HP P4522A - Traffic Management Server Sa8220 User Manual Download Page 1

HP Traffic Director Server Appliances

User Guide for the HP E-Commerce Traffic Director Server Appliance SA8200/SA8220 and the HP Traffic Director Server Appliance SA7200/SA7220

Summary of Contents for P4522A - Traffic Management Server Sa8220

Page 1: ...hp traffic director server appliances user guide for the hp e commerce traffic director server appliance sa8200 sa8220 and the hp traffic director server appliance sa7200 sa7220 ...

Page 2: ...ANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material Hewlett Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett Packard Warranty A copy of the specific warr...

Page 3: ...ppliances 2 Assumptions 3 Benefits 3 Specifications 6 Typographic Conventions 9 Chapter 2 Theory of Operations 11 General Operating Principles 12 Services 12 Layer 4 HOT Services 13 Layer 7 RICH Services all models except the SA7200 13 Out of Path Return OPR 14 FTP Limitations 14 ...

Page 4: ...oad Balancing Across Multiple Servers 23 Balancing Algorithms 23 Response Time Metrics 23 Primary and Backup Servers 24 Server Configuration Options 24 Source Address Preservation 24 Multi hop Source Address Preservation 25 RICH Expressions not available on the SA7200 25 Order of Expressions not available on the SA7200 26 Routing with Dual Interfaces 27 Prioritization and Policy Groups 28 Routing ...

Page 5: ...the Topology Screen 63 Topology Screen Toolbar 64 Online Help 64 Topology Screen Elements 65 Window Controls 66 Policy Manager Screen 67 Policy Manager Controls and Displays 68 Policy Manager Toolbar 68 Policy Manager s Pop up Menu 69 Policy Groups 69 Creating Policy Groups 70 Throttling 71 Deleting Policy Groups 71 Services 72 Creating Services 72 Additional Service Tab Controls and Displays 73 B...

Page 6: ...ng 96 Access Options 96 GUI Tab 97 CLI Tab 99 SNMP Tab 101 SNMP Agent 101 Multi Site Tab 103 Logging Tab 104 Specifying System Log Parameters 104 Viewing the Log File 105 Configuration Screen 107 Saving Configuration Files 108 Restoring Configuration Files 108 Deleting Configuration Files 109 Copying Configuration Files 109 Viewing Configuration Files 110 Resetting the Factory Configuration 112 Se...

Page 7: ...duction 134 Secure Shell Support 134 Online Help 134 Pipes 135 Syntax 136 Categorical List of CLI Commands 137 Global System Commands 137 Admin Commands 137 File Management Commands 138 CLI Commands 138 IRV Commands 138 GUI Commands 138 Routing Commands 139 Policy Group Commands 139 Service Commands 139 Server Commands 140 System Commands 140 Security Commands 141 SNMP Commands 142 SSL Commands SA...

Page 8: ...208 Scenario 1 Load Balancing a Web Site with Two Servers and the SA8220 in Inline Mode 208 Prerequisites for Scenario 1 209 Procedure for Scenario 1 209 Scenario 2 Load Balancing Servers with Source Address Preservation 214 Prerequisites for Scenario 2 215 Procedure for Scenario 2 215 Scenario 3 Routing Outbound Data Away from the SA8220 for OPR 217 Prerequisites for Scenario 3 218 Procedure for ...

Page 9: ...Images 248 Software Image Media 248 Saving Your Current Configuration 248 Downloading and Installing the Software 249 Rebooting with the New Image and Verifying Installation 250 Upgrading Under Serial Cable Failover Configuration 251 Appendix A Security Configuration 253 Recommended Security Configuration 253 Appendix B SSL Configuration 255 Obtaining Keys and Certificates 255 Copying and Pasting ...

Page 10: ...gure OPR for Windows 2000 273 Set the Loopback 273 Configure OPR for Windows NT 288 Set the Loopback 288 Run a Web Service on the Loopback Interface Using IIS 3 0 295 Run a Web Service on the Loopback Interface Using IIS 4 0 296 Configuring OPR for Apache Web Server on a UNIX machine 297 Appendix E Diagnostics and Troubleshooting 299 Running Diagnostics 299 Diagnostic LEDs 300 Power Indication 300...

Page 11: ...a Compliance Statement Industry Canada 312 CE Compliance Statement 312 CISPR 22 Statement 312 WARNING 313 AVERTISSEMENT 314 WARNUNG 315 AVVERTENZA 316 ADVERTENCIAS 317 Wichtige Sicherheitshinweise 318 Software License Agreements 321 Support Services 325 Support for your SA8220 325 U S and Canada 325 Europe 326 Asia 327 Latin America 328 Other Countries 328 Glossary 329 ...


Page 13: ...r ease of reading all models are referred to as the SA8220 throughout this document Unless noted otherwise all SA8220 references refer to all models Introduction to the Traffic Director Server Appliances Assumptions Benefits Specifications Typographic Conventions ...

Page 14: ...tocols. Fault Resistance: The SA8220 managed configurations offer many features and capabilities that improve the availability and reliability of server-based services. Policy-based Management: The SA8220 allows system administrators to implement classes of service, assign priority levels, and set target response times. Intelligent Content Routing (SA8200/SA8220 only): The SA8220 takes application-aware rou...

Page 15: ...anagement technology, eliminating errors and improving Quality of Service (QoS). This unique capability ensures that customers working with sensitive information or buying online receive timely responses, do not see error messages, and are confident that delivery of their information is kept private. Up to 150 times SSL acceleration (SA8200/SA8220 only): E-Commerce sites suffer dramatic performance degradat...

Page 16: ... very customers who are trying to make a purchase. The SA8220 is essential to providing high performance and superior levels of service when building reliable, scalable, and secure e-Commerce sites. Off-loading SSL handling from e-Commerce servers improves overall site performance and customer response time. Accelerated SSL processing eliminates over-provisioning capacity. Lower processing demands on th...

Page 17: ...y technology for transactions: By monitoring content within the response sent back by the server, Intelligent Session Recovery detects HTTP 400, 500, or 600 series errors, transparently rolls back the session, and redirects the transaction to another server until the request is fulfilled. Response-time-based prioritized service for secure transactions: The SA8220 enables system administrators to implement ...

Page 18: ...soft Netscape etc X X X Any operating system UNIX Solaris Windows NT BSD BSDI AIX etc X X X Any server hardware SUN HP IBM Compaq SGI Intel based platforms etc X X X No practical limit on number of servers X X X System Administration Command line interface X X X Web based GUI X X X SNMP monitoring MIB II and Private MIB X X X Dynamic configuration through password protected serial console telnet S...

Page 19: ...phic processing from server X X X Dimensions Mounting Standard 19 inch rack mount X X X Height 3 5 inches 8 9 cm X X X Width 17 inches 43 2 cm X X X Depth 20 16 inches 51 21 cm for the SA7200 SA7220 and SA8220 Depth 23 75 inches 60 3 cm for the SA8200 X X X Weight 24 pounds 10 89 kg X X X Interface Connections Dual 10 100 Ethernet X X X TTY Serial console X X X Failover port X X X Transparent Oper...

Page 20: ...500 and 600 series errors for HTTP and HTTPS X X Response time based Priority for secure and non secure transactions Sets and enacts target response times X X Real time performance monitoring X X Automatic server weighting and tuning X X Server state aware sticky based on Source IP X X X SSL session ID X HTTP cookie X X System Fault Tolerance Single site single or multiple connections X X X Automa...

Page 21: ...ment damage WARNINGS alert you to potential hazards to life or limb Except for tables warnings are always found in the left margin NUMBERED LISTS indicate step by step procedures that you must follow in numeric order as shown below 1 This is the first step 2 This is the second step 3 This is the third step etc BULLETED LISTS indicate options or features available to you as shown below The first fe...

Page 22: ...u need to type at the command line appears in bold courier for example HP SA8220 config policygroup create gold Angled brackets designate where you enter variable parameters Straight brackets show parameter choices separated by vertical bars Braces show optional commands and parameters VERTICAL BARS separate the choices of input parameters within straight brackets You can choose only one of the se...

Page 23: ...SA8220 references refer to all models Also all references to RICH functionality or Expressions in this chapter do not apply to the SA7200 Services FTP Limitations Sticky Options SSL Acceleration SA8200 SA8220 only Load Balancing Across Multiple Servers Server Configuration Options Routing with Dual Interfaces Prioritization and Policy Groups Error Detection Serial Cable Failover ...

Page 24: ...e by receiving requests from the user and directing them for fulfillment to the most appropriate resource in the provider s server farm Services are defined and created within Policy Groups please see Prioritization and Policy Groups in Chapter 2 and are managed using the following commands NOTE The sample commands used in this chapter are meant as examples only config policygroup policy name serv...

Page 25: ... from the actual client. In some environments, it may be desirable to have the fulfillment server see the requests as if they were coming directly from the client. The Source Address Preservation (SAP) mode of the SA8220 allows this to happen (see Source Address Preservation for more detailed information). Layer 7 (RICH) Services (all models except the SA7200): The SA8220 allows more flexible service fulfillme...

Page 26: ...s not applicable to Layer 7 services. Each server for which OPR is enabled must have its loopback interface configured to identify itself as the VIP of the brokered service. This allows the server to respond directly to the client. The server's loopback interface (or an equivalent interface that will not respond to ARP requests) must be configured before setting up the SA8220 for OPR. For more informati...

Page 27: ...ent servers in clear text. Sticky cookie must be used when the clients need to remain stuck to the same server between HTTPS and HTTP. There is no sticky cookie requirement for HTTPS traffic. Each brokered service can be configured with sticky cookie, sticky IP, or no sticky option enabled. When a sticky option is configured, all client requests identified according to the enabled sticky mode during a se...

Page 28: ...Y: All cookie sticky RICH services will be stuck to the same server for the duration of the sticky timeout value. Sticky timeout: The current software version for the SA8220 treats the timeout differently for cookie versus source IP sticky. With source IP sticky, the timeout is reset with every connection from the client, so that the timeout is effectively an idle time. With cookie sticky, the timeout sta...

Page 29: ...erful addition to any web site desiring high security levels. It was specifically created to manage secure traffic going to and from critical applications. It handles SSL traffic into and out of the customer's environment, as well as providing load balancing, fault management, and error recovery. The SA8220 includes cryptographic software features and hardware-based acceleration. It provides up to 1200 S...

Page 30: ...sion keys. This method allows two parties to quickly establish each other's identities and establish a secure connection. Several encryption methods are employed. Common ones are DES, 3DES, RC2, and RC4. Key size can be varied to determine the level of security desired. A longer key is more secure. The SA8220 supports all common keys and ciphers, as well as the following encryption methods: DES, DES3, and RC2 R...

Page 31: ...Basic SSL Operations (SA8220): 1. Client connects to SA8220 with ClientHello (includes ciphers supported). 2. SA8220 responds with SSL ServerHello (includes selected cipher, session ID). 3. SA8220 sends certificate for server. 4. Client sends ClientKeyExchange message (includes PK session key). 5. SA8220 and client send ChangeCipherSpec message to indicate readiness. 6. SA8220 and client send finished messages (include...

Page 32: ... IP address, thus allowing you to isolate the impact of the SSL processing. Many users tune their sites for maximum performance by assigning HOT load balancing to all traffic except SSL. One of the other advantages of the SA8220 is its ability to recognize SSL session IDs. This permits sticky or persistent sessions to be established on a given server. HTTPS Redirect: If desired, you can specify a page to ret...

Page 33: ...ing identities. When you enable this feature, the SA8200/SA8220 verifies that client certificates are signed by a known CA. Issued client certificates are expected to be in use for their entire validity period. The CA periodically issues a signed data structure called a Certificate Revocation List (CRL), containing the serial numbers of all expired certificates. You can configure the SA8200/SA8220 to obta...

Page 34: ...uest header before sending the request to the server. The server can then extract the certificate from the request header and use it for authorization or other purposes. The client certificate is inserted in the request header only once per session. Requests following the initial request will be sent to the server with only the SSL session ID in the header. The SSL session ID is unique for each sessio...

Page 35: ...In these situations round robin load balancing can provide equal distribution of client requests to each fulfillment server The balancing algorithm is specified with the command config policygroup name service name balancing robin load Response Time Metrics For both balancing algorithms servers can be assigned target response times These values indicate the desired average response time for reques...

Page 36: ...ord the SA8220 as the source of these requests When Source Address Preservation SAP is enabled however the SA8220 preserves the original source addresses of requests delivered to the server farm If you use the log files from your server farm to gather information based on client source addresses use Source Address Preservation SAP is controlled with the following command config policygroup name se...

Page 37: ...d Server 1 s default route is set to SA8220 Broker 2 The SA8220 Broker 2 doesn t need SAP enabled for this service since SAP is automatically used on MSAP requests from SA8220 Broker 1 Under this configuration the San Diego client s IP address will be preserved in the Boston fulfillment servers logs MSAP is enabled at the CLI with the following command config policygroup policy name service servic...

Page 38: ...fig policygroup name service name server name port port expression delete expression Order of Expressions not available on the SA7200 NOTE The and are allowed in expressions but they can only exist at the beginning or end of the expression Also a positive expression is required after a not expression otherwise the expression has no effect When using expressions in Layer 7 RICH operations the order...

Page 39: ...ing and failover configurations please see Failover Method Dependencies in Appendix C NOTE The SA8220 cannot route multiple subnets on one interface Terms pertinent to SA8220 routing are listed below The figure below shows an example of the SA8220 routing topology SA8220 Routing Topology Term Description Network side subnet The SA8220 interface attached to the side of the physical network on which...

Page 40: ...cy group management commands are listed below config policygroup create name config policygroup delete name config policygroup name throttle enable disable The policy group framework allows the prioritization of categories of client requests Each service defined in a policy group is assigned a priority within that group and a target response time When the average response time of a service exceeds...

