Radware AppDirector and Juniper Networks Infranet Controller Solution Implementation Guide

Transcription

1 Implementation Guide Radware AppDirector and Juniper Networks Infranet Controller Solution Implementation Guide Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA JUNIPER Part Number: August 2008

2 Table of Contents Solution Overview Scope Design Considerations... 4 Radware AppDirector Products... 4 Juniper Networks Infranet Controller (IC) Products Juniper Networks Infranet Controller Overview Radware AppDirector Overview... 6 Radware AppDirector and Juniper Networks Infranet Controller Architecture Radware Benefits for Juniper Networks Infranet Controller Solutions... 7 Radware AppDirector and Juniper Networks Infranet Controller High Availability Interoperability Tests and Configurations Tests Conducted for Solution Validation Primary AppDirector Configuration Initial Primary AppDirector Configuration Farm Configuration Layer 4 Policy Configuration Client Network Address Translation Configuration Adding Servers to the Farm Health Monitoring Configuration Binding Health Checks to Servers Primary AppDirector VRRP Configuration Backup AppDirector Configuration Initial Backup AppDirector Configuration Farm Configuration Layer 4 Policy Configuration Client Network Address Translation Configuration Adding Servers to the Farm Health Monitoring Configuration Binding Health Checks to Servers Backup AppDirector VRRP Configuration Copyright 2008, Juniper Networks, Inc.

3 Summary Appendix High Availability Design Configurations Primary Configuration from OnDemand Switch 2 Platform Backup Configuration from OnDemand Switch 2 Platform About Juniper Networks List of Figures Figure 1. Juniper Networks Unified Access Control Figure 2. Infranet Controller and AppDirector Integration Topology... 7 Copyright 2008, Juniper Networks, Inc. 3

4 Solution Overview The Juniper Networks Infranet Controller and Radware AppDirector joint solution provides a highly available and scalable policy management service solution. At the heart of the Juniper Networks Unified Access Control (UAC) solution is the Juniper Networks Infranet Controller (IC), a hardened policy management server that uses Juniper s proven, best-in-class security and access control products. The Infranet Controller can push the UAC agent down to the endpoint to collect user authentication, endpoint security state, and device location information; or, alternatively, it can gather that same information in agentless mode. As access networks grow and endpoints compete for both internal and external network access resources, the need remains to maintain response times and service availability, to help ensure the best quality of experience for the end user. AppDirector scales the Infranet Controller appliances and manages the health and user session state of Infranet Controller resources, dynamically protecting against session loss and ultimately insulating an access security layer service vital to the safety and successful access to network resources. Figure 1 shows a logical UAC topology including the Infranet Controller as the central policy enforcement manager. Scope This document is intended for end users and technical systems engineers who will be deploying a joint Juniper Networks Infranet Controller Radware AppDirector solution. This guide provides detailed configuration and setup information for implementing the joint solution. Design Considerations Radware AppDirector Products Software: AppDirector Version Platform: AppDirector OnDemand Switch 2 (ODS 2) Performance: Throughput support from 1 to 4 Gbps with license-based upgrades. OnDemand Switch 2 supports 5 million simultaneous user with a default 2 GB of RAM or 8 million simultaneous users with 4 GB of RAM Juniper Networks Infranet Controller (IC) Products Software: Release 2.1 Platform: Juniper Networks IC 4000 and Copyright 2008, Juniper Networks, Inc.

5 Figure 1. Juniper Networks Unified Access Control Central Policy Manager Infranet Controller AAA AAA Servers Identity Stores User Access to Protected Resources Protected Resources Endpoint Profiling, User Authentication, and Endpoint Policy Dynamic Role Provisioning Access Point L2 Switch NS IEEE 802.1X Firewalls Wireless EX Series UAC Agent User Admission to Network Enforcement Points Juniper Networks Infranet Controller Overview After user or device credentials have been submitted, the Infranet Controller implements a comprehensive AAA engine for seamless deployment into almost all popular AAA settings. After the credentials have been validated and the endpoint security state established, the Infranet Controller creates and implements a dynamic access policy for each user and session and pushes that policy to enforcement points throughout the network. The enforcement points can include: Any vendor s standards-compliant IEEE 802.1X enabled switches or access points Any Juniper Networks firewall and VPN platform, including the Juniper Networks Integrated Services Gateway (ISG) with Intrusion Detection and Prevention (IDP) and the Juniper Networks Secure Services Gateway (SSG) secure routing platforms Both types of products for even greater granularity The IC 6000 also integrates the RADIUS processing capabilities of Juniper Networks Steel-Belted Radius (SBR) servers, the de facto standard in RADIUS servers and appliances. This integration lets the IC 6000 support an IEEE 802.1X transaction over vendor-agnostic, IEEE 802.1X enabled switches and access points when an endpoint attempts network access. The IC 6000 is designed to address the needs of large enterprises, multinational organizations, and government agencies, with the capability to handle up to tens of thousands of concurrent endpoints. The IC 6000 includes a number of high-availability features, including a hot-swappable power supply and hard disk that are both field upgradeable. The IC 6000 can be deployed in multi-unit clusters to increase performance and provide additional scalability. Copyright 2008, Juniper Networks, Inc. 5

