BRKAPP-2020 - ACE Deployment in an Application Environment.pdf
-
Upload
ronaldo-gama -
Category
Documents
-
view
39 -
download
0
Transcript of BRKAPP-2020 - ACE Deployment in an Application Environment.pdf
BRKAPP-2020
ACE Deployment in an Application Environment
Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 2
Housekeeping
We value your feedback- don't forget to complete your online session evaluations after each session & the Overall Conference Evaluation which will be available online from Thursday
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings
Please switch off your mobile phones
After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 3
Agenda Load Balancing Today’s Web Application
- Benefits of Traffic Management
- Introduction to ACE
- Design Considerations
- Probes, Persistence, Predictors
- Resources
- SSL
Linking VMware VCenter manager to the ANM 5.1
Deploying VMware View w/Cisco ACE
- VMware View 4.0
Microsoft Deployments
- ACE for Microsoft Exchange 2010
- ACE for Microsoft SharePoint 2010
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 4
Load Balancing Today’s Web Applications
Virtual Data Center introduces new challenges for load balancers and application management
- Transition to Virtual Machines (VMs) using Vmware and Microsoft Hyper-V technology
- Servers that used to be stand-alone are now VMs
- Virtual data center requires orchestration of the application, VM server and switching infrastructure
What are the challenges?
Application Network
Manager (5.1)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 5
Application Delivery Controller
Benefits of Traffic Management - Why application delivery Controller:
- Availability
- Scalability
- Performance
- Security
ACE Load Balancer
The Cisco Application Control Engine (ACE) provides validated solutions for Microsoft applications
Cisco ACE30 Module
4–16 Gbps Cisco ACE 4710
0.5 – 4Gbps
Mobile phone
Client Access Server farm
Virtual IP
Web browser
Outlook (remote user)
Outlook (local user)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 6
Design Considerations
Routed Mode
Easy to deploy
Requires at least two IP subnets
Servers in dedicated IP subnet
One Armed
Load Balancer not inline
Allows direct server access
Requires Source NAT
Bridged Mode
Easy migration for servers
Requires one IP subnets
Recommend for non-LB traffic
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 7
Introduction to ACE Load Balancer
Cisco ACE provides many advanced load balancing feature which can be applied to meet challengers with deploying today's applications
These features include:
1. Access-control (permit or deny a request)
2. Management traffic
3. TCP normalization/connection parameters
4. Server load balancing
5. Fix-ups/application inspection
6. Source NAT
7. Destination NAT
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 8
Virtual Context Setup
Virtual contexts are virtualized ACEs. Each virtual context has independent configuration and dedicated resources assigned. One context can pull resources from another
Microsoft Exchange 2010
Microsoft SharePoint 2010
Cisco UCS
Virtual Virtualization of Microsoft Exchange 2010
A separate virtual machine for each of the roles: Two Client Access Server, Hub Transport, Four Mailbox in a DAG (Database Availability Group)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 9
Basic Load Balancing for ERP Applications
• Is the server active? How can you check?
Probes
• How can you balance the connections?
Predictors • How do you
keep the client connected to the same server?
Persistence
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 10
Health Probes
SAP Enterprise Portal
Configuration
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 11
Health Checks
Watch the expected status code
ACE/dc# telnet 169.145.90.16 50100
Trying 169.145.90.16...
Connected to 169.145.90.16.
Escape character is '^]'.
GET /nwa HTTP/1.1
Host: 169.145.90.16
HTTP/1.1 302 Found
server: SAP NetWeaver / AS Java 7.1
content-type: text/html
location:
http://169.145.90.16/webdynpro/dispatcher/sap.com/tc~lm~itsam~co~ui~nwa~local
navigation~wd/NWAApp
NetWeaver Web Administrator
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 12
Probe Defaults
Name Description Min Time
Max Time
Default
Interval Time between successful probes 2 65535 120
FailDetect Number of failed probes before marking as failed
1 65535 3
PassDetect Interval
Time to send a probe when a server is marked as failed
2 65535 300
PassDetect Count
Number of successful probes before marking the server as passed
1 65535 3
Open time for a successful 3-way handshake 1 65535 10
Receive time for getting a response, ie. send a GET, wait for a reply
1 65535 10
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 13
Probe Configuration Options
To configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail (AND logic), use the fail-on-all command in real server host configuration mode
probe http BasicHTTP_02-probe-1
interval 5
passdetect interval 5
request method get url /index.html
expect status 200 499
open 10
probe scripted SQL_USER
interval 5
passdetect interval 10
script SQL_PROBE SQL_User Success 0
!
