Radware’s AppDirector And Microsoft Office Communications Server Integration Guide

Products:
Radware AppDirector
Software: AppDirector version 1.06.09
Platform: On-Demand Switch II
Microsoft Office Communications Server 2007

Table of Contents

Solution Overview
Microsoft Office Communications Server Overview
  Office Communications Server Architecture
    Diagram 1.0 - Microsoft Office Communications Server topology
    Pool Configurations
    Front-End Server
    Consolidated Deployment Option
    Diagram 2.0 - Enterprise Pool: Consolidated Configuration
    Expanded Deployment Option
    Diagram 3.0 - Enterprise Pool: Expanded Configuration
    Perimeter Network Configuration for IM and Conferencing
    Diagram 4.0 Office Communications Server 2007 external configuration
    Table 1.0 – Office Communications Server Protocols load balanced by AppDirector
Radware AppDirector Overview
AppDirector and Microsoft Office Communication Server Architecture
    Diagram 5.0 - AppDirector and Microsoft Office Communications Server Reference Architecture
    Table 2.0 - AppDirector IP/Port Configuration Parameters
  Traffic Flow for Internal Users
  Traffic Flow for External Users
Radware’s AppDirector Configuration for Microsoft Office Communication Server
Deployment Notes for the AppDirector
Primary AppDirector Configuration
  IP Configuration
  Farm Configuration
  Create Layer 4 Policy
  Configure NAT
  Extended Farms Settings
  Adding Servers to the Farm
General Redundant Configuration Notes
  L4 Modification Definition for the Backup AppDirector
  Primary AppDirector VRRP Configuration
  Primary Virtual Routers
  Primary Associated IP Addresses
  Primary Mirroring
  Backup AppDirector VRRP Configuration
  Backup Virtual Routers
  Backup Associated IP Addresses
  Backup Mirroring
Appendix 1 – Primary AppDirector Configuration File
Appendix 2 – Backup AppDirector Configuration File

Solution Overview

The Radware and Microsoft Office Communications Server joint solution ensures Office Communications Server customers solution resilience, efficiency and scale. Radware’s AppDirector guarantees Office Communications Server maximum availability, scalability, performance and security. Managing traffic for both the Web Service content and SIP-based Unified Communication services, AppDirector provides advanced health monitoring to avoid system downtime and advanced traffic management to deliver a best-of-breed subsystem. With a pay-as-you-grow platform licensing model, AppDirector ensures long-term investment protection, facilitating the incremental growth demanded by today’s business.

Microsoft Office Communications Server Overview

Office Communications Server 2007 is available in two versions, Standard Edition and Enterprise Edition. The primary difference between these two versions is whether the deployment model is single server or multi-server. Each of these deployment models is referred to as a pool. Standard Edition combines all functions, including the SQL server, onto the same server platform, whereas Enterprise Edition is intended to be deployed on multiple servers, providing scalability for enterprise deployments.
Office Communications Server 2007 Enterprise Edition can be deployed in two different topologies, consolidated and expanded, to support scaling user populations. Microsoft recommends the use of a hardware load balancer for Enterprise Edition deployments to distribute user traffic to the front end servers of a pool. Software load balancing products such as NLB are not recommended for use with Office Communications Server 2007 for deployments larger than 500 users.

Office Communications Server 2007 Edge Servers are deployed in the perimeter network and provide connectivity for external users and public IM connections. Employees traveling, or working from home or in remote offices, use the Edge Servers to remotely access the service.

Client access to Office Communication Server 2007 is provided via Microsoft Office Communicator 2007 and Live Meeting 2007 client desktop software. Optionally, Communicator Web Access 2007 is a web service through which external users can access the IM and presence features of Office Communications Server 2007 from any supported Web browser.

For more information, see the Microsoft Office Communications Server 2007 Planning Guide.

Office Communications Server Architecture

Office Communications Server 2007 is a distributed server environment. Independent software modules work in conjunction to provide the features of Office Communications Server 2007.

Diagram 1.0 - Microsoft Office Communications Server topology

Pool Configurations

An Office Communications Server 2007 pool consists of one or more Front End Servers that provide IM, presence, and conferencing services and are connected to a SQL Server database for storing user and conference information. Office Communications Server 2007 offers three pool configurations: one Standard Edition configuration and the consolidated and expanded Enterprise Edition configurations. For the Standard Edition, the database resides on the same server as the Front End Server.
In addition, conferencing components are deployed on the same physical computer as the Front End in the consolidated pool configuration. In the expanded configuration, the Web Conferencing Server and A/V Conferencing Server are deployed on separate computers within the pool.

Front-End Server

The principal function of the front end server is to provide the following services to end users and control the application environment.

• Address Book Server
• A/V Conferencing Server
• IM Conferencing Server
• Telephony Conferencing Server
• Web Conferencing Server
• Web Components Server

The Office Communications Server 2007, Standard Edition or Enterprise Edition, Front End Server is responsible for the following tasks:

• Handling signaling among servers and between servers and clients
• Authenticating users and maintaining user data, including all user endpoints
• Routing VoIP calls within the enterprise and to the PSTN
• Scheduling and initializing on-premise conferences and managing conference state
• Aggregating enhanced presence information of users for clients
• Routing signaling and IM traffic
• Managing conferencing signaling and conference state
• Hosting SIP server applications
• Filtering SPIM (unsolicited commercial IM traffic)

These services are supported via the following software modules:

• Instant Messaging—The Instant Messaging Conferencing Server (IM MCU) is responsible for user registration into Office Communications Server 2007, instant messaging traffic, and presence state for users.
• Telephony Conferencing—The Telephony Conferencing Server (ACP MCU) is responsible for facilitating audio conferences hosted on a PSTN bridge provided by a telecom provider.
• Web Components—This is an Internet Information Server (IIS) service. The Web Components Server enables organizers to upload presentations and other data for use in a Web conference. Participants download this content via the Web Components Server. This IIS service also performs distribution list (DL) expansion for Office Communicator clients and distributes address book files to clients.
  Note: The Web Components server resides on the front end servers or can be installed on separate, dedicated servers load balanced by an AppDirector for scalability.
• Web Conferencing—The Web Conferencing Server (DATA MCU) enables on-premise conferencing. Users join the web conference via the Microsoft Office Live Meeting 2007 client. Additionally, Web Conferences can include the Audio/Visual Conferencing
• Audio/Visual Conferencing—The A/V Conferencing Server (AV MCU) enables users to share audio and video streams during multipoint conferences.
  Note: The Web and A/V Conferencing Servers can either reside on the front end servers or be installed on separate, dedicated servers. These Conferencing Servers are load balanced by the Focus element of the front-end servers.

The components on the Front End Server are as follows:

• Focus—The service is responsible for conference setup and signaling for the duration of the conference.
• The Focus Factory is responsible solely for scheduling meetings.

Consolidated Deployment Option

Office Communications Server 2007 consolidated configuration deployments typically consist of an Enterprise pool where all server components are co-located on the pool's front end servers. All front end servers in the Enterprise pool are configured identically. The back end server running a SQL Server database resides on a separate dedicated physical server. The consolidated configuration provides scalability and high availability and is easy to plan, deploy, and manage.

Enterprise pool in consolidated configuration requirements:

• Requires two or more front end servers deployed behind a hardware load balancer.
• Each of the Office Communications Server 2007 components is installed onto each front-end server in the pool.
• A dedicated SQL Server is required to support the pool.
• All servers in the Enterprise pool must be deployed on the same subnet.

Diagram 2.0 - Enterprise Pool: Consolidated Configuration

Expanded Deployment Option

This option offers maximum scalability, capacity, performance, and availability for large organizations. Expanded configuration enables organizations to scale up audio/video and Web conferencing requirements independently from other Enterprise Edition server components.

Enterprise pool in expanded configuration requirements:

• Separate servers dedicated for each of the following server roles: front end servers, Web Components Servers, Web and A/V Conferencing Servers
• Hardware load balancer required for front-end servers and Web Components Servers

Note: No load balancer is required for the Web Conferencing or A/V Conferencing Servers. Traffic distribution to these servers is handled by the Focus that runs on the front-end servers.

Diagram 3.0 - Enterprise Pool: Expanded Configuration

Perimeter Network Configuration for IM and Conferencing

Office Communications Server 2007 allows users working outside the enterprise network to participate in on-premise conferences, complete with data collaboration and the ability to relay audio and video through your organization’s firewall. Office Communications Server 2007 also enhances existing support for remote access, federation, and public IM connectivity, which were introduced in Live Communications Server 2005 and Live Communications Server 2005 SP1.

Enabling conferencing and the ability to share data and media with users outside the corporate firewall requires two Edge Server roles that are new in Office Communications Server 2007: the Web Conferencing Edge Server and the A/V Edge Server.
The HTTP reverse proxy is not an Office Communications Server 2007 role, but it is required to provide external access to Address Book file information, the ability to expand membership in distribution groups, access to meeting content in Web conferences, and browser access to Communicator Web Access Server.

Diagram 4.0 shows the servers that are required in the Office Communications Server 2007 perimeter network and the protocols they use to communicate with Internet clients on one side and with Enterprise Edition servers on the other.

Diagram 4.0 Office Communications Server 2007 external configuration

Required servers in the Office Communications Server 2007 perimeter network are as follows.

Access Edge Server

Formerly known as the Access Proxy, the Access Edge Server handles all SIP traffic across the corporate firewall. The Access Edge Server handles only the SIP/SIMPLE traffic that is necessary to establish and validate connections and IM communications. It does not handle data transfer, nor does it authenticate users. Authentication of inbound traffic is performed by the Director or the Front End Server.

A Director is an Office Communications Server 2007 Standard Edition server or Enterprise pool that does not home users and that resides inside the organization’s firewall. The Access Edge Server directly connects to the Director, and the Director routes outbound traffic to the Edge Server. A Director is not mandatory but is strongly recommended. If a Director is not deployed, this authentication is performed on the Front End Server of the pool or Standard Edition server that you designate to do so. (Active Directory access is required to perform authentication, which the edge servers do not have because they are deployed in the perimeter network outside Active Directory.)

The Access Edge Server is essential for all external user scenarios, including conferencing, remote user access, federation, and public IM connectivity.
Web Conferencing Edge Server

The Web Conferencing Edge Server proxies PSOM (Persistent Shared Object Model) traffic between the Web Conferencing Server and external clients. External conference traffic must be authorized by the Web Conferencing Edge Server before it is forwarded to the Web Conferencing Server. The Web Conferencing Edge Server requires that external clients use TLS connections and obtain a conference session key.

A/V Edge Server

The A/V Edge Server provides a single trusted connection point through which inbound and outbound media traffic can securely traverse NATs (network address translators) and firewalls. The industry standard solution for multimedia traversal of firewalls is ICE (Interactive Connectivity Establishment), which is based on the STUN (Simple Traversal Underneath NAT) and TURN (Traversal Using Relay NAT) protocols. The A/V Edge Server is a STUN server. All users are authenticated to secure both access to the enterprise and use of the firewall traversal service that is provided by the A/V Edge Server. To send media inside the enterprise, an external user must be authenticated and must have an authenticated internal user agree to communicate with him or her through the A/V Edge Server. The media streams themselves are exchanged by using SRTP (Secure Real-time Transport Protocol), which is an industry standard for real-time media transmission and reception over IP.

HTTP Reverse Proxy

Office Communications Server 2007 conferencing support for external users also requires deploying an HTTP reverse proxy in the perimeter network for the purpose of carrying HTTP and HTTPS traffic for external users. The HTTP reverse proxy is used to download the following data for external users:

• Address Book Server files
• Web conferencing content
• Expanded distribution lists for group IM

Communicator Web Access

Communicator Web Access is the browser-based client for Office Communications Server 2007.
Communicator Web Access 2007 is designed with a similar look and feel to the desktop version of Microsoft Office Communicator 2007. External users can access the IM and presence features in Office Communications Server 2007 through any supported Web browser. Communicator Web Access Server is deployed in the internal network. Internal users can access it directly. External users access the Communicator Web Access Servers through the HTTP reverse proxy.

Note: The reverse proxy does not run Office Communications Server 2007 or carry SIP traffic.

Port Required | Virtual IP | Port Use
5060 | Load balancer VIP used by the Front End Servers | Client to server SIP communication over TCP
5061 | Load balancer VIP used by the Front End Servers | Client to Front End Server SIP communication over TLS; SIP communication between Front End Servers over MTLS
135 | Load balancer VIP used by the Front End Servers | To move users and perform other pool level WMI operations over DCOM
444 | Load balancer VIP used by the Front End Servers | Communication between the internal components that manage conferencing and the conferencing servers
443 | Load balancer VIP used by the Web Components Server | HTTPS traffic to the pool URLs

Table 1.0 – Office Communications Server Protocols load balanced by AppDirector

For more information, please visit: http://www.microsoft.com/communicationsserver/en/us/technical-resources.aspx

Radware AppDirector Overview

Radware’s AppDirector is an intelligent application delivery controller (ADC) that provides scalability and application-level security for service infrastructure optimization, fault tolerance and redundancy. Radware combined its next-generation, OnDemand Switch multi-gigabit hardware platform with the powerful capabilities of the company’s APSolute™ operating system “classifier” and “flow management” engine.
The result – AppDirector – enables accelerated application performance; local and global server availability; and application security and infrastructure scalability for fast, reliable and secure delivery of applications over IP networks.

AppDirector is powered by the innovative OnDemand Switch platform. OnDemand Switch, which has established a new price/performance standard in the industry, delivers breakthrough performance and superior scalability to meet evolving network and business requirements. Based on its on-demand, “pay-as-you-grow” approach, no forklift upgrade is required even when new business requirements arise. This helps companies guarantee short-term and long-term savings on CAPEX and OPEX for full investment protection. Radware’s OnDemand Switch enables customers to pay for the exact capacity currently required, while allowing them to scale their ADC throughput capacity and add advanced application-aware services or application acceleration services on demand to meet new or changing application and infrastructure needs. And it does so without compromising on performance.

AppDirector lets you get the most out of your service investments by maximizing the utilization of service infrastructure resources and enabling seamless consolidation and high scalability. AppDirector’s throughput licensing options allow pay-as-you-grow investment protection. Make your network adaptive and more responsive to your dynamic services and business needs with AppDirector’s fully integrated traffic classification and flow management, health monitoring and failure bypassing, traffic redirection, bandwidth management, intrusion prevention and DoS protection.
For more information, please visit: http://www.radware.com/

AppDirector and Microsoft Office Communication Server Architecture

Diagram 5.0 - AppDirector and Microsoft Office Communications Server Reference Architecture

Interface | Virtual IP Interface | IP Address | L4 Protocol | L4 Port | L4 Policy | Subnet | IP range | IP's used
G-7 | 26 | 38.21.228.1 | TCP | 5061 | FRONTEND_SIP | 0 | 1-30 | 1,2,10,15,16,24,25,26,30
G-7 | 26 | 38.21.228.2 | TCP | 443 | FRONTEND_AB | | |
G-7 | 26 | 38.21.228.26 | Any | Any | FRONTEND_VRRP | | |
G-7 | 58 | 38.21.228.33 | TCP | 5061 | EDGE_SIP | 32 | 33-62 | 33,45,46,56,57,58
G-7 | 58 | 38.21.228.58 | Any | Any | EDGE_VRRP | | |
G-7 | 90 | 38.21.228.65 | TCP | 5061 | DIRECTOR_SIP | 64 | 65-94 | 65,75,76,88,89,90
G-7 | 90 | 38.21.228.90 | Any | Any | DIRECTOR_VRRP | | |
G-7 | 122 | 38.21.228.97 | TCP | 443 | CWA_HTTPS | 96 | 97-126 | 97,105,106,120,121,122
G-7 | 122 | 38.21.228.122 | Any | Any | CWA_VRRP | | |

Interface | Primary IP | Subnet | Backup IP | Default Gateway
G7 | 38.21.228.24 | 255.255.255.224 | 38.21.228.25 | 38.21.228.30
G7 | 38.21.228.56 | 255.255.255.224 | 38.21.228.57 |
G7 | 38.21.228.88 | 255.255.255.224 | 38.21.228.89 |
G7 | 38.21.228.120 | 255.255.255.224 | 38.21.228.121 |

Client NAT Address | Client NAT intercept range
38.21.228.10 | 38.21.228.1 - 38.21.228.30

Table 2.0 - AppDirector IP/Port Configuration Parameters

Traffic Flow for Internal Users

1. Client service requests are made to the front-end server virtual IP address (VIP) hosted by the AppDirector. These requests are made via SIP over TCP or TLS on either port 5060 or 5061. In the reference architecture, only SIP over TLS on port 5061 was used.
2. Clients requesting meeting content from the Web Component Servers do so via port 443 (HTTPS) to the Web Component Servers load balanced by the AppDirector (expanded configuration). In the consolidated configuration, where the Web Component Server is collocated on the front-end servers, the requests would reference the front-end servers rather than a separately defined Web Component Server Farm (in our reference design this service farm is known as Address Book or AB).
3. Administrative request traffic, which uses UDP port 135, can be hosted via the AppDirector with one-to-one server mappings, using a VIP on the AppDirector to access an individual front-end server, or sent directly to the individual front-end servers.
4. Client conferencing traffic using TCP port 8057 is established directly between clients and Web Conferencing Servers. Therefore, no load balancing is required to be performed by AppDirector.
5. A/V conferencing traffic over the UDP port range 49152 – 65535 goes directly between clients and A/V Conferencing Servers. Therefore, no load balancing is required to be performed by AppDirector.

Traffic Flow for External Users

1. External client SIP requests are made via the Edge Servers load balanced by the AppDirector. They are then passed to a pool of Directors hosted by the AppDirector. Once the client is authenticated by a Director, requests are passed to the pool on which the user is homed (similar to request flows from internal clients). This traffic flow is performed using the SIP protocol over TLS on port 5061. The AppDirector distributes traffic across the servers within each pool of servers for scalability and reliability. The AppDirector maintains affinity to the servers to which it directed client requests for the duration of the user’s session.
2. External client Web requests for meeting content download connect to the Web Component Servers deployed in the network perimeter. Clients connect to the Web Component Servers on port 443 (HTTPS).
3. Communicator Web Access 2007 is designed with a similar look and feel to the desktop version of Microsoft Office Communicator 2007. External users can access the IM and presence features in Office Communications Server 2007 through any supported Web browser. Users access the Communicator Web Access servers through the reverse proxy (previously defined) and then on to the AppDirector, where a specific server is chosen and persisted throughout the lifetime of a client’s session.

Note: The Communicator Web Access and Director can be deployed on multiple servers which are load balanced by the AppDirector. The Access Edge Servers, HTTP Reverse Proxies and A/V Edge Servers can also be load balanced by the AppDirector in the Perimeter Network.

Radware’s AppDirector Configuration for Microsoft Office Communication Server

Deployment Notes for the AppDirector

Farm aging time is tuned to 20 minutes from the default value. This ensures that state entries are not terminated prior to the client aging time.

    appdirector farm table setCreate EDGE_SIP -as Enabled -at 1200 -dm \
    "Fewest Number of Users" -cm "TCP Port" -cp 5061

Sessions that still exist after the aging are reset. This ensures clean-up of abandoned sessions which could otherwise inadvertently hold state on the servers.

    appdirector farm extended-params set EDGE_SIP -sc Enabled

Primary AppDirector Configuration

Using a serial cable and a terminal emulation program, connect to the AppDirector. The default console port settings are:

• Bits per Second: 19200
• Data Bits: 8
• Parity: None
• Stop Bits: 1
• Flow Control: None

1. Using the following command line, assign management IP address 192.168.1.51 / 24 to interface MNG-1 (Dedicated Management Interface) of the AppDirector:

    net ip-interface create 192.168.1.51 255.255.255.0 MNG-1

2. Using a browser, connect to the management IP Address of the AppDirector (192.168.1.51) via HTTP or HTTPS. The default username and password are “radware” and “radware”.
Failure to establish a connection may be due to the following: • • • • Incorrect IP Address in the browser Incorrect IP Address or default route configuration in the AppDirector Failure to enable Web Based Management or Secure Web Based Management in the AppDirector If the AppDirector can be successfully pinged, attempt to connect to it via Telnet or SSH. If the pinging or the Telnet/SSH connection are unsuccessful, reconnect to the AppDirector via its console port. - 16 - IP Configuration 1. From the menu, select Router IP Router Interface Parameters to display the IP Interface Parameters page. 2. Click the Create button. 3. On the IP Interface Parameters Create page, enter the necessary parameters as shown below:1 This will create the interfaces needed for the Office Communications Server ecosystem. 4. Click the Set button to save parameters. 5. Follow steps 1 – 4 to create the rest of the IP Interfaces IP 38 .21.228.56 subnet mask 255.255.255.240 interface G-7 IP 38 .21.228.88 subnet mask 255.255.255.240 interface G-7 IP 38 .21.228.120 subnet mask 255.255.255.240 interface G-7 6. Verify that the new entries were created on the IP Interface Parameters page: 1 Items circled in red indicate settings that need to be entered or changed. Items not circled should be left to default settings. - 17 - Farm Configuration 1. From the menu, select AppDirector Farms Farm Table to display the Farm Table page similar to the one shown below: 2. Click the Create button. 3. On the Farm Table Create page, enter the necessary parameters as shown below:2 2 Items circled in red indicate settings that need to be entered or changed. Items not circled should be left to default settings. - 18 - 4. Click the Set button to save parameters. 5. On Farm Table page Click the Create button to configure another Farm. Enter the necessary parameters as shown below: 6. Click the Set button to save parameters. 7. On Farm Table page Click the Create button to configure another Farm. 
Enter the necessary parameters as shown below: - 19 - 8. Click the Set button to save parameters. 9. On Farm Table page Click the Create button to configure another Farm. Enter the necessary parameters as shown below: 10. Click the Set button to save parameters. 11. On Farm Table page Click the Create button to configure another Farm. Enter the necessary parameters as shown below: - 20 - 12. Click the Set button to save parameters. 13. Verify that the new entries are created on the Farm Table page: Create Layer 4 Policy 1. From the menu, select AppDirector Layer 4 Farm Selection Layer 4 Policy Table to display the Layer 4 Policy Table page similar to the one shown below: - 21 - 2. Click the Create button. 3. On the Layer 4 Policy Table Create page, enter the necessary parameters as shown below. 4. Click the Set button to save the parameters. 5. On Layer 4 Policy Table Create page Click the Create button to configure another Layer 4 Policy. Enter the necessary parameters as shown below: - 22 - 6. Click the Set button to save the parameters. 7. On Layer 4 Policy Table Create page Click the Create button to configure another Layer 4 Policy. Enter the necessary parameters as shown below: 8. Click the Set button to save the parameters. 9. On Layer 4 Policy Table Create page Click the Create button to configure another Layer 4 Policy. Enter the necessary parameters as shown below: - 23 - 10. Click the Set button to save the parameters. 11. On Layer 4 Policy Table Create page Click the Create button to configure another Layer 4 Policy. Enter the necessary parameters as shown below: 12. Click the Set button to save the parameters. 13. On Layer 4 Policy Table Create page Click the Create button to configure another Layer 4 Policy. Enter the necessary parameters as shown below: 14. - 24 - 15. Click the Set button to save the parameters. 16. Follow steps 13-14 to create the rest of the VRRP VIP’s for the remaining subnets in the Layer 4 Policy. 
EDGE_VRRP = 38.21.228.58, DIRECTOR_VRRP = 38.21.228.90 and CWA_VRRP = 38.21.228.122.
17. Verify that the new entry was created on the Layer 4 Policy Table page:

Configure NAT

Client NAT (Source NAT – SNAT)

In addition to the configurations below, you must enable Client NAT in the Extended Farms Table and in the Server Table Configuration; both configuration steps will be identified in upcoming sections. For an explanation of why Client NAT is needed, see the section Traffic Flow for Internal Users.

1. From the menu, select Services > Tuning > Device to display the Device Tuning page similar to the one shown.
2. Adjust the number of allowable Client NAT addresses to the desired amount (at least one) and click the Set button to save parameters.
Note: The AppDirector must be reset in order for the settings to take effect.
3. To reset the device, from the menu, select Device > Reset Device.
4. From the menu, select AppDirector > NAT > Client NAT > Intercept Address to display the Client NAT Intercept Table page similar to the one shown.
5. Click the Create button.
6. Create the intercept range. On the Client NAT Intercept Table Create page, enter the necessary parameters as shown below:
7. Click the Set button to save parameters.
8. From the menu, select AppDirector > NAT > Client NAT > Intercept Address to display the Client NAT Address Table page similar to the one shown.
9. Click the Create button.
10. Create the NAT Address range. On the Client NAT Address Table Create page, enter the necessary parameters as shown below:
11. Click the Set button to save parameters.
12. From the menu, select AppDirector > NAT > Client NAT > Global Parameters to display the Client NAT Global Parameters page similar to the one shown.
13. Enable Client NAT and click the Set button to save parameters.

Extended Farms Settings

1. Click the Extended Farm Parameters URI at the top of the Farm Table page.
2. On the Extended Farm Parameters Table page, click on the Farm Name FRONTEND_SIP.
3. On the Extended Farm Parameters Update page, select the parameters as shown below:
4. Click the Set button to save parameters.
5. Repeat steps 2 - 4 for the extended farm FRONTEND_AB to select “Client NAT Address Range” and “Close Session at Aging”.

Adding Servers to the Farm

1. From the menu, select AppDirector > Servers > Application Servers to display the Server Table page similar to the one shown below:
2. On the Server Table Create page, enter the necessary parameters as shown below:
3. Click the Set button to save parameters.
4. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
5. Click the Set button to save parameters.
6. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
7. Click the Set button to save parameters.
8. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
9. Click the Set button to save parameters.
10. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
11. Click the Set button to save parameters.
12. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
13. Click the Set button to save parameters.
14. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
15. Click the Set button to save parameters.
16. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
17. Click the Set button to save parameters.
18. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
19. Click the Set button to save parameters.
20. On the Server Table Create page, click the Create button to configure another Server. Enter the necessary parameters as shown below:
21. Verify that the new entries were created on the Server Table page:

This completes the Primary AppDirector policy configuration.

General Redundant Configuration Notes

For complete high-availability, Radware encourages implementing pairs of AppDirector units in an Active / Backup configuration. If your implementation of this architecture includes only a single AppDirector, then it is unnecessary to follow the steps in this section.

The overall configuration of a backup AppDirector is almost identical in many ways to that of the active device. There are, however, several important differences that are noted throughout these steps.

Radware offers two means of redundancy and failover between pairs of devices – Proprietary and VRRP. Since VRRP is a more commonly used method within the industry, this section will cover the steps to configure both AppDirectors using that method [3]. There are separate configuration steps to be taken on both the Active and Backup AppDirector devices, and this section is divided into two parts – one for the active device and one for the backup device.

Follow the steps previously defined to create the Backup AppDirector configuration. The only difference between the primary and the backup device, beyond what is yet to be defined specifically for VRRP, is the Redundancy Status setting. In the Backup AppDirector configuration, when filling in the Layer 4 Policy Table Create page, the Redundancy Status needs to be set to Backup on all farm definitions. The suggested change to the configuration instructions is defined below.

[3] For a detailed discussion of VRRP, see RFC 3768.

L4 Modification Definition for the Backup AppDirector

1. From the menu, select AppDirector > Layer 4 Farm Selection > Layer 4 Policy Table to display the Layer 4 Policy Table page similar to the one shown below:
2. Click the Create button.
3. On the Layer 4 Policy Table Create page, enter the parameters as previously done for the primary device except for the Redundancy Status; select “Backup” as shown below.
4. Click the Set button to save the parameters.

Primary AppDirector VRRP Configuration

1. From the menu, select AppDirector > Redundancy > Global Configuration and set the parameters as noted below:
2. Click the Set button to save these changes.

Primary Virtual Routers

1. From the menu, select AppDirector > Redundancy > VRRP > Virtual Routers to display the Virtual Router Table page similar to the one shown below.
2. Click the Create button.
3. On the Virtual Router Table page, enter the necessary parameters as shown below.
4. Click the Set button to save the parameters.
5. On the Virtual Router Table page, click the Create button to create a new Virtual Router and enter the necessary parameters as shown below.
6. Click the Set button to save the parameters.
7. On the Virtual Router Table page, click the Create button to create a new Virtual Router and enter the necessary parameters as shown below.
8. Click the Set button to save the parameters.
9. On the Virtual Router Table page, click the Create button to create a new Virtual Router and enter the necessary parameters as shown below.
10. Verify that the new entries were created on the Virtual Router Table page:

Primary Associated IP Addresses

1. From the menu, select AppDirector > Redundancy > VRRP > Associated IP Addresses to display the Associated IP Addresses Create page similar to the one shown below:
2. Click the Create button.
3. On the Associated IP Addresses Create page, enter the necessary parameters as shown below:
4. Click the Set button to save the parameters.
5. Follow steps 2-4 to create the rest of the associated IP Addresses (follow table below).
6. Verify that the new entries are created on the Associated IP Addresses page:
7. Go to AppDirector > Redundancy > VRRP > Virtual Routers and on the Virtual Router Table under VRID’s Up/Down select “All Up” and click on the Set button to enable all Virtual Routers.
8. Make certain that the State of this VR is displayed as Master in the Virtual Router table.

Primary Mirroring

1. Go to AppDirector > Redundancy > Mirroring > Active Device Parameters and set the Client Table Mirroring status to enable:
2. Click the Set button to save the parameters.
3. From the menu, select AppDirector > Redundancy > Mirroring > Mirror Device Parameters to display the Mirror Device Parameters page similar to the one shown below.
4. Click the Create button.
5. On the Mirror Device Parameters page, enter the necessary parameters as shown below:
Note: This sets the Backup AD target address used for mirror traffic.
6. Click the Set button to save the parameters.

This completes VRRP redundancy configuration on the Primary AppDirector.

Backup AppDirector VRRP Configuration

Note: Interface Grouping is not required for the backup AppDirector because of the working assumption that if the Backup device holds Master VRRP status we should continue to provide best effort traffic management even if a single interface is lost.

1. On the Backup AppDirector, go to AppDirector > Redundancy > Global Configuration and change the following setting:
2. Click the Set button to save the parameters.

Backup Virtual Routers

1. From the menu, select AppDirector > Redundancy > VRRP > Virtual Routers to display the Virtual Router Table page similar to the one shown below.
2. Click the Create button.
3. On the Virtual Router Table page, enter the necessary parameters as shown below.
Note: The Priority on the Backup AppDirector is set to 100, while on the Primary device this value was set to 250. The device with the higher priority will be Master of this Virtual Router.
4. Click the Set button to save the parameters.
5. Repeat steps 4 - 6 to create the rest of the Virtual Routers.
6. Verify that the new entries were created on the Virtual Router Table page:

Backup Associated IP Addresses

1. From the menu, select AppDirector > Redundancy > VRRP > Associated IP Addresses to display the Associated IP Addresses Create page similar to the one shown below:
2. Click the Create button.
3. On the Associated IP Addresses Create page, enter the necessary parameters as shown below:
Note: This association entry is a Virtual IP Interface. Since that IP address functions as the default gateway address for each of the farm servers, we will need the Backup AppDirector to assume responsibility for this IP if the Active device fails. This is why it is defined in the Backup AppDirector’s table. The Association Table from both devices should match when complete.
4. Click the Set button to save the parameters.
5. Follow steps 2-4 to create the rest of the associated IP Addresses.
6. Verify that the new entries are created on the Associated IP Addresses page:
7. Go to AppDirector > Redundancy > VRRP > Virtual Routers and on the Virtual Router Table under VRID’s Up/Down select “All Up” and click on the Set button to enable all Virtual Routers.
8. Make certain that the State of this VR is displayed as Backup in the Virtual Router table.

Backup Mirroring

1. Go to AppDirector > Redundancy > Mirroring > Backup Device Parameters and set the mirroring status to enable:
2. Click the Set button to save the parameters.
3. Go to AppDirector > Redundancy > Mirroring > Mirror Device Parameters and create a new entry:
This sets the Master AD target address used for mirror traffic.
4. Click the Set button to save the parameters.

This completes VRRP redundancy configuration on the Backup AppDirector.

Appendix 1 – Primary AppDirector Configuration File

!
!Device Configuration
!Date: 07-01-2009 23:48:08
!DeviceDescription: AppDirector Global
!Base MAC Address: 00:03:b2:3d:41:c0
!Software Version: 1.06.07 (Build date Feb 13 2008, 23:50:02,Build#50)
!APSolute OS Version: 10.31-01.01(26):2.06.06
!
!
! The following commands will take effect only
! once the device has been rebooted!
!
manage snmp versions-after-reset set "v1 & v2c & v3"
!
! The following commands take effect immediately
! upon execution!
!
net linkaggr ports set 1 -t T-1
net linkaggr ports set 2 -t T-1
net ip-interface create 38.21.228.24 255.255.255.224 7
net ip-interface create 38.21.228.56 255.255.255.224 7
net ip-interface create 38.21.228.88 255.255.255.224 7
net ip-interface create 38.21.228.120 255.255.255.224 7
net ip-interface create 192.168.1.51 255.255.255.0 17
net route table create 0.0.0.0 0.0.0.0 38.21.228.30 -i 7
redundancy mode set VRRP
system mib2-name set WSC3GS08A
appdirector farm table setCreate EDGE_SIP -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp 5061
appdirector farm table setCreate CWA_HTTPS -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp HTTPS
appdirector farm table setCreate FRONTEND_SIP -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp 5061
appdirector farm table setCreate FRONTEND_AB -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp HTTPS
appdirector farm table setCreate DIRECTOR_SIP -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp 5061
appdirector farm server table create FRONTEND_SIP 38.21.228.15 None -sn \
FE_SIP_SVR_15 -id 6 -cn Enabled -sd FE_SIP_SVR_15 -nr 38.21.228.10
appdirector farm server table create FRONTEND_AB 38.21.228.16 None -sn \
FE_SIP_AB_16 -id 8 -cn Enabled -sd FE_SIP_AB_16 -nr 38.21.228.10
appdirector farm server table create EDGE_SIP 38.21.228.45 None -sn \
EDGE_SIP_SVR_45 -id 2 -sd EDGE_SIP_SVR_45
appdirector farm server table create EDGE_SIP 38.21.228.46 None -sn \
EDGE_SIP_SVR_46 -id 3 -sd EDGE_SIP_SVR_46
appdirector farm server table create FRONTEND_SIP 38.21.228.16 None -sn \
FE_SIP_SVR_16 -id 4 -cn Enabled -sd FE_SIP_SVR_16 -nr 38.21.228.10
appdirector farm server table create FRONTEND_AB 38.21.228.15 None -sn \
FE_SIP_AB_15 -id 7 -cn Enabled -sd FE_SIP_AB_15 -nr 38.21.228.10
appdirector farm server table create DIRECTOR_SIP 38.21.228.75 None -sn \
DIR_SIP_SVR_75 -id 9 -sd DIR_SIP_SVR_75
appdirector farm server table create DIRECTOR_SIP 38.21.228.76 None -sn \
DIR_SIP_SVR_76 -id 10 -sd DIR_SIP_SVR_76
appdirector farm server table create CWA_HTTPS 38.21.228.105 None -sn \
CWA_HTTPS_SVR105 -id 11 -sd CWA_HTTPS_SVR105
appdirector farm server table create CWA_HTTPS 38.21.228.106 None -sn \
CWA_HTTPS_SVR106 -id 12 -sd CWA_HTTPS_SVR106
redundancy interface-group set enable
redundancy mirror main client-status set enable
redundancy mirror address setCreate 38.21.228.25
redundancy backup-in-vlan set disable
appdirector farm connectivity-check httpcode setCreate EDGE_SIP \
"200 - OK"
appdirector farm connectivity-check httpcode setCreate CWA_HTTPS \
"200 - OK"
appdirector farm connectivity-check httpcode setCreate FRONTEND_SIP \
"200 - OK"
appdirector farm connectivity-check httpcode setCreate FRONTEND_AB \
"200 - OK"
appdirector farm connectivity-check httpcode setCreate DIRECTOR_SIP \
"200 - OK"
redundancy backup-fake-arp set enable
appdirector farm nhr setCreate 0.0.0.0 -ip 38.21.228.30 -fl 0
appdirector farm extended-params set EDGE_SIP -sc Enabled
appdirector farm extended-params set CWA_HTTPS -sc Enabled
appdirector farm extended-params set FRONTEND_SIP -nr 38.21.228.10 -sc \
Enabled
appdirector farm extended-params set FRONTEND_AB -nr 38.21.228.10 -sc \
Enabled
appdirector farm extended-params set DIRECTOR_SIP -sc Enabled
appdirector nat client address-range setCreate 38.21.228.10 -t \
38.21.228.10
appdirector nat client range-to-nat setCreate 38.21.228.1 -t \
38.21.228.30
appdirector nat client status set Enabled
redundancy backup-interface-group set disable
appdirector segmentation nhr-table setCreate DefaultNHR -ip \
38.21.228.30 -fl 0
appdirector l4-policy table create 38.21.228.58 Any Any 0.0.0.0 \
EDGE_VRRP -ta "Virtual IP Interface"
appdirector l4-policy table create 38.21.228.26 Any Any 0.0.0.0 \
FRONTEND_VRRP -ta "Virtual IP Interface"
appdirector l4-policy table create 38.21.228.90 Any Any 0.0.0.0 \
DIRECTOR_VRRP -ta "Virtual IP Interface"
appdirector l4-policy table create 38.21.228.122 Any Any 0.0.0.0 \
CWA_VRRP -ta "Virtual IP Interface"
appdirector l4-policy table create 38.21.228.1 TCP 5061 0.0.0.0 \
FRONTEND_SIP -fn FRONTEND_SIP
appdirector l4-policy table create 38.21.228.2 TCP 443 0.0.0.0 \
FRONTEND_AB -fn FRONTEND_AB
appdirector l4-policy table create 38.21.228.65 TCP 5061 0.0.0.0 \
DIRECTOR_SIP -fn DIRECTOR_SIP
appdirector l4-policy table create 38.21.228.33 TCP 5061 0.0.0.0 \
EDGE_SIP -fn EDGE_SIP
appdirector l4-policy table create 38.21.228.97 TCP 443 0.0.0.0 \
CWA_HTTPS -fn CWA_HTTPS
redundancy vrrp automated-config-update set Enabled
redundancy mirror main sid-status set enable
health-monitoring status set enable
health-monitoring response-level-samples set 0
redundancy vrrp virtual-routers create 7 26 -as up -p 250 -pip \
38.21.228.24
redundancy vrrp virtual-routers create 7 58 -as up -p 250 -pip \
38.21.228.56
redundancy vrrp virtual-routers create 7 90 -as up -p 250 -pip \
38.21.228.88
redundancy vrrp virtual-routers create 7 122 -as up -p 250 -pip \
38.21.228.120
redundancy vrrp associated-ip create 7 26 38.21.228.1
redundancy vrrp associated-ip create 7 26 38.21.228.2
redundancy vrrp associated-ip create 7 26 38.21.228.26
redundancy vrrp associated-ip create 7 58 38.21.228.33
redundancy vrrp associated-ip create 7 58 38.21.228.58
redundancy vrrp associated-ip create 7 90 38.21.228.65
redundancy vrrp associated-ip create 7 90 38.21.228.90
redundancy vrrp associated-ip create 7 122 38.21.228.97
redundancy vrrp associated-ip create 7 122 38.21.228.122
manage user table create radware -pw GndridF04zNWSGOrZjKFV78REiEra/Qm
manage telnet status set enable
manage telnet server-port set 23
manage web status set enable
manage ssh status set enable
manage secure-web status set enable
redundancy arp-interface-group set Send
net l2-interface set 100001 -ad up
manage terminal prompt set WSC3GS08A
manage snmp groups create SNMPv1 public -gn initial
manage snmp groups create SNMPv1 ReadOnlySecurity -gn InitialReadOnly
manage snmp groups create SNMPv2c public -gn initial
manage snmp groups create SNMPv2c ReadOnlySecurity -gn InitialReadOnly
manage snmp groups create UserBased radware -gn initial
manage snmp groups create UserBased ReadOnlySecurity -gn InitialReadOnly
manage snmp access create initial SNMPv1 noAuthNoPriv -rvn iso -wvn iso \
-nvn iso
manage snmp access create InitialReadOnly SNMPv1 noAuthNoPriv -rvn \
ReadOnlyView
manage snmp access create initial SNMPv2c noAuthNoPriv -rvn iso -wvn iso \
-nvn iso
manage snmp access create InitialReadOnly SNMPv2c noAuthNoPriv -rvn \
ReadOnlyView
manage snmp access create initial UserBased authPriv -rvn iso -wvn iso \
-nvn iso
manage snmp access create InitialReadOnly UserBased authPriv -rvn \
ReadOnlyView
manage snmp views create iso 1
manage snmp views create ReadOnlyView 1
manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.2.7.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.18.1.1 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.15.1.2.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.35.1.61 -cm \
excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.4 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.5 -cm excluded
manage snmp notify create allTraps -ta v3Traps
manage snmp users create radware -cf 0.0 -ap MD5 -akc \
f03a22e55aecd6ba859214cd9f3a0a13 -pp DES -pkc \
f03a22e55aecd6ba859214cd9f3a0a13
manage snmp target-address create v3MngStations -tl v3Traps -p \
radware-authPriv
manage snmp target-parameters create public-v1 -d SNMPv1 -sm SNMPv1 -sn \
public -sl noAuthNoPriv
manage snmp target-parameters create public-v2 -d SNMPv2c -sm SNMPv2c \
-sn public -sl noAuthNoPriv
manage snmp target-parameters create radware-authPriv -d SNMPv3 -sm \
UserBased -sn radware -sl authPriv
manage snmp community create public -n public -sn public
manage telnet session-timeout set 5
manage telnet auth-timeout set 30
appdirector global connectivity-check tcp-timeout set 3
!File Signature: 5cd237ad2a92b9c1375ce84307df3e0a

Appendix 2 – Backup AppDirector Configuration File

!
!Device Configuration
!Date: 08-01-2009 01:45:31
!DeviceDescription: AppDirector Global
!Base MAC Address: 00:03:b2:3d:41:c0
!Software Version: 1.06.07 (Build date Feb 13 2008, 23:50:02,Build#50)
!APSolute OS Version: 10.31-01.01(26):2.06.06
!
!
! The following commands will take effect only
! once the device has been rebooted!
!
manage snmp versions-after-reset set "v1 & v2c & v3"
!
! The following commands take effect immediately
! upon execution!
!
net linkaggr ports set 1 -t T-1
net linkaggr ports set 2 -t T-1
net ip-interface create 192.168.1.51 255.255.255.0 17
net ip-interface create 38.21.228.25 255.255.255.224 7
net ip-interface create 38.21.228.57 255.255.255.224 7
net ip-interface create 38.21.228.89 255.255.255.224 7
net ip-interface create 38.21.228.121 255.255.255.224 7
redundancy mode set VRRP
system mib2-name set WSC3GS08A
appdirector farm table setCreate EDGE_SIP -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp 5061
appdirector farm table setCreate CWA_HTTPS -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp HTTPS
appdirector farm table setCreate FRONTEND_SIP -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp 5061
appdirector farm table setCreate FRONTEND_AB -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp HTTPS
appdirector farm table setCreate DIRECTOR_SIP -as Enabled -at 1200 -dm \
"Fewest Number of Users" -cm "TCP Port" -cp 5061
appdirector farm server table create FRONTEND_SIP 38.21.228.15 None -sn \
FE_SIP_SVR_15 -id 6 -cn Enabled -sd FE_SIP_SVR_15 -nr 38.21.228.10
appdirector farm server table create FRONTEND_AB 38.21.228.16 None -sn \
FE_SIP_AB_16 -id 8 -cn Enabled -sd FE_SIP_AB_16 -nr 38.21.228.10
appdirector farm server table create EDGE_SIP 38.21.228.45 None -sn \
EDGE_SIP_SVR_45 -id 2 -sd EDGE_SIP_SVR_45
appdirector farm server table create EDGE_SIP 38.21.228.46 None -sn \
EDGE_SIP_SVR_46 -id 3 -sd EDGE_SIP_SVR_46
appdirector farm server table create FRONTEND_SIP 38.21.228.16 None -sn \
FE_SIP_SVR_16 -id 4 -cn Enabled -sd FE_SIP_SVR_16 -nr 38.21.228.10
appdirector farm server table create FRONTEND_AB 38.21.228.15 None -sn \
FE_SIP_AB_15 -id 7 -cn Enabled -sd FE_SIP_AB_15 -nr 38.21.228.10
appdirector farm server table create DIRECTOR_SIP 38.21.228.75 None -sn \
DIR_SIP_SVR_75 -id 9 -sd DIR_SIP_SVR_75
appdirector farm server table create DIRECTOR_SIP 38.21.228.76 None -sn \
DIR_SIP_SVR_76 -id 10 -sd DIR_SIP_SVR_76
appdirector farm server table create CWA_HTTPS 38.21.228.105 None -sn \
CWA_HTTPS_SVR105 -id 11 -sd CWA_HTTPS_SVR105
appdirector farm server table create CWA_HTTPS 38.21.228.106 None -sn \
CWA_HTTPS_SVR106 -id 12 -sd CWA_HTTPS_SVR106
redundancy interface-group set enable
redundancy mirror backup status set disable
redundancy mirror main client-status set enable
redundancy mirror address setCreate 38.21.228.24
redundancy backup-in-vlan set disable
appdirector farm connectivity-check httpcode setCreate EDGE_SIP \
"200 - OK"
appdirector farm connectivity-check httpcode setCreate CWA_HTTPS \
"200 - OK"
appdirector farm connectivity-check httpcode setCreate FRONTEND_SIP \
"200 - OK"
appdirector farm connectivity-check httpcode setCreate FRONTEND_AB \
"200 - OK"
appdirector farm connectivity-check httpcode setCreate DIRECTOR_SIP \
"200 - OK"
redundancy backup-fake-arp set enable
appdirector farm extended-params set EDGE_SIP -sc Enabled
appdirector farm extended-params set CWA_HTTPS -sc Enabled
appdirector farm extended-params set FRONTEND_SIP -nr 38.21.228.10 -sc \
Enabled
appdirector farm extended-params set FRONTEND_AB -nr 38.21.228.10 -sc \
Enabled
appdirector farm extended-params set DIRECTOR_SIP -sc Enabled
appdirector nat client address-range setCreate 38.21.228.10 -t \
38.21.228.10
appdirector nat client range-to-nat setCreate 38.21.228.1 -t \
38.21.228.30
appdirector nat client status set Enabled
redundancy backup-interface-group set enable
appdirector l4-policy table create 38.21.228.58 Any Any 0.0.0.0 \
EDGE_VRRP -ta "Virtual IP Interface" -rs Backup
appdirector l4-policy table create 38.21.228.26 Any Any 0.0.0.0 \
FRONTEND_VRRP -ta "Virtual IP Interface" -rs Backup
appdirector l4-policy table create 38.21.228.90 Any Any 0.0.0.0 \
DIRECTOR_VRRP -ta "Virtual IP Interface" -rs Backup
appdirector l4-policy table create 38.21.228.122 Any Any 0.0.0.0 \
CWA_VRRP -ta "Virtual IP Interface" -rs Backup
appdirector l4-policy table create 38.21.228.1 TCP 5061 0.0.0.0 \
FRONTEND_SIP -fn FRONTEND_SIP -rs Backup
appdirector l4-policy table create 38.21.228.2 TCP 443 0.0.0.0 \
FRONTEND_AB -fn FRONTEND_AB -rs Backup
appdirector l4-policy table create 38.21.228.65 TCP 5061 0.0.0.0 \
DIRECTOR_SIP -fn DIRECTOR_SIP -rs Backup
appdirector l4-policy table create 38.21.228.33 TCP 5061 0.0.0.0 \
EDGE_SIP -fn EDGE_SIP -rs Backup
appdirector l4-policy table create 38.21.228.97 TCP 443 0.0.0.0 \
CWA_HTTPS -fn CWA_HTTPS -rs Backup
redundancy vrrp automated-config-update set Enabled
redundancy mirror main sid-status set enable
health-monitoring status set enable
health-monitoring response-level-samples set 0
redundancy vrrp virtual-routers create 7 26 -pip 38.21.228.57
redundancy vrrp virtual-routers create 7 58 -pip 38.21.228.57
redundancy vrrp virtual-routers create 7 90 -pip 38.21.228.57
redundancy vrrp virtual-routers create 7 122 -pip 38.21.228.57
redundancy vrrp associated-ip create 7 26 38.21.228.1
redundancy vrrp associated-ip create 7 26 38.21.228.2
redundancy vrrp associated-ip create 7 26 38.21.228.26
redundancy vrrp associated-ip create 7 58 38.21.228.33
redundancy vrrp associated-ip create 7 58 38.21.228.58
redundancy vrrp associated-ip create 7 90 38.21.228.65
redundancy vrrp associated-ip create 7 90 38.21.228.90
redundancy vrrp associated-ip create 7 122 38.21.228.97
redundancy vrrp associated-ip create 7 122 38.21.228.122
manage user table create radware -pw GndridF04zNWSGOrZjKFV78REiEra/Qm
manage telnet status set enable
manage telnet server-port set 23
manage web status set enable
manage ssh status set enable
manage secure-web status set enable
redundancy arp-interface-group set Send
net l2-interface set 100001 -ad up
redundancy vrrp global-advertise-int set 0
manage terminal prompt set WSC3GS08A
manage snmp groups create SNMPv1 public -gn initial
manage snmp groups create SNMPv1 ReadOnlySecurity -gn InitialReadOnly
manage snmp groups create SNMPv2c public -gn initial
manage snmp groups create SNMPv2c ReadOnlySecurity -gn InitialReadOnly
manage snmp groups create UserBased radware -gn initial
manage snmp groups create UserBased ReadOnlySecurity -gn InitialReadOnly
manage snmp access create initial SNMPv1 noAuthNoPriv -rvn iso -wvn iso \
-nvn iso
manage snmp access create InitialReadOnly SNMPv1 noAuthNoPriv -rvn \
ReadOnlyView
manage snmp access create initial SNMPv2c noAuthNoPriv -rvn iso -wvn iso \
-nvn iso
manage snmp access create InitialReadOnly SNMPv2c noAuthNoPriv -rvn \
ReadOnlyView
manage snmp access create initial UserBased authPriv -rvn iso -wvn iso \
-nvn iso
manage snmp access create InitialReadOnly UserBased authPriv -rvn \
ReadOnlyView
manage snmp views create iso 1
manage snmp views create ReadOnlyView 1
manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.2.7.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.18.1.1 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.15.1.2.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.35.1.61 -cm \
excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.4 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.5 -cm excluded
manage snmp notify create allTraps -ta v3Traps
manage snmp users create radware -cf 0.0 -ap MD5 -akc \
f03a22e55aecd6ba859214cd9f3a0a13 -pp DES -pkc \
f03a22e55aecd6ba859214cd9f3a0a13
manage snmp target-address create v3MngStations -tl v3Traps -p \
radware-authPriv
manage snmp target-parameters create public-v1 -d SNMPv1 -sm SNMPv1 -sn \
public -sl noAuthNoPriv
manage snmp target-parameters create public-v2 -d SNMPv2c -sm SNMPv2c \
-sn public -sl noAuthNoPriv
manage snmp target-parameters create radware-authPriv -d SNMPv3 -sm \
UserBased -sn radware -sl authPriv
manage snmp community create public -n public -sn public
manage telnet session-timeout set 5
manage telnet auth-timeout set 30
redundancy force-down-ports-time set 0
appdirector global connectivity-check tcp-timeout set 3
!File Signature: 9aaf02e9a485d91550febbbce43628de

Technical Support

Radware offers technical support for all of its products through the Radware Certainty Support Program. Please refer to your Certainty Support contract, or the Radware Certainty Support Guide available at: http://www.radware.com/content/support/supportprogram/default.asp.

For more information, please contact your Radware Sales representative or:
U.S. and Americas: (866) 234-5763
International: +972(3) 766-8666

© 2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks or trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners.
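Added example (not part of the original guide and not Radware tooling): a Python check that parses exports in the format of Appendix 1 and Appendix 2, verifies the two rules the redundancy section states (matching Associated IP tables, Redundancy Status Backup on every backup Layer 4 policy), and flags the management-plane settings visible in the same files. The positional field order of `l4-policy table create` and the reading of `-sn`, `-gn`, `-n` and `-wvn` as security name, group name, community name and write view are assumptions taken from the appendix lines; the backup excerpt is constructed with two deliberate mistakes.

```python
import shlex

def parse_config(text):
    """Split an export into commands; '!' lines are comments and a trailing
    backslash continues the command on the next line (as in the appendices)."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        commands.append(shlex.split(pending + line))
        pending = ""
    return commands

def select(commands, *prefix):
    """Arguments of every command that begins with the given words."""
    n = len(prefix)
    return [c[n:] for c in commands if tuple(c[:n]) == prefix]

def option(args, name):
    """Value that follows option `name` (for example '-rs'), or None."""
    return args[args.index(name) + 1] if name in args[:-1] else None

def check_pair(primary, backup):
    """Compare both devices against the two rules the guide states."""
    findings = []
    assoc = ("redundancy", "vrrp", "associated-ip", "create")
    p_assoc = {tuple(a) for a in select(primary, *assoc)}
    b_assoc = {tuple(a) for a in select(backup, *assoc)}
    # "The Association Table from both devices should match when complete."
    for side, missing in (("backup", p_assoc - b_assoc), ("primary", b_assoc - p_assoc)):
        for _iface, vrid, ip in sorted(missing):
            findings.append(f"associated-ip {ip} (VRID {vrid}) missing on {side}")
    # Redundancy Status must be Backup on every Layer 4 policy of the backup.
    # Assumed positional fields: VIP, protocol, port, source, policy name.
    for args in select(backup, "appdirector", "l4-policy", "table", "create"):
        if option(args, "-rs") != "Backup":
            findings.append(f"backup l4-policy {args[4]} ({args[0]}) lacks -rs Backup")
    return findings

def check_management(commands):
    """Flag cleartext management and community strings with write access."""
    findings = []
    if ["enable"] in select(commands, "manage", "telnet", "status", "set"):
        findings.append("telnet management is enabled")
    # Assumed mapping (VACM style): community -> security name (-sn) ->
    # group (-gn) -> access row; -wvn names the write view of that row.
    groups = {(g[0], g[1]): option(g, "-gn")
              for g in select(commands, "manage", "snmp", "groups", "create")}
    writable = {(a[0], a[1])
                for a in select(commands, "manage", "snmp", "access", "create")
                if option(a, "-wvn")}
    for c in select(commands, "manage", "snmp", "community", "create"):
        for model in ("SNMPv1", "SNMPv2c"):
            group = groups.get((model, option(c, "-sn")))
            if (group, model) in writable:
                findings.append(f"{model} community '{option(c, '-n')}' "
                                f"has a write view through group '{group}'")
    return findings

# Excerpt of Appendix 1 (values as printed in the guide).
PRIMARY = r'''
!Device Configuration
appdirector l4-policy table create 38.21.228.26 Any Any 0.0.0.0 \
FRONTEND_VRRP -ta "Virtual IP Interface"
appdirector l4-policy table create 38.21.228.1 TCP 5061 0.0.0.0 \
FRONTEND_SIP -fn FRONTEND_SIP
redundancy vrrp associated-ip create 7 26 38.21.228.1
redundancy vrrp associated-ip create 7 26 38.21.228.26
manage telnet status set enable
manage snmp groups create SNMPv1 public -gn initial
manage snmp access create initial SNMPv1 noAuthNoPriv -rvn iso -wvn iso \
-nvn iso
manage snmp community create public -n public -sn public
'''

# Constructed backup excerpt with two deliberate mistakes: the SIP policy
# lacks "-rs Backup" and associated IP 38.21.228.26 is missing.
BACKUP_DRIFTED = r'''
appdirector l4-policy table create 38.21.228.26 Any Any 0.0.0.0 \
FRONTEND_VRRP -ta "Virtual IP Interface" -rs Backup
appdirector l4-policy table create 38.21.228.1 TCP 5061 0.0.0.0 \
FRONTEND_SIP -fn FRONTEND_SIP
redundancy vrrp associated-ip create 7 26 38.21.228.1
'''

if __name__ == "__main__":
    p, b = parse_config(PRIMARY), parse_config(BACKUP_DRIFTED)
    print(*check_pair(p, b), *check_management(p), sep="\n")
```

Run against the full exports, an empty result from `check_pair` means the backup satisfies both stated rules; `check_management` findings point at settings to review before the devices face untrusted networks.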