6 Radware AppDirector Overview Radware AppDirector is an intelligent application delivery controller that provides scalability and applicationlevel security for service infrastructure optimization, fault tolerance, and redundancy. AppDirector combines the power of Radware multi-gigabit application switching hardware with APSolute OS service-smart networking to ensure local and global server availability and accelerated application performance and safeguard services with integrated intrusion prevention and denial of service (DoS) protection for fast, reliable, secure service delivery. AppDirector uses advanced Layer 4 through 7 policies and granular service intelligence, enabling end-to-end service-smart networking and aligning service infrastructure operations with service front-end requirements to eliminate traffic surges, infrastructure bottlenecks, connectivity disconnects, and downtime for assured service access and full-service continuity and redundancy. AppDirector enables fine-tuning of service behavior at all critical points, end to end, based on granular servicespecific classification of packets to optimize traffic flows for a wide range of services, including support for Hypertext Transfer Protocol (HTTP), HTTP over Secure Sockets Layer (HTTPS), Multipurpose Internet Mail Extensions (MIME), Real-Time Streaming Protocol (RTSP), Simple Mail Transfer Protocol (SMTP), voice over IP (VoIP; Session Initiation Protocol, or SIP), streaming media (Real-Time Transfer Protocol, or RTP), RADIUS, Diameter, and secure Lightweight Directory Access Protocol (LDAP) applications. AppDirector lets you get the most out of your service investments by maximizing the utilization of service infrastructure resources and enabling seamless consolidation and high scalability. Make your network adaptive and more responsive to your dynamic services and business needs with AppDirector fully integrated traffic classification and flow management, health monitoring and failure bypassing, traffic redirection, bandwidth management, intrusion prevention, and DoS protection. For more information, please visit Radware AppDirector and Juniper Networks Infranet Controller Architecture The AppDirector and Infranet Controller solution is designed to provide a highly scalable and highly available subsystem for deploying policy management infrastructure. The IC 6000 appliances are configured in an active-active cluster, with individual components queried for service availability by AppDirector. Using this important health monitoring information, AppDirector can calculate availability, and using existing load information, AppDirector can provide highly granular load distribution across Infranet Controller appliances. AppDirector maintains client sessions for persistency and works in conjunction with Infranet Controller state replication logic to ensure session survivability through Infranet Controller failover events. Together the two components help ensure zero loss of connectivity, offering a best-in-class solution. Figure 2 shows the high-availability architecture. 6 Copyright 2008, Juniper Networks, Inc.

7 Figure 2. Infranet Controller and AppDirector Integration Topology Main VIP TCP 80, 443 UDP , IC Cluster A Cluster A IC 6000 IC 6000 IC 6000 Switch STRM Network Switch Switch Switch Switch IC 6000 IC Cluster B Cluster B IC 6000 IC 6000 AppDirector VRRP AppDirector AppDirector_A MGM: /24 IP: /24 AppDirector_B MGM: /24 IP: /24 Radware Benefits for Juniper Networks Infranet Controller Solutions Juniper and Radware have conducted complete interoperability testing and developed integrated solutions using the Radware AppDirector and Juniper Networks Infranet Controller products. This strong interoperability and integration provides a solution that delivers industry-leading scalability, security, and performance for those deploying policy management (UAC) solutions. Radware AppDirector and Juniper Networks Infranet Controller High Availability Interoperability Tests and Configurations This section describes the interoperability tests performed and presents the steps for configuring AppDirector. There are separate configuration steps to be taken on the primary (active) and backup AppDirector devices, so the configuration discussion is divided into two parts: one for the primary device, and one for the backup device. Copyright 2008, Juniper Networks, Inc. 7

8 Tests Conducted for Solution Validation The tests listed in Table 1 were conducted to ensure that the most appropriate solution was defined and validated. All tests were successfully completed using the AppDirector configurations that follow Table 1. Table 1. Tests Conducted for Solution Validation Test Case AppDirector: Virtual IP and service farm AppDirector: Dispatch algorithm AppDirector: Persistency or session affinity AppDirector high availability: Master failover AppDirector high availability: Backup assuming master Virtual Router Redundancy Protocol (VRRP) role AppDirector high availability: Master failback Infranet Controller cluster: Failover Infranet Controller cluster: New service Primary AppDirector Configuration Description Verify that the virtual IP address and service farm defined in the load balancer work as expected. Verify that a new request follows the least connection policy (configured dispatch method). Verify that the user agent connection stays with the same sever and maintains the selected server throughout the life of a session. Verify that the load balancer high-availability setting prevents a single point of failure (SPOF) and that VRRP fails over properly. Verify that the load balancer maintains a client s sessions during a failover event. This validates the state replication logic between AppDirector controllers, ensuring session survivability through failover. Verify that Infranet Controller clients maintain connectivity and that VRRP role exchange occurs as expected. Verify that AppDirector detects Infranet Controller failure and dynamically manages new requests and reconnections to the available Juniper Networks Secure Access (SA) appliances. Verify that AppDirector detects new Infranet Controller service elements without affecting existing sessions. This section details the step-by-step AppDirector configuration process, using the Web-based management GUI, for creating the Juniper Networks Infranet Controller and Radware AppDirector high-availability subsystem. Refer to Figure 2 for topology and addressing information. Initial Primary AppDirector Configuration Using a serial cable and a terminal emulation program, connect to AppDirector. The default console port settings are: Bits per Second: Data Bits: 8 Parity: None Stop Bits: 1 Flow Control: None Enter the following command to assign management IP address / 24 to interface 17 (dedicated management interface) of AppDirector: net ip-interface create Note: Connectivity to AppDirector can be established at this time if the client resides on the same management subnet. 3. Enter the following command to assign IP address / 24 to interface 1 (production traffic connectivity) of AppDirector: net ip-interface create Copyright 2008, Juniper Networks, Inc.