serverfarm host BasicHTTP_02
failaction purge
probe BasicHTTP_02-probe-1
probe SQL_USER
rserver 192.168.11.1 80
inservice
rserver 192.168.11.2 80
inservice
rserver 192.168.11.3 80
inservice
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 14
Predictors - Application Response
Load balancing based on server response time; response time calculated over a configured number of samples and supports the following options
Time between HTTP request
send from ACE to HTTP
response received from the
server
Time between SYN send
from ACE to SYN-ACK
received from the server
Time between SYN send
from ACE to FIN/RST
received from the server
ACE Serverfarm
SYN to Close Application Request to Response SYN to SYN-ACK
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 15
Predictors - Application Response
Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request
serverfarm TCP80-SF
predictor response app-req-to-resp
rserver SERVER1
inservice
rserver SERVER2
inservice
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: TCP80-SF
172.16.29.10:0 8 OPERATIONAL 0 239287 32
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
average response time (usecs) : 228
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 16
Session Persistence
When customers visits an e-commerce site, they usually start out by browsing the site
Depending on the application, the site may require that the client become "stuck" to one server once the connection is established, or the application may not require this until the client starts to build a shopping cart
This is known as stickiness or session persistence
Prior to ACE 4.X, sticky connections require a resource class to be configured. If your forget ANM will send you the following message
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 17
Session Persistence Methods
How to Uniquely Identify a Client…
Source IP Cookie SSL ID HTTP
Redirect RDP SIP GPP
How Does It Work
Client= its SRC IP
client = a cookie value
client = SSL
session ID
LB Redirects to Specific (V)Server
SD, Session Directory. Routing Token = server IP + Port
Client = Session Call-ID
Regex matches on TCP and UDP data
Variation
Full IP Masked IP
Static
Dynamic
Insert
Full SSID
Offset custom
Info Stored on
LB LB LB Client LB LB LB
Good For Simplicity Flexibility No Cookie support
No State on LB
Recovering Disconnected WTS sessions
SIP-specific stickiness
Flexible for custom applications
Caveats Proxies HTTP only
Clear Test
SSL v3
Renegotiation
HTTP only
Absolute URLs
Bookmarks
No Token, needs to fall back to source IP
Specific to application
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 18
Basic ERP Web Load Balancing
Persistence Options
Configuration shows two different sticky options; HTTP Cookie and source IP sticky
sticky http-cookie ILIKECOOKIES COOKIESTICKY
cookie insert
timeout 720
serverfarm HTTP-SF
!
sticky ip-netmask 255.255.240.0 address source IPSTICKY
serverfarm HTTPS-SF
!
policy-map type loadbalance first-match WEB-PM
class class-default
sticky-serverfarm COOKIESTICKY
policy-map type loadbalance first-match TCP80-PM
class class-default
sticky-serverfarm IPSTICKY
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 19
Basic ERP Web Load Balancing
sticky http-cookie ILIKECOOKIES COOKIESTICKY
cookie insert browser-expire
serverfarm TCP80-SF
!
policy-map type loadbalance first-match HTTP-PM
class class-default
sticky-serverfarm COOKIESTICKY
policy-map multi-match LOADBALANCE
class HTTP-CM
loadbalance vip inservice
loadbalance policy HTTP-PM
interface vlan 2
ip address 10.10.119.55 255.255.255.0
access-group input EVERYONE
service-policy input LOADBALANCE
service-policy input REMOTE-MGNT
no shutdown
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 20
Basic ERP Web Load Balancing
class-map match-all TCP80-CM
2 match virtual-address 10.10.119.112 tcp eq 80
!
rserver host SERVER1
ip address 10.10.119.1
inservice
rserver host SERVER2
ip address 10.10.119.222
inservice
probe tcp TCP80-PROBE
interval 10
port 80
passdetect interval 10
passdetect count 3
probe http HTTP-PROBE
interval 20
passdetect interval 5
request method get url /index.html
expect status 200 499
serverfarm TCP80-SF
probe TCP80-PROBE
probe HTTP-PROBE
predictor leastconns slowstart 200
rserver SERVER1
inservice
rserver SERVER2
inservice
sticky http-cookie ILIKECOOKIES COOKIESTICKY
cookie insert browser-expire
serverfarm TCP80-SF
!
policy-map type loadbalance first-match HTTP-PM
class class-default
sticky-serverfarm COOKIESTICKY
policy-map multi-match LOADBALANCE
class HTTP-CM
loadbalance vip inservice
loadbalance policy HTTP-PM
interface vlan 2
ip address 10.10.119.55 255.255.255.0
access-group input EVERYONE
service-policy input LOADBALANCE
service-policy input REMOTE-MGNT
no shutdown
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 21
Basic ERP Web Load Balancing
switch/SAP-Datacentre# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 151 , TCP data msgs sent : 152
Inspect parse result msgs : 0 , SSL data msgs sent : 495
sent
TCP fin/rst msgs sent : 8 , Bounced fin/rst msgs sent: 8
SSL fin/rst msgs sent : 18 , Unproxy msgs sent : 14
Drain msgs sent : 118 , Particles read : 1718
Reuse msgs sent : 0 , HTTP requests : 156
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 254 , HTTP redirects : 0
HTTP chunks : 37 , Pipelined requests : 0
HTTP unproxy conns : 14 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 110 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 3
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Where’s the Cookie?
