Planning the Installation
This chapter describes planning considerations for installing Cisco ACE XML Gateway and Manager appliances. It covers these topics:
•Considerations for the Installation Target Network
•Ports Used by the ACE XML Gateway and Manager
•Enabling Web Console Access through a Proxy Server
•Appliance Network Interface Considerations
•Obtaining the Root Password
Considerations for the Installation Target Network
To perform its daily operations, the ACE XML Gateway relies on a variety of agreements, protocols, and physical connections. Implementing the ACE XML Gateway involves not only configuring settings on the appliance itself, but configuring settings to accomodate the appliance in the target network (for example, by configuring adjacent firewalls or remote network management devices).
Before starting your installation, it is recommended that you gather as much information as possible on the target environment. This advance planning can ease the task of installing and maintaining the appliance.
The ACE XML appliances can be deployed to several types of target environments:
•In a production environment, one or more ACE XML Gateways are typically deployed to the network DMZ, often behind a load balancer. In this setting, the Gateways receive external requests and communicate with backend servers within and outside the organization.
•During policy development or testing, the ACE XML Gateway usually resides within a protected network.
•The ACE XML Manager normally resides in an internal, protected network, where it is not exposed to external traffic. However, it needs to be able to connect to each ACE XML Gateway, and be available to policy developers.
In production deployments, the ACE XML Gateway and Manager usually require access to external networks. Depending on your network topology, you may need to configure an outgoing HTTP proxy for the appliances. The ACE XML Gateway and Manager use the proxy for all outbound HTTP connections. The HTTP Proxy settings are individually configurable for the Manager and Gateway, as set in the System Management page of the web console. For more information, see the ACE XML Manager online help, available from the web console.
Ports Used by the ACE XML Gateway and Manager
For ACE XML appliances to function properly in your network, you need to ensure that existing network devices (such as internal firewalls) permit the types of traffic used by the appliances.
In particular, the firewalls affected by an ACE XML Gateway and Manager installation may include:
•Firewalls between each ACE XML Gateway and the ACE XML Manager that controls it.
•Firewalls between the ACE XML Manager and the computer used to access the web console.
•Firewalls between the gateway and the external network.
The following sections list the ports that may need to be opened.
System Traffic Ports
The following ports are used by the ACE XML system for operation purposes (that is, for traffic other than service traffic). This information should be used to configure internal firewalls. The use of a port is implementation-specific. For example, if you do not use NTP, you do not have to configure firewall to permit TCP/UDP traffic on port 123.
The ACE XML Manager uses the following ports and protocols:
•ICMP from anywhere
•TCP on port 22 from anywhere. This port exposes SSH, for administrators who want to start terminal sessions on the ACE XML Manager.
•TCP on port 8243 from anywhere. This port exposes the ACE XML Manager web console for browser access.
Optionally, you can configure the ACE XML Manager to present its web console on another port.
•UDP on port 53 from anywhere. The ACE XML Manager uses this port to perform DNS lookups.
•UDP on port 161 from anywhere. This port enables the ACE XML Manager to receive SNMP queries.
•UDP on port 514 from ACE XML Gateways. The ACE XML Manager listens on this port to receive syslog information from the gateways. This information is aggregated to make up the event logs.
On the gateway, traffic is passed on the following ports and protocols:
•ICMP from anywhere
•TCP on port 22 from anywhere. This port exposes SSH, for the sake of administrators who want to start terminal sessions on the gateway.
•TCP on port 8200 only from the ACE XML Manager. The gateway requires this port to be open so that it can receive control messages from its ACE XML Manager.
•UDP on port 53 from anywhere. This port enables the gateway to perform DNS lookups.
•UDP on port 161 from anywhere. This port enables the gateway to receive SNMP queries.
Each Gateway sends traffic to its ACE XML Manager on the ports opened on the ACE XML Manager for that purpose. Additionally, the ACE XML Manager and Gateway appliances may generate network traffic on the following ports:
•TCP/UDP on port 123, for Network Time Protocol (NTP).
•TCP on port 25, to send email alerts via SMTP.
•UDP on port 162, for SNMP traps.
Service Traffic Ports
In addition to allowing traffic for ports required for system traffic mentioned in "System Traffic Ports" section, firewalls need to allow traffic on service ports configured in the ACE XML Gateway policy.
The ports used for service traffic vary by policy, but generally include ports 80 and 443, for standard HTTP and HTTPS traffic, respectively.