9 4. Enter the following command to create a default gateway route entry on AppDirector pointing to : 5. net route table create i 1 Using a browser, connect to the management IP address of AppDirector ( ) via HTTP or HTTPS. The default username and password are radware and radware. Failure to establish a connection may be due to the following: Incorrect IP address in the browser Incorrect IP address or default route configuration in AppDirector Failure to enable Web-based management or secure Web-based management in AppDirector If AppDirector can be successfully pinged, attempt to connect to it via Telnet or SSH. If the pinging or the Telnet or SSH connection is unsuccessful, reconnect to AppDirector via its console port. After you are connected, verify and correct the AppDirector configuration as needed. 1 Farm Configuration 1. From the menu, choose AppDirector > Farms > Farm Table to display the Farm Table page. 2. Click the Create button. 3. On the Farm Table Create page, enter the necessary parameters as shown here. 4. Click the Set button to save the parameters. 5. Click the Create button. 1 To enable Web-based management from the console command-line interface, enter manage web status set enable. Copyright 2008, Juniper Networks, Inc. 9

10 6. On the Farm Table Create page, enter the necessary parameters as shown here Click the Set button to save parameters. 8. Click the Create button. 9. On the Farm Table Create page, enter the necessary parameters as shown here: 10. Click the Set button to save the parameters. 11. Verify that the new entry was created on the Farm Table page. 2 Throughout this guide, items circled in red indicate settings that need to be entered or changed. Items not circled should be left at the default settings. 10 Copyright 2008, Juniper Networks, Inc.

11 Layer 4 Policy Configuration 1. From the menu, choose AppDirector > Layer 4 Farm Selection > Layer 4 Policy Table to display the Layer 4 policy table. Note: In the design presented here, three virtual IP addresses are used to represent three farms: Virtual IP Farm Ports in Use MainCluster TCP: 80, 443, UDP: 1645, 1646, 1812, ClusterA TCP: 80, 443, UDP: 1645, 1646, 1812, ClusterB TCP: 80, 443, UDP: 1645, 1646, 1812, 1813 When you specify port values in the Layer 4 policy table, an access list is automatically created for undefined values. 2. Click the Create button. 3. On the Layer 4 Policy Table Create page, enter the necessary parameters as shown here. Note: This Layer 4 policy is for the main cluster HTTP traffic. 4. Click the Set button to save the parameters. 5. On the Layer 4 Policy Table page, click the Create button. 6. On the Layer 4 Policy Table Create page, enter the necessary parameters as shown here. Copyright 2008, Juniper Networks, Inc. 11

12 Note: This Layer 4 policy is for main cluster HTTPS traffic. 7. Click the Set button to save the parameters. 8. On the Layer 4 Policy Table page, click the Create button. 9. On the Layer 4 Policy Table Create page, enter the necessary parameters as shown here. Note: This Layer 4 policy is for main cluster Infranet Controller communication traffic. 10. Click the Set button to save the parameters. 11. On the Layer 4 Policy Table page, click the Create button. 12. On the Layer 4 Policy Table Create page, enter the necessary parameters as shown here. 12 Copyright 2008, Juniper Networks, Inc.

13 Note: This Layer 4 policy is for main cluster Infranet Controller communication traffic. 13. Click the Set button to save the parameters. 14. On the Layer 4 Policy Table page, click the Create button. 15. On the Layer 4 Policy Table Create page, enter the necessary parameters as shown here. Note: This Layer 4 policy is for main cluster Infranet Controller communication traffic. 16. Click the Set button to save the parameters. 17. On the Layer 4 Policy Table page, click the Create button. 18. On the Layer 4 Policy Table Create page, enter the necessary parameters as shown here. Copyright 2008, Juniper Networks, Inc. 13

14 Note: This Layer 4 policy is for main cluster Infranet Controller communication traffic. 19. Click the Set button to save the parameters. 20. On the Layer 4 Policy Table page, click the Create button. 21. On the Layer 4 Policy Table Create page, enter the necessary parameters as shown here. Note: This Layer 4 policy is for main cluster Infranet Controller communication traffic. 22. Click the Set button to save the parameters. Verify that the new entries were created on the 23. Layer 4 Policy Table page; your table should be similar to the one shown here. 14 Copyright 2008, Juniper Networks, Inc.