Default Header Parse Length 2K
parameter-map type http INSENSITIVE case-insensitive persistence-rebalance set header-maxparse-len 8192 policy-map multi-match LOADBALANCE class HTTP-CM loadbalance vip inservice loadbalance policy SAP-PM appl-parameter http advanced-options INSENSITIVE
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 22
URL Parsing
class-map type http loadbala match-any URL-MATCHING
2 match http url .*
class-map type http loadbala match-any URL-IMAGE
2 match http url /image/.*
class-map match-all HTTP-CM
2 match virtual-address 172.16.1.73 tcp eq 80
serverfarm IMAGE-SF
probe IMAGE-PROBE
rserver IMAGE1
inservice
rserver IMAGE2
inservice
serverfarm WEB-SF
probe WEB-PROBE
rserver SERVER1
inservice
rserver SERVER2
inservice
sticky http-cookie IMAGE-COOKIES IMAGECOOKIE
cookie insert browser-expire
serverfarm IMAGE-SF backup WEB-SF
sticky http-cookie WEB-COOKIES WEBCOOKIE
cookie insert browser-expire
serverfarm WEB-SF
!
policy-map type loadbala first-match HTTP-PM
class URL-IMAGE
sticky-serverfarm IMAGE-COOKIE
class URL-MATCHING
sticky-serverfarm WEB-COOKIE
policy-map multi-match L4
class HTTP-CM
loadbalance vip inservice
loadbalance policy HTTP-PM
appl-para http advanced-option INSENSITIVE
Allocation of Resources
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 24
Virtual Context Setup
Every ACE device contains a special virtual context called "Admin", which has settings for the ACE device itself.
You can configure load balancing within the Admin context, it is recommended that you create separate virtual contexts for load balancing
The capacity of each ACE virtual context is determined by its resource class
If Admin context is not configured correctly admin could be starved of all resources
When configuring resource allocations in ACE, it is possible to allocate 100% of resources to non-Admin contexts, so that the Admin context is no longer reachable via ICMP, telnet, SNMP, etc
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 25
Recommended Settings for Admin Context
resource-class ADMIN
limit-resource conc-connections minimum 5.00 maximum equal-to-min
limit-resource mgmt-connections minimum 5.00 maximum equal-to-min
limit-resource rate bandwidth minimum 5.00 maximum equal-to-min
limit-resource rate ssl-connections minimum 5.00 maximum equal-to-min
limit-resource rate mgmt-traffic minimum 5.00 maximum equal-to-min
limit-resource rate conc-connections minimum 5.00 maximum equal-to-min
!
resource-class STICKY
limit-resource all minimum 1.00 maximum unlimited
limit-resource acl-memory minimum 5.00 maximum equal-to-min
limit-resource conc-connections minimum 5.00 maximum equal-to-min
limit-resource rate bandwidth minimum 5.00 maximum equal-to-min
limit-resource rate connections minimum 5.00 maximum equal-to-min
limit-resource sticky minimum 6.00 maximum equal-to-min
limit-resource rate ssl-connections minimum 5.00 maximum equal-to-min
Considerations when Load Balancing SSL Connections
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 27
SSL Server Offload
To terminate or initiate HTTPS connections with ACE, the virtual context must have at least one SSL proxy service. An SSL proxy contains the certificate and key information needed to terminate HTTPS connections from the client or initiate them to the servers
ANM (Application Network Manager) provides you with a guided setup to import an SSL key pair into the ACE
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 28
Sample SSL Key/Cert Pair
ACE shipped with a default RSA 1024 bit. Certificate is based on this key pair
The sample certificate and key are named cisco-sample-cert and cisco-sample-key
You can view the sample SSL key and cert
The sample SSL key and cert files can be exported using the ‘crypto export’ command
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 29
Basic SSL Load Balancing
Redirecting Clients to Use SSL
rserver redirect REDIRECT
webhost-redirection https://%h%p 302
inservice
!
serverfarm redirect REDIRECT-SF
rserver REDIRECT
inservice
!
class-map match-all HTTP
2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match REDIRECT-PM
class class-default
serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
class HTTP
loadbalance vip inservice
loadbalance policy REDIRECT-PM
http://www.cisco.com/go/ace
https://www.cisco.com/go/ace
%h %p
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 30
SSL Server Offload Configuration
In order to configure SSL, you need to add the following to a L3 / L4 class map:
- ‘parameter-map type ssl’
- ‘ssl-proxy service’
- ‘policy-map’
parameter-map is used to define parameters for SSL connections (e.g., SSL version, cipher suites, close protocol behavior)
ssl-proxy is used to define the certificates and keys to be used in SSL connections
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 31
SSL Packet Flow With ACE
ssl-proxy service CLIENT-SSL key mykey.pem cert mycert.pem ! serverfarm WEB-PROTOCOLS rserver SERVER1 81 inservice rserver SERVER2 81 inservice probe HTTP-GET ! class-map match-all HTTPS-CM 2 match virtual-address 172.16.1.73 tcp eq 443
policy-map type loadbalance first-mat SSL-PM
class class-default
serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
class HTTPS-CM
loadbalance vip inservice
loadbalance policy SSL-PM
loadbalance vip icmp-reply
ssl-proxy server CLIENT-SSL
HTTP—200 Ok Response index.html HTTPS—GET index.html Accept-Encoding: gzip, deflate
HTTPS—Response
SSL Handshake
SYN (tcp—443)
SYN SYN/ACK ACK HTTP—GET index.html
L3 Flow
TCP Flow
Client Server 1
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 32
Basic SSL Offload Example
rserver host SERVER1
ip address 192.168.1.1
inservice
rserver host SERVER2
ip address 192.168.1.2
inservice
!
