In the scenario that you have two View Security servers and two View Connection servers... What happens if one of the connection servers crashes – how does the security server that it is paired with know to halt traffic on that leg so that all the connections use the secondary security server and connection server pair? Otherwise – it makes no sense to have two security servers as you’re not getting true redundancy via the load-balancer.
For the Load Balancer in front of the Security Servers, you should healthcheck the Security Servers with "GET /favicon.ico HTTP/1.0". That way, if a Security Server is down or its paired Connection Server is down, traffic will route to the other Security Server(s).
The documentation for the mainstream Load Balancer vendors has details on setting them up in this way to get complete fault tolerance.
Mark
I guess it depends on how you are doing your load balancing. If you're using something like DNS round robin then yes, that would be a problem, but if you're using something that has more intelligence maybe it removes the bad pair from the equation and simply routes to the good security server/connection broker.
Thanks much! Can you provide any details on how F5 might accomplish this?
ITTech2002 wrote:
Thanks much! Can you provide any details on how F5 might accomplish this?
Well F5 certainly can 🙂
Try this - http://www.f5.com/pdf/white-papers/dell-f5-vmware-view-wp.pdf but contact F5 because depending on your F5 version, there is probably newer information. It is a very common deployment scenario.
Mark
You should set your load balancer up to probe multiple items....
1. Probe that port 80 traffic is working on the security server.
2. Probe that the view connection server service is started on the view connection server that the security server is attached to.
Mickelonis wrote:
You should set your load balancer up to probe multiple items....
1. Probe that port 80 traffic is working on the security server.
2. Probe that the view connection server service is started on the view connection server that the security server is attached to.
The advantage of the "GET /favicon.ico HTTP/1.0" to the Security Server is that it tests the health of the Security Server *and* paired Connection Server. This means that you don't have to poll the Connection Server directly in this case.
Mark
To expand on what Mark said, you have to explicitly ensure:
* Ensure you get a 200 response back; you will still get a response if the backend CS is down, but it will be a 503.
* You test using HTTPS if it's enabled on the server; most of the time this is the case. When HTTPS is enabled, HTTP is simply a local status/redirect page served from the security server and so will give you a false positive.
Can you give a little more detail on this setup? My firewall/F5 guy is not getting back a 200 like he would expect. He is able to see a response via the command line of 503 and 302 (443 is encrypted).
Regards,
Ben Mitchell
FTB Server Team
FirstTennesseeBank wrote:
Can you give a little more detail on this setup? My firewall/F5 guy is not getting back a 200 like he would expect. He is able to see a response via the command line of 503 and 302 (443 is encrypted).
Regards,
Ben Mitchell
FTB Server Team
You are seeing 302 because you're testing the http port; as mentioned above, this will either display a link or redirect you to https depending on the version of View you're using. You can only reliably test using an actual https connection on 443.
That is correct. I'm being told that we can't view HTTPS because it's encrypted. He is using the following command to check the server. I'm not sure I'm explaining what we want done to our F5/Firewall guy. But below is what he told me he has in the F5.
Send String = GET / \r\n\r\n
Receive String = view
Cipher List = DEFAULT+SHA+3DES+kEDH
Regards
Ben Mitchell
FTB Server Support
I'm sorry, I don't have an F5 device so can't give you specific instructions. I'd hope you can tell it to do the SSL handshake then write the test inside the encryption layer. Your test is looking for "view" in the response, you should be explicitly looking for an HTTP status code of 200.
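The probe this thread converges on (an HTTPS GET of /favicon.ico against the Security Server, accepting only a 200, treating a 503 as the paired Connection Server being down, and recognising that a 302 from the plain-HTTP port is a redirect rather than a health result), written out as an added Python example. It is not code from the thread, from VMware or from F5. The host, port and the small stand-in HTTP server are constructed so the example runs offline; the `verify` parameter is a hypothetical option for lab boxes with self-signed certificates and defaults to normal certificate checking.

```python
"""Load-balancer style health probe for a View Security Server (added example).

A real monitor does the TLS handshake first and then runs the request inside
the encrypted session; this script does the same with http.client and maps
the status code to a healthy/unhealthy decision the way the thread describes.
"""
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple

PROBE_PATH = "/favicon.ico"  # cheap static resource the thread recommends


def classify_status(status: int, used_tls: bool) -> Tuple[bool, str]:
    """Map an HTTP status to (healthy, reason).

    Only 200 counts as healthy: that means the Security Server answered *and*
    its paired Connection Server was reachable.  503 means the Security Server
    is alive but the Connection Server leg is down.  A 30x from the plain-HTTP
    port is the local redirect-to-HTTPS page and tells us nothing.
    """
    if status == 200:
        return True, "security server and paired connection server answered"
    if status == 503:
        return False, "security server up, paired connection server unavailable"
    if status in (301, 302) and not used_tls:
        return False, "plain-HTTP redirect to HTTPS; probe the 443 listener instead"
    return False, "unexpected status %d" % status


def probe(host: str, port: int, use_tls: bool = True,
          timeout: float = 3.0, verify: bool = True) -> Tuple[bool, str]:
    """Perform one GET /favicon.ico and classify the answer.

    Any socket or HTTP-level failure is reported as unhealthy rather than
    raised, because a monitor must keep running when a member is down.
    """
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify:  # hypothetical lab-only switch; keep verification on in production
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return classify_status(resp.status, use_tls)
    except (OSError, http.client.HTTPException) as exc:
        return False, "no response: %s" % exc
    finally:
        conn.close()


def start_fake_security_server(status_for_probe: int) -> Tuple[HTTPServer, int]:
    """Constructed stand-in for a Security Server's HTTP listener.

    It answers PROBE_PATH with the configured status so the probe logic can be
    exercised offline; it is not a View component.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            code = status_for_probe if self.path == PROBE_PATH else 404
            self.send_response(code)
            if code in (301, 302):
                self.send_header("Location", "https://view.example.test" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # Walk through the three cases the thread discusses against the stand-in.
    for status in (200, 503, 302):
        srv, port = start_fake_security_server(status)
        print(status, probe("127.0.0.1", port, use_tls=False))
        srv.shutdown()
        srv.server_close()
```

The stand-in server only speaks plain HTTP, so the demo passes `use_tls=False`; against a real Security Server you would call `probe(host, 443)` and let the TLS branch run. The 302 case is reported as unhealthy with an explicit reason rather than silently passing, which is exactly the false positive the thread warns about when a monitor grep-matches "view" in the response instead of checking for a 200.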
Once I was able to explain the goal to our Risk guy he was able to set it up and get it working. Thanks everyone!!
Regards,
Ben Mitchell