Page 41: ...sts and Server 3 fulfills both HTTP and HTTPS requests The next figure illustrates server utilization after HTTPS response time exceeds 10 ms Target Response Time Exceeded Upon noticing a break in the target response time threshold the SA8220 scans the policy group s active service and server pools for shared resources In this example both the HTTP and HTTPS services use Server 3 To provide the gr...

Page 42: ...there are multiple address spaces such as a SA8220 on the 10 x x x network and a VIP on the 209 x x x then a routing protocol might be the best method to advertise the VIP When configuring routing on the SA8220 always match the router s configuration The SA8220 can be programmed to use RIP v1 RIP v2 or OSPF For example standalone mode HP SA8220 config route HP SA8220 config route info Route config...

Page 43: ...to IRV pings but ports stop responding, then the dup syn interval threshold (described below) is used to decide if the server is declared dead. Dup syn Interval: The SA8220 dynamically calculates the threshold for the acceptable number of dropped packets within a given interval. If at any time in this interval the number of dropped packets exceeds this threshold, the server is considered dead. After the s...

Page 44: ...he command config policygroup name service name server name port port http enable disable The SA8220 extends standard HTTP error handling by allowing the server to return a special 606 error code Detection and handling of 606 errors is separately configurable In this way standard errors may be passed to the client while 606 errors are handled transparently by the HP system If 606 error handling is...

Page 45: ...he Primary and Backup SA8220s need to know their own identity and the Online Identity by address and name to satisfy internal communication parameters The SA8220s own names and the shared online identity are automatically entered into their host files during failover configuration If Dual NIC is enabled the identities for both the Outside network side and Inside server side NICs are shared For inf...

Page 46: ...it not detected or may not be configured Is this machine Primary or Backup Primary Enter the Network s ONline IP Address 10 6 3 200 Enter the Network s Online hostname netonline Serial failover successfully configured If Dual NIC operation is enabled failover configuration looks like the example shown below monitor failover Specify failover method disabled serial route disabled serial Checking for...

Page 47: ...een saved 6 Boot the SA8220 monitor boot Do you really want to continue boot y Enter Boot which configuration active cfg Enter Please stand by the system is being booted Done Login Configure the Backup SA8220 1 Reboot the SA8220 that will be the Secondary and press a key at the prompt to enter the Boot Monitor 2 At the prompt type the following command monitor failover 3 Follow the prompts as list...

Page 48: ...figured monitor 4 Save the Backup configuration monitor save List of currently saved configuration file s You may save over an existing configuration file or enter a new name File name active cfg backup cfg cris cfg active cfg is the last booted configuration Enter configuration file name to cancel active cfg Configuration has been saved 5 Boot the SA8220 monitor boot current configuration list of...

Page 49: ...n followed by a list of status messages and their explanations 1 Log in to the SA8220 2 At the CLI prompt type the following command HP SA8220 info The status appears on the last line of the info command s output A description of the status message can be found below Failover Status Message Description The broker is ONLINE and serial failover is NONE disabled One of the SA8220s is configured for e...

Page 50: ...nected or cable NIC or HUB port failure The broker is BACKUP and ONLINE and the remote s state is NIC_FAILED The broker is PRIMARY and ONLINE the connection to the remote has TIMED OUT The serial cable connecting the SA8220s is disconnected The broker is BACKUP and IP_IN_USE_ERROR the connection to the remote has TIMED OUT Failover Status Message Description ...

Page 51: ...he online SA8220. The time this state persists depends on the number of VIPs and services configured. Status message: The broker is PRIMARY BACKUP and CONFIGURATION_ERROR. Description: Both SA8220s are configured as Primary or as Backup. Neither SA8220 will come online until this condition is corrected. Status message: The broker is PRIMARY BACKUP and DNS_FAILED. Description: The online IP address is missing from both the local host file and the DNS server. Th...


Page 53: ...ollowing topics NOTE For ease of reading all models are referred to as the SA8220 throughout this document Unless noted otherwise all SA8220 references refer to all models System Requirements Accessing the Boot Monitor Boot Monitor Commands ...

Page 54: ...rations if the latter becomes necessary Day to day operations are managed using the Graphical User Interface please see Graphical User Interface Chapter 4 or the Run Time CLI please see Command Line Interface Chapter 5 General categories of tasks performed by the Boot Monitor include Configure and display boot options including the configuration file Manage the boot configuration file system Confi...

Page 55: ...1 Interrupt the SA8220 s bootup sequence by pressing a key at the following prompt Press any key to stop autoboot In a few seconds the monitor prompt displays confirming that the Boot Monitor is running Using the Run Time CLI 1 Type this command at the prompt config sys autoboot disable 2 Then at the HP SA8220 prompt type this command reboot The monitor prompt displays confirming that the Boot Mon...

Page 56: ...l operating mode If Autoboot is disabled the restart sequence ends by displaying the Boot Monitor interface Example monitor autoboot Enable Autoboot yes no yes boot Boots the device with a specific configuration Variations on use of the reboot command are described below Reboot with No Configuration Changes 1 Type the boot command The Boot Monitor displays the current configuration prompts you for...

Page 57: ...fault Gateway 10 6 3 1 Domain None Primary name server None DHCP Disabled Failover mode Disabled Network NIC setup Auto Server NIC setup Auto NTP Disabled Autoboot Disabled Static Routes None RICH_Biased Enabled Do you really want to boot active cfg y 2 To boot to the normal operational prompt type y 3 To return to the monitor prompt type n Reboot with Configuration Changes When you use the boot c...

Page 58: ...e example below Current active configuration Product HP SA8220 Version 2 7 Patch Level 0 0 Build 12 Current time Tue Sep 12 17 02 05 2000 Hostname CSLab7k Network side NIC IP Address 10 6 3 21 Netmask 255 255 255 0 MAC address 0 a0 c9 ed 6c cc Service side NIC IP Address 10 6 5 21 Netmask 255 255 255 0 MAC address 0 d0 b7 6 c1 85 Default Gateway 10 6 3 1 Domain None Primary name server None DHCP D...

Page 59: ...onfiguration Regardless of the file you select the configuration file you are about to boot is displayed to ensure that the last file displayed is the configuration that is booted 4 If you select the default y the system boots to the normal operational prompt if you type n it returns to the monitor prompt Second Options 1 If you choose not to save the modified file the system displays a warning th...

Page 60: ... is not redisplayed If you select a file other than active cfg the file s contents are displayed to ensure that the last file displayed is the configuration that is booted 3 If you select the default y the system boots to the normal operational prompt if you type n it returns to the monitor prompt delete Deletes the specified configuration file Example monitor delete Select a configuration to dele...

Page 61: ... dhcp Enable DHCP yes no no dir Displays the list of saved boot configuration files dns Specifies the domain and optionally nameserver s The system prompts you for the required information Example Would you like to configure DNS yes no no monitor dns Would you like to configure DNS yes no no yes Enter Domain name to cancel mydomain com Enter the IP Address of the Primary name server to cancel 10 6...

Page 62: ... delete saved configuration files Parameter Setting All added user accounts Deleted Policy groups services and servers Deleted Route parameters Deleted CLI parameters Deleted IP address Deleted Default route Deleted Hostname Deleted Domain Deleted Name servers Deleted DHCP Disabled Dual NIC Disabled Failover mode Disabled Autoboot Disabled Autoboot timeout 5 seconds Added hosts in the host file De...

Page 63: ...tected or may not be configured Is this machine Primary or Backup Primary Enter the Network side Online IP Address 10 6 3 200 Enter the Server side Online Address 10 6 5 200 Enter the Network side Online hostname net onlinehost Enter the Server side Online hostname serv onlinehost Serial failover successfully configured gateway Specifies the default gateway Example monitor gateway Enter default ga...

Page 64: ...pecify the Ethernet speed and duplex mode of the SA8220 s network interface card Single NIC configuration example Auto configure the network NIC speed and duplex yes no yes no 1 100BaseTx 2 10BaseTx Select Media Type 1 or 2 1 2 Use Full Duplex n n Dual NIC configuration example Auto configure the Network side NIC speed and duplex yes no yes Auto configure the Server side NIC speed and duplex yes n...

Page 65: ... Netmask for Network side NIC 255 255 255 0 Enter Netmask for Service side NIC 255 255 255 0 rich bias not available on the SA7200 Optimizes RICH_HTTP service performance If your RICH_HTTP service responses consist mostly of files greater than 8K the enabled default setting of rich_bias will optimize performance If your site is experiencing performance problems and the RICH_HTTP service responses ...

Page 66: ...ng the SA8220 s system time and date If you select NTP you will be prompted for the IP address of the NTP server s you want to use If you set the date manually you will be prompted first for the timezone then for the date in 24 hour format Example with NTP monitor settime Use NTP enable Enter IP address of NTP server or return to end 209 218 240 1 Enter IP address of NTP server or return to end 20...

Page 67: ...now Fri Sep 29 05 38 38 GMT 13 2000 Enter the year YYYY 2000 Enter the month MM 09 Enter the day DD 29 Enter the hour HH 05 Enter the minute MM 38 Enter the seconds SS 38 Fri Sep 29 05 38 38 GMT 13 2000 Example 2 without NTP manual setting NOTE Example 2 is for setting the time using United States time US monitor settime Use NTP disable Select TIMEZONEs to list GMT US Other or q to quit GMT US Sel...

Page 68: ...time Use NTP disable Select TIMEZONEs to list GMT US Other or q to quit GMT O Select a TIMEZONE from the Other list 1 Bangkok 2 Belfast 3 Belgrade 4 Berlin 5 Brussels 6 Copenhagen 7 Hongkong 8 Israel 9 Japan 10 London 11 Madrid 12 Manila 13 Paris 14 Poland 15 Portugal 16 Prague 17 Rome 18 Singapore 19 Stockholm 20 Turkey 21 Warsaw 22 Zulu 23 Zurich Select a number between 1 and 23 q to quit 10 22 ...

Page 69: ...plex yes no yes DHCP is disabled for dual NIC operation Enter the hostname you would like to assign to the Network NIC CSLab7k Enter the IP address for the Network side NIC 10 6 3 21 Enter the IP address for the Server side NIC 10 6 5 21 Enter the Netmask for the Network side NIC 255 255 255 0 Enter the Netmask for the Server side NIC 255 255 255 0 255 255 255 0 Enter default gateway 10 6 3 1 Woul...

Page 70: ... and factory_reset will remove all static IP routes as part of its cleanup Example monitor static_routes Static Route information Enter Static route 1 dest IP to del q to quit 10 7 16 5 Enter Static route 1 gate IP to del q to quit 10 8 15 40 Enter Static route 2 dest IP to del q to quit 10 7 18 50 Enter Static route 2 gate IP to del q to quit 10 8 15 40 Enter Static route 3 dest IP to del q to qu...

Page 71: ...f reading all models are referred to as the SA8220 throughout this document Unless noted otherwise all SA8220 references refer to all models Before You Begin Logon Screen Topology Screen Policy Manager Screen Administration Screen Configuration Screen Tools Screen Statistics Screen ...

Page 72: ...ector Server Appliance SA7200 SA7220s have features and functions that are controlled through either the browser based Graphical User Interface GUI as discussed in this chapter or the Command Line Interface CLI as discussed in Chapter 5 In order to use the inside IP or inside online IP for administration the client must be on the same subnet as the inside interface or must have an alternate path b...

Page 73: ...ess or Location field, type the SA8220's address and specify port 1095. For example: NOTE: If Internet Explorer 5.01 or later is your browser, you must add a trailing slash to the URL, as shown in step 2. Also, the default GUI port (1095) can be changed. For details, please see GUI Tab in this chapter. http://system_name:1095/ where system_name is the actual name or IP address of your SA8220. 3. Press Enter. The Log...

Page 74: ... password is admin (lowercase required). To change them, please see Users Tab in this chapter. 4. In the space provided, type your User name. 5. In the space provided, type your Password. 6. Click Logon. The Topology screen displays, as shown on the next page. The number of server icons varies depending upon your network configuration ...

Page 75: ...y Screen Displays a graphical representation of the current topological relationships between the SA8220 and network servers The SA8220 s status and Serial Cable failover if configured are also reflected here Serves as a gateway to the Administration and Policy Manager screens and the Configuration and Tools screens ...

Page 76: ...f the system and return you to the logon screen Configuration displays the Configuration Screen Administration displays the Administration Screen Tools displays the Tools Screen Policy Manager displays the Policy Manager Screen Statistics displays the Statistics Screen Log File displays the SA8220 s log file Online Help Online Help Button Located at the top right of the window the Help button is s...

Page 77: ...Policy Management screen by default but this can be changed in the Administration screen please see Administration Screen in this chapter Server Icon Servers are represented onscreen by vertical tower case icons as shown above Right clicking on a server icon displays a popup menu that can take you to other screens Double clicking the server icon takes you to the Statistics screen by default but th...

Page 78: ...for the largest display Move the slider control to the far left for the smallest display Background Zoom and Refresh Control The Topology screen elements can also be resized by right clicking on the background of the screen The popup menu shown above displays onscreen Zoom In enlarges the display and is the equivalent of moving the slider control to the right Zoom Out reduces the display and is th...

Page 79: ...icy Management the Policy Manager screen displays as shown below Policy Manager Screen The Policy Manager consists of a series of screens with multiple tabs that includes the controls used in the implementation of Policies The discrete items created altered and deleted in the course of Policy management are listed below Policy Groups Services Servers ...

Page 80: ...entioned hierarchy The Details display includes controls and status displays relating to the item selected in the Policies display and changes according to the type Policy Group Service or Server of the item selected If a Service or Server is selected then the Details screen contains two tabs each containing related controls The three types of items form a hierarchy policy groups contain Services ...