probe http HTTP-GET
interval 5
port 81
passdetect interval 3
request method get url /secure/index.html
expect status 200 200
!
parameter-map type ssl CLIENT_PARAM
cipher RSA_WITH_RC4_128_MD5 priority 2
cipher RSA_WITH_AES_128_CBC_SHA priority 3
cipher RSA_WITH_AES_256_CBC_SHA priority 5
session-cache timeout 600
ssl-proxy service CLIENT-SSL
key mykey.pem
cert mycert.pem
ssl advanced-options CLIENT_PARAM
!
class-map match-all HTTPS-CM
2 match virtual-address 172.16.1.73 tcp eq 443
!
serverfarm WEB-PROTOCOLS
probe HTTPs-GET
rserver SERVER1 81
inservice
rserver SERVER2 81
inservice
!
sticky http-cook WEBCKE STICKYCKE
cookie insert
serverfarm WEB-PROTOCOLS
!
policy-map type load first-mat SSL
class class-default
sticky-serverfarm STICKYCKE
policy-map multi-match L4
class HTTPS-CM
loadbalance vip inservice
loadbalance policy SSL
loadbalance vip icmp-reply
ssl-proxy server CLIENT-SSL
ACE in a Virtualised Environment
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 34
Application Network
Manager (5.1) Vmware VCenter
Server Farm
Application servers
ESX Cluster ACE Load Balancer
Application
VIP
VM
VM
A
A A
A
A
r2
r1 2
1
A
VM
A r3 3
SLB Team Server Team
Enabling a new server in a VM Environment
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 35
Enabling a new server in a VM Environment
ANM 5.1 VCenter plug-in lets Sysadmins activate, suspend, configure and monitor rservers
Server Farm
Application servers
ESX Cluster ACE Load Balancer
Application
VIP
VM
VM
A
A A
A
A
r2
r1 2
1
A
VM
A r3 3
Vmware VCenter Sysadmin
Application Network
Manager (5.1)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 36
ANM 5.1 Plug-in for VMware VCenter
ACE Tab from ANM
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 37
ANM 5.1 Plug-in for VMware VCenter
activate,
suspend,
configure
and monitor
rservers
Deploying VMware View 4.0 with Cisco ACE
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 39
Why add a Cisco ACE?
Scalability: Larger deployments require multiple Security Servers or multiple Connection Servers
- Cisco ACE balances client connections across available connection servers
- VMware rates a single View Connection Server at 1,500 concurrent non-tunneled connections, and 30% less if tunneled
Fault Tolerance
- Cisco ACE detects the failure of View components, and directs traffic around the failure
Performance
- Reduce CPU usage on Connection Servers by offloading HTTPS cryptography
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 40
VMware View deployment with Cisco ACE
LAN Direct Deployment
- Display protocol does not pass through the View Connection Server
LAN Tunneled Deployment
- Display protocol Traffic is encapsulated in HTTPS and passes through the View Connection Server
Secure (DMZ) Tunneled Deployment
- Display protocol Traffic is encapsulated in HTTPS and passes through the View Security Server
- View Security Server does not participate in Active Directory, and can be safely placed in DMZ
General Types of View Deployments
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 41
LAN Tunneled Deployment w/ACE
VMware View deployment with Cisco ACE
More Secure – All traffic encapsulated in SSL. Virtual Desktop IP Addresses do not need to be reachable by clients
Offload Benefit – SSL cryptography offloaded by Cisco ACE, reducing CPU utilization on Connection Servers
Recommended for LAN deployments on secure networks. Connection Servers participate in Active Directory and should not be exposed to the Internet
View Client
ESX Cluster
Containing
Virtual Desktops
Cisco ACE
1. Authentication
2a. RDP
2b. RDP
Decrypted
2c. RDP Brokered
Connection
Servers
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 42
Secure Tunneled Deployment (DMZ)
VMware View deployment with Cisco ACE
* Client RDP connection is
tunneled over HTTPS to
Security Server
View Client
ESX Cluster
Containing
Virtual Desktops
1. HTTP(S) – Authentication &
Desktop Selection
2. AJP/JMS Authentication
Security
Server
3. RDP Over HTTPS
4. RDP Un-Tunneled By
Security Server
2
4
1 3
Active Directory
Server
vCenter Connection
Server
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 43
Secure Tunneled Deployment (DMZ) w/ACE
VMware View deployment with Cisco ACE
Most Secure – All traffic encapsulated in SSL. No public exposure of Connection Servers
Requires careful planning, since Security Servers depend on their paired Connection Server
View Client
ESX Cluster
Containing
Virtual Desktops
ACE
1a. Authentication
2a. RDP
2b. RDP
Decrypted
2c. RDP Brokered
Security
Servers
1b. Authentication
Decrypted
1c. Authentication
Proxied
Connection
Servers
ACE for Microsoft Exchange
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 46
Application Solutions Validated with ACE
Comprehensive set of validated ACE solutions
This design guide presents an end-to-end solution architecture that demonstrates how enterprises can virtualize their Exchange 2010 environment on Cisco Unified Computing System
