Novell BorderManager AppNote

Deploying Load Balancing for Novell BorderManager Proxy using the Session Failover Feature of NBM 3.8.4 and an L4 Switch

Bhavani ST and Gaurav Vaidya, Software Consultants
stbhavani@novell.com, gvaidya@novell.com

Abstract: This document provides a solution for high availability and failover for the HTTP forward proxy that is transparent to end users. The solution is based on the load-balancing capability of any L4 switch and the session failover feature of Novell BorderManager 3.8.4.
Table of Contents

1. Introduction
2. Intended Audience
3. Pre-requisites/Assumptions
4. The Background
   4.1 Novell BorderManager Proxy
   4.2 Session Failover with BorderManager 3.8.4
   4.3 How Session Failover Works
   4.4 Load Balancing the BorderManager Proxy
5. Proposed Solution
   5.1 Set of Actions
   5.2 Information on Network Diagram
6. Steps to Configure
   6.1 Configure HTTP Service on BorderManager Proxy
   6.2 Configuring Auth Agent
   6.3 Start Auth Agent
   6.4 Configuring Proxy for Session Failover
   6.5 Start Proxy Agent
   6.6 Configure L4 Switch
   6.7 Verification of the Setup
7. Conclusion
8. Reference
1. Introduction

When a large number of authenticated users access the BorderManager Proxy service on multiple proxy servers, it becomes important to optimize the usage of the proxy servers. Traditionally each BorderManager proxy keeps its own record of authenticated users and does not share that information with other proxies. With the introduction of the session failover feature in BorderManager 3.8.4, a proxy can now share authenticated-user information with the other BorderManager proxies configured in the system. This AppNote builds on that feature and provides guidelines for deploying Novell BorderManager Proxy with load-balancing capability to service a large number of users. The solution uses a farm of multiple BorderManager 3.8.4 servers connected through a Layer-4 switch together with the session failover feature of Novell BorderManager 3.8.4.

2. Intended Audience

- Those who want efficient utilization of their BorderManager proxy servers in a multi-proxy deployment.
- Those who want to use the load-balancing capabilities of an L4 switch with BorderManager proxy for high availability.
- Those who want to add session failover capability to a multi-proxy BorderManager deployment (i.e. provide 24 x 7 service even if connectivity to any one proxy server is lost).

3. Pre-requisites/Assumptions

- Users/administrators are familiar with Novell BorderManager Proxy.
- Users/administrators know how to configure Proxy services, i.e. the usage of NWADMIN.
- The administrator has worked with the L4 switch they intend to use with this solution. In this AppNote we cover at a high level what needs to be configured on the switch for it to work with Novell BorderManager.
4. The Background

4.1 Novell BorderManager Proxy

There are three main applications of Novell BorderManager proxy: forward, reverse and transparent proxies. Novell BorderManager's HTTP forward proxy is used by most organizations to provide Internet access to their employees. The forward proxy is one of the most widely used features because of its caching, authentication and single-sign-on capabilities.

Novell BorderManager proxy has no built-in load-balancing capability except when deployed as a cluster, and even load balancing in a cluster scenario still requires users to re-authenticate when they switch proxies. The advantage Novell BorderManager provides in the cluster environment is that the cached information is available to the other nodes of the cluster: once re-authentication is complete, the new proxy node can service web requests from the cache. So although cache information is shared with all the nodes in the cluster, the authentication information is not. Now, with the release of BorderManager 3.8.4, a proxy can share authentication information using the session failover feature.

4.2 Session Failover with BorderManager 3.8.4

Version 3.8.4 of Novell BorderManager adds a new feature that provides session failover capability. This feature allows multiple proxies to share a user's authentication information. Whenever a user logs in, logs out or times out at a proxy, that information is shared with the other pre-configured proxies through an agent. This arrangement enables a user to switch to another proxy during an Internet access session.

4.3 How Session Failover Works

The solution has two components: the Auth Agent and the Proxy Agent. There is generally one Auth Agent configured in the system and a Proxy Agent configured at each BorderManager proxy. All the entities share a similar configuration file, which defines the Auth Agent and all the proxy agents in the system.
The Auth Agent is a central entity that collects information from multiple proxy agents and distributes it to all the other proxy agents. This ensures that authentication information is shared among all proxies configured to use the Auth Agent: even if a user has authenticated to only one proxy, that information is shared with all the other configured proxies. The Auth Agent is a Java application and can be deployed on either a NetWare or a Linux server.

The Proxy Agent is the new authchk.nlm, running on each proxy server configured for session failover. A Proxy Agent runs on each BorderManager proxy server and is responsible for informing the Auth Agent about every user login, logout or timeout. Whenever such an event happens at any proxy, the Auth Agent forwards the information to every other proxy where a Proxy Agent is configured, and that Proxy Agent updates its local authenticated-users table on receiving the information from the Auth Agent.

4.4 Load Balancing the BorderManager Proxy

Prior to Novell BorderManager 3.8.4 (i.e. the session failover feature) it was not possible to provide transparent load balancing for proxy servers. As mentioned earlier, a proxy deployed on a cluster could provide failover, but it is not transparent: the user must re-authenticate to the newly switched proxy. With the introduction of the session failover feature, all the proxies in the deployed network can be configured to share authentication information, which makes it possible to load-balance BorderManager proxy servers.

5. Proposed Solution

To provide load-balancing capability, an L4 switch is configured to distribute the load among the different proxies. The Novell BorderManager proxies are configured behind the L4 switch, and each proxy server is configured with the session failover feature for sharing authentication information. Figure-1 shows the sample setup used for the purpose of this AppNote; details about the setup are described in Section 5.2.
In the proposed load-balancing solution, a typical sequence of interaction between the users, the L4 switch, the Novell BorderManager Proxy (Proxy Agent) and the Auth Agent is described below:
5.1 Set of Actions

1. The user authenticates via the L4 switch to one of the proxies (as selected by the L4 switch).
2. Once authentication is successful, the proxy sends the authentication information to the Auth Agent, which in turn distributes it to the other proxies in the setup.
3. After successful authentication, even if the L4 switch sends a subsequent HTTP request to a different proxy, that proxy is able to service the request without asking the user to re-authenticate.
4. If for some reason connectivity to any of the proxies is lost, the L4 switch forwards the client's requests to another proxy in the setup and the request can still be serviced.
5. In the event of a user logout or an authentication timeout, the information is propagated to all the proxies through the Auth Agent (as in Step 2).

Figure-1: Network Diagram for Load Balancing Setup
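The sequence above, simulated as an added example (not code from the AppNote or from Novell): an Auth Agent fans each login/logout event out to the other proxies' local tables, the L4 switch picks a proxy by a client-IP hash (the HASH policy of section 6.6), and a request issued after the chosen proxy goes down is served without re-authentication. The proxy addresses, client address, user name and the CRC32 hash are constructed assumptions, not the real wire protocol.

```python
import zlib

class AuthAgent:
    """Central relay (section 4.3): forwards each event to every other Proxy Agent."""
    def __init__(self):
        self.proxies = []
    def publish(self, origin, event, user):
        for p in self.proxies:
            if p is not origin:
                p.apply_remote(event, user)

class Proxy:
    """A BorderManager proxy plus its Proxy Agent and local authenticated-users table."""
    def __init__(self, name, agent):
        self.name, self.agent, self.up, self.authenticated = name, agent, True, set()
        agent.proxies.append(self)
    def apply_remote(self, event, user):
        # Proxy Agent updates the local table: 'login' adds, logout/timeout removes.
        (self.authenticated.add if event == "login" else self.authenticated.discard)(user)
    def handle(self, user, login=False):
        """Serve a request: 'served', or 'auth-prompt' if the user must log in here."""
        if user not in self.authenticated and not login:
            return "auth-prompt"
        if login:
            self.authenticated.add(user)
            self.agent.publish(self, "login", user)   # step 2: share via Auth Agent
        return "served"
    def logout(self, user):
        self.authenticated.discard(user)
        self.agent.publish(self, "logout", user)

def l4_hash_select(client_ip, proxies):
    """HASH policy (section 6.6): bind a client to one live real server by its IP."""
    live = [p for p in proxies if p.up]
    return live[zlib.crc32(client_ip.encode()) % len(live)]

def run_scenario():
    """Walk through the Set of Actions with constructed addresses and user name."""
    agent = AuthAgent()
    proxies = [Proxy("10.10.1.%d" % i, agent) for i in (1, 2, 3)]
    client, user = "10.10.5.20", "alice"        # constructed sample values
    first = l4_hash_select(client, proxies)
    prompt = first.handle(user)                 # step 1: not yet authenticated
    first.handle(user, login=True)              # steps 1-2: login, then shared
    first.up = False                            # step 4: that proxy goes down
    second = l4_hash_select(client, proxies)
    after_failover = second.handle(user)        # step 3: no re-authentication
    second.logout(user)                         # step 5: logout propagates
    still_in = [p.name for p in proxies if user in p.authenticated]
    return prompt, after_failover, second is not first, still_in
```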
5.2 Information on Network Diagram

Following are the details of the network setup shown in Figure-1.

Proxy (BorderManager Server): All NBM servers are configured with forward HTTP proxy and authentication enabled. These servers have their private interface in the 10.x.x.x network and their public interface in the 192.168.10.x network.
    Brand     : Dell PowerEdge 2650 series
    Processor : Intel Xeon 1.8 GHz
    RAM       : 2 GB

L4 Switch: The L4 switch is configured for load balancing among the 3 proxy servers. It is in the same network as the clients and the private interface of the BorderManager servers. For this setup it also provides connectivity between the proxies and the Auth Agent.
    Brand      : Alteon 184 series
    OS Version : 10.0.32.1

Clients:
    Brand     : Connoi
    Processor : Intel Pentium 4
    RAM       : 1 GB
6. Steps to Configure

6.1 Configure HTTP Service on BorderManager Proxy

Configure the BorderManager server for forward proxy; the following link provides detailed configuration information:
http://www.novell.com/documentation/nbm38/index.html?page=/documentation/nbm38/inst_admin/data/hbvwoadz.html#hbvwoadz

To configure authentication for the forward proxy, use the following link:
http://www.novell.com/documentation/nbm38/index.html?page=/documentation/nbm38/inst_admin/data/huvskz48.html#huvskz48

NOTE: Configure the same Idle Timeout value on all the proxies that take part in load balancing.

6.2 Configuring Auth Agent

The Auth Agent can be configured on either a NetWare or a Linux server. For this AppNote we are considering Linux.

1. Copy bmauth.jar to the system where the Auth Agent is being configured.
2. Create auth.cfg in the /etc/proxy directory (SYS:/ETC/PROXY/ for NetWare). You can copy the sample auth.cfg file to the /etc/proxy folder from the SYS:/ETC folder of the BorderManager server.
3. Modify the file as per your setup. The Auth Agent and the Proxy Agents must be able to contact each other, so choose the proxy interface that is in the same network as the Auth Agent. For example, the auth.cfg file for Figure-1 would look as follows:
    [proxy agents]
    1=10.10.1.1
    2=10.10.1.2
    3=10.10.1.3
    [auth ]
    ipport1=10.10.1.5:9023
    [debug]
    Level=10
    File=auth.log

In the above sample configuration, 1, 2 and 3 are the unique proxy IDs for Proxy Agent-1 (10.10.1.1), Proxy Agent-2 (10.10.1.2) and Proxy Agent-3 (10.10.1.3). 10.10.1.5 is the IP address of the server where the Auth Agent is running.

6.3 Start Auth Agent

Java must be installed on the server where the Auth Agent is configured. Use the following command to start the Auth Agent:

    java -classpath <full_path_of_bmauth.jar> com.novell.bordermanager.proxy.auth.authdb

6.4 Configuring Proxy for Session Failover

The trust between the Proxy Agent and the Auth Agent is established by the configuration file. The Proxy Agent has a configuration file similar to the one configured for the Auth Agent. Before starting a Proxy Agent, make sure that the Auth Agent is configured and running. Copy the sample auth.cfg file to the SYS:/etc/proxy folder from the SYS:/ETC folder of the BorderManager server. For example, the auth.cfg file for the first proxy server in the setup would look as follows:
    [proxy agents]
    1=localhost
    2=10.10.1.2
    3=10.10.1.3
    [auth ]
    ipport1=10.10.1.5:9023
    [debug]
    Level=10
    File=auth.log

Again, in the above file 1, 2 and 3 are the unique proxy IDs for Proxy Agent-1 (10.10.1.1), Proxy Agent-2 (10.10.1.2) and Proxy Agent-3 (10.10.1.3), and 10.10.1.5 is the IP address of the server where the Auth Agent is configured.

NOTE: Difference between the Auth Agent's and the Proxy Agent's auth.cfg files. Comparing the two auth.cfg files shows that each individual Proxy Agent must enter the value localhost for its own (local) entry.

6.5 Start Proxy Agent

On the NetWare console of your BorderManager proxy server, run stopbrd and then startbrd after configuring the auth.cfg file. On restarting the BorderManager services, the proxy service starts together with the Proxy Agent, and the logger screen shows that session failover is enabled.

6.6 Configure L4 Switch

Different L4 switches may be deployed in different implementations. In this section we discuss the configuration of the L4 switch at a high level; users/administrators should configure the L4 switch deployed in their own network along similar lines. Following are the steps for the setup in this document (Figure-1):

1. Add all the BorderManager proxy servers as real servers. Configure the IP address and add the port for the service provided by each server. For this deployment the ports are 8080 and 443.
2. Configure a group containing the three real servers (i.e. proxies) configured in the step above. This group acts as the pool for load balancing.
3. Configure a virtual server with services for ports 8080 and 443. Attach the group created in step 2 to this virtual service, which enables the L4 switch to load-balance among the real servers, i.e. the proxies.
4. Finally, configure the load-balancing algorithm used to distribute the load among all the proxies. For the purpose of this AppNote the algorithm used was HASH (which binds a client to a specific server based on the client's IP address).

IMPORTANT NOTE: On the L4 Switch Load-Balancing Algorithm
An L4 switch provides various load-balancing algorithms, including load based, round robin, hash and many more. When the L4 switch is configured with a round-robin or load-based algorithm, the authentication requests themselves are distributed across multiple proxies, which may result in many security warning messages at the browser. The best choice of algorithm in this scenario is HASH, where every client is tied to one server based on the client's address.

6.7 Verification of the Setup

Configure the proxy setting of the browser at the client to use the L4 switch IP as the proxy address and 8080 as the port. Once all the configuration described above is complete, start an HTTP session from a client and observe through which proxy the user login happened. Once that is known, bring down that proxy server and initiate further HTTP requests. The proxy should not ask for re-authentication for the new HTTP requests.
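Before the end-to-end check above, the two auth.cfg variants from sections 6.2 and 6.4 can be compared offline. The following is an added example (not part of the AppNote or of Novell's tooling) that parses both files and reports where a Proxy Agent's copy disagrees with the Auth Agent's: a different ipport, a missing or extra proxy ID, or the local entry not set to localhost. The embedded files are constructed from the Figure-1 sample values; the parser's section-name normalization is an assumption.

```python
# Constructed from the AppNote's Figure-1 sample values (not real hosts).
AUTH_AGENT_CFG = """\
[proxy agents]
1=10.10.1.1
2=10.10.1.2
3=10.10.1.3
[auth ]
ipport1=10.10.1.5:9023
[debug]
Level=10
File=auth.log
"""
# Proxy Agent-1's copy: identical except that its own entry reads localhost.
PROXY1_CFG = AUTH_AGENT_CFG.replace("1=10.10.1.1", "1=localhost")

def parse_auth_cfg(text):
    """INI-style auth.cfg -> {section: {key: value}}; '[auth ]' == '[auth]'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError("malformed auth.cfg line: %r" % raw)
        sections[current][key.strip()] = value.strip()
    return sections

def check_proxy_cfg(auth_cfg_text, proxy_cfg_text, proxy_ip):
    """Compare a Proxy Agent's auth.cfg (for the proxy at proxy_ip) with the
    Auth Agent's copy; returns a list of problems, empty if they agree."""
    auth, proxy = parse_auth_cfg(auth_cfg_text), parse_auth_cfg(proxy_cfg_text)
    problems = []
    if auth.get("auth") != proxy.get("auth"):
        problems.append("[auth] ipport differs from the Auth Agent's copy")
    a_agents, p_agents = auth.get("proxy agents", {}), proxy.get("proxy agents", {})
    if set(a_agents) != set(p_agents):
        problems.append("proxy ID sets differ")
    for pid, addr in a_agents.items():
        # The local proxy lists itself as localhost; all others keep the Auth Agent's address.
        expected = "localhost" if addr == proxy_ip else addr
        if p_agents.get(pid) != expected:
            problems.append("ID %s: expected %s, found %s" % (pid, expected, p_agents.get(pid)))
    return problems
```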
7. Conclusion

Using the capabilities of two different products, i.e. an L4 switch and the BorderManager 3.8.4 session failover feature, one can add load-balancing capability to BorderManager proxy to provide high availability.

8. Reference

Online Documentation for BorderManager Session Failover:
http://www.novell.com/documentation/nbm38/index.html?page=/documentation/nbm38/inst_admin/data/bxizbb7.html#bxizbb7