Radware AppDirector and Juniper Networks Infranet Controller

Implementation Guide

Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089 USA408.745.20001.888 JUNIPERwww.juniper.net

Radware AppDirector and Juniper Networks Infranet Controller Solution Implementation Guide

Part Number: 801007-001 August 2008

Copyright ©2008, Juniper Networks, Inc.2


Table of ContentsSolution Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Radware AppDirector Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Juniper Networks Infranet Controller (IC) Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Juniper Networks Infranet Controller Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Radware AppDirector Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Radware AppDirector and Juniper Networks Infranet Controller Architecture . . . . . . . . . . . . . . . . . . . 6

Radware Benefits for Juniper Networks Infranet Controller Solutions . . . . . . . . . . . . . . . . . . . . . . . . . 7

Radware AppDirector and Juniper Networks Infranet Controller High Availability Interoperability

Tests and Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Tests Conducted for Solution Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Primary AppDirector Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Initial Primary AppDirector Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Farm Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Layer 4 Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Client Network Address Translation Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Adding Servers to the Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Health Monitoring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Binding Health Checks to Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Primary AppDirector VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Backup AppDirector Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Initial Backup AppDirector Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Farm Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Layer 4 Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Client Network Address Translation Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Adding Servers to the Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Health Monitoring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Binding Health Checks to Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Backup AppDirector VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Copyright ©2008, Juniper Networks, Inc. 3


Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

High Availability Design Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Primary Configuration from OnDemand Switch 2 Platform . . . . . . . . . . . . . . . . . . . . . . . . 36

Backup Configuration from OnDemand Switch 2 Platform . . . . . . . . . . . . . . . . . . . . . . . . 44

About Juniper Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

List of FiguresFigure 1 . Juniper Networks Unified Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Figure 2 . Infranet Controller and AppDirector Integration Topology . . . . . . . . . . . . . . . . . . . . . . . . . . 7



Solution OverviewThe Juniper Networks® Infranet Controller and Radware AppDirector joint solution provides a highly available and scalable policy management service solution .

At the heart of the Juniper Networks Unified Access Control (UAC) solution is the Juniper Networks Infranet Controller (IC), a hardened policy management server that uses Juniper’s proven, best-in-class security and access control products . The Infranet Controller can push the UAC agent down to the endpoint to collect user authentication, endpoint security state, and device location information; or, alternatively, it can gather that same information in agentless mode .

As access networks grow and endpoints compete for both internal and external network access resources, the need remains to maintain response times and service availability, to help ensure the best quality of experience for the end user . AppDirector scales the Infranet Controller appliances and manages the health and user session state of Infranet Controller resources, dynamically protecting against session loss and ultimately insulating an access security layer service vital to the safety and successful access to network resources . Figure 1 shows a logical UAC topology including the Infranet Controller as the central policy enforcement manager .

ScopeThis document is intended for end users and technical systems engineers who will be deploying a joint Juniper Networks Infranet Controller – Radware AppDirector solution . This guide provides detailed configuration and setup information for implementing the joint solution .

Design Considerations

Radware AppDirector ProductsSoftware: AppDirector Version 1 .06 .07•

Platform: AppDirector OnDemand Switch 2 (ODS 2) •

Performance: Throughput support from 1 to 4 Gbps with license-based upgrades . OnDemand Switch 2 supports •5 million simultaneous user with a default 2 GB of RAM or 8 million simultaneous users with 4 GB of RAM

Juniper Networks Infranet Controller (IC) ProductsSoftware: Release 2 .1•

Platform: Juniper Networks IC 4000 and 6000•



Figure 1. Juniper Networks Unified Access Control

Access Point

Wireless

AAA ServersIdentity Stores

IEEE802.1X

UAC Agent

Central Policy Manager

Firewalls

ProtectedResources

Endpoint Pro�ling, User Authentication, and Endpoint Policy

Dynamic RoleProvisioning

User Access toProtected Resources

User Admissionto Network

AAA

NS

InfranetController

EnforcementPoints

L2 Switch

EX Series

Juniper Networks Infranet Controller OverviewAfter user or device credentials have been submitted, the Infranet Controller implements a comprehensive AAA engine for seamless deployment into almost all popular AAA settings .

After the credentials have been validated and the endpoint security state established, the Infranet Controller creates and implements a dynamic access policy for each user and session and pushes that policy to enforcement points throughout the network . The enforcement points can include:

Any vendor’s standards-compliant IEEE 802 .1X–enabled switches or access points•

Any Juniper Networks firewall and VPN platform, including the Juniper Networks Integrated Services •Gateway (ISG) with Intrusion Detection and Prevention (IDP) and the Juniper Networks Secure Services Gateway (SSG) secure routing platforms

Both types of products for even greater granularity•

The IC 6000 also integrates the RADIUS processing capabilities of Juniper Networks Steel-Belted Radius (SBR) servers, the de facto standard in RADIUS servers and appliances . This integration lets the IC 6000 support an IEEE 802 .1X transaction over vendor-agnostic, IEEE 802 .1X–enabled switches and access points when an endpoint attempts network access .

The IC 6000 is designed to address the needs of large enterprises, multinational organizations, and government agencies, with the capability to handle up to tens of thousands of concurrent endpoints . The IC 6000 includes a number of high-availability features, including a hot-swappable power supply and hard disk that are both field upgradeable . The IC 6000 can be deployed in multi-unit clusters to increase performance and provide additional scalability .



Radware AppDirector OverviewRadware AppDirector is an intelligent application delivery controller that provides scalability and application-level security for service infrastructure optimization, fault tolerance, and redundancy .

