manualshive.com logo in svg

Avanu WebMux A400X, User Manual, Page: 58 / 116

Share
Download
Avanu WebMux A400X User Manual Download Page 58

   

   

58   

 

Client Whitelist for TCP Attacks: 

 

It may be necessary to allow certain IPs to make connections that may appear to be attacks. 
For example, if you have a third party company that regularly benchmarks your services for 
maximum load handling, you will need to allow that company uninterrupted access.  You can 
use a specific IP address or specify a network range (i.e. xxx.xxx.xxx.0/24).  Separate each 
entry with a colon (:). 

 

Duration to Block Attackers: 

 

This sets the amount of time to block attacker IP addresses.  It may not be desirable to block 
specific IP addresses indefinitely because of the dynamic nature of IP addresses used by the 
general public.  You may end up blocking out potential customers in the future.  Therefore, this 
setting allows you to set the IP blocking duration that suite your needs. 
 
Changing the settings in this page will not require a reboot and is effective once you click the 
confirm button. 

 
Activating Flood Control 
 

To get to the Flood Control settings of the WebMux, hover the mouse pointer over the security 
menu on top and then click on the flood control link. 

 
 
 
 
 
 
 
 
 
 
 
 
 

 

You will get to this screen: 

 

 
 
 
 
 
 
 
 
 
 
 
 
 

Summary of Contents for WebMux A400X

Page 1: ...WebMux Network Traffic Manager User Manual Models A400X A400XD A500X A500XD and A600X Version v11 0 00 Revision February 2015 www avanu com...

Page 2: ...ECTION II WEBMUX MAIN COMPONENTS 11 Front View 11 Rear View 12 SECTION III WEBMUX TOPOLOGY OVERVIEW 14 WebMux Topology Modes 14 Two Armed NAT Mode 14 Two Armed Transparent Mode 18 One Armed Single Net...

Page 3: ...ion Summary 32 SECTION V Management Console 43 Login 44 Start Login Page 44 User ID 44 Password 44 Login 45 Main Management Console 45 Save 46 Pause Resume 46 Adjusting Health Check Timeout for Each S...

Page 4: ...esses 52 SNAT 52 Insert X Forwarded For SNAT only 52 Adding Static Routes 53 Reconfigure 54 Security Settings 55 Allowed Remote Host IPs 55 TACACS Server Configuration 55 LDAP server IPv4 URL 55 LDAP...

Page 5: ...SSL Terminated HTTP Requests 70 Servers are HTTPS Servers Re encryption Layer 7 70 Servers Only Serve IPv4 Not IPv6 Layer 7 70 Farm Will Use MAP 70 Compress HTTP Traffic 70 SNAT 70 HTTP Server Respon...

Page 6: ...Compress HTTP traffic 79 HTTP Server Response Comparison String 79 HTTP Server URI 79 Delete 79 Add Server 79 Server IP Address 79 Label 80 Server Port Number 80 Weight 80 Run State 80 Modify Server 8...

Page 7: ...ux 97 Multiple Uplink VLAN Support 98 Important Considerations Pertaining Only to Additional Network Configurations 100 NAT Mode VLAN and Server LAN Gateway IP 100 Transparent Mode VLAN 101 Out of Pat...

Page 8: ...8...

Page 9: ...supporting an extensive range of applications and services Notice of Rights Copyright 2013 2015 AVANU Inc All rights reserved No part of any related WebMux documents may be reproduced or transmitted i...

Page 10: ...ion Form Contact Information Mailing Address AVANU 5205 Prospect Rd 135 143 San Jose CA 95129 5034 United States Service Center AVANU 15011 Parkway Loop Building 10 Suite D Tustin CA 92780 6522 United...

Page 11: ...N Indicator Under normal operations this indicates activity on the Management LAN interface Even if the system is not running there is still standby power If there is an active Ethernet connection in...

Page 12: ...It goes through lower case letters upper case letters numbers and symbols Left Arrow Button and Right Arrow Button These move the cursor left and right into data entry fields and back Note that the C...

Page 13: ...d Network Traffic ports are the ports used for Internet to Server load balancing The ports can be configured to all be on the same network in Transparent Single Network and Out of Path modes or on sep...

Page 14: ...all those modes Each mode has its advantages and disadvantages Two Armed NAT Mode The main purpose of the WebMux is to balance IP traffic amongst multiple web or other servers The diagram above shows...

Page 15: ...virtual farm or multiple farms must be configured on the WebMux A virtual farm is a single representation of the servers to the clients A farm consists of a group of servers that service the same doma...