15 Note: Repeat the Layer 4 policy definition process shown at the beginning of this section for both Cluster A and Cluster B virtual IP and port definitions. The policy definition values are the same as for the main cluster, so you can use the command-line interface (CLI) configuration file statements for the Layer 4 policies created so far and the same logic, adding the clusters and changing the Layer 4 policy name, virtual IP, and farm name. The Layer 4 policy definitions created above can be seen in the appendix. The new Layer 4 policy statements can be appended to the existing configuration file by choosing File > Configuration > Send to Device. Client Network Address Translation Configuration 1. From the menu, choose AppDirector > NAT > Client NAT to display the Client NAT Global Parameters page. 2. On the Client NAT Global Parameters page, change the parameters as shown here. 3. Click the Set button to save parameters. 4. Click the Client NAT Intercept Table hyperlink at the top of the configuration window. 5. Click the Create button. 6. On the Client NAT Intercept Table Create page, enter the necessary parameters as shown here. Copyright 2008, Juniper Networks, Inc. 15

16 7. Click the Set button to save parameters. 8. Click the Client NAT Address Table hyperlink at the top of the configuration window. 9. Click the Create button. 10. On the Client NAT Address Table Create page, enter the necessary parameters as shown here. 11. Click the Set button to save the parameters. 12. From the menu, choose AppDirector > Farms > Farm Table to display the Farm Table page. 13. Click the Extended Farm Parameters hyperlink near the top of the page. 14. On the Extended Farm Parameters page, click the MainCluster farm name and enter the necessary parameters as shown here. 15. Click the Set button to save parameters. 16. On the Extended Farm Parameters page, click the ClusterA farm name and enter the necessary parameters as shown here. 17. Click the Set button to save the parameters. 16 Copyright 2008, Juniper Networks, Inc.

17 18. On the Extended Farm Parameters page, click the ClusterB farm name and enter the necessary parameters as shown here. 19. Click the Set button to save the parameters. Adding Servers to the Farm 1. From the menu, choose AppDirector > Servers > Application Servers to display the Server Table page. 2. On the Server Table page, click the Create button. 3. On the Server Table Create page, enter the necessary parameters as shown here. 4. Click the Set button to save the parameters. 5. Create the second server using the information shown here. Copyright 2008, Juniper Networks, Inc. 17

18 6. Click the Set button to save the parameters. 7. Create the third server using the information shown here. 8. Click the Set button to save the parameters. 18 Copyright 2008, Juniper Networks, Inc.

19 9. Create the fourth server using the information shown here. 10. Click the Set button to save the parameters. 11. Create the fifth server using the information shown here. 12. Click the Set button to save the parameters. Copyright 2008, Juniper Networks, Inc. 19

20 13. Create the sixth server using the information shown here. 14. Click the Set button to save the parameters. Note: Repeat the server-to-farm mapping policy definitions for both Cluster A and Cluster B. Notice from the mapping following table that Cluster A and B have only half the servers defined for the main cluster. In the design presented here, three farms are mapped to six servers in the following way: Farm Servers MainCluster 12, 13, 14 and 22, 23, 24 ClusterA 12, 13, 14 ClusterB 22, 23, 24 Health Monitoring Configuration 1. From the menu, choose Health Monitoring > Global Parameters to display the Health Monitoring Global Parameters page. 2. On the Health Monitoring Global Parameters page, change the parameters as shown here. 3. Click the Set button to save the parameters. 20 Copyright 2008, Juniper Networks, Inc.

21 4. From the menu, choose Health Monitoring > Check Table to display the Health Monitoring Check Table page. 5. To create the health monitoring check for the first server, click the Create button. 6. On the HM Check Table Create page, enter the necessary parameters as shown here. 7. Click the Set button to save the parameters. 8. To create the health monitoring second check for Server 12, click the Create button. 9. On the HM Check Table Create page, enter the necessary parameters as shown here. Copyright 2008, Juniper Networks, Inc. 21

22 10. Click the Set button to save the parameters. 11. Click the Create button. 12. On the HM Check Table Create page, enter the necessary parameters as shown here. 13. Click the Set button to save the parameters. 14. Click the Create button. 15. On the HM Check Table Create page, enter the necessary parameters as shown here. 16. Click the Set button to save the parameters. 22 Copyright 2008, Juniper Networks, Inc.

23 17. Click the Create button. 18. On the HM Check Table Create page, enter the necessary parameters as shown here. 19. Click the Set button to save the parameters. 20. Click the Create button. 21. On the HM Check Table Create page, enter the necessary parameters as shown here. 22. Click the Set button to save the parameters. Note: Repeat the health check definitions for Servers 13, 14, 22, 23, and 24. The policy values for the individual service checks are the same as the Server 12 entries. You can also use the CLI configuration file statements for the health check policies created so far and the same logic, adding the servers and making changes to their IP and server names. The health check server definitions presented here can be seen in the primary configuration file in the appendix. The new server statements can be appended to the existing configuration file by choosing File > Configuration > Send to Device. Copyright 2008, Juniper Networks, Inc. 23

24 Binding Health Checks to Servers 1. To create the health monitoring binding for the first server, from the menu, choose Health Monitoring > Binding Table to display the Health Monitoring Binding Table page. 2. Click the Create button. 3. On the HM Binding Table Create page, enter the necessary parameters as shown here. 4. Click the Set button to save the parameters. 5. Click the Create button. 6. On the HM Binding Table Create page, enter the necessary parameters as shown here. 7. Click the Set button to save the parameters. 8. Verify that the new entry was created on the Health Monitoring Table page. 24 Copyright 2008, Juniper Networks, Inc.