Page 81: ...enu shown below by right clicking in the Policies display Policy Manager s Pop up Menu Policy Groups Services are virtual resources provided to a client However Services can exist only in the context of Policy Groups Policy Groups are regarded as containers used to organize Services Therefore before Services can be defined Policy Groups must be created to contain them The Policy Manager s Policy G...

Page 82: ...w Policy Group 3 Type a name for the new Policy Group in the Policy Group Name field Policy Group names must adhere to the following conventions From 1 to 25 characters in length Any alphanumeric character Other eligible characters include hyphens periods and underscores _ Spaces must not be used NOTE The names of existing Policy Groups cannot be changed Within these restrictions the naming of Pol...

Page 83: ...response times of higher priority services are met or all eligible servers have been throttled An eligible server is one that is shared by both higher and lower priority services Throttling affects all services within a Policy Group To enable or disable throttling for the selected Policy Group follow the steps below 1 Select the Enable Server Throttling check box see figure above 2 Click Apply Del...

Page 84: ... toolbar click New Service or right click in the Policies display and select New Service from the pop up menu The Service Details tab displays in the Details screen as shown below Service Details Tab NOTE All fields mentioned in steps 3 through 6 become read only after the service is created 3 In the Service Name field Type a name for the service 4 From the Service Type pull down menu click the de...

Page 85: ...p can be prioritized The SA8220 assures more server resources to Services with high priority numbers than to those with lower numbers The Priority setting is an integer from 1 highest priority to 5 lowest priority and the default is 1 Duplicate SYN Timeout This value is the time interval in microseconds after which the fulfillment server is declared dead if the dynamically calculated number of dup...

Page 86: ...thod of identifying requestors in such situations When Cookie sticky mode is enabled a cookie is given to requesting browsers Subsequent requests from clients who have received cookies contain identifying information allowing the SA8220 to direct them to a single server Cookie mode is available only for RICH_HTTP so it is not available on the SA7200 Sticky Timeout The current software version for ...

Page 87: ...esponse Time Requests for a Service using the Response Time algorithm are forwarded to the server that can fulfill them within the shortest time Round Robin Requests for a Service using the Round Robin algorithm are distributed evenly among the available servers 1 From the pull down menu click to select the desired Balance Algorithm for the Service selected in the Policies display If you select Re...

Page 88: ...rs After you create Services you must designate or create Servers to fulfill client requests for Services As Services must exist within Policy Groups a Server for example a fulfillment host must be mapped to a Service To create Servers follow the steps below 1 In the tree click an existing Service 2 In the Policy Manager toolbar Click Create Server or right click in the Policies display and click ...

Page 89: ...P address or server name known to the SA8220 via DNS or static host table This value cannot be changed after the server is created 4 If appropriate edit the Port field The default value is the port number of the Service under which this Server displays in the Tree This value cannot be changed after the server is created ...

Page 90: ...ers are given requests when a primary server is unavailable As primary servers become inactive backup servers are brought into service to handle requests Disabled Renders the server unavailable to accept client requests 6 From the drop down menu click to select the desired Server Mode This command enables or disables Source Address Preservation SAP on the named server When Out of Path Return OPR i...

Page 91: ...in sophisticated network topologies to require that requests pass through two cascaded SA8220s In such configurations the SA8220 topologically closest to the clients must be configured with the MSAP feature enabled In most configurations the default setting MSAP disabled must be used 606 Error Detection 606 is a user defined error code that is you can specify an application level error as a 606 er...

Page 92: ...the semicolon character into the RICH Expression List field according to the following usage Valid expressions include the following NOTE The and are allowed in expressions but they can only exist at the beginning or end of the expression Also a positive expression is required after a not expression otherwise the expression has no effect File type expressions such as gif or index html Path express...

Page 93: ...the Tree click the name of the Server to be deleted 2 In the Policy Manager toolbar click Delete or right click to display the menu and click the Delete Selected Item command Expression Yields gif All non GIF files gif All files because after specifying all the gif expression is never reached html home Matches all entries of the form home except HTML files home html Matches all files of the form h...

Page 94: ... tasks Administration Screen Settings Tab Settings Tab The Settings tab includes controls used to set the following System ID Edit this field to set the unit identifier The SA8220s are shipped with the unit serial number in this field You can use this control to change the identifier if your site requires alternate asset tracking information The new ID can be an alphanumeric value from 1 to 64 cha...

Page 95: ...s messages please see Status Information in Chapter 2 Software Tab The Software tab contains controls and displays allowing you to perform the following tasks Specify image category as either System software or Agent Software Agent software lists software components other than the SA8220 system image that may be installed on the unit such as the HP Multi Site Traffic Director Server Appliance SA92...

Page 96: ... Software The SA8220 provides sufficient local storage for five software images though at any time only one image is active and executing The System Software area of the Software tab displays the list of currently installed system images including the following details for each Image index number Active status yes no Product name ...

Page 97: ...es sufficient local storage for at least five Agent software images though at any time only one image is enabled To display the Agent Software area of the Software tab click Agent Software which displays the list of currently installed Multi Site Director Agent images as shown below Software Tab in Agent Software View Details displayed for each Agent include Image index number Active status yes no...

Page 98: ...rning you that the SA8220 will reboot as shown below Boot Warning Window NOTE You can also perform a soft reboot of the SA8220 by selecting the currently active software image and clicking Boot 4 Click Yes As the SA8220 reboots the screen shown below displays Reboot Screen You must close all browser windows to ensure your browser uses the newly activated Administration Application 5 Wait three to ...

Page 99: ...omer Support or your System Administrator to obtain the URL Key User and Password information For more details about software installation and updates please see Software Updates and Upgrades in Chapter 8 Deleting Software Images To delete a software image from the list of installed images 1 In the Software View box click the software type to be deleted 2 In the Installed Software box click the im...

Page 100: ...4 Click Yes If you selected Agent Software the prompt shown below displays Delete Image Confirmation Agent View 5 Click Yes ...

Page 101: ...r names and permissions of all authorized users View the user names and permissions of all users currently logged on Promote your permissions level Log off all other users currently logged on The Administration Screen s Users tab is shown below Administration Screen Users Tab List of All Users The right hand side of the Users tab s Add Delete Users box contains a list of all users allowed to log o...

Page 102: ...sions and passwords: 1. In the All Users List, at the upper right sector of the tab, click the user you want to modify. 2. If you are changing the password, type the new password in the Password field and then retype it in the Confirm Password field. 3. Click Change. 4. If you are changing the user's permissions, click the appropriate button in the User Permissions box. 5. Click Change. Deleting Users: To delete ...

Page 103: ...d in the Current Logon box at the tab's lower left. List of Logged On Users: The right-hand side of the Current Logon box at the bottom of the Users tab displays a list of all currently logged-on users, their log-on times, their permissions, and their log-on method (either the Command Line Interface or the GUI). Logoff All Other Users: NOTE: Use Logoff All Users with care, as it can leave the system in an am...

Page 104: ...Routing Tab The Administration screen s Routing tab shown below contains controls that allow you to manage the following System Role Active Routing Protocol OSPF Protocol RIP Protocol Administration Screen s Routing Tab ...

Page 105: ...ration while the backup SA8220 monitors the primary and comes online if the primary fails The system roles are defined below To select the SA8220 s System Role 1 In the System Role box click the appropriate button Active Routing Protocol The SA8220 needs to know what your network s active routing protocol is either OSPF or RIP 1 In the Active Routing Protocol box click the appropriate radio button...

Page 106: ...the router dead interval of the ingress router. The valid range is from 1 to 2,147,483,647, and the default is 40. Authentication type and key are security mechanisms to guarantee that routing information is exchanged only with trusted routers. The type and key together comprise the authentication scheme. An OSPF Area can have only one OSPF Authentication scheme. NOTE: Both sides of the OSPF connection m...

Page 107: ... policies. Three modes are available: Closed, Open, Custom. (Figure: Administration Screen's Security Tab) Closed mode disables all remote administration capabilities. Open mode enables all remote administration capabilities, SA9200 agent traffic, and IP Forwarding. Custom mode allows you to specify filtering of traffic based on traffic port and source IP address. ...

Page 108: ...ed you can choose among the access options in the Access security box. To enable an option, select the corresponding check box and verify that a check mark displays. To disable, click again to clear the check mark. Available options are listed below. CLI SSH: Enable Secure Shell, that is, secure access to the unit's Command Line Interface. Secure Shell operates like an ordinary telnet session but adds encry...

Page 109: ...logy Screen Choice of result from double clicking the Server icon in the Topology Screen Administration Screen s GUI Tab NOTE After changing this setting your browser disconnects You must restart your browser and connect it to the new port to resume using the administration application Admin HTTP Server Port Edit this field to designate the port on which the SA8220 s GUI application listens To cha...

Page 110: ... an integer between 0 and 120 A value of 0 disables timeout The default value is 30 The Double click Broker topology icon displays The drop down menu allows you to specify the destination within the GUI after double clicking a SA8220 icon in the topology screen The Double click Server topology icon displays The drop down menu allows you to specify the destination within the GUI after double clicki...

Page 111: ...hown below includes controls that allow you to configure the following aspects of the SA8220 s Command Line Interface SSH Port Telnet Port Telnet Sessions Timeout Prompt Login Attempts Enable more for screen paging Lines per screen Administration Screen s CLI Tab ...

Page 112: ... the idle timeout period before automatic logoff for CLI sessions. This feature is disabled by setting the timeout value to 0. This timeout period is expressed in seconds (0, or 30 to 65535). The default is 900 seconds (15 minutes). Use the Prompt field to set or change the root-level prompt. The default prompt is an abbreviation of the product's name, for example HP SA8220. The Login Attempts field allows yo...

Page 113: ...t pass through the filter. The SNMP Agent Start check box allows you to enable or disable the SA8220's SNMP agent. The default is Enabled. The SNMP Port field allows you to specify the port on which the SA8220 receives SNMP requests. Allowable port numbers are any unused ports 5020 through 65535, or 161 (the default). Use the Trap Port field to specify the port on which the SA8220 sends SNMP traps. Allowab...

Page 114: ... ro or read-write (rw) privilege, and can be configured for use by a specific IP address or all IP addresses. When the value any is used for ip address, the community string can be used by all IP addresses. For example, the string community test ip 209.218.240.5 rights ro creates the community string test with read-only privilege. SNMP read-only requests using community string test are accepted only from ...

Page 115: ...C1 in the trap sent to that address. Multi Site Tab: This tab contains controls for setting the port that communicates with the HP Multi Site Traffic Director Server Appliance SA9200. (Figure: Administration Screen Multi Site Tab) To specify the Multi Site Agent's port: 1. In the Agent Port field, type that port number. Valid range is from 1 to 65535, and 1999 is the default. We recommend using ports 1024 and higher...

Page 116: ...e logging of specific types of information and specify the log file size Administration Screen s Logging Tab Specifying System Log Parameters The following log levels are available 1 In the System Log Levels box select the check boxes for those types of system information you want the log file to reflect To record all available information types click Select All 2 In the System Log File box type t...

Page 117: ...Viewing the Log File 1 To view the log file click View Log The System Log File displays as shown below Logging Tab s File Contents Window The File Contents window s Actions menu contains two items Filter Mail To ...

Page 118: ...isplayed in the File Contents window 1 Select or clear the appropriate check boxes to specify the types or categories of messages you want to display 2 Click Apply or Cancel to abort Log Mail To Window The Mail To dialog box shown above allows you to email the contents of the log file 1 In the Address field type the email address to which you want to send the log file ...

Page 119: ...creen The Configuration screen, shown below, includes controls that allow you to save, restore, send, and receive SA8220 configuration information in individual ASCII files. You can save configuration files on the SA8220 and send them to a remote TFTP server, or retrieve them. The Configuration screen also has a provision for restoring the factory default configuration. (Figure: Configuration Screen) ...

Page 120: ...in the Saved Configurations list. Restoring Configuration Files: To restore a configuration file: 1. In the Saved Configurations list, click the name of the file you wish to restore. 2. Click Restore. A message displays prompting you to confirm the operation, as shown below. NOTE: Username commands are not valid in configuration files. The save config and restore config operations do not include username data...

Page 121: ...Confirmation Window 3 To delete the file click Yes or No to abort Copying Configuration Files To copy an existing configuration file under a new name 1 In the Saved Configurations list click the name of the file you wish to copy 2 Click Copy A message displays prompting you to provide a file name as shown below Copy New Filename Window Valid characters are letters digits _ and File names cannot be...

Page 122: ...the SA8200/SA8220. This function is still available on the SA7200/SA7220. 1. In the Saved Configurations list, click the name of the file whose contents you want to view. 2. On the SA8200/SA8220: Click View. The right-hand panel of the Configuration screen displays the message below, as shown below: The View operation is not permitted on this device for security reasons. Please use the CLI to view configurat...

Page 123: ...he Configuration screen displays the contents of the selected file as shown below Configuration File View on the SA7200 SA7220 2 If the file is too large to fit entirely in the window as shown above use the scroll bars to navigate through the file 3 Click View again to close the file contents display ...

Page 124: ...eter Default Setting Route Role Standalone Protocol None OSPF area Backbone Hello interval 10 seconds Dead interval 40 seconds RIP version 2 0 Static routes static_route None RICH Bias all models except the SA7200 rich_bias Enabled HTTPS Redirect SA8200 SA8220 only Redirect None CLI CLI SSH port 22 CLI port 23 Prompt Product name Maximum telnet sessions 3 Scrolling Disabled Idle timeout 900 second...