Page 16: ...er LAN The other interface connects to the server LAN The WebMux translates the router LAN IP addresses to private Class C addresses In this example the netmask is 255 555 255 0 The IP address of the...

Page 17: ...ice will run on the new IP address Although the WebMux can work with any IP address range all servers IP should be private addresses If there is a firewall between the WebMux and the Internet router a...

Page 18: ...133 156 210 Servers 2 and 3 serve Farm 2 Changes to the servers change the default gateway to 10 1 1 1 as well as the IP addresses to the 10 3 1 10 20 30 addresses If there is a service on the server...

Page 19: ...balance any traffic targeted to the farm address and let all other traffic flow through like a network cable This simplifies some network configuration but isolating the server is an additional requi...

Page 20: ...rmware older than 8 7 09 you may notice the server LAN side is not accessible For single WebMux setup any kind of switch will work since there is only one bridge path exist on the network No Spanning...

Page 21: ...Mux will not alter the tag If the traffic is not for the HTTP port WebMux will not insert the XFF header for the traffic Enabling XFF header insertion is optional on a per farm basis If your host soft...

Page 22: ...antage for OOP direct response is that the firewall protections built in to the WebMux will no longer function Users must provide their own firewall for incoming and outgoing traffic Also when using S...

Page 23: ...witch that allows you to create Link Aggregation Groups LAG sometimes called EtherChannel or Port Channel the Internet port and Server port on the WebMux can both be connected to the switch and they w...

Page 24: ...e as a single interface and effectively double the amount of data throughput Prior to version 8 2 03 the Internet port was deactivated in Out of Path Mode IPv6 Considerations The WebMux can load balan...

Page 25: ...t If the primary unit goes down the secondary unit will activate the Server LAN gateway IP on itself to ensure that the real servers will always have a valid default gateway to use After these setting...

Page 26: ...to ensure that high availability is intact Also the secondary unit has a safeguard to not take over immediately if it just recently gave back to the primary unit After about 5 minutes the secondary u...

Page 27: ...th ports not connected or reports no link level connection should failover to secondary d Front network verification enabled with one farm configured See the explanation in NAT mode e Multiple uplink...

Page 28: ...here The highest number meaning 1000 is higher than 100 You need to make sure that the Loopback Adapter has the highest number in the routing table Giving a lower number means a higher priority You w...

Page 29: ...rvers Don t forget to add the proper farm IP to each virtual host configuration With IPv6 addresses add the IPv6 address of the FARM to lo adaptor Also be sure that the routing table has an IPv6 entry...

Page 30: ...add this command to the bootup script ifconfig lo0 1 farm_ip_address up FreeBSD ifconfig l o0 inet farm_ip_address netmask 255 255 255 255 alias Oracle Solaris ifconfig lo0 1 FARM_IP_ADDR ifconfig lo0...

Page 31: ...of another set of servers on port 443 and the third farm works on a set of servers on port 21 The WebMux supports combining 80 443 ports as one single farm so that same client browsing the site in HT...

Page 32: ...tions if needed Make a new drawing for the new setup with the WebMux and the web farm in place This will be used as a guide for setup and preparation of all the necessary material and equipment Collec...

Page 33: ...vice statistics screen will appear Run the Management Browsers Initial Configuration Enter WebMux Host Name Enter the host name of the WebMux Use the right arrow to move the position the up and down a...

Page 34: ...tion It provides the best security for isolating servers from any other part of the networks Two Armed Transparent Mode or One Armed Single Network Mode provides the convenience of preserving your ser...

Page 35: ...address to allow faster name resolution in UNIX or Linux operating systems In an installation with a primary and secondary WebMux a unique IP address is required for each WebMux interface that connec...

Page 36: ...d Continue to the Common Configuration section Transparent Mode or Single Network Mode Related Configuration Enter Bridge IP Address This will be the IP address of the WebMux on the network so that yo...

Page 37: ...at one should add this IP address to your servers etc hosts file along with the gateway IP address to allow faster name resolution especially on Linux UNIX systems For additional information reference...

Page 38: ...so that no computer can access the browser management console At that point clearing the allowed host file will allow any browser to access it By default the allowed host list is empty so that any IP...

Page 39: ...l the changes will be saved Only when you select NO do not discard changes changes will be saved to the internal solid state storage Changes will take effect after next reboot The next question will b...

Page 40: ...hosts but not reset the password or change one option and not change the others Bond All Interfaces Setup As of firmware version 8 5 04 when you specify a non zero VLAN ID in NAT Mode or Transparent M...