25 Note: Repeat the health check binding definitions for all ports defined on all the remaining servers: Servers 12, 13, 14, 22, 23, and 24. Notice that each server port value maps to two farms according to the following table. Farm Servers MainCluster 12, 13, 14 and 22, 23, 24 ClusterA 12, 13, 14 ClusterB 22, 23, 24 The remaining health service check values for Server 12 follow the same binding logic as those created here, as do all port checks for Servers 13 and 14. Servers 22, 23, and 24 map to both the main cluster and Cluster B farms. You can also to use the CLI configuration file statements for the health check policies created so far and the same logic, adding the check bindings by making changes to the check name and the logic farm and server mappings. The health check server definitions presented here can be seen in the primary configuration file in the appendix. The new server statements can be appended to the existing configuration file by choosing File > Configuration > Send to Device. Primary AppDirector VRRP Configuration Note: Radware offers two means of redundancy and failover between pairs of devices: proprietary and VRRP. Since VRRP is the more commonly used method within the industry, this section presents the steps to configure both AppDirector devices using that method. 1. From the menu, choose AppDirector > Redundancy > Global Configuration and set the parameters as shown here. 2. Click the Set button to save these changes. 3. Choose AppDirector > Redundancy > VRRP > Virtual Routers and create a new entry. Copyright 2008, Juniper Networks, Inc. 25

26 4. Click the Set button to save the parameters. 5. Choose AppDirector > Redundancy > VRRP > Associated IP Addresses and create a new entry. 6. Click the Set button to save the parameters. You should have a single entry in the Associated IP Addresses table, as shown here. 7. Create a second entry in the Associated IP Addresses table as shown here. This is the main cluster virtual IP address. 8. Click the Set button to save the parameters. 9. Create another entry in the Associated IP Addresses table as shown here. 26 Copyright 2008, Juniper Networks, Inc.

27 This is the Cluster A virtual IP address. 10. Click the Set button to save the parameters. 11. Create another entry in the Associated IP Addresses table as shown here. This is the Cluster B virtual IP address. 12. Click the Set button to save the parameters. 13. Create another entry in the Associated IP Addresses table as shown here. This is the client NAT IP address. Click the 14. Set button to save the parameters. The Associated IP Addresses table should now contain five entries, as shown here. Copyright 2008, Juniper Networks, Inc. 27

28 15. Choose AppDirector > Redundancy > VRRP > Virtual Routers and click the link to If Index F-1 as shown here. 16. Change Admin Status to up, but leave all other settings unchanged as shown here. 17. Click the Set button to save the parameters. 18. On the Virtual Router Table page, verify that the State setting for this virtual router is master as shown here. 28 Copyright 2008, Juniper Networks, Inc.

29 19. Choose AppDirector > Redundancy > Mirroring > Active Device Parameters and set the Client Table Mirroring status to enable as shown here. 20. Click the Set button to save the parameters. 21. Choose AppDirector > Redundancy > Mirroring > Mirror Device Parameters and create a new entry as shown here. This sets the backup AppDirector target address used for mirror traffic. 22. Click the Set button to save the parameters. This completes configuration of the primary AppDirector. Copyright 2008, Juniper Networks, Inc. 29

30 Backup AppDirector Configuration The overall configuration of a backup AppDirector is almost identical in many ways to that of the primary (active) device. There are, however, several important differences, which are noted throughout these steps. Initial Backup AppDirector Configuration Using a serial cable and a terminal emulation program, connect to AppDirector. The default console port settings are: Bits per Second: Data Bits: 8 Parity: None Stop Bits: 1 Flow Control: None Enter the following command to assign management IP address / 24 to interface 17 (dedicated management interface) of AppDirector: net ip-interface create Note: Connectivity to AppDirector can be established at this time if the client resides on the same management subnet Enter the following command to assign IP address / 24 to interface 1 (production traffic connectivity) of AppDirector: net ip-interface create Enter the following command to create a default gateway route entry on AppDirector pointing to : net route table create i 1 Using a browser, connect to the management IP address of the backup AppDirector ( ) via HTTP or HTTPS. The default username and password are radware and radware. Farm Configuration The farm configuration is identical to that for the primary AppDirector. Please refer to the corresponding section for specific instructions. Layer 4 Policy Configuration 1. The Layer 4 policy configuration is the same as for the primary AppDirector with one exception: Each Layer 4 policy should be configured with a Redundancy Status value of Backup. Here is the additional switch value required on the primary AD L4 policy CLI statements if desired for upload. Here is the original Layer 4 policy for the primary device: appdirector l4-policy table create TCP MainVIP-80 \ -fn MainCluster -ta HTTP To use the statement for the backup device, change it as shown here in bold: appdirector l4-policy table create TCP MainVIP-80 \ -fn MainCluster -ta HTTP -rs Backup Note: In the design presented here, three virtual IP addresses are used to represent three farms: Virtual IP Farm Ports in Use MainCluster TCP: 80, 443, UDP: 1645, 1646, 1812, ClusterA TCP: 80, 443, UDP: 1645, 1646, 1812, ClusterB TCP: 80, 443, UDP: 1645, 1646, 1812, 1813 When you specify port values in the Layer 4 policy table, an access list is automatically created for undefined values. 30 Copyright 2008, Juniper Networks, Inc.

