WebMux™ Model 481SD/592SGQ User Guide Version 9.0.
Copyright© 1997-2012 CAI Networks, Inc. The information contained in this document is the property of CAI Networks, Inc. Neither receipt nor possession hereof confers or transfers any right to reproduce or disclose any part of the contents hereof, without the prior written consent of CAI Networks, Inc. No patent liability is assumed, however, with respect to the use of the information contained herein.
Revision History: 03/15/2012 revision 9000.
Trademarks: WebMux is a trademark of CAI Networks, Inc.
Table of Contents
Packing List ..... iv
Section 1 Main Components ..... 5
1.1 Front View ..... 5
1.1.1 Toggle Power Switch
5.6.1 Primary WebMux Information ..... 25
5.7 NAT Mode Related Configuration ..... 26
5.8 Transparent Mode or Single Network Mode Related Configuration ..... 28
5.9 Out-of-Path Related Configuration ..... 29
Section 8 Initial Setup Change Through Browser ..... 79
Section 9 Sample Configurations and Worksheets ..... 81
9.1 Initial Configuration Worksheets ..... 81
9.2 Sample Configuration Worksheets
Packing List
• One (1) WebMux unit
• One (1) User Manual
• One (1) Warranty registration card
Section 1 Main Components 1.1 Front View 1.1.1 Toggle Power Switch This switch toggles power on and off. To power off, the switch must be pressed and held for 5 seconds. However, it is recommended that you do not regularly use this power switch to shut down the unit. Please use the LCD panel, web interface, or command line interface to issue a proper shut down. 1.1.2 Reset Button Press and release the reset button to reboot the WebMux. This is a hard reboot, not a factory reset.
1.2 Rear View 1.2.1 Server LAN Port Connect this port to the Server LAN switch or hub. This port connects to the servers and your local computers. It is the rightmost RJ45 socket. In Out-of-Path configuration, this is the only port that needs to be connected. If your switch is capable of LACP (or port channel), you can connect both the Internet and Server ports and they will behave as a single port (Out-of-Path mode ONLY). 1.2.
Section 2 WebMux Overview 2.1 Key Features The WebMux is a standalone network appliance designed primarily to load balance IP traffic to multiple servers. The WebMux includes the following key features. • Improves performance by distributing the traffic for a site or domain among multiple servers. No one server will be bogged down trying to service a particular site. • SSL Termination to reduce the cost of multiple certificates.
• Built-in Anti-Attack Security Function. Automatic protection against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Automatically block IP addresses that exceed the maximum threshold of concurrent connections for a specified amount of time. Works in NAT, Transparent, and OOP modes. • In-Path or Out-of-Path Load Balancing. In normal setup, the WebMux can be configured In-Path, to act as firewall in addition to the load balancer and health checker.
• Multiple Uplink/VLAN Support. Using the command line interface command, nwconfig, WebMux can be configured for use with Multiple ISPs. You can also use this command line tool to create multiple server subnets. Please see Appendix L for details. • Bond All Interfaces. In combination with 802.
Section 3 The WebMux Family
The 1U WebMux family consists of three models. They are:
• The WebMux 481SD
• The WebMux 592SGQ
• The WebMux 690PG
The table below compares the features of the models.

Model Number:                              481SD         592SGQ        690PG
Layer 4 Performance
  Maximum concurrent connections           1,440,000¹    2,880,000¹    5,760,000¹
  Maximum transactions per second          65,000        100,000       400,000
  Maximum throughput per second¹           1.7 GBits     2.
Fault Tolerance
  Diskless Design                          Yes           Yes           Yes
  Port aggregation                         Optional      Optional      Optional
  Failover via Ethernet link               Yes           Yes           Yes
  Failover via network connection          Yes           Yes           Yes
  Service aware                            Yes           Yes           Yes
  Server aware                             Yes           Yes           Yes
  Backup server                            Yes           Yes           Yes
Security
  Network Address Translation (NAT)        Yes           Yes           Yes
  TCP SYN protection                       Yes           Yes           Yes
  Address mapping                          Yes           Yes           Yes
  Port mapping                             Yes           Yes           Yes
  TCP DoS protection                       Yes           Yes           Yes
Miscellaneous
  Power and Heat (MAX at full load)        100W/300BTU   200W/500BTU   350W/1000BTU
  Factory warranty                         1 year        1 year        1 year
  Free telephone and email support         1 year        1 year        1 year
  Overnight pre-sent exchange unit         Optional      Optional      Optional
  24x7 Gold Premium Support                Optional      Optional      Optional
  30-day money-back guarantee              Yes           Yes           Yes
¹Bond interfaces for max throughput in VLAN only mode
²With CAI-RSA3500 option card
³With CAI-RSA7000 option card
Next, a Virtual Farm or multiple farms must be configured on the WebMux. A virtual farm is a single representation of the servers to the clients. A farm consists of a group of servers that service the same domain, website or services. For example, to configure a farm (or virtual farm) to serve www.cainetworks.com: • First, Server 1 and Server 2 would each need the website www.cainetworks.
In most situations, the incoming traffic consists of small requests, while the return traffic from servers back to clients is a large amount of data, pictures, or documents. Using Out-of-Path Mode will allow up to 100 times more traffic to be handled by the WebMux load balancer. The disadvantage of OOP/direct response is that the firewall protections built into the WebMux will no longer function. Users must provide their own firewall for incoming and outgoing traffic.
Section 4 Sample Configurations 4.1 Single WebMux (Two-Armed NAT Mode) • This installation requires one WebMux. • One WebMux interface (Internet) connects to the Router LAN. The other interface connects to the Server LAN. • The WebMux translates the Router LAN IP addresses to an internal non-routable class-C address. In this example, the netmask is 255.255.255.0. The IP address of the WebMux interface on the Router LAN is 205.133.156.220.
• Changes to the server: change the default gateway to 192.168.199.1, as well as the IP address to the 192.168.199.xxx subnet. If a service on the server is bound to the IP address (HTTP/S, FTP, etc.), please make sure the service will run on the new IP address. Note Although the WebMux can work with any IP address range, all server IP addresses should be Internet non-routable addresses so that source addresses from the Internet do not conflict with the IP addresses on the Server LAN.
• Both WebMuxes connect to the Router LAN, and to the Server LAN. Each WebMux interface has a unique IP address. • The registered Internet IP address range is a class C address range. • The IP address of the WebMuxes’ Virtual Farms must be in the same network range as the Internet router. • The WebMux translates the Router LAN IP addresses to an internal non-routable class A address. In this example, the subnet-mask is 255.0.0.0.
4.3 Installation without IP Address Change (Two-Armed Transparent Mode) Transparent Mode is another WebMux configuration that allows you to keep the existing IP addresses of your servers. Like Out-of-Path Mode, the servers and the WebMux will be on the same IP network. However, physically, the servers will be connected to the WebMux in the same way they would be for NAT mode, on the server LAN port. The “internet” port on the WebMux is connected towards the Firewall/Router.
For a single WebMux setup, any kind of switch will work, since only one bridge path exists on the network. No Spanning Tree Protocol is required. 4.4 Installation without IP Address Change (One-Armed Single Network Mode) Single Network Mode configuration is simple, with only one interface connected to the network. You can use either the Internet Port or the Server Port of the WebMux, but only ONE of them. The WebMux and the servers are also all on the same subnet.
4.5 Installation without IP Address Change (One-Armed Out-of-Path Mode) The above diagram is an example of how to configure the WebMux in Out-of-Path Mode without changing the IP addresses of the web servers and other servers that already exist on the network. This is particularly helpful when changing an existing network of servers would cause problems. In this configuration, all the servers still remain on the same IP network and can communicate.
through the real network interface. In other words, the loopback adapter cannot have a gateway specified. Please refer to Appendix A and B for more details on how to configure the loopback adapter on servers. If the server is running Windows 2003/2008, the route created when adding the loopback adapter cannot be deleted; please make sure the loopback adapter's metric is a higher number. 2) If your service binds to a specific IP address, add the loopback adapter's IP address to that service.
Section 5 Configuring the WebMux 5.1 Before you Start Please collect the information about names and IP addresses designated by the arrows in the network topology below. 5.2 Network Terminology A Virtual Farm includes the WebMux and the servers under it. Functionally, it acts as a single unit on a network. For example, http://www.you.com is one virtual server farm; https://www.me.com is another farm, and ftp://ftp.cainetworks.com is the third farm.
takes the Internet traffic and distributes it to the servers behind it. The LAN connecting the WebMux and real servers together is called Server LAN. WebMux has four modes: 2 Arm NAT Mode, 2 Arm Transparent Mode, 1 Arm Single Network Mode, and 1 Arm Out-of-Path Mode. In NAT mode, the WebMux boxes are connected to both Router LAN and Server LAN. At least one WebMux is needed to define the Router LAN and the Server LAN. We will explain other modes in detail in later chapters.
• Turn on the WebMux. Turn on the switch on the back of the WebMux and push the power-on button in the front momentarily. You will see the version number like this: • After self-test, hold down the Check-Mark button on the WebMux until the LCD displays the first question—“Enter WebMux host name.” • During the initial configuration, you will be asked to provide names and IP addresses. (See next section.) Each item is explained in the order it is asked. • Answer the questions. Reboot.
Is this a Primary WebMux? If this is the Primary, answer Yes. If this is the Secondary WebMux, answer No. The secondary WebMux automatically gets configuration information from the Primary once it sets up. If this is the only WebMux, answer Yes. 5.6.1 Primary WebMux Information This question is not asked for the Secondary WebMux. Is this WebMux running solo without a backup WebMux? If the Primary WebMux is running in a standalone configuration (see sample configuration— Standalone WebMux.), answer Yes.
to go back to clients (up to 100X more than on the specification chart); it also does not require a change to the server IP address. The screens will cycle among the modes until you select yes on one of them. Once one is selected it will continue to the next setup screen. Continue on to the related mode in the following pages. 5.7 NAT Mode Related Configuration Enter Router LAN WebMux Proxy IP Address: This is the IP address that the WebMux uses as the external IP address when it functions as a proxy.
These IP addresses cannot be your Internet registered addresses. They must be Internet non-routable. For example, you can assign addresses in the 10.0.0.0 network address range, or 192.168.199.0, etc. Enter Server LAN Network IP Address Mask: This is the network mask of the Server LAN. For a class A network, it may be 255.0.0.0. For a class C network, it may be 255.255.255.0. Enter Router LAN VLAN ID (optional): This is the optional VLAN ID tag that will be used for the Router LAN (Internet) interface.
Enter Server LAN Gateway IP address: This IP address is on WebMux. It will be the Default Gateway entry for all the servers on the Server LAN. This address will ’float’ between the primary and secondary WebMux. If the Primary went down, the address entered here will float to the backup. Please pay very careful attention that THIS IS NOT YOUR EXTERNAL ROUTER/GATEWAY IP. The IP address you put here will be assigned to the Server LAN interface. Make sure it is a unique IP address.
Enter Server LAN VLAN ID (optional): Note The VLAN ID is used for full 802.1q VLAN support. In Single Network Mode the Router LAN VLAN ID and Server LAN VLAN ID still pertain to the specific ports on the WebMux and they cannot be the same value. Even though you only need to use one of the ports in Single Network Mode, it is important that your switch setting matches the value of the port you are connecting to.
Enter Server LAN Network IP Address Mask: This is the network mask of the Server LAN. For a class A network, it may be 255.0.0.0. For a class C network, it may be 255.255.255.0. Enter Server LAN VLAN ID (optional): Note The VLAN ID is used for full 802.1q VLAN support. Enter Server LAN Gateway IP address (optional): This is an optional configuration that is used only if you are going to do SSL termination or Layer 7 load balancing.
Clear Allowed Host File? The allowed host file prevents any unauthorized access to the WebMux Management Console. If a workstation’s IP address is not in the allowed host file, that computer will not be able to reach the WebMux management console through the network. However, sometimes a wrong IP address is entered so that no computer can access the browser management console. At that point, clearing the allowed host file will allow any browser to access it.
port collision in case passive FTP is one of the other farms. Using a port number below 1024 will not require setting up an “admin farm IP.” Discard Changes Made? If you select Yes at this point, all the changes made will be discarded and you will exit the setup mode. By default the answer is NO, and all the changes will be saved. Only when you select NO (do not discard changes) are the changes saved to the internal solid state storage. Changes will take effect after the next reboot.
LCD Brightness: Pressing the “down” button at the “Power off?” screen will bring you to the LCD Brightness screen. This screen will allow you to adjust the brightness of the LCD backlight. The setting defaults to 50. Valid values are from 0 to 100. The setting is activated when you press the check mark button. Going back to this screen will bring the value back to the default of 50.
Section 6 Management Console After the Initial Configuration, you should be able to use a web browser to connect to the WebMux. The web browser interface does all of the WebMux management. The following sections explain each of the easy ways to use the management console screens.
6.1 Login Start Login Page: Start a web browser from your management workstation. Set the URL to https://webmuxip:webmuxport/ where webmuxip is the IP address of the WebMux on the server LAN and webmuxport is the management port of the WebMux. The default ports are 24 for an unsecured connection and 35 for the secured connection. Use http instead of https in the URL if you decide to use port 24 for unsecured communications.
Password: Fill in the correct password for the selected User ID. The password is case sensitive. The default passwords are:
ID          Password
superuser   superuser
webmux      webmux
It is recommended to change the passwords periodically. No new user ID can be added. Login: After entering the correct password, click Login. Note For first time setup, please login as superuser and go to the Administration Setup by clicking the Setup button.
6.2 Main Management Console Once logged in to the Management Console, the main screen will show. To continue configuring the WebMux, the normal steps are: Hover the mouse pointer over the four main menus on the top (main, network, security, and miscellaneous) to navigate the different setup screens.
6.2.1 Save On the main management console, clicking on the Save button will cause the WebMux to save its configuration. Changes made to the “Farm” and “Server” will take effect immediately without saving. However, changes are not saved permanently to the solid state storage until the “Save” button is clicked. Unsaved farm/server settings will be lost during a power outage or WebMux reboot. 6.2.2 Pause/ Resume The status screen automatically refreshes frequently to provide the most up-to-date status.
6.3 Network Setup After logging into the management console as superuser, click on the network menu. You will come to this screen: IPv6 96-bit Address Prefix: To load balance in IPv6, set the optional IPv6 address prefix field. The IPv4 addresses will be appended to this prefix. For example, if you assigned 192.168.12.21 as the WebMux’s server LAN IP and you assigned fec0:: as the IPv6 prefix, the WebMux’s complete IPv6 address will be fec0::192.168.12.21 (or fec0::c0a8:c15).
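The prefix mapping described above, worked through in code. This is an added example, not part of the WebMux documentation or software: it embeds an IPv4 address in the low 32 bits of a 96-bit prefix and recovers it again, using only the Python standard library. The function names and the 2001:db8:: sample prefix are this example's own.

```python
import ipaddress

# Added illustration (not WebMux code): how an IPv4 address is appended to a
# 96-bit IPv6 prefix, as the "IPv6 96-bit Address Prefix" field describes.


def ipv6_from_prefix(prefix: str, ipv4: str) -> str:
    """Embed ipv4 in the low 32 bits of prefix; return the compressed IPv6 text."""
    pfx = ipaddress.IPv6Address(prefix)
    host = ipaddress.IPv4Address(ipv4)
    # Only a 96-bit prefix is valid: its low 32 bits must be zero, otherwise
    # the prefix and the embedded IPv4 address would overlap.
    if int(pfx) & 0xFFFF_FFFF:
        raise ValueError(f"{prefix} is not a 96-bit prefix (low 32 bits are not zero)")
    return str(ipaddress.IPv6Address(int(pfx) | int(host)))


def embedded_ipv4(ipv6: str) -> str:
    """Reverse mapping: recover the IPv4 address carried in the low 32 bits."""
    low32 = int(ipaddress.IPv6Address(ipv6)) & 0xFFFF_FFFF
    return str(ipaddress.IPv4Address(low32))


def farm_ipv6_table(prefix: str, ipv4_farms: list) -> dict:
    """Map every IPv4 farm address to its IPv6 counterpart under one prefix."""
    return {ip: ipv6_from_prefix(prefix, ip) for ip in ipv4_farms}


if __name__ == "__main__":
    # The manual's own example: 192.168.12.21 under the prefix fec0::
    print(ipv6_from_prefix("fec0::", "192.168.12.21"))        # fec0::c0a8:c15
    # The mixed notation fec0::192.168.12.21 names the same address
    print(embedded_ipv4("fec0::192.168.12.21"))               # 192.168.12.21
    # Constructed sample farms under a documentation prefix
    print(farm_ipv6_table("2001:db8::", ["10.0.0.5", "10.0.0.6"]))
```

The check on the low 32 bits matters in practice: a prefix such as fec0::1 would silently merge with the embedded address and produce a different host than intended. Note also that fec0::/10 (the site-local range used in the manual's example) was deprecated by RFC 3879; a unique local (fd00::/8) or globally routed prefix is the usual choice today.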
Server for email notification: The WebMux can send email notifications. Enter the IP address of the email server that will forward the notifications. Note Because the WebMux does not resolve names, this entry must be an IP address. Also, you must allow relaying from the WebMux IP on your email server in order to accept emails from the WebMux. Addresses for email notification: Enter the email addresses to be notified. Separate multiple addresses with a colon. For example: johndoe@anywhere.
WebMux https control port: Since the WebMux is load balancing incoming HTTPS traffic, the HTTPS port for the management console must be set to a different port. By default, the port is 35. You can change the port to any port that is not being load balanced, if so desired. The front push buttons can also change this. SNMP UDP Port: SNMP on the WebMux is active and uses port 161 by default. You can change the port here. Or you can enter “0” or “none” or leave blank to disable SNMP altogether.
No: The WebMux will NOT route incoming IP packets through the WebMux, except IP packets for farm IP/port. This is the default setting. Front Network Verification: The WebMux checks the availability of the front network by checking on the IP address you configured as your “external gateway ip” (your router IP). The selection here determines the protocol used to check the connectivity of that IP address. It can be “none,” “ARP,” “TCP Connection,” or “ping.
Reset Stranded TCP Connections: When a server fails to function, there may be many TCP connections still in TCP_WAIT state. If this is set to “Yes,” when a client tries to access the failed server, the WebMux will pretend the server is sending a TCP Reset to the client, thus freeing all the TCP_WAIT state connections. The default setting is “Yes” to conserve resources.
You should see this screen: Routes displayed that are “grayed out” cannot be modified. To add a route, make sure “make indicated changes” is selected in the drop down menu, click the “add” checkbox, and fill in the remaining fields. Click the “confirm” button. Your new route should appear along with a “delete” checkbox. You can click on the “delete” checkbox and click confirm to delete the selected route.
6.3.2 Reconfigure The reconfigure button will bring you to the initial network settings page. More details about this are covered in Section 8 “Initial Setup Change Through Browser.”
6.4 Security Settings Allowed remote host IPs: The WebMux management console and diagnostic login only allow logins from these IP addresses to establish a management session. You can access from more than one IP address by specifying all the allowed IP addresses separated by a “:” (except use “,” as divider for IPv6 addresses). You can put the netmask following the IP address to specify the range of hosts that can access the management console. For example, 192.168.12.0/24 will allow all hosts in 192.168.
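The allowed-host syntax above (a “:”-separated IPv4 list, a “,”-separated IPv6 list, and an optional netmask for ranges) parsed and checked in code. This is an added example, not part of the WebMux documentation or software; the function names and sample entries are this example's own, and the separator rule is taken from the description above. The last function guards against the lock-out scenario that the “Clear Allowed Host File?” setup question exists to recover from.

```python
import ipaddress

# Added illustration (not WebMux code) of how an "Allowed remote host IPs"
# entry can be parsed and checked. Assumption: entries are separated by ":"
# for IPv4 and by "," for IPv6, and a CIDR suffix selects a range, as the
# Security Settings section states.


def parse_allowed_hosts(spec: str) -> list:
    """Turn the allowed-host string into a list of ip_network objects."""
    spec = spec.strip()
    if not spec:
        return []                        # empty list: nobody is allowed in
    if "," in spec:
        tokens = spec.split(",")         # IPv6 list form
    else:
        try:
            # A single entry (IPv4 or IPv6, with or without a mask)
            return [ipaddress.ip_network(spec, strict=False)]
        except ValueError:
            tokens = spec.split(":")     # IPv4 list form
    return [ipaddress.ip_network(t.strip(), strict=False) for t in tokens if t.strip()]


def is_allowed(spec: str, client_ip: str) -> bool:
    """True if client_ip falls inside any allowed entry (address-family aware)."""
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in parse_allowed_hosts(spec))


def safe_to_apply(spec: str, admin_ip: str) -> bool:
    """Refuse a list that would exclude the workstation applying it, which is
    the lock-out that "Clear Allowed Host File?" is there to undo."""
    return is_allowed(spec, admin_ip)


if __name__ == "__main__":
    # Constructed sample entries
    v4_spec = "192.168.12.0/24:10.1.1.5"
    print(is_allowed(v4_spec, "192.168.12.77"))    # True: inside the /24
    print(is_allowed(v4_spec, "10.1.1.6"))         # False: only 10.1.1.5 is listed
    print(is_allowed("fec0::/64,2001:db8::5", "fec0::1"))   # True
    print(safe_to_apply(v4_spec, "172.16.0.9"))    # False: this list would lock the admin out
```

Running a candidate list through safe_to_apply with your own workstation address before confirming the change avoids a trip to the LCD panel to clear the file.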
ICMP Packet input policy: Accept: The WebMux will allow all ICMP packets to travel through the WebMux. For the CLI arp commands to work properly, this must be Accept. Deny: The WebMux will NOT allow any ICMP packets to travel through the WebMux. Note During installation, having the ability to PING the other hosts on the networks is typically useful. When the installation is complete, setting the “ICMP packet policy” to DENY is recommended as a security precaution. 6.4.
6.4.3 Activating the Anti-Attack Feature To get to the Anti-Attack settings of the WebMux, hover the mouse over the security menu on top and then click on the AAD link. You will see this screen: TCP Connection Attack Threshold: This sets the maximum number of concurrent connections a client can make before the WebMux will consider it an attack. You do not want to set this value too low, because most of the time servers will experience several concurrent connections from one client during normal operations.
Duration to block attackers: This sets the amount of time to block attacker IP addresses. It may not be desirable to block specific IP addresses indefinitely because of the dynamic nature of the IP addresses used by the general public. You may end up blocking potential customers in the future. Therefore, this setting allows you to set the IP blocking duration that suits your needs. Changing the settings on this page will not require a reboot and is effective once you click the confirm button.
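The two settings above (connection threshold and block duration) define a rule that is easy to replay against a connection trace, which is useful when choosing values: a threshold that trips on a normal browser's parallel connections, or a duration that holds a shared NAT address for hours, shows up immediately. The following is an added example, not part of the WebMux documentation or software; it models the rule as stated here, with two labelled assumptions (“exceed” is read as strictly greater than the threshold, and a blocked client's open connections are dropped when the block starts) and a constructed event trace.

```python
from collections import defaultdict

# Added illustration (not WebMux code) of the rule the Anti-Attack settings
# describe: a client whose concurrent connections exceed the threshold is
# blocked for the configured duration, then allowed again.


class ConnectionGuard:
    def __init__(self, threshold: int, block_seconds: int):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.open = defaultdict(int)      # concurrent connections per client IP
        self.blocked_until = {}           # client IP -> time the block expires

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                  # duration elapsed: lift the block
            del self.blocked_until[ip]
            return False
        return True

    def on_open(self, ip: str, now: float) -> str:
        """Handle a new connection from ip; returns 'accept' or 'blocked'."""
        if self.is_blocked(ip, now):
            return "blocked"
        self.open[ip] += 1
        if self.open[ip] > self.threshold:          # assumption: strictly greater
            self.blocked_until[ip] = now + self.block_seconds
            self.open[ip] = 0                       # assumption: client's connections dropped
            return "blocked"
        return "accept"

    def on_close(self, ip: str) -> None:
        if self.open[ip] > 0:
            self.open[ip] -= 1


def replay(events, threshold: int, block_seconds: int):
    """Run (time, action, ip) events through the guard. Returns the decision
    for every 'open' event and the clients still blocked when the trace ends."""
    guard = ConnectionGuard(threshold, block_seconds)
    decisions = []
    last = 0
    for t, action, ip in events:
        last = t
        if action == "open":
            decisions.append((t, ip, guard.on_open(ip, t)))
        else:
            guard.on_close(ip)
    still_blocked = sorted(ip for ip in list(guard.blocked_until) if guard.is_blocked(ip, last))
    return decisions, still_blocked


# Constructed sample trace: one client opens a 4th connection against a threshold of 3.
SAMPLE_EVENTS = [
    (0, "open", "198.51.100.7"), (1, "open", "198.51.100.7"),
    (2, "open", "198.51.100.7"), (3, "open", "198.51.100.7"),
    (4, "open", "203.0.113.9"), (5, "close", "203.0.113.9"),
    (10, "open", "198.51.100.7"),   # still inside the 60 s block
    (70, "open", "198.51.100.7"),   # block expired at t=63, accepted again
]

if __name__ == "__main__":
    decisions, blocked = replay(SAMPLE_EVENTS, threshold=3, block_seconds=60)
    for row in decisions:
        print(row)
    print("still blocked:", blocked)
```

Feeding a real connection log (source address, open and close times) into replay with candidate settings shows which legitimate clients would have been blocked before the setting goes live.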
6.5 Miscellaneous Settings The miscellaneous screen will show the events log by default. 6.5.1 Show Event This button will display all the events since the WebMux’s last reboot. The event includes server failure or state change. 6.5.2 Logout It is not recommended to leave the management browser logged in unattended. Click the Logout button to close the session. The “Login” screen will re-appear. 6.5.
Download: This feature allows the SAVED (not necessarily the active) configuration to be saved at the Administrative Browser workstation. Be sure you have saved your farm configurations from the main screen before exporting your configuration to ensure that you are getting your most recent changes. Click on the “Click Here” link to display the configuration. Choose ’File->Save As’ from the browser menu to save it as a text file. Changes can be made to this file and uploaded to the WebMux.
Year: Enter the year. Enter all 4 digits. Hour: Enter the hour of the day. Use the 24 hour clock, or military time. Minute: Enter the minute of the hour. Time Zone: Select the time or hour offset to the UTC (GMT) time. You can set the WebMux to your local time, if your time zone is selected here. Confirm/Cancel: Click Confirm to execute the date and time change. Click Cancel to return to the previous screen WITHOUT making any date or time changes.
Section 7 Setting Up Load Balancing 7.1 Add Farm Back at the “main” screen of the Main Management console, click the “Add Farm” button to add a virtual site for the services you want to provide. The “add farm” screen will appear: Farm IP address: This is the IP address of the new farm. For SSL terminated traffic, each farm must have its own IP address. The farm address can be the Internet known address or an address that has been translated by your firewall.
the corresponding IP addresses in the status screen. Although labels can be anything, it is better to have a meaningful and unique label for each farm. Since version 5.6, the label field is also used as the host name in the “HOST:” MIME header when checking HTTP servers. The “HOST:” MIME header is essential in virtual hosting, as it determines which site is being accessed. The format of the farm label should be the site host name (i.e. www.xyz.com), max length 75 bytes.
Service: The service selection determines the type of service running on the servers in the farm and how the WebMux will check the server health status. The service type selection will create a farm using the well-known port for that service type. If a port other than the well-known port for a TCP or UDP service is to be used, then choose one of the “Generic” selections and enter the port number in the PORT NUMBER field. You will not need to specify the port number if the service protocol is on the list.
Scheduling method: The scheduling method is the way in which traffic is distributed among the servers in the farm. Eight different methods are supported. If you are using a shopping cart service, a persistent scheduling method is recommended.
more than once in a single farm. This scheduling method will allow you to have several name based virtual hosts on a single physical server with one IP address. Client to server persistence is enabled in this scheduling method. SSL Termination: Selecting an SSL key in this section will enable SSL termination for this farm. The HTTP service and POP3 service terminate to ports 443 and 995, respectively, and will allow you to choose any port for the clear traffic to the servers.
Compress HTTP Traffic: Selecting “yes” for this option will activate WebMux HTTP compression. If the client web browser sends a MIME header stating that it accepts compressed data, the WebMux will compress HTTP data to the client browser. If the WebMux detects that the servers in the farm are already compressing the data, the WebMux will not perform compression. Instead, it will let the compressed data from the servers pass through without additional processing.
7.2 Enabling SSL Termination By default, the SSL termination is NOT on. The following description is about enabling SSL termination for an HTTP farm. In the “Add Farm” screen, select “HTTP—hypertext transfer protocol (TCP)” in the “service” section. In the “SSL Termination” section, choose from any key other than “none” (see the SSL Keys section about importing your SSL keys). This will enable SSL termination on the HTTP farm.
The WebMux allows SSL termination from any port to the farm port. If your SSL/TLS traffic is other than the standard HTTPS traffic, you may want to specify the SSL traffic port in the “SSL port” field. The WebMux will listen to that SSL port, terminate the encrypted traffic from that port into the farm port, and re-encrypt the return traffic from the server to the clients. 7.3 SSL Keys The WebMux supports SSL V2, SSL V3, and TLS V1 with RSA key length from 512, 1024, and 2048.
At the bottom of the screen you will see the option to choose encryption protocols allowed: This will enable you to restrict SSL connections that do not follow the minimum protocol. If there are already active farms using SSL Termination, then changing this setting will require you to reboot the WebMux to activate changes. If you decide not to reboot, existing farms will run under the previous criteria and new farms will follow the new criteria.
You can click a key number to generate keys, copy and paste signed certificates: You can view, copy and paste keys into the two windows. You should back up your private key and save it in a secure place. Each private key and public key pair must match to work properly. If you plan to generate new keys, click on the drop down box above the private key window to select the “use newly generated” item with the desired key length, and then click on the “Submit” button.
After submitting the selection, you will see this next screen: Enter all the necessary information. Click on the “Confirm” button to complete the key generation. A certificate request will be generated. BE SURE TO COPY AND SAVE THIS BEFORE YOU CONTINUE. When you are done saving the certificate request, you can click on the “Confirm” button. You will be taken back to the dialog boxes that will display the newly created private key. You should make a backup copy of that as well.
able to directly transfer your existing key and certificate from your Linux server. For Windows IIS keys and certificates, you will need to convert them to PEM format. Please refer to our support site for instructions: http://www.cainetworks.com/support/how-to-convert-ssl.html You can get OpenSSL for Windows at: http://www.slproweb.com/products/Win32OpenSSL.html If you would rather, you may contact us at support@cainetworks.com and we can do the conversion for you.
that will determine which site is being accessed. The format of the farm label should be the site host name (i.e., www.xyz.com), max length 75 bytes. Without a label specified, a 401 (Unauthorized) error code is still considered a live server. If you have a label specified and the server returns error code 401, then the WebMux will consider that server dead. For both IIS and Apache servers doing virtual hosting, the farm name label must be an existing web site name on the server.
SNAT: Selecting YES in this field will enable SNAT for this farm only. This option is not available when SNAT is enabled system-wide in the network management or when running in Single Network Mode. Compress HTTP traffic: Enable or disable HTTP compression. When enabled the MIME header “X-WebMuxCompression: true” will be appended to the server response MIME header. (NOT supported in Out-of-Path Mode, except when used in a Layer 7 Farm). Delete: Click this button to delete the entire farm.
Server Port Number: If the port number specified in the farm setup is the same as the real server’s port number, you can leave this as “same.” In NAT mode, the WebMux can perform port forwarding from the farm IP port to the server IP port if you specify a server port that is different from the farm port. CAUTION Like the IP address, once created, the port number cannot be changed. To correct the port number, the server needs to be deleted and a new one created. Weight: Scheduling priority weight.
Last Resort Standby—The server will be put into STANDBY state. Unless all other servers are out of service, this server will not be switched in. This allows the last server to show a different web page from the others. 7.6 Add L7 Server If setting up a Layer 7 farm, the add server screen will be similar to this: Two extra options are available: Match Pattern and Pattern is anchored. Match Pattern: This is the pattern that the client request data will need to match to access this server.
Virtual Host Load Directing: If you selected Layer 7 virtual host load directing with cookies as the scheduling method, the add server screen will look slightly different: In this screen, you will need to specify the virtual host name of the server you are adding. The WebMux will use this host name when it does the server health check and as the match pattern to direct clients to the correct site. 7.7 Modify Server Modify Server can be invoked by clicking on the server IP address on the Status screen.
Weight: Scheduling priority weight. Valid integer numbers are between 0 and 100. Changing the weight to zero will stop incoming connections, while all existing connections continue until they time out or the connection is terminated by the client or server. Although all numbers from 1 to 100 will allow traffic to go through, using a smaller weight number for each server will give the best load distributing result.
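A worked illustration of the weight semantics just described and of the weighted scheduling mentioned under “Scheduling method” in section 7.1: weights 1 to 100 share new connections in proportion, and weight 0 drains a server by giving it no new connections while existing ones are untouched. This is an added example, not part of the WebMux documentation or software. The algorithm used is the “smooth” weighted round-robin variant, which is an assumption for illustration only; the manual does not state which scheduling algorithm the WebMux implements. Server names and weights are constructed.

```python
# Added illustration (not WebMux code) of weighted scheduling with the weight
# semantics in section 7: 0 stops new connections to a server, 1-100 share
# traffic in proportion. Smooth weighted round-robin is an assumption here.


class WeightedRoundRobin:
    def __init__(self, weights: dict):
        self.weights = {}
        self.current = {}
        for server, w in weights.items():
            self.set_weight(server, w)

    def set_weight(self, server: str, weight: int) -> None:
        """Weights outside 0..100 are rejected, matching the valid range."""
        if not 0 <= weight <= 100:
            raise ValueError("weight must be between 0 and 100")
        self.weights[server] = weight
        self.current.setdefault(server, 0)

    def next_server(self) -> str:
        """Pick the server for a NEW connection; weight-0 servers never win.
        Existing connections are not represented here, so draining a server
        by setting its weight to 0 leaves them untouched, as the text says."""
        active = {s: w for s, w in self.weights.items() if w > 0}
        if not active:
            raise RuntimeError("no server has a non-zero weight")
        for s, w in active.items():
            self.current[s] += w
        best = max(active, key=lambda s: self.current[s])
        self.current[best] -= sum(active.values())
        return best


def distribute(weights: dict, connections: int) -> dict:
    """Count how many of `connections` new connections each server receives."""
    sched = WeightedRoundRobin(weights)
    counts = {}
    for _ in range(connections):
        s = sched.next_server()
        counts[s] = counts.get(s, 0) + 1
    return counts


def drain(weights: dict, server: str, connections: int) -> dict:
    """Set one server's weight to 0 and distribute the next connections."""
    weights = dict(weights)
    weights[server] = 0
    return distribute(weights, connections)


if __name__ == "__main__":
    # Constructed sample: three servers with weights 3, 1 and 0
    print(distribute({"A": 3, "B": 1, "C": 0}, 8))     # {'A': 6, 'B': 2}
    print(drain({"A": 3, "B": 1, "C": 0}, "A", 4))      # {'B': 4}
    print(distribute({"A": 30, "B": 10}, 8))            # same 3:1 split as weights 3:1
```

The last call shows why the manual recommends small weights: 30:10 and 3:1 produce the same split, so the small form is easier to read and reason about when a server is added or removed.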
IP Address: Add an IP address to the current farm configuration. The IP address can be the same as an existing one as long as the port number does not duplicate any existing IP/port combination. Label: The label is displayed in the column to the left of the corresponding IP addresses in the main status screen. Although labels can be anything, it is better to have a meaningful and unique label for each farm. The label field is also used as the host name in the “HOST:” MIME header when checking HTTP servers.
7.9 Add Gateway Farm Gateway Farms allow you to load balance outgoing traffic between multiple external gateways. The gateways can be routers, proxy servers, firewalls or edge servers. The gateways will be balanced in a Weighted Round Robin Persistent fashion. By default, incoming traffic will be replied through the gateway it came from. To create a gateway farm, click on the “Add Farm” button from the main status screen.
Label: You can enter a label for reference purposes. The use of the label for gateways is optional. Click the “Confirm” button to create the gateway farm. Your status screen will look something like this: Your original default external gateway will be automatically added to the gateway farm. Click on the gateway farm IP on the grey line above the router IP to add more gateways to the gateway farm. Click on the “Add Gateway” button to add more gateway IPs to your gateway farm.
IP Address: Enter the IP address of your gateway. Label: The label here is used only for reference purposes. Weight: Scheduling priority weight. Valid integer numbers are between 1 and 100. Run State Active—The gateway will be put into service immediately after it is added. If there are gateways in the farm in Standby, WebMux will activate a Standby gateway in its place if it goes out of service.
have created a gateway farm, the status of your external route is determined by the availability of any one of the gateways in your gateway farm. As with a single default gateway, the type of health checking done on the router IPs is determined by the “front network verification” protocol setting in the Administrator Setup page (see section 6.3). If you click on the “nh” link under the “service” column, you will get to the “modify service timeout” page.
7.10 Modify Health Check The user may change the health check behavior by modifying and enabling a custom health check, modifying the HTTP server response code behavior, and changing the health check TCP timeout value. To modify the health check timeout: To modify the custom health check: URL for Custom Service Check: Sometimes the WebMux built-in server health check is not enough for special needs.
allowed responses. The URL is truncated to 255 bytes (to be a string of at most 256 bytes with a terminating null). The response from the server must fit in 4k, including all non-display tags, headers, etc. This custom CGI code must complete within 15 seconds or the server is considered dead. The custom defined service also allows for CGI code responses that let the server change its own weight and announce such a change to a remote syslog daemon.
7.11 Monitor Traffic History Chart To monitor the traffic history, the WebMux keeps some of its statistics in memory while running. Please note this information will be lost once the WebMux is rebooted.
Section 8 Initial Setup Change Through Browser You may want to change the basic settings of the WebMux through the browser interface, for example when the WebMux is located in a hosting center across the country. If one has information about the WebMux’s current basic settings, one can change those parameters through the browser. In the browser, enter the following URL: https://webmux_ip:webmux_manage_port/cgi-bin/rec For example, if your webmux_ip is 192.168.12.
The next question on the screen asks to set the time in the WebMux. The WebMux uses its clock to set the cookie for the management browser. When a WebMux manager is logged in for more than 8 hours without activity, the WebMux will log out the user based on the cookie. If the clock is off by more than 8 hours, the manager will not be able to log in to the WebMux. This section on the “rec” screen will allow the manager to correct the clock if it is off.
Section 9 Sample Configurations and Worksheets 9.
Entry Question Primary Secondary Server LAN VLAN ID (optional) Administration Setup Information External Gateway Address Remake /home/WebMux/conf/passwd Y/N Y/N Y N Administration HTTP Port Number Secure Administration HTTP Port # Is this WebMux primary WebMux running solo without backup Y/N Reboot? Y/N Y/N 9.2 Sample Configuration Worksheets 9.2.1 Standalone WebMux NAT Mode Configuration Before WebMux Installation Equipment IP Address Internet Router (or Firewall) Address 205.133.156.
Administration HTTP Port Number                 24
Secure Administration HTTPS Port Number         35
Is this WebMux primary                          Y
WebMux running solo without backup              Y
Reboot?                                         Y
You will also need to change the Web server IP address to 192.168.199.10, and its default gateway to 192.168.199.1. Add a farm for 205.133.156.200 and add a server to the farm at 192.168.199.10. You can then add more servers at 192.168.199.20 and 192.168.199.30. You can also add an additional farm at 205.133.156.
Webserver(s) Default Gateway                    10.1.1.1
Web Site IP Address                             10.1.1.200/255.255.0.0
Configuration After WebMux Installation
Question                                        Entry
Host Name                                       webmux
Domain Name                                     cainetworks.com
NAT, Transparent, Single Network or Out-of-Path Out-of-Path
WebMux Server LAN Information
Server LAN WebMux IP Address                    10.1.2.254 (any)
Server LAN WebMux IP Address Mask               255.255.0.0
Server LAN WebMux farm IP Address               10.1.1.200
Server LAN VLAN ID (optional)                   102
Server LAN gateway IP address                   10.1.1.
If using a multiple VLAN configuration, please note the VLAN IP address cannot be used as the FARM address. The FARM address must be an address within that VLAN other than the VLAN IP address.
9.2.4 A Redundant Installation
Configuration Before WebMux Installation
Equipment                                       IP Address
Internet Router (or Firewall) Address           205.133.156.1
Webserver(s) Default Gateway                    205.133.156.1
Web Site IP Address                             205.133.156.
Section 10 Contact Information For latest product and support information, please visit our web site at: http://www.cainetworks.com To reach us by e-mail: Support: support@cainetworks.com Sales: sales@cainetworks.
Section 11 FAQs I can’t login with my browser. It always says you are not logged in. To use your browser to manage the WebMux, it must be set to accept all cookies. Because the cookie is set to expire in 8 hours, you also need to make sure your system clock is set correctly using GMT. The message is an indication that your system clock is off. Please refer to page 84 on how to set the system clock of the WebMux. I can’t login with my browser because the WebMux does not respond.
How come my servers in the farm are showing in red color from time to time, even though the servers are okay? Your servers are trying to resolve the WebMux’s IP address to a name so they can log it into their log file. To avoid this problem, set the servers not to resolve IP addresses. You can also try adding all the IP addresses to the /etc/hosts file on your servers (address first, then name). For example:
1.2.3.4        www.mydomain.com   # use your real IP address
192.168.199.1  webmuxgw           # server lan gateway
192.168.199.   webmuxip
What can I do if the service that I want to load balance is not in the list? The WebMux already supports many different services. If your service is not in the list, you could use generic TCP and/or UDP to set your farm. If that is still not good enough, you may contact us for developing a special service aware module for you. In most cases, there is a very reasonable fee to be charged.
Section 12 Regulations 12.1 Notice to the USA Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This device complies with part 15 of the FCC Rules. Operation is subject to the following conditions: 1. This device may not cause harmful interference, and 2. This device must accept any interference received including interference that may cause undesired operation.
Appendix A How to Add a Loopback Adapter For Out-of-Path Mode, a loopback adapter or a device similar in function is required. This appendix lists a few different ways to add such a device for different OSes.
A.1 Installing the MS Loopback Adapter
1. Click Add Hardware -> Add a new device -> No, I want to select the hardware from a list, and select Microsoft Loopback Adapter from the list and click OK.
2. At the MS Loopback Adapter Card Setup screen hit OK to the default of 802.3
3.
select Disable NetBIOS over TCP/IP. Click OK in the various windows to make all the changes permanent. Beginning with Windows Server 2008, the default networking has moved to the “strong host” model as outlined in RFC 1122.
For SUSE Enterprise Linux 9: You can use YAST to set up a Virtual Interface and add the farm IP. Login as root, and add this command to the bootup script:
iptables -t nat -A PREROUTING -d -j DNAT --to-dest
For HP/UX 11.00 and 11i: Please make sure PHNE_26771 and related patches are applied first. Login as root, and add this command to the bootup script:
ifconfig lo0:1 farm_ip_address up
For FreeBSD:
ifconfig lo0 inet farm_ip_address netmask 255.255.255.
Appendix B How to Make Route Delete Reboot Persistent These instructions are for Windows 2000/NT systems. This is not necessary for Windows 2003 or 2008 systems.
1. In a Windows system, go to the boot drive root with cd C:\
2. Use a text editor to create a text file containing one line: route delete 10.1.0.0 mask 255.255.0.0 10.1.1.200
3. In the above file, 10.1.0.0 is the network destination, 255.255.0.0 is the netmask for the network, and 10.1.1.
Appendix C Virtual Hosting Issues Servers serving more than one web site may do virtual hosting. The WebMux supports virtual hosting by checking the virtual server’s response. There are three different situations for the WebMux to handle. If the service is HTTPS, there is no way to do virtual hosting on the same IP address. However, each HTTPS farm can be on a different IP address on the same server.
Appendix D Sample Custom CGI Code The custom cgi-bin checking program may be written in Java, VB, C, or Perl, for example, or it may be a WB or shell script. Here is a sample script written for the Linux shell bash which sees if an SSH daemon is running as its check criterion.
#!/bin/bash
echo "Content-type: text/plain"
echo                              # blank line ends the HTTP headers
if ps -C sshd &>/dev/null ; then
    echo "OK"                     # response from server goes here, see list below.
fi                                # the reply for a failed check is taken from the same list of allowed responses
Also, the MIME headers of the custom health check request will include “Host:” and “User-Agent:”. The “Host:” MIME header will be the label you used for the farm (not the label you use for the server). The “User-Agent:” MIME header will show “WebMux health check for :.” Note: The HTTP server will also have its own environment variables that you can utilize in your custom health check script.
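As an added example (not CAI Networks’ code), here is a Python CGI version of the Appendix D check that also respects the limits from section 7.10: it answers only requests carrying the WebMux Host: and User-Agent: headers described above, runs its checks under a deadline shorter than the 15-second limit, and replies with the status word alone. The farm label “www”, the /proc-based sshd lookup and the word FAIL (a placeholder for one of the WebMux’s allowed responses) are assumptions.

```python
#!/usr/bin/env python3
"""Custom WebMux service-check CGI script (added example, not CAI Networks code).

Limits taken from this guide: the WebMux requests the check URL with a Host:
header equal to the farm label and a User-Agent: beginning "WebMux health check
for", the reply must fit in 4 KB, and the script must finish within 15 seconds
or the server is marked dead. "OK" is the reply used in Appendix D; FAIL is a
placeholder that must be replaced by one of the WebMux's allowed responses.
"""
import os
import sys
import time

FARM_LABEL = "www"            # assumption: the label given to the farm
CHECK_DEADLINE_S = 10.0       # stop well inside the WebMux 15 s limit
OK_REPLY = "OK"
FAIL_REPLY = "FAIL"           # placeholder, not a WebMux-defined reply


def is_webmux_probe(environ, farm_label=FARM_LABEL):
    """True only for requests carrying the headers the WebMux health check sends."""
    host = environ.get("HTTP_HOST", "").split(":")[0]
    agent = environ.get("HTTP_USER_AGENT", "")
    return host == farm_label and agent.startswith("WebMux health check for")


def run_checks(checks, deadline_s=CHECK_DEADLINE_S):
    """Run (name, callable) checks in order and stop at the first failure or
    when the time budget is spent, so the script never overruns the WebMux timeout."""
    start = time.monotonic()
    for name, check in checks:
        if time.monotonic() - start > deadline_s:
            return False, f"deadline reached before {name}"
        try:
            if not check():
                return False, f"{name} failed"
        except Exception as exc:      # a crashing check is a failed check
            return False, f"{name} raised {exc!r}"
    return True, "all checks passed"


def sshd_running():
    """Same criterion as the Appendix D bash sample (ps -C sshd), read from /proc."""
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return False
    for pid in pids:
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() == "sshd":
                    return True
        except OSError:               # process exited while we were looking
            continue
    return False


def build_reply(healthy):
    """CGI reply: the header block, then only the status word the WebMux parses."""
    return "Content-type: text/plain\n\n" + (OK_REPLY if healthy else FAIL_REPLY) + "\n"


def main(environ=os.environ, checks=(("sshd", sshd_running),)):
    if not is_webmux_probe(environ):
        # Anything that is not the WebMux probe is refused rather than checked.
        return "Status: 403 Forbidden\nContent-type: text/plain\n\nnot a WebMux probe\n"
    healthy, detail = run_checks(list(checks))
    print(detail, file=sys.stderr)    # lands in the web server's error log
    return build_reply(healthy)


if __name__ == "__main__":
    sys.stdout.write(main())
```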
Appendix E Access CLI Commands Once the diagnose ports are set, the superuser can use ssh or telnet to access the CLI commands to help troubleshoot network or server problems. There are at most two diagnose ports. By default they are 77:87. The first one is SSH and the second one is Telnet. If only one port is specified, only SSH access is allowed. The command “ssh -l superuser -p port_number WebMux_ip_address” can be issued from any Linux/Unix computer.
poweroff - initiates the proper shutdown sequence.
putconfig - restore farm/server settings from your PC to the WebMux.
reboot - initiates a soft reboot.
restart - restarts the WebMux’s internal processes without rebooting the hardware.
rec - allows configuring the basic WebMux IP without using the pushbutton.
route - manipulate or display the routing table. Settings made here ARE reboot persistent.
sysinit - allows you to create a custom startup script (useful for making custom iptables rules reboot permanent, etc.).
Appendix F Extended Regular Expressions Extended Regular Expressions are a powerful system for filtering and matching string patterns. Although you may be familiar with the wildcard characters used in DOS or Linux command lines, such as “?” and “*,” it is important to point out that these characters do not mean the same thing in Extended Regular Expressions. The “?” and “*” are called quantifiers and by themselves they do not represent actual characters.
Items with either OO or “Object Oriented” or “Object-Oriented” on one line:
OO|([oO]bject( |\-)[oO]riented)
To search for characters other than letters or digits put a “\” in front of them:
S\/SL
These examples were taken from the following web page: http://www.csci.csusb.edu/dick/samples/egrep.html You can also find helpful information at http://en.wikipedia.
Appendix G Notes on IPv6 Because IPv6 uses the colon (:) symbol in the address, there are special considerations needed when using the IPv6 address in a web browser because the colon (:) is also used to denote a port number (i.e. 192.168.12.21:24). Because accessing the WebMux’s web management requires access to port 24, you cannot simply put the IPv6 address in the address bar of the browser like you would for an IPv4 address. You must enclose the address in brackets ([]).
Appendix H WebMux SNMP MIB Query ID
.1.3.6.1.4.1.27182.3.1.1.1.11.0 caiWebMuxActive.0
  SYNTAX INTEGER { true(1), false(2) }
  DESCRIPTION “Whether this WebMux unit is active.”
.1.3.6.1.4.1.27182.3.1.1.1.7.0 caiWebMuxCPUSpeed.0
  SYNTAX Integer32 UNITS “MHz”
  DESCRIPTION “The clock speed of the CPU(s) in this unit.”
.1.3.6.1.4.1.27182.3.1.1.1.9.0 caiWebMuxCPUUsage.0
  SYNTAX Unsigned32 UNITS “%”
  DESCRIPTION “The current CPU usage expressed as a percentage.”
.1.3.6.1.4.1.27182.3.1.1.1.8.0 caiWebMuxCPUs.
.1.3.6.1.4.1.27182.3.1.1.3.1.7.x.y caiWebMuxFarmAddressPort.x.y
  SYNTAX Unsigned32 (1..65535)
  DESCRIPTION “A TCP or UDP port number used to access the service provided by this server farm.”
.1.3.6.1.4.1.27182.3.1.1.3.1.2.x.y caiWebMuxFarmAddressRowStatus.x.y
  SYNTAX INTEGER { active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6) }
  DESCRIPTION “The status of this row. As this table is read-only, the value of this object will always be active(1) at the present time.”
.1.3.6.1.4.
.1.3.6.1.4.1.27182.3.1.1.2.1.2.x caiWebMuxFarmRowStatus.x
  SYNTAX INTEGER { active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6) }
  DESCRIPTION “The status of this row. As this table is read-only, the value of this object will always be active(1) at the present time.”
.1.3.6.1.4.1.27182.3.1.1.2.1.3.x caiWebMuxFarmScheduling.x
  SYNTAX OCTET STRING (0..255)
  DESCRIPTION “The load balancing algorithm used to distribute incoming connections amongst the servers of this farm.”
.1.3.6.
.1.3.6.1.4.1.27182.3.1.1.1.10.0 caiWebMuxMemoryUsage.0
  SYNTAX Unsigned32 UNITS “%”
  DESCRIPTION “The current memory usage expressed as a percentage.”
.1.3.6.1.4.1.27182.3.1.1.1.4.0 caiWebMuxModel.0
  SYNTAX OBJECT IDENTIFIER
  DESCRIPTION “An object identifier uniquely identifying which model of WebMux this is. The possible set of identifiers is given under the caiWebMuxFamily sub-tree. Note that the SNMPv2-MIB object sysObjectID.0 will have the same value as this object in all cases.”
.1.3.6.1.4.1.27182.3.1.1.
.1.3.6.1.4.1.27182.3.1.1.4.1.10.x.y caiWebMuxServerConnectionsPerSec.x.y
  SYNTAX Gauge32
  DESCRIPTION “The current rate of connections being serviced by this server.”
.1.3.6.1.4.1.27182.3.1.1.4.1.14.x.y caiWebMuxServerError.x.y
  SYNTAX Integer32
  DESCRIPTION “most recent error code for server if available”
.1.3.6.1.4.1.27182.3.1.1.4.1.7.x.y caiWebMuxServerL7Pattern.x.y
  SYNTAX OCTET STRING (0..255)
  DESCRIPTION “The layer 7 pattern to match a request against for this server.”
.1.3.6.1.4.1.27182.3.1.1.4.1.8.x.
.1.3.6.1.4.1.27182.3.1.1.4.1.12.x.y caiWebMuxServerState.x.y
  SYNTAX Unsigned32
  DESCRIPTION “The current state of this server. The bits have the following meaning:
    Bit     Meaning
    0x0001  If bit set, server is available
    0x0002  If bit set, WebMux will send traffic to this server
    0x0020  If bit set, always try to use this server if it is available
    0x0040  If bit set, only try to use this server if no other server in the farm is available”
.1.3.6.1.4.1.27182.3.1.1.4.1.13.x.y caiWebMuxServerWeight.x.
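As an added example (not CAI Networks’ code), the following Python decodes the caiWebMuxServerState bits and the unit and server-table objects listed above from one poll and flags the conditions an operator would want alerted on. The walk lines are constructed in a plain “OID = value” form rather than captured snmpwalk output, and the 90% usage threshold is an assumption.

```python
"""Decode WebMux SNMP values from a walk (added example, not CAI Networks code).

The OIDs and the caiWebMuxServerState bit meanings come from the MIB listing in
this appendix; the walk output below is constructed, not captured from a unit.
"""
import re

BASE = ".1.3.6.1.4.1.27182.3.1.1"

# caiWebMuxServerState bit meanings, from the MIB description.
STATE_BITS = {
    0x0001: "available",     # server passed its health check
    0x0002: "traffic",       # WebMux will send traffic to this server
    0x0020: "preferred",     # always try this server if it is available
    0x0040: "last_resort",   # only use if no other server in the farm is available
}

# Scalar unit objects live under <BASE>.1.<column>.0 and per-server objects under
# <BASE>.4.1.<column>.<farm x>.<server y>; only the columns used here are listed.
SCALARS = {9: "caiWebMuxCPUUsage", 10: "caiWebMuxMemoryUsage", 11: "caiWebMuxActive"}
SERVER_COLS = {10: "caiWebMuxServerConnectionsPerSec", 12: "caiWebMuxServerState",
               13: "caiWebMuxServerWeight", 14: "caiWebMuxServerError"}

LINE_RE = re.compile(r"^(\S+)\s*=\s*(-?\d+)\s*$")


def decode_server_state(value):
    """Return the set of flag names whose bits are set in a caiWebMuxServerState value."""
    return {name for bit, name in STATE_BITS.items() if value & bit}


def parse_walk(lines):
    """Parse 'OID = integer' lines into {name: value} for scalars and
    {(name, farm, server): value} for server-table rows; other OIDs are skipped."""
    scalars, servers = {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(BASE + "."):
            continue
        sub = m.group(1)[len(BASE) + 1:].split(".")
        value = int(m.group(2))
        if sub[0] == "1" and len(sub) == 3 and int(sub[1]) in SCALARS:
            scalars[SCALARS[int(sub[1])]] = value
        elif sub[:2] == ["4", "1"] and len(sub) == 5 and int(sub[2]) in SERVER_COLS:
            servers[(SERVER_COLS[int(sub[2])], int(sub[3]), int(sub[4]))] = value
    return scalars, servers


def find_problems(scalars, servers, usage_limit=90):
    """Conditions from one poll that an operator would alert on (threshold assumed)."""
    problems = []
    if scalars.get("caiWebMuxActive") == 2:      # INTEGER { true(1), false(2) }
        problems.append("unit is not the active WebMux (standby or failed over)")
    for name in ("caiWebMuxCPUUsage", "caiWebMuxMemoryUsage"):
        if scalars.get(name, 0) > usage_limit:
            problems.append(f"{name} at {scalars[name]}% exceeds {usage_limit}%")
    rows = sorted((x, y) for (obj, x, y) in servers if obj == "caiWebMuxServerState")
    for x, y in rows:
        flags = decode_server_state(servers[("caiWebMuxServerState", x, y)])
        weight = servers.get(("caiWebMuxServerWeight", x, y))
        err = servers.get(("caiWebMuxServerError", x, y))
        if "available" not in flags:
            detail = f" (last error code {err})" if err is not None else ""
            problems.append(f"farm {x} server {y} failed health check{detail}")
        if weight == 0 and "available" in flags:
            problems.append(f"farm {x} server {y} has weight 0 (drained, no new connections)")
    return problems


# Constructed walk output in a simple 'OID = value' form (not real snmpwalk output).
SAMPLE_WALK = """
.1.3.6.1.4.1.27182.3.1.1.1.11.0 = 1
.1.3.6.1.4.1.27182.3.1.1.1.9.0 = 37
.1.3.6.1.4.1.27182.3.1.1.1.10.0 = 93
.1.3.6.1.4.1.27182.3.1.1.4.1.12.1.1 = 3
.1.3.6.1.4.1.27182.3.1.1.4.1.13.1.1 = 50
.1.3.6.1.4.1.27182.3.1.1.4.1.12.1.2 = 2
.1.3.6.1.4.1.27182.3.1.1.4.1.13.1.2 = 50
.1.3.6.1.4.1.27182.3.1.1.4.1.14.1.2 = 111
.1.3.6.1.4.1.27182.3.1.1.4.1.12.1.3 = 65
.1.3.6.1.4.1.27182.3.1.1.4.1.13.1.3 = 0
""".strip().splitlines()

if __name__ == "__main__":
    for problem in find_problems(*parse_walk(SAMPLE_WALK)):
        print(problem)
```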
Appendix I Special Details about Out-of-Path Mode Since firmware version 8.2.03, the WebMux bonds the “Internet” and “Server” ports in a Link Aggregation Group. If you have a switch that has “LAG,” “Ether Channel,” or “Port Channel” capabilities, the “Internet” and “Server” interfaces will behave as a single interface and effectively double the amount of data throughput. Prior to version 8.2.03, the “Internet” port was deactivated in Out-of-Path Mode.
Appendix J Tagged VLAN and WebMux VLANs may be untagged and tagged. To use untagged VLANs, also known as port based VLANs, no additional configuration of the WebMux is necessary. To the WebMux it appears as if no VLANs are used, and VLAN configuration is done on the switches. This appendix will discuss using tagged VLANs, also known as 802.1q VLANs for the original networks configured on the WebMux.
In Out-of-Path Mode, you only have one VLAN ID to assign for the original network since the WebMux only uses one network for both incoming traffic from clients and outgoing traffic to the servers. In Out-of-Path Mode, the Internet LAN interface and Server LAN interface are bonded in a Link Aggregation Group, and both interfaces have identical configuration (unless the port bonding is specifically disabled—see Appendix J).
Appendix K Multiple Uplink/VLAN Support As of version 8.5.00, the WebMux supports load balancing across multiple uplinks. You can configure this feature using the command line interface command: nwconfig - additional network configuration add/list/delete/install tool With multiple uplink, you can configure the WebMux to use multiple ISPs and gateways. The WebMux uses source based routing to be sure that packets that came in from one ISP will return through the same ISP.
-m|--netmask NETMASK    network mask for the network is NETMASK, e.g., 255.255.255.0
-n|--network NETWORK    address of the network is NETWORK, e.g., 192.168.14.0
-r|--router-vid VID     VLAN ID for the network for the router in transparent mode
-s|--server-vid VID     VLAN ID for the network for the servers in transparent mode
-p|--prefix PREFIX      network mask as a prefix width is PREFIX, e.g., 24
-v|--vid VID            VLAN ID for the network is VID (default: original VLAN tag)
For example: nwconfig -A newISP -i 192.168.14.
and secondary units. In NAT mode, the Router (Internet) LAN and Server LAN interfaces are deactivated when the unit is in standby to eliminate duplicate IP address issues and to allow you to conserve available IP addresses. In the original network configuration you had to specify a “server LAN gateway IP” to be used as the servers’ default gateway IP address. The “server LAN gateway IP” is a floating IP address that is available only on the active WebMux in a WebMux pair.
Appendix L Bond All Interfaces Setup Guide As of firmware version 8.5.04, when you specify a non-zero VLAN ID in NAT Mode or Transparent Mode, you will be given an additional option to “Bond rtr/svr NI”. This feature allows you to use the “Internet” and “Server” ports as a “single” bonded interface (also known as Port Channel or Link Aggregation Group).
When you create a port channel, a new interface may be created designated by 1/1 for example. Next, you will assign the VLAN IDs to the PORT-CHANNEL interface (1/1). First, configure the port-channel interface to “participate” or “include” VLAN 100 and make sure that it is TAGGED. Then, configure the port-channel interface to “participate” or “include” VLAN 200 and make sure that it is TAGGED. The port-channel interface should now be part of both VLAN 100 and VLAN 200 using TAGGED VLAN.
Appendix M How to Add Commands to WebMux Startup Sequence Sometimes there is a need to add commands to the WebMux startup sequence so that certain commands can be reboot persistent. In the 8.5.02 firmware release and later, there is a new superuser command “sysinit” provided for the user to add iptables or other commands to the startup sequence.
Appendix N Using Client Side SSL Certificate Authentication on the WebMux The WebMux can authenticate visiting browsers by installing client side SSL certificates. With client side SSL certificate authentication, unauthorized visitors can be dropped or directed to a different page. 1. Create the Certificate Authority using OpenSSL. a. Generate a private key: openssl genrsa -out ca.key 1024 b. Generate a certificate request: openssl req -new -key ca.key -out ca.csr Fill in all the proper fields. c.
b. Select an unused key slot (key 3, for example): c. Open the ca.crt file created in step 1 as a text file. d. Copy and paste the text into the CA certificate text box. Be sure to select “use new CA certificate pasted in” and add the line “CAFILE level 2” at the very top. e. Click the confirm button. 3. Create a private key and generate a certificate request. a. Using OpenSSL: i. Create the private key: openssl genrsa -out webmux.key 1024 ii. Open the “webmux.
iv. Your certificate request is saved in the file “webmux.csr”. 4. Self-sign the certificate request and import the certificate into the WebMux. a. Use openssl to sign the certificate request with the CA using the ca.key and ca.crt created in step 1: openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in webmux.csr -out webmux.crt b. Open “webmux.crt” as a text file and copy and paste it into the certificate text box: c. Click the “Confirm” button. 5.
i. Go back to the Certificate Manager and click on the “Your Certificates” tab. Click on “Import”: ii. Select the “client.p12” file created in step 7: iii. Click the “OK” button. b. For Internet Explorer: i. Go to the Tools menu and select Internet Options.
ii.
iii. In the Certificates windows, click on the Personal tab: iv. Click on the Import button. You will see this screen.
v. Click the Browse button: vi.
vii. Enter the password you created at 7a: viii.
ix. Click the Finish button: x. The Certificate has been imported: 9. To enable client side certificate authentication on the WebMux: a. Create a farm with SSL termination using the key slot that has the CA certificate imported. b. Select “tag SSL-terminated HTTP requests”.
Appendix O Configuring End to End SSL Load Balancing End to End SSL Load Balancing allows you to enable SSL on the front end between the client and the WebMux farm, but also on the back end between the WebMux and the real servers for added security. This section shows you how to create a farm with End to End SSL Load Balancing. 1. Create a farm as you normally would, but be sure to select the following options for the farm: a. Use HTTP service. b. Select any Layer 7 scheduling method.
2. Click the submit button and you should be back at the main console screen with the newly added farm showing. 3. Click on the farm IP and add servers as you normally would. You can just add the server IP address and leave the rest of the fields as is: 4. Click the submit button. 5. Be sure to click the “save” button so you do not lose your farm configuration.