Load Balancing for esafe Gateway 3.0 when using Alteon's AD2 or AD3

This document describes how to set up and configure Alteon's AD2 (Alteon part # ) or AD3 (Alteon part # ), and Aladdin's esafe Gateway to provide a combined load-balancing and content filtering solution. Throughout this document, the Alteon units will be referred to as AD2/3.

Overview

The combined use of Alteon's ACEdirector AD2 [1] or AD3 [2] (referred to as AD2/3 throughout the remainder of this document) with esafe Gateway helps ensure a free flow of clean HTTP, FTP, and SMTP traffic, 24 hours a day, non-stop.

Alteon's AD2/3 units distribute the flow of traffic among a number of esafe Gateway machines to allow them to filter a wider bandwidth at high speeds. Furthermore, if an esafe Gateway machine fails for any reason, all traffic is redistributed among the remaining esafe Gateway machines to ensure the continued flow of traffic.

You can further increase redundancy to protect against temporary software failure of esafe Gateway's component modules by enabling each esafe Gateway machine to use the CI module of the other esafe Gateway machines. This setting slows down esafe Gateway's content filtering speeds.

IP addresses

Each AD2/AD3 has a number of ports, each of which can be assigned to a different IP address. When two AD2/AD3 units are used with esafe Gateway machines placed between them, esafe Gateway can filter out malicious and other undesirable FTP, HTTP, and SMTP traffic before this traffic reaches the LAN.

Port 1 is used by the external AD2/AD3 to communicate with the Internet, and by the internal AD2/AD3 to communicate with the LAN. Communication between the two AD2/AD3 units is distributed over additional ports, with a separate esafe Gateway machine for each line of communication. In other words, a different esafe Gateway machine filters content for port 3 than the one that filters content for port 2.

Unused ports should be defined as alternates for port 1, i.e., with the same IP address.

Step 1. Define port 1 (default port) of each AD2/AD3 by assigning it the IP address that communicates with the Internet or LAN.
Step 2. Assign private IP addresses for each esafe Gateway machine.
Step 3. Define port 2 of each AD2/AD3 to communicate with the relevant NIC of one of the esafe Gateway machines.
Step 4. Define port 3 of each AD2/AD3 to communicate with the relevant NIC of a second esafe Gateway machine.
Step 5. Repeat using a different AD2/AD3 port for each esafe Gateway machine.

In the illustrated example, the content filtering load is balanced over two esafe Gateway machines. The public IP address assigned to port 1 of the external AD2/AD3 is /24. The public IP address assigned to port 1 of the internal AD2/AD3 is /24. An esafe Gateway machine with an external IP address of /24 and an internal IP address of /24 filters traffic over port 2. Another esafe Gateway machine with an external IP address of /24 and an internal IP address of /24 filters traffic over port

[1] Alteon part #
[2] Alteon part #

How to configure the AD2/AD3

Step 1. Connect an ASCII terminal (or PC running terminal emulation software) to the AD2/AD3 to serve as a console. You need to configure the console with the following communication parameters:

    Baud = 9600
    Data bits = 8
    Stop bits = 1
    Flow control = None

Step 2. Establish communication. To do this:
    a. Open a terminal session.
    b. Press the Enter key until you are asked for a password.
    c. Enter the password for access to the switch. The default super-user password is admin.

Step 3. Enter the following command lines:

    /boot/conf factory
    /boot/reset

This resets the switch to the factory default.

Step 4. Answer No when asked if you want to run the setup program. This will allow you to manually configure and verify each step.

Step 5. Configure the VLAN information. In the above example, ports 2 and 3 are the physical ports that will link to esafe Gateway CRs. The commands for the above example are:

    /cfg/vlan 1/ena
    /cfg/vlan 2/ena
    /cfg/vlan 2/add 2
    /cfg/vlan 3/ena
    /cfg/vlan 3/add 3
    apply

Step 6. Turn off Spanning Tree to prevent automatic partitioning of ports when there are multiple interfaces into the same subnet.

    /cfg/stp/off

Step 7. Assign IP addresses to each port. The command for port 1 of the external AD2/AD3 in the above example is:

    /cfg/ip/if 1/addr /mask /broad
    /cfg/ip/if 1/vlan 1 ena/apply

The command for port 2 of the external AD2/AD3 in the above example is (the parameters that differ from the port 1 definitions are bolded and underlined to bring them to your attention):

    /cfg/ip/if 2/addr /mask /broad
    /cfg/ip/if 2/vlan 2 ena/apply

The command for port 3 of the external AD2/AD3 in the above example is (the parameters that differ from the port 1 definitions are bolded and underlined to bring them to your attention):

    /cfg/ip/if 3/addr /mask /broad
    /cfg/ip/if 3/vlan 3 ena/apply

Step 8. Set up static routes to channel traffic through each esafe Gateway CR machine. The command for the external AD2/AD3 in the above example is as follows:

    /cfg/ip/route add add
    /apply
    /save

The command for the internal AD2/AD3 contains additional commands (bolded and underlined for emphasis). The commands for the above example are as follows:

    /cfg/ip/route add add
    /cfg/ip/gw 1 addr /ena
    /apply
    /save

Step 9. Make sure IP forwarding is turned on and RIP is turned off.

    /cfg/ip/fwrd/on
    /cfg/ip/rip/off

Step 10. Enable server load balancing.

    /cfg/slb/on

Step 11. Define the other AD2/AD3 as the real server. This enables the AD2/AD3 to test the integrity of the entire data path. The command for the external AD2/AD3 in the above example is as follows:

    /cfg/slb/real 1/rip /ena
    /cfg/slb/real 2/rip /ena
    /apply
    /save

The command for the internal AD2/AD3 in the above example is as follows (differences bolded and underlined for emphasis):

    /cfg/slb/real 1/rip /ena
    /cfg/slb/real 2/rip /ena
    /apply
    /save

Step 12. Create a real server group and add the real servers.

    /cfg/slb/group 1/metric hash/health http/cont health.htm/add 1/add 2
    /apply
    /save

Step 13. Create a virtual IP address to enable the HTTP integrity test to work.

    /cfg/slb/virt 1/service http
    /cfg/slb/virt 1/ena/vip

Step 14. Define redirection and allow filter rules.

    /cfg/slb/filt 100/ena/dip /dmask /proto any
    /cfg/slb/filt 224/ena/action redir/group 1
    /apply
    /save

Step 15. Add all of the filter rules to the external ports of each AD2/AD3 (normally port 1 and unused ports).

    /cfg/slb/port 1/filt ena/add 100/add 224
    /apply
    /save
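
A way to review a saved command transcript against the settings this procedure depends on (Spanning Tree off, forwarding on, RIP off, an HTTP content health check on the group, every enabled filter applied to a port). This is an added example, not code from Alteon or Aladdin; the command syntax is copied from the steps above, the parser is a simplification of it, and the addresses in the sample are constructed placeholders.

```python
import re

# Constructed transcript in the stacked-command style of the steps above.
# Addresses are placeholders from the 192.0.2.0/24 documentation range.
SAMPLE = """\
/cfg/stp/off
/cfg/ip/fwrd/on
/cfg/ip/rip/off
/cfg/slb/on
/cfg/slb/real 1/rip 192.0.2.10/ena
/cfg/slb/real 2/rip 192.0.2.20/ena
/cfg/slb/group 1/metric hash/health http/cont health.htm/add 1/add 2
/cfg/slb/filt 100/ena/dip 192.0.2.0/dmask 255.255.255.0/proto any
/cfg/slb/filt 224/ena/action redir/group 1
/cfg/slb/port 1/filt ena/add 100/add 224
/apply
/save
"""


def _kv(segment):
    """Split 'rip 192.0.2.10', 'ena' or 'add2' into (keyword, value)."""
    m = re.match(r"([a-z]+)\s*(.*)", segment)
    return (m.group(1), m.group(2).strip()) if m else (segment, "")


def parse(transcript):
    """Fold the transcript into flags plus per-object option dictionaries."""
    cfg = {"flags": {}, "real": {}, "group": {}, "filt": {}, "port": {}}
    for line in transcript.splitlines():
        segs = [s.strip() for s in line.split("/") if s.strip()]
        if len(segs) < 3 or segs[0] != "cfg":
            continue  # apply/save, blank lines, non-config commands
        if segs[1] == "stp":
            cfg["flags"]["stp"] = segs[2]
        elif segs[1] == "ip" and segs[2] in ("fwrd", "rip") and len(segs) > 3:
            cfg["flags"][segs[2]] = segs[3]
        elif segs[1] == "slb":
            kind, ident = _kv(segs[2])
            if kind in ("on", "off"):
                cfg["flags"]["slb"] = kind
            elif kind in cfg:
                obj = cfg[kind].setdefault(ident, {"add": []})
                for seg in segs[3:]:
                    key, val = _kv(seg)
                    if key == "add":
                        obj["add"].append(val)
                    else:
                        obj[key] = val or True
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for flag, want in (("stp", "off"), ("fwrd", "on"), ("rip", "off"), ("slb", "on")):
        if cfg["flags"].get(flag) != want:
            findings.append(f"{flag} should be {want}")
    for gid, grp in cfg["group"].items():
        if grp.get("health") != "http" or not grp.get("cont"):
            findings.append(f"group {gid}: no HTTP content health check")
        for rid in grp["add"]:
            if not cfg["real"].get(rid, {}).get("ena"):
                findings.append(f"group {gid}: real server {rid} missing or disabled")
    # Filters only take effect on ports where filtering is enabled.
    attached = {f for p in cfg["port"].values() if p.get("filt") == "ena" for f in p["add"]}
    for fid, flt in cfg["filt"].items():
        if flt.get("action") == "redir" and flt.get("group") not in cfg["group"]:
            findings.append(f"filter {fid}: redirects to undefined group")
        if flt.get("ena") and fid not in attached:
            findings.append(f"filter {fid}: enabled but not applied to any port")
    return findings


if __name__ == "__main__":
    print(audit(parse(SAMPLE)) or "no findings")
```
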

Installing esafe Gateway

Minimum requirements

Dedicated computer: Pentium III, 500 MHz or above, two Ethernet 10/100 Mbps NICs (not dual or quad). If you have 3COM NICs, the NIC monitor programs and drivers must be removed or disabled. (Only one NIC is needed for additional CI machines.)

Hardware integration: The machine has been factory or vendor tested as a complete unit. It is strongly recommended that you disable all unnecessary services.

Disk space: 5 GB free. SCSI-UW with NTFS recommended.

Additional drives: CD-ROM drive or Internet connectivity (for installation).

RAM: 256 MB or above (512 MB recommended).

OS: Fresh installation of Windows NT 4 server/workstation (Intel version) with SP 6a (additional CI machines can also run under Windows 2000 with SP 1 or above). Do not install from an image unless the image is from a fresh installation! Make sure that the Windows OS for each machine containing a CI (esafe Gateway/Mail machine or remote CI machine) includes CABINET.DLL. If this file does not exist on the machine, esafe Gateway/Mail cannot scan CAB (cabinet) files. You can add this file by installing Internet Explorer 5.0 or above.

Internet access (required for CR only):
    FTP access to enable software updates.
    Access to an external SMTP Mail Server that is configured to accept SMTP requests from the esafe Gateway/Mail machine (this is necessary to send warnings and alerts to administrators, senders and recipients).
    Resolving capability (definition and access to a DNS Server).

Do not install additional software. You should disable all unnecessary services.

Pre-installation Checklist

The machines on which you will install esafe Gateway components each meet the minimum requirements for those components.

You are acquainted with network terminology, have a working knowledge of network management, and know how to configure IP routing.

You have read the latest esafe Gateway/Mail Release Notes.

The esafe Gateway machine does not have any other content inspection/anti-virus program installed. If it does, you must uninstall it.

The esafe Gateway and remote CI machines have a CD-ROM drive or Internet connectivity (for installation).

You have administrator access to the esafe Gateway machine (and any additional CI machines).

If you have a firewall, you have full administrator access to its policy manager.

Decide where you want to place the esafe Gateway machine. If you have a firewall, the esafe Gateway machine is usually configured to operate between the firewall and the LAN (not in the DMZ). If you do not have a firewall, the esafe Gateway machine is installed as a gateway to your network (between the Router and the LAN).

If your mail server is located in the DMZ, you must move it to the LAN (outside the DMZ) or have a mail relay in place. If you want to filter and keep the mail server in a DMZ, you must add esafe Mail in the DMZ.

Installation

Step 1. Configure TCP/IP for Router Mode installation.
    a. Install two NICs into the esafe Gateway machine.
    b. Assign the IP addresses to the NICs.
    c. Make sure that the Enable IP Forwarding check box is selected on the esafe Gateway machine. If you fail to do this, files will not pass from the firewall to the LAN and vice-versa.
Step 2. Connect the esafe Gateway machine.
Step 3. Install the evaluation version of esafe Gateway software in Router Mode.
Step 4. Install additional CIs - remember to set CI assignments. The number of CIs that an esafe Gateway machine can use is restricted by the license. Make sure that the license for EACH esafe Gateway/Mail machine covers the total number of CIs that it needs. This information is listed under Help About Registration Information.
Step 5. Test esafe Gateway.
Step 6. Test communication at all workstations and servers.
    a. Connect the CR between the AD2/AD3 units. DO NOT place any other hosts on this segment.
    b. Check your AD2/AD3 and other logs to make sure that traffic flows freely through the esafe Gateway machine, acting as a Windows NT router before you install the esafe Gateway/Mail software.
Step 7. Register.
Step 8. Install the software

Router mode installation

Step 1. Install two NICs into the esafe Gateway machine. Make sure to remove or disable all NIC monitor programs and drivers.

Step 2. Take the IP address of the firewall/router's inner NIC and assign it to the inner NIC of the esafe Gateway machine. Before you continue, make sure that you are authorized to make changes to the firewall/router machine.

Step 3. Establish a network segment between the firewall/router and the esafe Gateway machine.
    c. Assign the new IP address to the inner NIC of the router/firewall.
    d. Assign the new IP address to the outer NIC of the esafe Gateway machine from the newly created network segment.
    e. Enable IP forwarding on esafe Gateway machine.

Example:

Step 4. Disable all unnecessary services and drivers, including the partial list below.

    services: Alerter, Computer Browser, DHCP Client, Messenger, Server, Task Scheduler, Net-Logon, Workstation, TCP/IP NetBIOS Helper, Network DDE, Network DDE DSDM
    device drivers: Parallel, ParPort, ParVdm, Serial, WINS Client
    network bindings: NetBIOS, WINS Client (TCP/IP)

Additional changes to Windows NT that can improve performance and tighten security are described in appendix D.

Step 5. At the firewall machine, create a permanent static route for the LAN that passes through the esafe Gateway machine.

Sample routing command

    route add -p < > mask < > < >

where:
    < > represents your default gateway.
    < > represents your network's netmask.
    < > represents the IP of the NIC in the CR that communicates with the firewall.

Step 6. Copy the routing table of the firewall. To do this, enter the following text into the command prompt:

    route print > rtable.txt

Step 7. Connect the CR machine to the firewall/router on a dedicated Ethernet segment. Do not place any other hosts on this segment.

Step 8. Boot the CR machine and make sure that workstations on the LAN can surf the Internet.

Step 9. Check your firewall and other logs to make sure that traffic flows freely through the CR machine, acting as a Windows NT router before you install the esafe Gateway/Mail software.

Step 10. Make sure that the network functions properly and there are no routing problems.

Step 11. Run the Setup program from the CD-ROM or downloaded file. You can download the Setup program from ftp://ealaddin.com/pub/products/esg3.exe. If an older version or build of esafe Gateway with NitroInspection is already installed, you must uninstall the older version and reboot the machine before installing the new version.

Step 12. Read and accept the terms of the license agreement. Updates to the virus signature tables will only take place during the period for which a registered esafe Gateway machine is licensed (or during the evaluation period). Evaluation versions stop working altogether at the end of the evaluation period unless they are registered.

Step 13. Select the component(s) to install. Select the desired product/installation mode.

Step 14. Define whether the esafe Gateway machine will sit in front of a proxy or firewall machine.

Step 15. Check the path where esafe Gateway is to be installed and edit if necessary.

Step 16. Select Evaluation or Registration. Evaluation allows you to work with and update esafe Gateway/Mail for 30 days, after which time esafe Gateway/Mail will block all monitored traffic. When a registered license expires esafe Gateway/Mail will continue to operate, but will not allow updates to software, virus tables, or any other components. In order to avoid licensing the wrong IP, it is recommended that you first install as Evaluation, wait until esafe Gateway is up and running, then register from the CR machine (see page 21).

Step 17. Wait while the files are copied.

Step 18. Select whether to use the SMTP module. If you have an SMTP server on the LAN, select Also monitor SMTP and enter the Internet Domain name (FQDN) and IP address of the internal SMTP Server. If you have more than one mail domain you can add it later after completing the initial installation via econsole (Administration SMTP Server Internal Mail Servers). Failure to enter the name and IP address of ALL internal SMTP Servers will cause esafe Gateway's SMTP module to block all incoming mail until you add this information to the configuration.

Step 19. Decide whether to subscribe to the Early Detection Service (recommended).

Step 20. At the end of the setup program, click.

Step 21. Click Cancel when prompted to restart the computer.

Step 22. Shutdown (not restart) Windows and turn off the machine.

Step 23. Turn on the esafe Gateway machine and look for error messages during startup.

Step 24. After you complete installation, enter Control Panel Services and make sure that the following services are started:
    esafe Gateway
    esafe Content Inspector

Step 25. At this point the software is installed and you are ready to adapt the configuration to your needs as described in the esafe Gateway Administrator's Manual.

Step 26. Select Start Programs econsole Gateway esafe econsole to open the econsole Manager.

Step 27. Check that the IP address of the CR appears in blue. This may take a few seconds. If the IP address does not appear, you have a problem and should refer to Troubleshooting.

Step 28. Double-click the CR and create a password.

Step 29. Check the SMTP parameters needed for sending alerts and define or edit them if necessary.
    a. Run econsole and enter the configuration module (click Configuration). If you need detailed instructions, consult the Administrator's manual.
    b. To scan for more than one domain, go to Administration SMTP Server Internal Mail Servers and enter the additional domains.
    c. Go to Administration Alerts Alert Recipients and define alert recipients.
    d. Go to Administration Alerts File & Other Params and enter an address into the Senders field with a domain name that will allow alerts to pass through the anti-spoofing mechanism of the SMTP server that will receive the alerts.
    e. If you want all of your alerts to be sent via a specific SMTP server, enter it into the Outgoing SMTP server field. If you leave this field blank esafe Gateway will use the DNS lookup.

Step 30. Test esafe Gateway operation by downloading the virus test file from http://www.eicar.org. This file is not an actual virus and cannot replicate. It was developed by the European Institute of Computer Research and anti-virus vendors for the sole purpose of testing scan engines to make sure that they are working. For more extensive tests, see the Administrator's Manual.

Step 31. This completes the installation process. You can now use econsole to monitor operation and edit the configuration.

Registration

Evaluation mode allows you to work with and update esafe Gateway/Mail for 30 days, after which time esafe Gateway/Mail will block all monitored traffic. When a registered license expires, esafe Gateway will continue to operate, but will not allow software and virus table updates.

If you are upgrading from build 96 or above, you can use the same license key. If you are upgrading from version 2.1 to a NitroInspection CR, you must use a new license key that your vendor can supply.

In order to register, you need your login name and password. If you need to move a license to another machine, you must contact the VAR or distributor who sold you the license, then update your registration before you can create a new license key [3].

You can create a cold-restart backup machine with an exact copy of the CR and the same license. If your CR has a hardware or other failure, you can connect the cold-restart backup machine in its place to keep your Internet gateway open while you troubleshoot the problem.

Step 1. Generate a license key.
    a. Make sure you have your login name and password for entering the licensing center. If you do not have either of these, contact your vendor.
    b. Click Get License if you are in the installation procedure or connect to the esafe Licensing Center at If possible, connect from the esafe Gateway/Mail machine.
    c. Make sure to select the correct product and operation mode.
    d. Choose Issue license from the menu and follow the instructions that appear on screen. Make sure that the IP address listed is for the esafe Gateway/Mail machine that you want to license; we recommend that you register the IP address taken from the firewall.

Step 2. Select Start Programs esafe Gateway/Mail Enter Registration Number from your Windows Desktop.

Step 3. Enter your name, company name and license key into the Registration window, and click.

Step 4. Review the details and click. If you discover an error, click Back and make the corrections.

If you forget your license key and need to reinstall, you can use your login name and password to retrieve it from the esafe Licensing Center at Make sure to register the esafe Gateway for the total number of CIs needed.

[3] The license key consists of five parts separated by hyphens. The first part is a two letter product code, the second is a 7 digit number, the third part is an 8 digit number, the fourth part consists of 14 digits, and the last part contains 8 digits. For example: EF

Allowing the AD2/3 test files without scanning

The AD2/3 units continually send the test files through to test communication. Under the default configuration this file is scanned time and again.

If you add the AD2/3 units to the Trusted Servers List for Blocking and Scanning, the test files will not identify a CI failure. If this is the only CI available to the esafe Gateway machine, all files that need to be scanned will either be blocked or allowed without scanning according to the Block if a scanner error occurs check box setting. Consequently the AD2/3 will not compensate, i.e., it will not redirect all new files to other CR machines.

You can avoid this situation by adding the other esafe Gateway machines to the list of CIs used and/or adding CI machines to the internal LAN. In either case, you must add the static routes (passing through the internal AD2/3) to the NT routing table of the esafe Gateway machine. If you add CIs to the internal LAN, you must be careful to avoid assigning conflicting IP addresses to the internal LAN and the virtual subnets created between the AD2/3 units and esafe Gateway machines.

The number of CIs that an esafe Gateway machine can use is restricted by the license. Make sure that the license for EACH esafe Gateway machine covers the total number of CIs that it needs. This information is listed under Help About Registration Information.
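
The trade-off described above, worked through as a small model: two gateways, one with a failed CI, under each combination of "probe sender trusted" and "Block if a scanner error occurs". This is an added illustration, not code from the esafe or Alteon products; gateway names, client addresses (198.51.100.0/24 documentation range) and the last-octet hash are constructed, and the model assumes the health probe is handled like any other file unless its sender is trusted.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    ci_up: bool  # is a content inspector available to this gateway?


def handle(gw, needs_scan, block_on_error):
    """Outcome for one file crossing a gateway."""
    if not needs_scan:
        return "passed-unscanned"  # trusted sender: the CI is never consulted
    if gw.ci_up:
        return "scanned"
    return "blocked" if block_on_error else "passed-unscanned"


def healthy(gw, probe_trusted, block_on_error):
    """The load balancer's health check passes if its test file gets through."""
    return handle(gw, not probe_trusted, block_on_error) != "blocked"


def simulate(gateways, clients, probe_trusted, block_on_error):
    """Spread client files over the gateways that pass the health check."""
    pool = [g for g in gateways if healthy(g, probe_trusted, block_on_error)]
    tally = {"scanned": 0, "blocked": 0, "passed-unscanned": 0, "no-path": 0}
    for ip in clients:
        if not pool:
            tally["no-path"] += 1
            continue
        # Constructed stand-in for the hash metric: last octet modulo pool size.
        gw = pool[int(ip.rsplit(".", 1)[1]) % len(pool)]
        tally[handle(gw, True, block_on_error)] += 1
    return tally


# Constructed scenario: gateway B has lost its only CI.
GATEWAYS = [Gateway("A", ci_up=True), Gateway("B", ci_up=False)]
CLIENTS = [f"198.51.100.{i}" for i in range(1, 21)]


def all_scenarios():
    """Tally for every (probe_trusted, block_on_error) combination."""
    return {
        (trusted, block): simulate(GATEWAYS, CLIENTS, trusted, block)
        for trusted in (True, False)
        for block in (True, False)
    }


if __name__ == "__main__":
    for (trusted, block), tally in all_scenarios().items():
        print(f"probe trusted={trusted!s:5} block on error={block!s:5} -> {tally}")
```

In this model only the combination of a scanned probe and Block if a scanner error occurs removes gateway B from rotation, so that all 20 files are scanned by gateway A; every other combination leaves half the files either blocked or passed without scanning.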