AppDirector combines the power of Radware multi-gigabit application switching hardware with APSolute OS service-smart networking to ensure local and global server availability and accelerated application performance and safeguard services with integrated intrusion prevention and denial of service (DoS) protection for fast, reliable, secure service delivery .

AppDirector uses advanced Layer 4 through 7 policies and granular service intelligence, enabling end-to-end service-smart networking and aligning service infrastructure operations with service front-end requirements to eliminate traffic surges, infrastructure bottlenecks, connectivity disconnects, and downtime for assured service access and full-service continuity and redundancy .

AppDirector enables fine-tuning of service behavior at all critical points, end to end, based on granular service-specific classification of packets to optimize traffic flows for a wide range of services, including support for Hypertext Transfer Protocol (HTTP), HTTP over Secure Sockets Layer (HTTPS), Multipurpose Internet Mail Extensions (MIME), Real-Time Streaming Protocol (RTSP), Simple Mail Transfer Protocol (SMTP), voice over IP (VoIP; Session Initiation Protocol, or SIP), streaming media (Real-Time Transfer Protocol, or RTP), RADIUS, Diameter, and secure Lightweight Directory Access Protocol (LDAP) applications .

AppDirector lets you get the most out of your service investments by maximizing the utilization of service infrastructure resources and enabling seamless consolidation and high scalability . Make your network adaptive and more responsive to your dynamic services and business needs with AppDirector fully integrated traffic classification and flow management, health monitoring and failure bypassing, traffic redirection, bandwidth management, intrusion prevention, and DoS protection .

For more information, please visit http://www .radware .com/ .

Radware AppDirector and Juniper Networks Infranet Controller ArchitectureThe AppDirector and Infranet Controller solution is designed to provide a highly scalable and highly available subsystem for deploying policy management infrastructure . The IC 6000 appliances are configured in an active-active cluster, with individual components queried for service availability by AppDirector . Using this important health monitoring information, AppDirector can calculate availability, and using existing load information, AppDirector can provide highly granular load distribution across Infranet Controller appliances . AppDirector maintains client sessions for persistency and works in conjunction with Infranet Controller state replication logic to ensure session survivability through Infranet Controller failover events . Together the two components help ensure zero loss of connectivity, offering a best-in-class solution . Figure 2 shows the high-availability architecture .



Figure 2. Infranet Controller and AppDirector Integration Topology

Network

IC 6000

Switch

Switch

Switch

AppDirector

AppDirector

IC C

lust

er A

.12

Cluster A10.0.0.12-14

10.0.0.10–Main VIPTCP 80, 443UDP 1812-13, 1645-6

Switch 110.0.0.5

Switch 210.0.0.6

AppDirector_AMGM: 192.168.3.195/24IP: 10.0.0.3/24

AppDirector_BMGM: 192.168.3.196/24IP: 10.0.0.4/24

IC 6000.13

IC 6000.14

IC 6000

IC C

lust

er B

.22

Cluster B10.0.0.22-24

IC 6000.23

IC 6000.24 VRRP

STRM

Radware Benefits for Juniper Networks Infranet Controller SolutionsJuniper and Radware have conducted complete interoperability testing and developed integrated solutions using the Radware AppDirector and Juniper Networks Infranet Controller products . This strong interoperability and integration provides a solution that delivers industry-leading scalability, security, and performance for those deploying policy management (UAC) solutions .

Radware AppDirector and Juniper Networks Infranet Controller High Availability Interoperability Tests and Configurations

This section describes the interoperability tests performed and presents the steps for configuring AppDirector . There are separate configuration steps to be taken on the primary (active) and backup AppDirector devices, so the configuration discussion is divided into two parts: one for the primary device, and one for the backup device .



Tests Conducted for Solution ValidationThe tests listed in Table 1 were conducted to ensure that the most appropriate solution was defined and validated . All tests were successfully completed using the AppDirector configurations that follow Table 1 .

Table 1. Tests Conducted for Solution Validation

Test Case Description

AppDirector: Virtual IP and service farm

Verify that the virtual IP address and service farm defined in the load balancer work as expected.

AppDirector: Dispatch algorithm

Verify that a new request follows the least connection policy (configured dispatch method).

AppDirector: Persistency or session affinity

Verify that the user agent connection stays with the same sever and maintains the selected server throughout the life of a session.

AppDirector high availability: Master failover

Verify that the load balancer high-availability setting prevents a single point of failure (SPOF) and that VRRP fails over properly.

AppDirector high availability: Backup assuming master Virtual Router Redundancy Protocol (VRRP) role

Verify that the load balancer maintains a client’s sessions during a failover event. This validates the state replication logic between AppDirector controllers, ensuring session survivability through failover.

AppDirector high availability: Master failback

Verify that Infranet Controller clients maintain connectivity and that VRRP role exchange occurs as expected.

Infranet Controller cluster: Failover

Verify that AppDirector detects Infranet Controller failure and dynamically manages new requests and reconnections to the available Juniper Networks Secure Access (SA) appliances.

Infranet Controller cluster: New service

Verify that AppDirector detects new Infranet Controller service elements without affecting existing sessions.

Primary AppDirector ConfigurationThis section details the step-by-step AppDirector configuration process, using the Web-based management GUI, for creating the Juniper Networks Infranet Controller and Radware AppDirector high-availability subsystem . Refer to Figure 2 for topology and addressing information .

Initial Primary AppDirector ConfigurationUsing a serial cable and a terminal emulation program, connect to AppDirector .1 .

