axsguard Gatekeeper Internet Redundancy How To v1.2
Legal Notice

VASCO Products

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as 'VASCO'. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products.

Disclaimer of Warranties and Limitations of Liabilities

VASCO Products are provided as is without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose.

VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.
Intellectual Property and Copyright

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing.

This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee.

Trademarks

VASCO, VACMAN, IDENTIKEY, axsguard, DIGIPASS, and are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners.

Radius Disclaimer

Information on the RADIUS server provided in this document relates to its operation in the axsguard Gatekeeper environment. We recommend that you contact your NAS/RAS vendor for further information.

Copyright 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved.
Table of Contents

1 Introduction
  1.1 Audience and Purpose of this Document
  1.2 What is the axsguard Gatekeeper?
  1.3 About VASCO
2 Internet Redundancy Concept
  2.1 Overview
  2.2 What is Internet Redundancy?
  2.3 Load Balancing
  2.4 Internet Failover
  2.5 Directing Traffic
3 Internet Redundancy Configuration
  3.1 Overview
  3.2 Feature Activation
  3.3 Creating new Filters
  3.4 Modifying existing Filters
  3.5 Default Route for Unfiltered Traffic
  3.6 Setting the Device Priorities
  3.7 Changing the Filter Order
  3.8 Practical Examples
    3.8.1 Routing all outgoing DMZ Traffic through the Secondary Internet Device
    3.8.2 Routing all HTTP Traffic through the Primary Internet Device with a Failover
    3.8.3 Routing all Traffic for Audio through the Secondary Internet Device
    3.8.4 HTTP Load Balancing
    3.8.5 Using Load Balancing and Failover
4 Troubleshooting
5 Support
  5.1 Overview
  5.2 If you encounter a problem
  5.3 Return procedure if you have a hardware failure
1 Introduction

1.1 Audience and Purpose of this Document

This axsguard Gatekeeper Internet Redundancy How To v1.2 guide serves as a reference source for technical personnel and / or system administrators. It explains the configuration of the axsguard Gatekeeper Internet Redundancy Module.

- In sections 1.2 and 1.3, we introduce the axsguard Gatekeeper and VASCO.
- In section 2, we explain the concepts of Internet Redundancy, such as load balancing and Internet failover.
- In section 3, we explain how to configure and set up the Internet Redundancy Module on the axsguard Gatekeeper.
- In section 4, we offer some solutions to solve difficulties.
- In section 5, we explain how to request support, and return hardware for replacement.

Other documents in the set of axsguard Gatekeeper documentation include:

- axsguard Gatekeeper Installation Guide, which explains how to set up the axsguard Gatekeeper, and is intended for technical personnel and / or system administrators.
- 'How to guides', which provide detailed information on configuration of each of the features available as 'add-on' modules (explained in the next section). These guides cover specific features such as:
  - axsguard Gatekeeper Authentication
  - axsguard Gatekeeper Firewall
  - axsguard Gatekeeper Single Sign-On
  - axsguard Gatekeeper VPN
  - axsguard Gatekeeper Reverse Proxy
  - axsguard Gatekeeper Directory Services

Access to axsguard Gatekeeper guides is provided through the permanently on-screen Documentation button in the axsguard Gatekeeper Administrator Tool.

Further resources available include:

- Context-sensitive help, which is accessible in the axsguard Gatekeeper Administrator Tool through the Help button. This button is permanently available and displays information related to the current screen.
- Training courses covering features in detail can be organized on demand. These courses address all levels of expertise. Please see www.vasco.com for further information.

Welcome to axsguard Gatekeeper security.

1.2 What is the axsguard Gatekeeper?

The axsguard Gatekeeper is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the axsguard Gatekeeper has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, e-mail, Web access and VPN management.

The axsguard Gatekeeper can easily be integrated into existing IT infrastructures as a stand-alone authentication appliance or as a gateway providing both authentication services and Internet Security.

Authentication and other features such as firewall, e-mail and Web access, are managed by security policies, which implement a combination of rules, for example, whether a user must use a DIGIPASS One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system.

1.3 About VASCO

VASCO is a leading supplier of strong authentication and Electronic Signature solutions and services specializing in Internet Security applications and transactions. VASCO has positioned itself as a global software company for Internet Security serving customers in more than 100 countries, including many international financial institutions. VASCO's prime markets are the financial sector, enterprise security, e-commerce and e-government.

Over 50 of VASCO's client authentication technologies, products and services are based on VASCO's one and unique core authentication platform: VACMAN. VASCO solutions comprise combinations of the VACMAN core authentication platform, IDENTIKEY authentication server, axsguard authentication appliances, DIGIPASS client Password and Electronic Signature software and DIGIPASS PLUS authentication services.

For further information on these security solutions, please see www.vasco.com.

2 Internet Redundancy Concept

2.1 Overview

In this section, we explain the concept and aims of Internet Redundancy. If you are already familiar with the concept of Internet Redundancy, proceed to chapter 3.

The two major goals of Internet Redundancy are:

- Load Balancing: Distributing data across two or more Internet interfaces to ensure that a single Internet interface does not get overloaded with network traffic.
- Internet Failover: The capability to switch over automatically to a redundant or standby Internet interface, upon the failure of the previously active interface.
- Directing Traffic: The capability to dedicate an Internet interface to a certain type of traffic.

2.2 What is Internet Redundancy?

The Internet Redundancy Module has been designed for axsguard Gatekeepers with two or more Internet interfaces and allows administrators to assign and prioritize specific network traffic by designating the Internet interface which should be used for that traffic. This is done through the use of filters.

As the role of Internet driven businesses is constantly growing, the reliability of connections and the need for a constant availability of services is an absolute necessity for corporations. A corporate network can be subject to outages or disruptions if a network link, such as an ISP link, fails (in the case of a DoS attack or a temporary outage). Internet Redundancy allows you to counter this via load balancing and the Internet failover, which are explained in the following sections.

2.3 Load Balancing

In computer networking, load balancing is a technique to distribute the workload evenly across two or more computers, network links, CPUs, hard drives, or other resources, in order to get optimal resource utilization, maximize throughput, minimize response time, and to avoid overload.

From the Internet side, using multiple components with load balancing, instead of a single component, may increase reliability through redundancy. The load balancing service is usually provided by a dedicated program or hardware device, such as a multilayer switch or a DNS server.

On the axsguard Gatekeeper, load balancing for DNS is configured on the Public DNS module. For more information, see the axsguard Gatekeeper Public DNS How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Example of Load Balancing from the Internet

Suppose you have a web server which provides real-time information to your customers, such as tracking information about shipments. The server receives a lot of hits per second and has to deal with a lot of network traffic. To ease the burden and to avoid network traffic bottlenecks on a single Internet Interface, the load can be distributed evenly over the available Internet Interfaces, by assigning priorities for incoming traffic. Your server's name should of course resolve to two or more public IP addresses. This technique is also known as round robin DNS (see below).

Image 1: Example of Internet Redundancy Round Robin DNS

From the LAN side, load balancing also allows you to direct or prioritize certain outgoing network traffic over a selected Internet interface, equally divide outgoing network traffic over all available interfaces or to exclude traffic from being routed over a certain Internet device altogether.

Example of Load Balancing from the LAN

Assume that you have two Internet lines and you want all outgoing HTTP requests to be divided equally over both Internet lines. The axsguard Gatekeeper Internet Redundancy Module allows you to assign equal priorities to all outgoing HTTP requests, so that the HTTP network load is automatically and evenly balanced over the two Internet Interfaces. This option will be available as of axsguard Gatekeeper version 7.6.0, Revision 1.

2.4 Internet Failover

Internet failover is the capability to switch over automatically to a redundant or standby Internet interface upon the failure of the primary Internet interface. This ensures the availability of Internet services to the users and servers in your network.

Example

Assume you have an Active Directory server in your network, which is configured to automatically download and distribute system updates or anti-virus updates. The Active Directory server downloads these updates from the Internet. The axsguard Gatekeeper Internet Redundancy Module allows you to configure a scheme, so that the continuity of these downloads is ensured, even if one of the Internet interfaces were to fail (see Image 2).

Image 2: Example of Internet Failover - AD Updates

2.5 Directing Traffic

The axsguard Gatekeeper allows you to dedicate an Internet line to a certain type of network traffic.

Example

Assume that your company policy allows the use of Internet radio and you want all outgoing audio streaming requests to be routed over your second Internet line. The axsguard Gatekeeper Internet Redundancy Module allows you to assign filters so that these requests are routed over the desired Internet interface. The result is that the other Internet interfaces remain available for other (more crucial) traffic.

Image 3: Example of Traffic Redirection

3 Internet Redundancy Configuration

3.1 Overview

In this chapter, we explain how to set up and configure Internet Redundancy on the axsguard Gatekeeper. Topics covered in this chapter include:

- Internet Redundancy Feature activation
- Creating new Filters
- Setting Internet Device Priorities
- Some practical examples

3.2 Feature Activation

Before the Internet Redundancy Module can be configured, it needs to be activated (see Image 4):

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to System > Feature Activation.
3. Expand the Internet Redundancy option.
4. Check the "Do you use Internet Redundancy?" option.
5. Click on Update.

Image 4: Feature Activation

3.3 Creating new Filters

To create a new filter:

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to Network > Internet Redundancy.
3. Click on Add Filter.
4. Enter the settings as explained in Table 1.
5. Click on Save.

Image 5: Creating a new Filter

Table 1: Overview of Filter Settings

- Name: Enter a name for the Filter (mandatory).
- Description: Provide a description (optional).
- Enabled: Check to activate the Filter. (Also see section 3.6).
- Protocol: Select the desired protocol from the list. Leave empty to filter on any protocol.
- Source: Enter the source IP address(es), using the CIDR notation, i.e. the IP address(es) from which traffic is leaving. Leave this field empty or enter 0.0.0.0/0 to specify any IP address.
- Source Ports: Enter the source ports (only if known and TCP or UDP traffic is being filtered). Leave empty to specify any port.
- Destination: Enter the destination IP address(es), using the CIDR notation, i.e. the IP address(es) to which traffic is being sent. Leave this field empty or enter 0.0.0.0/0 to specify any IP address.
- Destination Ports: Enter the destination ports (only if you have selected to filter TCP or UDP traffic). Leave empty to specify any port.

3.4 Modifying existing Filters

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to Network > Internet Redundancy.
3. Select a Filter from the list.
4. Edit the settings as needed (see section 3.3).
5. Click on Update.

Image 6: Updating an existing Filter

3.5 Default Route for Unfiltered Traffic

This is the axsguard Gatekeeper default Filter for any traffic which is not specified. You can select through which Internet device that traffic is going to be routed first, then specify a second Interface, a third, etc. This default Filter cannot be modified. More information is provided in the next section.

Image 7: Default Route for Unfiltered Traffic

3.6 Setting the Device Priorities

In this section, we explain how to set the Internet device priorities for created or modified Filters (see sections 3.3 and 3.4), without which the Filter has no effect.

To set the Internet Device priorities:

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to Network > Internet Redundancy.
3. Set the Internet device priority for each Filter, by clicking on the drop-down menu (see Image 8).
4. Click on Save.

Image 8: Setting Internet Device Priorities

Notes

- If no priority is specified for an Internet device, it is not used (for that Filter).
- Filters can also be enabled or disabled via this screen.

The table below shows some examples of possible priorities.

Table 2: Examples of Internet Redundancy use and Device Priorities

Type                        Internet Device 1   Internet Device 2   Internet Device 3
Load Balancing              1                   1                   1
Failover                    1                   2                   3
Redirection                 -                   1                   -
Load Balancing + Failover   1                   1                   2

3.7 Changing the Filter Order

In this section, we explain how to set or change the order of traffic filters. This is critical if you have created 2 or more filters for the same type of traffic; one filter contains specific options, while other filters are more generic. Specific filters should always be placed before generic filters.

Example

Assume you have created a traffic filter which routes all HTTP traffic over Internet line 2 (Filter 1) and another traffic filter which routes HTTP traffic to a specific server on the Internet via Internet line 1 (Filter 2). If filter 1 appears 1st in the list, filter 2 will be discarded, since filter 1 matches all HTTP traffic (since it is a generic filter for all HTTP traffic). Make sure filter 2 is listed before filter 1.

To set or change the order of filters:

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to Network > Internet Redundancy.
3. Check the filter to be shifted.
4. Click the up or down button. This moves the filter up or down by one position.

Image 9: Changing the Orders of Filters

3.8 Practical Examples

In this section, we provide some practical configuration examples.

3.8.1 Routing all outgoing DMZ Traffic through the Secondary Internet Device

In this example, we explain how to route all outgoing DMZ traffic through the secondary Internet device only.

Caution

When using public IP addresses in your DMZ, make sure you assign the correct Internet interface (ISP) when creating a traffic filter. Traffic originating from these public IP addresses routed towards the wrong Internet interface (ISP) will be dropped by the ISP. Contact your ISP for more information.

Create the Filter:

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in section 3.3.
3. Enter the settings as displayed in the image below. (Use the IP range which applies to your DMZ).
4. Click on Save.

Image 10: Routing outgoing DMZ Traffic through Secondary Internet Device

Assign Internet device Priorities:

1. Follow the procedure as explained in section 3.6.
2. Set the priority of the first Internet device to -, as shown below.
3. Set the priority of the second Internet device to 1, as shown below.
4. Click on Save.

Image 11: Assigning DMZ Filter Priorities

3.8.2 Routing all HTTP Traffic through the Primary Internet Device with a Failover

In this example, we explain how to route all outgoing HTTP traffic through the primary Internet device and to use the second Internet device as a fall back.

Create the Filter:

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in section 3.3.
3. Enter the settings as displayed in the image below.
4. Click on Save.

Image 12: Routing all HTTP Traffic via Primary Internet Device

Assign Internet device Priorities:

1. Follow the procedure as explained in section 3.6.
2. Set the priority of the first Internet device to 1, as shown below.
3. Set the priority of the second Internet device to 2, as shown below.
4. Click on Save.

Image 13: Assigning HTTP Filter Priorities

3.8.3 Routing all Traffic for Audio through the Secondary Internet Device

In this example, we explain how to exclusively route all outgoing audio streaming traffic on TCP port 8000 via the secondary Internet device.

Create the Filter:

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in section 3.3.
3. Enter the settings as displayed in the image below.
4. Click on Save.

Image 14: Routing all Audio Streaming via the Secondary Internet Device

Assign Internet device Priorities:

1. Follow the procedure as explained in section 3.6.
2. Set the priority of the first Internet device to -, as shown below.
3. Set the priority of the second Internet device to 1, as shown below.
4. Click on Save.

Image 15: Assigning Audio Streaming Filter Priorities

3.8.4 HTTP Load Balancing

In this example, we explain how to set up HTTP load balancing for all outgoing HTTP traffic (see section 2.3). The aim is to optimize the axsguard Gatekeeper load for all outgoing HTTP traffic. The axsguard Gatekeeper will automatically decide which Internet interface is used, depending on the weight in its routing tables or its routing cache.

Caution

Load Balancing in custom filters is only available in axsguard Gatekeeper Version 7.6.0, Revision 1 and any later versions.

Create the Filter:

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in section 3.3.
3. Enter the settings as displayed in the image below.
4. Click on Save.

Image 16: HTTP Load Balancing

Assign Internet device Priorities:

1. Follow the procedure as explained in section 3.6.
2. Set the priority of the first Internet device to 1.
3. Set the priority of the second Internet device also to 1.
4. Click on Save.

Image 17: Assigning Priorities for HTTP Load Balancing

3.8.5 Using Load Balancing and Failover

In this example, we explain how to create a filter which combines two features: HTTP load balancing and HTTP failover (see sections 2.3 and 2.4). This requires three Internet lines. The aim is to optimize the axsguard Gatekeeper load for all outgoing HTTP traffic and to provide a failover in case the two Internet devices providing load balancing fail (also see Table 2). The axsguard Gatekeeper will automatically decide which Internet interface is used for load balancing, depending on the weight in its routing tables or its routing cache.

Caution

Load Balancing in custom filters is only available in axsguard Gatekeeper Version 7.6.0, Revision 1 and any later versions.

Create the Filter:

1. Log on to the axsguard Gatekeeper Administrator Tool, as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in section 3.3.
3. Enter the settings as displayed in the image below.
4. Click on Save.

Image 18: HTTP Load Balancing and Failover

Assign Internet device Priorities:

1. Follow the procedure as explained in section 3.6.
2. Set the priority of the third Internet device to 1.
3. Set the priority of the first Internet device also to 1.
4. Set the priority of the second Internet device to 2.
5. Click on Save.

Image 19: Combining HTTP Load Balancing and Failover

Note

Use the Internet device permutations which apply to your situation and/or preferences.

4 Troubleshooting

Load balancing over two Internet devices: One of my Internet devices receives an IP address through DHCP.

If one of your Internet devices has a dynamic IP address, assigned by a DHCP server, and load balancing is configured for the default gateway or DHCP traffic, you should ensure that all traffic towards the DHCP server is routed over the correct Internet device. Otherwise, DHCP problems may occur. Create a new Filter and enter the IP address of the DHCP server as the destination address. Assign the Internet device priority accordingly (see sections 3.3 and 3.6).

One of my Internet devices goes down undetected.

The axsguard Gatekeeper makes sure your Internet devices are up and running by periodically executing connectivity checks. The connectivity checks use the ICMP protocol (used by the ping command). If an ICMP Filter is added without a destination IP address and assigned to the 1st Internet device, the Filter will be listed first in the routing rules and overrule any subsequent entry. This means that all ICMP traffic is routed through the 1st Internet device. As a consequence, the 2nd (and any additional Internet devices) may go down undetected and the routing table cannot be updated (in other words, the connectivity check fails). If the 1st Internet device goes down, the 2nd will also be marked as such, even if it is still up in reality. You should always include a destination IP address in ICMP Filters.

I cannot resolve any hostname with an Internet device (DNS problem).

If you decide to route all your DNS requests over a specific Internet interface (ISP), you might encounter DNS problems. Some Internet Service Providers (ISP) do not allow the use of third-party DNS servers on their network. If you encounter DNS problems, use the DNS servers provided by your ISP to solve the issue.

I cannot send any traffic from my DMZ.

When using public IP addresses in your DMZ, make sure you assign the correct Internet interface (ISP) when creating a traffic filter. Traffic originating from these public IP addresses routed towards the wrong Internet interface (ISP) will be dropped (see section 3.8.1).

I cannot set equal priorities in a custom filter.

Equal priorities in custom filters are needed for load balancing. This option is only available as of axsguard Gatekeeper Version 7.6.0, Revision 1.
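
The filter-order rule of section 3.7, the device priorities of Table 2 and the ICMP pitfall described above can be checked offline before a rule set is entered in the Administrator Tool. The Python model below is an added example, not VASCO code and not the appliance's implementation: the Filter class, its field names, and the first-match and lowest-number-first semantics are assumptions modelled on this guide, and the sample addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"  # per Table 1, an empty address field or 0.0.0.0/0 means "any"


@dataclass(frozen=True)
class Filter:
    """Hypothetical model of one Internet Redundancy filter (names are assumptions)."""
    name: str
    protocol: Optional[str] = None      # None = any protocol
    source: str = ANY                   # CIDR notation
    destination: str = ANY              # CIDR notation
    dst_ports: frozenset = frozenset()  # empty = any port
    priorities: tuple = ()              # index 0 = Internet device 1; None = "-"
    enabled: bool = True

    def matches(self, proto, src, dst, dport=None):
        return (self.enabled
                and self.protocol in (None, proto)
                and ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and (not self.dst_ports or dport in self.dst_ports))

    def covers(self, other):
        """True when every packet `other` matches is also matched by this filter."""
        return (self.protocol in (None, other.protocol)
                and ip_network(other.source).subnet_of(ip_network(self.source))
                and ip_network(other.destination).subnet_of(ip_network(self.destination))
                and (not self.dst_ports
                     or (bool(other.dst_ports) and other.dst_ports <= self.dst_ports)))


def first_match(filters, proto, src, dst, dport=None):
    """Filters are evaluated top-down; the first enabled match wins (section 3.7)."""
    return next((f for f in filters if f.matches(proto, src, dst, dport)), None)


def candidate_devices(flt, up):
    """Devices eligible for this filter: those sharing the lowest priority number
    that still has a device up. More than one device means load balancing."""
    live = [(prio, dev) for dev, prio in enumerate(flt.priorities, start=1)
            if prio is not None and dev in up]
    if not live:
        return []
    best = min(prio for prio, _ in live)
    return [dev for prio, dev in live if prio == best]


def audit(filters):
    """Return (filter name, finding) pairs for the pitfalls the guide describes."""
    findings = []
    active = [f for f in filters if f.enabled]
    for i, flt in enumerate(active):
        if all(p is None for p in flt.priorities):
            findings.append((flt.name, "no device priority set: filter has no effect"))
        if flt.protocol == "icmp" and ip_network(flt.destination).prefixlen == 0:
            findings.append((flt.name, "ICMP filter without destination: "
                             "connectivity checks all leave through one device"))
        for earlier in active[:i]:
            if earlier.covers(flt):
                findings.append((flt.name, f"never matches: shadowed by '{earlier.name}'"))
                break
    return findings


# Constructed sample from the section 3.7 example; 203.0.113.10 is a documentation address.
HTTP = frozenset({80})
generic = Filter("http-all", "tcp", dst_ports=HTTP, priorities=(None, 1))
specific = Filter("http-server", "tcp", destination="203.0.113.10/32",
                  dst_ports=HTTP, priorities=(1, None))
ping = Filter("ping-any", "icmp", priorities=(1, None))

if __name__ == "__main__":
    for order in ([generic, specific], [specific, generic, ping]):
        print([f.name for f in order], "->", audit(order))
    hit = first_match([specific, generic], "tcp", "192.168.1.20", "203.0.113.10", 80)
    print(hit.name, candidate_devices(hit, up={1, 2}))
    lb_failover = Filter("lb+failover", "tcp", dst_ports=HTTP, priorities=(1, 1, 2))
    print(candidate_devices(lb_failover, up={1, 2, 3}),
          candidate_devices(lb_failover, up={3}))
```

Run against an export of your own filter list, an empty audit result means no filter is shadowed by an earlier one and no ICMP filter lacks a destination.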

5 Support

5.1 Overview

In this section we provide instructions on what to do if you have a problem, or experience a hardware failure.

5.2 If you encounter a problem

If you encounter a problem with a VASCO product, please follow the steps below:

1. Check whether your problem has already been solved and reported in section 4 or in the Knowledge Base at the following URL: http://www.vasco.com/support.
2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the VASCO product.
3. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO expert.

If necessary, VASCO experts can access your axsguard Gatekeeper remotely to solve any problems.

5.3 Return procedure if you have a hardware failure

If you experience a hardware failure, please contact your VASCO supplier.