
Upload: dinhquynh

Post on 12-Apr-2018


DEPLOYMENT GUIDE

Load balancing Microsoft IAG Using Stingray Traffic Manager with Microsoft IAG (Intelligent Application Gateway) Server


Deploying Stingray Traffic Manager with Microsoft IAG

© 2011 Riverbed Technology. All rights reserved.

Table of Contents

Introduction
    What is Stingray Traffic Manager?
    Stingray Traffic Manager VA (Virtual Appliance) for Windows
Deployment Architecture
Installing Stingray Traffic Manager VA for Windows
Running the Initial Configuration Wizard
    Configure Networking
    Completing the wizard
Creating a Stingray Traffic Manager cluster
    Join a Cluster wizard
Configuring Stingray Traffic Manager for the IAG Service
    Manage a new service wizard
    Creating a Traffic IP Group
    Binding a service to a Traffic IP
Session Persistence
    IP-based Session Persistence
    More powerful session persistence
        Configuring SSL decryption and re-encryption
        Transparent Session Affinity
Summary
About Riverbed


INTRODUCTION

This document will show you how to deploy Riverbed® Stingray™ Traffic Manager with Microsoft® Intelligent Application Gateway (IAG) server. The IAG server is an SSL VPN device which was acquired by Microsoft from Whale Communications in July 2006. We will discuss using Stingray Traffic Manager to load balance IAG VPN services, to increase the availability and performance of your Microsoft edge services.

In this white paper we will assume you are using Stingray Traffic Manager Load Balancer Virtual Appliance (VA) for Windows running on the same hardware as the IAG server. However, the content is also relevant to customers using other variants of Zeus Stingray Traffic Manager or Stingray Traffic Manager Load Balancer software on different platforms, Stingray Traffic Manager or Stingray Traffic Manager Load Balancer Appliances, or Stingray Traffic Manager Virtual Appliances.

What is Stingray Traffic Manager?

Stingray Traffic Manager is an application Load Balancer and Traffic Manager. It operates at layer 7 (the application layer) of the OSI stack. Stingray Traffic Manager manages your application traffic, performing deep packet inspection and making dynamic routing decisions as it load balances traffic across your application infrastructure. Stingray Traffic Manager also monitors the availability of those applications and ensures that your clients receive the best possible service.

Stingray Traffic Manager is fully fault tolerant and will cluster with other Stingray Traffic Manager instances to ensure high availability of your applications even if one of the Stingray Traffic Manager instances should fail. We often think of Stingray Traffic Manager as a toolkit which, with our powerful TrafficScript language, can implement almost any traffic routing logic you could ever require.

Stingray Traffic Manager is available as software, as virtual appliances and as dedicated hardware appliances. It also comes in two main variants: full Stingray Traffic Manager, and Stingray Traffic Manager Load Balancer. Stingray Traffic Manager Load Balancer is the entry-level load balancer and is perfectly suited for managing IAG and simple ISA services.

Stingray Traffic Manager VA (Virtual Appliance) for Windows

Stingray Traffic Manager Virtual Appliance for Windows is a Microsoft Virtual Appliance which has been specially optimized for use with Microsoft Virtual Server. Stingray Traffic Manager Virtual Appliance for Windows includes an MMC snap-in component to allow configuration of the virtual appliance hardware from within the Windows 2003 host operating system. Stingray Traffic Manager Virtual Appliance for Windows, like all other Stingray Traffic Manager products, is configured for the most part through the Web UI (User Interface).


Deployment Architecture

In this deployment guide, we shall install one copy of the Stingray Traffic Manager software on each of two separate IAG servers. By doing so, we can scale the capacity of the IAG servers and make the system resilient to any individual hardware or software failure.

The following diagram shows a typical Stingray Traffic Manager VA for Windows/IAG deployment. The Stingray Traffic Manager instances on Server One and Server Two are clustered together. Stingray Traffic Manager uses Traffic IP Groups to manage the High Availability of a service. In this example the Stingray Traffic Manager cluster has raised two IP addresses in the TIP Group, 10.100.42.15 and 10.100.42.16. All connections to those addresses are load balanced across the instances of the IAG software.

Stingray Traffic Manager’s fault tolerance capabilities will ensure that the service will continue to be available in the event of either physical server failing.


Installing Stingray Traffic Manager Virtual Appliance for Windows

An evaluation copy of the Stingray Traffic Manager Virtual Appliance for Windows can be downloaded from www.riverbed.com. Copy the installer onto each IAG server, and then execute the setup.exe application.

The setup application will extract the files required by the installer and then launch the installation process automatically. Follow the on-screen instructions to install Stingray Traffic Manager Virtual Appliance for Windows on to your server. During the installation process, you will be asked to select the network interfaces you would like to make available to Stingray Traffic Manager. These network interfaces will be used to receive external traffic from remote clients, to communicate with the IAG software running on each server in the cluster, and to receive management and administration traffic. It is generally sufficient to select just the external-facing network interface:

Each Stingray Traffic Manager system in the cluster should be able to talk to a local interface connected to a common network subnet. Once installation is complete, you can access the Stingray Traffic Manager administration interface by clicking the application launcher in the Start menu.


Running the Initial Configuration Wizard

The first time you connect to your newly installed Stingray Traffic Manager, you will be required to run the Initial Configuration Wizard.

Configure Networking

When you configure networking, you will need to assign permanent IP addresses to the interfaces that you selected during the installation. You will need to ensure that you remember which physical interfaces you have mapped the virtual interfaces to (eth0, eth1, etc.) and assign appropriate network addresses to them. The network settings must specify the same subnet as the corresponding interface on the host server, and a free IP address in that subnet must be chosen.

All Stingray Traffic Managers in the cluster must be configured to use the same common subnet. Later on, we will configure floating IPs to host the VPN services themselves. These floating IP addresses must also reside in the common subnet.

In the configuration shown above, we have assigned 10.100.42.11/16 to eth0 and 192.168.50.11/24 to eth1. There are two network interfaces on this Virtual Appliance, but you may only need to use one. These addresses are used for the Stingray Traffic Manager Virtual Appliance itself. We will configure the HA (high availability) addresses later to host the IAG service.

Completing the wizard

Follow the on-screen instructions to complete the Initial Configuration Wizard. You will be required to configure your DNS settings, date and time zone, and admin user password, and to upload a valid Stingray Traffic Manager license. When complete, your Stingray Traffic Manager Virtual Appliance for Windows will be restarted. Click the link to access the new administration server.


Creating a Stingray Traffic Manager cluster

Now that the Stingray Traffic Manager systems on each IAG server are configured, you should link them together into a Stingray Traffic Manager cluster. A cluster of Stingray Traffic Manager systems seamlessly shares configuration, and each member monitors the others and takes over if one of its peers fails. You can use the Administration interface on any one of the Stingray Traffic Manager systems to configure services across the entire cluster.

Join a Cluster wizard

Access one of the Stingray Traffic Manager admin interfaces (it does not matter which one) and start the ‘Join a cluster’ configuration wizard:

Step through this wizard and indicate that you wish to join the cluster containing the other Stingray Traffic Manager system you have installed.

When the wizard completes, it will join the current Stingray Traffic Manager to the existing cluster. The current Stingray Traffic Manager will share the same configuration as the existing cluster, including the administration password.

Later in this installation guide, you will configure a fault tolerant traffic IP address that floats between the clustered Stingray Traffic Manager systems. This traffic IP address will be the entry point for external access to services, and will always be available provided that at least one Stingray Traffic Manager system is functioning correctly.


Configuring Stingray Traffic Manager for the IAG Service

Typically, your IAG service will consist of an HTTP connector and an HTTPS connector. The HTTP connector will primarily be used to redirect connections to the HTTPS service. On your Stingray Traffic Manager cluster, you will need to configure these two services.

Manage a new service wizard

We will use a configuration wizard to create your new Stingray Traffic Manager services. From the Stingray Traffic Manager user interface, select the “Manage a new service” wizard from the wizards list on the top right of the home screen. The wizard will open in a new window; click the “Next” button to continue.

Call the service “Whale HTTPS”. The protocol should be SSL, with a sub-protocol of HTTPS. Stingray Traffic Manager will select the default port of 443, but you may change this if you want to run the service on a different port.

After clicking “Next”, you will be asked to add the nodes for this service. You should add the IP addresses that the two IAG servers are listening on. The port will default to the same port you configured in the previous screen, but you can change that if your IAG servers are listening on a non-standard port.

Clicking “Next” will take you to a summary screen. If everything looks correct, click the “Finish” button. The Stingray Traffic Manager will now create a Virtual Server (the service listener) and a Pool (a collection of nodes) for your new “Whale HTTPS” service, using the values you supplied to the wizard.

You will need to repeat this process to create a “Whale HTTP” service, running on port 80, with a protocol of HTTP.


Creating a Traffic IP Group

Stingray Traffic Manager will have created your service and bound it to all IP addresses on the Stingray Traffic Manager. However, if we want this service to be Highly Available, we need to configure a group of floating IP addresses, which Stingray Traffic Manager will always keep running even in the event of a hardware failure. In Stingray Traffic Manager terminology, these IP addresses are called Traffic IPs, and they are grouped together, so that you can have more than one IP active at a time. Groups of Traffic IPs are called Traffic IP Groups. We will now configure one for your Whale service.

Navigate to the Services section and then the “Traffic IP Groups” tab.

If you want the service to be active on both Stingray Traffic Managers in your cluster you will need to create a group containing 2 Traffic IP addresses. In the example above I have called the group “Whale Group” and I want it to be active on both my Stingray Traffic Managers. Therefore I have set 2 addresses in the IP Addresses field, 10.100.42.15 and 10.100.42.16. Clicking on “Create Traffic IP Group” will create the configuration and distribute it across the cluster. Next we need to bind our Whale HTTP and HTTPS services to this new TIP group.

Binding a service to a Traffic IP

Navigate to the Services section again, but this time select the Virtual Server tab. For each of your services, “Whale HTTP” and “Whale HTTPS”, click the edit button and then under Basic Settings, change “Listening on:” to “Traffic IP Groups”. When you select this setting, you should now see a list of configured Traffic IP Groups to pick from. Select the “Whale Group” you created above.

Stingray Traffic Manager will now bind your service to the IP addresses in the Traffic IP Group. In the event of one of your Stingray Traffic Managers failing, the IP that was hosted on that Stingray Traffic Manager will migrate across to the Stingray Traffic Manager which is still running and service will continue.


Session Persistence

Many classes of requests from clients can be load-balanced across a pool of back-end servers. Multiple requests from one client can be shared across the back-ends with no disruption to service. However, there are certain exceptions, such as server applications that depend upon storing information about a client locally (e.g. IAG), which may not readily be load-balanced in this way. If the established connection were to be sent to a different IAG backend server then a server application error would occur and the user would be disconnected. To prevent this from happening, we use Session Persistence.

When Stingray Traffic Manager receives a new connection, it uses its load balancing logic to choose a node for that connection. Stingray Traffic Manager then records the chosen node in a session persistence map. When another connection in the same session is received, Stingray Traffic Manager uses the node that was chosen previously. In this way, all connections in the same ‘session’ are pinned to the same back-end node.

IP-based Session Persistence

When IP-based persistence is used, Stingray Traffic Manager will track the originating client’s IP address for each request to the IAG pool. If Stingray Traffic Manager has already received traffic from this address, it will map requests to the same IAG backend it used previously.

IP session maps are shared by all Stingray Traffic Manager machines in a cluster. Requests received by different Stingray Traffic Manager machines will be directed to the correct IAG back end, and if one Stingray Traffic Manager fails, the other Stingray Traffic Managers are aware of the IP session maps it was maintaining.

To configure IP-based session persistence, go to the Catalog / Persistence configuration page and create a new Session Persistence class. Give it an appropriate name, and configure it to use IP-based session persistence:

Then, go to the Services / Pools / Whale HTTPS / Session Persistence configuration page and configure the ‘Whale HTTPS’ service to use the new session persistence class. It should be noted that when using IP-based persistence, if you have a lot of clients connecting from behind the same proxy, they will all be presenting the same IP address to the Stingray Traffic Managers and so all of these connections will be sent to the same backend IAG server. One of your IAG servers may therefore be working significantly harder than the others.


More powerful session persistence

If the IP-based session persistence methods are not appropriate, it is possible to apply session persistence based on any data within the encrypted traffic – a login cookie, application identifier, user agent, or any other element in the request that is unique to each remote user.

To do this, you can configure Stingray Traffic Manager to decrypt the incoming SSL traffic and inspect it. Stingray Traffic Manager can then optionally re-encrypt the traffic before sending it on to the IAG software. Having configured the decryption, you then configure a new session persistence class that detects and persists on the data you have identified.

If necessary, Stingray Traffic Manager can use the ‘transparent session affinity’ persistence class that inserts a unique cookie into the first response message the client receives, and then identifies the client’s session using the value of the cookie.

Configuring SSL decryption and re-encryption

We will first need to extract the public certificate and private key from the IAG server so that it can be installed in the Stingray Traffic Manager tier.

1. Export (as a .pfx) the certificate and the private key from the IAG backend. Please consult your Microsoft Windows documentation for the procedure to export the certificate and the private key.

2. Convert the pfx format into PEM format using the OpenSSL software [1][2]. On Windows the command to run is:

   openssl.exe pkcs12 -in <drive:\path\to\cert>.pfx -nodes -out <\path\to\new\cert>.pem

   The -nodes option writes the private key to the output file without encryption.

3. Now go to the Stingray Traffic Manager user interface and import the certificate and private server key. Go to the page Catalogs / SSL / SSL Certificates Catalog / Import Certificate:

   Import the certificate and private key, giving them an appropriate name.

4. Use the ‘SSL Decrypt a Service’ wizard to configure your existing SSL virtual server and pool to decrypt and re-encrypt the traffic so that it can be inspected by the session persistence functionality. When you are asked to select a certificate for the SSL decryption, use the one that you imported and named in the previous step.

These four steps are sufficient to decrypt and re-encrypt traffic internally within Stingray Traffic Manager. Your users should not observe any difference; they should still be able to access their services via HTTPS as before.

[1] http://www.openssl.org/
[2] http://gnuwin32.sourceforge.net/packages/openssl.htm


One difference in behaviour is that the IAG servers will negotiate their SSL connection with the Stingray Traffic Manager software, not the remote clients. Any client certificate checking that was performed on the IAG servers will no longer function. You can use the client certificate checking on Stingray Traffic Manager instead.

Transparent Session Affinity

Transparent Session Affinity is a very powerful session persistence method suitable for all types of HTTP traffic. It inserts a tracking cookie into the first response in each session; the cookie identifies the node in the pool that the response originated from. The remote client will present the tracking cookie on all subsequent requests, and the session persistence can then ensure that those requests are routed to the correct node so that the session is not broken.

Follow the instructions above to create a new session persistence class. This time, select the ‘Transparent Session Affinity’ method:

Reconfigure the pool to use this session persistence class instead of the IP based one.
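
The two persistence methods described above, as an added simulation (not Riverbed's code and not TrafficScript): it shows the load skew that IP-based persistence produces when many users share one proxy address, the even spread a node-tracking cookie gives, and what happens when a pinned node fails. The node names, the cookie name `lb_node`, the round-robin choice and the client list are assumptions constructed for the example.

```python
from collections import Counter
from itertools import cycle

NODES = ["iag-1", "iag-2"]   # hypothetical names for the two IAG back ends
COOKIE = "lb_node"           # hypothetical cookie name, not the product's own


class Balancer:
    """Round-robin balancer with a selectable session persistence method."""

    def __init__(self, method):
        self.method = method         # "ip" or "cookie"
        self.ip_map = {}             # session persistence map: client IP -> node
        self.healthy = set(NODES)
        self._rr = cycle(NODES)

    def _pick(self):
        """Load-balancing decision: next healthy node in round-robin order."""
        if not self.healthy:
            raise RuntimeError("no healthy nodes in the pool")
        while True:
            node = next(self._rr)
            if node in self.healthy:
                return node

    def route(self, src_ip, cookies):
        """Return (node, cookie jar the client holds after the response)."""
        if self.method == "ip":
            node = self.ip_map.get(src_ip)
            if node not in self.healthy:       # new client, or its node is down
                node = self.ip_map[src_ip] = self._pick()
            return node, cookies
        node = cookies.get(COOKIE)
        # A missing cookie, a failed node, or a value that names no pool
        # member all fall through to a fresh load-balancing decision.
        if node not in self.healthy:
            node = self._pick()
        return node, {**cookies, COOKIE: node}


def constructed_clients():
    """Constructed sample: 40 users behind one proxy address, 10 direct users."""
    clients = [(f"proxy-user-{i}", "203.0.113.10") for i in range(40)]
    clients += [(f"direct-user-{i}", f"198.51.100.{i + 1}") for i in range(10)]
    return clients


def simulate(method, requests_per_user=5):
    """Return (users pinned to each node, users whose session changed node)."""
    lb = Balancer(method)
    jars, first, moved = {}, {}, set()
    for _ in range(requests_per_user):
        for user, ip in constructed_clients():
            node, jars[user] = lb.route(ip, jars.get(user, {}))
            if first.setdefault(user, node) != node:
                moved.add(user)
    return dict(Counter(first.values())), len(moved)


def failover(method):
    """Pin one client, fail its node, and return (node before, node after)."""
    lb = Balancer(method)
    before, jar = lb.route("198.51.100.1", {})
    lb.healthy.discard(before)
    after, _ = lb.route("198.51.100.1", jar)
    return before, after


if __name__ == "__main__":
    for method in ("ip", "cookie"):
        print(method, simulate(method), failover(method))
```

In the failover case the client lands on the surviving node under either method, but the IAG session state stored on the failed node is not carried over.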


Summary

Stingray Traffic Manager can be used to both load balance and provide fault tolerance for your IAG servers. The high availability features of Stingray Traffic Manager can ensure that a user can always connect to an IAG server despite the loss of one or more of your IAG servers. The load balancing algorithms of Stingray Traffic Manager can be used to distribute traffic amongst the IAG servers using anything from a simple round robin basis to a more complicated “perceptive” algorithm, which takes into account the performance of each IAG backend node. A range of session persistence methods ensures that a connection sticks to a given IAG node, while the use of SSL decryption by Stingray Traffic Manager offers a more powerful and customized way to make backend node choices.

About Riverbed

Riverbed delivers performance for the globally connected enterprise. With Riverbed, enterprises can successfully and intelligently implement strategic initiatives such as virtualization, consolidation, cloud computing, and disaster recovery without fear of compromising performance. By giving enterprises the platform they need to understand, optimize, and consolidate their IT, Riverbed helps enterprises to build a fast, fluid and dynamic IT architecture that aligns with the business needs of the organization. Additional information about Riverbed (NASDAQ: RVBD) is available at www.riverbed.com.

Riverbed Technology, Inc. 199 Fremont Street San Francisco, CA 94105 Tel: (415) 247-8800 www.riverbed.com

Riverbed Technology Ltd. The Jeffreys Building Cowley Road Cambridge CB4 0WS United Kingdom Tel: +44 (0) 1223 568555

Riverbed Technology Pte. Ltd. 391A Orchard Road #22-06/10 Ngee Ann City Tower A Singapore 238873 Tel: +65 6508-7400

Riverbed Technology K.K. Shiba-Koen Plaza Building 9F 3-6-9, Shiba, Minato-ku Tokyo, Japan 105-0014 Tel: +81 3 5419 1990