The default console port settings are:

Bits per Second: 19200•

Data Bits: 8•

Parity: None•

Stop Bits: 1•

Flow Control: None•

Enter the following command to assign management IP address 192 .168 .3 .195 / 24 to interface 17 2 . (dedicated management interface) of AppDirector:

net ip-interface create 192.168.3.195 255.255.255.0 17

Note: Connectivity to AppDirector can be established at this time if the client resides on the same management subnet .

Enter the following command to assign IP address 10 .0 .0 .3/ 24 to interface 1 (production traffic 3 . connectivity) of AppDirector:




Enter the following command to create a default gateway route entry on AppDirector pointing to 10 .0 .0 .1:4 .

net route table create 0.0.0.0 0.0.0.0 10.0.0.1 -i 1

Using a browser, connect to the management IP address of AppDirector (192 .168 .3 .195) via HTTP or 5 . HTTPS . The default username and password are radware and radware .

Failure to establish a connection may be due to the following:

Incorrect IP address in the browser•

Incorrect IP address or default route configuration in AppDirector•

Failure to enable Web-based management or secure Web-based management in AppDirector•

If AppDirector can be successfully pinged, attempt to connect to it via Telnet or SSH . If the pinging or the Telnet or SSH connection is unsuccessful, reconnect to AppDirector via its console port . After you are connected, verify and correct the AppDirector configuration as needed .1

Farm ConfigurationFrom the menu, choose 1 . AppDirector > Farms > Farm Table to display the Farm Table page .

Click the 2 . Create button .

On the 3 . Farm Table Create page, enter the necessary parameters as shown here .

Click the 4 . Set button to save the parameters .


1To enable Web-based management from the console command-line interface, enter manage web status set enable .



On the 6 . Farm Table Create page, enter the necessary parameters as shown here .2

Click the 7 . Set button to save parameters .


On the 9 . Farm Table Create page, enter the necessary parameters as shown here:


Verify that the new entry was created on the11 . Farm Table page .

2Throughout this guide, items circled in red indicate settings that need to be entered or changed . Items not circled should be left at the default settings .



Layer 4 Policy ConfigurationFrom the menu, choose 1 . AppDirector > Layer 4 Farm Selection > Layer 4 Policy Table to display the Layer 4 policy table .

Note: In the design presented here, three virtual IP addresses are used to represent three farms:

Virtual IP Farm Ports in Use

10.0.0.10 MainCluster TCP: 80, 443, 11122 UDP: 1645, 1646, 1812, 1813

10.0.0.11 ClusterA TCP: 80, 443, 11122 UDP: 1645, 1646, 1812, 1813

10.0.0.21 ClusterB TCP: 80, 443, 11122 UDP: 1645, 1646, 1812, 1813

When you specify port values in the Layer 4 policy table, an access list is automatically created for undefined values .


On the 3 . Layer 4 Policy Table Create page, enter the necessary parameters as shown here .

Note: This Layer 4 policy is for the main cluster HTTP traffic .

Click the4 . Set button to save the parameters .

On the 5 . Layer 4 Policy Table page, click the Create button .




Note: This Layer 4 policy is for main cluster HTTPS traffic .




Note: This Layer 4 policy is for main cluster Infranet Controller communication traffic .












Verify that the new entries were created on the 23 . Layer 4 Policy Table page; your table should be similar to the one shown here .



Note: Repeat the Layer 4 policy definition process shown at the beginning of this section for both Cluster A and Cluster B virtual IP and port definitions . The policy definition values are the same as for the main cluster, so you can use the command-line interface (CLI) configuration file statements for the Layer 4 policies created so far and the same logic, adding the clusters and changing the Layer 4 policy name, virtual IP, and farm name . The Layer 4 policy definitions created above can be seen in the appendix . The new Layer 4 policy statements can be appended to the existing configuration file by choosing File > Configuration > Send to Device .

Client Network Address Translation ConfigurationFrom the menu, choose 1 . AppDirector > NAT > Client NAT to display the Client NAT Global Parameters page .

On the 2 . Client NAT Global Parameters page, change the parameters as shown here .


Click the4 . Client NAT Intercept Table hyperlink at the top of the configuration window .

Click the5 . Create button .

On the 6 . Client NAT Intercept Table Create page, enter the necessary parameters as shown here .




Click the 8 . Client NAT Address Table hyperlink at the top of the configuration window .


On the 10 . Client NAT Address Table Create page, enter the necessary parameters as shown here .


From the menu, choose12 . AppDirector > Farms > Farm Table to display the Farm Table page .

Click the 13 . Extended Farm Parameters hyperlink near the top of the page .

On the 14 . Extended Farm Parameters page, click the MainCluster farm name and enter the necessary parameters as shown here .


On the 16 . Extended Farm Parameters page, click the ClusterA farm name and enter the necessary parameters as shown here .




On the 18 . Extended Farm Parameters page, click the ClusterB farm name and enter the necessary parameters as shown here .


Adding Servers to the FarmFrom the menu, choose 1 . AppDirector > Servers > Application Servers to display the Server Table page .

On the 2 . Server Table page, click the Create button .

On the 3 . Server Table Create page, enter the necessary parameters as shown here .


Create the second server using the information shown here .5 .




Create the third server using the information shown here .7 .




Create the fourth server using the information shown here .9 .


Create the fifth server using the information shown here .11 .




Create the sixth server using the information shown here .13 .


Note: Repeat the server-to-farm mapping policy definitions for both Cluster A and Cluster B . Notice from the mapping following table that Cluster A and B have only half the servers defined for the main cluster .