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/hypervexchange.html
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 47
Understanding Exchange Architecture
Mid
dle
Ti
er Exchange
Biz Logic
Mai
lbo
x MAPI RPC
Store
Exchange Components
OWA
Sync UM
Transport Agents
Mailbox Agents
WS
Entourage
Outlook / MAPI clients
DAV
Exchange 2007
Mid
dle
Ti
er
MAPI, RFR &
NSPI RPC
Exchange Core Biz Logic
Exchange Biz Logic
Mai
lbo
x
MAPI RPC
Store
Exchange Components
OWA
Sync UM
Transport Agents
Mailbox Agents
WS
Outlook / MAPI clients
Entourage
Exchange 2010
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 48
Exchange 2010 Middle Tier
New services in Exchange Server 2010 that reside on CAS
- Restrict all Outlook data access to a single common path by migrating Mailbox and Directory endpoints to CAS
What it handles:
- Outlook data connections go to RPC Client Access Service on CAS instead of connecting to Mailbox servers
- Address Book Service on CAS replaces DSProxy interface, handles all Outlook Directory connections
- Public folder connections connect directly to the Mailbox server, but through RPC Client Access Service running on backend
MB
Exchange CAS Array
Outlook Clients
GC
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 49
Exchange 2010 ACE Load Balancing OWA
ACE can provide the following benefits:
Additional Data Centre Security using ACL
Layer 7 load balancing between server with HTTP Cookie session persistence
SSL termination
Health monitoring check Client Access Server status
HTTP to HTTPS Server Redirection
Possible TCP multiplexing and HTTP Compression
Access
Switch ACE
Microsoft
Active Directory
Outlook Web
Access (OWA)
Microsoft
Exchange CAS
Servers
Internet
Mailbox Server
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 50
Preventing Protocol Change to HTTP
SSL Connection
Attempt
Leaving the SSL
Domain
Not a Secure
Connection
HTTP/1.1 200 OK
Date: Tue, 12 Apr 2005 13:59:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Content-Length: 1164
<!--Copyright (c) 2000-2003 Microsoft Corporation. All rights reserved.-->
<!--CURRENT FILE== "IE5" "WIN32" frameset -->
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=utf-8">
<TITLE>Microsoft Outlook Web Access</TITLE>
<BASE href="http://example.com/exchange/highroller/">
</HEAD> Incorrectly (Insecure) Formatted Protocol
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 51
Preventing Protocol Change to HTTP
The CAS role is aware of the SSL-offload functionality of the ACE. To configure support for SSL-offloading on a CAS role, refer to: http://technet.microsoft.com/en-us/library/bb885060.aspx
Change Value data, type 1
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 52
Exchange 2010 ACE Load Balancing Outlook Anywhere
ACE can provide the following benefits:
Additional Data Centre Security using ACL
Load balancing using the HTTP header-value "MSRPC―
Session persistence based on SOURCE-IP or http-header Authorization
SSL termination
Health monitoring check Client Access Server status
Access
Switch ACE
Microsoft
Active Directory
Outlook Anywhere
Microsoft
Exchange CAS
Servers
Internet
Mailbox Server
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 53
Outlook Anywhere Over HTTP
RPC_IN_DATA /rpc/rpcproxy.dll?exch-ace-tme.com:6004
HTTP/1.1
Accept: application/rpc
User-Agent: MSRPC
Host: exch-ace-tme.com
Content-Length: 1073741824
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Authorization: Basic Q0xJRU5UXG1kaXR0bWVyOmZvbw==
When using NTLM it is believed the hash value could change. Therefore you cannot use the Authorization header for session persistence. You will need to use source-ip stickiness
If ACE can use the User-Agent: MSRPC HTTP header to detect RPC over HTTP
This enables you to use the same VIP for OWA and Outlook Anywhere, therefore saving address space
ACE can use the Basic Authorization header for session persistence. This eliminates you having to use SOURCE-IP stickiness
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 54
Combined Outlook Anywhere and OWA ACE Configuration Health Checking
probe http msExchange02-probe-1
interval 60
passdetect interval 60
passdetect count 2
request method get url /exchweb/bin/auth/owalogon.asp
expect status 400 404
open 10
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 55
Combined Outlook Anywhere and OWA ACE Configuration CAS Server Farm and Session Persistence
serverfarm host msExchange02
failaction purge
predictor leastconns
probe msExchange02-probe-1
rserver 192.168.11.58 80
inservice
rserver 192.168.11.59 80
inservice
rserver 192.168.11.60 80
inservice
sticky http-header Authorization msExchange02-OutlookRPC
replicate sticky
serverfarm msExchange02
sticky http-cookie sessionid msExchange02-OutlookSession
replicate sticky
serverfarm msExchange02
policy-map type loadbalance first-match msExchange02_https-l7slb