31 2. Please refer to the primary AppDirector Layer 4 policy configuration instructions, keeping in mind that redundancy mode must be changed to Backup. Here is an example of the first policy in Backup status: Choose AppDirector > Layer 4 Farm Selection > Layer 4 Policy Table and create a new entry as shown here. Note: The redundancy status for this farm has been set to Backup. Client Network Address Translation Configuration The client NAT configuration is identical to that for the primary AppDirector. Please refer to the corresponding section for specific instructions. Adding Servers to the Farm The server table configuration is identical to that for the primary AppDirector. Please refer to the corresponding section for specific instructions. Health Monitoring Configuration The health monitoring and check table configurations are identical to those for the primary AppDirector. Please refer to the corresponding section for specific instructions. Binding Health Checks to Servers The health monitoring binding table configuration is identical to that for the primary AppDirector. Please refer to the corresponding section for specific instructions. Backup AppDirector VRRP Configuration On the Backup AppDirector, choose 1. AppDirector > Redundancy > Global Configuration and change the settings shown here. Copyright 2008, Juniper Networks, Inc. 31

32 2. Click the Set button to save the parameters. 3. Choose AppDirector > Redundancy > VRRP > Virtual Routers and create a new entry as shown here. Note: The priority on the backup AppDirector is set to 100; on the primary device, this value was set to 255. The device with the higher priority will be the master of this virtual router. 4. Click the Set button to save the parameters. 5. Choose AppDirector > Redundancy > VRRP > Associated IP Addresses and create a new entry as shown here. 6. Create a second entry in the Associated IP Addresses table as shown here. This is the main cluster virtual IP address. 7. Click the Set button to save the parameters. 8. Create another entry in the Associated IP Addresses table as shown here. 32 Copyright 2008, Juniper Networks, Inc.

33 This is the Cluster A virtual IP address. 9. Click the Set button to save the parameters. 10. Create another entry in the Associated IP Addresses table as shown here. This is the Cluster B virtual IP address. 11. Click the Set button to save the parameters. 12. Create another entry in the Associated IP Addresses table as shown here. This is the client NAT IP address. 13. Click the Set button to save the parameters. Choose 14. AppDirector > Redundancy > VRRP > Virtual Routers and click the link to If Index F-1 as shown here. Copyright 2008, Juniper Networks, Inc. 33

34 15. Change Admin Status to up as shown here. 16. Click the Set button to save the parameters. 17. Verify that the State setting for the backup device for this virtual router is backup as shown here. 18. Choose AppDirector > Redundancy > Mirroring > Backup Device Parameters and set the mirroring status to enable as shown here. 19. Click the Set button to save the parameters. 20. Choose AppDirector > Redundancy > Mirroring > Mirror Device Parameters and create a new entry as shown here. This sets the primary AppDirector target address used for mirror traffic. 21. Click the Set button to save the parameters. This concludes the configuration of the backup AppDirector and the local high-availability solution. See the appendix for the actual configurations. 34 Copyright 2008, Juniper Networks, Inc.

35 Summary As access networks grow and endpoints compete for both internal and external network access resources, enterprises need to maintain security, response times and service availability to ensure the best quality experience for end users. The Juniper Networks Infranet Controller-Radware AppDirector joint solution provides a highly available and scalable policy management service that does just that. The IC pushes the UAC agent down to the endpoint to collect user authentication, endpoint security state and device location information, or it can gather that same information in agentless mode. Radware AppDirector provides scalability and application-level security for service infrastructure optimization, fault tolerance and redundancy --ensuring local and global server availability and accelerated application performance while safeguarding services with integrated intrusion prevention and denial of service (DoS) protection. Together, the two components offer a best-in-class solution that helps enterprises get the most out of their infrastructure investments by maximizing the utilization and performance of their service resources. Copyright 2008, Juniper Networks, Inc. 35

36 Appendix High Availability Design Configurations Primary Configuration from OnDemand Switch 2 Platform!Device Configuration!Date: :53:46!DeviceDescription: AppDirector Global!Base MAC Address: 00:03:b2:3d:38:c0!Software Version: (Build date Feb , 23:50:02,Build#50)!APSolute OS Version: (26): ! manage snmp versions-after-reset set v1 & v2c & v3 net ip-interface create net ip-interface create net route table create i 1 redundancy mode set VRRP appdirector farm table setcreate MainCluster -as Enabled -dm Fewest Number of Users -cm No Checks appdirector farm table setcreate ClusterA -as Enabled -dm Fewest Number of Users -cm No Checks appdirector farm table setcreate ClusterB -as Enabled -dm Fewest Number of Users -cm No Checks appdirector farm server table create MainCluster None -sn \ Server-12 -id 1 -rt cn Enabled -ba appdirector farm server table create MainCluster None -sn \ Server-13 -id 2 -rt cn Enabled -ba appdirector farm server table create MainCluster None -sn \ Server-14 -id 3 -rt cn Enabled -ba appdirector farm server table create MainCluster None -sn \ Server-22 -id 4 -rt cn Enabled -ba appdirector farm server table create MainCluster None -sn \ server-23 -id 5 -rt cn Enabled -ba appdirector farm server table create MainCluster None -sn \ Server-24 -id 6 -rt cn Enabled -ba appdirector farm server table create ClusterA None -sn \ Server-12 -id 7 -rt cn Enabled -ba appdirector farm server table create ClusterA None -sn \ Server-13 -id 8 -rt cn Enabled -ba appdirector farm server table create ClusterA None -sn \ Server-14 -id 9 -rt cn Enabled -ba Copyright 2008, Juniper Networks, Inc.