In the design presented here, three farms are mapped to six servers in the following way:

Farm Servers

MainCluster 12, 13, 14 and 22, 23, 24

ClusterA 12, 13, 14

ClusterB 22, 23, 24

Health Monitoring ConfigurationFrom the menu, choose 1 . Health Monitoring > Global Parameters to display the Health Monitoring Global Parameters page .

On the 2 . Health Monitoring Global Parameters page, change the parameters as shown here .




From the menu, choose 4 . Health Monitoring > Check Table to display the Health Monitoring Check Table page .

To create the health monitoring check for the first server, click the 5 . Create button .

On the 6 . HM Check Table Create page, enter the necessary parameters as shown here .


To create the health monitoring second check for Server 12, click the 8 . Create button .





Click the Create button .11 .









On the18 . HM Check Table Create page, enter the necessary parameters as shown here .



On the21 . HM Check Table Create page, enter the necessary parameters as shown here .


Note: Repeat the health check definitions for Servers 13, 14, 22, 23, and 24 . The policy values for the individual service checks are the same as the Server 12 entries . You can also use the CLI configuration file statements for the health check policies created so far and the same logic, adding the servers and making changes to their IP and server names . The health check server definitions presented here can be seen in the primary configuration file in the appendix . The new server statements can be appended to the existing configuration file by choosing File > Configuration > Send to Device .



Binding Health Checks to ServersTo create the health monitoring binding for the first server, from the menu, choose 1 . Health Monitoring > Binding Table to display the Health Monitoring Binding Table page .


On the 3 . HM Binding Table Create page, enter the necessary parameters as shown here .



On the 6 . HM Binding Table Create page, enter the necessary parameters as shown here .


Verify that the new entry was created on the 8 . Health Monitoring Table page .



Note: Repeat the health check binding definitions for all ports defined on all the remaining servers: Servers 12, 13, 14, 22, 23, and 24 . Notice that each server port value maps to two farms according to the following table .

Farm Servers

MainCluster 12, 13, 14 and 22, 23, 24

ClusterA 12, 13, 14

ClusterB 22, 23, 24

The remaining health service check values for Server 12 follow the same binding logic as those created here, as do all port checks for Servers 13 and 14 . Servers 22, 23, and 24 map to both the main cluster and Cluster B farms . You can also to use the CLI configuration file statements for the health check policies created so far and the same logic, adding the check bindings by making changes to the check name and the logic farm and server mappings . The health check server definitions presented here can be seen in the primary configuration file in the appendix . The new server statements can be appended to the existing configuration file by choosing File > Configuration > Send to Device .

Primary AppDirector VRRP ConfigurationNote: Radware offers two means of redundancy and failover between pairs of devices: proprietary and VRRP . Since VRRP is the more commonly used method within the industry, this section presents the steps to configure both AppDirector devices using that method .

From the menu, choose 1 . AppDirector > Redundancy > Global Configuration and set the parameters as shown here .

Click the 2 . Set button to save these changes .

Choose 3 . AppDirector > Redundancy > VRRP > Virtual Routers and create a new entry .




Choose 5 . AppDirector > Redundancy > VRRP > Associated IP Addresses and create a new entry .

Click the 6 . Set button to save the parameters . You should have a single entry in the Associated IP Addresses table, as shown here .

Create a second entry in the 7 . Associated IP Addresses table as shown here .

This is the main cluster virtual IP address .


Create another entry in the 9 . Associated IP Addresses table as shown here .



This is the Cluster A virtual IP address .


Create another entry in the 11 . Associated IP Addresses table as shown here .

This is the Cluster B virtual IP address .


Create another entry in the13 . Associated IP Addresses table as shown here .

This is the client NAT IP address .

Click the 14 . Set button to save the parameters . The Associated IP Addresses table should now contain five entries, as shown here .



Choose 15 . AppDirector > Redundancy > VRRP > Virtual Routers and click the link to If Index F-1 as shown here .

Change 16 . Admin Status to up, but leave all other settings unchanged as shown here .


On the 18 . Virtual Router Table page, verify that the State setting for this virtual router is master as shown here .



Choose 19 . AppDirector > Redundancy > Mirroring > Active Device Parameters and set the Client Table Mirroring status to enable as shown here .


Choose 21 . AppDirector > Redundancy > Mirroring > Mirror Device Parameters and create a new entry as shown here .

This sets the backup AppDirector target address used for mirror traffic .


This completes configuration of the primary AppDirector .



Backup AppDirector ConfigurationThe overall configuration of a backup AppDirector is almost identical in many ways to that of the primary (active) device . There are, however, several important differences, which are noted throughout these steps .

Initial Backup AppDirector ConfigurationUsing a serial cable and a terminal emulation program, connect to AppDirector .1 .

The default console port settings are:

Bits per Second: 19200•

Data Bits: 8•

Parity: None•

Stop Bits: 1•

Flow Control: None•

Enter the following command to assign management IP address 192 .168 .3 .196 / 24 to interface 17 2 . (dedicated management interface) of AppDirector:


Note: Connectivity to AppDirector can be established at this time if the client resides on the same management subnet .

Enter the following command to assign IP address 10 .0 .0 .4 / 24 to interface 1 (production traffic 3 . connectivity) of AppDirector:


Enter the following command to create a default gateway route entry on AppDirector pointing to 10 .0 .0 .1:4 .


Using a browser, connect to the management IP address of the backup AppDirector (192 .168 .3 .196) via 5 . HTTP or HTTPS . The default username and password are radware and radware .