Page 41: ...channel interface should now be part of both VLAN 100 and VLAN 200 using TAGGED VLAN Now configure the switch to use ports 3 4 5 and 6 for the Front Internet LAN The devices connected these ports wil...

Page 42: ...ssuming that it already has a 192 168 11 0 24 address you should now be able to ping the WebMux svr LAN IP address of 192 168 11 21 Setting Up the Management Port The management port on the WebMux is...

Page 43: ...trative GUI does all of the WebMux management The following sections explain how to use the management console screens Login Main Management Console Network Setup Adding Static Routes Reconfigure Secu...

Page 44: ...for unsecured communications The port number can be changed per your specification in the network management section of the network menu The following login page will appear In order to use a browser...

Page 45: ...agement console to HTTPS connections only go to the network management screen by clicking on the network menu and make the WebMux HTTP control port number to 0 For customers who have configured TACACS...

Page 46: ...frequently to provide the most up to date statuses You can use the Pause button to freeze the auto refresh After clicking the Pause button the button will change to Resume and the auto refresh will s...

Page 47: ...47 IP address and server LAN gateway address to the server s name resolution table will help resolve this problem Please reference the Frequently Asked Questions section for more information...

Page 48: ...N IP and you assigned fec0 as the IPv6 prefix the WebMux unit s complete IPv6 address will be fec0 192 168 12 21 or fec0 c0a8 c15 For additional information reference the section on IPv6 Consideration...

Page 49: ...H KEY DESCRIPTION INFO STATS LCD display messages NOTICE LOGIN Successful browser login logout NOTICE SETUP Significant access and changes to setup and configuration items NOTICE EVENT Same as paper m...

Page 50: ...ls help shows the commands how to use these commands are not supported When this entry is blank any diagnostic access is denied This entry should remain blank under normal operations Default port numb...

Page 51: ...Network Verification IP Address You can specify a different IP address for the WebMux to use to check the front network It can be the router in front of the WebMux or a router in your ISP s WAN It can...

Page 52: ...led server the WebMux will pretend the server is sending TCP Reset to the client thus freeing all the TCP_WAIT state connections The default setting is YES to conserve resources Front Proxy Addresses...

Page 53: ...kbox and click confirm to delete the selected route Please remember that even though a new route is immediately active once you click the confirm button it is not automatically saved and will get lost...

Page 54: ...unit you need to make sure you also click the save button on the main console screen in order to propagate the changes made to the backup unit Reconfigure The Reconfigure button will bring you to the...

Page 55: ...rong IP addresses are entered the Web Management Administrative Console login might not be possible Use the setup mode on the LCD panel to clear the allowed host list This field is blank by default TA...

Page 56: ...olicy Accept The WebMux will allow all ICMP packets to travel through the WebMux For CLI arp commands working properly this must be accept Deny The WebMux will NOT allow any ICMP packets to travel thr...

Page 57: ...Anti Attack To get to the Anti Attack settings of the WebMux hover the mouse over the security menu on top and then click on the AAD link You will see this screen TCP Connection Attack Threshold This...

Page 58: ...he amount of time to block attacker IP addresses It may not be desirable to block specific IP addresses indefinitely because of the dynamic nature of IP addresses used by the general public You may en...

Page 59: ...ects the maximum allowable packet bursts Timeout in Seconds This setting will control duration in seconds that the connection blocking will be upheld Flood Control Display The Flood Control Display sc...

Page 60: ...60...

Page 61: ...ate change Download and Upload Backup and Restore Download This feature allows the saved not necessarily the active configuration to be saved at the Web Interface Administrative Browser workstation Be...

Page 62: ...t you could save the configuration and upload all settings to the WebMux so that you do not need to go through step by step configuration requires both WebMux units on the same firmware revision Set C...

Page 63: ...button to close the session The Login screen will re appear Shutdown The shutdown button will bring you to a confirmation screen to power off the WebMux Reboot Changes to TACACS server configuration s...

Page 64: ...for Count This will stop the capture when this number of packets have been reached Timeout in seconds This will stop the capture when the timeout period in seconds has been reached Help This will tak...

Page 65: ...h farm must have its own IP address The farm address could be the Internet known address or the address has been translated by your firewall For example if you want to create an HTTP farm for www mydo...

Page 66: ...P address the WebMux does not need to do anything extra other than load balancing all the packets for that particular farm If the service is HTTP then any web server software Microsoft IIS or Apache c...