Page 125: ...hown below Reset Confirmation Window 2 To confirm the operation click Yes or No to abort GUI broker action 0 Policy Manager server action 1 Statistics Security acl Cleared custom access control Disabled custom forwarding Disabled custom ssh Enabled custom telnet Disabled custom gui Disabled custom snmp Disabled security mode Closed Type Parameter Default Setting ...

Page 126: ... you want to send 2 In the Send Receive Configuration box click Put 3 In the tftp Host field type the name of the host where you will send the file 4 Optional In the Remote Directory field type the directory of the remote host where you want to save the file 5 Click Transfer To retrieve a configuration file from a remote TFTP server 1 In the Send Receive Configuration box click Get 2 In the tftp H...

Page 127: ...Tools Screen The SA8220 s Tools screen shown below provides network diagnostic tools for your convenience ARP Ether Ping Netstat Nslookup Reboot Trace Traceroute Tools Screen ...

Page 128: ...is command displays the SA8220 s ARP table To use the command 1 From the Command menu click arp 2 Click Run 3 After a few seconds the ARP information displays in the Results window as shown below The Tools Screen Displaying ARP Results 4 To clear the Results window click Clear ...

Page 129: ...s the Ethernet interface values To use the command 1 From the Command menu click ether 2 Click Run 3 The Ethernet interface information displays in the Results window as shown below Tools Screen Displaying Ether Results 4 To clear the Results window click Clear ...

Page 130: ...splays a message reflecting the response time from the target device If the SA8220 receives no reply it displays a message indicating that the target device is not responding To ping a network device 1 From the Command menu click ping 2 In the Parameters field type the host name or IP address of the target device 3 Click Run After a few seconds the Ping information displays in the Results window a...

Page 131: ... not try to use DNS to resolve IP addresses p protocol Where protocol can be either ip icmp igmp tcp or udp Forms of the netstat command include No switches displays active network connections r displays the device s forwarding table rs displays the device s forwarding table statistics s displays protocol statistics i displays interface configuration information is displays interface statistics 3 ...

Page 132: ...Tools Screen Displaying Netstat Results 4 To clear the Results window click Clear ...

Page 133: ...ost name or address or to get the IP address of a machine of which you know only the host name To use nslookup 1 From the Command menu click nslookup 2 In the Parameters field type the host name or IP address of the target device 3 Click Run After a few seconds the nslookup information displays in the Results window as shown below Tools Screen Displaying Nslookup Results 4 To clear the Results win...

Page 134: ...ot Confirmation 1 To reboot click Yes or No to abort As the SA8220 reboots the above screen displays and prompts you to close your browser window Reboot Notification 2 Close all browser windows to ensure that your browser uses the newly activated administration application 3 Wait a few minutes typically three to five for the SA8220 to finish rebooting before running the administration application ...

Page 135: ...interface s snaplen T type F file P w file H tftp host D tftp path Switches enclosed in brackets are optional The w F H and D switches are required A complete listing of the switches for the trace command is found in the following table Example The command below TFTPs my filter from dhcp8 var tftpboot my filter to the SA8220 captures five packets using the expressions in the my filter file and the...

Page 136: ...uired parameter i interface Specify an interface to capture packets from exp0 or exp1 for dual homed devices n Don t convert addresses to names N Don t print domain name qualification of host names p Change the interface to promiscuous mode every packet is captured P Preserves the filter expression file on the SA8220 for future use so that it is not TFTPed after the first use q Output less protoco...

Page 137: ...ssion file is empty all packets on the net will be captured The expression primitives can be combined using parentheses and or not or and and or or v Slightly more verbose output vv Even more verbose output w file The trace output file Required parameter x Output each packet in hex X Output each packet in hex and ASCII Switch Description ...

Page 138: ...t has a network number of net src net net True if the IP source address of the packet has a network number of net net net True if the IP source or destination address of the packet has a network number of net net net mask mask True if the IP address matches net with the specific netmask net net len True if the IP address matches net a netmask len bits wide dst port port True if the packet is IP TC...

Page 139: ... route from the SA8220 to another device 1 From the Command menu click traceroute 2 In the Parameters field type the host name or IP address of the target device 3 Click Run After a few seconds the Traceroute information displays in the Results window as shown below Tools Screen Displaying Traceroute Results 4 To clear the Results window click Clear ...

Page 140: ...ces and servers the available statistics are listed below Average Response Time ms Average Connections per Second NOTE Statistics for open connections in RICH mode on the SA8220 and the SA7220 are not available Open Connections Service or Server Uptime To display the Statistics screen 1 In the Topology screen s toolbar click the Statistics icon Statistics Screen Controls The Statistics Screen show...

Page 141: ...in which you want those statistics displayed Type This pull down list allows you to specify the type of statistics that are available System Server or Service Items Select the specific System Services or Servers whose statistics you wish to view You can select multiple like items from this list Statistics Box Graph Options Graph Button Window Options Selection List Selection Buttons Arrow Buttons ...

Page 142: ...ng Area The style selected in this list is applied to each statistical category at the time it is selected with the right arrow button as described above Legend After the Legend check box is selected a legend displays at the bottom of the Graph window for this data series This legend identifies each selected statistical category by color and symbol as it displays on the graph When disabled the leg...

Page 143: ... a single composite graph Multiple Graphs Displays each data series in its own graph X Gridlines Displays the graph s vertical grid lines the default is enabled Y Gridlines Displays the graph s horizontal grid lines the default is enabled NOTE Statistics gathering generates network overhead and increasing the refresh rate that is lowering the Refresh Intervals value increases that overhead Refresh...

Page 144: ...ou ve defined multiple data series and have enabled Multiple Graphs by clicking Graph at the bottom of the Statistics Screen Graph Window with Bar Display The meaning of the graph depends upon the items and statistics that you have selected For example the graph above shows a bar display of CPU Utilization for one system SA8220 only Although the figure above is grey scaled in this text each plot d...

Page 145: ...llowing topics NOTE For ease of reading all models are referred to as the SA8220 throughout this document Unless noted otherwise all SA8220 references refer to all models CLI Introduction Categorical List of CLI Commands Run Time CLI Command Reference ...

Page 146: ...ng admin for both the user ID and password. You can use the change_password command, discussed in this chapter, to change the CLI password. Online Help: The SA8220 provides online CLI command help in six forms: 1. Type help to describe help features. 2. Type help commands to display the list of commands you can enter at the current prompt. 3. Type help ttychars to display a list of special terminal editing c...

Page 147: ...displayed HP SA8220 info grep SNMP The above command filters the output of the info command using grep such that only lines containing SNMP are displayed Pipes to grep can be cascaded HP SA8220 config policygroup test service info grep Primary grep serv1 com The above command displays only lines containing Primary AND serv1 com The output of a command can be directed to both grep and more but the ...

Page 148: ...ween straight brackets separated by vertical bars Braces Optional commands or parameters appear between braces Boldface Commands that you enter after the CLI prompt appear in boldface type The prompt appears in normal typeface to distinguish it from the command text Vertical bar Separates choices of input parameters within straight brackets You can choose only one of the set of choices separated b...

Page 149: ...ime CLI Command Reference in this chapter Global System Commands These commands manage general functions and are described later in this chapter Tab key arp back box exit ether force rwa halt help history info logout netstat options nslookup ping quit reboot remove reset top toplevel trace traceroute who Admin Commands These commands are described in later in this chapter config admin info config ...

Page 150: ...ts tries config cli more enable disable config cli port port config cli prompt prompt config cli screenlines nlines config cli ssh port sshport config cli telnet sessions nsessions config cli timeout nseconds config cli username name password password level ro rw rwa config cli users IRV Commands The Intelligent Resource Verification commands are described later in this chapter config irv config i...

Page 151: ...es certificate headername cipher used headername source ip headername ssl id headername config policygroup policy name throttle enable disable Service Commands These commands are described later in this chapter config policygroup policy name service create service name vip ipaddr port port type TCP UDP RICH_HTTP sticky disable src ip cookie sticky timeout seconds backups enable disable response mi...

Page 152: ...pply to the SA7200 config policygroup policy name service service name server server name port port mode brokered sap opr type primary backup msap enable disable 606 enable disable http enable disable expression create expression expression delete expression all System Commands These commands are described later in this chapter config sys config sys autoboot enable disable config sys hosts info co...

Page 153: ...e config sys security custom acl add ip xxx xxx xxx xxx config sys security custom acl add netmask xxx xxx xxx xxx xx config sys security custom acl delete ip xxx xxx xxx xxx config sys security custom acl delete netmask xxx xxx xxx xxx xx config sys security custom acl info config sys security custom forwarding enable disable config sys security custom gui enable disable config sys security custo...

Page 154: ...SA8220 only These commands modify the SSL configuration They can be used to set the defaults for configuring certificates in the policy group and are described later in this chapter config policygroup policy name service service name key create delete import export info config policygroup policy name service service name key certificate create delete import export info config policygroup policy na...

Page 155: ...nfig logging sys enable config logging sys disable config logging output info config logging output logsize config logging output viewlog config logging output maillog Show Commands These commands are described later in this chapter show admin info show cli info show gui info show irv info show msd info show policygroup info show policygroup policy name info show policygroup policy name service in...

Page 156: ...ice service name server server name port info NOTE Expressions do not apply to the SA7200 show policygroup policy name service service name server server name port port expression show policygroup policy name service service name server server name port port info show route info show ssl info show stats info show stats service vip vport port show stats service vip vport port server ipaddr port por...

Page 157: ... config arp Displays the SA8220 s ARP table back Brings you up one level in the CLI command tree box top toplevel Brings you back to the beginning root level of the CLI branch command tree exit logout quit Exit the CLI ether Display the Ethernet interface values force rwa NOTE The use of force rwa potentially allows conflicts among users of equivalent authorization If a user with Read Write All au...

Page 158: ...ace Can be exp0 or exp1 for dual homed device n Do not try to use DNS to resolve IP addresses p protocol Where protocol can be either ip icmp igmp tcp or udp Forms of the netstat command include No switches displays active network connections r displays the device s forwarding table rs displays the device s forwarding table statistics s displays protocol statistics i displays interface configurati...

Page 159: ...xit logout: Exit the CLI. reboot: Reboots the SA8220. reset: NOTE: Reset causes all policy groups, services, and servers to be deleted. This operation will disable all remote administration access. Use command config sys security to enable remote access. Resets the SA8220 to its original factory configuration, as listed below. Note that only parameters set within the CLI are affected. Networking parameters cont...

Page 160: ...al is set to 40 seconds RIP version is set to 2 0 Security Settings acl is cleared custom access control is disabled custom forwarding is disabled custom ssh is enabled custom telnet is disabled custom gui is disabled custom snmp is disabled custom ms agent is disabled security mode is set to closed SNMP Settings sysContact is set to a null sysName is set to the host name of the unit sysLocation i...

Page 161: ... file and a filter file Press return when prompted for a filter file if you do not have one It is simply a text file containing an arbitrarily long tcpdump style expression which trace can use trace switches expression Available switches a Attempt to use the DNS to convert address to names c int Exit after receiving int packets by default the command automatically exits after 60 seconds e Print th...

Page 162: ... ehost ether src ehost true if the ethernet source address is ehost ether host ehost true if either the ethernet source or destination address is ehost gateway host true if the packet used host as a gateway dst net net true if the IP destination address of the packet has a network number of net src net net true if the IP source address of the packet has a network number of net net net true if the ...

Page 163: ...rnet broadcast packet ip broadcast true if the packet is an IP broadcast packet traceroute Displays the route that packets travel to the network host traceroute ipaddr hostname where hostname is the name of the network host ipaddr is the network host s IP address who Displays the list of currently logged on users with their permission levels and whether they are logged on using the CLI or GUI who ...

Page 164: ...ort number This is the port where the admin GUI listens for connections The Admin GUI allows the user to configure the unit using a graphical user interface config admin port port where port is the GUI http port You can select any available port between 1 and 65535 The default is 1095 Command Description cat Displays contents of the specified saved configuration file cat filename where filename is...

Page 165: ...Because the TFTP protocol has no user logon or validation sites that support it typically enforce some file access restrictions Such restrictions are specific to each site and vary widely in scope and methods Example put default cfg to tftp 192 168 10 1 default cfg remove Removes a configuration file remove filename where filename is name of the configuration file to be removed restore NOTE Userna...

Page 166: ...here filename is the name of the configuration file to be restored the default file name is default cfg save NOTE Username commands are not valid in configuration files that is save config and restore config operations do not include username data Use the command config cli username to restore usernames Saves the current CLI configuration to a file of the specified name This information is saved i...

Page 167: ...ng the connection config cli login attempts tries where tries is a number from 1 to 30 config cli more Sets scrolling of the output display to one page at a time or to continuous display config cli more enable disable where enable allows you to scroll one page at a time disable results in continuous scrolling config cli port NOTE If you are logged in using telnet do not use this command Doing so w...

Page 168: ... of concurrent inbound remote CLI logon sessions config cli telnet sessions nsessions where nsessions is the number of allowed sessions 1 to 8 and the default is 3 config cli ssh port NOTE If you are logged in using SSH do not use this command Doing so will change the port parameters and you will be disconnected Sets the Secure Shell SSH port number config cli ssh port port where port is a valid p...

Page 169: ...d or update a user config cli username name password password level ro rw rwa where name is the logon name must be from 2 to 16 alphanumeric characters with no spaces and the first character must be alpha password is the password must be from 2 to 16 alphanumeric characters with no spaces level is the authorization level ro read only rw read and write and rwa read write all config cli users View t...

Page 170: ...fig irv ping interval Sets the IRV ping interval config irv ping interval positive integer between 0 and 10 000 0 where ping interval is the number of seconds from 0 to 100 000 To disable IRV set the ping interval to 0 Command Description config gui broker action Specifies the start screen within the GUI when you double click a SA8220 icon in the topology screen config gui broker action 0 5 wher...