Farm ConfigurationThe farm configuration is identical to that for the primary AppDirector . Please refer to the corresponding section for specific instructions .

Layer 4 Policy ConfigurationThe Layer 4 policy configuration is the same as for the primary AppDirector with one exception: Each 1 . Layer 4 policy should be configured with a Redundancy Status value of Backup . Here is the additional switch value required on the primary AD L4 policy CLI statements if desired for upload .

Here is the original Layer 4 policy for the primary device:

appdirector l4-policy table create 10.0.0.10 TCP 80 0.0.0.0 MainVIP-80 \ -fn MainCluster -ta HTTP

To use the statement for the backup device, change it as shown here in bold:

appdirector l4-policy table create 10.0.0.10 TCP 80 0.0.0.0 MainVIP-80 \ -fn MainCluster -ta HTTP -rs Backup

Note: In the design presented here, three virtual IP addresses are used to represent three farms:

Virtual IP Farm Ports in Use

10.0.0.10 MainCluster TCP: 80, 443, 11122 UDP: 1645, 1646, 1812, 1813

10.0.0.11 ClusterA TCP: 80, 443, 11122 UDP: 1645, 1646, 1812, 1813

10.0.0.21 ClusterB TCP: 80, 443, 11122 UDP: 1645, 1646, 1812, 1813

When you specify port values in the Layer 4 policy table, an access list is automatically created for undefined values .



Please refer to the primary AppDirector Layer 4 policy configuration instructions, keeping in mind that 2 . redundancy mode must be changed to Backup . Here is an example of the first policy in Backup status: Choose AppDirector > Layer 4 Farm Selection > Layer 4 Policy Table and create a new entry as shown here .

Note: The redundancy status for this farm has been set to Backup .

Client Network Address Translation ConfigurationThe client NAT configuration is identical to that for the primary AppDirector . Please refer to the corresponding section for specific instructions .

Adding Servers to the FarmThe server table configuration is identical to that for the primary AppDirector . Please refer to the corresponding section for specific instructions .

Health Monitoring ConfigurationThe health monitoring and check table configurations are identical to those for the primary AppDirector . Please refer to the corresponding section for specific instructions .

Binding Health Checks to ServersThe health monitoring binding table configuration is identical to that for the primary AppDirector . Please refer to the corresponding section for specific instructions .

Backup AppDirector VRRP ConfigurationOn the Backup AppDirector, choose1 . AppDirector > Redundancy > Global Configuration and change the settings shown here .




Choose 3 . AppDirector > Redundancy > VRRP > Virtual Routers and create a new entry as shown here .

Note: The priority on the backup AppDirector is set to 100; on the primary device, this value was set to 255 . The device with the higher priority will be the master of this virtual router .


Choose 5 . AppDirector > Redundancy > VRRP > Associated IP Addresses and create a new entry as shown here .

Create a second entry in the Associated IP Addresses table as shown here .6 .

This is the main cluster virtual IP address .


Create another entry in the Associated IP Addresses table as shown here .8 .



This is the Cluster A virtual IP address .



This is the Cluster B virtual IP address .



This is the client NAT IP address .


Choose 14 . AppDirector > Redundancy > VRRP > Virtual Routers and click the link to If Index F-1 as shown here .



Change 15 . Admin Status to up as shown here .


Verify that the 17 . State setting for the backup device for this virtual router is backup as shown here .

Choose 18 . AppDirector > Redundancy > Mirroring > Backup Device Parameters and set the mirroring status to enable as shown here .


Choose 20 . AppDirector > Redundancy > Mirroring > Mirror Device Parameters and create a new entry as shown here .

This sets the primary AppDirector target address used for mirror traffic .


This concludes the configuration of the backup AppDirector and the local high-availability solution . See the appendix for the actual configurations .



SummaryAs access networks grow and endpoints compete for both internal and external network access resources, enterprises need to maintain security, response times and service availability to ensure the best quality experience for end users . The Juniper Networks Infranet Controller-Radware AppDirector joint solution provides a highly available and scalable policy management service that does just that . The IC pushes the UAC agent down to the endpoint to collect user authentication, endpoint security state and device location information, or it can gather that same information in agentless mode . Radware AppDirector provides scalability and application-level security for service infrastructure optimization, fault tolerance and redundancy --ensuring local and global server availability and accelerated application performance while safeguarding services with integrated intrusion prevention and denial of service (DoS) protection . Together, the two components offer a best-in-class solution that helps enterprises get the most out of their infrastructure investments by maximizing the utilization and performance of their service resources .



Appendix

High Availability Design Configurations

Primary Configuration from OnDemand Switch 2 Platform

!Device Configuration

!Date: 01-04-2008 22:53:46

!DeviceDescription: AppDirector Global

!Base MAC Address: 00:03:b2:3d:38:c0

!Software Version: 1.06.07 (Build date Feb 13 2008, 23:50:02,Build#50)

!APSolute OS Version: 10.31-01.01(26):2.06.06

!