Page 67: ...om the WebMux All servers talk to each other freely across the WebMux Load balancing occurs when the farm IP is accessed In Out of Path Mode only the Server LAN port is connected and the farm s must u...

Page 68: ...select Generic TCP and specify port number 0 SERVICE PROTOCOL COMMON PORT DNS Domain Name Service TCP 53 FTP File Transfer Protocol TCP 21 HTTP Hypertext Transfer Protocol TCP 80 HTTPS Secure Hyperte...

Page 69: ...nd 995 respectively and will allow you to choose any port for the clear traffic to the servers When using the generic or custom services specifying the clear traffic port for the service in the port n...

Page 70: ...If the WebMux detects that the servers in the farm are already compressing the data the WebMux will not perform compression Instead it will let the compressed data from the servers pass through witho...

Page 71: ...ue through to be forwarded to the servers in this farm Layer 7 Request URI Path Perl Regex Match When a string is entered in this field the request URI the part after the domain name will be examined...

Page 72: ...en you only want encrypted traffic to reach your servers Tag SSL terminated HTTP Requests If the Servers are HTTPS Servers Re encryption setting is set to No traffic between the WebMux to your servers...

Page 73: ...512 to 8192 RSA key length 1024 is also called 128 bit strong encryption At the bottom of the screen you will see the option to choose encryption protocols allowed This will enable you to restrict SS...

Page 74: ...se newly generated item with the desired key length and then click on the Submit button This process is also known as generating a CSR or generating a Certificate Signing Request This is the process w...

Page 75: ...e certificate dialog box select use new certificate pasted in and click on the Confirm button to save it into the WebMux Generally you will receive three certificates The one whose identity is your em...

Page 76: ...de SSL authentication It is not for the intermediate certificate Importing Your Existing Private Key and Certificate If you already have an existing key and certificate in PEM format importing them in...

Page 77: ...ous certificate DO NOT paste any text into the CA certificate text box The CA certificate field is for a completely different function known as Client Side SSL Authentication For normal farm SSL Termi...

Page 78: ...xisting web site name on the server For addiontal information reference the section on Virtaul Hosting Issues within this User Manual Farm Scheduling Method Ten 10 different methods are supported Leas...

Page 79: ...Farm HTTP Server Response Comparison String When a string is entered in this field WebMux HTTP Health Check will search the first 1024 bytes in the HTTP content String is a case sensitive match HTTP...

Page 80: ...anged to zero the WebMux will not send new connections but will maintain all current connections to the server The connections will gradually reduce to zero as current clients sessions terminated When...

Page 81: ...not be switch in This will allow the last server to show a different web page from others Modify Server Modify Server can be invoked by clicking on the server IP address on the Status screen Destinati...

Page 82: ...eights will also have an effect on the number of standby servers that are activated If the failed active server had a weight of 20 and there are two standby servers with the weight of 10 the WebMux wi...

Page 83: ...If you have a label specified and the server returns error code 401 then the WebMux will consider that server dead For both Microsoft IIS and Apache servers doing virtual hosting the farm name label m...

Page 84: ...WebMux Compression true will be appended to the server response MIME header NOT supported in Out of Path Mode Add Gateway Farm Gateway Farms allow you to load balance outgoing traffic between multiple...

Page 85: ...r a label for reference purposes The use of the label for gateways is optional Click the Confirm button to create the gateway farm Your status screen will look something like this Your original defaul...

Page 86: ...its run state to Active again through the browser interface This will give system administrators time to fix the system or reboot the gateway once some software hardware update is completed Favorite A...

Page 87: ...determined by the front network verification protocol setting in the Network Setup section of this User Manual If you click on the nh link under the service column you will get to the modify service...

Page 88: ...200 and a plain text page beginning with one of the allowed responses The URL is truncated to 255 bytes to be a string of at most 256 bytes with a terminating null The response from the server must f...

Page 89: ...g that can be passed to your custom health check script For example the actual request from the WebMux will include the query string custom farm IP PORT server IP PORT alive 1 standby 0 favorite 0 las...

Page 90: ...rt in the farm configuration the WebMux will do Generic TCP port check on the server port As long as the port is open and responding to TCP connect the server will be considered alive The conditions w...

Page 91: ...nitor Traffic History Chart To monitor the traffic history WebMux keep some of its statistics information in the memory during running Please note that this information will be lost once WebMux is reb...

Page 92: ...efault superuser s password is superuser However the actual superuser s password may have been changed by the system administrator If you could not remember the superuser s password someone has to go...

