACE to serve the object from its cache (static or dynamic) even when the object has expired if the maximum cache TTL time period has not yet expired (set by specifying the Cache Time-to-Live Duration (%): field in an Optimization parameter map). At the same time, the ACE sends an asynchronous request to the origin server to refresh its cache of the object.
Clear this check box to disable this feature.
Dynamic Etag | This feature enables the acceleration of noncacheable embedded objects, which results in improved application response time. When enabled, this feature eliminates the need for users to download noncacheable objects on each request.
Select this check box to indicate that the ACE appliance is to implement just-in-time object acceleration for noncacheable embedded objects.
Clear this check box to disable this feature.
Fine Tune Optimization Parameters | Click this header to configure additional optimization attributes. When expanded, the configuration pane displays options specific to the type of optimization you are configuring and features that you enable.
Refer to Table 3-43 for information about specific options that appear.
Step 10
When you finish configuring match criteria and actions, click:
• OK to save your entries and to return to the Rule Match and Actions table.
• Cancel to exit this procedure without saving your entries and to return to the Rule Match and Actions table.
Step 11
When you finish configuring virtual server properties, click:
• Deploy Now to save your entries. The ACE appliance validates the action list configuration and deploys it on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.
Related Topics
• Configuring Virtual Server Properties
• Optimization Traffic Policies and Typical Configuration Flow, page 8-2
• Configuring Traffic Policies for HTTP Optimization, page 8-6
• Configuring Virtual Server Protocol Inspection
• Configuring Virtual Server Layer 7 Load Balancing
• Configuring Virtual Server Default Layer 7 Load Balancing
Configuring Virtual Server NAT
Use this procedure to configure Network Address Translation (NAT) for virtual servers.
Assumptions
• A virtual server has been configured. See Configuring Virtual Servers for information on configuring a virtual server.
• A VLAN has been configured. See Configuring Virtual Context VLAN Interfaces, page 5-1 for information on configuring a VLAN interface.
• At least one NAT pool has been configured on a VLAN interface. See Configuring VLAN Interface NAT Pools, page 5-9 for information on configuring a NAT pool.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server you want to configure for NAT, then click Edit. The Virtual Server configuration screen appears.
Step 3
Click NAT. The NAT table appears.
Step 4
Click Add to add an entry, or select an existing entry, then click Edit to modify it.
Step 5
In the VLAN field, select the VLAN you want to use NAT. For more information about NAT, see Configuring VLAN Interface NAT Pools, page 5-9.
Step 6
In the NAT Pool ID field, select the NAT pool that you want to associate with the selected VLAN.
Step 7
Click:
• OK to save your entries and to return to the NAT table. The NAT table refreshes with the new entry.
• Cancel to exit the procedure without saving your entries and to return to the NAT table.
Step 8
When you finish configuring virtual server properties, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.
Related Topics
• Configuring Virtual Servers
• Configuring Virtual Server Properties
• Configuring Virtual Server SSL Termination
• Configuring Virtual Server Protocol Inspection
• Configuring Virtual Server Layer 7 Load Balancing
• Configuring Virtual Server Default Layer 7 Load Balancing
Managing Virtual Servers
After you have created a virtual server, the following options are available:
Viewing Virtual Servers by Context
Use this procedure to view all virtual servers associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the context associated with the virtual servers you want to view, then select Load Balancing > Virtual Servers. The Virtual Servers table appears with the following information:
• Virtual server name
• Configured state, such as Inservice
• IP address
• Port
• Associated VLANs
• Associated server farms
Related Topics
• Configuring Virtual Servers
• Managing Virtual Servers
Activating Virtual Servers
Use this procedure to activate a virtual server.
Procedure
Step 1
Select Config > Operations > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the server that you want to activate, then click Activate. The server is activated and the screen refreshes with updated information in the Configured State column.
Related Topics
• Managing Virtual Servers
• Viewing All Virtual Servers
• Suspending Virtual Servers
Suspending Virtual Servers
Use this procedure to suspend a virtual server.
Procedure
Step 1
Select Config > Operations > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the server that you want to suspend, then click Suspend. The server is taken out of service and the screen refreshes with updated information in the Configured State column.
Related Topics
• Managing Virtual Servers
• Viewing All Virtual Servers
• Activating Virtual Servers
Viewing Detailed Virtual Server Information
Use this procedure to view detailed information about the state of a virtual server.
Procedure
Step 1
Select Config > Operations > Virtual Servers. The Virtual Servers table appears.
Step 2
Select the virtual server whose configuration details you want to view, then click Details. The Details window appears with the following information:
• Current operational status
• Description, if one was entered
• Configured interfaces, such as VLANs
• Configured service policies including:
– Configured class maps, detailed by type (such as load balancing or inspection)
– States of configured options, indicated by word (ACTIVE, DISABLED, OUTOFSERVICE) and color (green, orange/yellow, and red)
– Associated policy maps with details on their type and action (L7 loadbalance, serverfarm)
– Statistics regarding connections and counts
Related Topics
• Configuring Virtual Servers
• Managing Virtual Servers
Viewing All Virtual Servers
To view all virtual servers, select Config > Operations > Virtual Servers. The Virtual Servers table appears with the following information for each server:
• Server name, grouped by virtual context
• Configured state
• IP address
• Port
• VLANs
• Server farms
• Virtual context
You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server.
Related Topics
• Activating Virtual Servers
• Suspending Virtual Servers
• Viewing Detailed Virtual Server Information
Configuring Load Balancing with Real Servers
Real servers are dedicated physical servers that are typically configured in groups called server farms. These servers provide services to clients, such as HTTP or XML content, streaming media (video or audio), TFTP or FTP services, and so on. When configuring real servers, you assign names to them and specify IP addresses, connection limits, and weight values.
The ACE appliance uses traffic classification maps (class maps) within policy maps to filter specified traffic and to apply specific actions to that traffic based on the load-balancing configuration. A load-balancing predictor algorithm (round-robin or least connections) determines the servers to which the ACE appliance sends connection requests. For information about configuring class maps, see Configuring Virtual Context Class Maps, page 7-12.
Use this procedure to configure load balancing on real servers.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Real Servers. The Real Servers table appears.
Step 2
Click Add to add a new real server, or select a real server you want to modify, then click Edit. The Real Servers configuration screen appears.
Step 3
Configure the server using the information in Table 3-17.
Table 3-17 Real Server Attributes
Field | Description
Name | Either accept the automatically incremented value in this field, or enter a unique name for this server. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Type | Select the type of server:
• Host—Indicates that this is a typical real server that provides content and services to clients.
• Redirect—Indicates that this server is used to redirect traffic to a new location.
Description | Enter a brief description for this real server. Valid entries are unquoted alphanumeric text strings with no spaces and a maximum of 240 characters.
IP Address | This field appears only for real servers specified as hosts.
Enter a unique IP address in dotted-decimal format (such as 192.168.11.1). The IP address cannot be an existing virtual IP address (VIP).
Max Connections | Enter the maximum number of active connections allowed on this server. When the number of connections exceeds this value, the ACE appliance stops sending connections to this server until the number of connections falls below the Min Connections value. Valid entries are integers from 1 to 4000000, and the default is 4000000.
Min Connections | Enter the minimum number of connections to be allowed on this server before the ACE appliance starts sending connections again after it has exceeded the Max Connections limit. This value must be less than or equal to the Max Connections value. By default, this value is equal to the Max Connections value. Valid entries are integers from 1 to 4000000.
Weight | This field appears only for real servers identified as hosts.
Enter the weight to be assigned to this real server in a server farm. Valid entries are integers from 1 to 100, and the default is 8.
State | Select the state of this real server:
• In Service—Indicates that this real server is in service.
• Out of Service—Indicates that this real server is out of service.
Probes | This field appears only for real servers identified as hosts.
In the Probes field, select the probes that are to be used for health monitoring in the list on the left, then click Add. The selected probes appear in the list on the right.
To remove probes that you do not want to use for health monitoring, select them in the list on the right, then click Remove. The selected probes appear in the list on the left.
Webhost Redirection | This field appears only for real servers identified as redirect servers.
Enter the URL and port used to redirect requests to another server.
Valid entries are in the form http://host.com:port where host is the name of the server and port is the port to be used.
Valid host entries are unquoted text strings with no spaces and a maximum of 255 characters.
Valid port numbers are from 1 to 65535.
Redirection Code | This field appears only for real servers identified as redirect servers.
Select the appropriate redirection code:
• N/A—Indicates that the webhost redirection code is not defined.
• 301—Indicates that the requested resource has been moved permanently. For future references to this resource, the client should use one of the returned URIs.
• 302—Indicates that the requested resource has been found, but has been moved temporarily to another location. For future references to this resource, the client should use the request URI because the resource may be moved to other locations from time to time.
Step 4
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Real Servers table.
• Next to save your entries and to configure another real server.
Related Topics
• Configuring Health Monitoring for Real Servers
• Configuring Server Farm Load Balancing
• Configuring Load Balancing Using Sticky Groups
Configuring Server Farm Load Balancing
Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors. If one server goes down, another server can take its place and continue to provide the same content to the clients who requested it.
Use this procedure to configure load balancing on server farms.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms table appears.
Step 2
Click Add to add a new server farm, or select an existing server farm, then click Edit. The Server Farms configuration screen appears.
Step 3
Enter the server farm attributes (see Table 3-18).
Table 3-18 Server Farm Attributes
Field | Description
Name | Either accept the automatically incremented value in this field, or enter a unique name for this server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Type | Select the type of server farm:
• Host—Indicates that this is a typical server farm that consists of real servers that provide content and services to clients.
• Redirect—Indicates that this server farm consists only of real servers that redirect client requests to alternate locations specified in the real server configuration. (See Configuring Load Balancing with Real Servers.)
Description | Enter a brief description for this server farm. Valid entries are unquoted alphanumeric text strings with no spaces and a maximum of 240 characters.
Fail Action | Select the action the ACE appliance is to take with respect to connections if any real server in the server farm fails:
• N/A—Indicates that the ACE appliance is to take no action if any server in the server farm fails.
• Purge—Indicates that the ACE appliance is to remove connections to a real server if that real server in the server farm fails. The ACE appliance sends a reset command to both the client and the server that failed.
Transparent | This field appears only for real servers identified as host servers.
Specify whether network address translation from VIP address to server IP is to occur:
• N/A—Indicates that the default value is to be used; the default value is False.
• False—Indicates that network address translation from VIP address to server IP address is not to occur.
• True—Indicates that network address translation from VIP address to server IP address is to occur.
Probes | This field appears only for real servers identified as host servers.
In the Probes field, select the probes that are to be used for health monitoring in the list on the left, then click Add. The selected probes appear in the list on the right.
To remove probes that you do not want to use for health monitoring, select them in the list on the right, then click Remove. The selected probes appear in the list on the left.
Step 4
Click:
• Deploy Now to deploy this configuration on the ACE appliance. To add real servers to the farm and to configure server farm attributes, see:
– Adding Real Servers to a Server Farm
– Configuring the Predictor Method for Server Farms
– Configuring Server Farm HTTP Return Error-Code Checking
• Cancel to exit the procedure without saving your entries and to return to the Server Farms table.
• Next to save your entries and to configure another server farm.
Related Topics
• Configuring Health Monitoring for Real Servers
• Configuring Load Balancing with Real Servers
• Configuring Load Balancing Using Sticky Groups
• Configuring the Predictor Method for Server Farms
• Configuring Server Farm HTTP Return Error-Code Checking
Adding Real Servers to a Server Farm
After adding a server farm (see Configuring Server Farm Load Balancing), you can associate real servers with it and configure predictors and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.
Note
If you do not see these tabs beneath the Server Farms table, click Show Tabs just below the table name. If you still do not see tabs, it is either because there are no entries in the table or because no entries are selected.
When creating or editing a server farm, if the real server to be added has the same name as an existing global real server but contains a different IP address (or no IP address), the Device Manager displays the following error message:
IP address of pre-existing real sever cannot be changed: "<rs-name>" (ip-addr>).
If this error message appears, ensure that you specify an existing real server with the matching IP address.
Use this procedure to add real servers to a server farm.
Assumptions
• A server farm has been added to the ACE Appliance Device Manager. (See Configuring Server Farm Load Balancing.)
• At least one real server exists.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms table appears.
Step 2
Select the server farm you want to associate with real servers, then select the Real Servers tab. The Real Servers table appears. If you do not see tabs beneath the Server Farms table, click Show Tabs just below the table name.
Step 3
Click Add to add a new entry to the Real Servers table, or select an existing server, then click Edit to modify it. The Real Servers configuration screen appears.
Step 4
Configure the real server using the information in Table 3-19.
Table 3-19 Real Server Configuration Attributes
Field | Description
Name | Select the server that you want to associate with the server farm.
Port | Enter the port number to be used for server port address translation (PAT). Valid entries are integers from 1 to 65535.
Backup Server Name | Select the server that is to act as the backup server for the server farm. Leave this field blank to indicate that there is no designated backup server for the server farm.
Backup Server Port | If you select a backup server, enter the backup server port number. Valid entries are integers from 0 to 65535.
Max Connections | Enter the maximum number of active connections that can be sent to the server. When the number of connections exceeds this number, the ACE appliance stops sending connections to the server until the number of connections falls below the number specified in the Min Connections field. Valid entries are integers from 1 to 4000000. The default is 4000000.
Min Connections | Enter the threshold that the number of active connections must fall below before the ACE appliance resumes sending connections to the server after the server has exceeded the number in the Max Connections field. The number in this field must be less than or equal to the number in the Max Connections field. Valid entries are integers from 1 to 4000000. The default value is 4000000.
Weight | Enter the weight to assign to the server. Valid entries are integers from 1 to 100, and the default is 8.
State | Select the state of this server:
• In Service—Indicates that this server is in service.
• Out of Service—Indicates that this server is out of service.
• In Service Standby—Indicates that this server is a backup server and is to remain inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.
Probes | Select the probes in the list on the left that you want to apply to this server, then click Add. The selected probes appear in the list on the right. To remove probes you do not want to apply to this server, select the probes in the list on the right, then click Remove.
Step 5
When you finish configuring this server for this server farm, click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Real Servers table.
• Next to save your entries and to add another real server for this server farm.
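The Max Connections and Min Connections fields in Table 3-17 and Table 3-19 together form a hysteresis gate that protects a real server from connection exhaustion. The following Python model is an added illustration, not Cisco code or the appliance's implementation: the class and function names are hypothetical, and it assumes the gate closes when the active count reaches Max Connections and reopens when the count falls below Min Connections.

```python
from dataclasses import dataclass
from typing import List, Optional

CONN_LIMIT = 4_000_000  # upper bound and default stated in the attribute tables


@dataclass
class RealServerLimits:
    """Connection limits and weight for one real server (hypothetical helper)."""
    max_conns: int = CONN_LIMIT
    min_conns: Optional[int] = None  # None: follow Max Connections (Table 3-17 default)
    weight: int = 8

    def __post_init__(self) -> None:
        if self.min_conns is None:
            self.min_conns = self.max_conns
        if not 1 <= self.max_conns <= CONN_LIMIT:
            raise ValueError("Max Connections must be an integer from 1 to 4000000")
        if not 1 <= self.min_conns <= self.max_conns:
            raise ValueError("Min Connections must be from 1 to Max Connections")
        if not 1 <= self.weight <= 100:
            raise ValueError("Weight must be an integer from 1 to 100")


class ConnectionGate:
    """Tracks active connections and whether new ones may be sent to the server."""

    def __init__(self, limits: RealServerLimits) -> None:
        self.limits = limits
        self.active = 0
        self.accepting = True

    def offer(self) -> bool:
        """A new connection arrives; return True if it is sent to this server."""
        if not self.accepting:
            return False
        self.active += 1
        # Assumption: the gate closes once the configured maximum is reached.
        if self.active >= self.limits.max_conns:
            self.accepting = False
        return True

    def close(self) -> None:
        """One established connection ends."""
        if self.active == 0:
            raise ValueError("no active connection to close")
        self.active -= 1
        # The gate reopens only after the count falls below Min Connections.
        if not self.accepting and self.active < self.limits.min_conns:
            self.accepting = True


def replay(limits: RealServerLimits, events: str) -> List[str]:
    """Replay 'o' (offer a connection) and 'c' (close one) against a fresh gate.

    Offers yield 'sent' or 'held'; closes yield the gate state, 'open' or 'shut'.
    """
    gate = ConnectionGate(limits)
    outcome = []
    for event in events:
        if event == "o":
            outcome.append("sent" if gate.offer() else "held")
        elif event == "c":
            gate.close()
            outcome.append("open" if gate.accepting else "shut")
        else:
            raise ValueError(f"unknown event {event!r}")
    return outcome


if __name__ == "__main__":
    # Constructed scenario: small limits so the behaviour is visible.
    print(replay(RealServerLimits(max_conns=5, min_conns=3), "ooooooccco"))
    print(replay(RealServerLimits(max_conns=5), "ooooooco"))
```

With Min Connections left equal to Max Connections, the gate reopens as soon as a single connection closes; a lower Min Connections value gives a saturated server time to drain before it receives new connections.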
Related Topics
• Configuring Health Monitoring for Real Servers
• Configuring Load Balancing with Real Servers
• Configuring Load Balancing Using Sticky Groups
• Configuring the Predictor Method for Server Farms
• Configuring Server Farm HTTP Return Error-Code Checking
Viewing All Server Farms
Use this procedure to view all server farms associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context with the server farms you want to view, then click Load Balancing > Server Farms. The Server Farms table appears with the following information:
• Server farm name
• Server farm type (either host or redirect)
• Description
Depending on the server farms selected, additional tables appear below the Server Farms table. These tables include:
• Real Servers—This table identifies the real servers associated with the selected server farm.
• Predictor—This configuration screen displays the selected predictor method for the selected server farm.
• Retcode Map—This table displays the HTTP return error-code checking that has been configured for the selected server farm.
Related Topics
• Configuring Server Farm Load Balancing
• Adding Real Servers to a Server Farm
• Configuring the Predictor Method for Server Farms
• Configuring Server Farm HTTP Return Error-Code Checking
Configuring the Predictor Method for Server Farms
After adding a server farm (see Configuring Server Farm Load Balancing), you can associate real servers with it and configure the predictor method and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.
If you do not see these tabs beneath the Server Farms table, click Show Tabs just below the table name. If you still do not see tabs, it is either because there are no entries in the table or because no entries are selected.
Use this procedure to configure the predictor method for a server farm. The predictor method specifies how the ACE appliance is to select a server in the server farm when it receives a client request for a service.
Note
You can configure only one predictor method per server farm.
Assumptions
• A server farm has been added to the ACE Appliance Device Manager. (See Configuring Server Farm Load Balancing.)
• At least one real server exists.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms table appears.
Step 2
Select the server farm you want to configure the predictor method for, then select the Predictor tab. The Predictor configuration screen appears. If you do not see tabs beneath the Server Farms table, click Show Tabs just below the table name.
Step 3
In the Type field, select the method that the ACE appliance is to use to select a server in this server farm when it receives a client request. Table 3-20 lists the available options and describes them.
Step 4
Enter the required information for the selected predictor method. See Table 3-20.
Table 3-20 Predictor Method Attributes
Predictor Method | Description / Action
None | Indicates that a predictor method is not specified for the server farm.
Continue with Step 5.
Roundrobin | Indicates that the ACE appliance is to select the next server in the list of servers based on server weight. This is the default predictor method.
Continue with Step 5.
Leastconns | Indicates that the ACE appliance is to select the server with the fewest number of connections.
In the Slowstart Duration field, enter the slow-start value to be applied to this predictor method. Valid entries are integers from 1 to 65535, where 1 is the slowest ramp-up value.
The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you have just put into service.
Hash_url | Indicates that the ACE appliance is to select the server using a hash value based on the URL. Use this method to load balance firewalls.
Enter values in one or both of the pattern fields:
• In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to parse.
• In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse.
Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters for each pattern you configure.
Hash_address | Indicates that the ACE appliance is to select the server using a hash value based on the source or destination IP address.
To configure the hash address predictor method:
1. In the Mask Type field, indicate whether server selection is based on source IP address or the destination IP address:
– N/A—Indicates that this option is not defined.
– Source—Indicates that the server is selected based on the source IP address.
– Destination—Indicates that the server is selected based on the destination IP address.
2. In the IP Netmask field, select the subnet mask to apply to the address. If none is specified, the default is 255.255.255.255.
Hash_cookie | Indicates that the ACE appliance is to select the server by using a hash value based on the cookie name.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and a maximum of 64 characters.
Hash_header | Indicates that the ACE appliance is to select the server by using a hash value based on the header name.
In the Header Name field, select the HTTP header to be used for server selection:
• To specify an HTTP header that is not one of the standard HTTP headers, select the first radio button and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
• To specify one of the standard HTTP headers, select the second radio button, then select one of the HTTP headers from the list.
Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Predictor table.
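To compare how the Roundrobin, Leastconns, and Hash_address predictors in Table 3-20 distribute clients, the following Python sketch is added here as an illustration; it is not Cisco code and does not reproduce the appliance's internal algorithms. Assumptions: the smooth weighted round-robin scheme and the SHA-256 hash are stand-ins, and the server names and addresses are constructed sample data.

```python
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed sample data (documentation address ranges, hypothetical names).
SERVERS = ["rs1", "rs2", "rs3"]
VIP = "192.0.2.10"
CLIENTS = [f"198.51.100.{host}" for host in range(256)]


def weighted_round_robin(weights: Dict[str, int], picks: int) -> List[str]:
    """Roundrobin: servers are chosen in turn, in proportion to their weight.

    Uses the smooth weighted round-robin scheme (an assumed stand-in).
    """
    current = {name: 0 for name in weights}
    total = sum(weights.values())
    order = []
    for _ in range(picks):
        for name, weight in weights.items():
            current[name] += weight
        chosen = max(current, key=current.get)  # first server wins a tie
        current[chosen] -= total
        order.append(chosen)
    return order


def least_connections(active: Dict[str, int]) -> str:
    """Leastconns: choose the server with the fewest active connections."""
    return min(active, key=active.get)


def hash_address(servers: List[str], src: str, dst: str,
                 mask_type: str = "source",
                 netmask: str = "255.255.255.255") -> str:
    """Hash_address: mask the chosen address, hash it, and index the server list."""
    if mask_type not in ("source", "destination"):
        raise ValueError("mask_type must be 'source' or 'destination'")
    address = ipaddress.IPv4Address(src if mask_type == "source" else dst)
    masked = int(address) & int(ipaddress.IPv4Address(netmask))
    digest = hashlib.sha256(masked.to_bytes(4, "big")).digest()  # stand-in hash
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def spread(netmask: str, mask_type: str = "source") -> Counter:
    """Count how many of the sample clients each server receives."""
    return Counter(
        hash_address(SERVERS, client, VIP, mask_type, netmask) for client in CLIENTS
    )


if __name__ == "__main__":
    print("roundrobin 3:1 :", weighted_round_robin({"rs1": 3, "rs2": 1}, 8))
    print("leastconns     :", least_connections({"rs1": 12, "rs2": 4, "rs3": 9}))
    print("hash /32 source:", dict(spread("255.255.255.255")))
    print("hash /24 source:", dict(spread("255.255.255.0")))
```

A wide netmask sends every client in the masked subnet to the same real server regardless of that server's current load, so the Max Connections limit on each real server is what bounds the resulting concentration.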
Related Topics
• Configuring Health Monitoring for Real Servers
• Configuring Load Balancing with Real Servers
• Configuring Load Balancing Using Sticky Groups
• Adding Real Servers to a Server Farm
• Configuring Server Farm HTTP Return Error-Code Checking
Configuring Server Farm HTTP Return Error-Code Checking
After adding a server farm (see Configuring Server Farm Load Balancing), you can associate real servers with it and configure the predictor method and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.
Use this procedure to configure HTTP return error-code checking (retcode map) for a server farm.
Note
This feature is available only for server farms configured as hosts. It is not available for server farms configured with the type Redirect.
Assumption
A host type server farm has been added to the ACE Appliance Device Manager. (See Configuring Server Farm Load Balancing.)
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms table appears.
Step 2
Select the server farm you want to configure return error-code checking for, then select the Retcode Map tab. The Retcode Map table appears. If you do not see tabs beneath the Server Farms table, click Show Tabs just below the table name.
Step 3
Click Add to add a new entry to the table. The Retcode Map configuration screen appears.
Note
You cannot modify an entry in the Retcode Map table. Instead, delete the existing entry, then add a new one.
Step 4
In the Lowest Retcode field, enter the minimum value for an HTTP return error code. Valid entries are integers from 100 to 599. This number must be less than or equal to the number in the Highest Retcode field.
Step 5
In the Highest Retcode field, enter the maximum number for an HTTP return error code. Valid entries are integers from 100 to 599. This number must be greater than or equal to the number in the Lowest Retcode field.
Step 6
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Retcode Map table.
• Next to save your entries and to add another retcode map.
Related Topics
• Using Virtual Contexts, page 2-1
• Configuring Virtual Context Class Maps, page 7-12
• Configuring Virtual Context Policy Maps, page 7-27
• Configuring Load Balancing with Real Servers
• Configuring Load Balancing Using Sticky Groups
Health Monitoring
You can instruct the ACE appliance to check the health of servers and server farms by configuring health probes (sometimes referred to as keepalives). After you create a probe, you assign it to a real server or a server farm. A probe can be one of many types, including TCP, ICMP, Telnet, HTTP, and so on. You can also configure scripted probes using the TCL scripting language (see TCL Scripts).
The ACE appliance sends out probes periodically to determine the status of a server, verifies the server response, and checks for other network problems that may prevent a client from reaching a server. Based on the server response, the ACE appliance can place the server in or out of service, and, based on the status of the servers in the server farm, can make reliable load-balancing decisions.
Health monitoring on the ACE appliance tracks the state of a server by sending out probes. Also referred to as out-of-band health monitoring, the ACE appliance verifies the server response or checks for any network problems that can prevent a client to reach a server. Based on the server response, the ACE appliance can place the server in or out of service, and can make reliable load balancing decisions.
The ACE appliance identifies the health of a server in the following categories:
•
Passed—The server returns a valid response.
•
Failed—The server fails to provide a valid response to the ACE appliance is unable to reach a server for a specified number of retries.
By configuring the ACE appliance for health monitoring, the ACE appliance sends active probes periodically to determine the server state.
The ACE appliance supports 4000 unique probe configurations, which include ICMP, TCP, HTTP, and other predefined health probes. The ACE appliance also allows the opening of 1000 sockets simultaneously.
Related Topics
• Configuring Health Monitoring for Real Servers
• TCL Scripts
TCL Scripts
The ACE appliance supports several specific types of health probes (for example HTTP, TCP, or ICMP health probes) when you need to use a diverse set of applications and health probes to administer your network. The basic health probe types supported in the current ACE appliance software release may not support the specific probing behavior that your network requires. To support a more flexible health-probing functionality, the ACE appliance allows you to upload and execute TCL scripts on the ACE appliance.
The TCL interpreter code in the ACE appliance is based on Release 8.44 of the standard TCL distribution. You can create a script to configure health probes. Script probes operate similarly to the other health probes available in the ACE appliance software. As part of a script probe, the ACE appliance executes the script periodically, and the exit code that is returned by the executing script indicates the relative health and availability of specific real servers. For information on health probes, see Configuring Health Monitoring for Real Servers.
For your convenience, the following sample scripts for the ACE appliance are available to support the TCL feature and are supported by Cisco TAC:
• CHECKPORT_STD_SCRIPT
• ECHO_PROBE_SCRIPT
• FINGER_PROBE_SCRIPT
• FTP_PROBE_SCRIPT
• HTTP_PROBE_SCRIPT
• HTTPCONTENT_PROBE
• HTTPHEADER_PROBE
• HTTPPROXY_PROBE
• IMAP_PROBE
• LDAP_PROBE
• MAIL_PROBE
• POP3_PROBE
• PROBENOTICE_PROBE
• RTSP_PROBE
• SSL_PROBE_SCRIPT
• TFTP_PROBE
The ace_scripts.tgz zip file contains these scripts and is located at the URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-intellother
To load a script into memory on the ACE appliance and enable it for use, use the script file command. For detailed information on uploading and executing Toolkit Command Language (TCL) scripts on the ACE appliance, refer to the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
Configuring Health Monitoring for Real Servers
To check the health and availability of a real server, the ACE appliance periodically sends a probe to the real server. Depending on the server response, the ACE appliance determines whether to include the server in its load-balancing decision.
Use this procedure to establish monitoring of real servers to determine their viability in load-balancing decisions.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.
Step 2
Click Add to add a new health monitoring probe, or select an existing entry, then click Edit to modify it. The Health Monitoring screen appears.
Step 3
In the Name field, enter a name that identifies the probe and that associates the probe with the real server. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Step 4
In the Type field, select the type of probe you want to use. The probe type determines what the probe sends to the real server. See Table 3-21 for the types of probes and their descriptions.
Table 3-21 Probe Types
| Probe Type | Description |
|---|---|
| DNS | Sends a request to a DNS server giving it a configured domain. To determine if the server is up, the ACE appliance must receive the configured IP address for that domain. |
| ECHO-TCP | Sends a string to the server and compares the response with the original string. If the response string matches the original, the server is marked as passed. If not, the ACE appliance retries as configured before the server is marked as failed. |
| ECHO-UDP | Sends a string to the server and compares the response with the original string. If the response string matches the original, the server is marked as passed. If not, the ACE appliance retries as configured before the server is marked as failed. |
| FINGER | Sends a probe to the server to verify that a defined username is a username on the server. |
| FTP | Initiates an FTP session. By default, this probe is for an anonymous login with the option of configuring a user ID and password. The ACE appliance performs an FTP GET or LS to determine the outcome of the probe. This probe supports only active connections. |
| HTTP | Sets up a TCP connection and issues an HTTP request. Any valid HTTP response causes the probe to mark the real server as passed. |
| HTTPS | Similar to an HTTP probe, but this probe uses SSL to generate encrypted data. |
| ICMP | Sends an ICMP request and listens for a response. If the server returns a response, the ACE appliance marks the real server as passed. If there is no response and the probe times out, or an ICMP standard error occurs, such as DESTINATION_UNREACHABLE, the ACE appliance marks the real server as failed. |
| IMAP | Initiates an IMAP session, using a configured user ID and password. Then, the probe attempts to retrieve e-mail from the server and validates the result of the probe based on the return codes received from the server. |
| POP | Initiates a POP session, using a configured user ID and password. Then, the probe attempts to retrieve e-mail from the server and validates the result of the probe based on the return codes received from the server. |
| RADIUS | Connects to a RADIUS server and logs into it to determine if the server is up. |
| Scripted | Executes probes from a configured script to perform health probing. This method allows you to author specific scripts with features not present in standard probes. |
| SMTP | Initiates an SMTP session by logging into the server. |
| TCP | Initiates a TCP handshake and expects a response. By default, a successful response causes the probe to mark the server as passed. The probe then sends a FIN to end the session. If the response is not valid, or if there is no response, the probe marks the real server as failed. |
| TELNET | Establishes a connection to the real server and verifies that a greeting from the application was received. |
| UDP | Sends a UDP packet to a real server. The probe marks the server as failed only if an ICMP Port Unreachable message is returned. |
Step 5
Enter health monitoring general attributes (see Table 3-22).
Table 3-22 Health Monitoring General Attributes
| Field | Action |
|---|---|
| Description | Enter a description for this probe. Valid entries are unquoted alphanumeric text strings with no spaces and a maximum of 240 characters. |
| Probe Interval | Enter the number of seconds that the ACE appliance is to wait before sending another probe to a server marked as passed. Valid entries are from 2 to 65535 with a default of 120. |
| Pass Detect Count | Enter the number of successful probe responses from the server before the server is marked as passed. Valid entries are integers from 1 to 65535 with a default of 3. |
| Pass Detect Interval | Enter the number of seconds that the ACE appliance is to wait before sending another probe to a server marked as failed. Valid entries are integers from 2 to 65535 with a default of 300. |
| Receive Timeout | Enter the number of seconds the ACE appliance is to wait for a response from a server that has been probed before marking the server as failed. Valid entries are integers from 1 to 65535 with a default of 10. |
| Fail Detect | Enter the consecutive number of times that an ACE appliance must detect that probes have failed to contact a server before marking the server as failed. Valid entries are integers from 1 to 65535 with a default of 3. |
| Dest IP Address | By default, the probe uses the IP address from the real or virtual server configuration for the destination IP address. To override the destination address that the probe uses, enter the preferred destination IP address in this field using dotted-decimal notation, such as 192.168.11.1. |
| Is Routed | Select the check box to indicate that the destination IP address is routed according to the ACE appliance internal routing table. Clear the check box to indicate that the destination IP address is not routed according to the ACE appliance internal routing table. |
Step 6
Enter the attributes for the specific probe type selected:
• For DNS probes, see Table 3-23.
• For Echo-TCP probes, see Table 3-24.
• For Echo-UDP probes, see Table 3-25.
• For Finger probes, see Table 3-26.
• For FTP probes, see Table 3-27.
• For HTTP probes, see Table 3-28.
• For HTTPS probes, see Table 3-29.
• There are no specific attributes for ICMP probes.
• For IMAP probes, see Table 3-30.
• For POP probes, see Table 3-31.
• For RADIUS probes, see Table 3-32.
• For Scripted probes, see Table 3-33.
• For SMTP probes, see Table 3-34.
• For TCP probes, see Table 3-35.
• For Telnet probes, see Table 3-36.
• For UDP probes, see Table 3-37.
Step 7
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Health Monitoring table.
• Next to save your entries and to configure another probe.
Related Topics
• Configuring DNS Probe Expect Addresses
• Configuring Headers for HTTP and HTTPS Probes
• Configuring Health Monitoring Expect Status
• Configuring Load Balancing with Real Servers
• Configuring Server Farm Load Balancing
• Configuring Load Balancing Using Sticky Groups
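The following Python model is an added example, not code from this guide or from Cisco. It shows how the general attributes in Table 3-22 interact, using the table's defaults, to determine how long an outage takes to be detected and how long a recovered server stays out of rotation; the scheduling rules stated in the docstring and the outage windows are assumptions.

```python
from dataclasses import dataclass

# Valid ranges as given in the Health Monitoring General Attributes table.
RANGES = {
    "interval": (2, 65535),
    "pass_detect_count": (1, 65535),
    "pass_detect_interval": (2, 65535),
    "receive_timeout": (1, 65535),
    "fail_detect": (1, 65535),
}


@dataclass
class ProbeTimers:
    interval: int = 120              # Probe Interval: seconds between probes while passed
    pass_detect_count: int = 3       # Pass Detect Count: successes needed to return to passed
    pass_detect_interval: int = 300  # Pass Detect Interval: seconds between probes while failed
    receive_timeout: int = 10        # Receive Timeout: seconds to wait for a response
    fail_detect: int = 3             # Fail Detect: consecutive failures before marking failed

    def validate(self):
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}..{hi}")
        return self


def simulate(timers, outages, horizon):
    """Return [(time, new_state), ...] for a server that is silent during `outages`.

    Modelling assumptions (not taken from the guide): the first probe is sent at
    t=0 with the server marked passed, the next probe is scheduled one interval
    after the previous one was sent, a lost probe counts as failed once the
    receive timeout expires, and the pass-detect successes must be consecutive.
    """
    timers.validate()
    t, state, fails, oks, transitions = 0, "passed", 0, 0, []
    while t <= horizon:
        responds = not any(start <= t < end for start, end in outages)
        if state == "passed":
            if responds:
                fails = 0
            else:
                fails += 1
                if fails >= timers.fail_detect:
                    state, oks = "failed", 0
                    transitions.append((t + timers.receive_timeout, "failed"))
        else:
            if responds:
                oks += 1
                if oks >= timers.pass_detect_count:
                    state, fails = "passed", 0
                    transitions.append((t, "passed"))
            else:
                oks = 0
        # The probe cadence depends on the state the server is now in.
        t += timers.interval if state == "passed" else timers.pass_detect_interval
    return transitions


def delays(timers, outage, horizon=10_000):
    """Seconds from outage start to 'failed' and from outage end to 'passed'."""
    events = {state: when for when, state in simulate(timers, [outage], horizon)}
    down, up = events.get("failed"), events.get("passed")
    return (None if down is None else down - outage[0],
            None if up is None else up - outage[1])


if __name__ == "__main__":
    outage = (130, 1000)  # constructed outage window, in seconds
    print("defaults:", delays(ProbeTimers(), outage))
    print("tuned:   ", delays(ProbeTimers(5, 2, 10, 2, 2), outage))
    # An outage shorter than fail_detect * interval can go unnoticed.
    print("missed:  ", simulate(ProbeTimers(), [(250, 470)], 3000))
```

Under these assumptions the defaults keep sending clients to a dead server for six minutes and keep a recovered server out of rotation for more than eleven, which is the trade-off to weigh against probe load when choosing the intervals.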
Probe Attribute Tables
Refer to the following topics to configure health monitoring probe-specific attributes:
• DNS Probe Attributes
• Echo-TCP Probe Attributes
• Echo-UDP Probe Attributes
• Finger Probe Attributes
• FTP Probe Attributes
• HTTP Probe Attributes
• HTTPS Probe Attributes
• IMAP Probe Attributes
• POP Probe Attributes
• RADIUS Probe Attributes
• Scripted Probe Attributes
• SMTP Probe Attributes
• TCP Probe Attributes
• Telnet Probe Attributes
• UDP Probe Attributes
Refer to the following topics for additional configuration options for health monitoring probes:
• Configuring DNS Probe Expect Addresses
• Configuring Headers for HTTP and HTTPS Probes
• Configuring Health Monitoring Expect Status
DNS Probe Attributes
Table 3-23 DNS Probe Attributes
| Field | Action |
|---|---|
| Domain Name | Enter the domain name that the probe is to send to the DNS server. Valid entries are unquoted text strings with a maximum of 255 characters. |
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
To configure expect addresses for DNS probes, see Configuring DNS Probe Expect Addresses.
Echo-TCP Probe Attributes
Table 3-24 Echo-TCP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
| Send Data | Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. |
Echo-UDP Probe Attributes
Table 3-25 Echo-UDP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Send Data | Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. |
Finger Probe Attributes
Table 3-26 Finger Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
| Send Data | Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. |
FTP Probe Attributes
Table 3-27 FTP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
To configure probe expect statuses for FTP probes, see Configuring Health Monitoring Expect Status.
HTTP Probe Attributes
Table 3-28 HTTP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
| User Name | Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. |
| Password | Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. |
| Expect Regex | Enter the expected response data from the probe destination. Valid entries are unquoted text strings with a maximum of 255 characters. |
| Expect Regex Offset | Enter the number of characters into the received message or buffer where the ACE appliance is to begin looking for the string specified in the Expect Regex field. Valid entries are integers from 1 to 4000. |
| Hash | Select the Hash check box to indicate that the ACE appliance is to use an MD5 hash for an HTTP GET probe. Clear the Hash check box to indicate that the ACE appliance should not use an MD5 hash for an HTTP GET probe. |
| Hash String | This field appears if the Hash check box is selected. Enter the 32-bit hash value that the ACE appliance is to compare with the hash that is generated from the HTTP page sent by the server. If you do not provide this value, the ACE appliance generates a value the first time it queries the server, stores this value, and matches this value with other responses from the server. A successful comparison causes the probe to maintain an Alive state. Enter the MD5 hash value as a quoted or unquoted hexadecimal string with 16 characters. |
| Request Method Type | Select the type of HTTP request method that is to be used for this probe: • N/A—Indicates that this option is not defined. • Head—Indicates that the server is to only get the header for the page. Using this method can prevent the ACE appliance from assuming that the service is down due to changed content and therefore changed hash values. • Get—Indicates that the HTTP request method is a GET with a URL of "/". This request method directs the server to get the page, and the ACE appliance calculates a hash value for the content of the page. If the page content information changes, the hash value no longer matches the original hash value and the ACE appliance assumes the service is down. This is the default request method. |
| Request HTTP URL | Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is "/". |
To configure probe headers and expect statuses for HTTP probes, see:
• Configuring Headers for HTTP and HTTPS Probes
• Configuring Health Monitoring Expect Status
HTTPS Probe Attributes
Table 3-29 HTTPS Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
| User Name | Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. |
| Password | Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. |
| Expect Regex | Enter the expected response data from the probe destination. Valid entries are unquoted text strings with a maximum of 255 characters. |
| Expect Regex Offset | Enter the number of characters into the received message or buffer where the ACE appliance is to begin looking for the string specified in the Expect Regex field. Valid entries are integers from 1 to 4000. |
| Hash | Select the Hash check box to indicate that the ACE appliance is to use an MD5 hash for an HTTP GET probe. Clear this check box to indicate that the ACE appliance is not to use an MD5 hash for an HTTP GET probe. |
| Hash String | This field appears if the Hash check box is selected. Enter the 32-bit hash value that the ACE appliance is to compare with the hash that is generated from the HTTP page sent by the server. If you do not provide this value, the ACE appliance generates a value the first time it queries the server, stores this value, and matches this value with other responses from the server. A successful comparison causes the probe to maintain an Alive state. Enter the MD5 hash value as a quoted or unquoted hexadecimal string with 16 characters. |
| Request Method Type | Select the type of HTTP request method that is to be used for this probe: • N/A—Indicates that this option is not defined. • Head—Indicates that the server is to only get the header for the page. Using this method can prevent the ACE appliance from assuming that the service is down due to changed content and therefore changed hash values. • Get—Indicates that the HTTP request method is a GET with a URL of "/". This request method directs the server to get the page, and the ACE appliance calculates a hash value for the content of the page. If the page content information changes, the hash value no longer matches the original hash value and the ACE appliance assumes the service is down. This is the default request method. |
| Request HTTP URL | Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is "/". |
| Cipher | Select the cipher suite to be used with this HTTPS probe: • RSA_ANY—Indicates that the HTTPS probe accepts all RSA-configured cipher suites and that no specific suite is configured. This is the default action. • RSA_EXPORT1024_WITH_DES_CBC_SHA • RSA_EXPORT1024_WITH_RC4_56_MD5 • RSA_EXPORT1024_WITH_RC4_56_SHA • RSA_EXPORT_WITH_DES40_CBC_SHA • RSA_EXPORT_WITH_RC4_40_MD5 • RSA_WITH_3DES_EDE_CBC_SHA • RSA_WITH_AES_128_CBC_SHA • RSA_WITH_AES_256_CBC_SHA • RSA_WITH_DES_CBC_SHA • RSA_WITH_RC4_128_MD5 • RSA_WITH_RC4_128_SHA |
| SSL Version | Select the version of SSL or TLS to be used in ClientHello messages sent to the server: • SSLv2—Indicates that the probe is to use SSL version 2. • SSLv3—Indicates that the probe is to use SSL version 3. • TLSv1—Indicates that the probe is to use TLS version 1. By default, the probe sends ClientHello messages with an SSL version 3 header and a TLS version 1 message. |
To configure probe headers and expect statuses for HTTPS probes, see:
• Configuring Headers for HTTP and HTTPS Probes
• Configuring Health Monitoring Expect Status
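As an added example (not part of this guide or of any Cisco tool), the following Python audit classifies the Cipher and SSL Version choices from Table 3-29 by their known cryptographic weaknesses, so that an HTTPS probe left on the defaults or pinned to an export-grade suite can be flagged in a configuration review. The function names and the sample probe names are hypothetical.

```python
# Cipher choices exactly as listed in the Cipher field of the HTTPS probe table.
CIPHERS = [
    "RSA_ANY",
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
]

# SSL Version choices from the same table; None stands for the default ClientHello.
SSL_VERSION_FINDINGS = {
    None: "default ClientHello offers at most TLS 1.0, deprecated by RFC 8996",
    "SSLv2": "SSL 2.0 is prohibited by RFC 6176",
    "SSLv3": "SSL 3.0 is deprecated by RFC 7568 (POODLE)",
    "TLSv1": "TLS 1.0 is deprecated by RFC 8996",
}


def cipher_findings(name):
    """Return the list of weaknesses implied by a cipher suite name."""
    if name not in CIPHERS:
        raise ValueError(f"{name!r} is not a cipher choice from the table")
    if name == "RSA_ANY":
        return ["no suite pinned: the probe accepts every listed suite, "
                "export-grade ones included"]
    tokens = name.split("_")
    findings = []
    if any(tok.startswith("EXPORT") for tok in tokens):
        findings.append("export-grade suite: 40- or 56-bit symmetric key")
    if "DES" in tokens or "DES40" in tokens:
        findings.append("single DES: key of at most 56 bits")
    if "3DES" in tokens:
        findings.append("3DES: 64-bit block cipher (Sweet32)")
    if "RC4" in tokens:
        findings.append("RC4 is prohibited by RFC 7465")
    if tokens[-1] == "MD5":
        findings.append("MD5-based MAC")
    return findings


def preferred_ciphers():
    """Suites from the list with no cipher-level finding.

    Every listed suite uses RSA key exchange, so none of them offers
    forward secrecy; this only picks the least weak options available.
    """
    return [name for name in CIPHERS if not cipher_findings(name)]


def audit_probe(probe_name, cipher="RSA_ANY", ssl_version=None):
    """Return [(probe, field, finding), ...] for one HTTPS probe definition."""
    if ssl_version not in SSL_VERSION_FINDINGS:
        raise ValueError(f"{ssl_version!r} is not an SSL Version choice from the table")
    report = [(probe_name, "cipher", f) for f in cipher_findings(cipher)]
    report.append((probe_name, "ssl_version", SSL_VERSION_FINDINGS[ssl_version]))
    return report


if __name__ == "__main__":
    # Constructed probe definitions for illustration.
    samples = [
        ("HTTPS_DEFAULTS", "RSA_ANY", None),
        ("HTTPS_LEGACY", "RSA_EXPORT_WITH_RC4_40_MD5", "SSLv2"),
        ("HTTPS_PINNED", "RSA_WITH_AES_256_CBC_SHA", "TLSv1"),
    ]
    for sample in samples:
        for row in audit_probe(*sample):
            print(*row, sep=" | ")
    print("least weak suites:", preferred_ciphers())
```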
IMAP Probe Attributes
Table 3-30 IMAP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
| User Name | Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 24 characters. |
| Password | Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 24 characters. |
| Mailbox Name | Enter the user mailbox name from which to retrieve e-mail for this IMAP probe. Valid entries are unquoted text strings with a maximum of 64 characters. |
| Request Method | Enter the request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces. |
POP Probe Attributes
Table 3-31 POP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
| User Name | Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. |
| Password | Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. |
| Request Method | Enter the request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces. |
RADIUS Probe Attributes
Table 3-32 RADIUS Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| User Secret | Enter the shared secret to be used to allow probe access to the RADIUS server. Valid entries are case-sensitive strings with no spaces and a maximum of 128 characters. |
| User Name | Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. |
| Password | Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. |
| NAS IP Address | Enter the IP address of the Network Access Server (NAS) in dotted-decimal format, such as 192.168.11.1. |
Scripted Probe Attributes
Table 3-33 Scripted Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Script needs to be copied from remote location? | Select this check box to indicate that the file needs to be copied from a remote server. Clear this check box to indicate that the script resides locally. |
| Protocol | This field appears if the Script needs to be copied from remote location? check box is selected. Select the protocol to be used for copying the script: • FTP—Indicates that the script is to be copied using FTP. • TFTP—Indicates that the script is to be copied using TFTP. |
| Username | This field appears if FTP is selected in the Protocol field. Enter the name of the user account on the remote server. |
| Password | This field appears if FTP is selected in the Protocol field. Enter the password for the user account on the remote server. |
| Confirm | This field appears if FTP is selected in the Protocol field. Reenter the password. |
| Source File Name | Enter the host IP address, path, and filename of the file on the remote server in the format host-ip/path/filename where: • host-ip represents the IP address of the remote server. • path represents the directory path of the file on the remote server. • filename represents the filename of the file on the remote server. For example, your entry might resemble 192.168.11.2/usr/bin/my-script.ext. |
| Script Name | Enter the local name that you want to assign to this file on the ACE appliance. This file can reside in the disk0: directory or the probe: directory (if the probe: directory exists). Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. |
| Script Arguments | Enter up to 5 arguments that are to be passed to the script. Valid arguments are unquoted text strings with no spaces; separate multiple arguments with a space. The field limit is 255 characters. |
SMTP Probe Attributes
Table 3-34 SMTP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
To configure probe expect statuses for SMTP probes, see Configuring Health Monitoring Expect Status.
TCP Probe Attributes
Table 3-35 TCP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
| Send Data | Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. |
| Expect Regex | Enter the expected response data from the probe destination. Valid entries are unquoted text strings with a maximum of 255 characters. |
| Expect Regex Offset | Enter the number of characters into the received message or buffer where the ACE appliance is to begin looking for the string specified in the Expect Regex field. Valid entries are integers from 1 to 4000. |
Telnet Probe Attributes
Table 3-36 Telnet Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Is Connection | Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured. |
| Open Timeout | Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10. |
UDP Probe Attributes
Table 3-37 UDP Probe Attributes
| Field | Action |
|---|---|
| Port | Enter the port number that the probe is to use. By default, the probe uses the port number based on its type. |
| Send Data | Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. |
| Expect Regex | Enter the expected response data from the probe destination. Valid entries are unquoted text strings with a maximum of 255 characters. |
| Expect Regex Offset | Enter the number of characters into the received message or buffer where the ACE appliance is to begin looking for the string specified in the Expect Regex field. Valid entries are integers from 1 to 4000. |
Configuring DNS Probe Expect Addresses
When a DNS probe sends a domain name resolve request to the server, it verifies the returned IP address by matching the received IP address with the configured addresses.
Use this procedure to specify the IP address that the ACE appliance expects to receive in response to a DNS request.
Assumption
A DNS probe has been configured. See Configuring Health Monitoring for Real Servers for more information.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.
Step 2
Select the DNS probe that you want to configure with an expected IP address. The Expect Addresses subtable appears.
Step 3
Click Add to add an entry to the Expect Addresses table. The Expect Address configuration screen appears.
Note
You cannot modify an entry in the Expect Addresses table. Instead, delete the existing entry, then add a new one.
Step 4
In the IP Address field, enter the IP address that the ACE appliance is to expect as a server response to a DNS request. Valid entries are unique IP addresses in dotted-decimal notation, such as 192.168.11.1.
Step 5
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entry and to return to the Expect Addresses table.
• Next to save your entry and to add another IP Address to the Expect Addresses table.
Related Topics
• Configuring Health Monitoring for Real Servers
• DNS Probe Attributes
Configuring Headers for HTTP and HTTPS Probes
Use this procedure to specify header fields for HTTP and HTTPS probes.
Assumption
An HTTP or HTTPS probe has been configured. See Configuring Health Monitoring for Real Servers for more information.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.
Step 2
Select the HTTP or HTTPS probe that you want to configure with a header. The Probe Headers subtable appears.
Step 3
Click Add to add an entry, or select an existing entry, then click Edit to modify it. The Probe Headers configuration screen appears.
Step 4
In the Header Name field, select the HTTP header the probe is to use.
Step 5
In the Header Value field, enter the string to assign to the header field. Valid entries are text strings with a maximum of 255 characters. If the string includes spaces, enclose the string with quotes.
Step 6
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entry and to return to the Probe Headers table.
• Next to save your entry and to add another header entry to the Probe Headers table.
Related Topics
• Configuring Health Monitoring for Real Servers
• HTTP Probe Attributes
• HTTPS Probe Attributes
Configuring Health Monitoring Expect Status
When the ACE appliance receives a response from the server, it expects a status code to mark a server as passed. By default, there are no status codes configured on the ACE appliance. If you do not configure a status code, any response code from the server is marked as failed.
Expect status codes can be configured for FTP, HTTP, HTTPS, and SMTP probes.
Use this procedure to configure a single code response or a range of code responses that the ACE appliance expects from the probe destination.
Assumption
An FTP, HTTP, HTTPS, or SMTP probe has been configured. See Configuring Health Monitoring for Real Servers for more information.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.
Step 2
Select the FTP, HTTP, HTTPS, or SMTP probe that you want to configure for expect status codes. The Expect Status subtable appears.
Step 3
Click Add to add an entry, or select an existing entry, then click Edit to modify it. The Expect Status configuration screen appears.
Step 4
To configure a single expect status code:
a. In the Min Expect Status Code field, enter the expect status code for this probe. Valid entries are integers from 0 to 999.
b. In the Max Expect Status Code field, enter the same expect status code that you entered in the Min Expect Status Code field.
Step 5
To configure a range of expect status codes:
a. In the Min Expect Status Code field, enter the lower limit of the range of status codes. Valid entries are integers from 0 to 999.
b. In the Max Expect Status Code field, enter the upper limit of the range of status codes. Valid entries are integers from 0 to 999. The value in this field must be greater than or equal to the value in the Min Expect Status Code field.
Step 6
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without saving your entries and to return to the Expect Status table.
• Next to save your entries and to add another expect status code to the Expect Status table.
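The following added example (not Cisco code and not the appliance's implementation) models the expect status rules described in this procedure so that a planned set of entries can be checked before it is deployed. The class and function names are hypothetical, the sample response codes are constructed, and the 5xx check in `lint_http_entries` is an extra review aid that assumes an HTTP or HTTPS probe.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpectStatus:
    """One Expect Status entry: an inclusive [min_code, max_code] range."""
    min_code: int
    max_code: int

    def __post_init__(self):
        # Field limits as documented: integers from 0 to 999, Max >= Min.
        for code in (self.min_code, self.max_code):
            if not isinstance(code, int) or not 0 <= code <= 999:
                raise ValueError(f"status code {code!r} is not an integer from 0 to 999")
        if self.max_code < self.min_code:
            raise ValueError("Max Expect Status Code must be >= Min Expect Status Code")

    def matches(self, code):
        return self.min_code <= code <= self.max_code


def probe_passes(entries, response_code):
    """A response passes only if it falls inside a configured entry.

    With no entries configured, any() over an empty list is False, which
    mirrors the documented default: every response is marked as failed.
    """
    return any(entry.matches(response_code) for entry in entries)


def audit(entries, observed_codes):
    """Map each observed response code to 'passed' or 'failed'."""
    return {code: ("passed" if probe_passes(entries, code) else "failed")
            for code in observed_codes}


def lint_http_entries(entries):
    """Review aid (assumption: HTTP/HTTPS probe). Returns a list of findings."""
    findings = []
    if not entries:
        findings.append("no expect status configured: every probe response is marked as failed")
    for entry in entries:
        # A range that overlaps 500-599 keeps a server that returns
        # server errors in rotation as if it were healthy.
        if entry.max_code >= 500 and entry.min_code <= 599:
            findings.append(
                f"range {entry.min_code}-{entry.max_code} accepts HTTP 5xx server errors as healthy")
    return findings


if __name__ == "__main__":
    # Constructed sample: response codes a probe might observe.
    observed = [200, 301, 303, 500]
    print(audit([], observed))                       # default: nothing passes
    planned = [ExpectStatus(200, 200), ExpectStatus(301, 302)]
    print(audit(planned, observed))
    print(lint_http_entries([ExpectStatus(200, 599)]))
```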
Related Topics
• Configuring Health Monitoring for Real Servers
• FTP Probe Attributes
• HTTP Probe Attributes
• SMTP Probe Attributes
Managing Real Servers
The Real Servers table (Config > Operations > Real Servers) provides the following information by default for each server:
• Server name
• IP address
• Port
• Configured status, such as In Service, Out of Service, or In Service Standby
• Current state (See Table 3-38 for descriptions of real server operational states.)
• Number of current connections
• Current server weight
• Associated server farm
• Owner, such as the associated virtual context
In the table, N/A indicates that either the information is not available from the database or that it is not being collected via SNMP. To identify any SNMP-related issues, select the real server's virtual context in the object selector. If there are problems with SNMP, SNMP status will appear in the upper right above the content pane.
The following options are available from the Real Servers table:
• Activating Real Servers
• Suspending Real Servers
• Modifying Real Servers
• Viewing All Real Servers
Activating Real Servers
Use this procedure to activate a real server.
Procedure
Step 1
Select Config > Operations > Real Servers. The Real Servers table appears.
Step 2
Select the servers that you want to activate, then click Activate. The Activate Server screen appears.
Step 3
In the Task field, confirm that this is the server that you want to activate.
Step 4
In the Reason field, enter a reason for this action. You might enter a trouble ticket, an order ticket, or a user message. Do not enter a password in this field.
Step 5
Click:
• Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears in the table with the status Inservice.
• Cancel to exit this procedure without activating the server and to return to the Real Servers table.
Related Topics
• Managing Real Servers
• Suspending Real Servers
• Viewing All Real Servers
Suspending Real Servers
Use this procedure to suspend a real server.
Procedure
Step 1
Select Config > Operations > Real Servers. The Real Servers table appears.
Step 2
Select the server that you want to suspend, then click Suspend. The Suspend Server screen appears.
Step 3
In the Task field, confirm that the correct server is identified.
Step 4
In the Reason field, enter the reason for this action. You might enter a trouble ticket, an order ticket, or a user message. Do not enter a password in this field.
Step 5
Select the Clear Existing Connections? check box to clear the existing connections to this server as part of the shutdown process. Clear the check box if you do not want to clear the existing connections as part of the shutdown process.
Step 6
Click:
• Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears in the table with the status Out of Service.
• Cancel to exit this procedure without suspending the server and to return to the Real Servers table.
Related Topics
• Managing Real Servers
• Activating Real Servers
• Viewing All Real Servers
Modifying Real Servers
Use this procedure to modify weight and connections for real servers.
Procedure
Step 1
Select Config > Operations > Real Servers. The Real Servers table appears.
Step 2
Select the server whose configuration you want to modify, then click Edit. The Real Server configuration screen appears.
Step 3
In the Reason field, enter a reason for this change. You might enter a trouble ticket, an order ticket, or a user message. Do not enter a password in this field.
Step 4
In the Weight field, enter the weight to be assigned to this real server in a server farm. Valid entries are integers from 1 to 100, and the default is 8.
Step 5
In the Minimum Connections field, enter the number of connections that must occur before this server starts accepting connections again after the maximum number of connections has been exceeded. Valid entries are integers from 1 to 4000000.
Step 6
In the Maximum Connections field, enter the maximum number of connections allowed for this server. Valid entries are integers from 1 to 4000000.
Step 7
Click:
• Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears in the table with the updated information.
• Cancel to exit this procedure without saving your entries and to return to the Real Servers table.
Related Topics
• Managing Real Servers
• Activating Real Servers
• Viewing All Real Servers
Viewing All Real Servers
To view all real servers, select Config > Operations > Real Servers. The Real Servers table displays the following information by default:
• Real server name
• IP address
• Port
• Configured status, such as In Service, Out of Service, or In Service Standby
• Current operational state. Table 3-38 describes real server operational states.
• Number of current connections
• Server weight
• Associated server farm
• Owner, such as the associated virtual context
In the table, N/A indicates that either the information is not available from the database or that it is not being collected via SNMP. To identify any SNMP-related issues, select the real server's virtual context in the object selector. If there are problems with SNMP, SNMP status will appear in the upper right above the content pane.
Table 3-38 Real Server Operational States

| State | Description |
|---|---|
| Failed | The server has failed and will not be retried for the amount of time specified by its retry timer. |
| Inband probe failed | The server has failed the inband Health Probe agent. |
| In service | The server is in use as a destination for server load balancing client connections. |
| Operation wait | The server is ready to become operational but is waiting for the associated redirect virtual server to be in service. |
| Out of service | The server is not in use by a server load balancer as a destination for client connections. |
| Probe failed | The server load-balancing probe to this server has failed. No new connections will be assigned to this server until a probe to this server succeeds. |
| Probe testing | The server has received a test probe from the server load balancer. |
| Ready to test | The server has failed and its retry timer has expired; test connections will begin flowing to it soon. |
| Return code failed | The server has been disabled because it returned an HTTP code that matched a configured value. |
| Test wait | The server is ready to be tested. This state is applicable only when the server is used for HTTP redirect load balancing. |
| Testing | The server has failed and has been given another test connection. The success of this connection is not known. |
| Throttle: DFP | DFP has lowered the weight of the server to throttle level; no new connections will be assigned to the server until DFP raises its weight. |
| Throttle: max clients | The server has reached its maximum number of allowed clients. |
| Throttle: max connections | The server has reached its maximum number of connections and is no longer being given connections. |
| Unknown | The state of the server is not known. |
Related Topics
• Activating Real Servers
• Suspending Real Servers
• Modifying Real Servers
Stickiness Overview
When customers visit an e-commerce site, they usually start out by browsing the site, the Internet equivalent of window shopping. Depending on the application, the site may require that the client become "stuck" to one server once the connection is established, or the application may not require this until the client starts to build a shopping cart.
In either case, once the client adds items to the shopping cart, it is important that all of the client requests get directed to the same server so that all the items are contained in one shopping cart on one server. An instance of a customer's shopping cart is typically local to a particular Web server and is not duplicated across multiple servers.
E-commerce applications are not the only types of applications that require stickiness. Any Web application that maintains client information may require stickiness, such as banking applications or online trading. Other uses include FTP and HTTP file transfers.
Stickiness allows the same client to maintain multiple simultaneous or subsequent TCP or IP connections with the same real server for the duration of a session. A session, as used here, is defined as a series of transactions between a client and a server over some finite period of time (from several minutes to several hours). This feature is particularly useful for e-commerce applications where a client needs to maintain multiple connections with the same server while shopping online, especially while building a shopping cart and during the checkout process.
Depending on the configured SLB policy, the ACE appliance "sticks" a client to an appropriate server after the ACE appliance has determined which load-balancing method to use. If the ACE appliance determines that a client is already stuck to a particular server, then the ACE appliance sends that client request to that server, regardless of the load-balancing criteria specified by the matched policy. If the ACE appliance determines that the client is not stuck to a particular server, it applies the normal load-balancing rules to the content request.
For information on stickiness, see:
• IP Address Stickiness
• Cookie Stickiness
• HTTP Header Stickiness
• Sticky Groups
• Sticky Table
Related Topics
• Configuring Virtual Server Default Layer 7 Load Balancing
• Configuring Load Balancing Using Sticky Groups
IP Address Stickiness
You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.
Related Topics
• Stickiness Overview
• Cookie Stickiness
• HTTP Header Stickiness
• Sticky Groups
• Sticky Table
Cookie Stickiness
Client cookies uniquely identify clients to the ACE appliance and the servers providing content. A cookie is a small data structure within the HTTP header that is used by a server to deliver data to a Web client and request that the client store the information. In certain applications, the client returns the information to the server to maintain the connection state or persistence between the client and the server.
When the ACE appliance examines a request for content and determines through policy matching that the content is sticky, it examines any cookie or URL present in the content request. The ACE appliance uses the information in the cookie or URL to direct the content request to the appropriate server.
The ACE appliance supports the following types of cookie stickiness:
• Dynamic cookie learning
You can configure the ACE appliance to look for a specific cookie name and automatically learn its value either from the client request HTTP header or from the server Set-Cookie message in the server response. Dynamic cookie learning is useful when dealing with applications that store more than just the session ID or user ID within the same cookie. Only very specific bytes of the cookie value are relevant to stickiness.
By default, the ACE appliance learns the entire cookie value. You can optionally specify an offset and length to instruct the ACE appliance to learn only a portion of the cookie value.
Alternatively, you can specify a secondary cookie value that appears in the URL string in the HTTP request. This option instructs the ACE appliance to search for (and eventually learn or stick to) the cookie information as part of the URL. URL learning is useful with applications that insert cookie information as part of the HTTP URL. In some cases, you can use this feature to work around clients that reject cookies.
• Cookie insert
The ACE appliance inserts the cookie on behalf of the server upon the return request, so that the ACE appliance can perform cookie stickiness even when the servers are not configured to set cookies. The cookie contains information that the ACE appliance uses to ensure persistence to a specific real server.
Related Topics
• Stickiness Overview
• IP Address Stickiness
• HTTP Header Stickiness
• Sticky Groups
• Sticky Table
HTTP Header Stickiness
You can use HTTP-header information to provide stickiness. With HTTP header stickiness, you can specify a header offset to provide stickiness based on a unique portion of the HTTP header.
Related Topics
• Stickiness Overview
• IP Address Stickiness
• Cookie Stickiness
• Sticky Groups
• Sticky Table
Sticky Groups
The ACE appliance uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with a Layer 7 policy-map action in a Layer 7 SLB policy map. You can create a maximum of 4096 sticky groups in each context. Each sticky group that you configure on the ACE appliance contains a series of parameters that determine:
• Sticky method
• Timeout
• Replication
• Cookie offset and other cookie-related attributes
• HTTP header offset and other header-related attributes
Note
The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE appliance resources to stickiness. See Managing Resource Classes, page 2-29 for information about configuring ACE appliance resources.
Related Topics
• Stickiness Overview
• IP Address Stickiness
• Cookie Stickiness
• HTTP Header Stickiness
• Sticky Table
Sticky Table
To keep track of sticky connections, the ACE appliance uses a sticky table. Table entries include the following items:
• Sticky groups
• Sticky methods
• Sticky connections
• Real servers
The sticky table can hold a maximum of four million entries (four million simultaneous users). When the table reaches the maximum number of entries, additional sticky connections cause the table to wrap and the first users become unstuck from their respective servers.
The ACE appliance uses a configurable timeout mechanism to age out sticky table entries. When an entry times out, it becomes eligible for reuse. High connection rates may cause the premature aging out of sticky entries. In this case, the ACE appliance reuses the entries that are closest to expiration first.
Sticky entries can be either dynamic (generated by the ACE appliance on-the-fly) or static (user-configured). When you create a static sticky entry, the ACE appliance places the entry in the sticky table immediately. Static entries remain in the sticky database until you remove them from the configuration. You can create a maximum of 4096 static sticky entries in each context.
If the ACE appliance takes a real server out of service for whatever reason (probe failure, no inservice command, or ARP timeout), the ACE appliance removes from the database any sticky entries that are related to that server.
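The following added example (not Cisco code and not the appliance's implementation) is a small model of the sticky table behavior described above: a bounded table, timeout aging, reuse of the entry closest to expiration when the table is full, and removal of entries when a real server goes out of service. It models dynamic entries only; the class and function names, the three-entry capacity, the round-robin server choice, and the assumption that a hit restarts an entry's timer are all illustrative.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Entry:
    server: str
    expires_at: float  # minutes on an arbitrary clock


class StickyTable:
    """Simplified model of a sticky table holding dynamic entries."""

    def __init__(self, capacity, timeout_minutes=1440):
        self.capacity = capacity          # the real table holds four million entries
        self.timeout = timeout_minutes    # documented default: 1440 minutes
        self.entries = {}
        self.displaced = []               # keys that lost a still-valid entry

    def lookup(self, key, now):
        entry = self.entries.get(key)
        if entry is None:
            return None
        if entry.expires_at <= now:       # aged out: eligible for reuse
            del self.entries[key]
            return None
        entry.expires_at = now + self.timeout   # assumption: a hit restarts the timer
        return entry.server

    def stick(self, key, server, now):
        if key not in self.entries and len(self.entries) >= self.capacity:
            # Table full: reuse the entry that is closest to expiration.
            victim = min(self.entries, key=lambda k: self.entries[k].expires_at)
            if self.entries[victim].expires_at > now:
                self.displaced.append(victim)   # premature age-out of a live entry
            del self.entries[victim]
        self.entries[key] = Entry(server, now + self.timeout)

    def remove_server(self, server):
        """Drop every entry tied to a real server that went out of service."""
        removed = [k for k, e in self.entries.items() if e.server == server]
        for k in removed:
            del self.entries[k]
        return removed


def route(table, key, now, pick_server):
    """Return (server, was_stuck); unstuck clients get normal load balancing."""
    server = table.lookup(key, now)
    if server is not None:
        return server, True
    server = pick_server()
    table.stick(key, server, now)
    return server, False


def demo():
    # Constructed scenario: three-entry table, two real servers, round robin.
    table = StickyTable(capacity=3, timeout_minutes=1440)
    rr = itertools.cycle(["rs1", "rs2"])
    pick = lambda: next(rr)
    result = {
        "first": [route(table, c, t, pick) for t, c in enumerate(["alice", "bob", "carol"])],
        "alice_again": route(table, "alice", 10, pick),   # still stuck, timer restarted
        "dave": route(table, "dave", 11, pick),           # table full: bob is displaced
        "bob_again": route(table, "bob", 12, pick),       # bob lands on another server
    }
    result["displaced"] = list(table.displaced)
    result["removed_with_rs1"] = table.remove_server("rs1")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this model the `displaced` list is the signal to watch: a non-empty list means the table is undersized for the connection rate and live sessions are being moved between servers.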
Related Topics
• Stickiness Overview
• IP Address Stickiness
• Cookie Stickiness
• HTTP Header Stickiness
• Sticky Groups
• Sticky Table
Configuring Load Balancing Using Sticky Groups
Stickiness (or session persistence) is a feature that allows the same client to maintain multiple simultaneous or subsequent TCP connections with the same real server for the duration of a session. A session, as used here, is defined as a series of transactions between a client and a server over some finite period of time (from several minutes to several hours). This feature is particularly useful for e-commerce applications where a client needs to maintain multiple TCP connections with the same server while shopping online, especially while building a shopping cart and during the checkout process.
E-commerce applications are not the only types of applications that require stickiness. Any Web application that maintains client information may require stickiness, such as banking applications or online trading. Other uses include FTP and HTTP file transfers.
The ACE appliance uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with a Layer 7 policy-map action in a Layer 7 SLB policy map.
Note
The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE appliance resources to stickiness. See Managing Resource Classes, page 2-29 for information about configuring ACE appliance resources.
Assumption
The context in which you are configuring a sticky group is associated with a resource class that allocates resources to stickiness.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table appears.
Step 2
Click Add to add a new sticky group, or select an existing sticky group you want to modify, then click Edit.
Step 3
Enter the sticky group attributes (see Table 3-39).
Table 3-39 Sticky Group Attributes

| Field | Description |
|---|---|
| Group Name | The sticky group identifier. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. |
| Type | The method to be used when establishing sticky connections: • HTTP Cookie—Indicates that the ACE appliance is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction. • HTTP Header—Indicates that the ACE appliance is to stick client connections to the same real server based on HTTP headers. • IP Netmask—Indicates that the ACE appliance is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both. Note: If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence. |
| Cookie Name | This option appears for sticky type HTTP Cookie. Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. |
| Enable Insert | This option appears only for sticky type HTTP Cookie. Select this check box if the ACE appliance is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie. When selected, the ACE appliance selects a cookie value that identifies the original server from which the client received a response. For subsequent connections of the same transaction, the client uses the cookie to stick to the same server. Clear this check box to disable cookie insertion. |
| Offset | This option appears for sticky types HTTP Cookie and HTTP Header. Enter the number of bytes the ACE appliance is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the ACE appliance does not exclude any portion of the cookie. |
| Length | This option appears for sticky types HTTP Cookie and HTTP Header. Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to 1000. The default is 1000. |
| Secondary Name | This option appears only for sticky type HTTP Cookie. Enter an alternate cookie name that is to appear in the URL string of the Web page on the server. The ACE appliance uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. |
| Header Name | This option appears for sticky type HTTP Header. Select the HTTP header to use for sticking client connections. |
| Netmask | This option appears only for sticky type IP Netmask. Select the netmask to apply to the source IP address, the destination IP address, or both. |
| Address Type | This option appears only for sticky type IP Netmask. Indicate whether this sticky type is to be applied to the client source IP address, the destination IP address, or both: • Both—Indicates that this sticky type is to be applied to both the source IP address and the destination IP address. • Source—Indicates that this sticky type is to be applied to the source IP address only. • Destination—Indicates that this sticky type is to be applied to the destination IP address only. |
| Sticky Server Farm | Select a server farm you want to associate with this sticky group. |
| Backup Server Farm | Select a backup server farm to be associated with this sticky group. If the primary server farm is down, the ACE appliance uses the backup server farm. |
| Aggregate State | This field appears when a server farm and backup server farm are selected. Select this check box to indicate that the state of the backup server farm is tied to the virtual server state. Clear this check box if the backup server farm is not tied to the virtual server state. |
| Sticky Enabled | This field appears when a server farm and backup server farm are selected. Select this check box to indicate that the backup server farm is sticky. Clear this check box if the backup server farm is not sticky. |
| Replicate | Select this check box to indicate that the ACE appliance is to replicate sticky table entries on the standby ACE appliance. If a failover occurs and this option is selected, the new active ACE appliance can maintain the existing sticky connections. Clear this check box to indicate that the ACE appliance is not to replicate sticky table entries on the standby ACE appliance. |
| Timeout | Enter the number of minutes that the ACE appliance keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are integers from 1 to 65535; the default is 1440 minutes (24 hours). |
| Timeout Active Connections | Select this check box to specify that the ACE appliance is to time out sticky table entries even if active connections exist after the sticky timer expires. Clear this check box to specify that the ACE appliance is not to time out sticky table entries even if active connections exist after the sticky timer expires. This is the default behavior. |
Step 4
Click:
• Deploy Now to deploy this configuration on the ACE appliance. To configure sticky statics, see Configuring Sticky Statics.
• Cancel to exit the procedure without saving your entries and to return to the Sticky Groups table.
• Next to save your entries and to configure another sticky group.
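The following added example (not Cisco code and not the appliance's implementation) shows how the Offset, Length, Netmask, and Address Type attributes in Table 3-39 change the value a client is stuck on, and why the megaproxy note matters. The function names, the cookie name `APPSTATE`, and the sample requests are constructed for illustration; the addresses come from documentation ranges.

```python
import ipaddress


def cookie_sticky_key(cookie_header, cookie_name, offset=0, length=1000):
    """Return the bytes of the named cookie's value used for stickiness.

    offset: bytes to ignore from the start of the value (0-999, default 0).
    length: bytes to use after the offset (1-1000, default 1000).
    Returns None when the cookie is absent or the selected slice is empty.
    """
    if not 0 <= offset <= 999:
        raise ValueError("offset must be an integer from 0 to 999")
    if not 1 <= length <= 1000:
        raise ValueError("length must be an integer from 1 to 1000")
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == cookie_name:
            return value.encode("utf-8")[offset:offset + length] or None
    return None


def ip_sticky_key(src, dst, netmask, address_type="source"):
    """Return the masked address or addresses used as the sticky key."""
    def mask(addr):
        net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
        return str(net.network_address)

    if address_type == "source":
        return (mask(src),)
    if address_type == "destination":
        return (mask(dst),)
    if address_type == "both":
        return (mask(src), mask(dst))
    raise ValueError("address_type must be 'source', 'destination' or 'both'")


def distinct_keys(requests, key_fn):
    """Set of sticky keys produced for a list of requests."""
    return {key_fn(r) for r in requests}


# Constructed traffic: ONE shopper whose requests leave a megaproxy through two
# different egress addresses while the application updates the cart counter
# stored in the same cookie as the session ID.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.17", "dst": "192.0.2.10",
     "cookie": "theme=dark; APPSTATE=v2|sess=8f3a1c9e|cart=3"},
    {"src": "203.0.113.42", "dst": "192.0.2.10",
     "cookie": "theme=dark; APPSTATE=v2|sess=8f3a1c9e|cart=4"},
]


def compare_methods(requests=SAMPLE_REQUESTS):
    """More than one key for a single client means the session can split."""
    return {
        "ip_source_/24": distinct_keys(
            requests, lambda r: ip_sticky_key(r["src"], r["dst"], "255.255.255.0", "source")),
        "cookie_whole_value": distinct_keys(
            requests, lambda r: cookie_sticky_key(r["cookie"], "APPSTATE")),
        # Skip the 8-byte prefix "v2|sess=" and keep the 8-byte session ID.
        "cookie_offset8_len8": distinct_keys(
            requests, lambda r: cookie_sticky_key(r["cookie"], "APPSTATE", offset=8, length=8)),
    }


if __name__ == "__main__":
    for method, keys in compare_methods().items():
        print(f"{method}: {len(keys)} key(s) -> {sorted(keys)}")
```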
Related Topics
• Configuring Sticky Statics
• Configuring Virtual Context Class Maps, page 7-12
• Configuring Virtual Context Policy Maps, page 7-27
• Configuring Load Balancing with Real Servers
• Configuring Server Farm Load Balancing
Viewing All Sticky Groups by Context
Use this procedure to view all sticky groups associated with a virtual context.
Procedure
Step 1
Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2
Select the virtual context with the sticky groups you want to view, then select Load Balancing > Stickiness. The Sticky Groups table appears, listing the sticky groups associated with the selected context.
Related Topics
• Configuring Load Balancing Using Sticky Groups
• Configuring Sticky Statics
Configuring Sticky Statics
Use this procedure to configure sticky statics.
Assumption
A sticky group has been configured. See Configuring Load Balancing Using Sticky Groups for more information.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table appears.
Step 2
Select the sticky group you want to configure for sticky statics, then select the Sticky Statics tab. If you do not see the Sticky Statics tab beneath the Sticky Groups table, click Show Tabs just below the table name.
Step 3
Click Add to add a new entry to the table, or select an existing entry, then click Edit to modify it. The Sticky Statics configuration screen appears.
Step 4
In the Seqnumber field, either accept the automatically incremented number for this entry or enter a new sequence number. The sequence number indicates the order in which multiple sticky static configurations are applied.
Step 5
In the Type field, confirm that the correct sticky group type is selected. If you select multiple sticky groups and are creating a new static sticky entry, select the sticky group type to use:
• HTTP Cookie—Indicates that the ACE appliance is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction.
• HTTP Header—Indicates that the ACE appliance is to stick client connections to the same real server based on HTTP headers.
• IP Netmask—Indicates that the ACE appliance is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both.
Note
If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.
Step 6
If you select either HTTP Cookie or HTTP Header for sticky type, in the Static Value field, enter the cookie string value. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotes.
Step 7
If you select IP Netmask for the sticky type:
a. In the Static Source field, enter the source IP address of the client.
b. In the Static Destination field, enter the destination IP address of the client.
Step 8
In the Named Real Server field, select the real server to associate with this static sticky entry.
Step 9
In the Port field, enter the port number of the real server. Valid entries are integers from 1 to 65535.
Step 10
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit the procedure without saving your entries and to return to the Sticky Statics table.
• Next to save your entries and to configure another sticky static entry.
Related Topic
Configuring Load Balancing Using Sticky Groups
Using Parameter Maps
Parameter maps allow you to combine related actions for IP, TCP, or HTTP connections in a Layer 3 and Layer 4 policy map.
The ACE Appliance Device Manager interface enables you to create:
• Connection parameter maps that combine all IP and TCP connection-related behaviors pertaining to:
  – TCP normalization, termination, and server reuse
  – IP normalization, fragmentation, and reassembly
• HTTP parameter maps that configure HTTP behavior for HTTP load-balanced connections.
• Optimization parameter maps that specify optimization-related commands that pertain to application acceleration and optimization functions performed by the ACE appliance.
Related Topics
• Configuring Connection Parameter Maps
• Configuring HTTP Parameter Maps
• Configuring Optimization Parameter Maps
• Configuring Traffic Policies, page 7-1
• Configuring Load Balancing
• Configuring Virtual Contexts, page 2-4
Configuring Connection Parameter Maps
Use this procedure to configure a Connection parameter map for use with a Layer 3/Layer 4 policy map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Map. The Parameter Map table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The Parameter Maps configuration screen appears.
Step 3
In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 32 alphanumeric characters.
Step 4
In the Type field, select Connection.
Step 5
Enter the information in Table 3-40.
Table 3-40 Connection Parameter Map Attributes
Field
|
Description
|
Exceeds MSS
|
Indicate how the ACE appliance is to handle segments that exceed the maximum segment size (MSS):
• Allow—Indicates that the ACE appliance is to permit segments that exceed the configured MSS.
• Drop—Indicates that the ACE appliance is to discard segments that exceed the configured MSS.
|
Nagle
|
The Nagle algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send. Enabling the Nagle algorithm increases throughput, but it can increase latency in your TCP connection.
Select the check box to enable the Nagle algorithm. Clear the check box to disable the Nagle algorithm.
Note Disable the Nagle algorithm when you observe unacceptable delays in TCP connections.
|
Random Sequence Number
|
Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection.
Select the check box to enable the use of random TCP sequence numbers. Clear the check box to disable the use of random TCP sequence numbers.
This option is enabled by default.
|
Reserved Bits
|
Indicate how the ACE appliance is to handle segments with the reserved bits set in the TCP header:
• Allow—Indicates that segments with the reserved bits are to be permitted.
• Drop—Indicates that segments with the reserved bits are to be discarded.
• Clear—Indicates that reserved bits in TCP headers are to be cleared and segments are to be allowed.
|
Type-of-Service IP Header
|
The type of service for an IP packet determines how the network handles the packet and balances its precedence, throughput, delay, reliability, and cost.
Enter the type-of-service value to be applied to IP packets. Valid entries are integers from 0 to 255.
For more information about type of service, refer to RFCs 791, 1122, 1349, and 3168.
|
ACK Delay Time
|
Enter the number of milliseconds that the ACE appliance is to wait before sending an acknowledgement from a client to a server. Valid entries are integers from 0 to 400.
|
TCP Buffer-Share
|
To improve throughput and overall performance, the ACE buffers the number of bytes you specify before processing received data or transmitting data. Use this option to increase the default buffer size and thereby realize improved network performance.
Enter the maximum size of the TCP buffer in bytes. Valid entries are integers from 8192 to 262143 bytes.
Note If you enter a value in this field for an ACE device that does not support this option, an error message appears. Leave this field blank when creating or modifying a connection parameter map for devices that do not support this option.
|
Smallest TCP MSS
|
Enter the size of the smallest segment of TCP data that the ACE appliance is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE appliance is not to set a minimum limit.
|
Largest TCP MSS
|
Enter the size of the largest segment of TCP data that the ACE appliance is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE appliance is not to set a maximum limit.
|
SYN Retries
|
Enter the number of attempts that the ACE appliance is to make to transmit a TCP segment when initiating a Layer 7 connection. Valid entries are integers from 1 to 15, with a default of 4.
|
TCP WAN Optimization RTT
|
This option indicates how the ACE appliance is to apply TCP optimizations to packets on a connection associated with a Layer 7 policy map using a round-trip time (RTT) value:
• An entry of 0 (zero) indicates that the ACE appliance is to apply TCP optimizations to packets for the life of a connection.
• An entry of 65535 (the default) indicates that the ACE appliance is to perform normal operations (that is, without optimizations) for the life of a connection.
• Entries from 1 to 65534 indicate that the ACE appliance is to use the following guidelines:
– If the actual client RTT is less than the configured RTT, the ACE appliance performs normal operations for the life of the connection.
– If the actual client RTT is greater than or equal to the configured RTT, the ACE appliance performs TCP optimizations on the packets for the life of a connection.
Valid entries are integers from 0 to 65535.
|
Timeout for Embryonic Connections
|
An embryonic connection is a TCP three-way handshake for a connection that does not complete for some reason. Enter the number of seconds that the ACE appliance is to wait before timing out an embryonic connection. Valid entries are integers from 0 to 4294967295 with a default of 5. A value of 0 indicates the ACE appliance is never to time out an embryonic connection.
|
Half Closed Timeout
|
A half-closed connection is one in which the client or server sends a FIN and the server or client acknowledges the FIN without sending a FIN itself. Enter the number of seconds the ACE appliance is to wait before closing a half-closed connection. Valid entries are integers from 0 to 4294967295 with a default of 3600 (1 hour). A value of 0 indicates that the ACE appliance is never to time out a half-closed connection.
|
Inactivity Timeout
|
Enter the number of seconds that the ACE appliance is to wait before disconnecting idle connections. Valid entries are integers from 0 to 4294967295. A value of 0 indicates that the ACE appliance is never to time out a TCP connection.
|
Slow Start Algorithm
|
When enabled, the slow start algorithm increases TCP window size as ACK handshakes arrive so that new segments are injected into the network at the rate at which acknowledgements are returned by the host at the other end of the connection.
Select this check box to enable the slow start algorithm, and clear this check box to disable the slow start algorithm. This option is disabled by default.
|
SYN Segments with Data
|
Indicate how the ACE appliance is to handle TCP SYN segments that contain data:
• Allow—Indicates that the ACE appliance is to permit SYN segments that contain data and mark them for processing.
• Drop—Indicates that the ACE appliance is to discard SYN segments that contain data.
|
Urgent Pointer Policy
|
The Urgent control bit in the TCP header indicates that urgent data is to be processed as soon as possible, even before normal data. Indicate how the ACE appliance is to handle urgent data as identified by the Urgent control bit:
• Allow—Indicates that the ACE appliance is to permit the status of the Urgent control bit.
• Clear—Indicates that the ACE appliance is to set the Urgent control bit to 0 (zero) and thereby invalidate the Urgent Pointer which provides segment information.
|
TCP Window-Scale Factor
|
The TCP window scaling extension expands the definition of the TCP window to 32 bits and uses a scale factor to carry the 32-bit value in the 16-bit window of the TCP header. Increasing the window size improves TCP performance in network paths with large bandwidth, long-delay characteristics.
Enter the window scale factor in this field. Valid entries are integers from 0 to 14 (the maximum scale factor).
For more information on TCP window scaling, refer to RFC 1323.
|
Action for TCP Options Range
|
Indicate how the ACE appliance is to handle the TCP options:
• Selective ACK
• Timestamps
• TCP Window Scaling
by selecting one of the options:
• N/A—Indicates that this option is not set.
• Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.
• Drop—Indicates that the ACE appliance is to discard any segment with the specified option set.
|
Lower TCP Options
|
Appears if you select Allow or Drop for the Action for TCP Options Range.
Enter the lower limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 3-41 for information on TCP options.
|
Upper TCP Options
|
Appears if you select Allow or Drop for the Action for TCP Options Range.
Enter the upper limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 3-41 for information on TCP options.
|
Selective ACK
|
Indicate how the ACE appliance is to handle the selective ACK option that is specified in SYN segments:
• Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.
• Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.
|
Timestamps
|
Indicate how the ACE appliance is to handle the timestamp option that is specified in SYN segments:
• Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.
• Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.
|
TCP Window Scale Factor
|
Indicate how the ACE appliance is to handle the TCP window scale factor option that is specified in SYN segments:
• Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.
• Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.
• Drop—Indicates that the ACE appliance is to discard any segment with the specified option set.
|
Table 3-41 TCP Options for Connection Parameter Maps
Kind | Length | Meaning
6 | 6 | Echo (obsoleted by option 8)
7 | 6 | Echo Reply (obsoleted by option 8)
9 | 2 | Partial Order Connection Permitted
10 | 3 | Partial Order Service Profile
11 | | CC
12 | | CC.NEW
13 | | CC.ECHO
14 | 3 | TCP Alternate Checksum Request
15 | N | TCP Alternate Checksum Data
16 | | Skeeter
17 | | Bubba
18 | 3 | Trailer Checksum Option
19 | 18 | MD5 Signature Option
20 | | SCPS Capabilities
21 | | Selective Negative Acknowledgements (SNACK)
22 | | Record Boundaries
23 | | Corruption Experienced
24 | | SNAP
25 | | Unassigned (released 12/18/2000)
26 | | TCP Compression Filter
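The TCP option settings in Table 3-40 and the option kinds in Table 3-41, modeled as an added example (this is not Cisco code and not the appliance's implementation): it walks the kind/length encoding of a TCP options area and applies the Selective ACK, Timestamps, TCP Window Scale Factor, and options-range actions to it. The names used here are hypothetical, and the sketch assumes that Clear overwrites an option with NOP padding, that an options area that cannot be parsed is dropped, that options no setting covers pass unchanged, and that the Selective ACK setting governs both kind 4 and kind 5.

```python
"""Illustrative model of the TCP option actions in a connection parameter map."""
from dataclasses import dataclass
from typing import Optional

# Option kinds from the TCP specifications (RFC 793, RFC 1323, RFC 2018).
EOL, NOP, MSS, WSCALE, SACK_PERMITTED, SACK, TIMESTAMPS = 0, 1, 2, 3, 4, 5, 8


class MalformedOptions(ValueError):
    """The options area cannot be walked without reading past its end."""


def walk_options(raw: bytes):
    """Yield (offset, kind, length) for every option in a TCP options area."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:          # end of option list: the rest is padding
            return
        if kind == NOP:          # single-byte option, no length field
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(raw):
            raise MalformedOptions(f"kind {kind} at offset {i}: no length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise MalformedOptions(f"kind {kind} at offset {i}: bad length {length}")
        yield i, kind, length
        i += length


def valid_range_kind(kind: int) -> bool:
    """Range limits accept 6, 7, or 9 to 255, as the Lower/Upper fields state."""
    return kind in (6, 7) or 9 <= kind <= 255


@dataclass
class OptionPolicy:
    selective_ack: str = "allow"         # "allow" or "clear"
    timestamps: str = "allow"            # "allow" or "clear"
    window_scale: str = "allow"          # "allow", "clear" or "drop"
    range_action: Optional[str] = None   # None (N/A), "allow" or "drop"
    lower: int = 6
    upper: int = 255

    def __post_init__(self):
        checks = [(self.selective_ack, ("allow", "clear")),
                  (self.timestamps, ("allow", "clear")),
                  (self.window_scale, ("allow", "clear", "drop")),
                  (self.range_action, (None, "allow", "drop"))]
        for value, allowed in checks:
            if value not in allowed:
                raise ValueError(f"{value!r} is not one of {allowed}")
        if not (valid_range_kind(self.lower) and valid_range_kind(self.upper)):
            raise ValueError("range limits must be 6, 7, or 9 to 255")
        if self.lower > self.upper:
            raise ValueError("lower limit exceeds upper limit")


def apply_policy(raw: bytes, policy: OptionPolicy):
    """Return ("drop", None) or ("allow", rewritten option bytes)."""
    # Assumption: the Selective ACK setting covers kinds 4 and 5.
    named = {SACK_PERMITTED: policy.selective_ack, SACK: policy.selective_ack,
             TIMESTAMPS: policy.timestamps, WSCALE: policy.window_scale}
    try:
        options = list(walk_options(raw))
    except MalformedOptions:
        return "drop", None      # assumption: unparseable options fail closed
    out = bytearray(raw)
    for offset, kind, length in options:
        action = named.get(kind)
        if (action is None and policy.range_action is not None
                and policy.lower <= kind <= policy.upper):
            action = policy.range_action
        if action == "drop":
            return "drop", None
        if action == "clear":
            # Assumption: clearing overwrites the option with NOP padding so
            # the header length and data offset stay valid.
            out[offset:offset + length] = bytes([NOP]) * length
    return "allow", bytes(out)


# Constructed SYN options area (40 bytes): MSS 1460, SACK permitted,
# timestamps, NOP, window scale 7, MD5 signature (kind 19, length 18), NOP NOP.
SAMPLE_SYN_OPTIONS = (
    bytes([MSS, 4, 0x05, 0xB4])
    + bytes([SACK_PERMITTED, 2])
    + bytes([TIMESTAMPS, 10]) + bytes(8)
    + bytes([NOP])
    + bytes([WSCALE, 3, 7])
    + bytes([19, 18]) + bytes(16)
    + bytes([NOP, NOP])
)

if __name__ == "__main__":
    policy = OptionPolicy(timestamps="clear", range_action="drop", lower=19, upper=19)
    print(apply_policy(SAMPLE_SYN_OPTIONS, policy))
```

Checking `length` against the remaining bytes before advancing is what keeps a hostile length byte from walking the parser past the end of the header.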
Step 6
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table.
• Next to accept your entries and to add another parameter map.
Related Topics
• Using Parameter Maps
• Configuring HTTP Parameter Maps
• Configuring Optimization Parameter Maps
• Configuring Traffic Policies, page 7-1
• Configuring Load Balancing
• Configuring Virtual Contexts, page 2-4
Configuring HTTP Parameter Maps
Use this procedure to configure an HTTP parameter map for use with a Layer 3/Layer 4 policy map.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Map. The Parameter Map table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The Parameter Maps configuration screen appears.
Step 3
In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 32 alphanumeric characters.
Step 4
In the Type field, select HTTP.
Step 5
Enter the information in Table 3-42.
Table 3-42 HTTP Parameter Map Attributes
Field
|
Description
|
Case-insensitive
|
Select this check box to indicate that the ACE appliance is to be case insensitive. Clear this check box to indicate that the ACE appliance is to be case sensitive. This check box is cleared by default.
|
Exceed Max Parse Length
|
Indicate how the ACE appliance is to handle cookies, HTTP headers, and URLs that exceed the maximum parse length:
• Continue—Indicates that the ACE appliance is to continue load balancing. When this option is selected, the HTTP Persistence Rebalance option is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum parse value.
• Drop—Indicates that the ACE appliance is to stop load balancing and to discard the packet.
|
HTTP Persistence Rebalance
|
Select this check box to indicate that the ACE appliance is to:
• Separately load balance each subsequent HTTP request on the same TCP connection.
• Insert the header and cookie for every request instead of only the first request.
Clear this check box to indicate that this option is disabled.
This option is disabled by default.
|
TCP Server Connection Reuse
|
Select this check box to indicate that the ACE appliance is to reduce the number of open connections on a server by allowing connections to persist and be reused by multiple client connections. If you enable this feature:
• Ensure that the ACE appliance maximum segment size (MSS) is the same as the server maximum segment size.
• Configure port address translation (PAT) on the interface that is connected to the real server.
• Configure on the ACE appliance the same TCP options that exist on the TCP server.
• Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations).
Clear this check box to disable this option.
|
Content Max Parse Length
|
Enter the maximum number of bytes to parse in HTTP content. Valid entries are integers from 1 to 65535.
|
Header Max Parse Length
|
Enter the maximum number of bytes to parse for the total length of cookies, HTTP headers, and URLs. Valid entries are integers from 1 to 65535 with a default of 2048.
|
Secondary Cookie Delimiters
|
Enter the ASCII-character delimiters to be used to separate cookies in a URL string. Valid entries are unquoted text strings with no spaces and a maximum of 4 characters. The default delimiters are /&#+.
|
MIME Type to Compress
|
In the field on the left, enter the Multipurpose Internet Mail Extension (MIME) type to compress, then click Add. The MIME type appears in the column on the right. To remove or change a MIME type, select it in the column on the right, then click Remove. The selected MIME type appears in the field on the left where you can modify or delete it.
To specify the sequence in which compression is to be applied, select MIME types in the column on the right, then click Up or Down to arrange the MIME types.
Supported MIME Types lists the supported MIME types. You can use an asterisk (*) to indicate a wildcard, such as text/*, which would include all text MIME types (text/html, text/plain, and so on).
|
User Agent Not to Compress
|
A user agent is a client that initiates a request. Examples of user agents include browsers, editors, and other end-user tools. When you specify a user agent string in this field, the ACE appliance does not compress the response to a request when the request contains the matching user agent string.
In the field on the left, enter the user agent string to be matched, then click Add. The string appears in the column on the right. To remove or change a user agent string, select it in the column on the right, then click Remove. The selected string appears in the field on the left where you can modify or delete it.
To specify the sequence in which strings are to be matched, select strings in the column on the right, then click Up or Down to arrange the strings in the desired sequence.
Valid entries are 64 characters.
|
Minimum Size to Compress
|
Enter the threshold at which compression is to occur. The ACE appliance compresses files that are the minimum size or larger. Valid entries are integers from 1 to 4096 bytes.
|
Step 6
Click:
• Deploy Now to deploy this configuration on the ACE appliance.
• Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table.
• Next to accept your entries and to add another parameter map.
Related Topics
• Using Parameter Maps
• Configuring Connection Parameter Maps
• Configuring Optimization Parameter Maps
• Configuring Traffic Policies, page 7-1
• Configuring Load Balancing
• Configuring Virtual Contexts, page 2-4
Configuring Optimization Parameter Maps
Use this procedure to configure an Optimization parameter map for use with a Layer 3/Layer 4 policy map.
Refer to Configuring Application Acceleration and Optimization, page 8-1 or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization.
Procedure
Step 1
Select Config > Virtual Contexts > context > Load Balancing > Parameter Map. The Parameter Map table appears.
Step 2
Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The Parameter Map configuration screen appears.
Step 3
In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 32 alphanumeric characters.
Step 4
In the Type field, select Optimization. The Optimization parameter map configuration attributes appear.
Step 5
Configure the Optimization parameter map using the information in Table 3-43.
Table 3-43 Optimization Parameter Map Attributes
Field
|
Description
|
Set Browser Freshness Period
|
Select the method that the ACE appliance is to use to determine the freshness of objects in the client's browser:
• N/A—Indicates that this option is not configured.
• Set freshness similar to FlashForward objects—Indicates that the ACE appliance is to set freshness similar to that used for FlashForwarded objects and to use the values specified in the Maximum Time for Cache Time-to-Live and Minimum Time for Cache Time-to-Live fields.
• Disable browser object freshness control—Indicates that browser freshness control is not to be used.
|
Duration for Browser Freshness (seconds)
|
Enter the number of seconds that objects in the client's browser are considered fresh. Valid entries are 0 to 2147483647 seconds.
|
Response Codes to Ignore
|
Enter a comma-separated list of HTTP response codes for which the response body must not be read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302 (redirect) response from the origin server. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.
|
Appscope Optimize Rate (%)
|
Enter the percentage of all requests or sessions to be sampled for performance with acceleration (or optimization) applied. All applicable optimizations for the class will be performed. Valid entries are from 0 to 100 percent, with a default of 10 percent. The sum of this value and the value entered in the Appscope Passthrough Rate (%) field must not exceed 100.
|
Appscope Passthrough Rate (%)
|
Enter the percentage of all requests or sessions to be sampled for performance without optimization. No optimizations for the class will be performed. Valid entries are from 0 to 100, with a default of 100 percent. The sum of this value and the value entered in the Appscope Optimize Rate (%) field must not exceed 100.
|
Max Number for Parameter Summary Log (bytes)
|
Enter the maximum number of bytes that are to be logged for each parameter value in the parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes.
|
Max for POST Data to Scan for Logging (kBytes)
|
Enter the maximum number of kilobytes of POST data the ACE appliance is to scan for parameters for the purpose of logging transaction parameters in the statistics log.
Valid entries are 0 to 1000 KB.
|
Specify String for Grouping Requests
|
Enter the string the ACE appliance is to use to sort requests for AppScope reporting. The string can contain a URL regular expression that defines a set of URLs in which URLs that differ only by their query parameters are to be treated as separate URLs in AppScope reports.
For example, to define a string that is used to identify the URLs http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two separate reporting categories, you would enter http_query_param(region).
Valid entries contain 1 to 255 characters and can contain the parameter expander functions listed in Table 3-44.
|
Specify Base File Anonymous Level
|
Information that is common to a large set of users is generally not confidential or user-specific. Conversely, information that is unique to a specific user or a small set of users is generally confidential or user-specific. The anonymous base file feature enables the ACE appliance to create and deliver condensed base files that contain only information that is common to a large set of users. No information unique to a particular user, or across a very small subset of users, is included in anonymous base files.
Enter the value for base file anonymity for the all-user condensation method. Valid entries are integers from 0 to 50; the default value of 0 disables the base file anonymity feature.
|
Specify Cache-Key Modifier Expression
|
A cache object key is a unique identifier that is used to identify a cached object to be served to a client, replacing a trip to the origin server. The cache key modifier feature allows you to modify the canonical form of a URL; that is, the portion before "?" in a URL. For example, the canonical URL of "http://www.xyz.com/somepage.asp?action=browse&level=2" is "http://www.xyz.com/somepage.asp".
Enter a regular expression containing embedded variables as described in Table 3-44. The ACE appliance transforms URLs specified in class maps for this virtual server with the expression and variable entered here.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotation marks (").
|
Maximum Time for Cache Time-to-Live (seconds)
|
Enter the maximum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE appliance cache. Valid entries are 0 to 2147483647 seconds.
|
Minimum Time for Cache Time-to-Live (seconds)
|
Enter the minimum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE appliance cache. This value specifies the minimum time that content can be cached. If the ACE appliance is configured for FlashForward optimization, this value should normally be 0. If the ACE appliance is configured for dynamic caching, this value should indicate how long the ACE appliance should cache the page. (See Table 3-16 for information about these configuration options.)
Valid entries are 0 to 2147483647 seconds.
|
Cache Time-to-Live Duration (%)
|
Enter the percent of an object's age at which an embedded object without an explicit expiration time is considered fresh.
Valid entries are 0 to 100 percent.
|
Expression to Modify Cache Key Query Parameter
|
The cache parameter feature allows you to modify the query parameter of a URL; that is, the portion after "?" in a URL. For example, the query parameter portion of "http://www.xyz.com/somepage.asp?action=browse&level=2" is "action=browse&level=2".
Enter a regular expression containing embedded variables as described in Table 3-44. The ACE appliance transforms URLs specified in class maps for this virtual server with the expression and variable entered here. If no string is specified, the query parameter portion of the URL is used as the default value for this portion of the cache key.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters.
|
Canonical URL Expressions
|
The ACE appliance uses the canonical URL feature to eliminate the "?" and any characters that follow to identify the general part of the URL. This general URL is then used to create the base file. In this way, the ACE appliance maps multiple URLs to a single canonical URL.
Enter a comma-separated list of parameter expander functions as defined in Table 3-44 to identify the URLs to associate with this parameter map.
Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters.
|
Enable Cacheable Content Optimization
|
This feature allows the ACE appliance to detect cacheable content and perform delta optimization on it.
Select the check box to enable delta optimization of cacheable content. Clear the check box to disable this feature.
|
Enable Delta Optimization on First Visit to Web Page
|
Select the check box to enable delta optimization on the first visit to a Web page. Clear the check box to disable this feature.
|
Minimum page size for delta optimization (bytes)
|
Enter the minimum page size, in bytes, that can have delta optimization applied. Valid entries are integers from 1 to 250000 bytes.
|
Maximum page size for delta optimization (bytes)
|
Enter the maximum page size, in bytes, that can have delta optimization applied. Valid entries are integers from 1 to 250000 bytes.
|
Set Default Client Script
|
Indicate the scripting language that the ACE appliance is to recognize on condensed content pages:
• N/A—Indicates that this option is not configured.
• Javascript—Indicates that the default scripting language is JavaScript.
• Visual Basic Script—Indicates that the default scripting language is Visual Basic.
|
Exclude Iframes from Delta Optimization
|
Select the check box to indicate that delta optimization is not to be applied to IFrames (inline frames). Clear the check box to indicate that delta optimization is to be applied to IFrames.
|
Exclude Non-ASCII Data from Delta Optimization
|
Select the check box to indicate that delta optimization is not to be applied to non-ASCII data. Clear the check box to indicate that delta optimization is to be applied to non-ASCII data.
|
Exclude JavaScripts from Delta Optimization
|
Select the check box to indicate that delta optimization is not to be applied to JavaScript. Clear the check box to indicate that delta optimization is to be applied to JavaScript.
|
MIME Types to Exclude from Delta Optimization
|
1. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail Extension) type messages that are not to have delta optimization applied, such as image/Jpeg, text/html, application/msword, or audio/mpeg. See Supported MIME Types for a list of supported MIME types.
2. Click Add to add the entry to the list box on the right. You can position the entries in the list box by using the Up and Down buttons.
|
Remove HTML META Elements from Documents
|
Select the check box to indicate that HTML META elements are to be removed from documents to prevent them from being condensed. Clear the check box to indicate that HTML META elements are not to be removed from documents.
|
Set FlashForward Refresh Policy
|
Select the method the ACE appliance is to use to refresh stale embedded objects:
• N/A—Indicates that this option is not configured.
• Allow FlashForward to indirect refresh of objects—Indicates that the ACE appliance is to use FlashForward to indirectly refresh embedded objects.
• Bypass FlashForward to direct refresh of objects—Indicates that the ACE appliance is to bypass FlashForward for stale embedded objects so that they are refreshed directly.
|
Rebase Delta Optimization Threshold (%)
|
Enter the delta threshold, expressed as a percent, when rebasing is to be triggered. This entry represents the size of a page delta relative to total page size, expressed as a percent. This entry triggers rebasing when the delta response size exceeds the threshold as a percentage of base file size.
Valid entries are 0 to 10000 percent.
|
Rebase FlashForward Threshold (%)
|
Enter the threshold, expressed as a percent, when rebasing is to be triggered based on the percent of FlashForwarded URLs in the response. This entry triggers rebasing when the difference between the percentages of FlashForwarded URLs in the delta response and the base file exceeds the threshold.
Valid entries are 0 to 10000 percent.
|
Rebase History Size (pages)
|
Enter the number of pages to be stored before the ACE appliance resets all rebase control parameters to zero and starts over. This option prevents the base file from becoming too rigid.
Valid entries are 10 to 2147483647.
|
Rebase Modify Cool-off Period (seconds)
|
Enter the number of seconds after the last modification before performing a rebase.
Valid entries are 1 to 14400 seconds (4 hours).
|
Rebase Reset Period (seconds)
|
Enter the period of time, in seconds, for performing a meta data refresh.
Valid entries are 1 to 900 seconds (15 minutes).
|
Override Client Request Headers
|
Indicate how the ACE appliance is to handle client request headers (primarily for embedded objects):
• N/A—Indicates that this feature is not enabled.
• All cache request headers are ignored—Indicates that all cache request headers are to be ignored.
• Overrides the Cache-Control: no cache HTTP header from a request—Indicates that the ACE appliance is to ignore cache control request headers that state no cache.
|
Override Server Response Headers
|
Indicate how the ACE appliance is to handle origin server response headers (primarily for embedded objects):
• N/A—Indicates that this feature is not enabled.
• All cache response headers are ignored—Indicates that all response headers are to be ignored.
• Overrides the Cache-Control: private HTTP header from a response—Indicates that the ACE appliance is to ignore cache control response headers that state private.
|
UTF-8 Character Set Threshold
|
The UTF-8 (8-bit Unicode Transformation Format) character set is an international standard that allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any universal character in the Unicode standard and is backwards compatible with ASCII.
Enter the number of UTF-8 characters that need to appear on a page to constitute a UTF-8 character set page. Valid entries are integers from 1 to 1,000,000.
|
Server Load Threshold Trigger (%)
|
The server load threshold trigger indicates that the time-to-live (TTL) period for cached objects is to be based dynamically on server load. With this method, when the difference between the current and the average response time from the origin server exceeds a specified threshold amount, the TTL period increases if the current response time is greater than the average response time and decreases if the current response time is less than the average response time.
Enter the threshold, expressed as a percent, at which the TTL for cached objects is to be changed.
Valid entries are from 0 to 100 percent.
|
Server Load Time-to-Live Change (%)
|
This option specifies the percentage by which the cache TTL is increased or decreased in response to a change in server load. For example, if this value is set to 20 and the current TTL for a response is 300 seconds, and the current server response time exceeds the trigger threshold, the cache TTL for the response is raised to 360 seconds.
Enter the percent by which the cache TTL is to be increased or decreased when the server load threshold trigger is met.
Valid entries are from 0 to 100 percent.
|
Specify Delta Optimization Mode
|
Select the method by which delta optimization is to be implemented:
• N/A—Indicates that a delta optimization mode is not configured.
• Enable all user mode for delta optimization—Indicates that the ACE appliance is to generate the delta against a single base file that is shared by all users of the URL. This option is usable in most cases if the structure of a page is common across all users, and the disk space overhead is minimal.
• Enable the per-user mode for delta optimization—Indicates that the ACE appliance is to generate the delta against a base file that is created specifically for that user. This option is useful when page contents, including layout elements, are different for each user, and delivers the highest level of condensation. However, this increases disk space requirements because a copy of the base page that is delivered to each user is cached. This option is useful when privacy is required because base pages are not shared among users.
|
String To Be Used for Server HTTP Header
|
Use this option to define a string that is to be sent in the server header for an HTTP response. This option provides you with a method for uniquely tagging the context or URL match statement by setting the server header value to a particular string. The server header string can be used when a particular URL is not being transmitted to the correct target context or match statement.
Enter the string that is to appear in the server header. Valid entries are quoted text strings with a maximum of 64 alphanumeric characters.
|
Table 3-44 lists the parameter expander functions that you can use.
Table 3-44 Parameter Expander Functions
Variable
|
Description
|
$(number)
|
Expands to the corresponding matching subexpression (by number) in the URL pattern. Subexpressions are marked in a URL pattern using parentheses (). The numbering of the subexpressions begins with 1 and is the number of the left-parenthesis "(" counting from the left. You can specify any positive integer for the number. $(0) matches the entire URL. For example, if the URL pattern is ((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct:
$(0) = http://server/main/sub/a.jsp
$(1) = http://server/main/sub/
$(2) = http://server/main
$(3) = sub
If the specified subexpression does not exist in the URL pattern, then the variable expands to the empty string.
|
$http_query_string()
|
Expands to the value of the whole query string in the URL. For example, if the URL is http://myhost/dothis?param1=value1&param2=value2, then the following is correct:
$http_query_string() = param1=value1&param2=value2
This function applies to both GET and POST requests.
|
$http_query_param(query-param-name)
The obsolete syntax is also supported:
$param(query-param-name)
|
Expands to the value of the named query parameter (case-sensitive).
For example, if the URL is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct:
$http_query_param(category) = shoes
$http_query_param(session) = 99999
If the specified parameter does not exist in the query, then the variable expands to the empty string. This function applies to both GET and POST requests.
|
$http_cookie(cookie-name)
|
Evaluates to the value of the named cookie. For example, $http_cookie(cookiexyz). The cookie name is case-sensitive.
|
$http_header(request-header-name)
|
Evaluates to the value of the specified HTTP request header. In the case of multivalued headers, it is the single representation as specified in the HTTP specification. For example, $http_header(user-agent). The HTTP header name is not case-sensitive.
|
$http_method()
|
Evaluates to the HTTP method used for the request, such as GET or POST.
|
Boolean Functions:
$http_query_param_present(query-param-name)
$http_query_param_notpresent(query-param-name)
$http_cookie_present(cookie-name)
$http_cookie_notpresent(cookie-name)
$http_header_present(request-header-name)
$http_header_notpresent(request-header-name)
$http_method_present(method-name)
$http_method_notpresent(method-name)
|
Evaluates to a Boolean value: True or False, depending on the presence or absence of the element in the request. The elements are a specific query parameter (query-param-name), a specific cookie (cookie-name), a specific request header (request-header-name), or a specific HTTP method (method-name). All identifiers are case-sensitive except for the HTTP request header name.
|
$regex_match(param1, param2)
|
Evaluates to a Boolean value: True if the two parameters match and False if they do not match. The two parameters can be any two expressions, including regular expressions, that evaluate to two strings. For example, this function:
$regex_match($http_query_param(URL), .*Store\.asp.*)
compares the query URL with the regular expression string .*Store\.asp.*
If the URL matches this regular expression, this function evaluates to True.
|
Step 6 Click:
• Deploy Now to save your entries. The ACE appliance validates the parameter map configuration and deploys it.
• Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table.
• Next to accept your entries and to add another parameter map.
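The expansion rules in the table above can be checked offline with a small model. The following Python is an added example, not Cisco code and not output captured from an ACE appliance; the request dictionary, the names `expand` and `regex_match`, applying the URL pattern to the URL without its query string (inferred from the $(0) example), and whole-string matching in `regex_match` are assumptions.

```python
import re

# Constructed request; the URL and pattern are the ones used in the table above.
SAMPLE = {
    "method": "GET",
    "url": "http://server/main/sub/a.jsp?category=shoes&session=99999",
    "headers": {"User-Agent": "ExampleAgent/1.0", "Cookie": "cookiexyz=abc123; other=1"},
}
URL_PATTERN = r"((http://server/.*)/(.*)/)a.jsp"
_CALL = re.compile(r"\$(\w*)\(([^()]*)\)")  # $(3), $http_method(), $http_cookie(x)

def _pairs(text, sep):
    """Split 'a=1<sep>b=2' into a dict; values stay raw (no URL decoding)."""
    return dict(p.strip().split("=", 1) for p in text.split(sep) if "=" in p)

def expand(expr, req, url_pattern=URL_PATTERN):
    """Replace every $name(arg) in expr with its value for this request."""
    base, _, query = req["url"].partition("?")
    match = re.fullmatch(url_pattern, base)      # assumption: query is excluded, as in $(0)
    params = _pairs(query, "&")
    headers = {k.lower(): v for k, v in req["headers"].items()}
    cookies = _pairs(headers.get("cookie", ""), ";")

    def one(m):
        name, arg = m.group(1), m.group(2)
        if name == "":                           # $(number): count left parentheses
            n = int(arg)
            if match is None or n > match.re.groups:
                return ""                        # no such subexpression
            return match.group(n) or ""
        if name == "http_query_string":
            return query
        if name in ("http_query_param", "param"):  # "param" is the obsolete syntax
            return params.get(arg, "")           # case-sensitive; missing -> ""
        if name == "http_cookie":
            return cookies.get(arg, "")          # empty for a missing cookie: assumption
        if name == "http_header":
            return headers.get(arg.lower(), "")  # header names are not case-sensitive
        if name == "http_method":
            return req["method"]
        raise ValueError(f"not modelled here: ${name}()")

    return _CALL.sub(one, expr)

def regex_match(param1, param2, req):
    """$regex_match(param1, param2); whole-string matching is an assumption."""
    return re.fullmatch(expand(param2, req), expand(param1, req)) is not None
```

Because a missing subexpression or query parameter expands to the empty string, an expression can evaluate to the same value for requests that differ; running candidate expressions through a model like this before deployment makes such collisions visible.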
Related Topics
• Using Parameter Maps
• Configuring Traffic Policies, page 7-1
• Configuring Load Balancing
• Configuring Virtual Contexts, page 2-4
Supported MIME Types
The ACE appliance supports the following MIME types:
• application/msexcel
• application/mspowerpoint
• application/msword
• application/octet-stream
• application/pdf
• application/postscript
• application/x-gzip
• application/x-java-archive
• application/x-java-vm
• application/x-messenger
• application/zip
• audio/*
• audio/basic
• audio/midi
• audio/mpeg
• audio/x-adpcm
• audio/x-aiff
• audio/x-ogg
• audio/x-wav
• image/*
• image/gif
• image/jpeg
• image/png
• image/tiff
• image/x-3ds
• image/x-bitmap
• image/x-niff
• image/x-portable-bitmap
• image/x-portable-greymap
• image/x-xpm
• text/*
• text/css
• text/html
• text/plain
• text/richtext
• text/sgml
• text/xmcd
• text/xml
• video/*
• video/flc
• video/mpeg
• video/quicktime
• video/sgi
• video/x-fli
Viewing All Parameter Maps by Context
Use this procedure to view all parameter maps associated with a virtual context.
Procedure
Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.
Step 2 Select the virtual context with the parameter maps you want to view, then select Load Balancing > Parameter Map. The Parameter Map table appears listing each parameter map and its type (either connection, HTTP, or optimization).
Related Topics
• Configuring Connection Parameter Maps
• Using Parameter Maps
Configuring Secure KAL-AP
The keepalive-appliance protocol (KAL-AP) on the ACE allows communication between the ACE and the Global Site Selector (GSS), which sends KAL-AP requests, so that the ACE can report server states and loads for global server load-balancing (GSLB) decisions. The ACE uses KAL-AP over a UDP connection to calculate weights and to provide server availability information to the KAL-AP device. The ACE acts as a server and listens for KAL-AP requests. When KAL-AP is initialized on the ACE, the ACE listens on the standard port 5002 for KAL-AP requests. You cannot configure any other port.
The ACE appliance supports secure KAL-AP for MD5 encryption of data between it and the GSS. For encryption, you must configure a shared secret as a key for authentication between the GSS and the ACE appliance context.
Use this procedure to configure secure KAL-AP associated with a virtual context.
Assumptions
• You have created a virtual context that specifies the Keepalive Appliance Protocol over UDP.
• You have enabled KAL-AP on the ACE by configuring a management class map and policy map and applying them to the appropriate interface.
Procedure
Step 1 Select Config > Virtual Contexts > context > Load Balancing > Secure KAL-AP. The Secure KAL-AP table appears.
Step 2 Click Add to configure secure KAL-AP for MD5 encryption of data. The Secure KAL-AP configuration screen appears.
Step 3 In the IP Address field, enable secure KAL-AP by configuring the VIP address for the GSS. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
Step 4 In the Hash Key field, enter the shared secret used for MD5 encryption between the KAL-AP device and the ACE appliance. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 31 alphanumeric characters.
Step 5 Click:
• Deploy Now to save your entries. The ACE appliance validates the secure KAL-AP configuration and deploys it.
• Cancel to exit this procedure without accepting your entries and to return to the Secure KAL-AP table.
• Next to accept your entries.
Related Topics
• Creating Virtual Contexts, page 2-2
• Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 7-17