class msExchange02-cond
sticky-serverfarm msExchange02-OutlookRPC
class class-default
sticky-serverfarm msExchange02-OutlookSession
Load Balance on User-Agent Header for Outlook Anywhere
class-map type http loadbalance match-any msExchange02-cond
description RPC
2 match http header User-Agent header-value "MSRPC"
Persist on Authorization Header for Outlook Anywhere
Persist on sessionID Header for OWA
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 56
ACE Load Balancing Exchange 2010 Clients (MAPI-RPC)
ACE can provide the following benefits:
Additional Data Centre Security using ACL
Load balancing MAPI-RPC using least-conns predictor
Session persistence based on SOURCE-IP
Access
Switch ACE
Microsoft
Active Directory
Exchange 2010
Client
Microsoft
Exchange CAS
Servers
Internet
Mailbox Server
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 57
MAPI-RPC ACE Configuration
class-map match-all msExchange02_other
2 match virtual-address 192.168.10.105 any
serverfarm host msExchange02-others
failaction purge
predictor leastconns
rserver 192.168.11.58
inservice
rserver 192.168.11.59
inservice
rserver 192.168.11.60
inservice
sticky ip-netmask 255.255.255.255 address source MAPI-RPC-SRC-IP
replicate sticky
serverfarm msExchange02-others
policy-map type loadbalance first-match msExchange02_other-l7slb
class class-default
sticky-serverfarm MAPI-RPC-SRC-IP
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 58
Simplifying All of the Above with ANM 5.1 Application Templates
Only Required to Provide:
VIP IP
CAS IP Addresses
SSL Cert/Key Location
NAT Required?
ANM Does the rest!
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 59
Simplifying All of the Above with ANM 5.1 Application Templates
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 60
access-list vip-acl remark Created to permit IP traffic to VIP.
access-list vip-acl line 50 extended permit ip any host 192.168.10.105
script file name CITRIX_XML_BROKER_PROBE
script file name CITRIX_XML_BROKER_PROBE_3DES_SHA
probe http msExchange02-probe-1
interval 60
passdetect interval 60
passdetect count 2
request method get url /exchweb/bin/auth/owalogon.asp
expect status 400 404
open 10
rserver host 192.168.11.58
ip address 192.168.11.58
inservice
rserver host 192.168.11.59
ip address 192.168.11.59
inservice
rserver host 192.168.11.60
ip address 192.168.11.60
inservice
rserver redirect msExchange02_http
webhost-redirection https://%H/owa 302
inservice
serverfarm host msExchange02
failaction purge
predictor leastconns
probe msExchange02-probe-1
rserver 192.168.11.58 80
inservice
rserver 192.168.11.59 80
inservice
rserver 192.168.11.60 80
inservice
serverfarm host msExchange02-others
failaction purge
predictor leastconns
rserver 192.168.11.58
inservice
rserver 192.168.11.59
inservice
rserver 192.168.11.60
inservice
serverfarm redirect msExchange02_redir
failaction purge
rserver msExchange02_http
inservice
sticky http-header Authorization msExchange02-OutlookRPC
replicate sticky
serverfarm msExchange02
sticky http-cookie sessionid msExchange02-OutlookSession
replicate sticky
serverfarm msExchange02
sticky ip-netmask 255.255.255.255 address source MAPI-
RPC-SRC-IP
replicate sticky
serverfarm msExchange02-others
ssl-proxy service msExchange02-termination
key msExchange02-msExch02key.pem
cert msExchange02-msExch02cert.pem
class-map type http loadbalance match-any msExchange02-cond
description RPC
2 match http header User-Agent header-value "MSRPC"
class-map match-all msExchange02_http
2 match virtual-address 192.168.10.105 tcp eq www
class-map match-all msExchange02_https
2 match virtual-address 192.168.10.105 tcp eq https
class-map match-all msExchange02_other
2 match virtual-address 192.168.10.105 any
policy-map type loadbalance first-match msExchange02_http-l7slb
class class-default
serverfarm msExchange02_redir
policy-map type loadbalance first-match msExchange02_https-l7slb
class msExchange02-cond
sticky-serverfarm msExchange02-OutlookRPC
class class-default
sticky-serverfarm msExchange02-OutlookSession
policy-map type loadbalance first-match msExchange02_other-l7slb
class class-default
sticky-serverfarm MAPI-RPC-SRC-IP
policy-map multi-match int10
class msExchange02_http
loadbalance vip inservice
loadbalance policy msExchange02_http-l7slb
class msExchange02_https
loadbalance vip inservice
loadbalance policy msExchange02_https-l7slb
nat dynamic 1 vlan 11
ssl-proxy server msExchange02-termination
class msExchange02_other
loadbalance vip inservice
loadbalance policy msExchange02_other-l7slb
nat dynamic 1 vlan 11
interface vlan 10
ip address 192.168.10.254 255.255.255.0
access-group input vip-acl
service-policy input int10
no shutdown
ACE Configuration Created by ANM 5.1 System Template
Microsoft SharePoint 2010 with ACE
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 62
What Is Microsoft SharePoint Server 2010?