Page 171: ...out seconds where seconds is an integer between 0 and 120 A value of 0 disables timeout and the default value is 30 config gui server action Specifies the start screen within the GUI when you double click a server icon in the topology screen config gui server action 0 5 where 0 5 is an integer between 0 and 5 that indicates one of the following destination screens 0 Policy Manager 1 Statistics def...

Page 172: ...set to standalone then protocol must be set to none If role is set to primary or backup then protocol must be set to OSPF or RIP such as config route role standalone protocol none For example config route role standalone protocol disable or config route role primary protocol ospf Command Description config route ospf area NOTE ospf area must be set to the same OSPF area as the ingress router to wh...

Page 173: ...tication key a string of from one to eight characters double quotes and spaces excluded The default is none Both sides of the OSPF connection must use the same authentication type and key Specifies the OSPF authentication mode Router Authentication type and key are security mechanisms to guarantee that routing information is exchanged only with trusted routers The type and key together comprise th...

Page 174: ...the SA8220 disable disables both RIP and OSPF protocols config route rip version Specifies the RIP version 1 or 2 config route rip version 1 2 where 1 or 2 enables RIP version 1 or 2 respectively config route role Specifies the SA8220 s role as Standalone Primary or Backup The default is Standalone config route role standalone primary backup where standalone enables the SA8220 s standalone mode pr...

Page 175: ...ese restrictions the naming of Policy Groups is at your discretion though convenient naming schemes might include serial names Group1 Group2 etc or names that reflect a Policy Group s content such as e CommerceGrp or HTTP_Group Command Description config policygroup create Creates a new Policy Group config policygroup create policy name where policy name is the name of the Policy Group to create c...

Page 176: ...s throttling of services to meet specified response times config policygroup policy name throttle enable disable where policy name is the name of the policy group enable enables throttling disable disables throttling config policygroup service backups Enables or disables servers designated as backup to come on line if necessary to assure target response times config policygroup policy name service...

Page 177: ... line The service name ipaddr and port cannot be changed once you enter this command Creates a service The default type is TCP Config policygroup policy name service create service name vip ipaddr port port type TCP UDP RICH_HTTP where policy name is the name of an existing Policy Group service name is the name of the service you want to create ipaddr is the virtual IP address xxx xxx xxx xxx port...

Page 178: ...sting policy group service name is the name of the service microseconds is the time interval within which to count dropped packets You can specify a value from 1000 to 2 147 483 647 and the default is 500 000 config policygroup service enable Enables the specified service config policygroup policy name service service name enable where policy name is the name of an existing policy group service na...

Page 179: ...recognized CA such as Verisign Sets the name used in the HeaderNameField of the HTTP headers inserted when header or header certificate are enabled on a per service basis config policygroup policy name service service name header name certificate headername cipher used headername source ip headername ssl id headername where policy name is the name of the policy group service name is the name of th...

Page 180: ...econds is the number of milliseconds the service should take to respond to a request This value is ignored unless throttling is activated in the Policy Group You can specify a value from 1 to 2 147 483 647 and the default is 50 config policygroup service server timeout Specifies the amount of time a client request waits for the server to respond before trying the next available server If no server...

Page 181: ...re rerouted transparently to the client to the next available server When disabled the error is sent back to the requesting client config policygroup policy name service service name server server name port port 606 enable disable where policy name is the name of an existing Policy Group service name is the name of the service server name is the name of the server port is the server port enable en...

Page 182: ...d Policy Group service server config policygroup policy name service service name server server name port port expression create expression where policy name is the name of an existing policy group service name is the name of the service server name is the name of the server port is the server port expression is any valid expression Valid expressions include File type expressions such as gif or in...

Page 183: ...xpression where policy name is the name of an existing policy group service name is the name of the service server name is the name of the server port is the server port expression is any valid expression config policygroup service server port expression info not available on the SA7200 Lists the named expression config policygroup policy name service service name server server name port port expr...

Page 184: ...ror detection disable disables HTTP error detection config policygroup service server port mode NOTE OPR requires the use of servers loopback adapters For more details please see Configuring Out of Path Return in Appendix D Enables or disables Source Address Preservation SAP on the named server When OPR is enabled the CLI configured server port is ignored and the configured server service port is ...

Page 185: ...nder two circumstances First when the primary servers are unable to meet the configured target response times a backup server is used if and only if backups is enabled for this service Second backup servers are given requests when a primary server is unavailable As primary servers become inactive backup servers are brought into service to handle requests Specifies the server type of the named serv...

Page 186: ... sending a cookie to requesting browsers which identifies subsequent requests as coming from the same client config policygroup policy name service service name sticky disable src ip cookie where policy name is the name of an existing Policy Group service name is the name of the service disable disables sticky ports src ip enables Source IP Address sticky mode cookie enables Cookie mode available ...

Page 187: ... restart sequence ends by displaying the Boot Monitor interface Autoboot is disabled by default For more details please see Boot Monitor in Chapter 3 config sys autoboot enable disable config sys hosts info Displays the contents of the SA8220 s host file config sys hosts info config sys hosts delete Deletes the specified entry from the host file config sys hosts delete ipaddress config sys hosts a...

Page 188: ...he prompt to the config sys msd branch config sys msd config sys msd info Shows the current Multi Site Agent information config sys msd info config sys msd port Sets the Multi Site Agent port config sys msd port port where port is an integer from 1 to 65535 and the default is 1999 We recommend using free ports 1024 and higher config sys software Changes the prompt to the config sys software branch...

Page 189: ...a ftp protocol Once installed images are selected for execution by using the command config sys software boot config sys software install url key license key user user name password password passive enable disable where url is a valid URL identifying the software image to download It must be of the form ftp host path name license key is a valid HP license key for the software image and SA8220 unit...

Page 190: ...s enable a multi site agent delete a multi site agent or install a new multi site agent config sys software ms software info enable index delete index install url user user password pass where index is the integer index of the installed multi site agent to make active or delete url is the complete TFTP or FTP URL of an install agent user is a valid username pass is a valid password Command Descrip...

Page 191: ...sable Disabled by default config sys security custom acl add ip Adds an IP address to the access control list config sys security acl add ip xxx xxx xxx xxx config sys security custom acl add netmask Adds a netmask in dotted decimal notation to the access control list config sys security acl add netmask xxx xxx xxx xxx xx config sys security custom acl delete ip Deletes an IP address from the acce...

Page 192: ...tors can only log on to the GUI and perform administration tasks through a web browser config sys security custom gui enable disable Disabled by default config sys security custom info Displays the current state of the custom configuration If the mode displayed is custom then the displayed configuration is the active one The default custom configuration is SSH access only config sys security custo...

Page 193: ...onfig sys security mode open closed custom where mode is one of the following open permits all administration tasks to be performed without restriction from all IP addresses and enables IP forwarding IP forwarding allows direct access to servers at their real IP addresses closed allows administration to be performed only from the serial port custom enables the configuration displayed by config sys...

Page 194: ...accepted on requests from any IP address ro means the community string has read only privilege rw means the community string has read write privilege The default community strings are public any ro and private any rw config sys snmp community delete Deletes a community string that the SA8220 can accept on incoming SNMP requests config sys snmp community delete string ip ip address any where string...

Page 195: ...string for the MIB II variable sysContact The default is NULL config sys snmp sysContact string where string is a string of displayable characters config sys snmp sysLocation Specifies a string for the MIB II variable sysLocation The default is NULL config sys snmp sysLocation string where string is a string of displayable characters config sys snmp sysName Specifies a string for the MIB II variab...

Page 196: ... all traps sent to the IP address config sys snmp trap delete community Deletes a host from the trap receiver list config sys snmp trap delete ip address community community string where ip address is the IP address of the host you want to delete from the trap receiver list community string is an identifier associated with specified access rights config sys snmp trap info Displays the trap receive...

Page 197: ...e viewed or changed by using the ssl dn command config policygroup policy name service service name key certificate create life life name name email email state state organization org unit unit locality loc country country where policy name is the name of a policy group service name is the name of a service life is the number of days the certificate remains valid range is 1 365 days the default is...

Page 198: ...mple HP SA8220 service service key certificate delete config policygroup service key certificate export NOTE If no URL is provided the certificate will be exported to the console Exports a certificate Certificates can be exported to the console or to a remote machine via ftp config policygroup policy name service service name key certificate export url where policy name is the name of a policy gro...

Page 199: ...user username password password where policy name is the name of a policy group service name is the name of a service url is a valid URL identifying the certificate file to download It must be in the form ftp host path name user is the username password is the password config policygroup service key client ca NOTE Client certificates are actually loaded in the browser Certificates from the CA that...

Page 200: ...rs The SSL session ID will also be sent The config policygroup service header names command may be used to configure the header names field for the client certificate and SSL session ID config policygroup policy name service service name key client ca header certificate disable enable where policy name is the name of a policy group service name is the name of a service disable the default disables...

Page 201: ... text from a certificate server s console window then paste it into the SA8220 s console window To paste in a CRL type the import command and press Enter The CLI prompts you to paste in the certificate When finished type three periods on a separate line then press Enter config policygroup service key client ca revocation info Displays detailed information about the CRL config policygroup policy na...

Page 202: ...tes are not checked against the CRL the default setting enable means that client certificates are validated against the CRL config policygroup service key client ca revocation refresh NOTE The refresh command supports both DER and PEM format revocation lists Sets the interval at which the SA8220 will download the CRL from a certificate server config policygroup policy name service service name key...

Page 203: ... username is the optional username to access the URL password is the optional password to access the URL none clears the URL Examples of the url parameter url ftp ftp newhost com myrevoke crl user anonymous sets the URL path to myrevoke crl on the host ftp newhost com using the FTP protocol with the username of anonymous and no password url http www myhost com 9800 CertEnroll server crl sets the U...

Page 204: ...here policy name is the name of a policy group service name is the name of a service config policygroup service key export NOTE If no URL is provided the private key will be displayed on the console Exports a private key The private key can be either exported to the console or to a remote machine via ftp config policygroup policy name service service name key export url where policy name is the na...

Page 205: ...ame password password where policy name is the name of a policy group service name is the name of a service url is a valid URL identifying the private key file to download it must be in the form ftp host path name username is the username password is the password For example importing a private key via FTP Import ftp remotehost key pem user anonymous config policygroup service key redirect Specifi...

Page 206: ... information is used The default DN information can be viewed or changed by using the ssl dn command config policygroup policy name service service name key signrequest create name name email email state state organization org unit unit locality loc country country password password company company where policy name is the name of a policy group service name is the name of a service name is the co...

Page 207: ...ice name is the name of a service For example HP SA8220 service service key signrequest delete config policygroup service key signrequest export Exports a signing request The request can be exported to the console or to a remote machine via FTP config policygroup policy name service service name key signrequest export url where policy name is the name of an existing policy group service name is th...

Page 208: ...hers with 168 bit encryption triple DES medium all ciphers with 128 bit and above encryption including high low all ciphers with 64 bit and above encryption including medium and high export all export ciphers only custom user defined cipher default use the default specified value in the config ssl level config ssl cache Enables or disables the SA8220 s SSL session reuse capability Enabling the cac...

Page 209: ...sts unless otherwise specified config ssl dn name name email email state state organization org unit unit locality loc country country where name is the common server s name email is the email address state is the name of your state or province organization is the name of your company or organization unit your organizational section locality is the name of your city or locality config ssl redirect...

Page 210: ...e in the SSL handshake phase The value applies to all SSL enabled services config ssl suite all high medium low export custom where all all supported ciphers including export ciphers high all ciphers with 168 bit encryption triple DES medium all ciphers with 128 bit and above encryption including high low all ciphers with 64 bit and above encryption including medium and high export all export ciph...

Page 211: ...nfig logging sys info Displays the current system logging mask settings and available logging mask config logging sys enable Enables the system logging mask enable mask where mask is one of the following general trace audit debug statistic security warning error config logging sys disable Disables the system logging mask disable mask where mask is one of the following general trace audit debug sta...

Page 212: ...debug and information logging trace function level trace logging audit audit trail logging debug debug information logging statistic statistical information logging security security information logging warning warning statement logging error error statement logging config logging output maillog Review the log file externally The log file must be sent to an SMTP email address for review config log...

Page 213: ...s show cli users show gui info Displays the GUI configuration show gui info show irv info Displays the current IRV ping interval show irv info show msd info Displays the current multi site agent information show msd info show policygroup info To display the configurations of ALL policy groups show policygroup info To display the configuration of a SPECIFIED policy group show policygroup policy nam...

Page 214: ...info SA8200 SA8220 only Displays SSL private key information show policygroup policy name service service name key info where policy name is the name of the policy group service name is the name of the service show policygroup service key certificate info SA8200 SA8220 only Displays SSL certificate information show policygroup policy name service service name key certificate info where policy name...

Page 215: ...ce name key client ca revocation info policy name is the name of the policy group service name is the name of the service show policygroup service server info To display server information for ALL servers show policygroup policy name service service name server info where policy name is the name of the policy group service name is the name of the service To display server information for a SPECIFI...

Page 216: ...me server server name port port expression info where policy name is the name of the policy group service name is the name of the service server name is the name of the server port is the server port show policygroup service server port info Displays configuration for a specified server show policygroup policy name service service name server server name port port info where policy name is the nam...

Page 217: ...statistics for a specified server show stats service vip vport vport server ipaddr port port where vip is the service IP address VIP vport is the VIP port ipaddr is the server IP address port is the server port show sys date Displays the system date show sys date show sys info NOTE If you need to contact Customer Support you may be asked to provide this information Displays the following system in...

Page 218: ...ftware info Displays a list of installed software images their image index product version and build numbers show sys software info show sys software ms software info Displays all current installed multi site software versions show sys software ms software info Command Description ...