manage snmp versions-after-reset set “v1 & v2c & v3”




redundancy mode set VRRP

appdirector farm table setCreate MainCluster -as Enabled -dm “Fewest Number of Users” -cm “No Checks”

appdirector farm table setCreate ClusterA -as Enabled -dm “Fewest Number of Users” -cm “No Checks”

appdirector farm table setCreate ClusterB -as Enabled -dm “Fewest Number of Users” -cm “No Checks”

appdirector farm server table create MainCluster 10.0.0.12 None -sn \

Server-12 -id 1 -rt 0.0.0.0 -cn Enabled -ba 10.0.0.13








server-23 -id 5 -rt 0.0.0.0 -cn Enabled -ba 10.0.0.24



appdirector farm server table create ClusterA 10.0.0.12 None -sn \








appdirector farm server table create ClusterB 10.0.0.22 None -sn \






redundancy interface-group set enable

redundancy mirror main client-status set enable

redundancy backup-in-vlan set disable

redundancy backup-fake-arp set enable

appdirector farm connectivity-check httpcode setCreate MainCluster \

“200 - OK”

appdirector farm connectivity-check httpcode setCreate ClusterA \

“200 - OK”

appdirector farm connectivity-check httpcode setCreate ClusterB \

“200 - OK”

net next-hop-router setCreate 10.0.0.1 -fl 1

appdirector farm nhr setCreate 0.0.0.0 -ip 10.0.0.1 -fl 1

appdirector farm extended-params set MainCluster -nr 10.0.0.2

appdirector farm extended-params set ClusterA -nr 10.0.0.2

appdirector farm extended-params set ClusterB -nr 10.0.0.2

appdirector nat client address-range setCreate 10.0.0.2 -t 10.0.0.2

appdirector nat client range-to-nat setCreate 0.0.0.0 -t 255.255.255.255

redundancy backup-interface-group set enable

appdirector segmentation nhr-table setCreate DefaultNHR -ip 10.0.0.1 -fl \ 1

appdirector l4-policy table create 10.0.0.10 TCP 80 0.0.0.0 MainVIP-80 \

-fn MainCluster -ta HTTP


-fn MainCluster -ta HTTPS

appdirector l4-policy table create 10.0.0.10 TCP 11122 0.0.0.0 \

MainVIP-11122 -fn MainCluster

appdirector l4-policy table create 10.0.0.10 UDP 1812 0.0.0.0 \











ClusterAVIP-80 -fn ClusterA -ta HTTP


ClusterAVIP-443 -fn ClusterA -ta HTTPS


ClusterAVIP-11122 -fn ClusterA










ClusterBVIP-80 -fn ClusterB -ta HTTP


ClusterBVIP-443 -fn ClusterB -ta HTTPS


ClusterBVIP-11122 -fn ClusterB









appdirector farm dns-persistency-params set MainCluster -gm 0.0.0.0

appdirector farm dns-persistency-params set ClusterA -gm 0.0.0.0

appdirector farm dns-persistency-params set ClusterB -gm 0.0.0.0

redundancy vrrp automated-config-update set Enabled

health-monitoring check create Server12-TCP-80 -id 1 -m “TCP Port” -p 80 \

-i 5 -r 3 -t 3 -d 10.0.0.12

health-monitoring check create Server12-SSL-443 -id 2 -m “SSL Hello” -p \

443 -i 5 -r 3 -t 3 -d 10.0.0.12

health-monitoring check create Server12-TCP-11122 -id 3 -m “TCP Port” -p \

11122 -i 5 -r 3 -t 3 -d 10.0.0.12

health-monitoring check create Server12-Ping-1812 -id 4 -p 1812 -i 5 -r \



3 -t 3 -d 10.0.0.12


3 -t 3 -d 10.0.0.12


3 -t 3 -d 10.0.0.12


3 -t 3 -d 10.0.0.12


-i 5 -r 3 -t 3 -d 10.0.0.13


443 -i 5 -r 3 -t 3 -d 10.0.0.13

health-monitoring check create Server13-TCP-11122 -id 10 -m “TCP Port” \

-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.13


3 -t 3 -d 10.0.0.13


3 -t 3 -d 10.0.0.13


3 -t 3 -d 10.0.0.13


3 -t 3 -d 10.0.0.13


80 -i 5 -r 3 -t 3 -d 10.0.0.14


443 -i 5 -r 3 -t 3 -d 10.0.0.14


-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.14


3 -t 3 -d 10.0.0.14


3 -t 3 -d 10.0.0.14


3 -t 3 -d 10.0.0.14


3 -t 3 -d 10.0.0.14


80 -i 5 -r 3 -t 3 -d 10.0.0.22


443 -i 5 -r 3 -t 3 -d 10.0.0.22




-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.22


3 -t 3 -d 10.0.0.22


3 -t 3 -d 10.0.0.22


3 -t 3 -d 10.0.0.22


3 -t 3 -d 10.0.0.22


80 -i 5 -r 3 -t 3 -d 10.0.0.23


443 -i 5 -r 3 -t 3 -d 10.0.0.23


-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.23


3 -t 3 -d 10.0.0.23


3 -t 3 -d 10.0.0.23


3 -t 3 -d 10.0.0.23


3 -t 3 -d 10.0.0.23