Microsoft SharePoint Server 2010 is a portal-based collaboration platform for creating, managing and sharing documents and Web services
SharePoint 2010 enables users to create "Sharepoint Portals" that include shared workspaces, applications, blogs, wikis and other documents accessible through a Web browser
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 63
Logical Architecture
A SharePoint 2010 Serverfarm is a 3 Tier Architecture, which consists of:
Web Front End Server(s)
Application Server(s)
Database Server(s)
The Web Server role provides Web content to clients.
The Application Server role provides SharePoint 2010 services such as search queries, Office Web Applications and crawling and indexing content
The Database Server stores Content and Configuration information.
Browser Client App
SharePoint
Web Front End
SharePoint
Application Server
Config
DB
Content
DB
Custom
DB
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 64
Minimum Requirements for a SharePoint 2010 Installation
The following components are required for a minimum installation of SharePoint 2010:
SharePoint Server 2010 (This is 64-bit only)
64-bit Windows Server 2008 SP2 or 64-bit Windows Server 2008 R2
64-bit SQL Server 2008 or 64-bit SQL Server 2005
SQL 2005 x64 SP3 CU3
SQL 2008 x64 SP1 CU2
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 65
SharePoint 2010 Topologies
SharePoint Server 2010 can be deployed in a serverfarm environment when hosting a large number of sites, when the best possible performance is required, or if the scalability of a multi-tier topology is needed
A Serverfarm consists of one or more servers dedicated to running the SharePoint Server 2010 application
Serverfarm environments can encompass a wide range of topologies, and can include many servers or as few as two servers
Because a Serverfarm deployment of SharePoint Server 2010 can be complex, Microsoft recommends that you plan your deployment
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 66
Large Topology Considerations
Although Microsoft Windows 2008 Server can provide software-based load balancing, Cisco ACE can offer higher performance
ACE also provides server health monitoring, and TCP connection management and HTTP optimization using HTTP compression and hardware SSL termination
Virtualization within ACE allows a single pair to serve multiple SharePoint applications as well as other Microsoft and non-Microsoft enterprise applications
It is possible to collapse a multi-tier architecture onto a single pair of ACE devices without the need to order and configure additional equipment
Microsoft Exchange 2010
Microsoft SharePoint 2010
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 67
The GSS probes the ACE load balancers to retrieve the Web front-ends health and load information
Based on this information the GSS can load balance the users request to the best available data centre
The GSS then provides user stickiness for all users sequential request
The GSS is authoritative for the WWW. The GSS will only provide a A record if the Web front-ends health is available
Large Topology Considerations
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 68
ACE Load Balancing SharePoint 2010 Web Front End Servers
ACE can provide the following benefits:
Additional Data Centre Security using ACL
Layer 4/7 load balancing between Clients and SharePoint WFE servers with session persistence based upon HTTP Cookie insertion
SSL termination
Health monitoring (Including In-Band) for guaranteed service availability
DB
Tier
ACE SharePoint 2010
Users
SP 2010
WFE Servers
SP 2010
App. Servers
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 69
ACE Load Balancing SharePoint 2010 Web Front End Servers
ACE Load Balancing Services
SSL Termination for Portal Traffic
L4 Load Balancing for Application Traffic
In-Band & OOB WFE Server Health Checking
Session Persistence maintained with HTTP Cookie Insertion
ACE SharePoint 2010
User
Microsoft
SharePoint 2010
WFE Servers
HTTPS HTTP
SSL
Termination
In-band Health
Checking
&
OOB Probes
Cookie Insertion
for
Session Persistence
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 70
SharePoint 2010 Portal ACE Configuration probe http msSharePoint01-probe-1
interval 5
passdetect interval 30
expect status 401 401
open 15
rserver host WFE01
ip address 192.168.11.1
inservice
rserver host WFE02
ip address 192.168.11.2
inservice
serverfarm host msSharePoint01-80
failaction purge
predictor leastconns
probe msSharePoint01-probe-1
inband-health check remove 100 reset 500 resume-service 300
rserver WFE01 80
inservice
rserver WFE02 80
inservice
parameter-map type http msSharePoint01-http_params
persistence-rebalance
set content-maxparse-length 8192
Required for Cookie Insertion
on HTTP 1.1 Persistent
Connections
In-Band Health Checking
for Failed HTTP Connections
OOB Health Checking
for Failed WFE Servers
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 71
SharePoint 2010 Portal ACE Configuration
sticky http-cookie SPLB-Port msSharePoint01-WFE-Portal
cookie insert browser-expire
replicate sticky
serverfarm msSharePoint01-80
sticky http-cookie SPLB-WFE msSharePoint01-WFE-Apps
cookie insert browser-expire
replicate sticky
serverfarm msSharePoint01
policy-map type loadbalance first-match msSharePoint01_https-l7slb
class class-default
compress default-method deflate
sticky-serverfarm msSharePoint01-WFE-Portal
policy-map type loadbalance first-match msSharePoint01_other-l7slb
class class-default
compress default-method deflate
sticky-serverfarm msSharePoint01-WFE-Apps
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 72
Simplifying All of the Above with ANM 5.1 Application Templates
Only Required to Provide:
VIP IP
WFE Server IP Addresses
SSL Cert/Key Location
NAT Required?