37 appdirector farm server table create ClusterB None -sn \ Server-22 -id 10 -rt cn Enabled -ba appdirector farm server table create ClusterB None -sn \ server-23 -id 11 -rt cn Enabled -ba appdirector farm server table create ClusterB None -sn \ Server-24 -id 12 -rt cn Enabled -ba redundancy interface-group set enable redundancy mirror main client-status set enable redundancy backup-in-vlan set disable redundancy backup-fake-arp set enable appdirector farm connectivity-check httpcode setcreate MainCluster \ OK appdirector farm connectivity-check httpcode setcreate ClusterA \ OK appdirector farm connectivity-check httpcode setcreate ClusterB \ OK net next-hop-router setcreate fl 1 appdirector farm nhr setcreate ip fl 1 appdirector farm extended-params set MainCluster -nr appdirector farm extended-params set ClusterA -nr appdirector farm extended-params set ClusterB -nr appdirector nat client address-range setcreate t appdirector nat client range-to-nat setcreate t redundancy backup-interface-group set enable appdirector segmentation nhr-table setcreate DefaultNHR -ip fl \ 1 appdirector l4-policy table create TCP MainVIP-80 \ -fn MainCluster -ta HTTP appdirector l4-policy table create TCP MainVIP-443 \ -fn MainCluster -ta HTTPS appdirector l4-policy table create TCP \ MainVIP fn MainCluster appdirector l4-policy table create UDP \ MainVIP fn MainCluster appdirector l4-policy table create UDP \ MainVIP fn MainCluster appdirector l4-policy table create UDP \ MainVIP fn MainCluster appdirector l4-policy table create UDP \ MainVIP fn MainCluster Copyright 2008, Juniper Networks, Inc. 37

38 appdirector l4-policy table create TCP \ ClusterAVIP-80 -fn ClusterA -ta HTTP appdirector l4-policy table create TCP \ ClusterAVIP-443 -fn ClusterA -ta HTTPS appdirector l4-policy table create TCP \ ClusterAVIP fn ClusterA appdirector l4-policy table create UDP \ ClusterAVIP fn ClusterA appdirector l4-policy table create UDP \ ClusterAVIP fn ClusterA appdirector l4-policy table create UDP \ ClusterAVIP fn ClusterA appdirector l4-policy table create UDP \ ClusterAVIP fn ClusterA appdirector l4-policy table create TCP \ ClusterBVIP-80 -fn ClusterB -ta HTTP appdirector l4-policy table create TCP \ ClusterBVIP-443 -fn ClusterB -ta HTTPS appdirector l4-policy table create TCP \ ClusterBVIP fn ClusterB appdirector l4-policy table create UDP \ ClusterBVIP fn ClusterB appdirector l4-policy table create UDP \ ClusterBVIP fn ClusterB appdirector l4-policy table create UDP \ ClusterBVIP fn ClusterB appdirector l4-policy table create UDP \ ClusterBVIP fn ClusterB appdirector farm dns-persistency-params set MainCluster -gm appdirector farm dns-persistency-params set ClusterA -gm appdirector farm dns-persistency-params set ClusterB -gm redundancy vrrp automated-config-update set Enabled health-monitoring check create Server12-TCP-80 -id 1 -m TCP Port -p 80 \ -i 5 -r 3 -t 3 -d health-monitoring check create Server12-SSL-443 -id 2 -m SSL Hello -p \ 443 -i 5 -r 3 -t 3 -d health-monitoring check create Server12-TCP id 3 -m TCP Port -p \ i 5 -r 3 -t 3 -d health-monitoring check create Server12-Ping id 4 -p i 5 -r \ 38 Copyright 2008, Juniper Networks, Inc.

39 3 -t 3 -d health-monitoring check create Server12-Ping id 5 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server12-Ping id 6 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server12-Ping id 7 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server13-TCP-80 -id 8 -m TCP Port -p 80 \ -i 5 -r 3 -t 3 -d health-monitoring check create Server13-SSL-443 -id 9 -m SSL Hello -p \ 443 -i 5 -r 3 -t 3 -d health-monitoring check create Server13-TCP id 10 -m TCP Port \ -p i 5 -r 3 -t 3 -d health-monitoring check create Server13-Ping id 11 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server13-Ping id 12 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server13-Ping id 13 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server13-Ping id 14 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server14-TCP-80 -id 15 -m TCP Port -p \ 80 -i 5 -r 3 -t 3 -d health-monitoring check create Server14-SSL-443 -id 16 -m SSL Hello -p \ 443 -i 5 -r 3 -t 3 -d health-monitoring check create Server14-TCP id 17 -m TCP Port \ -p i 5 -r 3 -t 3 -d health-monitoring check create Server14-Ping id 18 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server14-Ping id 19 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server14-Ping id 20 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server14-Ping id 21 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server22-TCP-80 -id 22 -m TCP Port -p \ 80 -i 5 -r 3 -t 3 -d health-monitoring check create Server22-SSL-443 -id 23 -m SSL Hello -p \ 443 -i 5 -r 3 -t 3 -d Copyright 2008, Juniper Networks, Inc. 39