80 -i 5 -r 3 -t 3 -d 10.0.0.24


443 -i 5 -r 3 -t 3 -d 10.0.0.24


-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.24


3 -t 3 -d 10.0.0.24


3 -t 3 -d 10.0.0.24


3 -t 3 -d 10.0.0.24


3 -t 3 -d 10.0.0.24

health-monitoring binding create 1 1








health-monitoring status set enable

redundancy vrrp virtual-routers create 1 1 -as up -p 255 -pip 10.0.0.3

redundancy vrrp associated-ip create 1 1 10.0.0.10





manage user table create radware -pw GndridF04zNWSGOrZjKFV78REiEra/Qm

manage telnet status set enable

manage telnet server-port set 23

manage web status set enable

manage ssh status set enable

manage secure-web status set enable

redundancy arp-interface-group set Send

net l2-interface set 100001 -ad up

redundancy vrrp global-advertise-int set 0

manage snmp groups create SNMPv1 public -gn initial

manage snmp groups create SNMPv1 ReadOnlySecurity -gn InitialReadOnly

manage snmp groups create SNMPv2c public -gn initial

manage snmp groups create SNMPv2c ReadOnlySecurity -gn InitialReadOnly

manage snmp groups create UserBased radware -gn initial

manage snmp groups create UserBased ReadOnlySecurity -gn InitialReadOnly

manage snmp access create initial SNMPv1 noAuthNoPriv -rvn iso -wvn iso \

-nvn iso

manage snmp access create InitialReadOnly SNMPv1 noAuthNoPriv -rvn \

ReadOnlyView

manage snmp access create initial SNMPv2c noAuthNoPriv -rvn iso -wvn iso \

-nvn iso

manage snmp access create InitialReadOnly SNMPv2c noAuthNoPriv -rvn \

ReadOnlyView

manage snmp access create initial UserBased authPriv -rvn iso -wvn iso \

-nvn iso

manage snmp access create InitialReadOnly UserBased authPriv -rvn \

ReadOnlyView



manage snmp views create iso 1

manage snmp views create ReadOnlyView 1

manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.2.7.2 -cm excluded

manage snmp views create ReadOnlyView 1.3.6.1.6.3.18.1.1 -cm excluded


manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.35.1.61 -cm \

excluded




manage snmp notify create allTraps -ta v3Traps

manage snmp users create radware -cf 0.0 -ap MD5 -akc \

27b3b471956b14d758029658921e092e -pp DES -pkc \

27b3b471956b14d758029658921e092e

manage snmp target-address create v3MngStations -tl v3Traps -p \

radware-authPriv

manage snmp target-parameters create public-v1 -d SNMPv1 -sm SNMPv1 -sn \

public -sl noAuthNoPriv

manage snmp target-parameters create public-v2 -d SNMPv2c -sm SNMPv2c \

-sn public -sl noAuthNoPriv

manage snmp target-parameters create radware-authPriv -d SNMPv3 -sm \

UserBased -sn radware -sl authPriv

manage snmp community create public -n public -sn public

manage telnet session-timeout set 120

manage telnet auth-timeout set 30

appdirector global connectivity-check tcp-timeout set 3

!File Signature: 5e329021c901f95404673d9fce626311

Backup Configuration from OnDemand Switch 2 Platform

!Device Configuration

!Date: 01-04-2008 22:53:46

!DeviceDescription: AppDirector Global

!Base MAC Address: 00:03:b2:3d:38:c0

!Software Version: 1.06.07 (Build date Feb 13 2008, 23:50:02,Build#50)

!APSolute OS Version: 10.31-01.01(26):2.06.06

!

manage snmp versions-after-reset set “v1 & v2c & v3”






redundancy mode set VRRP

appdirector farm table setCreate MainCluster -as Enabled -dm “Fewest Number of Users” -cm “No Checks”

appdirector farm table setCreate ClusterA -as Enabled -dm “Fewest Number of Users” -cm “No Checks”

appdirector farm table setCreate ClusterB -as Enabled -dm “Fewest Number of Users” -cm “No Checks”

























redundancy interface-group set enable

redundancy mirror backup status set enable

redundancy mirror address setCreate 10.0.0.3

redundancy backup-fake-arp set enable

appdirector farm connectivity-check httpcode setCreate MainCluster \

“200 - OK”



appdirector farm connectivity-check httpcode setCreate ClusterA \

“200 - OK”

appdirector farm connectivity-check httpcode setCreate ClusterB \

“200 - OK”

