
ACE Deployment in an Application Environment

BRKAPP-2020

Follow us on Twitter for real time updates of the event:

@ciscoliveeurope, #CLEUR

Housekeeping

- We value your feedback: don't forget to complete your online session evaluations after each session, and the Overall Conference Evaluation, which will be available online from Thursday
- Visit the World of Solutions and Meet the Engineer
- Visit the Cisco Store to purchase your recommended readings
- Please switch off your mobile phones
- After the event, don't forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
- Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR

BRKAPP-2020

2012 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Agenda

Load Balancing Today's Web Applications
- Benefits of Traffic Management
- Introduction to ACE
- Design Considerations
- Probes, Persistence, Predictors
- Resources
- SSL

Linking VMware vCenter manager to the ANM 5.1

Deploying VMware View with Cisco ACE
- VMware View 4.0

Microsoft Deployments
- ACE for Microsoft Exchange 2010
- ACE for Microsoft SharePoint 2010


Load Balancing Today's Web Applications

What are the challenges?
The virtual data center introduces new challenges for load balancers and application management:
- Transition to Virtual Machines (VMs) using VMware and Microsoft Hyper-V technology
- Servers that used to be stand-alone are now VMs
- The virtual data center requires orchestration of the application, the VM server and the switching infrastructure

[Figure: Application Network Manager (5.1)]

Application Delivery Controller


Benefits of Traffic Management - Why an Application Delivery Controller:
- Availability
- Scalability
- Performance
- Security

[Figure: clients (web browser, Outlook remote user, Outlook local user, mobile phone) reach the Client Access Server farm through the Virtual IP on the ACE load balancer]

The Cisco Application Control Engine (ACE) provides validated solutions for Microsoft applications
- Cisco ACE30 Module: 4-16 Gbps
- Cisco ACE 4710: 0.5-4 Gbps

Design Considerations

One-Armed (load balancer not inline)
- Allows direct server access
- Requires source NAT

Routed Mode
- Easy to deploy
- Requires at least two IP subnets
- Servers in a dedicated IP subnet

Bridged Mode
- Easy migration for servers
- Requires one IP subnet
- Recommended for non-LB traffic

Introduction to ACE Load Balancer

Cisco ACE provides many advanced load balancing features which can be applied to meet the challenges of deploying today's applications.

These features include:

1. Access control (permit or deny a request)
2. Management traffic
3. TCP normalization/connection parameters
4. Server load balancing
5. Fix-ups/application inspection
6. Source NAT
7. Destination NAT

Virtual Context Setup

Virtual contexts are virtualized ACEs. Each virtual context has an independent configuration and dedicated resources assigned to it. One context can pull resources from another.

[Figure: two virtual contexts, one for Microsoft Exchange 2010 and one for Microsoft SharePoint 2010, in front of Cisco UCS]

Virtualization of Microsoft Exchange 2010

A separate virtual machine for each of the roles: two Client Access Servers, a Hub Transport server, and four Mailbox servers in a DAG (Database Availability Group)

Basic Load Balancing for ERP Applications

Probes: Is the server active? How can you check?

Predictors: How can you balance the connections?

Persistence: How do you keep the client connected to the same server?

Health Probes
SAP Enterprise Portal

Configuration

Health Checks
Watch the expected status code

NetWeaver Web Administrator

  ACE/dc# telnet 169.145.90.16 50100
  Trying 169.145.90.16...
  Connected to 169.145.90.16.
  Escape character is '^]'.
  GET /nwa HTTP/1.1
  Host: 169.145.90.16

  HTTP/1.1 302 Found
  server: SAP NetWeaver / AS Java 7.1
  content-type: text/html
  location: http://169.145.90.16/webdynpro/dispatcher/sap.com/tc~lm~itsam~co~ui~nwa~local navigation~wd/NWAApp

Probe Defaults

Name                 Description                                                      Min   Max     Default
Interval             Time between successful probes                                   2     65535   120
FailDetect           Number of failed probes before marking as failed                 1     65535   3
PassDetect Interval  Time to send a probe when a server is marked as failed           2     65535   300
PassDetect Count     Number of successful probes before marking the server as passed  1     65535   3
Open                 Time for a successful 3-way handshake                            1     65535   10
Receive              Time for getting a response, i.e. send a GET, wait for a reply   1     65535   10

Probe Configuration Options

To configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail (AND logic), use the fail-on-all command in real server host configuration mode.

  probe http BasicHTTP_02-probe-1
    interval 5
    passdetect interval 5
    request method get url /index.html
    expect status 200 499
    open 10
  probe scripted SQL_USER
    interval 5
    passdetect interval 10
    script SQL_PROBE SQL_User Success 0
  !
  serverfarm host BasicHTTP_02
    failaction purge
    probe BasicHTTP_02-probe-1
    probe SQL_USER
    rserver 192.168.11.1 80
      inservice
    rserver 192.168.11.2 80
      inservice
    rserver 192.168.11.3 80
      inservice
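As an added illustration (not ACE code and not part of the session material), the following Python models the probe counters from the defaults table above together with the OR versus fail-on-all aggregation described here: a probe is marked failed after faildetect consecutive misses, is retried every passdetect interval, and recovers after passdetect count successes; a real server carrying several probes leaves rotation on the first failed probe by default, or only when all of its probes fail with fail-on-all. The probe reply sequence, the server addresses and the probe names reused from the configuration are constructed test data.

```python
"""Model of ACE real-server health probing: faildetect / passdetect
counters, the 'expect status' range check, and OR vs fail-on-all
aggregation. Added example; it is not ACE code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Probe:
    """One probe with the per-server counters the load balancer keeps.
    Defaults are the probe defaults from the table (seconds / counts)."""
    name: str
    interval: int = 120             # time between probes while the server passes
    faildetect: int = 3             # consecutive failures before marking FAILED
    passdetect_interval: int = 300  # probe spacing while the server is FAILED
    passdetect_count: int = 3       # consecutive successes before marking passed
    expect_status: Tuple[int, int] = (200, 200)   # 'expect status <lo> <hi>'
    failed: bool = False
    consecutive_fail: int = 0
    consecutive_pass: int = 0

    def status_ok(self, http_status: Optional[int]) -> bool:
        # None stands for no reply inside the open/receive timeout
        if http_status is None:
            return False
        return self.expect_status[0] <= http_status <= self.expect_status[1]

    def next_interval(self) -> int:
        return self.passdetect_interval if self.failed else self.interval

    def record(self, http_status: Optional[int]) -> str:
        """Feed one probe result; return the probe state afterwards."""
        if self.status_ok(http_status):
            self.consecutive_fail = 0
            self.consecutive_pass += 1
            if self.failed and self.consecutive_pass >= self.passdetect_count:
                self.failed = False
        else:
            self.consecutive_pass = 0
            self.consecutive_fail += 1
            if not self.failed and self.consecutive_fail >= self.faildetect:
                self.failed = True
        return "FAILED" if self.failed else "OPERATIONAL"


@dataclass
class RealServer:
    name: str
    probes: List[Probe]
    fail_on_all: bool = False       # 'fail-on-all' in rserver host config mode

    def state(self) -> str:
        failed = [p.failed for p in self.probes]
        down = all(failed) if self.fail_on_all else any(failed)
        return "FAILED" if down else "OPERATIONAL"


def make_server(name: str, fail_on_all: bool) -> RealServer:
    # the two probes of serverfarm BasicHTTP_02, each server with its own counters
    http = Probe("BasicHTTP_02-probe-1", interval=5, passdetect_interval=5,
                 expect_status=(200, 499))
    sql = Probe("SQL_USER", interval=5, passdetect_interval=10)
    return RealServer(name, [http, sql], fail_on_all)


def demo():
    """Constructed reply sequence for the HTTP probe only: 200, 404 (inside
    200-499, so a pass), then three timeouts. Returns rows of
    (reply, default-server state, fail-on-all-server state)."""
    servers = [make_server("192.168.11.1", False), make_server("192.168.11.2", True)]
    trace = []
    for reply in (200, 404, None, None, None):
        for srv in servers:
            srv.probes[0].record(reply)
        trace.append((reply, servers[0].state(), servers[1].state()))
    return trace


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third timeout takes the default server out of rotation while the fail-on-all server stays OPERATIONAL because its scripted SQL probe never failed; that is the difference the fail-on-all command makes when one probe covers a component that is allowed to be down.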


Predictors - Application Response

Load balancing based on server response time; the response time is calculated over a configured number of samples and supports the following options:

- SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
- SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server
- Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server

Predictors - Application Response

Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.

  serverfarm TCP80-SF
    predictor response app-req-to-resp
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice

  -------------------------------------------connections-----------
     real                  weight state        current    total      failures
  ---+---------------------+------+------------+----------+----------+--------
  rserver: TCP80-SF
     172.16.29.10:0        8      OPERATIONAL  0          239287     32
           max-conns            :           , out-of-rotation count :
           min-conns            :
           conn-rate-limit      :           , out-of-rotation count :
           bandwidth-rate-limit :           , out-of-rotation count :
           retcode out-of-rotation count :
           average response time (usecs) : 228
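The selection rule behind the three response-time options, as an added example rather than ACE code: each real server keeps a sliding window of samples for the configured measurement and the next connection goes to the lowest average, reported in microseconds the way the show output above does. The window size, the flow timestamps and the server names are constructed.

```python
"""Response-time predictor, added example (not ACE code). Each real server
keeps a sliding window of samples for the chosen measurement
(syn-to-synack, syn-to-close or app-req-to-resp); a new connection goes to
the server with the lowest average, in microseconds as 'show serverfarm'
reports it. Window size, flow timestamps and names are constructed."""
from collections import deque

# measurement name -> (start event, end event) in a flow record
MEASUREMENTS = {
    "syn-to-synack": ("t_syn", "t_synack"),     # SYN sent -> SYN-ACK received
    "syn-to-close": ("t_syn", "t_close"),       # SYN sent -> FIN/RST received
    "app-req-to-resp": ("t_req", "t_resp"),     # HTTP request sent -> response received
}


class RealServer:
    def __init__(self, name, samples=8):
        self.name = name
        self.window = deque(maxlen=samples)   # only the last 'samples' values count
        self.operational = True

    def observe(self, flow, measurement):
        start, end = MEASUREMENTS[measurement]
        # timestamps are seconds; keep microseconds like the CLI output
        self.window.append(round((flow[end] - flow[start]) * 1_000_000))

    def average_usecs(self):
        return sum(self.window) // len(self.window) if self.window else 0


def choose(servers):
    """Lowest average response time wins; servers with no samples yet are
    tried first so that every server gets measured; ties fall to the name."""
    candidates = [s for s in servers if s.operational]
    if not candidates:
        return None
    return min(candidates, key=lambda s: (bool(s.window), s.average_usecs(), s.name))


def demo():
    # constructed per-server flow timings (seconds from the SYN)
    timings = {
        "SERVER1": dict(t_syn=0.0, t_synack=0.0002, t_req=0.001, t_resp=0.00125, t_close=0.010),
        "SERVER2": dict(t_syn=0.0, t_synack=0.0001, t_req=0.001, t_resp=0.0018, t_close=0.004),
    }
    picks = {}
    for measurement in MEASUREMENTS:
        farm = [RealServer(name) for name in timings]
        for srv in farm:
            srv.observe(timings[srv.name], measurement)
        picks[measurement] = choose(farm).name
    return picks


if __name__ == "__main__":
    print(demo())
```

With the same two servers the winner changes with the measurement: SERVER2 answers the TCP handshake faster and closes sooner, but SERVER1 answers the HTTP request faster, which is why the option should match what the application actually waits on.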

Session Persistence

When customers visit an e-commerce site, they usually start out by browsing the site. Depending on the application, the site may require that the client become "stuck" to one server once the connection is established, or the application may not require this until the client starts to build a shopping cart. This is known as stickiness or session persistence. Prior to ACE 4.X, sticky connections require a resource class to be configured. If you forget, ANM will send you the following message.

Session Persistence Methods

How to Uniquely Identify a Client

Source IP
- How does it work: client = its source IP
- Variation: full IP, masked IP
- Info stored on: LB
- Good for: simplicity
- Caveats: proxies

Cookie
- How does it work: client = a cookie value
- Variation: static, dynamic, insert
- Info stored on: LB
- Good for: flexibility
- Caveats: HTTP only, clear text

SSL ID
- How does it work: client = SSL session ID
- Variation: full SSID, offset
- Info stored on: LB
- Good for: no cookie support
- Caveats: SSL v3 renegotiation

HTTP Redirect
- How does it work: LB redirects to a specific (v)server
- Info stored on: client
- Good for: no state on LB, HTTP only
- Caveats: absolute URLs, bookmarks

RDP
- How does it work: SD (Session Directory); routing token = server IP + port
- Info stored on: LB
- Good for: recovering disconnected WTS sessions
- Caveats: no token, needs to fall back to source IP

SIP
- How does it work: client = session Call-ID
- Info stored on: LB
- Good for: SIP-specific stickiness

GPP
- How does it work: regex matches on TCP and UDP data
- Variation: custom
- Info stored on: LB
- Good for: flexible for custom applications
- Caveats: specific to application

Basic ERP Web Load Balancing

Persistence Options
The configuration shows two different sticky options: HTTP cookie and source IP sticky.

  sticky http-cookie ILIKECOOKIES COOKIESTICKY
    cookie insert
    timeout 720
    serverfarm HTTP-SF
  !
  sticky ip-netmask 255.255.240.0 address source IPSTICKY
    serverfarm HTTPS-SF
  !
  policy-map type loadbalance first-match WEB-PM
    class class-default
      sticky-serverfarm COOKIESTICKY
  policy-map type loadbalance first-match TCP80-PM
    class class-default
      sticky-serverfarm IPSTICKY
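What the two sticky groups above key on, as an added example that is not ACE code: the ip-netmask group stores one entry per masked client prefix, and the cookie-insert group stores one entry per cookie value that the load balancer itself generates, with idle entries re-balanced after the timeout. The round-robin predictor, the client addresses and the cookie values are constructed; the group names, cookie name, netmask and timeout are taken from the configuration.

```python
"""Sticky table model for the two persistence groups configured above,
added example (not ACE code): 'ip-netmask 255.255.240.0 address source'
keys on the masked client address, 'http-cookie ... cookie insert' keys on
a cookie value the load balancer generates and inserts itself. Entries
idle longer than 'timeout' minutes are re-balanced. Addresses, the
round-robin predictor and the cookie values are constructed."""
import ipaddress
import secrets


class StickyGroup:
    def __init__(self, name, serverfarm, timeout_minutes=1440):
        self.name = name
        self.serverfarm = list(serverfarm)
        self.timeout = timeout_minutes * 60     # seconds
        self.table = {}                          # sticky key -> (rserver, last seen)
        self._next = 0

    def _new_server(self):
        # constructed round-robin predictor for clients without a valid entry
        srv = self.serverfarm[self._next % len(self.serverfarm)]
        self._next += 1
        return srv

    def lookup(self, key, now):
        """Return the rserver for a key, re-balancing expired or unknown keys."""
        entry = self.table.get(key)
        if entry is not None and now - entry[1] <= self.timeout:
            srv = entry[0]
        else:
            srv = self._new_server()
        self.table[key] = (srv, now)
        return srv


class SourceIpSticky(StickyGroup):
    def __init__(self, name, serverfarm, netmask, **kw):
        super().__init__(name, serverfarm, **kw)
        self.prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen

    def key(self, client_ip):
        # every client inside the masked prefix shares one table entry
        net = ipaddress.IPv4Network(f"{client_ip}/{self.prefixlen}", strict=False)
        return str(net.network_address)

    def select(self, client_ip, now):
        return self.lookup(self.key(client_ip), now)


class CookieInsertSticky(StickyGroup):
    def __init__(self, name, serverfarm, cookie_name, **kw):
        super().__init__(name, serverfarm, **kw)
        self.cookie_name = cookie_name

    def select(self, cookies, now):
        """cookies: dict parsed from the request's Cookie header.
        Returns (rserver, Set-Cookie header to add to the response or None)."""
        value = cookies.get(self.cookie_name)
        if value in self.table:
            return self.lookup(value, now), None
        value = secrets.token_hex(8)             # unpredictable, reveals no server identity
        return self.lookup(value, now), f"Set-Cookie: {self.cookie_name}={value}"


def demo():
    farm = ["SERVER1", "SERVER2"]
    ip_sticky = SourceIpSticky("IPSTICKY", farm, "255.255.240.0")
    a = ip_sticky.select("10.20.35.7", now=0)
    b = ip_sticky.select("10.20.40.9", now=10)      # same /20 as a
    c = ip_sticky.select("10.20.48.1", now=20)      # different /20
    cookie_sticky = CookieInsertSticky("COOKIESTICKY", farm, "ILIKECOOKIES", timeout_minutes=720)
    s1, set_cookie = cookie_sticky.select({}, now=0)
    value = set_cookie.split("=", 1)[1]
    s2, again = cookie_sticky.select({"ILIKECOOKIES": value}, now=600)
    s3, _ = cookie_sticky.select({"ILIKECOOKIES": value}, now=600 + 721 * 60)
    return {
        "same_prefix_same_server": a == b,
        "other_prefix_other_server": a != c,
        "cookie_reused": s2 == s1 and again is None,
        "expired_rebalanced": s3 != s1,
    }


if __name__ == "__main__":
    print(demo())
```

The masked-IP variant shows the proxy caveat from the persistence table in the other direction: every client behind one /20 lands on the same server, which is what makes source-IP stickiness coarse when many users share an address or prefix.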


Basic ERP Web Load Balancing

  sticky http-cookie ILIKECOOKIES COOKIESTICKY
    cookie insert browser-expire
    serverfarm TCP80-SF
  !
  policy-map type loadbalance first-match HTTP-PM
    class class-default
      sticky-serverfarm COOKIESTICKY
  policy-map multi-match LOADBALANCE
    class HTTP-CM
      loadbalance vip inservice
      loadbalance policy HTTP-P
  interface vlan 2
    ip address 10.10.119.55 255.255.255.0
    access-group input EVERYONE
    service-policy input LOADBALANCE
    service-policy input REMOTE-MGNT
    no shutdown

Basic ERP Web Load Balancing

  class-map match-all TCP80-CM
    2 match virtual-address 10.10.119.112 tcp eq 80
  !
  rserver host SERVER1
    ip address 10.10.119.1
    inservice
  rserver host SERVER2
    ip address 10.10.119.222
    inservice
  probe tcp TCP80-PROBE
    interval 10
    port 80
    passdetect interval 10
    passdetect count 3
  probe http HTTP-PROBE
    interval 20
    passdetect interval 5
    request method get url /index.html
    expect status 200 499
  serverfarm TCP80-SF
    probe TCP80-PROBE
    probe HTTP-PROBE
    predictor leastconns slowstart 200
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
  sticky http-cookie ILIKECOOKIES COOKIESTICKY
    cookie insert browser-expire
    serverfarm TCP80-SF
  !
  policy-map type loadbalance first-match HTTP-PM
    class class-default
      sticky-serverfarm COOKIESTICKY
  policy-map multi-match LOADBALANCE
    class HTTP-CM
      loadbalance vip inservice
      loadbalance policy HTTP-PM
  interface vlan 2
    ip address 10.10.119.55 255.255.255.0
    access-group input EVERYONE
    service-policy input LOADBALANCE
    service-policy input REMOTE-MGNT
    no shutdown

Basic ERP Web Load Balancing

Where's the Cookie? Default Header Parse Length 2K

  parameter-map type http INSENSITIVE
    case-insensitive
    persistence-rebalance
    set header-maxparse-len 8192
  policy-map multi-match LOADBALANCE
    class HTTP-CM
      loadbalance vip inservice
      loadbalance policy SAP-PM
      appl-parameter http advanced-options INSENSITIVE

  switch/SAP-Datacentre# show stats http
  +------------------------------------------+
  +-------------- HTTP statistics -----------+
  +------------------------------------------+
   LB parse result msgs sent      : 151   , TCP data msgs sent       : 152
   Inspect parse result msgs sent : 0     , SSL data msgs sent       : 495
   TCP fin/rst msgs sent          : 8     , Bounced fin/rst msgs sent: 8
   SSL fin/rst msgs sent          : 18    , Unproxy msgs sent        : 14
   Drain msgs sent                : 118   , Particles read           : 1718
   Reuse msgs sent                : 0     , HTTP requests            : 156
   Reproxied requests             : 0     , Headers removed          : 0
   Headers inserted               : 254   , HTTP redirects           : 0
   HTTP chunks                    : 37    , Pipelined requests       : 0
   HTTP unproxy conns             : 14    , Pipeline flushes         : 0
   Whitespace appends             : 0     , Second pass parsing      : 0
   Response entries recycled      : 110   , Analysis errors          : 0
   Header insert errors           : 0     , Max parselen errors      : 3
   Static parse errors            : 0     , Resource errors          : 0
   Invalid path errors            : 0     , Bad HTTP version errors  : 0

URL Parsing

  class-map type http loadbalance match-any URL-MATCHING
    2 match http url .*
  class-map type http loadbalance match-any URL-IMAGE
    2 match http url /image/.*
  class-map match-all HTTP-CM
    2 match virtual-address 172.16.1.73 tcp eq 80
  !
  serverfarm IMAGE-SF
    probe IMAGE-PROBE
    rserver IMAGE1
      inservice
    rserver IMAGE2
      inservice
  serverfarm WEB-SF
    probe WEB-PROBE
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
  !
  sticky http-cookie IMAGE-COOKIES IMAGECOOKIE
    cookie insert browser-expire
    serverfarm IMAGE-SF backup WEB-SF
  sticky http-cookie WEB-COOKIES WEBCOOKIE
    cookie insert browser-expire
    serverfarm WEB-SF
  !
  policy-map type loadbalance first-match HTTP-PM
    class URL-IMAGE
      sticky-serverfarm IMAGECOOKIE
    class URL-MATCHING
      sticky-serverfarm WEBCOOKIE
  policy-map multi-match L4
    class HTTP-CM
      loadbalance vip inservice
      loadbalance policy HTTP-PM
      appl-parameter http advanced-options INSENSITIVE
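An added example, not ACE code, covering the two previous slides: it parses a request only within a bounded header parse length, so that a sticky cookie sitting beyond 2K is never seen until the limit is raised to 8192, and it evaluates the URL class-maps in first-match order so that /image/ requests go to IMAGE-SF and everything else to WEB-SF. The request, its padding cookie and the serverfarm mapping are constructed; the cookie name WEB-COOKIES and the class names come from the configuration above.

```python
"""L7 request classification, added example (not ACE code). It shows two
things from the configuration above: why a sticky cookie placed beyond
the header parse limit is never seen (header-maxparse-len, 2K by default,
raised to 8192 with the parameter-map), and how first-match ordering of
URL class-maps sends /image/ requests to IMAGE-SF and everything else to
WEB-SF. The HTTP request is constructed."""
import re


def parse_headers(raw, maxparse_len=2048):
    """Parse the request line and headers, but only within maxparse_len
    bytes, like a proxy with a bounded parse buffer. Returns
    (method, url, headers, complete); when the header block does not end
    inside the limit, complete is False and the cut-off line is dropped."""
    head = raw[:maxparse_len]
    end = head.find(b"\r\n\r\n")
    complete = end != -1
    lines = head[:end].split(b"\r\n") if complete else head.split(b"\r\n")[:-1]
    if not lines:
        raise ValueError("request line does not fit inside the parse limit")
    method, url, _version = lines[0].decode().split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode(errors="replace").partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, url, headers, complete


def cookie_value(headers, name):
    for cookie_header in headers.get("cookie", []):
        for part in cookie_header.split(";"):
            key, _, value = part.strip().partition("=")
            if key == name:
                return value
    return None


# class-maps in policy order: the first matching class wins
URL_CLASSES = [
    ("URL-IMAGE", re.compile(r"/image/.*"), "IMAGE-SF"),
    ("URL-MATCHING", re.compile(r".*"), "WEB-SF"),
]


def classify(url):
    for class_name, pattern, serverfarm in URL_CLASSES:
        if pattern.match(url):
            return class_name, serverfarm
    return None, None


def build_request(path, pad_len):
    """Constructed request with a large padding cookie ahead of the sticky cookie."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: 172.16.1.73\r\n"
        f"Cookie: pad={'x' * pad_len}; WEB-COOKIES=R1234\r\n\r\n"
    ).encode()


def demo():
    req = build_request("/image/logo.png", pad_len=3000)
    _, url, hdrs_2k, complete_2k = parse_headers(req, 2048)
    _, _, hdrs_8k, complete_8k = parse_headers(req, 8192)
    return {
        "class": classify(url),
        "cookie_at_2k": cookie_value(hdrs_2k, "WEB-COOKIES"),
        "complete_at_2k": complete_2k,
        "cookie_at_8k": cookie_value(hdrs_8k, "WEB-COOKIES"),
        "complete_at_8k": complete_8k,
    }


if __name__ == "__main__":
    print(demo())
```

A request whose headers do not finish inside the parse limit is exactly what the "Max parselen errors" counter in the show output above counts; with the default limit the sticky cookie is invisible and every such request is balanced as if the client were new.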


Allocation of Resources

Virtual Context Setup

Every ACE device contains a special virtual context called "Admin", which has settings for the ACE device itself. Although you can configure load balancing within the Admin context, it is recommended that you create separate virtual contexts for load balancing.

The capacity of each ACE virtual context is determined by its resource class. If the Admin context is not configured correctly, it could be starved of all resources.
When configuring resource allocations in ACE, it is possible to allocate 100% of resources to non-Admin contexts, so that the Admin context is no longer reachable via ICMP, telnet, SNMP, etc.

Recommended Settings for Admin Context

  resource-class ADMIN
    limit-resource conc-connections minimum 5.00 maximum equal-to-min
    limit-resource mgmt-connections minimum 5.00 maximum equal-to-min
    limit-resource rate bandwidth minimum 5.00 maximum equal-to-min
    limit-resource rate ssl-connections minimum 5.00 maximum equal-to-min
    limit-resource rate mgmt-traffic minimum 5.00 maximum equal-to-min
    limit-resource rate conc-connections minimum 5.00 maximum equal-to-min
  !
  resource-class STICKY
    limit-resource all minimum 1.00 maximum unlimited
    limit-resource acl-memory minimum 5.00 maximum equal-to-min
    limit-resource conc-connections minimum 5.00 maximum equal-to-min
    limit-resource rate bandwidth minimum 5.00 maximum equal-to-min
    limit-resource rate connections minimum 5.00 maximum equal-to-min
    limit-resource sticky minimum 6.00 maximum equal-to-min
    limit-resource rate ssl-connections minimum 5.00 maximum equal-to-min
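The starvation risk described two slides back can be checked before a configuration is pushed. The following is an added example, not ACE or ANM code: it parses limit-resource lines in the resource-class syntax shown above and verifies that the guaranteed minimums of all contexts assigned to each class fit within 100%, and that the Admin context keeps a guaranteed share of the management resources it needs to stay reachable. The embedded sample is a shortened copy of the two classes above plus a constructed third class; the context-to-class assignments are constructed as well.

```python
"""Resource-allocation check, added example (not ACE or ANM code). It parses
'limit-resource' lines in the resource-class syntax shown above and checks
that the guaranteed minimums of all contexts using each class fit in 100%
and that the Admin context keeps a guaranteed share of the management
resources it needs to stay reachable. The third class and the
context-to-class assignments are constructed."""
import re

LIMIT_RE = re.compile(
    r"^limit-resource\s+(?P<res>all|rate\s+\S+|\S+)\s+minimum\s+(?P<min>[\d.]+)"
    r"\s+maximum\s+(?P<max>equal-to-min|unlimited|[\d.]+)$"
)

# resources the Admin context must keep to answer ICMP, telnet and SNMP
ADMIN_CRITICAL = ("conc-connections", "mgmt-connections", "rate mgmt-traffic")

SAMPLE_CONFIG = """\
resource-class ADMIN
  limit-resource conc-connections minimum 5.00 maximum equal-to-min
  limit-resource mgmt-connections minimum 5.00 maximum equal-to-min
  limit-resource rate bandwidth minimum 5.00 maximum equal-to-min
  limit-resource rate mgmt-traffic minimum 5.00 maximum equal-to-min
resource-class STICKY
  limit-resource all minimum 1.00 maximum unlimited
  limit-resource conc-connections minimum 5.00 maximum equal-to-min
  limit-resource sticky minimum 6.00 maximum equal-to-min
resource-class LB-ONLY
  limit-resource conc-connections minimum 30.00 maximum equal-to-min
  limit-resource sticky minimum 20.00 maximum equal-to-min
"""


def parse_resource_classes(text):
    """Return {class: {resource: (minimum_pct, maximum)}}."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("resource-class "):
            current = line.split()[1]
            classes[current] = {}
            continue
        m = LIMIT_RE.match(line)
        if m and current is not None:
            maximum = m.group("max")
            if maximum not in ("equal-to-min", "unlimited"):
                maximum = float(maximum)
            classes[current][m.group("res")] = (float(m.group("min")), maximum)
    return classes


def guaranteed(class_def, resource):
    """Guaranteed minimum for one resource; an explicit line overrides 'all'."""
    if resource in class_def:
        return class_def[resource][0]
    return class_def.get("all", (0.0, None))[0]


def check_allocation(classes, assignments, admin_context="Admin"):
    """assignments: {context name: resource class}. Returns a list of problems."""
    resources = sorted({r for c in classes.values() for r in c if r != "all"})
    problems = []
    for res in resources:
        total = sum(guaranteed(classes[c], res) for c in assignments.values())
        if total > 100.0:
            problems.append(f"{res}: guaranteed minimums total {total:.2f}% (over 100%)")
        if res in ADMIN_CRITICAL and guaranteed(classes[assignments[admin_context]], res) == 0.0:
            problems.append(f"{res}: {admin_context} context has no guaranteed minimum")
    return problems


def demo():
    classes = parse_resource_classes(SAMPLE_CONFIG)
    recommended = {"Admin": "ADMIN", "Exchange": "STICKY", "SharePoint": "STICKY"}
    starved = {"Admin": "LB-ONLY", "App1": "LB-ONLY", "App2": "LB-ONLY", "App3": "LB-ONLY"}
    return {"recommended": check_allocation(classes, recommended),
            "starved": check_allocation(classes, starved)}


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, problems or "ok")
```

The recommended layout passes; the constructed LB-ONLY layout over-commits concurrent connections and leaves the Admin context with no guaranteed management connections or management traffic, which is the condition under which the Admin context stops answering ICMP, telnet and SNMP.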


Considerations when Load Balancing SSL Connections

SSL Server Offload

To terminate or initiate HTTPS connections with ACE, the virtual context must have at least one SSL proxy service. An SSL proxy service contains the certificate and key information needed to terminate HTTPS connections from the client or initiate them to the servers.

ANM (Application Network Manager) provides you with a guided setup to import an SSL key pair into the ACE.

Sample SSL Key/Cert Pair

ACE ships with a default 1024-bit RSA key pair; the sample certificate is based on this key pair. The sample certificate and key are named cisco-sample-cert and cisco-sample-key. You can view the sample SSL key and cert.

The sample SSL key and cert files can be exported using the crypto export command.

Basic SSL Load Balancing

Redirecting Clients to Use SSL

  rserver redirect REDIRECT
    webhost-redirection https://%h%p 302
    inservice
  !
  serverfarm redirect REDIRECT-SF
    rserver REDIRECT
      inservice
  !
  class-map match-all HTTP
    2 match virtual-address 172.16.1.73 tcp eq 80
  !
  policy-map type loadbalance first-match REDIRECT-PM
    class class-default
      serverfarm REDIRECT-SF
  !
  policy-map multi-match LOADBALANCE
    class HTTP
      loadbalance vip inservice
      loadbalance policy REDIRECT-PM

In the redirect string, %h is replaced with the request's Host header and %p with its path, so a request for http://www.cisco.com/go/ace is answered with a 302 to https://www.cisco.com/go/ace.

SSL Server Offload Configuration

In order to configure SSL, you need to add the following to an L3/L4 class map:
- parameter-map type ssl
- ssl-proxy service
- policy-map

The parameter-map is used to define parameters for SSL connections (e.g., SSL version, cipher suites, close-protocol behavior). The ssl-proxy service defines the certificates and keys to be used in SSL connections.

SSL Packet Flow With ACE

[Figure: client to ACE over TCP 443: SYN, SYN/ACK, ACK, SSL handshake, HTTPS GET index.html (Accept-Encoding: gzip, deflate), HTTPS response (L3 flow); ACE to Server 1 over a separate TCP flow: HTTP GET index.html, HTTP 200 OK response with index.html]

  ssl-proxy service CLIENT-SSL
    key mykey.pem
    cert mycert.pem
  !
  serverfarm WEB-PROTOCOLS
    rserver SERVER1 81
      inservice
    rserver SERVER2 81
      inservice
    probe HTTP-GET
  !
  class-map match-all HTTPS-CM
    2 match virtual-address 172.16.1.73 tcp eq 443
  !
  policy-map type loadbalance first-match SSL-PM
    class class-default
      serverfarm WEB-PROTOCOLS
  !
  policy-map multi-match L4
    class HTTPS-CM
      loadbalance vip inservice
      loadbalance policy SSL-PM
      loadbalance vip icmp-reply
      ssl-proxy server CLIENT-SSL

Basic SSL Offload Example

  rserver host SERVER1
    ip address 192.168.1.1
    inservice
  rserver host SERVER2
    ip address 192.168.1.2
    inservice
  !
  probe http HTTP-GET
    interval 5
    port 81
    passdetect interval 3
    request method get url /secure/index.html
    expect status 200 200
  !
  parameter-map type ssl CLIENT_PARAM
    cipher RSA_WITH_RC4_128_MD5 priority 2
    cipher RSA_WITH_AES_128_CBC_SHA priority 3
    cipher RSA_WITH_AES_256_CBC_SHA priority 5
    session-cache timeout 600
  ssl-proxy service CLIENT-SSL
    key mykey.pem
    cert mycert.pem
    ssl advanced-options CLIENT_PARAM
  !
  class-map match-all HTTPS-CM
    2 match virtual-address 172.16.1.73 tcp eq 443
  !
  serverfarm WEB-PROTOCOLS
    probe HTTP-GET
    rserver SERVER1 81
      inservice
    rserver SERVER2 81
      inservice
  !
  sticky http-cookie WEBCKE STICKYCKE
    cookie insert
    serverfarm WEB-PROTOCOLS
  !
  policy-map type loadbalance first-match SSL
    class class-default
      sticky-serverfarm STICKYCKE
  policy-map multi-match L4
    class HTTPS-CM
      loadbalance vip inservice
      loadbalance policy SSL
      loadbalance vip icmp-reply
      ssl-proxy server CLIENT-SSL

ACE in a Virtualised Environment

Enabling a new server in a VM Environment

[Figure: ACE load balancer in front of an ESX cluster; a server farm of rservers r1, r2, r3 (VM A, VM A 2, VM A 3) behind Application VIP A; Application Network Manager (5.1) linked to VMware vCenter; the SLB team and the server team each work from their own tool]

Enabling a new server in a VM Environment: the ANM 5.1 vCenter plug-in lets sysadmins activate, suspend, configure and monitor rservers

[Figure: the same topology, operated by the sysadmin through the ANM 5.1 plug-in in VMware vCenter]

ANM 5.1 Plug-in for VMware vCenter

[Figure: ACE tab from ANM shown inside vCenter]

ANM 5.1 Plug-in for VMware vCenter

[Figure: plug-in screen to activate, suspend, configure and monitor rservers]

Deploying VMware View 4.0 with Cisco ACE

Why add a Cisco ACE?

Scalability: larger deployments require multiple Security Servers or multiple Connection Servers
- Cisco ACE balances client connections across available Connection Servers
- VMware rates a single View Connection Server at 1,500 concurrent non-tunneled connections, and 30% less if tunneled

Fault Tolerance
- Cisco ACE detects the failure of View components and directs traffic around the failure

Performance
- Reduce CPU usage on Connection Servers by offloading HTTPS cryptography

VMware View deployment with Cisco ACE

General Types of View Deployments

LAN Direct Deployment
- Display protocol does not pass through the View Connection Server

LAN Tunneled Deployment
- Display protocol traffic is encapsulated in HTTPS and passes through the View Connection Server

Secure (DMZ) Tunneled Deployment
- Display protocol traffic is encapsulated in HTTPS and passes through the View Security Server
- View Security Server does not participate in Active Directory, and can be safely placed in the DMZ

VMware View deployment with Cisco ACE

LAN Tunneled Deployment with ACE

[Figure: View Client -> Cisco ACE -> Connection Servers -> ESX cluster containing virtual desktops; steps: 1. Authentication, 2a. RDP, 2b. RDP decrypted, 2c. RDP brokered]

More Secure: all traffic encapsulated in SSL. Virtual desktop IP addresses do not need to be reachable by clients.
Offload Benefit: SSL cryptography offloaded by Cisco ACE, reducing CPU utilization on Connection Servers.
Recommended for LAN deployments on secure networks. Connection Servers participate in Active Directory and should not be exposed to the Internet.

VMware View deployment with Cisco ACE

Secure Tunneled Deployment (DMZ)

[Figure: View Client -> Security Server (DMZ) -> Connection Server, Active Directory server, vCenter, ESX cluster containing virtual desktops]

1. HTTP(S) authentication and desktop selection
2. AJP/JMS authentication
3. RDP over HTTPS
4. RDP un-tunneled by the Security Server

* The client RDP connection is tunneled over HTTPS to the Security Server

VMware View deployment with Cisco ACE

Secure Tunneled Deployment (DMZ) with ACE

[Figure: View Client -> ACE -> Security Servers -> Connection Servers -> ESX cluster containing virtual desktops; steps: 1a. Authentication, 1b. Authentication decrypted, 1c. Authentication proxied, 2a. RDP, 2b. RDP decrypted, 2c. RDP brokered]

Most Secure: all traffic encapsulated in SSL. No public exposure of Connection Servers.
Requires careful planning, since Security Servers depend on their paired Connection Server.

ACE for Microsoft Exchange

Application Solutions Validated with ACE

Comprehensive set of validated ACE solutions. This design guide presents an end-to-end solution architecture that demonstrates how enterprises can virtualize their Exchange 2010 environment on Cisco Unified Computing System:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/hypervexchange.html

Understanding Exchange Architecture

[Figure: Exchange 2007 and Exchange 2010 component diagrams. Labels: Entourage, Outlook / MAPI clients, Exchange Components (WS, Mailbox Agents, OWA, Sync, Transport Agents, UM), Middle Tier, Mailbox, Exchange Biz Logic / Exchange Core Biz Logic, MAPI RPC Store, DAV, MAPI, Exchange RFR & NSPI RPC]

Exchange 2010 Middle Tier

New services in Exchange Server 2010 that reside on the CAS
- Restrict all Outlook data access to a single common path by migrating Mailbox and Directory endpoints to the CAS

[Figure: Outlook clients -> CAS -> MB (Mailbox) and GC (Global Catalog)]

What it handles:
- Outlook data connections go to the RPC Client Access Service on the CAS instead of connecting to Mailbox servers
- The Address Book Service on the CAS replaces the DSProxy interface and handles all Outlook directory connections
- Public folder connections connect directly to the Mailbox server, but through the RPC Client Access Service running on the backend Exchange CAS array

Exchange 2010 ACE Load Balancing OWA

[Figure: Internet -> ACE -> access switch -> Microsoft Exchange CAS servers -> Mailbox server, with Microsoft Active Directory]

Outlook Web Access (OWA)

ACE can provide the following benefits:
- Additional data centre security using ACLs
- Layer 7 load balancing between servers with HTTP cookie session persistence
- SSL termination
- Health monitoring to check Client Access Server status
- HTTP to HTTPS server redirection
- Possible TCP multiplexing and HTTP compression

Preventing Protocol Change to HTTP

SSL Connection Attempt Leaving the SSL Domain: Not a Secure Connection

  HTTP/1.1 200 OK
  Date: Tue, 12 Apr 2005 13:59:37 GMT
  Server: Microsoft-IIS/6.0
  X-Powered-By: ASP.NET
  Content-Type: text/html
  Content-Length: 1164

  <!--Copyright (c) 2000-2003 Microsoft Corporation. All rights reserved.-->
  <!--CURRENT FILE== "IE5" "WIN32" frameset -->
  <HTML>
  <HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=utf-8">
  <TITLE>Microsoft Outlook Web Access</TITLE>
  <BASE href="http://example.com/exchange/highroller/ ">
  </HEAD>

The BASE href is an incorrectly (insecurely) formatted protocol: the server answered a client that connected over HTTPS with an http:// base URL.

Preventing Protocol Change to HTTP

Change Value data, type 1

The CAS role is aware of the SSL-offload functionality of the ACE. To configure support for SSL-offloading on a CAS role, refer to: http://technet.microsoft.com/en-us/library/bb885060.aspx
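A check for the failure mode shown two slides back, written as an added example rather than ACE or Exchange code: when the ACE terminates HTTPS and speaks plain HTTP to the CAS, a server that does not know about the offload can answer with absolute http:// URLs (BASE href, Location) or with cookies lacking the Secure flag, sending the browser back out in the clear. The parser below scans a server response and lists each such spot, which is what you would run against the VIP before and after applying the CAS SSL-offload setting. The first response is constructed from the slide; the redirect response is constructed.

```python
"""Detector for clear-text fall-back behind an SSL-offloading VIP, added
example (not ACE or Exchange code). When the ACE terminates HTTPS and
speaks plain HTTP to the CAS, a server that is unaware of the offload can
answer with absolute http:// URLs (BASE href, Location) or cookies without
the Secure flag, sending the browser back out in the clear. The parser
scans a response and lists each such spot. The first response is
constructed from the slide; the redirect response is constructed."""
import re

BASE_HREF = re.compile(r'<BASE\s+href\s*=\s*"([^"]*)"', re.IGNORECASE)
ABS_HTTP = re.compile(r"^\s*http://", re.IGNORECASE)

SAMPLE_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 12 Apr 2005 13:59:37 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>Microsoft Outlook Web Access</TITLE>\r\n"
    '<BASE href="http://example.com/exchange/highroller/ ">\r\n'
    "</HEAD></HTML>"
)


def split_response(raw):
    """Return (status line, {header name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def find_downgrades(raw):
    """Every place the client behind the HTTPS VIP would be sent to
    clear-text HTTP or would expose a session cookie over it."""
    _status, headers, body = split_response(raw)
    findings = []
    for location in headers.get("location", []):
        if ABS_HTTP.match(location):
            findings.append(("Location", location))
    for m in BASE_HREF.finditer(body):
        if ABS_HTTP.match(m.group(1)):
            findings.append(("BASE href", m.group(1).strip()))
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(("Set-Cookie without Secure", cookie.split(";")[0]))
    return findings


def demo():
    redirect = (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://example.com/owa/\r\n"
        "Set-Cookie: sessionid=abc123; path=/\r\n"
        "\r\n"
    )
    return {"page": find_downgrades(SAMPLE_PAGE), "redirect": find_downgrades(redirect)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The sessionid cookie checked here is the same one the OWA sticky group later keys on, so a missing Secure flag matters twice: the browser would send it over HTTP, and the load balancer would then treat that clear-text request as the existing session.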

Exchange 2010 ACE Load Balancing Outlook Anywhere

[Figure: Internet -> ACE -> access switch -> Microsoft Exchange CAS servers -> Mailbox server, with Microsoft Active Directory]

Outlook Anywhere

ACE can provide the following benefits:
- Additional data centre security using ACLs
- Load balancing using the HTTP header value "MSRPC"
- Session persistence based on source IP or the HTTP Authorization header
- SSL termination
- Health monitoring to check Client Access Server status

Outlook Anywhere Over HTTP

ACE can use the User-Agent: MSRPC HTTP header to detect RPC over HTTP. This enables you to use the same VIP for OWA and Outlook Anywhere, therefore saving address space. ACE can use the Basic Authorization header for session persistence, which eliminates having to use source-IP stickiness.

  RPC_IN_DATA /rpc/rpcproxy.dll?exch-ace-tme.com:6004 HTTP/1.1
  Accept: application/rpc
  User-Agent: MSRPC
  Host: exch-ace-tme.com
  Content-Length: 1073741824
  Connection: Keep-Alive
  Cache-Control: no-cache
  Pragma: no-cache
  Authorization: Basic Q0xJRU5UXG1kaXR0bWVyOmZvbw==

When using NTLM it is believed the hash value could change. Therefore you cannot use the Authorization header for session persistence; you will need to use source-IP stickiness.

Combined Outlook Anywhere and OWA ACE Configuration: Health Checking

  probe http msExchange02-probe-1
    interval 60
    passdetect interval 60
    passdetect count 2
    request method get url /exchweb/bin/auth/owalogon.asp
    expect status 400 404
    open 10

Combined Outlook Anywhere and OWA ACE Configuration: CAS Server Farm and Session Persistence

  serverfarm host msExchange02
    failaction purge
    predictor leastconns
    probe msExchange02-probe-1
    rserver 192.168.11.58 80
      inservice
    rserver 192.168.11.59 80
      inservice
    rserver 192.168.11.60 80
      inservice
  !
  class-map type http loadbalance match-any msExchange02-cond
    description RPC
    2 match http header User-Agent header-value "MSRPC"
  !
  sticky http-header Authorization msExchange02-OutlookRPC
    replicate sticky
    serverfarm msExchange02
  sticky http-cookie sessionid msExchange02-OutlookSession
    replicate sticky
    serverfarm msExchange02
  !
  policy-map type loadbalance first-match msExchange02_https-l7slb
    class msExchange02-cond
      sticky-serverfarm msExchange02-OutlookRPC
    class class-default
      sticky-serverfarm msExchange02-OutlookSession

- Load balance on the User-Agent header for Outlook Anywhere (class-map msExchange02-cond)
- Persist on the Authorization header for Outlook Anywhere (sticky msExchange02-OutlookRPC)
- Persist on the sessionid cookie for OWA (sticky msExchange02-OutlookSession)
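How the policy-map above sorts a request on the shared VIP, as an added example that is not ACE code: a User-Agent of MSRPC matches class msExchange02-cond and sticks on the Authorization header, anything else is OWA and sticks on the sessionid cookie. The example also applies the caveat from the Outlook Anywhere slide: an NTLM Authorization value changes between requests, so such requests fall back to a source-IP key (the group name SOURCE-IP-FALLBACK is assumed here, not from the configuration). Sticky keys are stored as truncated SHA-256 digests, a design choice of this example and not a statement about ACE internals. The requests and the NTLM tokens are constructed; the Basic request reuses the headers shown on the slide.

```python
"""Policy evaluation for the combined Outlook Anywhere / OWA VIP, added
example (not ACE code). It follows the configuration above: requests whose
User-Agent is MSRPC match class msExchange02-cond and stick on the
Authorization header; everything else is OWA and sticks on the sessionid
cookie. NTLM Authorization values change per request, so those requests
fall back to a source-IP key (group name SOURCE-IP-FALLBACK is assumed).
Keys are stored as truncated SHA-256 digests, a design choice of this
example. Requests and the NTLM tokens are constructed."""
import hashlib


def parse_request(raw):
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def cookie_value(headers, name):
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def sticky_key(material):
    # the raw Authorization header (credentials) never goes into the table
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def choose_sticky(raw, client_ip):
    """Return (matched class, sticky group, sticky key or None)."""
    _line, h = parse_request(raw)
    if h.get("user-agent") == "MSRPC":                 # class msExchange02-cond
        auth = h.get("authorization", "")
        if auth.startswith("Basic "):
            return "msExchange02-cond", "msExchange02-OutlookRPC", sticky_key(auth)
        return "msExchange02-cond", "SOURCE-IP-FALLBACK", sticky_key(client_ip)
    sid = cookie_value(h, "sessionid")                  # class class-default (OWA)
    key = sticky_key(sid) if sid else None
    return "class-default", "msExchange02-OutlookSession", key


BASIC_AUTH = "Basic Q0xJRU5UXG1kaXR0bWVyOmZvbw=="

OUTLOOK_ANYWHERE = (
    "RPC_IN_DATA /rpc/rpcproxy.dll?exch-ace-tme.com:6004 HTTP/1.1\r\n"
    "Accept: application/rpc\r\nUser-Agent: MSRPC\r\nHost: exch-ace-tme.com\r\n"
    f"Authorization: {BASIC_AUTH}\r\n\r\n"
)
OWA = (
    "GET /owa/ HTTP/1.1\r\nHost: exch-ace-tme.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "Cookie: sessionid=abc123\r\n\r\n"
)


def demo():
    client = "203.0.113.5"
    ntlm_1 = OUTLOOK_ANYWHERE.replace(BASIC_AUTH, "NTLM TlRMTVNTUAABAAAA")   # constructed token
    ntlm_2 = OUTLOOK_ANYWHERE.replace(BASIC_AUTH, "NTLM TlRMTVNTUAADAAAA")   # constructed token
    return {
        "basic": choose_sticky(OUTLOOK_ANYWHERE, client),
        "ntlm": choose_sticky(ntlm_1, client),
        "ntlm_key_stable": choose_sticky(ntlm_1, client) == choose_sticky(ntlm_2, client),
        "owa": choose_sticky(OWA, client),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two NTLM requests from the same client produce the same key only because the fallback switches to the source address; keyed on the Authorization header they would land on different servers and break the RPC session, which is the behaviour the slide warns about.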


ACE Load Balancing Exchange 2010 Clients (MAPI-RPC)

[Figure: Exchange 2010 client -> Internet -> ACE -> access switch -> Microsoft Exchange CAS servers -> Mailbox server, with Microsoft Active Directory]

ACE can provide the following benefits:
- Additional data centre security using ACLs
- Load balancing MAPI-RPC using the least-conns predictor
- Session persistence based on source IP

MAPI-RPC ACE Configuration

  class-map match-all msExchange02_other
    2 match virtual-address 192.168.10.105 any
  serverfarm host msExchange02-others
    failaction purge
    predictor leastconns
    rserver 192.168.11.58
      inservice
    rserver 192.168.11.59
      inservice
    rserver 192.168.11.60
      inservice
  sticky ip-netmask 255.255.255.255 address source MAPI-RPC-SRC-IP
    replicate sticky
    serverfarm msExchange02-others
  policy-map type loadbalance first-match msExchange02_other-l7slb
    class class-default
      sticky-serverfarm MAPI-RPC-SRC-IP

Simplifying All of the Above with ANM 5.1 Application Templates

Only required to provide:
- VIP IP
- CAS IP addresses
- SSL cert/key location
- NAT required?
ANM does the rest!

Simplifying All of the Above with ANM 5.1 Application Templates

[Figure: ANM 5.1 application template screen]

ACE Configuration Created by ANM 5.1 System Template


access-list vip-acl remark Created to permit IP traffic to VIP.
access-list vip-acl line 50 extended permit ip any host 192.168.10.105

script file name CITRIX_XML_BROKER_PROBE
script file name CITRIX_XML_BROKER_PROBE_3DES_SHA

probe http msExchange02-probe-1
  interval 60
  passdetect interval 60
  passdetect count 2
  request method get url /exchweb/bin/auth/owalogon.asp
  expect status 400 404
  open 10

rserver host 192.168.11.58
  ip address 192.168.11.58
  inservice
rserver host 192.168.11.59
  ip address 192.168.11.59
  inservice
rserver host 192.168.11.60
  ip address 192.168.11.60
  inservice
rserver redirect msExchange02_http
  webhost-redirection https://%H/owa 302
  inservice

serverfarm host msExchange02
  failaction purge
  predictor leastconns
  probe msExchange02-probe-1
  rserver 192.168.11.58 80
    inservice
  rserver 192.168.11.59 80
    inservice
  rserver 192.168.11.60 80
    inservice
serverfarm host msExchange02-others
  failaction purge
  predictor leastconns
  rserver 192.168.11.58
    inservice
  rserver 192.168.11.59
    inservice
  rserver 192.168.11.60
    inservice
serverfarm redirect msExchange02_redir
  rserver msExchange02_http
    inservice

sticky http-header Authorization msExchange02-OutlookRPC
  replicate sticky
  serverfarm msExchange02
sticky http-cookie sessionid msExchange02-OutlookSession
  replicate sticky
  serverfarm msExchange02
sticky ip-netmask 255.255.255.255 address source MAPI-RPC-SRC-IP
  replicate sticky
  serverfarm msExchange02-others

class-map type http loadbalance match-any msExchange02-cond
  description RPC
  2 match http header User-Agent header-value "MSRPC"
class-map match-all msExchange02_http
  2 match virtual-address 192.168.10.105 tcp eq www
class-map match-all msExchange02_https
  2 match virtual-address 192.168.10.105 tcp eq https
class-map match-all msExchange02_other
  2 match virtual-address 192.168.10.105 any

policy-map type loadbalance first-match msExchange02_http-l7slb
  class class-default
    serverfarm msExchange02_redir
policy-map type loadbalance first-match msExchange02_https-l7slb
  class msExchange02-cond
    sticky-serverfarm msExchange02-OutlookRPC
  class class-default
    sticky-serverfarm msExchange02-OutlookSession
policy-map type loadbalance first-match msExchange02_other-l7slb
  class class-default
    sticky-serverfarm MAPI-RPC-SRC-IP

policy-map multi-match int10
  class msExchange02_http
    loadbalance vip inservice
    loadbalance policy msExchange02_http-l7slb
  class msExchange02_https
    loadbalance vip inservice
    loadbalance policy msExchange02_https-l7slb
    nat dynamic 1 vlan 11
    ssl-proxy server msExchange02-termination
  class msExchange02_other
    loadbalance vip inservice
    loadbalance policy msExchange02_other-l7slb
    nat dynamic 1 vlan 11

ssl-proxy service msExchange02-termination
  key msExchange02-msExch02key.pem
  cert msExchange02-msExch02cert.pem

interface vlan 10
  ip address 192.168.10.254 255.255.255.0
  access-group input vip-acl
  service-policy input int10
  no shutdown


Microsoft SharePoint 2010 with ACE

What Is Microsoft SharePoint Server 2010?

Microsoft SharePoint Server 2010 is a portal-based collaboration platform for creating, managing and sharing documents and Web services. SharePoint 2010 enables users to create "SharePoint Portals" that include shared workspaces, applications, blogs, wikis and other documents accessible through a Web browser.


Logical Architecture
A SharePoint 2010 server farm is a 3-tier architecture, which consists of:
- Web Front End Server(s)
- Application Server(s)
- Database Server(s)

The Web Server role provides Web content to clients. The Application Server role provides SharePoint 2010 services such as search queries, Office Web Applications and crawling and indexing content. The Database Server stores Content and Configuration information.

Figure: logical architecture diagram showing the Browser and Client App, the SharePoint Web Front End, the SharePoint Application Server, and the Config DB, Content DB and Custom DB.

Minimum Requirements for a SharePoint 2010 Installation


The following components are required for a minimum installation of SharePoint 2010:
- SharePoint Server 2010 (64-bit only)
- 64-bit Windows Server 2008 SP2 or 64-bit Windows Server 2008 R2
- 64-bit SQL Server 2008 or 64-bit SQL Server 2005
  - SQL 2005 x64 SP3 CU3
  - SQL 2008 x64 SP1 CU2


SharePoint 2010 Topologies

SharePoint Server 2010 can be deployed in a server farm environment when hosting a large number of sites, when the best possible performance is required, or if the scalability of a multi-tier topology is needed. A server farm consists of one or more servers dedicated to running the SharePoint Server 2010 application. Server farm environments can encompass a wide range of topologies, and can include many servers or as few as two servers. Because a server farm deployment of SharePoint Server 2010 can be complex, Microsoft recommends that you plan your deployment.

Large Topology Considerations


- Although Microsoft Windows 2008 Server can provide software-based load balancing, Cisco ACE can offer higher performance
- ACE also provides server health monitoring, TCP connection management and HTTP optimization using HTTP compression and hardware SSL termination
- Virtualization within ACE allows a single pair to serve multiple SharePoint applications as well as other Microsoft and non-Microsoft enterprise applications
- It is possible to collapse a multi-tier architecture onto a single pair of ACE devices without the need to order and configure additional equipment

Figure labels: Microsoft SharePoint 2010, Microsoft Exchange 2010


Large Topology Considerations


- The GSS probes the ACE load balancers to retrieve the Web front-ends' health and load information
- Based on this information the GSS can load balance the user's request to the best available data centre
- The GSS then provides user stickiness for all of the user's subsequent requests
- The GSS is authoritative for the WWW. The GSS will only provide an A record if the Web front-ends' health is available


ACE Load Balancing SharePoint 2010 Web Front End Servers

Figure: topology showing SharePoint 2010 users, ACE, the SP 2010 WFE servers, the SP 2010 app. servers and the DB tier.

ACE can provide the following benefits:


- Additional Data Centre Security using ACLs
- Layer 4/7 load balancing between Clients and SharePoint WFE servers with session persistence based upon HTTP Cookie insertion
- SSL termination
- Health monitoring (including In-Band) for guaranteed service availability

ACE Load Balancing SharePoint 2010 Web Front End Servers


Figure: HTTPS from SharePoint 2010 users to ACE (SSL termination, cookie insertion for user session persistence), HTTP from ACE to the Microsoft SharePoint 2010 WFE servers, with in-band health checking and OOB probes against the WFEs.

ACE Load Balancing Services:
- SSL Termination for Portal Traffic
- L4 Load Balancing for Application Traffic
- In-Band & OOB WFE Server Health Checking
- Session Persistence maintained with HTTP Cookie Insertion


SharePoint 2010 Portal ACE Configuration


probe http msSharePoint01-probe-1
  interval 5
  passdetect interval 30
  expect status 401 401
  open 15

rserver host WFE01
  ip address 192.168.11.1
  inservice
rserver host WFE02
  ip address 192.168.11.2
  inservice

OOB health checking for failed WFE servers (probe) and in-band health checking for failed HTTP connections (inband-health check):

serverfarm host msSharePoint01-80
  failaction purge
  predictor leastconns
  probe msSharePoint01-probe-1
  inband-health check remove 100 reset 500 resume-service 300
  rserver WFE01 80
    inservice
  rserver WFE02 80
    inservice

Required for cookie insertion on HTTP 1.1 persistent connections:

parameter-map type http msSharePoint01-http_params
  persistence-rebalance
  set content-maxparse-length 8192
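The `expect status` and `passdetect count` keywords in this SharePoint probe and in the Exchange probe earlier (`expect status 400 404`, `passdetect count 2`) decide when ACE marks a WFE or CAS failed and when it takes it back. Added Python example, not ACE or Cisco code: a model of that probe state machine fed with constructed probe results; it assumes the ACE defaults faildetect 3 and passdetect count 3, and treats an `open` timeout as a failed probe.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed from the two probe stanzas shown in this deck.
SHAREPOINT_PROBE = """probe http msSharePoint01-probe-1
  interval 5
  passdetect interval 30
  expect status 401 401"""
EXCHANGE_PROBE = """probe http msExchange02-probe-1
  interval 60
  passdetect interval 60
  passdetect count 2
  request method get url /exchweb/bin/auth/owalogon.asp
  expect status 400 404"""


@dataclass
class HttpProbe:
    status_min: int = 200        # ACE default: expect status 200 200
    status_max: int = 200
    faildetect: int = 3          # consecutive failures before FAILED (default 3)
    passdetect_count: int = 3    # consecutive passes to recover (default 3)
    failed: bool = False
    fails: int = 0
    passes: int = 0

    @classmethod
    def from_stanza(cls, stanza: str) -> "HttpProbe":
        # Pick up the probe keywords this deck uses; other lines are ignored.
        p = cls()
        for w in (line.split() for line in stanza.splitlines()):
            if w[:2] == ["expect", "status"]:
                p.status_min, p.status_max = int(w[2]), int(w[3])
            elif w[:2] == ["passdetect", "count"]:
                p.passdetect_count = int(w[2])
            elif w[:1] == ["faildetect"]:
                p.faildetect = int(w[1])
        return p

    def observe(self, status: Optional[int]) -> bool:
        """One probe result (None = `open` timeout or refused connect);
        returns True while the rserver is still considered healthy."""
        if status is not None and self.status_min <= status <= self.status_max:
            self.fails, self.passes = 0, self.passes + 1
            if self.failed and self.passes >= self.passdetect_count:
                self.failed = False       # passdetect-count passes: back in service
        else:
            self.passes, self.fails = 0, self.fails + 1
            if not self.failed and self.fails >= self.faildetect:
                self.failed = True        # faildetect failures: taken out of service
        return not self.failed
```

A SharePoint WFE that suddenly answers 200 instead of 401 (for example, anonymous access switched on) is treated as a probe failure, which is the intended behaviour of `expect status 401 401`.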


SharePoint 2010 Portal ACE Configuration


sticky http-cookie SPLB-Port msSharePoint01-WFE-Portal
  cookie insert browser-expire
  replicate sticky
  serverfarm msSharePoint01-80
sticky http-cookie SPLB-WFE msSharePoint01-WFE-Apps
  cookie insert browser-expire
  replicate sticky
  serverfarm msSharePoint01

policy-map type loadbalance first-match msSharePoint01_https-l7slb
  class class-default
    compress default-method deflate
    sticky-serverfarm msSharePoint01-WFE-Portal
policy-map type loadbalance first-match msSharePoint01_other-l7slb
  class class-default
    compress default-method deflate
    sticky-serverfarm msSharePoint01-WFE-Apps
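Added Python example (not ACE or ANM code) modelling what `sticky http-cookie ... cookie insert browser-expire` over a `predictor leastconns` farm does to one request stream: the first cookieless request is placed by least connections and gets a Set-Cookie, later requests carrying that cookie stick regardless of load, and an unknown cookie value or a removed WFE falls back to the predictor. The HMAC-derived cookie value and STICKY_SECRET are my constructions; ACE generates its own opaque value.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Constructed per-device secret; ACE's real inserted values are opaque
# strings generated by the device, not this HMAC construction.
STICKY_SECRET = b"constructed-example-secret"


@dataclass
class CookieStickyFarm:
    """Models: sticky http-cookie <name> / cookie insert browser-expire /
    serverfarm <farm>, where the farm uses predictor leastconns."""
    cookie_name: str
    rservers: Dict[str, int]          # WFE name -> current connections
    table: Dict[str, str] = field(default_factory=dict)  # cookie value -> WFE

    def cookie_value(self, rserver: str) -> str:
        # Opaque value: the client never sees a 192.168.11.x address in the cookie.
        return hmac.new(STICKY_SECRET, rserver.encode(), hashlib.sha256).hexdigest()[:16]

    def route(self, headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Pick the WFE for one HTTP request; return (WFE, Set-Cookie or None)."""
        morsel = SimpleCookie(headers.get("Cookie", "")).get(self.cookie_name)
        if morsel is not None:
            target = self.table.get(morsel.value)
            if target in self.rservers:          # known value, WFE still in service
                self.rservers[target] += 1
                return target, None               # stick, nothing re-inserted
        # No cookie, unknown value or failed WFE: predictor (leastconns) decides.
        target = min(self.rservers, key=self.rservers.get)
        self.rservers[target] += 1
        value = self.cookie_value(target)
        self.table[value] = target
        # browser-expire: no Expires/Max-Age, so the browser drops it on close.
        return target, f"{self.cookie_name}={value}; Path=/"

    def remove_rserver(self, name: str) -> None:
        """WFE taken out by a probe or the in-band check: its entries stop matching."""
        self.rservers.pop(name, None)
```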


Simplifying All of the Above with ANM 5.1 Application Templates

Only Required to Provide:
- VIP IP
- WFE Server IP Addresses
- SSL Cert/Key Location
- NAT Required?

ANM does the rest!


Simplifying All of the Above with ANM 5.1 Application Templates


ACE Configuration Created by ANM 5.1 System Template


access-list vip-acl-1 remark Created to permit IP traffic to VIP.
access-list vip-acl-1 line 10 extended permit ip any host 192.168.10.100

probe http msSharePoint01-probe-1
  interval 5
  passdetect interval 30
  expect status 401 401
  open 15
probe icmp msSharePoint01-probe-2
  interval 2
  passdetect interval 60

rserver host 192.168.11.1
  ip address 192.168.11.1
  inservice
rserver host 192.168.11.2
  ip address 192.168.11.2
  inservice
rserver host 192.168.11.3
  ip address 192.168.11.3
  inservice

serverfarm host msSharePoint01
  failaction purge
  predictor leastconns
  probe msSharePoint01-probe-2
  rserver 192.168.11.1
    inservice
  rserver 192.168.11.2
    inservice
  rserver 192.168.11.3
    inservice
serverfarm host msSharePoint01-80
  failaction purge
  predictor leastconns
  probe msSharePoint01-probe-1
  inband-health check remove 100 reset 500 resume-service 300
  rserver 192.168.11.1 80
    inservice
  rserver 192.168.11.2 80
    inservice
  rserver 192.168.11.3 80
    inservice

parameter-map type http msSharePoint01-http_params
  persistence-rebalance
  set content-maxparse-length 8192

sticky http-cookie SPLB-Port msSharePoint01-WFE-Portal
  cookie insert browser-expire
  replicate sticky
  serverfarm msSharePoint01-80
sticky http-cookie SPLB-WFE msSharePoint01-WFE-Apps
  cookie insert browser-expire
  replicate sticky
  serverfarm msSharePoint01

class-map match-all msSharePoint01_https
  2 match virtual-address 192.168.10.100 tcp eq https
class-map match-all msSharePoint01_other
  2 match virtual-address 192.168.10.100 any

policy-map type loadbalance first-match msSharePoint01_https-l7slb
  class class-default
    compress default-method deflate
    sticky-serverfarm msSharePoint01-WFE-Portal
policy-map type loadbalance first-match msSharePoint01_other-l7slb
  class class-default
    compress default-method deflate
    sticky-serverfarm msSharePoint01-WFE-Apps

policy-map multi-match int10
  class msSharePoint01_https
    loadbalance vip inservice
    loadbalance policy msSharePoint01_https-l7slb
    appl-parameter http advanced-options msSharePoint01-http_params
    ssl-proxy server msSharePoint01-termination
  class msSharePoint01_other
    loadbalance vip inservice
    loadbalance policy msSharePoint01_other-l7slb
    loadbalance vip icmp-reply active

ssl-proxy service msSharePoint01-termination
  key msSharePoint01-msExch02key.pem
  cert msSharePoint01-msExch02cert.pem

interface vlan 10
  access-group input vip-acl-1
  service-policy input int10


Summary
Load Balancing Today's Web Application
- Benefits of Traffic Management
- Introduction to ACE
- Design Considerations
- Probes, Persistence, Predictors
- Resources
- SSL

Linking VMware VCenter manager to the ANM 5.1


Deploying VMware View w/Cisco ACE
- VMware View 4.0

Microsoft Deployments
- ACE for Microsoft Exchange 2010
- ACE for Microsoft SharePoint 2010


Recommended Reading
BRKAAP-2005

Please complete your Session Survey


We value your feedback
Don't forget to complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite, which can also be accessed through the screens at the Communication Stations.

Or use the Cisco Live Mobile App to complete the surveys from your phone, download the app at www.ciscolivelondon.com/connect/mobile/app.html
1. Scan the QR code (go to http://tinyurl.com/qrmelist for QR code reader software, or alternatively type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations

http://m.cisco.com/mat/cleu12/


Thank you.