Page 219: ...ces refer to all models Scenario 1 Load Balancing a Web Site with Two Servers and the SA8220 in Inline Mode Scenario 2 Load Balancing Servers with Source Address Preservation Scenario 3 Routing Outbound Data Away from the SA8220 for OPR Scenario 4 Content Routing SA7220 and SA8200 SA8220 only Scenario 5 Using SSL Acceleration SA8200 SA8220 only Scenario 6 Using CRLs SA8200 SA8220 only ...

Page 220: ... An Internet Service Provider ISP wants to set up a load balanced two server web site named Acme Web with the SA8220 operating in Dual NIC mode described below The service is HTTP and the website s address is 10 1 1 201 The figure below shows an example Network Diagram for Scenario 1 The next figure shows the data flow diagram for scenario 1 Data Flow Diagram for Scenario 1 Client Switch Server Se...

Page 221: ...ected to the router and the inside subnet is connected to the switch The SA8220 must be physically installed on the network and its Boot Monitor and routing protocol configurations must be complete For more information please see the Getting Started Guide Procedure for Scenario 1 NOTE Remember that all commands you need to type at the terminal appear in bold in this text 1 Type the SA8220 initial ...

Page 222: ...r save List of currently saved configuration file s You may save over an existing configuration file or enter a new name File name active cfg bobs failover backup cfg active cfg is the last booted configuration Enter configuration file name to cancel active cfg monitor save List of currently saved configuration file s You may save over an existing configuration file or enter a new name File name a...

Page 223: ...ask 255 255 255 0 MAC address 0 d0 b7 7f 46 34 Default Gateway 10 6 2 1 Domain tcslab mycompany com Primary name server 10 6 5 11 DHCP Disabled Failover mode Disabled Network NIC speed duplex Auto Server NIC speed duplex Auto NTP Disabled Autoboot Disabled Static Routes None RICH Biased Enabled Select a boot configuration from the following files active cfg bobs failover backup cfg Boot configurat...

Page 224: ...yping this command HP SA8220 config policygroup create gold policygroup gold created 3 To move the prompt to that level type the name of the new policy group HP SA8220 config policygroup gold Add HTTP Service and VIP 1 To add HTTP service with a virtual IP address of 30 1 1 201 on port 80 to policy group gold type this command HP SA8220 config policygroup gold service create http vip 30 1 1 201 po...

Page 225: ...tells the SA8220 that serv1 acme com can fulfill requests arriving at 30 1 1 201 on port 80 2 To add server serv2 acme com type this command HP SA8220 config policygroup gold service http server create serv2 acme com port 80 Server serv2 acme com port 80 has been created The SA8220 is now configured for load balancing a Web site with two servers When HTTP requests arrive at VIP 30 1 1 201 on port ...

Page 226: ...nt s address remains as the source address of packets forwarded to the server thus ensuring the maintenance of a record of client addresses in the server logs This scenario illustrates the steps required to enable Source Address Preservation and configure the SA8220 to broadcast routes The figure below shows the network diagram for scenario 2 Network Diagram for Scenario 2 The next figure shows th...

Page 227: ...te a Policy Group 1 To create a policy group first move the prompt to the policy group level by typing this command HP SA8220 config policygroup 2 To specify the new policy group s name saptest in this example type this command HP SA8220 config policygroup create saptest policy group saptest created 3 To move the prompt to that level type the name of the policy group just created HP SA8220 config ...

Page 228: ...server create serv1 prime com port 80 Server serv1 prime com port 80 has been created This tells the SA8220 that serv1 prime com can fulfill requests arriving at 30 1 1 201 on port 80 2 Move the prompt again by typing this command HP SA8220 config policygroup saptest service sap server serv1 prime com port 80 3 To finish type this command HP SA8220 config policygroup saptest service sap server ser...

Page 229: ... the client OPR sends requests to a back end server and allows the server to respond through its own default gateway thus bypassing the SA8220 altogether OPR requires that the server s loopback adapter be installed and configured with the VIP as an alias and that the server be programmed with a default gateway address other than that of the SA8220 The figure below shows the network diagram for sce...

Page 230: ...for Scenario 3 Connect to the SA8220 1 Telnet to the SA8220 and log on as the administrator admin The Command Line prompt appears as shown below HP SA8220 Create a Policy Group 1 To create a policy group first move the prompt to the policy group level by typing this command HP SA8220 config policygroup 2 To specify the new policy group s name oprtest in this example type this command HP SA8220 con...

Page 231: ... type this command HP SA8220 config policygroup oprtest service OPR server create serv1 prime com port 80 Server serv1 prime com port 80 has been created This command tells the SA8220 that serv1 prime com can fulfill requests arriving at 10 1 1 201 on port 80 2 To move the prompt type this command HP SA8220 config policygroup oprtest service OPR serv1 prime com port 80 NOTE We recommend that you t...

Page 232: ...se to run the most processor intensive processes such as CGI scripts on the most powerful servers while placing the less processor bound files on slower servers The SA8220 then sends requests for CGI scripts to the faster servers thus avoiding the slowdowns that would occur if the slow servers were relied upon The figure below shows the network diagram for scenario 4 Network Diagram for Scenario 4...

Page 233: ...s Boot Monitor and routing protocol configurations must be complete please see the Getting Started Guide Procedure for Scenario 4 Connect to the SA8220 1 Telnet to the SA8220 and log on as the administrator admin The Command Line prompt appears as shown below HP SA8220 [Figure: data flow between Client, Broker and Server: SYN, SYN ACK, ACK, Get URL, Data] ...

Page 234: ...IP address of 10 1 1 201 on port 80 to policy group richtest type this command HP SA8220 config policygroup richtest service create rich vip 30 1 1 201 port 80 type RICH_HTTP This creates a new RICH service on the SA8220 using the RICH_HTTP protocol at IP address 30 1 1 201 listening on TCP port 80 2 To move the prompt to the service level type service rich HP SA8220 config policygroup richtest se...

Page 235: ...me com port 80 expression create jpg HP SA8220 config policygroup richtest service rich server serv1 prime com port 80 expression create gif 2 To verify the setup of serv1 prime com type this command at the prompt HP SA8220 config policygroup richtest service rich server serv1 prime com port 80 expression info Policy group richtest Service rich Server Name serv1 prime com Status Port Type Weight M...

Page 236: ...test Service rich Server Name serv2 prime com Status Port Type Weight Mode MSAP 606 HTTP Active 80 Primary 1 BROKERED Off On Off Index Expressions 1 cgi bin The SA8220 now directs requests to specific servers according to the content requested serv2 receives requests entailing CGI scripts files located in the cgi bin directory while all other requests go to serv1 Determine the Routing Method for V...

Page 237: ...ion The SA8220 can be programmed to use RIP v1 RIP v2 or OSPF For example HP SA8220 config route HP SA8220 config route info Route configuration Broker role standalone RIP Info Active no Version 2 OSPF Info Active no Area backbone Hello interval 10 Router dead interval 40 Authentication type simple Authentication key your key ...

Page 238: ...essing SA8220 Used For SSL Processing In the conventional secure web server setup protected data is accessed using the HTTPS HTTP over SSL on port 443 In this example we add a new web server Serv3 which along with Serv2 defined in Scenario 4 hosts this data and accesses it through VIP 10 1 1 201 on port 443 We assume the data is accessed on server port 80 to isolate it from normal HTTP traffic It ...

Page 239: ...command HP SA8220 config policygroup richtest 3 To add the new service to the richtest policy group type this command HP SA8220 config policygroup richtest service create SSL vip 10 1 1 201 port 443 type RICH_HTTP Service SSL created 4 To move the prompt to the service SSL level type this command HP SA8220 config policygroup richtest service SSL NOTE An existing key may be imported using the key i...

Page 240: ... port 80 has been created Scenario 6 Using CRLs SA8200 SA8220 only The SA8220 can be configured to work with Client 1 Lists CRLs In this scenario the SA8220 uses a CRL to validate that a client certificate is not expired i e does not appear in the CRL For more information on CRLs please see Appendix B Prerequisites for Scenario 6 A Web server A SA8220 A valid client authentication CA certificate A...

Page 241: ...cy group type this command HP SA8220 config policygroup richtest service SSL You will see HP SA8220 config policygroup richtest service SSL 3 To navigate to client ca type the following command HP SA8220 config policygroup richtest service SSL key client ca You will see HP SA8220 config policygroup richtest service SSL key client ca 4 To import the ca certificate from the PKI server type the follo...

Page 243: ... the CRL from your PKI type the following command policygroup richtest service SSL key client ca revocation refresh now This downloads the CRL from your PKI server 10 1 2 64 to the SA8220 You will see Refresh completed revocation list was obtained from ftp 10 1 2 64 Certsrv myCA crl 9 To set up the SA8220 to periodically update the CRL type the following command policygroup richtest service SSL ke...

Page 244: ...e the CRL feature for the SA8220 type the following command policygroup richtest service SSL key client ca revocation policygroup richtest service SSL key client ca revocation mode enable You will see Mode changed to enable policygroup richtest service SSL key client ca revocation ...

Page 245: ...d to as the SA8220 throughout this document Unless noted otherwise all SA8220 references refer to all models Standards Compliance HP MIBTree Trap Summary Displaying SNMP Parameters Configuring Community Authentication and Security Parameters Configuring Trap Parameters Other Configurable SNMP Parameters ...

Page 246: ... mode open for all remote system access Monitor the SA8220 s health Monitor health of a redundant SA8220 and failover readiness Monitor the SA8220 s load as indicated by CPU utilization connection count and connections per second Monitor status and performance of server farm Monitor status and performance of services VIP port presented to clients Monitor HTTP server errors and HTTP errors recovere...

Page 247: ...s MIB tree for a better understanding of this section HP s MIB Tree All HP enterprise MIBs and MIB objects are defined under the management branch of the HP tree All sysObjectIds that identify HP products are defined under the hpServer AppliancesSystem branch of the HP tree ...

Page 248: ...ystem and SNMP groups An SNMP SET on all other groups returns a noAccess error for SNMPv2c or a noSuchName error for SNMPv1 The SA8220 supports the coldStart linkUp linkDown and authenticationfailure standard SNMP traps hpserver header my hpserver header my contains the objects that define the top level branches of the HP MIB tree It also contains all the sysObjectIds defined for HP Traffic Direct...

Page 249: ...nce of TCP connections between the SA8220 and servers are monitored This performance data is stored in the serverTcpTable For each configured server mapping used for load balancing a service VIP PORT the following data is maintained in the serverTcpTable state up or down serverState how long this server has been up serverUpTime response time serverRspTm number of established TCP connection instanc...

Page 250: ...T in serviceTcpTable Per VIP PORT pair the following data is available State up or down serviceState Length of time the service has been up serviceUpTime Response time serviceRspTm Number of established TCP connections serviceConnCnt TCP connections established per second serviceCps Trap thresholds are available in the MIB for serviceRspTm serviceConnCnt and serviceCps Different threshold settings...

Page 251: ... brokerCpuUtilHiWater a brokerCpuUtilAlert trap is sent While in alert if brokerCpuUtil dips to brokerCpuUitlLoWater a brokerCpuUtilNormal trap is sent High and low water thresholds provide hysteresis and prevent the spurious generation of traps If the high water threshold is set to 0 no traps are sent Trap thresholds for Director connection count can be configured such that if the connection coun...

Page 252: ...ts the error and resubmits the HTTP request to another server for fulfillment Each server is tried in sequence until the HTTP request is fulfilled If the HTTP request is fulfilled the client sees a successful completion of the request Otherwise the client receives a 503 error from the Director httpRedirects is the number of times during the hour that the Director redirected a request to a server h...

Page 253: ...low and high water thresholds are not necessary for hysteresis invalidHttpRequests returns the number of invalid HTTP requests received by the Director during the hour httpServerErrs is the number of timeouts HTTP errors and HTTP 606 errors received from servers during the hour hpssl acceleration mib my NOTE This MIB is available only on the SA8200 SA8220 hpssl acceleration_mib my defines objects ...

Page 254: ...ue goes to overflow for the current hour hpuser mib my The MIB file hpuser mib my contains definitions for the operatorLogin and operatorLogout traps Trap Summary The following list summarizes the traps generated by the SA8220 For details about a particular trap please read the description of each MIB above or read the documentation within the MIB file Traps are generated by SNMPv2c Standard SNMP ...

Page 255: ... SNMP tab displays all SNMP parameters. In the CLI, type this command to display all SNMP parameters: show sys snmp info. Ensure that the SA8220's IP Filtering security mechanism allows IP access to SNMP; otherwise, SNMP requests will not pass through the filter. Configuring Community Authentication and Security Parameters: The SA8220 SNMP supports community-based authentication. An unlimited number of com...

Page 256: ... read-only privilege. SNMP read-only requests using community string test will be accepted only from IP address 209.218.240.1. By default, the following community strings are defined: public ro any, private rw any. The SA8220 has an IP filtering capability accessible through the Administration Security tab or the config sys security command. Make sure that security is configured so that SNMP request pack...

Page 257: ...ity NOC1 sends traps to IP address 209.218.240.5 and causes the SA8220 SNMP agent to include the community string NOC1 in the trap. Other Configurable SNMP Parameters: The following CLI commands are used to display and configure general SNMP parameters: config sys snmp info, config sys snmp port port, config sys snmp sysContact string, config sys snmp sysName string, config sys snmp sysLocation string. NO...

Page 259: ...ing topics NOTE For ease of reading all models are referred to as the SA8220 throughout this document Unless noted otherwise all SA8220 references refer to all models Upgrading or Updating Your System Software Downloading and Installing the Software ...