net next-hop-router setCreate 10.0.0.1 -fl 1

appdirector farm nhr setCreate 0.0.0.0 -ip 10.0.0.1 -fl 1

appdirector farm extended-params set MainCluster -nr 10.0.0.2

appdirector farm extended-params set ClusterA -nr 10.0.0.2

appdirector farm extended-params set ClusterB -nr 10.0.0.2

appdirector nat client address-range setCreate 10.0.0.2 -t 10.0.0.2

appdirector nat client range-to-nat setCreate 0.0.0.0 -t 255.255.255.255

redundancy backup-interface-group set enable

appdirector segmentation nhr-table setCreate DefaultNHR -ip 10.0.0.1 -fl \ 1


-fn MainCluster -ta HTTP -rs Backup


-fn MainCluster -ta HTTPS -rs Backup


MainVIP-11122 -fn MainCluster -rs Backup










ClusterAVIP-80 -fn ClusterA -ta HTTP -rs Backup


ClusterAVIP-443 -fn ClusterA -ta HTTPS -rs Backup


ClusterAVIP-11122 -fn ClusterA -rs Backup












ClusterBVIP-80 -fn ClusterB -ta HTTP -rs Backup


ClusterBVIP-443 -fn ClusterB -ta HTTPS -rs Backup


ClusterBVIP-11122 -fn ClusterB -rs Backup









appdirector farm dns-persistency-params set MainCluster -gm 0.0.0.0

appdirector farm dns-persistency-params set ClusterA -gm 0.0.0.0

appdirector farm dns-persistency-params set ClusterB -gm 0.0.0.0

redundancy vrrp automated-config-update set Enabled


-i 5 -r 3 -t 3 -d 10.0.0.12


443 -i 5 -r 3 -t 3 -d 10.0.0.12


11122 -i 5 -r 3 -t 3 -d 10.0.0.12


3 -t 3 -d 10.0.0.12


3 -t 3 -d 10.0.0.12


3 -t 3 -d 10.0.0.12


3 -t 3 -d 10.0.0.12


-i 5 -r 3 -t 3 -d 10.0.0.13


443 -i 5 -r 3 -t 3 -d 10.0.0.13


-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.13




3 -t 3 -d 10.0.0.13


3 -t 3 -d 10.0.0.13


3 -t 3 -d 10.0.0.13


3 -t 3 -d 10.0.0.13


80 -i 5 -r 3 -t 3 -d 10.0.0.14


443 -i 5 -r 3 -t 3 -d 10.0.0.14


-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.14


3 -t 3 -d 10.0.0.14


3 -t 3 -d 10.0.0.14


3 -t 3 -d 10.0.0.14


3 -t 3 -d 10.0.0.14


80 -i 5 -r 3 -t 3 -d 10.0.0.22


443 -i 5 -r 3 -t 3 -d 10.0.0.22


-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.22


3 -t 3 -d 10.0.0.22


3 -t 3 -d 10.0.0.22


3 -t 3 -d 10.0.0.22


3 -t 3 -d 10.0.0.22


80 -i 5 -r 3 -t 3 -d 10.0.0.23


443 -i 5 -r 3 -t 3 -d 10.0.0.23




-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.23


3 -t 3 -d 10.0.0.23


3 -t 3 -d 10.0.0.23


3 -t 3 -d 10.0.0.23


3 -t 3 -d 10.0.0.23


80 -i 5 -r 3 -t 3 -d 10.0.0.24


443 -i 5 -r 3 -t 3 -d 10.0.0.24


-p 11122 -i 5 -r 3 -t 3 -d 10.0.0.24


3 -t 3 -d 10.0.0.24


3 -t 3 -d 10.0.0.24


3 -t 3 -d 10.0.0.24


3 -t 3 -d 10.0.0.24
















































health-monitoring status set enable

redundancy vrrp virtual-routers create 1 1 -as up -p 100 -pip 10.0.0.4






manage user table create radware -pw GndridF04zNWSGOrZjKFV78REiEra/Qm

manage telnet status set enable

manage telnet server-port set 23



manage web status set enable

manage ssh status set enable

manage secure-web status set enable

redundancy arp-interface-group set Send

net l2-interface set 100001 -ad up

manage terminal prompt set AppDirector_B

manage snmp groups create SNMPv1 public -gn initial

manage snmp groups create SNMPv1 ReadOnlySecurity -gn InitialReadOnly

manage snmp groups create SNMPv2c public -gn initial

manage snmp groups create SNMPv2c ReadOnlySecurity -gn InitialReadOnly

manage snmp groups create UserBased radware -gn initial

manage snmp groups create UserBased ReadOnlySecurity -gn InitialReadOnly

manage snmp access create initial SNMPv1 noAuthNoPriv -rvn iso -wvn iso \

-nvn iso

manage snmp access create InitialReadOnly SNMPv1 noAuthNoPriv -rvn \

ReadOnlyView

manage snmp access create initial SNMPv2c noAuthNoPriv -rvn iso -wvn iso \

-nvn iso

manage snmp access create InitialReadOnly SNMPv2c noAuthNoPriv -rvn \

ReadOnlyView

manage snmp access create initial UserBased authPriv -rvn iso -wvn iso \

-nvn iso

manage snmp access create InitialReadOnly UserBased authPriv -rvn \

ReadOnlyView

manage snmp views create iso 1

manage snmp views create ReadOnlyView 1




manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.35.1.61 -cm \

excluded




manage snmp notify create allTraps -ta v3Traps

manage snmp users create radware -cf 0.0 -ap MD5 -akc \

27b3b471956b14d758029658921e092e -pp DES -pkc \

27b3b471956b14d758029658921e092e

manage snmp target-address create v3MngStations -tl v3Traps -p \



radware-authPriv

manage snmp target-parameters create public-v1 -d SNMPv1 -sm SNMPv1 -sn \

public -sl noAuthNoPriv

manage snmp target-parameters create public-v2 -d SNMPv2c -sm SNMPv2c \

-sn public -sl noAuthNoPriv

manage snmp target-parameters create radware-authPriv -d SNMPv3 -sm \

UserBased -sn radware -sl authPriv

manage snmp community create public -n public -sn public

manage telnet session-timeout set 120

manage telnet auth-timeout set 30

appdirector global connectivity-check tcp-timeout set 3

!File Signature: 5e329021c901f95404673d9fce626311

54


Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

CORPORATE AND SALES HEADQUARTERS Juniper Networks, Inc. 1194 North Mathilda AvenueSunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or 408.745.2000Fax: 408.745.2100www.juniper.net

EMEA HEADQUARTERSJuniper Networks IrelandAirside Business Park Swords, County Dublin, Ireland Phone: 35.31.8903.600 Fax: 35.31.8903.601

APAC HEADQUARTERSJuniper Networks (Hong Kong)26/F, Cityplaza One1111 King’s RoadTaikoo Shing, Hong Kong Phone: 852.2332.3636Fax: 852.2574.7803

To purchase Juniper Networks solutions, please contact your Juniper Networks sales representative at

1-866-298-6428 or authorized reseller.

About Juniper NetworksJuniper Networks, Inc . is the leader in high-performance networking . Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network . This fuels high-performance businesses . Additional information can be found at www .juniper .net .

Radware AppDirector and Juniper Networks Infranet Controller

Documents

Transcript of Radware AppDirector and Juniper Networks Infranet Controller