Considerations for Load Balancers
Best performance can usually be achieved by placing multiple ACE XML Gateways behind one or more load-balancing devices. In general, you do not need to place a load balancer ahead of a dedicated ACE XML Manager, since it is not usually subject to high volumes of traffic.
The number of load balancers to use depends on the amount of traffic you expect each Gateway to handle, as well as the specifications of the load balancers. For assistance in determining the number of load-balancers you'll need, contact the manufacturer of the load balancer.
Load balancers need to be able to monitor the gateways for availability. The ACE XML Gateway supports application-level monitoring—the load balancer can send an HTTP request to the gateway and get back an HTML page or SOAP message that indicates the health of the gateway.
To configure a response to a health check from a load balancer, configure a static response message on a port object in the policy. For more information, see Cisco ACE XML Gateway User Guide.
Enabling Web Console Access through a Proxy Server
The primary development environment for the system is the ACE XML Manager web console, a browser-based interface for developing the policy. Policy developers in your organization will need to be able to access the web console from their network environments. If the computers used to access the console use proxy servers for web access, a configuration change may be needed.
By default, the ACE XML Manager web console runs on port 8243 (leaving port 443 available for web service traffic). After installation, policy developers who attempt to connect to the ACE XML Manager with a browser configured to use a proxy server that doesn't allow access to port 8243 will get a "permission denied" error.
One workaround for this issue is to configure the proxy server to allow access to the ACE XML Manager appliance on port 8243. Alternatively, the ACE XML Manager can be configured to present the web console on a port other than 8243. As an additional alternative, the browsers for users who need to access the web console can be configured to bypass the proxy server when connecting to the web console.
Appliance Network Interface Considerations
ACE XML appliances use Ethernet for networking communications. They do not support other kinds of networks, such as token ring or PS/2 networks. For full Gigabit Ethernet performance, the cabling that composes your network must be rated at CAT 5e or better. The appliances accept standard RJ-45 Ethernet connectors.
The 1U platform is equipped with four network interfaces on which it can accept service traffic (an additional RJ-45 interface is dedicated to connectivity for the Integrated Lights-Out module). The interfaces can be configured to run at full-duplex 10baseT, 100baseT or gigabit Ethernet speeds.
Although the interfaces can be configured to negotiate this setting automatically, you'll obtain best performance by avoiding the use of auto-negotiation and setting each interface to a specific speed. The reason for this recommendation is that the time required to auto-negotiate bandwidth settings inflicts a small amount of performance overhead. Changing network conditions may cause unnecessary re-negotiation of bandwidth settings, again reducing performance. Problems with other network devices, such as firewalls and routers, may propagate unnecessarily slow performance when using auto-negotiate bandwidth. Theoretically, one malfunctioning router could cause all of the auto-negotiating ACE XML Gateways that work with it to bottleneck all the traffic they handle, potentially reducing bandwidth in zones that have nothing to do with the failed router.
Auto-negotiation often makes performance issues difficult to track down, while preset bandwidth settings can help to identify a malfunctioning router, firewall or ACE XML Gateway quickly.
IP Addresses for Gateways
Depending on the model of the ACE XML appliance, the appliance chassis can have up to five Ethernet ports. The Integrated Lights-Out (iLO) port is for management purposes only, and not intended for service traffic.
Typically, the use of a single interface and IP address is sufficient for handling traffic for the ACE XML Gateway. In some cases, administrators may choose to separate service traffic from ACE XML Manager traffic addressed to the gateway onto two different Ethernet ports. This is an optional configuration, however, meant to enhance security.
Another configuration option involves having multiple IP addresses associated with a given Gateway interface, and accepting traffic for various services on different virtual hosts. To do so, you will need to specify the addresses in the network configuration of the gateway appliance, as described in this guide. In the policy, you then associate ports definitions with the additional IP address. For more information on configuring ports, see the Cisco ACE XML Gateway User Guide.
IP Addresses for Managers
Each ACE XML Manager uses only one Ethernet port and one static IP address. On appliance chassis that have multiple physical Ethernet ports, you can use any Ethernet port to connect the ACE XML Manager to the network.
For extra security, some network administrators place the ACE XML Manager appliance behind their own firewall. Typically, this firewall resides within the corporate intranet, behind the DMZ. The resulting configuration places a minimum of three firewall barriers and at least one Gateway between production Manager appliances and packets arriving from the extranet.
Obtaining the Root Password
Before starting, you'll need the password for the root account on each appliance. The default, built-in password for root user is "swordfish."
Be sure to change the default password at first login.