Page 260: ...nd install new software images on the SA8220 using the CLI command config sys software install Software Image Media Depending on the circumstances you may receive your software update or upgrade from CD ROM as part of a new software kit or you can download it from an HP software Web site In either case the distribution consists of a single large binary file of approximately 50 MB The first step in...

Page 261: ...ute the update image If you are upgrading from a SA7200 to a SA7220 you need a license key Contact HP Customer Support to obtain a key You need the ftp server s hostname a user name password and the image s filename 2 When you have these items type this command from the CLI config sys software install Below are some examples of syntax for ftp downloads NOTE The examples shown here are for illustra...

Page 262: ...nstallation the show sys software info command may display the image as installed but the downloaded image is not safe to use Use config sys software delete to delete the image and repeat the installation before continuing If the problem persists contact HP Customer Support The data above indicates that version 2 4 of SA8220 software has been installed and is ready for service 1 Verify your connec...

Page 263: ... install_image user username password password This downloads the new image and installs it on System B 4 At System B s CLI type this command config sys autoboot disable This ensures that System B pauses at the Boot Monitor 5 Boot System A with the newly installed software image allow System A to boot and enter the Boot Monitor by pressing a key at the appropriate prompt during the boot sequence b...

Page 264: ...or Server Appliances User Guide 252 11 At the prompt type the new password This password must also consist of 8 to 128 characters 12 If desired type the following command in System B s CLI to enable autoboot config sys autoboot enable ...

Page 265: ... 5 1. If you have not already done so, change the admin password by typing the config cli username command. 2. Set security to closed or custom mode by typing the config sys security mode closed custom command. Closed mode restricts administration to the serial port. By default, the custom mode enables both SSH and the serial port. You can view the current settings of your system by typing the config sys securi...

Page 266: ...our control, type the following command: config sys security custom acl add netmask ip address mask length 4. If you want to use SNMP, reads and traps should be restricted to the specific IPs of logging hosts or administration machines. Type the following commands for this purpose. The system must be in custom mode and SNMP access must be enabled: config sys snmp community delete public ip any config sy...

Page 267: ...es for production use must be obtained from a recognized Certificate Authority Keys and certificates are necessary for the successful operation of the SA8220 for e Commerce traffic processing There are three ways to obtain them Obtain a certificate from Verisign or another Certificate Authority CA Create a new key or certificate on the SA8220 The SA8220 supports certificates in PEM format ...

Page 268: ...dow 2 Click and drag to select the item 3 After the item is selected open the Edit menu and click Copy or type ctrl c 4 Open the window where you will paste the data and position the cursor at the appropriate point 5 In the Edit menu click Paste or type ctrl v To paste an item key certificate signing request etc into HyperTerminal 1 Display the item in the appropriate application window then click...

Page 269: ...ndering the certificate invalid Also for optimal security one or more fields must be modified to make the DN unique 4 1 To create a key type the following command HP SA8220 config policygroup name service name key create 512 1024 2 To create the signing request type the following command HP SA8220 config policygroup name service name key signrequest create DN parameters Where the optional DN param...

Page 270: ...he process delete the key and start again To paste in a key 1 Type the import command and press Enter The CLI prompts you to paste in the key 2 When finished type three periods on a separate line then press Enter 3 When the procedure is complete you can type info at the prompt to verify the key s transfer to the SA8220 An alternative method for importing an existing key is to ftp the key as shown ...

Page 271: ...lete the certificate and start again To paste in a certificate 1 Type the import command and press Enter The CLI prompts you to paste in the certificate 2 When finished type three periods on a separate line then press Enter 3 When the procedure is complete you can type info at the prompt to verify the certificate s transfer to the SA8220 An alternative method for importing an existing certificate ...

Page 272: ...ds input as part of creating a certificate are called a Distinguished Name DN Procedure 1 To create a key type this command HP SA8220 config policygroup name service name key create 512 1024 2 To create a certificate type this command HP SA8220 config policygroup name service name key create certificate DN parameters NOTE Alternatively default DN parameters can be specified using the config ssl dn...

Page 273: ...hained certificates When the browser gets the certificate from the server along with the intermediate CA it will verify the certificate the intermediate CA and the root CA to determine the GSC capability The root CA is normally installed in the browser but not the intermediate CA So the SA8220 should be able to send both the certificate and the intermediate CA Using the CLI If the certificate is n...

Page 275: ... typed in step 5 must differ from the DN information typed in step 6. 5. Now generate the client CA by typing this command: openssl req -new -x509 -config openssl.cnf -key ca_key.pem -out ca_cert.pem 6. Generate the client certificate signing request by typing this command: openssl req -new -config openssl.cnf -key key.pem -out csr.pem 7. Sign the client certificate request by typing this command: openssl x509 re...

Page 276: ...rom the openSSL source directory. 3. Create a private key for the SA8220 CA certificate by typing this command: openssl genrsa -out ca_key.pem 1024 4. Create the CA certificate SA8220 by typing this command: openssl req -new -x509 -config openssl.cnf -key ca_key.pem -out ca_cert.pem 5. Import this file to the SA8220. 6. Create a private key for the signing request by typing this command: openssl genrsa -out clien...

Page 277: ...by typing this command: openssl ca -gencrl -out crl.pem Using Ciphers with the SA8220: The SA8220 only supports RSA key exchange and authentication. Diffie-Hellman (including Anonymous and Ephemeral) key exchange authentication and DSS authentication are not supported. Use the set cipher command to specify the cipher. The command prompts you for the cipher strength as shown below. The default cipher value i...

Page 278: ...SHA SSLv3 RSA RSA IDEA 128 SHA1 M
RC4-SHA SSLv3 RSA RSA RC4 128 SHA1 M
RC4-MD5 SSLv3 RSA RSA RC4 128 MD5 M
DES-CBC-SHA SSLv3 RSA RSA DES 56 SHA1 L
DES-CBC3-MD5 SSLv2 RSA RSA 3DES 168 MD5 H
IDEA-CBC-MD5 SSLv2 RSA RSA IDEA 128 MD5 M
RC2-CBC-MD5 SSLv2 RSA RSA RC2 128 MD5 M
RC4-MD5 SSLv2 RSA RSA RC4 128 MD5 M
RC4-64-MD5 SSLv2 RSA RSA RC4 64 MD5 L
DES-CBC-MD5 SSLv2 RSA RSA DES 56 MD5 L
EXP-DES-CBC-SHA ...

Page 279: ...s not enabled, enable it as follows: config policygroup policygroup name service service name header enable 3. Enable header certificate as follows: config policygroup policygroup name service service name key client ca header certificate enable 4. By default, header certificate is disabled. 5. For more information on header certificates, please see HTTP Header Option Fields in Chapter 2 and config policyg...

Page 281: ...herwise all SA8220 references refer to all models The failover modes are described below Failover Mode Description Disabled No failover method is selected Serial Cable Failover An out of band failover mode that uses the serial cable to share both configuration and failure status Routed Failover An in band failover mode that employs routing protocols ...

Page 282: ... subnet only on outside Same subnet only on outside Same subnet only on outside DHCP Not with Serial No No No HOT Yes Yes Yes Yes 5 HOT and SAP Yes 1 Yes 1 Yes 1 Yes 1 4 OPR Yes needs router N A Yes No RICH Yes Yes Yes Yes 5 RICH and SAP Yes 1 Yes 1 Yes 1 Yes 1 4 Routed VIP ARPing No uses loopback Requires router No uses loopback Same subnet only on outside DHCP Yes Requires router No No HOT Yes R...

Page 283: ... must have static routes from brokered subnet to server side subnet Serial Cable Failover AND Routed 2 VIP ARPing N A Same subnet only on outside N A Same subnet only on outside DHCP No No No No HOT Yes Yes Yes Yes 5 HOT and SAP Yes 1 Yes 1 Yes 1 Yes 1 4 OPR Yes N A Yes No RICH Yes Yes Yes Yes 5 RICH and SAP Yes 1 Yes 1 Yes 1 Yes 1 4 Failover Mode Feature Single Interface with outside router Dual ...

Page 285: ...t the Loopback 1 From the Start menu click Settings 2 Open the Control Panel as shown in the following figure NOTE For ease of reading all models are referred to as the SA8220 throughout this document Unless noted otherwise all SA8220 references refer to all models ...

Page 286: ...A P P E N D I X D HP Traffic Director Server Appliances User Guide 274 Windows 2000 Control Panel 3 Double click Add Remove Hardware 4 The Add Remove Hardware Wizard appears as shown below ...

Page 287: ...A P P E N D I X D Configure OPR for Windows 2000 275 Add Remove Hardware Wizard 5 Click Next to bring up the Choose a Hardware Task screen as shown in the next figure ...

Page 288: ... P E N D I X D HP Traffic Director Server Appliances User Guide 276 Choose a Hardware Task Screen 6 Select Add Troubleshoot a device 7 Click Next to bring up a Devices list as shown in the following figure ...

Page 289: ...A P P E N D I X D Configure OPR for Windows 2000 277 Devices List 8 Highlight Add a new device 9 Click Next to bring up the Find New Hardware screen as shown in the next figure ...

Page 290: ...E N D I X D HP Traffic Director Server Appliances User Guide 278 Find New Hardware Screen 10 Select No to search for new hardware 11 Click Next to bring up the Hardware Type screen as shown in the next figure ...

Page 291: ...A P P E N D I X D Configure OPR for Windows 2000 279 Hardware Type Screen 12 Click Network Adapters 13 Click Next to bring up the Select Network Adapter screen as shown in figure ...

Page 292: ...iances User Guide 280 Select Network Adapter Screen 14 Under Manufacturers scroll down to Microsoft 15 Under Network Adapter select Microsoft Loopback Adapter 16 Click Next to bring up the Start Hardware Installation screen as shown in the next figure ...

Page 293: ...A P P E N D I X D Configure OPR for Windows 2000 281 Start Hardware Installation Screen 17 Click Next to bring up the Completing the Add Remove Hardware Wizard screen as shown below ...

Page 294: ... N D I X D HP Traffic Director Server Appliances User Guide 282 Completing the Add Remove Hardware Wizard Screen 18 Click Finish 19 To configure the Loopback open the Control Panel as shown in the next figure ...

Page 295: ...A P P E N D I X D Configure OPR for Windows 2000 283 Windows 2000 Control Panel 20 Double click the Network and Dial up Connections icon to bring up the next screen shown in the next figure ...

Page 296: ...r Server Appliances User Guide 284 Network and Dial up Connections Screen 21 Highlight Local Area Connection 2 the Loopback Adapter 22 From the menu bar select File Properties to bring up the Properties screen as shown in the next figure ...

Page 297: ...A P P E N D I X D Configure OPR for Windows 2000 285 Local Area Connection 2 Properties Screen 23 Scroll down to Internet Protocol TCP IP as shown in the next figure and double click ...

Page 298: ...A P P E N D I X D HP Traffic Director Server Appliances User Guide 286 Select Internet Protocol TCP IP 24 The Internet Protocol TCP IP Properties screen appears as shown in the next figure ...

Page 299: ...Protocol TCP IP Properties Screen 25 In the IP address field type the Virtual IP VIP address of the SA8220 26 In the Subnet Mask field type the subnet mask appropriate for your environment 27 Leave the Default Gateway field blank 28 Click OK 29 Reboot the computer ...

Page 300: ... NT Set the Loopback 1 From the Start menu click on Settings then open the Control Panel 2 The Control Panel appears as shown below NOTE OPR is not available for SSL enabled services Windows NT Control Panel 3 Double click on the Network icon The Network dialog appears as shown in the next figure ...

Page 301: ...A P P E N D I X D Configure OPR for Windows NT 289 Network Adapter Setting 4 Click the Adapters tab 5 Click Add The Select Network Adapter dialog appears as shown in the next figure ...

Page 302: ...or Server Appliances User Guide 290 Choosing the MS Loopback Adapter 6 From the Network Adapter list select MS Loopback Adapter and click OK The MS Loopback Adapter Card Setup dialog appears as shown in the next figure Adapter Card Setup ...

Page 303: ...s are not found on your system the Windows NT Setup dialog appears as shown in the next figure Copying Windows NT Files 8 If necessary specify where Windows NT can find the files and click Continue The files will load on your system and the MS Loopback Adapter appears in the Network Adapters list as shown in the next figure ...

Page 304: ...A P P E N D I X D HP Traffic Director Server Appliances User Guide 292 MS Loopback Adapter Installed 9 Click the Protocols tab The protocol settings appear as shown in the next figure ...

Page 305: ... D I X D Configure OPR for Windows NT 293 Protocol Settings 10 From the Network Protocols list click TCP IP Protocol 11 Click Properties The Microsoft TCP IP Properties dialog appears as shown in the next figure ...

Page 306: ...pull down menu select the MS Loopback Adapter 13 Click Specify an IP address 14 In the IP address field type the Virtual IP VIP address of the SA8220 15 In the Subnet Mask field type the subnet mask appropriate for your environment 16 Leave the Default Gateway field blank 17 Click Apply 18 Click OK 19 Reboot the computer ...

Page 307: ...anager console appears double click the WWW service The WWW Service Properties for machine name dialog box appears where machine name is the name of your system 3 In the TCP Port field type the port number of the OPR service on the SA8220 4 Select the Directories tab and click Add The Directory Properties appears 5 Browse and click to select the home directory for the server 6 Click the Home Direc...

Page 308: ...Right click Default Web Service or the predefined service for this Windows NT server and click the Properties option The service name Properties dialog box appears 5 In the TCP Port field type the port number of the OPR service on the SA8220 6 To save and close this dialog box click Ok 7 From the Internet Information Server node right click the machine name node Click New and then click Web Site T...