ANM Does the rest!
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 73
Simplifying All of the Above with ANM 5.1 Application Templates
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 74
ACE Configuration Created by ANM 5.1 System Template
access-list vip-acl-1 remark Created to permit IP traffic to VIP.
access-list vip-acl-1 line 10 extended permit ip any host 192.168.10.100
probe http msSharePoint01-probe-1
interval 5
passdetect interval 30
expect status 401 401
open 15
probe icmp msSharePoint01-probe-2
interval 2
passdetect interval 60
rserver host 192.168.11.1
ip address 192.168.11.1
inservice
rserver host 192.168.11.2
ip address 192.168.11.2
inservice
rserver host 192.168.11.3
ip address 192.168.11.3
inservice
serverfarm host msSharePoint01
failaction purge
predictor leastconns
probe msSharePoint01-probe-2
inband-health check remove 100 reset 500 resume-service 300
rserver 192.168.11.1
inservice
rserver 192.168.11.2
inservice
rserver 192.168.11.3
inservice
serverfarm host msSharePoint01-80
failaction purge
predictor leastconns
probe msSharePoint01-probe-1
inband-health check remove 100 reset 500 resume-service 300
rserver 192.168.11.1 80
inservice
rserver 192.168.11.2 80
inservice
rserver 192.168.11.3 80
inservice
parameter-map type http msSharePoint01-http_params
persistence-rebalance
set content-maxparse-length 8192
sticky http-cookie SPLB-Port msSharePoint01-WFE-Portal
cookie insert browser-expire
replicate sticky
serverfarm msSharePoint01-80
sticky http-cookie SPLB-WFE msSharePoint01-WFE-Apps
cookie insert browser-expire
replicate sticky
serverfarm msSharePoint01
ssl-proxy service msSharePoint01-termination
key msSharePoint01-msExch02key.pem
cert msSharePoint01-msExch02cert.pem
class-map match-all msSharePoint01_https
2 match virtual-address 192.168.10.100 tcp eq https
class-map match-all msSharePoint01_other
2 match virtual-address 192.168.10.100 any
policy-map type loadbalance first-match msSharePoint01_https-l7slb
class class-default
compress default-method deflate
sticky-serverfarm msSharePoint01-WFE-Portal
policy-map type loadbalance first-match msSharePoint01_other-l7slb
class class-default
compress default-method deflate
sticky-serverfarm msSharePoint01-WFE-Apps
policy-map multi-match int10
class msSharePoint01_https
loadbalance vip inservice
loadbalance policy msSharePoint01_https-l7slb
appl-parameter http advanced-options msSharePoint01-http_params
ssl-proxy server msSharePoint01-termination
class msSharePoint01_other
loadbalance vip inservice
loadbalance policy msSharePoint01_other-l7slb
loadbalance vip icmp-reply active
interface vlan 10
access-group input vip-acl-1
service-policy input int10
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 75
Summary
Load Balancing Today’s Web Application
- Benefits of Traffic Management
- Introduction to ACE
- Design Considerations
- Probes, Persistence, Predictors
- Resources
- SSL
Linking VMware VCenter manager to the ANM 5.1
Deploying VMware View w/Cisco ACE
- VMware View 4.0
Microsoft Deployments
- ACE for Microsoft Exchange 2010
- ACE for Microsoft SharePoint 2010
BRKAAP- 2005
Recommended Reading
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 77
Please complete your Session Survey
Don't forget to complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation
(available from Thursday) to receive your Cisco Live T-shirt
Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite
which can also be accessed through the screens at the Communication Stations
Or use the Cisco Live Mobile App to complete the
surveys from your phone, download the app at
www.ciscolivelondon.com/connect/mobile/app.html
We value your feedback
http://m.cisco.com/mat/cleu12/
1. Scan the QR code
(Go to http://tinyurl.com/qrmelist for QR code reader
software, alternatively type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 78
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2020 79
Thank you.