Global Load Balance
Using Envoy with Firewalled Networks
Envoy sites communicate with each other using the UDP-based Geographic Query Protocol (GQP),
and with clients using the DNS protocol. If you protect one or more of your Envoy sites with a
network firewall, you must configure the firewall to permit Envoy packets to pass through.
To use Envoy with firewalled networks, you need to configure the firewalls so that the following
actions occur:
• Envoy sites communicate with each other on UDP ports 5300 and 5301. The firewall must
allow traffic on these ports to pass between Envoy sites.
• Envoy sites and clients can exchange packets on UDP port 53. The firewall must allow traffic
on this port to flow freely between an Envoy site and any Internet clients so that clients trying
to resolve host names via the Envoy DNS server can exchange packets with the Envoy sites.
• Envoy sites can send ICMP echo request packets out through the firewall and receive ICMP
echo response packets from clients outside the firewall. When a client attempts a DNS
resolution, Envoy sites send an ICMP echo request (ping) packet to the client and the client
might respond with an ICMP echo response packet.
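The following is an added example, not part of the Equalizer documentation or Coyote Point's tooling: it models the three firewall requirements above as a first-match policy that can be checked offline, and renders the same policy as iptables rules. The peer site addresses are constructed placeholders, and the GQP port rule is deliberately restricted to known Envoy peer sites rather than to any source.

```python
from dataclasses import dataclass

GQP_PORTS = (5300, 5301)  # UDP, Envoy site <-> Envoy site (GQP)
DNS_PORT = 53             # UDP, Envoy site <-> any client
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

@dataclass(frozen=True)
class Flow:
    """One packet seen at the firewall in front of an Envoy site."""
    direction: str   # "in" (arriving at the site) or "out" (leaving it)
    proto: str       # "udp" or "icmp"
    remote: str      # address of the far end (source for "in", destination for "out")
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1

def envoy_flow_allowed(flow, peer_sites):
    """Evaluate a flow against the three rules above; first match wins."""
    if flow.proto == "udp":
        # GQP on 5300/5301, but only when the far end is another Envoy site
        if (flow.sport in GQP_PORTS or flow.dport in GQP_PORTS) and flow.remote in peer_sites:
            return True
        # DNS: queries arrive on port 53, answers leave from port 53, any client
        return flow.dport == DNS_PORT if flow.direction == "in" else flow.sport == DNS_PORT
    if flow.proto == "icmp":
        # Envoy pings the client outward; only the echo reply is let back in
        if flow.direction == "out":
            return flow.icmp_type == ICMP_ECHO_REQUEST
        return flow.icmp_type == ICMP_ECHO_REPLY
    return False  # anything else falls to the firewall's default deny

def envoy_iptables_rules(peer_sites):
    """Render the same policy as iptables rules (chains with a DROP default assumed)."""
    ports = ",".join(str(p) for p in GQP_PORTS)
    rules = []
    for peer in sorted(peer_sites):
        rules.append(f"-A INPUT  -p udp -s {peer} -m multiport --ports {ports} -j ACCEPT")
        rules.append(f"-A OUTPUT -p udp -d {peer} -m multiport --ports {ports} -j ACCEPT")
    rules.append(f"-A INPUT  -p udp --dport {DNS_PORT} -j ACCEPT")
    rules.append(f"-A OUTPUT -p udp --sport {DNS_PORT} -j ACCEPT")
    rules.append("-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT")
    rules.append("-A INPUT  -p icmp --icmp-type echo-reply -j ACCEPT")
    return rules

if __name__ == "__main__":
    peers = {"198.51.100.10", "203.0.113.20"}  # constructed placeholder Envoy site IPs
    print("\n".join(envoy_iptables_rules(peers)))
```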
Using Envoy with NAT Devices
If an Envoy site is located behind a device (such as a firewall) that is performing Network Address
Translation (NAT) on incoming IP addresses, then you must specify the public (non-translated) IP
as the Site IP, and use the translated IP (the non-public IP) as the resource (cluster) IP in the
Envoy configuration.
This is because Envoy must return the public cluster IP to a requesting client in order for the client
to be able to contact that cluster -- since the request goes through the NAT device before it
reaches Equalizer. The NAT device translates the public cluster IP in the request to the non-public
cluster IP that is defined on Equalizer, and then forwards the packet to Equalizer.
The non-public cluster IP must still be specified as the resource IP for the site, as this is the IP
that Envoy will use internally to probe the availability of the resource (cluster) on the site.
Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.