Cisco ACNS Software Deployment and Configuration Guide, Release 5.1
Chapter 12: Configuring Caching Services


Configuring Caching Services


This chapter describes how to configure caching protocols such as FTP, HTTP, HTTPS, ICP, and WCCP for the Content Engine and device groups. It includes the following sections:

Configuring HTTP and HTTPS Settings

Configuring ICP Settings

Configuring FTP and TFTP Settings

Configuring WCCP Transparent Caching Options

Configuring HTTP and HTTPS Settings

You can configure, modify, and view HTTP and HTTPS settings for Content Engines and device groups by completing the following tasks:

Configuring HTTP Connection Settings

Configuring HTTP Cache Settings

Configuring HTTP Cache Freshness Settings

Configuring Authenticated HTTP Cache Settings

Configuring Advanced HTTP Cache Settings

Configuring HTTPS Proxy Settings

Configuring HTTP and HTTPS Outgoing Proxy Exclusion Settings

Configuring HTTP Connection Settings

A proxy-style request arrives with the same destination IP address as the Content Engine; it has been specifically routed to the Content Engine by the client. The Content Engine supports up to eight incoming ports each for FTP, HTTP, HTTPS, MMS, and RTSP proxy modes. The incoming proxy ports can be the same ports that are used by transparent mode services. The incoming proxy ports can be changed without stopping any WCCP services running on the Content Engine or on other Content Engines in a Content Engine farm or on the network.

To configure HTTP connection settings, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure.

Step 3 From the Contents pane, choose HTTP/S > HTTP Connections. The HTTP Connection Settings for Content Engine window appears. (See Figure 12-1.) Table 12-1 describes the fields in this window.

Figure 12-1 HTTP Connection Settings Window

Step 4 Check the Enable Incoming Proxy check box to accept incoming requests on ports in addition to port 80.

Step 5 In the List of Incoming Ports field, enter the port numbers used by the proxy server or Content Engine to receive requests.

Step 6 Check the Enable Outgoing Proxy check box to allow an outgoing proxy server or another Content Engine to receive HTTP cache miss request traffic.

Step 7 In the Outgoing Connection Timeout field, enter a value in microseconds for the timeout period to use when probing for outgoing proxy servers.

Step 8 In the Outgoing Monitor Period field, enter an interval in seconds for monitoring an outgoing proxy server. This is the time interval over which the outgoing proxy servers are queried. If one of the outgoing proxy servers is unavailable, the polling mechanism waits for the connection timeout before polling the next server.

Step 9 Check the Use Origin Server check box to direct requests to the origin server specified in the user request if all outgoing proxy servers fail.

Step 10 Check the Preserve 407 headers check box to enable this feature.

Step 11 Configure the outgoing proxy:

a. Enter the host name or IP address for the outgoing proxy host names in the Hostname field under the Outgoing Proxy heading.

The first host name or IP address entered designates that outgoing proxy server as the primary server. You can configure up to eight backup proxy servers for the HTTP proxy failover feature. If the primary proxy server fails to respond to the HTTP connection request, the request is redirected to the next proxy server in the list until one of the proxy servers services the request.

b. In the Port field, enter a port number corresponding to the outgoing proxy host names from the previous step. (A port is required for the primary server entered in the Hostname field.)

Step 12 Configure acquirer outgoing proxy authentication:

a. To acquire content from the origin server, enter the name of the user to be authenticated in the Username field. This username will be used for both NTLM and basic authentication.

b. Enter the password of the user in the Password field. Reenter the same password in the Confirm Password field for confirmation. The password details will be encrypted on display.

c. In the NTLM User Domain field, enter the NTLM server domain name to be used to authenticate user access.

d. Check the Disable basic authentication check box to disallow removal of NTLM headers for fallback to basic authentication.

Step 13 Click Submit to save the settings.

A "Click Submit to Save" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or group settings to change the current device settings but have not yet submitted the changes.

Table 12-1 HTTP Connection Settings GUI Fields

| GUI Field | Description | CLI Command or Manifest Attribute |
|---|---|---|
| Enable Incoming Proxy | Configures the Content Engine to accept incoming requests on ports in addition to port 80. | http proxy incoming |
| List of Incoming Ports | Port numbers used by the proxy server or Content Engine to receive requests. This number ranges from 1 to 65535. You can specify up to 8 ports. | http proxy incoming ports |
| Enable Outgoing Proxy | Configures an outgoing proxy server or another Content Engine to receive HTTP cache miss request traffic without using ICP or WCCP. | http proxy outgoing |
| Outgoing Connection Timeout | Timeout period to use when probing for outgoing proxy servers in microseconds. The range is from 200 to 5000000. The default value is 300 microseconds. | http proxy outgoing connection-timeout microsecs |
| Outgoing Monitor Period | Specifies the interval in seconds at which to monitor one outgoing proxy server. If multiple outgoing proxy servers are configured, they are monitored sequentially. The default value is 200 seconds. | http proxy outgoing monitor seconds |
| Use Origin Server | When enabled, handles requests using the origin server if all outgoing proxy servers fail. If disabled, the user receives an error message if all outgoing proxy servers fail. | http proxy outgoing origin-server |
| Preserve 407 headers | Preserves 407 HTTP authentication headers. These headers indicate that the client must first authenticate itself with the proxy server to request cache miss traffic. | http proxy outgoing preserve-407 |
| Outgoing Proxy | | |
| Hostname | Configures multiple outgoing proxy servers using the host name or IP address for the outgoing proxy server. | http proxy outgoing host {hostname \| ip-address} |
| Port | Port number corresponding to the outgoing proxy host names. | http proxy outgoing host {hostname \| ip-address} port 1-65535 |
| Acquirer Outgoing Proxy Authentication | These settings can also be defined in the manifest file. (See "Configuring the ACNS Network for Content Acquisition.") | |
| Username | Configures the name of the user to be authenticated. | Manifest file attribute: user |
| Password | Configures the user password. | password |
| Confirm Password | Confirms the user password. | |
| NTLM User Domain | Configures the NTLM server domain name to be used to authenticate user access. | ntlmUserDomain |
| Disable basic authentication | Disallows the removal of NTLM headers for fallback to the basic authentication method. | disableBasicAuth |


Step 14 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 15 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 16 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 17 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.


Configuring HTTP Cache Settings

The HTTP Cache Settings window allows you to configure caching parameters for the caching of HTTP requests.

To configure HTTP caching parameters, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure.

Step 3 Choose HTTP/S > HTTP Caching. The HTTP Cache Settings window appears. (See Figure 12-2.)

Figure 12-2 HTTP Cache Settings Window

Step 4 Check the L4 Switch Support check box to enable redirection using a Layer 4 switch, such as the Cisco CSS 11000 Series switches.

Step 5 Check the Anonymize Requests check box to enable stripping of the requesting IP address. This sets the HTTP anonymizer feature.

Step 6 Check the Cache Binaries with Cookies check box to enable caching of objects that are served with cookies attached and no expiration information. These are requests for binary content with Set-cookie headers attached.

Step 7 Check the Enable Fast Response check box to disable Nagle's algorithm for HTTP requests. This option must be used only if there are particular server applications that need an immediate, timely response to frequent, small bursts of information from the client. Disabling Nagle's algorithm results in performance degradation, because it disables buffering of data.

Step 8 Check the Enable Cache Vary User Agent check box to configure parameters to enable the Content Engine to cache responses with the Vary: User-Agent header.

Step 9 Check the Strict Length Checking check box to cause the Content Engine to check for required content length in HTTP requests.

Step 10 Check the L4 Switch Spoof Support check box to enable IP spoofing on the Content Engine for Layer 4 redirected traffic from Layer 4-enabled switches.

Enabling this feature makes the Content Engine spoof the client's IP address as the source IP address for requests originating from the Content Engine to the origin server. Requests to the origin server from the Content Engine generally happen on a cache miss.

Step 11 Check the Don't modify request host header check box if you do not want the Content Engine to add a default domain name to the host name when the HTTP request header contains a host name that is not a fully qualified domain name (FQDN).

This option was not available in ACNS 5.0 software. However, if you want the Content Engine to attach a default domain name, you can leave this check box unchecked. The problem with modified host names is that web servers might not be able to process these host names when queried by the Content Engine.

Step 12 Check the Enforce Max Object Size check box to enable this feature. An object with a size above the configurable upper limit is not stored by the Content Engine.

Step 13 In the Max Object Size field, specify the maximum object size.

The maximum object size for cached HTTP objects is 204799 KB.

Step 14 Check the URL Validation check box to revalidate every object requested in the cache with the origin server.

Step 15 Choose an option from the Client No Cache drop-down list to configure how no-cache requests should be managed.

If you want the Content Engine to ignore the no-cache request, choose the ignore option.

Choose the revalidate option if you want to revalidate the request with the origin server before serving a no-cache client request.

If you do not want to set this option, choose the default Do not set option.

Step 16 Check the Enable Smart Range check box to cache an entire HTTP response even if you issue a Range request and the object is not in the cache.

Checking this check box activates the Max Start and Max Interval fields. You can use this option to download only missing portions of the object when you receive only a portion of the requested object because of a premature halt in download. The Range header specifies the byte range of the object requested.

Step 17 In the Max Start field, specify the maximum starting offset (in bytes) in the client's Range request to be cached. The range is 0 to 2147483647. The default is 16384.

Step 18 In the Max Interval field, specify the maximum interval (in bytes) between any two consecutive ranges in the Range request. The range is 0 to 2147483647. The default is 16384.

Step 19 Click Submit to save the settings.

A "Click Submit to Save" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or group settings to change the current device settings but have not yet submitted the changes.

Step 20 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 21 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 22 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 23 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.


Configuring HTTP Cache Freshness Settings

You can configure HTTP cache object freshness parameters for Content Engines on the ACNS network using the HTTP Cache Freshness Settings window from the Content Distribution Manager GUI. These parameters can be configured for either directory listings or particular objects in the cache.

To configure HTTP freshness parameters, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure.

Step 3 From the Contents pane, choose HTTP/S > HTTP Cache Freshness. The HTTP Cache Freshness Settings window appears. (See Figure 12-3.)

Figure 12-3 HTTP Cache Freshness Settings Window

Step 4 Check the Enable check box to enable the HTTP cache freshness settings. This check box is checked by default.

Step 5 Specify a value in the Text Object Age Multiplier field.

The age multiplier value enables the Content Engine to guess the life of a text object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent requests cause a fresh retrieval by the Content Engine. Valid values range from 0 to 100 percent. The default value is 30 percent.

Step 6 Specify a value in the Binary Object Age Multiplier field.

The age multiplier value enables the Content Engine to guess the life of a binary object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent requests cause a fresh retrieval by the Content Engine. Valid values range from 0 to 100 percent. The default value is 60 percent.

Step 7 Choose a value from the Maximum Time-to-Live (TTL) Scale drop-down list.

The TTL sets a ceiling on estimated expiration dates. If an object has an explicit expiration date, this takes precedence over the configured TTL.

Step 8 Specify a value in the Max Text Object TTL field.

The valid range of values is given in Table 12-2.

Table 12-2 Time To Live Range of Values for HTTP Freshness

| Scale | Range |
|---|---|
| Days | 1-1825 |
| Hours | 1-43800 |
| Minutes | 1-2628000 |
| Seconds | 1-157680000 |


Step 9 Specify a value in the Max Binary Object TTL field.

See Table 12-2 for a list of maximum values depending on the scale used.

Step 10 Specify a value in the Minimum TTL field.

A minimum TTL is the minimum Time To Live for objects in the cache. The range of values is from 0 to 86400 minutes. The default value is 30 minutes.

Step 11 Choose how reevaluation requests are to be handled from the Re-evaluate Request drop-down list.

Choose text to apply these parameters to the directory listing.

Choose all to apply these parameters to both objects and directory listing.

Choose none, in which case a TTL is not applied and objects in the cache have no expiration dates.

Step 12 Check the Enable If-Modified-Since check box to specify text and age modifiers in the next two steps.

Step 13 Specify a percentage in the IMS Text Age Modifier (%) field.

Step 14 Specify a percentage in the IMS Binary Age Modifier (%) field.

Step 15 Click Submit to save the settings.

A "Click Submit to Save" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or group settings to change the current device settings but have not yet submitted the changes.

Step 16 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 17 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 18 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 19 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.
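
The calculation described in steps 5 through 10, as an added Python example that is not Cisco code. Treating Minimum TTL as a floor on the estimate and falling back to it when no Last-Modified time is available are assumptions; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Upper bounds from Table 12-2; every scale tops out at the same five years.
MAX_TTL_LIMIT = {"days": 1825, "hours": 43800,
                 "minutes": 2628000, "seconds": 157680000}


def max_ttl(value, scale):
    """Validate a Max Text/Binary Object TTL against Table 12-2."""
    limit = MAX_TTL_LIMIT[scale]
    if not 1 <= value <= limit:
        raise ValueError(f"{scale} TTL must be 1-{limit}, got {value}")
    return timedelta(**{scale: value})


def freshness_lifetime(fetched, last_modified, multiplier_pct, ceiling,
                       min_ttl=timedelta(minutes=30), explicit_expires=None):
    """Return how long an object fetched at `fetched` is served without a
    fresh retrieval. `multiplier_pct` is the text (default 30) or binary
    (default 60) age multiplier; `ceiling` is the matching Max Object TTL."""
    if not 0 <= multiplier_pct <= 100:
        raise ValueError("age multiplier must be 0 to 100 percent")
    if explicit_expires is not None:
        # An explicit expiration date takes precedence over the configured TTL.
        return max(explicit_expires - fetched, timedelta(0))
    if last_modified is None:
        estimate = timedelta(0)   # assumption: nothing to extrapolate from
    else:
        # A Last-Modified time in the future would give a negative age.
        age = max(fetched - last_modified, timedelta(0))
        estimate = age * multiplier_pct / 100
    # Assumption: Minimum TTL is a floor. The Max TTL ceiling bounds how long
    # an object with a very old Last-Modified time can stay in service.
    return min(max(estimate, min_ttl), ceiling)


def is_stale(now, fetched, lifetime):
    """An object is stale once its estimated expiration date has passed."""
    return now - fetched > lifetime


if __name__ == "__main__":
    fetched = datetime(2024, 1, 11, tzinfo=timezone.utc)   # constructed sample
    week = max_ttl(7, "days")
    for label, modified, pct in [
        ("text, modified 10 days ago", fetched - timedelta(days=10), 30),
        ("binary, modified 1000 days ago", fetched - timedelta(days=1000), 60),
        ("text, modified 10 minutes ago", fetched - timedelta(minutes=10), 30),
    ]:
        print(label, "->", freshness_lifetime(fetched, modified, pct, week))
```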


Configuring Authenticated HTTP Cache Settings

The authenticated HTTP caching feature allows basic and NT LAN Manager (NTLM) authenticated content to be cached and served to more than one user, while maintaining security. If an authenticated object is cached, then subsequent requests for that object (from new users) require authentication. The cached object is revalidated with the origin server through the authorization header for the new user. If the user is not authorized, the server sends a 401 (Unauthorized) response. If the user is authorized and the object is not modified, the cached object is served to the client.

To configure authenticated HTTP caching parameters, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure.

Step 3 From the Contents pane, choose HTTP/S > Authenticated HTTP Caching. The Authenticated HTTP Cache Settings window appears. (See Figure 12-4.)

Figure 12-4 Authenticated HTTP Cache Settings Window

Step 4 Check the Enable check box to enable authenticated HTTP cache settings for the Content Engine.

Step 5 Choose an authentication method to cache authenticated content from the Cache Authenticated Content drop-down list.

To authenticate the web object cache with any scheme, choose all.

To authenticate the web object cache with basic or NTLM, choose basic or ntlm from the drop-down list.

To remove the authentication method, choose Do Not Set. This choice is the equivalent of the no http cache-authenticated basic command and the no http cache-authenticated ntlm command.

Step 6 Check the Strip NTLM Headers check box to strip the NTLM headers from the authenticated content.

This feature enables browsers to fall back to basic authentication. Browsers can authenticate against a basic-style authentication challenge posed by Microsoft Internet Information Services (IIS) servers.

Step 7 In the Max Cached Authenticated Entries field, enter a value for the maximum number of entries that is maintained in the cache. The default value is 32000 entries.

Step 8 In the Time Authenticated Entries are cached field, enter a value for the amount of time (in minutes) between the last access and the removal of the entry from the cache on the Content Engine. The range is from 1 to 1440 minutes, and the default value is 480 minutes.

The authentication record entry is stored in the cache for the specified period. Once it is exceeded, subsequent access to restricted content requires reauthentication through NTLM, RADIUS, or LDAP servers.

Step 9 Click the Re-Authenticate Header type drop-down list and choose a header type message to send to the requesting client when authorization has failed.

Choose to send a 401 (Unauthorized Auth Header) or 407 (Proxy Authorization Required) message when authorization has failed. These authentication headers are used to query users for credentials when an entry is not found in the authentication cache, requiring server lookup.

Step 10 Check the Append Response Headers check box to enable this feature. This is necessary to ensure that proxy authentication information is not stripped from the request when it is forwarded to upstream Content Engines.

Step 11 In the Proxy Authorization header field, enter the host name or IP address that is receiving the Proxy Authorization header. This host is configured to receive the Proxy Authorization header.

Step 12 Check the Use Via Headers check box to include a "Via" header in responses and replies. The Append Response Headers check box must be checked in order to enable this option.

Step 13 Enter the host name or IP address that is receiving the WWW authorization header in the WWW Authentication Server field. This host is configured to receive the WWW Authentication header.

Step 14 Check the use X-FWD-Headers check box to notify the web server of the client's IP address through the X-Forwarded-For header.

Step 15 Check the Use Host Header check box to append host headers to HTTP/1.0 requests that do not possess these headers.

Step 16 Click Submit to save the settings.

A "Click Submit to Save" message appears in red next to the Current Settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or group settings to change the current device settings but the settings have not yet been submitted.

Step 17 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 18 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 19 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 20 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.
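
The revalidation behavior described at the start of this section, modeled as an added Python example that is not Cisco code. The Origin stand-in, the per-user record keyed by a credential digest, and least-recently-used eviction are assumptions; the 480-minute idle time and 32000-entry limit are the defaults from steps 7 and 8.

```python
import hashlib
from collections import OrderedDict


class Origin:
    """Constructed stand-in for an origin server with protected objects."""

    def __init__(self, authorized, objects):
        self.authorized = set(authorized)   # Authorization header values
        self.objects = dict(objects)        # url -> (body, etag)
        self.requests = 0

    def get(self, url, authorization, if_none_match=None):
        self.requests += 1
        if authorization not in self.authorized:
            return 401, None, None
        body, etag = self.objects[url]
        if if_none_match == etag:
            return 304, None, etag
        return 200, body, etag


class AuthenticatedCache:
    def __init__(self, origin, idle_minutes=480, max_entries=32000):
        if not 1 <= idle_minutes <= 1440:
            raise ValueError("idle time must be 1 to 1440 minutes")
        self.origin, self.idle, self.max_entries = origin, idle_minutes, max_entries
        self.objects = {}                # url -> (body, etag)
        self.validated = OrderedDict()   # record key -> last access (minutes)

    @staticmethod
    def _key(url, authorization):
        # Keep a digest in the record table, never the credential itself.
        return hashlib.sha256(f"{url}\n{authorization}".encode()).hexdigest()

    def fetch(self, url, authorization, now):
        """Return (status, body, source) for a request at minute `now`."""
        for key, last in list(self.validated.items()):
            if now - last > self.idle:   # idle time exceeded: drop the record
                del self.validated[key]
        key = self._key(url, authorization)
        cached = self.objects.get(url)
        if cached and key in self.validated:
            self.validated[key] = now
            self.validated.move_to_end(key)
            return 200, cached[0], "hit"
        # New user (or expired record): revalidate with this user's header.
        status, body, etag = self.origin.get(
            url, authorization, cached[1] if cached else None)
        if status == 401:
            return 401, None, "denied"   # the cached body is never released
        if status == 200:
            source = "refreshed" if cached else "miss"
            self.objects[url] = (body, etag)
        else:                            # 304: authorized and not modified
            body, source = cached[0], "revalidated"
        self.validated[key] = now
        self.validated.move_to_end(key)
        while len(self.validated) > self.max_entries:
            self.validated.popitem(last=False)   # assumption: evict least recent
        return 200, body, source


if __name__ == "__main__":
    origin = Origin({"Basic alice", "Basic bob"}, {"/report": ("secret", '"v1"')})
    cache = AuthenticatedCache(origin)
    for user, minute in [("alice", 0), ("alice", 10), ("bob", 20), ("mallory", 30)]:
        print(user, minute, cache.fetch("/report", f"Basic {user}", minute))
```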


Configuring Advanced HTTP Cache Settings

To configure advanced HTTP cache settings, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure.

Step 3 From the Contents pane, choose HTTP/S > Advanced HTTP Caching. The Advanced HTTP Settings window appears. (See Figure 12-5.)

Figure 12-5 Advanced HTTP Settings Window

Step 4 Under the Cache on Abort heading, check the Enable Cache on Abort check box to continue to cache an object if the client has aborted the request.

Step 5 Check the Use Max Threshold check box to cache an object if the number of kilobytes remaining to download from the server is less than the maximum threshold value.

Step 6 Enter a value for the maximum threshold in the Abort Max Threshold field. The default value is 256 kilobytes.

Step 7 Check the Use Min Threshold check box to cache an object if the number of kilobytes remaining to download from the server is greater than the minimum threshold value.

Step 8 Enter a value for the minimum threshold in the Abort Min Threshold field. The default value is 32 kilobytes.

Step 9 Check the Use Percent Threshold check box to cache an object if the percentage of the object already downloaded is greater than the percentage threshold value entered.

Step 10 Enter a value for the percentage threshold in the Abort Percent Threshold field. The default value is 80 percent.

Step 11 Under the Cluster Settings heading, check the Enable Clustering check box to allow a Content Engine in a Content Engine farm to query and obtain cache objects from other Content Engines in the cluster.

Step 12 In the Cluster Heal Port field, enter the port number over which requests from the healing Content Engine are sent to other Content Engines in the cluster, if you are not using the default HTTP port value of 14333.

The Content Engine that responds to queries from another Content Engine in a Content Engine cluster is called a healing server. The Content Engine that requests a cache object from the cluster is called a healing client.

Step 13 In the Cluster HTTP Port field, enter the HTTP port number over which requests from the healing Content Engine are sent to other Content Engines in the cluster. The default port value for the HTTP healing port is 80.

Step 14 In the Cluster Max Delay field, enter the maximum time in seconds that a healing client waits for a response from a healing server.

Step 15 In the Cluster Misses field, enter the maximum number of misses that the healing Content Engine can receive from the cluster after the last healing mode hit response.

Step 16 Under the Persistent Connections Settings heading, check the Enable Persistent Connections check box to allow persistent connections on the Content Engine.

Step 17 Choose a persistent connection type from the Persistent Connections Type drop-down list. A persistent connection can be set for client-only, server-only, or all connections on the Content Engine.

Step 18 In the Persistent Connection Timeout field, enter the number of seconds that the Content Engine should keep an idle persistent connection open before it closes the connection. The default value is 600 seconds.

Step 19 Click Submit to save the settings.

A "Click Submit to Save" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or group settings to change the current device settings but the settings have not yet been submitted.

Step 20 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 21 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 22 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 23 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.


Configuring HTTPS Proxy Settings

Cisco ACNS 5.x software supports HTTPS in the following two scenarios:

The Content Engine receives an HTTPS request sent by a web client configured to use the Content Engine as an HTTPS proxy server.

The Content Engine in transparent mode intercepts a request sent by a web client to another HTTPS proxy server.

In both cases the Content Engine creates a connection to the origin server (directly or through another proxy server) and allows the web client and origin server to set up a Secure Socket Layer (SSL) tunnel through the Content Engine.


Note: A Domain Name System (DNS) server must be configured in order to support HTTPS proxy requests. See the "Configuring the Domain Name System Server" section for more information.


To configure HTTPS proxy parameters, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears.

Step 2 Click the Edit icon next to the name of the device group that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose HTTP/S > HTTPS Proxy. The HTTPS Proxy Settings window appears. (See Figure 12-6.) Table 12-3 describes the fields in this window.

Figure 12-6 HTTPS Proxy Settings Window

Step 4 Check the Enable Incoming Proxy check box to allow the Content Engine to accept incoming requests on ports in addition to port 80.

Step 5 In the List of Incoming Ports field, enter the port numbers used by the proxy server.

Step 6 Check the Enable Outgoing Proxy check box to enable the use of an outgoing proxy, if needed.

Step 7 Enter an IP address or host name in the Outgoing Proxy Hostname field. This field is required if an outgoing proxy is enabled.

Step 8 In the Outgoing Proxy Port field, enter a port number that will be used by the outgoing proxy server to accept proxy HTTPS requests. This field is required if an outgoing proxy is enabled.

Step 9 In the Allow Port List field, enter a list of port numbers on which HTTPS traffic is to be allowed, and separate each number with a space. This field is required if an outgoing proxy is enabled. The range is from 1 to 65535. Up to 8 ports can be configured. Ports 443 and 563 are allowed by default.

Step 10 In the Deny Port List field, enter a list of port numbers on which HTTPS requests must be rejected. Separate each number with a space. This field is required if an outgoing proxy is enabled.

The range is from 1 to 65535. Up to 8 ports can be configured. Ports under 1024 are denied for HTTPS requests by default. This ensures that unwanted access to any HTTPS port is prevented when a request goes through the Content Engine.

Step 11 Check the Enable TCP check box to configure the TCP server connection's read/write timeout.

Step 12 In the TCP Read/Write Timeout field, enter a value in seconds for the read/write timeout. The range is from 1 to 3600, and the default is 120 seconds.

Step 13 Click Submit to save the settings.

A "Click to Submit" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or device group settings to change the current device settings but the settings have not yet been submitted.

Table 12-3 shows key GUI parameters and CLI commands associated with HTTPS proxy features. The order in which the CLI commands are entered is not important.

Table 12-3 HTTPS Proxy Features 

| Key GUI Parameter | HTTPS Proxy Features | CLI Command (Abbreviated Syntax) |
|---|---|---|
| Enable incoming proxy | Configures the Content Engine to accept incoming HTTPS traffic requests on ports in addition to port 80. | https proxy incoming |
| List of incoming ports | Supports up to 8 incoming proxy ports. | https proxy incoming port 1-65535, port, . . . |
| Enable outgoing proxy | Enables an outgoing HTTPS proxy server. | https proxy outgoing host {hostname \| ip-address} port 1-65535 |
| Outgoing proxy hostname | IP address or host name of the HTTPS outgoing proxy server. | https proxy outgoing host {hostname \| ip-address} |
| Outgoing proxy port | Port of the HTTPS outgoing proxy server. | https proxy outgoing host {hostname \| ip-address} port 1-65535 |
| Allow Port List | List of port numbers on which HTTPS traffic is to be allowed (required, if outgoing proxy is enabled). The range is from 1 to 65535. Up to 8 ports can be configured. Ports 443 and 563 are allowed by default. | |
| Deny Port List | List of port numbers on which HTTPS requests must be rejected (required, if outgoing proxy is enabled). | |
| Enable TCP | Enables the TCP Read/Write Timeout field. | |
| TCP Read/Write Timeout | Configures the TCP server connection's read/write timeout. The range is from 1 to 3600, and the default is 120 seconds. | |


Note HTTPS traffic is encrypted and cannot be interpreted by the Content Engine or any other device between the web client and the origin server. HTTPS objects are not cached.


Step 14 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 15 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 16 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 17 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.
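The Allow Port List and Deny Port List rules from Steps 9 and 10, modeled in Python so a planned configuration can be checked before it is submitted. This is an added example, not ACNS code: the function names and sample request lines are constructed, and the precedence rules (deny wins over allow, unlisted ports of 1024 and above are allowed) are assumptions the guide does not state.

```python
"""Model of the HTTPS proxy Allow/Deny port lists (Steps 9 and 10)."""

DEFAULT_ALLOWED = frozenset({443, 563})  # allowed by default, per the guide
MAX_PORTS = 8                            # "Up to 8 ports can be configured"
LOW_PORT_LIMIT = 1024                    # ports under 1024 are denied by default


def _is_number(token):
    return token.isascii() and token.isdigit()


def parse_port_list(field):
    """Parse a space-separated port field, enforcing the documented limits."""
    ports = set()
    for token in field.split():
        if not _is_number(token):
            raise ValueError(f"not a port number: {token!r}")
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range 1-65535: {port}")
        ports.add(port)
    if len(ports) > MAX_PORTS:
        raise ValueError(f"more than {MAX_PORTS} ports configured")
    return frozenset(ports)


def connect_port(request_line):
    """Extract the destination port from a 'CONNECT host:port HTTP/x.y' line."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request line")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not _is_number(port):
        raise ValueError("CONNECT target must be host:port")
    if not 1 <= int(port) <= 65535:
        raise ValueError("CONNECT port out of range")
    return int(port)


def connect_allowed(port, allow_field="", deny_field=""):
    """Decide whether a tunnel to `port` is permitted.

    Assumptions (not stated in the guide): an explicit deny entry wins over
    an allow entry, and ports of 1024 and above on neither list are allowed.
    """
    allow = parse_port_list(allow_field) | DEFAULT_ALLOWED
    deny = parse_port_list(deny_field)
    if port in deny:
        return False
    if port in allow:
        return True
    return port >= LOW_PORT_LIMIT


def audit_lists(allow_field, deny_field):
    """Return (port, finding) pairs for allow-list entries worth a second look."""
    allow = parse_port_list(allow_field)
    deny = parse_port_list(deny_field)
    findings = []
    for port in sorted(allow):
        if port in deny:
            findings.append((port, "allow-deny-conflict"))
        elif port < LOW_PORT_LIMIT and port not in DEFAULT_ALLOWED:
            # The entry reopens a port the default policy would reject.
            findings.append((port, "low-port-opened"))
    return findings


# Constructed request lines, for illustration only.
SAMPLE_REQUESTS = [
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT mail.example.net:25 HTTP/1.0",
    "CONNECT app.example.org:8443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        verdict = connect_allowed(connect_port(line), deny_field="8443")
        print(f"{line!r}: {'tunnel' if verdict else 'reject'}")
    print(audit_lists("25 8443", "8443"))
```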


Configuring HTTP and HTTPS Outgoing Proxy Exclusion Settings

When in transparent caching mode, the Content Engine can intercept requests sent to another proxy and send these requests to one of the following two destinations:

Default server—This is the default option. The Content Engine retrieves the objects from the web server itself, or if it is configured to use an outgoing proxy for this protocol, it forwards the request to its outgoing proxy. In this scenario, the client browser configuration is ignored, and the Content Engine configuration is used to retrieve the object from the server.

Original proxy—The Content Engine forwards the request to the proxy that the client originally addressed the request to. This may be different from the Content Engine's own outgoing proxy for the specified protocol.

ACNS 5.x software also has an option that allows the administrator to specify a single domain name, host name, or IP address to be globally excluded from proxy forwarding. Domains are entered as an ASCII string, separated by spaces. The wildcard character * (asterisk) can be used for IP addresses (for instance, 172.16.*.*). Requests with a destination specified with wildcard characters bypass the Content Engine proxy as well as the failover proxies.

To configure proxy protocol parameters, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure.

Step 3 From the Contents pane, choose HTTP/S > Outgoing Proxy Exclusions. The Outgoing Proxy Exclusions window appears. (See Figure 12-7.) Table 12-4 describes the fields in this window.

Figure 12-7 Outgoing Proxy Exclusions Settings Window

Step 4 Check the Enable Outgoing Proxy Exclusion check box to intercept requests sent to another proxy and send these requests to either the origin server or a specified proxy server.

Step 5 Enter domain names, IP addresses, or host names, each separated by a space, in the Outgoing Proxy Exclude List field. The item entered here is globally excluded from proxy forwarding. You can also specify the asterisk (*) wildcard character to match any IP address to be excluded.

Step 6 Check the Enable Transparent Mode check box to set the transparent mode behavior for proxy-style requests.

Step 7 Choose default-server, original-proxy, or reset from the Transparent Proxy Mode drop-down list. See Table 12-4 for an explanation of these choices.

Table 12-4 Proxy Protocols Key Parameters

| Key Parameter | Description | CLI Command |
|---|---|---|
| Default-server | The Content Engine retrieves objects from the web server itself. With this option, a proxy-style request can be sent to an outgoing proxy server if such a server is configured. If no outgoing proxy server is configured, then the request is served by the origin server and the Content Engine. | proxy-protocols transparent default-server |
| Original-proxy | The Content Engine forwards the request to the original proxy that the client addressed the request to. | proxy-protocols transparent original-proxy |
| Reset | This option resets the transparent proxy mode to use the default server. The request will be returned to the client during a cache miss. The client does not obtain the requested object in this mode. | proxy-protocols transparent reset |


Step 8 Click Submit to save the settings.

A "Click to Submit" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or device group settings to change the current device settings but the settings have not yet been submitted.

Step 9 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 10 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 11 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 12 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.


Configuring ICP Settings

Internet Cache Protocol (ICP) is a lightweight message format used for communicating among Content Engines and for supporting interoperability with older proxy protocols. ICP is used to exchange hints about the existence of URLs in neighboring caches in a Content Engine farm. Content Engines exchange ICP queries and replies to gather information for use in selecting the most appropriate location from which to retrieve an object.

Although ICP has traditionally been a way to scale the overall size of a cluster of caches beyond a single unit, history has shown ICP to be a poor way of scaling a cache clustering solution. In fact, because of the way that traffic is currently directed toward a transparent network cache cluster, the requirement for ICP is all but negated for the majority of cache deployments.

The ICPv2 protocol is documented in two standards documents:

RFC 2186: Internet Cache Protocol (ICP), Version 2

RFC 2187: Application of Internet Cache Protocol (ICP), Version 2


Note The ability to act as both an ICP server (servicing requests from neighboring caches) and an ICP client (sending requests to neighboring caches) is supported.
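The ICPv2 query and reply framing defined in RFC 2186, as an added Python example (not code from the ACNS software) that shows both sides' messages and the checks a receiver makes before acting on a reply that arrives over UDP. The function names, request numbers, and URL are constructed for illustration, and only the basic opcodes are handled.

```python
"""ICPv2 (RFC 2186) framing with the checks applied before trusting a reply."""
import struct

ICP_VERSION = 2
MAX_ICP_LEN = 16384  # RFC 2186 upper bound on message length, in octets
OPCODES = {1: "QUERY", 2: "HIT", 3: "MISS", 4: "ERR",
           21: "MISS_NOFETCH", 22: "DENIED"}
# opcode, version, message length, request number, options, option data,
# sender host address: 20 octets in network byte order
HEADER = struct.Struct("!BBHIII4s")
NO_ADDR = b"\x00" * 4


def _frame(opcode, reqnum, payload):
    length = HEADER.size + len(payload)
    if length > MAX_ICP_LEN:
        raise ValueError("ICP message too long")
    return HEADER.pack(opcode, ICP_VERSION, length, reqnum, 0, 0, NO_ADDR) + payload


def build_query(reqnum, url, requester=NO_ADDR):
    """ICP_OP_QUERY payload: requester host address, then NUL-terminated URL."""
    return _frame(1, reqnum, requester + url.encode("ascii") + b"\x00")


def build_reply(opcode, reqnum, url):
    """HIT/MISS style reply payload: the NUL-terminated URL from the query."""
    return _frame(opcode, reqnum, url.encode("ascii") + b"\x00")


def parse_message(datagram):
    """Validate and decode one datagram; raise ValueError on anything malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 20-octet ICP header")
    opcode, version, length, reqnum, _opts, _optdata, _sender = \
        HEADER.unpack_from(datagram)
    if version != ICP_VERSION:
        raise ValueError(f"unsupported ICP version {version}")
    if length != len(datagram) or length > MAX_ICP_LEN:
        raise ValueError("length field does not match datagram size")
    if opcode not in OPCODES:
        raise ValueError(f"unhandled opcode {opcode}")
    payload = datagram[HEADER.size:]
    if opcode == 1:
        if len(payload) < 4:
            raise ValueError("query lacks requester host address")
        payload = payload[4:]
    # The URL must be present and terminated by the only NUL in the payload.
    if not payload or payload.find(b"\x00") != len(payload) - 1:
        raise ValueError("URL is not a single NUL-terminated string")
    return {"opcode": OPCODES[opcode], "reqnum": reqnum,
            "url": payload[:-1].decode("ascii")}


def match_reply(pending, datagram):
    """Return the reply opcode name if it answers an outstanding query, else None.

    `pending` maps request numbers still awaiting an answer to the queried URL.
    Malformed datagrams, stray queries, and replies whose request number or URL
    do not match are discarded instead of influencing where the object is fetched.
    """
    try:
        msg = parse_message(datagram)
    except ValueError:
        return None
    if msg["opcode"] == "QUERY":
        return None
    if pending.get(msg["reqnum"]) != msg["url"]:
        return None
    return msg["opcode"]


if __name__ == "__main__":
    url = "http://www.example.com/index.html"  # constructed sample URL
    pending = {7: url}
    print(parse_message(build_query(7, url)))
    print(match_reply(pending, build_reply(2, 7, url)))       # sibling has it
    print(match_reply(pending, build_reply(2, 8, url)))       # wrong request
    print(match_reply(pending, build_reply(3, 7, url)[:-3]))  # truncated
```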


ICP Client Settings

You can configure your Content Engine farm to generate ICP queries before retrieving requested objects from the Internet using the ICP client functionality.

With ICP functionality, you can configure parent and sibling Content Engines in a hierarchy. ICP parents are essentially one step higher than ICP siblings in a hierarchy of Content Engines.

You can configure a Content Engine to be either a parent or a sibling. Parent Content Engines are able to retrieve data during a cache miss, whereas sibling Content Engines cannot retrieve data and instead forward the request to the parent Content Engines.

To configure ICP client functionality, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure.

Step 3 From the Contents pane, choose HTTP/S > ICP Client. The ICP Client Settings window appears. (See Figure 12-8.) Table 12-5 describes the fields in this window.

Figure 12-8 ICP Client Settings Window

Step 4 Check the Enable check box to enable ICP client queries.

Step 5 In the Maximum Reply Wait Time field, specify the timeout period in seconds for ICP responses.

Step 6 In the Number of Failures field, specify the number of failures that each Content Engine allows an unresponsive ICP server before it removes that ICP server from the list of available servers.

Step 7 Enter a domain to be excluded from ICP queries in the Excluded Domains field.

Step 8 Click Submit to save the settings.

Table 12-5 describes the ICP client settings in the Content Distribution Manager GUI and provides the corresponding global configuration CLI commands.

Table 12-5 ICP Client Parameters

| GUI Field | Description | CLI Command |
|---|---|---|
| Enable | Enables the ICP client. | icp client enable |
| Maximum Reply Wait Time | Configures how long the Content Engine waits before retrieving the requested data directly from the Internet. The range is from 1 to 30 seconds, and the default value is 2 seconds. | icp client max-wait timeout |
| Number of Failures | Configures the number of failures that each Content Engine allows an unresponsive ICP server before it removes that ICP server from the list. The range is from 0 to 100, and the default value is 20 failures. | icp client max-fail retries |
| Excluded Domains | Excludes local domains from ICP caching services. | icp client exclude domainnames |
| | Modifies the ICP client remote server parameters. | icp client modify-remote-server |
| | Adds an ICP client remote server. | icp client add-remote-server |



ICP Remote Client Settings

To add a remote ICP client to the ICP client list using the Content Distribution Manager GUI, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears.

Step 2 Click the Edit icon next to the name of the device group that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose HTTP/S > ICP Remote Clients.

Step 4 Click the Create New ICP Remote Client icon. The Configuring New ICP Remote Client window appears. (See Figure 12-9.)

Figure 12-9 Configuring New ICP Remote Client Window

Step 5 Enter the host name or IP address for the ICP remote client in the Client Name field.

Step 6 Check the Fetch Misses check box to configure the Content Engine to act as a parent server to the designated client. If the Content Engine cannot satisfy the client's request, it forwards the request to another server or the Internet.

Step 7 Click Submit to save the settings.


ICP Server Settings

You can also configure a Content Engine to act as an ICP server. This allows the Content Engine to probe the hierarchy of Content Engines by multicasting an ICP message to ICP parent and sibling clients in the hierarchy.

To configure ICP server functionality, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears.

Step 2 Click the Edit icon next to the name of the device group that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose HTTP/S > ICP Server. The ICP Server Settings window appears. (See Figure 12-10.) Table 12-6 describes the fields in this window and provides the corresponding CLI global configuration commands.

Figure 12-10 ICP Server Settings Window

Step 4 Check the Enable check box to enable ICP server queries.

Step 5 In the ICP Port field, designate a port that will listen for ICP requests on the server.

Step 6 In the HTTP Port field, specify the HTTP port that will listen for ICP-generated requests on the server.

Step 7 Click Submit to save the settings.

Table 12-6 ICP Server CLI Command Summary 

| GUI Field | Description | CLI Command |
|---|---|---|
| Enable | Enables the ICP server. | icp server enable |
| ICP Port | Configures an HTTP proxy port to listen for ICP-generated requests. The range is from 0 to 65535. The default port number is 3128. | icp server http-port |
| HTTP Port | Configures an ICP server port on a Content Engine to listen for ICP requests. The range is from 0 to 65535. The default port number is 3130. | icp server port |
| | Sets the ICP server remote client. | icp server remote-client |



ICP Remote Server Settings

To add a remote ICP server to the ICP server list using the Content Distribution Manager GUI, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears.

Step 2 Click the Edit icon next to the name of the device group that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose HTTP/S > ICP Remote Servers.

Step 4 Click the Create New ICP Remote Server icon. The Creating New ICP Remote Server window appears. (See Figure 12-11.)

Figure 12-11 ICP Remote Server Settings Window

Step 5 In the Server Name field, enter the host name or IP address for the ICP remote server.

Step 6 Check the Parent check box to enable the configured ICP server to act as a parent server and retrieve cache miss data. If this box is not checked, the configured ICP server will not retrieve cache miss data.

Step 7 In the ICP Port field, enter the ICP port to which ICP queries are directed at this ICP server. The range is from 1 to 65535, and the default port is 3130.

Step 8 In the HTTP Port field, enter the HTTP port on the ICP server to which proxy-style requests are forwarded. The range is from 1 to 65535, and the default port is 3128.

Step 9 In the Excluded Domains field, enter a list of excluded domains if you want to limit ICP requests directed toward this ICP server to a specific set of domains. Otherwise, all ICP requests (aside from those specified as "local domains") are forwarded to this ICP server.

Step 10 Click Submit to save the settings.


Configuring Client Proxy Autoconfiguration Settings

ACNS 5.x software supports proxy automatic configuration files (.pac files). A browser obtains proxy IP address and port configuration information from the proxy automatic configuration file when the browser's autoconfiguration URL field is configured with the Content Engine IP address, incoming port number, file directory, and .pac filename.


Note You must configure disks /local1 or /local2 as a sysfs volume before downloading the autoconfiguration file to either of these two disk locations.


The Microsoft Internet Explorer and Netscape browsers support the proxy autoconfiguration feature. The browser must be manually configured for automatic proxy configuration.

This example demonstrates the URL syntax to enter in the proxy automatic configuration URL field of the browser:

http://ContentEngine-IPaddress:portnumber/theproxyfile.pac


Note Use a port number specified by the proxy incoming settings for configuring proxy incoming ports. For instance, if port 8080 is specified, then use 8080 as your port number in the example shown.


To configure proxy autoconfiguration, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears.

Step 2 Click the Edit icon next to the name of the device group that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose HTTP/S > Client Proxy Autoconfig. The Client Proxy Auto Config Settings window appears. (See Figure 12-12.)

Figure 12-12 Client Proxy Auto Config Settings Window

Step 4 Check the Enable check box to enable proxy autoconfiguration.

Step 5 Enter a host name or an IP address in the Remote FTP Server Host Name Field if you are downloading the .pac file from a remote FTP server.

Step 6 In the Remote File field, enter the name of the autoconfiguration file to be accessed on the remote FTP server.

Step 7 In the User name field, enter a username or ID to gain access to the FTP server.

Step 8 In the Password field, enter a password used to access the file on the remote FTP server.

Step 9 Enter the password again in the Confirm Password field.

Step 10 Click Submit to save the settings.


Configuring FTP and TFTP Settings

You can configure, modify, and view FTP and TFTP settings for Content Engines and device groups by completing the following tasks:

Configuring FTP Cache Proxy Settings

Setting FTP Cache Freshness

Configuring TFTP General Settings

Configuring TFTP Proxy Server Settings

Configuring TFTP Directory Settings

Configuring FTP Cache Proxy Settings

The Content Engine has the ability to handle FTP-style requests over HTTP when configured in proxy mode. When the Content Engine receives an FTP request from a client, it processes the request by searching its cache. If the object is not in its cache, it fetches the object from an upstream FTP proxy server if this proxy server has been configured, or it fetches the object directly from the origin FTP server.

To configure FTP connection settings using the Content Distribution Manager GUI, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears. (Alternatively, choose Devices > Content Engines.)

Step 2 Click the Edit icon next to the name of the device group (or Content Engine) that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose FTP > FTP Connections. The FTP Connection Settings window appears. (See Figure 12-13.) Table 12-7 describes the fields in this window.

Figure 12-13 FTP Connection Settings for Device Group Window

Table 12-7 FTP Connection Settings GUI Fields

| GUI Field | Description | CLI Command |
|---|---|---|
| Inetd Enable FTP Service | Enables FTP service on the Content Engine. | inetd enable ftp |
| Enable FTP Caching | Configures the Content Engine to accept incoming FTP requests on ports in addition to port 80. | ftp proxy incoming |
| Enable Incoming Active Mode | Configures the Content Engine to support FTP active mode. Passive mode is the default. | ftp proxy active-mode enable |
| List of Incoming Ports | Port numbers used by the proxy server or Content Engine to receive FTP requests. This number ranges from 1 to 65535. You can specify up to 8 ports. | ftp proxy incoming ports 1-65535 |
| Enable Outgoing Proxy | Configures an outgoing proxy server or another Content Engine, without using ICP or WCCP, to receive FTP cache miss request traffic. | ftp proxy outgoing |
| Outgoing Proxy Hostname | Configures multiple outgoing proxy servers. Enter the host name or IP address for the outgoing FTP proxy server. | ftp proxy outgoing host {hostname \| ip-address} |
| Outgoing Proxy Port | Port number corresponding to the outgoing FTP proxy host names. | ftp proxy outgoing host {hostname \| ip-address} ports 1-65535 |
| Anonymous FTP Password | Password required to access outgoing FTP proxy server. | |
| Confirm Anonymous FTP Password | Repeat the password required to access outgoing FTP proxy server. | |

Step 4 Check the Inetd Enable FTP Service check box to enable FTP service on the Content Engine.

Step 5 Check the Enable FTP Caching check box to accept incoming FTP requests on ports in addition to port 80.

Step 6 Check the Enable Incoming Active Mode check box to enable the Content Engine to act in FTP active mode. If active mode is enabled, the Content Engine attempts to fetch the object in active mode. If active mode fails, the Content Engine attempts to fetch the object again in passive mode.

Step 7 In the List of Incoming Ports field, enter port numbers used by the FTP proxy server or Content Engine to receive requests. The range is from 1 to 65535. Up to 8 ports are allowed.

Step 8 Check the Enable Outgoing Proxy check box to allow an outgoing FTP proxy server or another Content Engine to receive FTP cache miss request traffic.

Step 9 In the Outgoing Proxy Host Name field, enter the host name or IP address for the outgoing FTP proxy.

Step 10 In the Outgoing Proxy Port field, enter a port number corresponding to the outgoing proxy host name from Step 9. The range is from 1 to 65535, and up to 8 ports are allowed. In proxy mode, the Content Engine accepts and serves FTP requests only on the ports specified. All the FTP requests on other proxy-mode ports are rejected.

The Content Engine supports both anonymous and authenticated FTP requests. In the case of the URL ftp://user@site/dir/file, the proxy sends back an authentication failure reply and the browser displays a popup window for you to enter login information.

Step 11 In the Anonymous FTP Password field, enter the anonymous password (for example, wwwuser@cisco.com) needed to access the FTP proxy server. The default is anonymous@hostname.

Step 12 In the Confirm Anonymous FTP Password field, reenter the anonymous password needed to access the FTP proxy server.

Step 13 Click Submit to save the settings.

A "Click to Submit" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or device group settings to change the current device settings but the settings have not yet been submitted.

Step 14 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 15 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 16 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 17 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.


Setting FTP Cache Freshness

You can configure FTP cache object freshness parameters for Content Engines on the ACNS network using the FTP Cache Freshness Settings window from the Content Distribution Manager GUI. These parameters can be configured for either directory listings or particular objects in the cache.

To configure FTP freshness parameters, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears.

Step 2 Click the Edit icon next to the name of the device group that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose FTP > FTP Cache Freshness. (See Figure 12-14.)

Figure 12-14 FTP Cache Freshness Settings Window

Step 4 Check the Enable check box to enable FTP cache freshness settings on the Content Engine.

Step 5 Specify a value for the Directory Listing Age Multiplier field.

The age multiplier value enables the Content Engine to guess the life of a directory by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent requests for the object cause a fresh retrieval by the Content Engine. Valid values range from 0 to 100 percent. The default value is 30 percent.

Step 6 Specify a value for the File Object Age Multiplier field.

The age multiplier value enables the Content Engine to guess the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent requests cause a fresh retrieval by the Content Engine. Valid values range from 0 to 100 percent. The default value is 60 percent.

Step 7 Choose a value for the Max Time to Live (TTL) Scale field from the drop-down list.

The TTL sets a ceiling on estimated expiration dates. If an object has an explicit expiration date, this takes precedence over the configured TTL.

Step 8 Specify a value for the Max Directory Listing TTL field.

The valid range of values is given in Table 12-8.

Table 12-8 Time To Live Range of Values for FTP Freshness

| Scale | Range |
|---|---|
| Days | 1-1825 |
| Hours | 1-43800 |
| Minutes | 1-2628000 |
| Seconds | 1-157680000 |


Step 9 Specify a value for the Max File Object TTL field.

See Table 12-8 for a list of maximum values depending on the scale used.

Step 10 Specify a value (in minutes) for the Minimum TTL field.

A minimum TTL is the minimum time to live for objects in the cache. The range of values is 0 to 86400 minutes. The default value is 30 minutes.

Step 11 Check the Enforce Max Object Size check box to enforce the maximum object size specified in the next step.

Step 12 Specify a value in the Max Object Size field.

This value represents the maximum object size (in kilobytes) that can be stored. The range of values is 1 to 204799 kilobytes. The default value is set to the maximum value of 1048576 kilobytes.

Step 13 Choose a method for handling reevaluation requests from the Re-eval Request drop-down list.

You can apply these FTP cache freshness parameters to the directory listing or to objects as well as the directory listing. You can also choose not to apply a TTL scale to these parameters. In this case, a TTL is not applied, and objects in the cache have no expiration dates.

Step 14 Click Submit to save the settings.

A "Click to Submit" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or device group settings to change the current device settings but the settings have not yet been submitted.

Step 15 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 16 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 17 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 18 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.
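The freshness estimate described in Steps 5 through 10, worked through in Python to show how the age multiplier, the Max TTL ceiling from Table 12-8, and the Minimum TTL combine into an expiration time. This is an added example, not ACNS code: the function names and timestamps are constructed, and applying the minimum TTL after the ceiling is an assumption the guide does not state.

```python
"""Freshness estimate for cached FTP objects, following Steps 5 to 10."""

# Table 12-8: largest allowed value per TTL scale, and seconds per unit.
TTL_SCALES = {
    "days": (1825, 86400),
    "hours": (43800, 3600),
    "minutes": (2628000, 60),
    "seconds": (157680000, 1),
}
DIRECTORY_MULTIPLIER = 30     # default Directory Listing Age Multiplier, percent
FILE_MULTIPLIER = 60          # default File Object Age Multiplier, percent
DEFAULT_MIN_TTL_MINUTES = 30  # default Minimum TTL


def max_ttl_seconds(value, scale):
    """Convert a Max TTL field value to seconds, enforcing the Table 12-8 range."""
    limit, unit_seconds = TTL_SCALES[scale]
    if not 1 <= value <= limit:
        raise ValueError(f"{scale} value must be in the range 1-{limit}")
    return value * unit_seconds


def expiry_time(fetched_at, last_modified, multiplier_pct, max_ttl,
                min_ttl_minutes=DEFAULT_MIN_TTL_MINUTES, explicit_expiry=None):
    """Return the time (epoch seconds) after which a cached object is stale."""
    if explicit_expiry is not None:
        # An explicit expiration date takes precedence over the configured TTL.
        return explicit_expiry
    if not 0 <= multiplier_pct <= 100:
        raise ValueError("age multiplier must be 0 to 100 percent")
    if not 0 <= min_ttl_minutes <= 86400:
        raise ValueError("minimum TTL must be 0 to 86400 minutes")
    # Time since last modification, scaled by the age multiplier.
    age = max(0, fetched_at - last_modified)
    lifetime = age * multiplier_pct // 100
    # Max TTL sets a ceiling on the estimate.
    lifetime = min(lifetime, max_ttl)
    # Assumption: the minimum TTL is applied last, as a floor.
    lifetime = max(lifetime, min_ttl_minutes * 60)
    return fetched_at + lifetime


def is_stale(now, expires_at):
    """An object is stale once the expiration time has passed."""
    return now > expires_at


if __name__ == "__main__":
    fetched = 1_000_000_000  # constructed timestamp, epoch seconds
    # File last modified 10 days before the fetch: 60% gives 6 days,
    # which a 3-day Max File Object TTL caps at 3 days.
    file_expiry = expiry_time(fetched, fetched - 10 * 86400, FILE_MULTIPLIER,
                              max_ttl_seconds(3, "days"))
    # Directory listing modified 10 minutes before the fetch: 30% gives
    # 3 minutes, which the 30-minute Minimum TTL raises to 30 minutes.
    dir_expiry = expiry_time(fetched, fetched - 600, DIRECTORY_MULTIPLIER,
                             max_ttl_seconds(1, "hours"))
    print(file_expiry - fetched, dir_expiry - fetched)
```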


About the TFTP Gateway

The Trivial File Transfer Protocol (TFTP) gateway feature in the ACNS 5.1 software release provides a way for Content Engines to serve content files requested by networking devices that use the native TFTP protocol. Content Engines running ACNS 5.1 software now perform TFTP to HTTP or FTP translation, eliminating the need for the system administrator to configure and manage a dedicated TFTP server to serve TFTP requests. This feature allows the Content Engine to accept native TFTP requests from the client at the front end, and serve the request using HTTP or FTP protocol at the back end, hence the name TFTP gateway.

Content files include router software images, router configurations, set top box images, IP phone configuration files, and so forth. If the requested file is not available on the Content Engine, the Content Engine caches the file on the fly from the origin server. The ACNS caching system retrieves the file from the Internet on behalf of the requesting device and forwards it to the device. Future requests by any devices for the same file are satisfied by forwarding the file from the Content Engine cache.

Configuring TFTP General Settings

Content Engines serve TFTP requests from clients by accepting native TFTP requests and retrieving content using FTP or HTTP from locally configured directories or origin servers. Content devices such as set top boxes and routers make TFTP requests for downloading router software images, set top box images, and router configurations. Content Engines allow TFTP-to-HTTP or TFTP-to-FTP translation without the need for configuring and managing a dedicated TFTP server to serve TFTP requests.

To enable the TFTP service on the Content Engine to serve TFTP requests from networking devices, follow these steps:


Step 1 Choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the desired Content Engine. The Modifying Content Engine window appears with the Contents pane on the left.

Step 3 In the Contents pane, choose FTP/TFTP > TFTP General. The TFTP Settings for Content Engine window appears. (See Figure 12-15.)

Figure 12-15 TFTP General Settings Window

Step 4 Check the Inetd Enable TFTP Service check box to enable the TFTP service application to run on the specified Content Engine.

Checking this check box enables the Content Engine to serve TFTP requests by retrieving the requested content. If you uncheck this check box, TFTP service is disabled on the Content Engine.

Step 5 Click Submit to save the settings.

A "Click to Submit" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or device group settings to change the current device settings, but the settings have not yet been submitted.

Step 6 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 7 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 8 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 9 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.


Configuring TFTP Proxy Server Settings

When a requested file does not exist on the Content Engine, the Content Engine makes an HTTP or FTP request to the origin server to retrieve the content. The requested content is cached and sent to the TFTP client. Future requests for the same content from TFTP clients are served by forwarding the file from the cfs or cdnfs directory on the Content Engine.

You can configure a maximum of two origin servers: a primary and a secondary backup server. The TFTP server application running on the Content Engine attempts to retrieve content from the secondary backup server, if configured, when the primary server fails. You can associate priorities with the two origin servers to categorize them as primary or secondary servers.

To configure the TFTP proxy server settings, follow these steps:


Step 1 Choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the desired Content Engine. The Modifying Content Engine window appears with the Contents pane on the left.

Step 3 In the Contents pane, choose FTP/TFTP > TFTP Proxy. The TFTP Proxy for Content Engine window appears.

Step 4 Click the Create New TFTP Proxy icon in the taskbar. The Creating New TFTP Proxy for Content Engine window appears. (See Figure 12-16.)

Figure 12-16 TFTP Proxy Settings


Note Only two TFTP proxy servers can be defined. When you attempt to create a third TFTP proxy server, the system displays a popup window stating that only two TFTP proxy servers can be defined because each server needs to be configured with a unique priority value.


Step 5 Choose the protocol that the proxy server will use to serve TFTP requests from the Protocol drop-down list. You can choose either FTP or HTTP to specify that the Content Engine make a request using the corresponding protocol to the origin server.

Step 6 Enter the host name or IP address of the TFTP proxy server in the TFTP Gateway Server field.

Step 7 In the Priority field, enter the priority (LOW or HIGH) in which the origin servers must be queried for content.

Priority values can be used to categorize the servers as primary or secondary backup servers. The proxy server with the higher priority is the primary origin server and is queried first for content. You cannot configure two origin servers with the same priority, whether they are of the same or different protocols.

Step 8 In the Directory Path field, enter the path to the content that exists on the proxy server. You can enter the complete path or a relative path that specifies the directory in which the requested content resides.

Step 9 Check the Configure User check box to specify user authentication details for logging in to the proxy server. The user details cannot be entered if this check box is not checked.

Step 10 In the User Name field, enter the login ID of the user to be used on the remote server.

Step 11 In the Password field, enter the user password to be used to authenticate users who access the proxy server. Reenter the same password in the Confirm Password field. The password details are encrypted in the display.

Step 12 Click Submit to save the settings.


Configuring TFTP Directory Settings

When a TFTP client makes a request for content, the TFTP server application running on the Content Engine searches the specified directory to serve the content. If the request does not contain any directory path, the default directory will be searched for content. You can configure a maximum of eight TFTP directory configurations that TFTP clients can access.

To configure the directories to be used by TFTP, follow these steps:


Step 1 Choose Devices > Content Engines. The Content Engines window appears.

Step 2 Click the Edit icon next to the desired Content Engine. The Modifying Content Engine window appears with the Contents pane on the left.

Step 3 In the Contents pane, choose FTP/TFTP > TFTP Directory. The TFTP Settings for Content Engine window appears. (See Figure 12-17.)

Figure 12-17 TFTP Settings Window

Step 4 In the TFTP Directory Settings section, check the Configure TFTP Directories check box to enable configuration of TFTP directories.

If this check box is unchecked, the remaining fields in the window are disabled. By default, this check box is unchecked. When the Configure TFTP Directories check box is unchecked, all configured TFTP directories are removed.

Step 5 To configure the default directory, enter the complete absolute path to the directory to be used by the TFTP server application in the Directory 1 field. The first directory configured in the list of TFTP directories becomes the default directory.

You can configure seven more TFTP directories. You cannot duplicate directory paths.

Step 6 Click Submit to save the settings.

A "Click to Submit" message appears in red next to the current settings when there are pending changes to be saved. You can also revert to the previously configured window settings by clicking Reset. The Reset button is visible only when you apply default or device group settings to change the current device settings, but the settings have not yet been submitted.

Step 7 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 8 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 9 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 10 To override the device group settings that have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

To apply settings from a different device group to this device, choose the device group name from the drop-down list that appears in the taskbar.
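
The constraints stated in the TFTP proxy server and TFTP directory procedures above can be checked before a change is submitted. The following Python linter is an added example, not part of the Cisco guide or the ACNS software; the dictionary layout, function names, and host names are hypothetical, and requiring an absolute path for every directory (the guide states it for Directory 1) and comparing normalized paths for duplicates are assumptions.

```python
import posixpath

MAX_PROXIES, MAX_DIRECTORIES = 2, 8        # limits stated in the guide
PROTOCOLS, PRIORITIES = {"FTP", "HTTP"}, {"HIGH", "LOW"}


def lint_tftp_gateway(proxies, directories):
    """Return a list of problems in a planned TFTP gateway configuration."""
    problems = []
    if len(proxies) > MAX_PROXIES:
        problems.append(f"{len(proxies)} proxy servers; only {MAX_PROXIES} allowed")
    priority_owner = {}
    for p in proxies:
        if p["protocol"] not in PROTOCOLS:
            problems.append(f"{p['server']}: protocol must be FTP or HTTP")
        if p["priority"] not in PRIORITIES:
            problems.append(f"{p['server']}: priority must be LOW or HIGH")
        elif p["priority"] in priority_owner:
            # Same priority is rejected even when the protocols differ.
            problems.append(f"{p['server']}: priority {p['priority']} "
                            f"already used by {priority_owner[p['priority']]}")
        else:
            priority_owner[p["priority"]] = p["server"]

    if len(directories) > MAX_DIRECTORIES:
        problems.append(f"{len(directories)} directories; only {MAX_DIRECTORIES} allowed")
    first_seen = {}
    for i, d in enumerate(directories, 1):
        if not d.startswith("/"):
            # Assumption: every directory is held to the Directory 1 rule.
            problems.append(f"Directory {i} ({d}): not an absolute path")
        norm = posixpath.normpath(d)       # assumption: "/a/b/" duplicates "/a/b"
        if norm in first_seen:
            problems.append(f"Directory {i} ({d}): duplicates Directory {first_seen[norm]}")
        else:
            first_seen[norm] = i
    return problems


def origin_query_order(proxies):
    """The HIGH priority server is the primary and is queried first."""
    return [p["server"] for p in sorted(proxies, key=lambda p: p["priority"] != "HIGH")]


# Constructed sample input (not taken from any real deployment).
SAMPLE_PROXIES = [
    {"server": "origin-a.example", "protocol": "HTTP", "priority": "HIGH"},
    {"server": "origin-b.example", "protocol": "FTP", "priority": "HIGH"},
]
SAMPLE_DIRECTORIES = ["/tftp/images", "configs", "/tftp/images/"]

if __name__ == "__main__":
    for line in lint_tftp_gateway(SAMPLE_PROXIES, SAMPLE_DIRECTORIES):
        print(line)
```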


Configuring WCCP Transparent Caching Options

One of the fundamental principles of transparent network request redirection is that the Content Engine must remain transparent to the end user at all times. A transparent caching solution in an ACNS network environment must not introduce any possible failure conditions or side effects in the network.

The Cisco ACNS transparent caching solution uses a WCCP-enabled router and various advanced techniques to ensure that the Content Engine remains transparent, even if web browsers are nonoperational or web servers are not HTTP-compliant.

If a Content Engine becomes overwhelmed with traffic, it can use the overload bypass feature to reroute the overload traffic. When the Content Engine is overloaded and the bypass load command is enabled, the Content Engine refuses additional requests and forwards them to the origin servers. If the load remains too high, more traffic is bypassed to the servers, and so on until the Content Engine can handle the load. The time interval between one bucket being bypassed and the next is set by the out-interval option. The default is 4 seconds. (See Figure 12-18.)

Figure 12-18 Overload Bypass

When the first bucket bypass occurs, a set interval must elapse before the Content Engine begins to again service the bypassed buckets. The duration of this interval is set by the time-interval option. The default is 10 minutes.

When the Content Engine begins to service the bypassed traffic again, it begins with a single bypassed bucket. If the load is serviceable, it picks up another bypassed bucket, and so on. The time interval between picking up one bucket and the next is set by the in-interval option. The default is 60 seconds.
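
The interaction of the out-interval, time-interval, and in-interval options determines how long traffic is sent directly to origin servers instead of through the Content Engine. The following Python model is an added example, not Cisco code; it uses the defaults stated above and assumes that load is spread evenly across 256 buckets, that a bucket is picked up again only if the resulting load fits within capacity, and that recovery never starts before shedding has finished. All names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BypassTimeline:
    buckets_bypassed: int            # buckets shed to get under capacity
    shed_done_s: int                 # second at which the last bucket is bypassed
    recovery_start_s: int            # second at which the first bucket is picked up
    buckets_restored: int            # buckets the later load allows back
    recovery_done_s: Optional[int]   # None if no bucket can be restored
    out_interval_s: int
    in_interval_s: int

    def bypassed_at(self, t: int) -> int:
        """Number of buckets being forwarded to origin servers at second t."""
        if t < 0 or self.buckets_bypassed == 0:
            return 0
        shed = min(self.buckets_bypassed, t // self.out_interval_s + 1)
        restored = 0
        if t >= self.recovery_start_s:
            restored = min(self.buckets_restored,
                           (t - self.recovery_start_s) // self.in_interval_s + 1)
        return shed - restored


def overload_bypass_timeline(offered, capacity, later_offered, buckets=256,
                             out_interval_s=4, time_interval_min=10,
                             in_interval_s=60) -> BypassTimeline:
    """offered/later_offered: load during overload and at recovery (same unit
    as capacity). Time zero is the moment the first bucket is bypassed."""
    # Shed one bucket per out-interval until the remaining share fits.
    n = 0
    while n < buckets and offered * (buckets - n) > capacity * buckets:
        n += 1
    shed_done = max(0, n - 1) * out_interval_s
    # time-interval is counted from the first bucket bypass.
    recovery_start = max(time_interval_min * 60, shed_done)
    # Pick up one bucket per in-interval while the load stays serviceable.
    m = 0
    while m < n and later_offered * (buckets - n + m + 1) <= capacity * buckets:
        m += 1
    recovery_done = recovery_start + (m - 1) * in_interval_s if m else None
    return BypassTimeline(n, shed_done, recovery_start, m, recovery_done,
                          out_interval_s, in_interval_s)


if __name__ == "__main__":
    # Constructed scenario: 20 percent overload that later drops below capacity.
    print(overload_bypass_timeline(offered=1200, capacity=1000, later_offered=900))
```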

Configuring Authentication Traffic Bypass

Because of IP authentication, some websites do not allow the Content Engine to connect directly on behalf of the client. In order to preserve cache transparency and avoid disruption of service, the Content Engine can use authentication traffic bypass to automatically generate a dynamic access list for the selected client/server pairs. Authentication bypass triggers are also propagated upstream and downstream in the case of hierarchical caching.


Note The bypass feature is only available when WCCP Version 2 is enabled in your local network.


Configuring WCCP Bypass Settings

To configure WCCP bypass settings, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears.

Step 2 Click the Edit icon next to the name of the device group that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose HTTP/S > WCCP Bypass Settings. The WCCP Bypass Settings window appears. (See Figure 12-19.)

Figure 12-19 WCCP Bypass Settings Window

Step 4 Check the Load Bypass Enable check box to enable traffic bypass.

Step 5 Specify a value (in seconds) for the Interval between bypassing buckets field.

When the Content Engine is overwhelmed with traffic and the bypass option is enabled, it bypasses traffic one bucket at a time until it is no longer overloaded. This field represents the amount of time between the bypassing of one bucket and the next. The default value is 4 seconds.


Note A bucket is defined as a certain subsection of the allotted hash assigned to each Content Engine in a Content Engine farm. If only one Content Engine exists in this environment, it has 256 buckets assigned to it.


Step 6 Specify a value (in minutes) for the Time that a bucket is bypassed field.

Once a bucket is bypassed and the Content Engine remains in bypass mode, it does not attempt to pick up the bypassed load for the number of minutes specified in this field. The default value is 10 minutes.

Step 7 Specify a value (in seconds) for the Time interval between buckets coming back field.

Once the time interval allotted to bypass mode has elapsed, the Content Engine begins to pick up bypassed traffic one bucket at a time. The time between the pickup of each bucket is measured in seconds. The default value is 2 seconds.

Step 8 Check the Bypass Enable check box to enable the Content Engine to bypass incoming requests from clients.

Step 9 Check the Authentication Bypass check box to enable this feature.


Note Some websites may not allow the Content Engine to connect directly on behalf of the client. In order to avoid a disruption of service when traffic is bypassed, the Content Engine can use authentication bypass to generate a dynamic access list for these client/server pairs. Authentication bypass triggers are also propagated upstream and downstream in an ACNS network environment.


Step 10 In the Bypass Gateway field, specify the IP address of the bypass gateway to enable the Content Engine to return a bypassed packet through Layer 2 redirection to the configured redirecting switch. If no bypass gateway is configured, the bypass packet will be forwarded to the source MAC address that sent the packet.

Step 11 Specify a value (in minutes) for the Bypass entry expiration time field.

This value represents the number of minutes that an idle client/server pair remains on the bypass access list. The default value is 20 minutes.

Step 12 Choose a method for handling errors from the Error Handling drop-down list: transparent, reset-connection, or send-cache-error. (See Table 12-9.)

Table 12-9 Error Handling Options

Option              Description
Transparent         The Content Engine will not send errors to the client but will bypass the client connections to the server.
Send-cache-error    The Content Engine sends an error page to the client.
Reset-connection    The Content Engine resets the TCP connection without specifying an error.


Step 13 Click Submit to save the settings. A "Click Submit to Save" message appears in red next to the current settings line when there are pending changes to be saved. To revert to the previously configured window settings, click Reset. The Reset button appears only when you have applied default or group settings to change the current device settings but the settings have not yet been submitted.

Step 14 To delete the configured settings for the device, click the Remove Device Settings icon in the taskbar. This icon appears only if you have configured the settings for the Content Engine.

Step 15 To restore the factory default settings to the device, click the Apply Defaults icon in the taskbar.

Step 16 To override the device group settings applied to the device with the factory default settings, click the Override Group Settings with Defaults icon in the taskbar. This icon appears only if you have applied the device group settings to the Content Engine.

Step 17 When settings have been applied from device groups with which the device is associated, click the Override Group Settings icon in the taskbar to override the device group settings and configure the device settings. This icon appears only if you have applied the device group settings to the Content Engine.

Step 18 When a device is associated with one or many device groups that have been configured with WCCP bypass settings, choose the device group name from the drop-down list that appears in the taskbar if you want to apply settings from a different device group to this device.


Viewing WCCP Bypass Lists

The Content Engine can use authentication bypass to generate a dynamic access list for client/server pairs. To generate these lists with the Content Distribution Manager GUI, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Device Groups. If you have created device groups, the Device Group window appears.

Step 2 Click the Edit icon next to the name of the device group that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose HTTP/S > WCCP Bypass List.

Step 4 Click the Create New WCCP Bypass List Entry Remote Server icon. The Creating New Static WCCP Bypass List Entry window appears. (See Figure 12-20.)

Figure 12-20 Creating New Static WCCP Bypass List Entry Window

Step 5 Enter the IP address for the client in the Client Address field.


Note You must not exceed 50 bypass list entries for any one Content Engine.


Step 6 Enter the IP address for the server in the Server Address field.

Step 7 Click Submit to save the settings.