40 health-monitoring check create Server22-TCP id 24 -m TCP Port \ -p i 5 -r 3 -t 3 -d health-monitoring check create Server22-Ping id 25 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server22-Ping id 26 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server22-Ping id 27 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server22-Ping id 28 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server23-TCP-80 -id 29 -m TCP Port -p \ 80 -i 5 -r 3 -t 3 -d health-monitoring check create Server23-SSL-443 -id 30 -m SSL Hello -p \ 443 -i 5 -r 3 -t 3 -d health-monitoring check create Server23-TCP id 31 -m TCP Port \ -p i 5 -r 3 -t 3 -d health-monitoring check create Server23-Ping id 32 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server23-Ping id 33 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server23-Ping id 34 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server23-Ping id 35 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server24-TCP-80 -id 36 -m TCP Port -p \ 80 -i 5 -r 3 -t 3 -d health-monitoring check create Server24-SSL-443 -id 37 -m SSL Hello -p \ 443 -i 5 -r 3 -t 3 -d health-monitoring check create Server24-TCP id 38 -m TCP Port \ -p i 5 -r 3 -t 3 -d health-monitoring check create Server24-Ping id 39 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server24-Ping id 40 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server24-Ping id 41 -p i 5 -r \ 3 -t 3 -d health-monitoring check create Server24-Ping id 42 -p i 5 -r \ 3 -t 3 -d health-monitoring binding create Copyright 2008, Juniper Networks, Inc.

41 health-monitoring binding create 2 1 health-monitoring binding create 3 1 health-monitoring binding create 4 1 health-monitoring binding create 5 1 health-monitoring binding create 6 1 health-monitoring binding create 7 1 health-monitoring binding create 8 2 health-monitoring binding create 9 2 health-monitoring binding create 10 2 health-monitoring binding create 11 2 health-monitoring binding create 12 2 health-monitoring binding create 13 2 health-monitoring binding create 14 2 health-monitoring binding create 15 3 health-monitoring binding create 16 3 health-monitoring binding create 17 3 health-monitoring binding create 18 3 health-monitoring binding create 19 3 health-monitoring binding create 20 3 health-monitoring binding create 21 3 health-monitoring binding create 22 4 health-monitoring binding create 23 4 health-monitoring binding create 24 4 health-monitoring binding create 25 4 health-monitoring binding create 26 4 health-monitoring binding create 27 4 health-monitoring binding create 28 4 health-monitoring binding create 29 5 health-monitoring binding create 30 5 health-monitoring binding create 31 5 health-monitoring binding create 32 5 health-monitoring binding create 33 5 health-monitoring binding create 34 5 health-monitoring binding create 35 5 health-monitoring binding create 36 6 health-monitoring binding create 37 6 health-monitoring binding create 38 6 health-monitoring binding create 39 6 health-monitoring binding create 40 6 Copyright 2008, Juniper Networks, Inc. 41

42 health-monitoring binding create 41 6 health-monitoring binding create 42 6 health-monitoring binding create 1 7 health-monitoring binding create 2 7 health-monitoring binding create 3 7 health-monitoring binding create 4 7 health-monitoring binding create 5 7 health-monitoring binding create 6 7 health-monitoring binding create 7 7 health-monitoring binding create 8 8 health-monitoring binding create 9 8 health-monitoring binding create 10 8 health-monitoring binding create 11 8 health-monitoring binding create 12 8 health-monitoring binding create 13 8 health-monitoring binding create 14 8 health-monitoring binding create 15 9 health-monitoring binding create 16 9 health-monitoring binding create 17 9 health-monitoring binding create 18 9 health-monitoring binding create 19 9 health-monitoring binding create 20 9 health-monitoring binding create 21 9 health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create Copyright 2008, Juniper Networks, Inc.

43 health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring binding create health-monitoring status set enable redundancy vrrp virtual-routers create 1 1 -as up -p 255 -pip redundancy vrrp associated-ip create redundancy vrrp associated-ip create redundancy vrrp associated-ip create redundancy vrrp associated-ip create redundancy vrrp associated-ip create manage user table create radware -pw GndridF04zNWSGOrZjKFV78REiEra/Qm manage telnet status set enable manage telnet server-port set 23 manage web status set enable manage ssh status set enable manage secure-web status set enable redundancy arp-interface-group set Send net l2-interface set ad up redundancy vrrp global-advertise-int set 0 manage snmp groups create SNMPv1 public -gn initial manage snmp groups create SNMPv1 ReadOnlySecurity -gn InitialReadOnly manage snmp groups create SNMPv2c public -gn initial manage snmp groups create SNMPv2c ReadOnlySecurity -gn InitialReadOnly manage snmp groups create UserBased radware -gn initial manage snmp groups create UserBased ReadOnlySecurity -gn InitialReadOnly manage snmp access create initial SNMPv1 noauthnopriv -rvn iso -wvn iso \ -nvn iso manage snmp access create InitialReadOnly SNMPv1 noauthnopriv -rvn \ ReadOnlyView manage snmp access create initial SNMPv2c noauthnopriv -rvn iso -wvn iso \ -nvn iso manage snmp access create InitialReadOnly SNMPv2c noauthnopriv -rvn \ ReadOnlyView manage snmp access create initial UserBased authpriv -rvn iso -wvn iso \ -nvn iso manage snmp access create InitialReadOnly UserBased authpriv -rvn \ ReadOnlyView Copyright 2008, Juniper Networks, Inc. 43