Page 93: ...x is equipped with a CLI utility Here are examples of CLI commands Once the diagnose ports set superuser could use ssh or telnet to access the CLI commands to help troubleshoot network problems or ser...

Page 94: ...e the default boot partition to the other one brctl manually manipulate Ethernet bridge properties when the WebMux is in Transparent Mode checkssl verifies key and certificate For example checkssl 1 w...

Page 95: ...ping command for IPv6 poweroff initiates the proper shutdown sequence putallsettings allows you to import your saved all settings files putconfig restore farm server settings from your PC to WebMux rd...

Page 96: ...t 192 168 10 98 always appear to be sent from one of your public IP addresses i e 66 1 1 98 on the WebMux you can use this iptables command iptables t nat I POSTROUTING s 192 168 10 98 d 192 168 10 98...

Page 97: ...eference the Access CLI Commands section within this User Manual You may also specify VLAN tagging for these networks VLAN tagging is optional If it is used the switches to which the WebMux is connect...

Page 98: ...ink VLAN Support As of version 8 5 00 the WebMux support load balancing multiple uplink capabilities You can configure this feature using the command line interface command nwconfig additional network...

Page 99: ...help usage print this usage message i ipaddr IPADDR WebMux unit s IP address on the network is IPADDR e g 192 168 14 22 L list PATTERN list existing additional network configurations whose name match...

Page 100: ...additional network configuration with nwconfig the additional network will use the same VLAN ID that you specified for your original network configuration Even though the WebMux allows for this kind...

Page 101: ...o come from You will have problems with Windows servers if you use a farm IP that is the same as the main IP This is because Windows utilizes the MS Loopback Adapter with the farm IP When the WebMux s...

Page 102: ...first time setup and one time use Once you have configured the WebMux via the configuration wizard additional configuration modifications should be done via the WebMux management GUI Each wizard will...

Page 103: ...103...

Page 104: ...xy IP Address Router LAN Network IP Address Mask Router LAN VLAN ID optional Server LAN Information NAT and OOP Server LAN WebMux IP Address Server LAN Gateway IP Address optional for OOP Server LAN N...

Page 105: ...ation Server LAN WebMux IP Address 192 168 199 251 Server LAN Gateway IP Address 192 168 199 1 Server LAN Network IP Address Mask 255 255 255 0 Server LAN VLAN ID optional 102 Administration Setup Inf...

Page 106: ...10 Bridge IP Network Mask 255 255 255 0 WebMux farm IP Address 205 133 156 200 front Router LAN VLAN ID optional 101 back Server LAN VLAN ID optional 102 Administration Setup Information External Gate...

Page 107: ...loopback adapter 10 1 1 200 Route Deletion 10 1 1 200 Administration Setup Information WebMux External Gateway IP address 10 1 1 1 Remake home WebMux conf passwd Y Administration HTTP Port Number 24...

Page 108: ...Mux Proxy IP Address 205 133 156 200 205 133 156 200 Router LAN Network IP Address Mask 255 255 255 0 255 255 255 0 Router LAN VLAN ID optional 101 101 Server LAN Information Server LAN WebMux IP Addr...

Page 109: ...STANDBY No A weight of 0 indicates that the server will not accept any new connections The state is considered neither ACTIVE nor STANDBY This is to quiet the new connections for the server so that it...

Page 110: ...er hosts in my internal network Yes The function that allows the web servers to talk to services such as the credit card validation allows the WebMux to function as a proxy server for any host in the...

Page 111: ...ary WebMux cannot reach to the front router LAN gateway or if it cannot see any server in any farm then it will consider that the primary was disconnected or powered down purposely by operator Why can...

Page 112: ...iving product Upon approval a RMA number will be issued by AVANU s Customer Service for the return and must be visible on the outside shipping container Customer is responsible for freight and carrier...

Page 113: ...s 8 00 am to 5 00 pm Pacific time Product technical support Monday to Friday except US Holidays 8 00 am to 5 00 pm Pacific time Premium Annual Service Program First year must be purchased with the Web...

Page 114: ...r Responsibilities In order to avoid the risk of charges for issues not covered by your limited warranty issues that are not due to defects in materials and workmanship on AVANU WebMux products you wi...

Page 115: ...ONS INTENDED FOR THE WEBMUX PRODUCT About the Support Disclaimer The Support provision covers product configuration and basic remote installation support up to the first sixty days 60 from purchase da...

Page 116: ...e required for all warranty repair service or sales returns AVANU has the right to refuse any shipment without a RMA number AVANU has the right to offer promotional programs at any time where the Limi...

Reviews:

No comments