BRKAPP-2020
@ciscoliveeurope, #CLEUR
Cisco Public
Agenda
Load Balancing Today's Web Application
- Benefits of Traffic Management
- Introduction to ACE
- Design Considerations
- Probes, Persistence, Predictors
- Resources
- SSL
Microsoft Deployments
- ACE for Microsoft Exchange 2010
- ACE for Microsoft SharePoint 2010
The Cisco Application Control Engine (ACE) provides validated solutions for Microsoft applications
Cisco ACE30 Module 4-16 Gbps
Design Considerations
One-Armed: load balancer not inline
Bridged Mode
- Easy migration for servers
- Requires one IP subnet
- Recommended for non-LB traffic
BRKAPP-2020 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Predictors
How can you balance the connections?
Probes
Persistence
Health Probes
SAP Enterprise Portal
Configuration
Health Checks
Watch the expected status code
NetWeaver Web Administrator

    ACE/dc# telnet 169.145.90.16 50100
    Trying 169.145.90.16...
    Connected to 169.145.90.16.
    Escape character is '^]'.
    GET /nwa HTTP/1.1
    Host: 169.145.90.16

    HTTP/1.1 302 Found
    server: SAP NetWeaver / AS Java 7.1
    content-type: text/html
    location: http://169.145.90.16/webdynpro/dispatcher/sap.com/tc~lm~itsam~co~ui~nwa~localnavigation~wd/NWAApp
Probe Defaults
| Name | Description | Min Time | Max Time | Default |
| Interval | Time between successful probes | 2 | 65535 | 120 |
| FailDetect | Number of failed probes before marking as failed | 1 | 65535 | 3 |
| PassDetect Interval | Time to send a probe when a server is marked as failed | 2 | 65535 | 300 |
| PassDetect Count | Number of successful probes before marking the server as passed | 1 | | 3 |
| Open | Time for a successful 3-way handshake | 1 | | 10 |
| Receive | Time for getting a response, i.e. send a GET, wait for a reply | 1 | | 10 |
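The "Watch the expected status code" slide and the probe defaults table, combined into one added example (not code from the deck or from Cisco): it evaluates the captured `/nwa` reply against an expected status range and replays probe results through a fail/pass counter. The timing model (probe every Interval while up, every PassDetect Interval while failed) and all function names are assumptions.

```python
import re

# Defaults from the "Probe Defaults" slide: seconds, count, seconds, count.
INTERVAL, FAILDETECT, PASS_INTERVAL, PASS_COUNT = 120, 3, 300, 3

# Constructed from the telnet capture on the "Health Checks" slide.
NWA_REPLY = (
    "HTTP/1.1 302 Found\r\n"
    "server: SAP NetWeaver / AS Java 7.1\r\n"
    "content-type: text/html\r\n\r\n"
)

def status_code(raw):
    """Return the numeric status from an HTTP status line, or None."""
    m = re.match(r"HTTP/\d\.\d (\d{3})\b", raw)
    return int(m.group(1)) if m else None

def probe_ok(raw, lo, hi):
    """A probe passes only if the status falls inside the expected range."""
    code = status_code(raw)
    return code is not None and lo <= code <= hi

def simulate(results):
    """Replay probe results (True = pass); return [(seconds, new_state)].

    Assumed model: one probe per INTERVAL while the server is OPERATIONAL,
    one per PASS_INTERVAL while it is marked PROBE-FAILED.
    """
    state, fails, passes, t, out = "OPERATIONAL", 0, 0, 0, []
    for ok in results:
        t += INTERVAL if state == "OPERATIONAL" else PASS_INTERVAL
        if state == "OPERATIONAL":
            fails = 0 if ok else fails + 1
            if fails >= FAILDETECT:
                state, passes = "PROBE-FAILED", 0
                out.append((t, state))
        else:
            passes = passes + 1 if ok else 0
            if passes >= PASS_COUNT:
                state, fails = "OPERATIONAL", 0
                out.append((t, state))
    return out
```

A probe that expects 200 fails against the healthy `/nwa` redirect and takes the server out of rotation after three intervals; expecting 302 keeps it in service.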
ACE
Serverfarm
SYN to SYN-ACK: Time between SYN sent from ACE to SYN-ACK received from the server
SYN to Close: Time between SYN sent from ACE to FIN/RST received from the server
Time between HTTP request sent from ACE to HTTP response received from the server
    serverfarm TCP80-SF
      predictor response app-req-to-resp
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice

                                         ----------connections-----------
        real                  weight state        current    total      failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: TCP80-SF
        172.16.29.10:0        8      OPERATIONAL  0          239287     32
          max-conns            :    , out-of-rotation count :
          min-conns            :
          conn-rate-limit      :    , out-of-rotation count :
          bandwidth-rate-limit :    , out-of-rotation count :
          retcode out-of-rotation count :
          average response time (usecs) : 228
Session Persistence
- When customers visit an e-commerce site, they usually start out by browsing the site
- Depending on the application, the site may require that the client become "stuck" to one server once the connection is established, or the application may not require this until the client starts to build a shopping cart
- This is known as stickiness or session persistence
- Prior to ACE 4.X, sticky connections require a resource class to be configured. If you forget, ANM will send you the following message
- Cookie: client = a cookie value (Static, Dynamic, Insert)
- SSL ID: client = SSL session ID
- HTTP Redirect: LB redirects to specific (V)Server
- RDP: SD, Session Directory. Routing Token = server IP + Port
- SIP: client = Session Call-ID
- GPP: Regex matches on TCP and UDP data
Variation
custom
LB / LB / LB / Client / LB / LB / LB
Simplicity
Flexibility
No Cookie support
SIP-specific stickiness
Caveats
Proxies
SSL v3 Renegotiation
Specific to application
    switch/SAP-Datacentre# show stats http
    +------------------------------------------+
    +-------------- HTTP statistics -----------+
    +------------------------------------------+
     LB parse result msgs sent : 151 , TCP data msgs sent :
     Inspect parse result msgs : 0 , SSL data msgs sent :
         sent
     TCP fin/rst msgs sent : 8 , Bounced fin/rst msgs sent:
     SSL fin/rst msgs sent : 18 , Unproxy msgs sent :
     Drain msgs sent : 118 , Particles read :
     Reuse msgs sent : 0 , HTTP requests :
     Reproxied requests : 0 , Headers removed :
     Headers inserted : 254 , HTTP redirects :
     HTTP chunks : 37 , Pipelined requests :
     HTTP unproxy conns : 14 , Pipeline flushes :
     Whitespace appends : 0 , Second pass parsing :
     Response entries recycled : 110 , Analysis errors :
     Header insert errors : 0 , Max parselen errors :
     Static parse errors : 0 , Resource errors :
     Invalid path errors : 0 , Bad HTTP version errors :
URL Parsing
    class-map type http loadbala match-any URL-MATCHING
      2 match http url .*
    class-map type http loadbala match-any URL-IMAGE
      2 match http url /image/.*
    class-map match-all HTTP-CM
      2 match virtual-address 172.16.1.73 tcp eq 80
    serverfarm IMAGE-SF
      probe IMAGE-PROBE
      rserver IMAGE1
        inservice
      rserver IMAGE2
        inservice
    serverfarm WEB-SF
      probe WEB-PROBE
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice
    sticky http-cookie IMAGE-COOKIES IMAGECOOKIE
      cookie insert browser-expire
      serverfarm IMAGE-SF backup WEB-SF
    sticky http-cookie WEB-COOKIES WEBCOOKIE
      cookie insert browser-expire
      serverfarm WEB-SF
    !
    policy-map type loadbala first-match HTTP-PM
      class URL-IMAGE
        sticky-serverfarm IMAGECOOKIE
      class URL-MATCHING
        sticky-serverfarm WEBCOOKIE
    policy-map multi-match L4
      class HTTP-CM
        loadbalance vip inservice
        loadbalance policy HTTP-PM
        appl-para http advanced-option INSENSITIVE
Allocation of Resources
- The capacity of each ACE virtual context is determined by its resource class
- If the Admin context is not configured correctly, Admin could be starved of all resources
- When configuring resource allocations in ACE, it is possible to allocate 100% of resources to non-Admin contexts, so that the Admin context is no longer reachable via ICMP, telnet, SNMP, etc.
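A check for the Admin starvation condition described above, as an added example (not part of the deck): it reads `resource-class` and `context ... member` stanzas from configuration text and reports when the Admin context has no guaranteed minimum. The sample configuration and all names in it are constructed, and only `limit-resource all` lines are considered.

```python
# Constructed Admin-context excerpt; class and context names are hypothetical.
SAMPLE = """\
resource-class RC-PROD
  limit-resource all minimum 60.00 maximum equal-to-min
resource-class RC-TEST
  limit-resource all minimum 40.00 maximum unlimited
context SAP-Datacentre
  member RC-PROD
context LAB
  member RC-TEST
"""

def parse(cfg):
    """Return ({resource_class: min_percent}, {context: resource_class})."""
    classes, members, block = {}, {}, (None, None)
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line[0].isspace():            # top-level line opens a new block
            block = (tok[0], tok[1] if len(tok) > 1 else None)
        elif (block[0] == "resource-class" and len(tok) > 3
              and tok[:3] == ["limit-resource", "all", "minimum"]):
            classes[block[1]] = float(tok[3])
        elif block[0] == "context" and tok[0] == "member" and len(tok) > 1:
            members[block[1]] = tok[1]
    return classes, members

def audit(cfg):
    """Flag allocations that leave Admin without guaranteed resources."""
    classes, members = parse(cfg)
    reserved = {ctx: classes.get(rc, 0.0) for ctx, rc in members.items()}
    admin = reserved.get("Admin", 0.0)       # no membership = no guarantee
    others = sum(pct for ctx, pct in reserved.items() if ctx != "Admin")
    findings = []
    if admin == 0.0:
        findings.append("Admin context has no guaranteed minimum")
    if others >= 100.0:
        findings.append("non-Admin contexts reserve 100% of resources")
    return {"admin_min": admin, "non_admin_min": others, "findings": findings}
```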
ANM (Application Network Manager) provides you with a guided setup to import an SSL key pair into the ACE
The sample SSL key and cert files can be exported using the crypto export command
- parameter-map is used to define parameters for SSL connections (e.g., SSL version, cipher suites, close protocol behavior)
- ssl-proxy is used to define the certificates and keys to be used in SSL connections
    ssl-proxy service CLIENT-SSL
      key mykey.pem
      cert mycert.pem
    !
    serverfarm WEB-PROTOCOLS
      rserver SERVER1 81
        inservice
      rserver SERVER2 81
        inservice
      probe HTTP-GET
    !
    class-map match-all HTTPS-CM
      2 match virtual-address 172.16.1.73 tcp eq 443
    policy-map type loadbalance first-mat SSL-PM
      class class-default
        serverfarm WEB-PROTOCOLS
    !
    policy-map multi-match L4
      class HTTPS-CM
        loadbalance vip inservice
        loadbalance policy SSL-PM
        loadbalance vip icmp-reply
        ssl-proxy server CLIENT-SSL
    serverfarm WEB-PROTOCOLS
      probe HTTPs-GET
      rserver SERVER1 81
        inservice
      rserver SERVER2 81
        inservice
    !
    sticky http-cook WEBCKE STICKYCKE
      cookie insert
      serverfarm WEB-PROTOCOLS
    !
    policy-map type load first-mat SSL
      class class-default
        sticky-serverfarm STICKYCKE
    policy-map multi-match L4
      class HTTPS-CM
        loadbalance vip inservice
        loadbalance policy SSL
        loadbalance vip icmp-reply
        ssl-proxy server CLIENT-SSL
[Diagram: application servers (VM A) in a server farm with rservers r1, r2, r3 behind Application VIP A; VMware vCenter; SLB Team; Server Team]
Enabling a new server in a VM Environment
ANM 5.1 VCenter plug-in lets Sysadmins activate, suspend, configure and monitor rservers
[Diagram: ACE Load Balancer; ESX Cluster; application servers (VM A) in a server farm with rservers r1, r2, r3 behind Application VIP A; VMware vCenter; Sysadmin]
Fault Tolerance
- Cisco ACE detects the failure of View components, and directs traffic around the failure
Performance
- Reduce CPU usage on Connection Servers by offloading HTTPS cryptography
More Secure
- All traffic encapsulated in SSL.
- Virtual Desktop IP Addresses do not need to be reachable by clients
Offload Benefit
- SSL cryptography offloaded by Cisco ACE, reducing CPU utilization on Connection Servers
Recommended for LAN deployments on secure networks. Connection Servers participate in Active Directory and should not be exposed to the Internet
Connection Servers
1. HTTP(S) Authentication & Desktop Selection
2. AJP/JMS Authentication
3. RDP Over HTTPS
4. RDP Un-Tunneled By Security Server
[Diagram labels: Security Server, vCenter, Connection Server]
Most Secure
- All traffic encapsulated in SSL.
- No public exposure of Connection Servers
Requires careful planning, since Security Servers depend on their paired Connection Server
Connection Servers
Comprehensive set of validated ACE solutions
This design guide presents an end-to-end solution architecture that demonstrates how enterprises can virtualize their Exchange 2010 environment on Cisco Unified Computing System
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/hypervexchange.html
Exchange Components
[Diagram labels: WS, Mailbox Agents, OWA, Sync, Transport Agents, UM, Entourage, Middle Tier, Mailbox, DAV]
What it handles:
- Outlook data connections go to RPC Client Access Service on CAS instead of connecting to Mailbox servers
- Address Book Service on CAS replaces DSProxy interface, handles all Outlook Directory connections
- Public folder connections connect directly to the Mailbox server, but through RPC Client Access Service running on backend Exchange CAS Array
[Diagram: Internet, ACE, Access Switch, Microsoft Exchange CAS Servers, Mailbox Server]
    HTTP/1.1 200 OK
    Date: Tue, 12 Apr 2005 13:59:37 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Content-Type: text/html
    Content-Length: 1164

    <!--Copyright (c) 2000-2003 Microsoft Corporation. All rights reserved.-->
    <!--CURRENT FILE== "IE5" "WIN32" frameset -->
    <HTML>
    <HEAD>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=utf-8">
    <TITLE>Microsoft Outlook Web Access</TITLE>
    <BASE href="http://example.com/exchange/highroller/ ">
    </HEAD>

Callout on the BASE href line: Incorrectly (Insecure) Formatted Protocol
The CAS role is aware of the SSL-offload functionality of the ACE. To configure support for SSL-offloading on a CAS role, refer to: http://technet.microsoft.com/en-us/library/bb885060.aspx
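A way to spot the "Incorrectly (Insecure) Formatted Protocol" condition in responses served through an SSL-offloading VIP, as an added example (not code from the deck): it reports `http://` URLs pointing back at the VIP host in redirect headers and in HTML attributes that steer later requests. The sample response is constructed from the OWA reply on the slide; the watched tag list and function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed from the OWA response shown on the slide (body shortened).
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<HTML><HEAD><TITLE>Microsoft Outlook Web Access</TITLE>\n"
    '<BASE href="http://example.com/exchange/highroller/"></HEAD></HTML>'
)

class _Refs(HTMLParser):
    """Collect URL-bearing attributes that steer later browser requests."""
    WATCH = {("base", "href"), ("form", "action"), ("a", "href"),
             ("script", "src"), ("frame", "src"), ("iframe", "src")}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            if (tag, name) in self.WATCH and value:
                self.refs.append((f"<{tag} {name}>", value.strip()))

def insecure_refs(raw, vip_host):
    """Return [(where, url)] for http:// URLs that point at the HTTPS VIP."""
    head, _, body = raw.partition("\r\n\r\n")
    refs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("location", "content-location"):
            refs.append((name.strip() + " header", value.strip()))
    parser = _Refs()
    parser.feed(body)
    refs += parser.refs
    out = []
    for where, url in refs:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname == vip_host.lower():
            out.append((where, url))
    return out
```

A non-empty result means the backend still builds plain-HTTP URLs behind the offloading VIP, so the browser would follow them outside the SSL session.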
Outlook Anywhere
[Diagram: Internet, ACE, Access Switch, Microsoft Exchange CAS Servers, Mailbox Server]
- Session persistence based on SOURCE-IP or http-header Authorization
- SSL termination
- Health monitoring check Client Access Server status
Combined Outlook Anywhere and OWA ACE Configuration
CAS Server Farm and Session Persistence
- Persist on Authorization Header for Outlook Anywhere
- Load Balance on User-Agent Header for Outlook Anywhere
- Persist on sessionID Header for OWA

    serverfarm host msExchange02
      failaction purge
      predictor leastconns
      probe msExchange02-probe-1
      rserver 192.168.11.58 80
        inservice
      rserver 192.168.11.59 80
        inservice
      rserver 192.168.11.60 80
        inservice
    class-map type http loadbalance match-any msExchange02-cond
      description RPC
      2 match http header User-Agent header-value "MSRPC"
    sticky http-header Authorization msExchange02-OutlookRPC
      replicate sticky
      serverfarm msExchange02
    sticky http-cookie sessionid msExchange02-OutlookSession
      replicate sticky
      serverfarm msExchange02
    policy-map type loadbalance first-match msExchange02_https-l7slb
      class msExchange02-cond
        sticky-serverfarm msExchange02-OutlookRPC
      class class-default
        sticky-serverfarm msExchange02-OutlookSession
[Diagram: Internet, ACE, Access Switch, Microsoft Exchange CAS Servers, Mailbox Server]
    class-map match-all msExchange02_other
      2 match virtual-address 192.168.10.105 any
    serverfarm host msExchange02-others
      failaction purge
      predictor leastconns
      rserver 192.168.11.58
        inservice
      rserver 192.168.11.59
        inservice
      rserver 192.168.11.60
        inservice
    sticky ip-netmask 255.255.255.255 address source MAPI-RPC-SRC-IP
      replicate sticky
      serverfarm msExchange02-others
    policy-map type loadbalance first-match msExchange02_other-l7slb
      class class-default
        sticky-serverfarm MAPI-RPC-SRC-IP
What Is Microsoft SharePoint Server 2010?
- Microsoft SharePoint Server 2010 is a portal-based collaboration platform for creating, managing and sharing documents and Web services
- SharePoint 2010 enables users to create "Sharepoint Portals" that include shared workspaces, applications, blogs, wikis and other documents accessible through a Web browser
Logical Architecture
A SharePoint 2010 Serverfarm is a 3 Tier Architecture, which consists of:
- Web Front End Server(s)
- Application Server(s)
- Database Server(s)
The Web Server role provides Web content to clients.
The Application Server role provides SharePoint 2010 services such as search queries, Office Web Applications and crawling and indexing content.
The Database Server stores Content and Configuration information.
[Diagram labels: Browser, Client App, Config DB, Content DB, Custom DB]
SharePoint 2010 Topologies
- SharePoint Server 2010 can be deployed in a serverfarm environment when hosting a large number of sites, when the best possible performance is required, or if the scalability of a multi-tier topology is needed
- A Serverfarm consists of one or more servers dedicated to running the SharePoint Server 2010 application
- Serverfarm environments can encompass a wide range of topologies, and can include many servers or as few as two servers
- Because a Serverfarm deployment of SharePoint Server 2010 can be complex, Microsoft recommends that you plan your deployment
ACE Load Balancing SharePoint 2010
[Diagram: SP 2010 Web Front End (WFE) Servers, SP 2010 App. Servers, DB Tier, ACE; HTTP; OOB Probes]
- L4 Load Balancing for Application Traffic
- In-Band & OOB WFE Server Health Checking
- Session Persistence maintained with HTTP Cookie Insertion
Slide callouts: "... for Failed HTTP Connections"; "Required for Cookie Insertion on HTTP 1.1 Persistent Connections"

    serverfarm host msSharePoint01-80
      failaction purge
      predictor leastconns
      probe msSharePoint01-probe-1
      inband-health check remove 100 reset 500 resume-service 300
      rserver WFE01 80
        inservice
      rserver WFE02 80
        inservice
    parameter-map type http msSharePoint01-http_params
      persistence-rebalance
      set content-maxparse-length 8192
Summary
Load Balancing Today's Web Application
- Benefits of Traffic Management
- Introduction to ACE
- Design Considerations
- Probes, Persistence, Predictors
- Resources
- SSL
Microsoft Deployments
- ACE for Microsoft Exchange 2010
- ACE for Microsoft SharePoint 2010
Recommended Reading
BRKAAP- 2005
Thank you.