Page 309: ...r www conf Port port_number ServerName the fully qualified name for this server machine 3 Configure a virtual service in the same file vip is the virtual IP configured on the SA8220 to handle OPR VirtualHost vip ServerName vip ServerAdmin admin mailserver DocumentRoot usually var www docs ErrorLog var log httpd vip error_log TransferLog var log httpd vip access_log CustomLog var log httpd vip acce...

Page 311: ...ostics NOTE For ease of reading all models are referred to as the SA8220 throughout this document Unless noted otherwise all SA8220 references refer to all models This section describes the available diagnostic information and in field diagnostics ...

Page 312: ... self test POST and application restart sequences There are four LEDs on the front panel as shown below Diagnostic LEDs Power Indication The front panel Power LED connects directly to the unit s power supply If the Power LED is not illuminated power is not connected to the unit or the unit s power supply has failed Power Status Act 1 Act 2 Power Status Act 1 Act 2 ...

Page 313: ...ribed in the next section Run time LED Diagnostics Run time LED Diagnostics At run time the LEDs provide information about unit activity as described below Status LED Blinks on and off quickly when serving as the active or standalone SA8220 Blinks on and off slowly when configured for serial cable failover and serving as the backup SA8220 Continuous on or off indicates a unit that has stopped resp...

Page 314: ...ime error indications Act 1 Act 2 Condition Off Off No NIC activity Slow blink Off 1 100 connections per second Fast blink Off 100 300 connections per second Solid Off 300 400 connections per second Solid Blink 400 600 connections per second Solid Solid 600 connections per second Status Act 1 Act 2 Condition Off Off Flash NIC failure Off Blink Off Rich Application Failure applies only when serial ...

Page 315: ...SA8220 must be able to resolve its own hostname via DNS both forward and reverse The client machine on which the browser is running must also be able to resolve its own hostname using DNS both forward and reverse GUI Administrative interface initialization fails DNS name resolution is incomplete The client machine s host name must be DNS resolvable by the SA8220 If DNS is not used use the config s...

Page 316: ...to negotiate correctly An attempt to connect to the CLI Administrative interface results in the message CLI not ready Domain configuration is incorrect or incomplete Verify that the domain is correct If it is incorrect use the dns command at the Boot Monitor prompt to re enter the correct information Reboot the SA8220 and restart for changes to take effect DNS resolution is set on the SA8220 but i...

Page 317: ...ualifiedDomainName Example 10 1 1 2 Broker1 Broker1 mycompany com Client connects directly to the fulfillment server bypassing the SA8220 Timing issue with routers Define a static route for the SA8220 on the router Unexpected routing behavior Keepalive option is enabled on the fulfillment servers when configured with the sticky option on the SA8220 Turn off Keepalive on the fulfillment servers whe...

Page 318: ...nt discards the response since the destination is that of the server and not the SA8220 Configure the client and server to reside on different subnets For OPR configurations the loopback adapter is not configured on the fulfillment server s For instructions on configuring the loopback adapter on the server s please see Set the Loopback in Appendix D Round Robin Load Balancing works abnormally The ...

Page 319: ...r Appliance SA8200 SA8220s and HP Traffic Director Server Appliance SA7200 SA7220s each have a dust filter element mounted behind the front grille and in front of the dual intake fans This filter is washable and must be cleaned every six months at a minimum If you use your SA8220 in an abnormally dusty environment clean the filter more often You need not interrupt the SA8220 s operation to perform...

Page 320: ...m filter element 2 Remove the foam filter element from its recess 3 Replace the grille and its screws while the filter element is being cleaned 4 Wash the filter in warm water and set aside to dry 5 Allow the filter to dry thoroughly before reinstalling in the SA8220 6 When the filter element is dry remove the SA8220 s front grille and replace the filter in its recess ensuring that its entire peri...

Page 321: ...Regulatory Information Taiwan Class A EMI Statement VCCI Class A Japan ...

Page 322: ...uipment VCCI If this equipment is used in a domestic environment radio disturbance may arise When such trouble occurs the user may be required to take corrective actions WARNING This is a Class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures Internal access to HP equipment is intended only for qualified ...

Page 323: ...ich can be determined by turning this equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Change the direction of the radio or TV antenna To the extent possible relocate the radio TV or other receiver away from the product Plug the product into a different electrical outlet so that the product and the receiver are on different bra...

Page 324: ...al apparatus set out in the interference causing equipment standard entitled Digital Apparatus ICES 003 of the Canadian Department of Communications CE Compliance Statement This e Commerce Traffic Director Server Appliance SA8200 SA8220 or Traffic Director Server Appliance SA7200 SA7220 complies with the EU Directive 89 336 EEC using the EMC standards EN55022 Class A and EN50082 1 This product als...

Page 325: ...y electrical devices In regions that are susceptible to electrical storms we recommend you plug your system into a surge suppressor and disconnect telecommunication lines to your modem during an electrical storm Provided with a properly grounded wall outlet Do not attempt to modify or use the supplied AC power cord if it is not the exact type required Ensure that the system is disconnected from it...

Page 326: ...electrical devices. In regions prone to electrical storms, it is recommended that you plug your system into a surge suppressor and disconnect all telecommunication lines from your modem during a storm. Provided with a properly grounded wall outlet. Do not use or modify the supplied AC power cord if it does not exactly match the required type ...

Page 327: ...electrical storms occur, be connected to a surge suppressor; during an electrical storm, the telecommunication lines should not be connected to the modem. Be equipped with a grounded AC outlet. Do not attempt to modify or use the supplied power cord if it is not exactly the required type. The system must ...

Page 328: ...magnetic fields produced by electrical devices. In areas prone to thunderstorms, it is advisable to connect the system to a surge suppressor. During thunderstorms, disconnect the communication lines from the modem. Equipped with a properly installed wall outlet. Do not modify or use the AC power cord supplied by the manufacturer if it does not exactly match the required type ...

Page 329: ...electrical storms, it is recommended that you connect your system to a surge suppressor and disconnect the modem from the telecommunication lines during storms. Provided with a properly installed ground connection. Do not attempt to modify or use the AC power cord if it does not exactly match the required type. Make sure that each time the cover is removed ...

Page 330: ...openings provide air circulation, which protects the device from overheating. Make sure that these openings are not covered. 8. When connecting to the mains, observe the connection ratings. 9. For reasons of electrical safety, the mains socket must have a protective earth contact. 10. Route the power cord so that no one can trip over it. Also, nothing should ...

Page 331: ...device has been dropped and/or the housing is damaged. f. If the device shows clear signs of a defect. 16. For repairs, only original spare parts or parts equivalent to the original parts may be used. The use of unsuitable spare parts can cause further damage. 17. Contact your service partner with all questions concerning service and repair...

Page 333: ...NDLED WITH ANOTHER PRODUCT YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND HP SOFTWARE LICENSE TERMS License Grant HP grants you a license to Use one copy of the Software Use means storing loading installing executing or displaying the Software You may not modify the Software or disable any licensing or control features of the Software If the Software is licensed for concurrent use you ...

Page 334: ...statute you will provide HP with reasonably detailed information regarding any intended disassembly or decompilation You may not decrypt the Software unless necessary for the legitimate use of the Software Transfer Your license will automatically terminate upon any transfer of the Software Upon transfer you must deliver the Software including any copies and related documentation to the transferee ...

Page 335: ...er Appliances User Guide 323 whichever is applicable You have only those rights provided for such Software and any accompanying documentation by the applicable FAR or DFARS clause or the HP standard software agreement for the product involved ...

Page 336: ...SOFTWARE HP Traffic Director Server Appliances User Guide 324 Notes ...

Page 337: ... the hostname Cipher Any encryption algorithm either symmetric or public key operating either as a data stream or divided into blocks Client Authentication A means of requesting client certificate for the purpose of verifying identities Client CA See Client Authentication CRL Certificate Revocation List a timestamped list identifying revoked certificates containing serial numbers DHCP Dynamic Host...

Page 338: ...ressed in dotted decimal notation For example 10 0 0 1 IP Service A network accessible IP accessible Application Protocol For example HTTP FTP and the like For administration purposes services are identified by Virtual IP Port KB Kilobytes or thousands of bytes of data Key A public key and private key pair used to encrypt decrypt messages Key Strength Length in bits of keys used in data encryption...

Page 339: ...r than the one established for the original connection This method typically results in faster delivery of the requested content to the client OSPF Open shortest path first Policy Rules used to effect changes in server resource apportionment according to conditions and thresholds established by a system administrator Policy Group A set of services chosen and prioritized to automate network perform...

Page 340: ...quest Required for a request for certificate authentication by a Certificate Authority SNMP Simple Network Management Protocol SSH Secure shell SSL Secure Socket Layer Protocol developed by Netscape for encrypted transmission over TCP IP networks setting up a secure end to end link Target Response Time A time expressed in milliseconds representing the ideal maximum time required to serve requests ...

Page 341: ...Support Services Support for your SA8220 U S and Canada For hardware service and telephone support contact An HP authorized reseller or HP Customer Support Center at 1 800 633 3600 ...

Page 342: ...420 2 613 07 310 Denmark 3929 4099 English non UK 44 20 7512 5202 Finland 02 03 47 288 France 01 43 62 3434 Germany 0180 525 8143 Greece 30 0 16196411 Hungary 36 1 382 1111 Ireland 01 662 5525 Israel 972 9 952 4848 Italy 02 2 641 0350 Netherlands 020 6068751 Norway 22 11 6299 Poland 48 22 8659800 Portugal 21 317 6333 Russia 7095 797 3520 South Africa RSA 086 000 1030 Outside RSA 27 11 258 9301 Spa...

Page 343: ...g 800 96 2598 India 91 11 6826035 Indonesia 0800 21511 Japan 0120 220 119 Korea 82 2 32700911 Malaysia 60 3 2931811 or 1 800 881811 New Zealand Upper North Island 09 356 6640 Lower North Island 04 499 2026 South Island 03 365 9805 People s Republic of China 86 8008105959 Philippines 63 2 811 0643 Singapore 65 2725300 Taiwan 866 080 010055 886 2 7170055 Thailand 66 2 6613891 Vietnam Hanoi 84 4 9430...

Page 344: ... 8380 Brazil Sao Paulo 11 3747 7799 All Others 0800 15 77 51 Chile 800 360 9999 Colombia 9 800 91 9477 Guatemala 1 800 999 5305 Mexico Ciudad de Mexico 5258 9922 All Others 800 472 6684 Peru 0 800 10111 Puerto Rico 1 877 232 0589 Venezuela Caracas 207 8488 All Others 800 47 777 Other Countries For hardware service contact your local authorized reseller or HP sales office For telephone support cont...

Page 345: ...g tab 104 multi site tab 103 routing tab 92 security screen 95 settings tab 82 SNMP tab 101 software tab 83 users tab 89 B balance strategy 75 response time 75 round robin 76 boot monitor commands autoboot 44 boot 44 delete 48 dhcp 49 dns 49 dual 49 factory_reset 50 failover 51 gateway 51 help 51 host 52 info 52 ip 52 load 53 netmask 53 rich_bias 53 save 54 ...

Page 346: ...38 155 137 134 137 admin 134 arp 137 autoboot 42 back 137 boot 35 36 210 box 137 cat 138 config admin info 137 config admin port 137 config cli 138 config gui 138 config irv 138 config logging 143 config policygroup 12 23 24 25 26 28 32 139 142 212 260 config route 139 config ssl 143 config sys 140 copy 138 dir 138 dup syn 31 ether 137 exit 137 failover 33 35 force rwa 137 get 138 halt 137 help 13...

Page 347: ...me 302 server status detection 31 ethernet interface value 117 expressions adding to server configuration 223 224 order of 26 F factory defaults resetting 112 failover configuration 33 method dependencies 269 modes 269 router 33 93 serial cable 33 63 93 file management commands 138 152 cat 138 copy 138 dir 138 get 138 put 138 remove 138 restore 138 restore verbose 138 save 138 FTP limitations of 1...

Page 348: ...gon 61 netstat 119 nslookup 121 ping 118 policy groups 69 policy manager 67 policy manager screen 67 reboot 122 RICH controls 79 servers 76 services 72 statistical screen 128 tools screen 115 topology screen 63 trace command 123 traceroute command 127 H Help online 64 HOT services see services HP MIBs tree 235 HTTP adding service 212 219 error detection 32 80 header information 267 monitor table 2...

Page 349: ...ation 214 Web site with two servers 208 log file viewing 105 logging system log parameters 104 logging commands 143 199 config logging 143 loopback setting 273 288 M MIBs broker connection count 239 connections second 239 CPU Utilization 239 hpbroker mib my 237 242 hpl7 broker mib my 240 hpssl acceleration mib my 241 hpuser mib my 242 HTTP monitor table 240 Layer 4 service 238 server availability ...

Page 350: ...3 routing 27 217 active protocol 93 content 220 determine method for VIP 224 routing commands 139 160 config route 139 routing tables S SAP 24 214 215 adding servers 216 secure shell support 96 134 setting 99 Secure Sockets Layer see SSL security 253 configuration 253 security commands 141 179 config sys 140 serial cable failover 33 failover configuration 33 serial cable failover 33 upgrading unde...

Page 351: ...image 87 downloading 249 install new images 87 installing 249 license agreement 321 system 84 upgrading 248 Source Address Preservation see SAP SSH see secure shell support SSL 261 acceleration 226 228 commands 142 185 config policygroup 142 config ssl 143 monitor table 241 statistical screen graph options 130 statistics 205 status information 37 sticky options 15 grouping services 17 modes 74 per...

Page 352: ...Server Appliances User Guide 340 topology screen elements 65 policy manager 67 troubleshooting 303 U upgrade failover configuration 251 system software 248 V VIP 73 215 238 adding 212 219 222 W Web Service loopback interface 295 296 ...

Reviews: