Internet Redundancy How To Version 8.0.0
Table of Contents

1. Introduction
    1.1. About this Document
    1.2. Examples used in this Guide
    1.3. Documentation Sources
    1.4. About the AXS GUARD
        1.4.1. What is it?
        1.4.2. Spare Units
        1.4.3. Licensed Units
        1.4.4. Configuration Wizards
    1.5. About VASCO
2. Internet Redundancy Concept
    2.1. Overview
    2.2. What is Internet Redundancy?
    2.3. Load Balancing
    2.4. Internet Failover
    2.5. Directing Traffic
3. Internet Redundancy Configuration
    3.1. Overview
    3.2. Feature Activation
    3.3. Creating new Filters
    3.4. Modifying Existing Filters
    3.5. Default Route for Unfiltered Traffic
    3.6. Setting the Device Priorities
    3.7. Changing the Order of Filters
4. Practical Examples
    4.1. Overview
    4.2. Routing all outgoing DMZ Traffic through the Secondary Internet Device
    4.3. Routing all HTTP Traffic through the Primary Internet Device with a Failover
    4.4. Routing all Traffic for Audio through the Secondary Internet Device
    4.5. HTTP Load Balancing
    4.6. Using Load Balancing and Failover
5. Troubleshooting
6. Support
    6.1. Overview
    6.2. If you encounter a problem
    6.3. Return procedure if you have a hardware failure
VASCO Products

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as VASCO. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products.

Disclaimer of Warranties and Limitations of Liabilities

VASCO Products are provided as is without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose.

VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.

Intellectual Property and Copyright

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing.

This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee.

VASCO Trademarks

VASCO, VACMAN, IDENTIKEY, axsguard, AXS GUARD, DIGIPASS, DIGIPASS as a Service, MYDIGIPASS.COM and the logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

Other company brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners.

Other Trademarks

Citrix and XenServer are trademarks or registered trademarks of Citrix Systems, Inc. VMware and vSphere are registered trademarks or trademarks of VMware, Inc. Hyper-V is a registered trademark of Microsoft Corporation.

Copyright 2014 VASCO Data Security, VASCO Data Security International GmbH. All rights reserved.
Chapter 1. Introduction

1.1. About this Document

This document has been written for AXS GUARD version 8.0.0 and is based on changes and features that have been implemented since version 7.7.3. This document was last updated on 22 Sep 2014.

The AXS GUARD Internet Redundancy How To serves as a reference source for technical personnel or system administrators. It explains the configuration of the AXS GUARD Internet Redundancy Module.

- In Chapter 1, Introduction, we introduce the AXS GUARD and explain the difference between licensed and spare units.
- In Chapter 2, Internet Redundancy Concept, we explain the concepts of Internet Redundancy, such as load balancing and Internet failover.
- In Chapter 3, Internet Redundancy Configuration, we explain how to configure and set up the Internet Redundancy Module on the AXS GUARD.
- In Chapter 5, Troubleshooting, we offer some solutions to solve difficulties.
- In Chapter 6, Support, we explain how to request support, and return hardware for replacement.

1.2. Examples used in this Guide

All setups and configuration examples in this guide are executed as an advanced administrator. Some options are not available if you log on as a full administrator or a user with lower privileges. The administrator levels are explained in the system administration guide.

As software development and documentation are ongoing processes, screenshots shown in this guide may slightly vary from the screens of the software version installed on your appliance.

1.3. Documentation Sources

Other documents in the set of AXS GUARD documentation include:

- AXS GUARD Installation Guide, which explains how to set up the AXS GUARD, and is intended for technical personnel or system administrators.
- How to guides, which provide detailed information on the configuration of each of the features available as add-on modules (explained in Section 1.4.1, What is it?). These guides cover specific features such as:
    - AXS GUARD Authentication
    - AXS GUARD Firewall
    - AXS GUARD Single Sign-On
    - AXS GUARD VPN
    - AXS GUARD Reverse Proxy
    - AXS GUARD Directory Services

Access to AXS GUARD guides is provided through the permanently on-screen Documentation button in the AXS GUARD Administrator Tool.
Further resources available include:

- Context-sensitive help, which is accessible in the AXS GUARD Administrator Tool through the Help button. This button is permanently available and displays information related to the current screen.
- Training courses covering features in detail can be organized on demand. These courses address all levels of expertise. Please see http://www.vasco.com for further information.

1.4. About the AXS GUARD

1.4.1. What is it?

The AXS GUARD is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the AXS GUARD has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, e-mail and Web access control. The AXS GUARD can easily be integrated into existing IT infrastructures as a standalone authentication appliance or as a gateway providing both authentication services and Internet Security.

Authentication and other features such as firewall, e-mail and Web access, are managed by security policies, which implement a combination of rules, for example, whether a user must use a DIGIPASS One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system.

1.4.2. Spare Units

A Spare Unit is an unlicensed appliance, with limited configuration possibilities and allows you to swiftly replace a defective appliance. It can also be licensed as a new appliance. In fact, all appliances can be considered spare units until they are licensed.

Restoring to a Spare Unit is restricted to:

- the same hardware version (e.g. AG-3XXX, AG-5XXX or AG7XXX) as the unit being replaced.
- the same software version as the appliance being replaced (or a higher version on which data migration is supported; please contact VASCO support (support@vasco.com) for guidance).

Once a backup is restored on a Spare Unit, full functionality is available. The configuration tool of the appliance can then be accessed by any user with administrative privileges (see the AXS GUARD System Administration How To).

The license from the backup is also restored on the Spare Unit. However, an appliance with a restored license only remains operational for a grace period of 30 days, during which the System Administrator needs to acquire a new license. If a new license has not been issued after this grace period, all services on the appliance will be stopped. Only the Administrator Tool will remain accessible.

Contact VASCO support (support@vasco.com) to release the restored license of the original appliance. To relicense the appliance, follow the same procedure as used during first-time licensing.

1.4.3. Licensed Units

With a licensed appliance, a user with full administrative privileges has access to all the configuration options on the AXS GUARD.

Use the sysadmin account to create a user with administrative privileges. Since the sysadmin user can create new administrators, you should change the default password of this account when you log in to the appliance for the first time.

Licensing and accessing a fully operational in-service appliance requires the following steps:

1. Logging on to the AXS GUARD as the default sysadmin user and changing the sysadmin password
2. Creating a new user with full administration rights, which is required to configure the AXS GUARD
3. Licensing the appliance
1.4.4. Configuration Wizards

Use the configuration wizards to configure your system essentials more easily.

1.5. About VASCO

VASCO is a world leader in strong authentication and e-signature solutions, specializing in online accounts, identities and transactions. As a global software company, VASCO serves a customer base of approximately 10,000 companies in over 100 countries, including approximately 1,500 international financial institutions. In addition to the financial sector, VASCO's technologies secure sensitive information and transactions for the enterprise security, e-commerce and e-government industries.

For further information, please visit http://www.vasco.com.
Chapter 2. Internet Redundancy Concept

2.1. Overview

In this section, we explain the concept and aims of Internet Redundancy. If you are already familiar with these topics, please proceed to Chapter 3, Internet Redundancy Configuration.

The major goals of Internet Redundancy are:

- Load Balancing: Distributing data across two or more Internet interfaces to ensure that a single Internet interface does not get overloaded with network traffic.
- Internet Failover: The capability to switch over automatically to a redundant or standby Internet interface, upon the failure of the previously active interface.
- Directing Traffic: The capability to dedicate an Internet interface to a certain type of traffic.

2.2. What is Internet Redundancy?

The Internet Redundancy Module has been designed for AXS GUARDs with two or more Internet interfaces and allows administrators to assign and prioritize specific network traffic by designating the Internet interface which must be used for that traffic. This is done through the use of filters.

As the role of Internet driven businesses is constantly growing, the reliability of connections and the constant availability of services are an absolute necessity for corporations. A corporate network can be subject to outages or disruptions if a network link, such as an ISP link, fails (in the case of a DoS attack or a temporary outage). Internet Redundancy allows you to counter this via load balancing and Internet failover, which are explained in the following sections.

2.3. Load Balancing

In computer networking, load balancing is a technique to distribute the workload evenly across two or more computers, network links, CPUs, hard drives, or other resources, in order to get optimal resource utilization, maximize throughput, minimize response time, and to avoid overload.

From the Internet side, using multiple components with load balancing, instead of a single component, may increase reliability through redundancy. The load balancing service is usually provided by a dedicated program or hardware device, such as a multilayer switch or a DNS server.

On the AXS GUARD, load balancing for DNS is configured on the Public DNS module. For more information, see the AXS GUARD Public DNS How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Example 2.1. Web server with load balancing

Suppose you have a web server which provides real-time information to your customers, such as tracking information about shipments. The server receives a lot of hits per second and has to deal with a lot of network traffic. To ease the burden and to avoid network traffic bottlenecks on a single Internet Interface, the load can be distributed evenly over the available Internet Interfaces, by assigning priorities for incoming traffic. Your server's name should of course resolve to two or more public IP addresses. This technique is also known as round robin DNS (illustrated below).
Figure 2.1. Example of Internet Redundancy Round Robin DNS

Example 2.2. Load balancing from the LAN

Assume that you have two Internet lines and you want all outgoing HTTP requests to be divided equally over both Internet lines. The AXS GUARD Internet Redundancy Module allows you to assign equal priorities to all outgoing HTTP requests, so that the HTTP network load is automatically and evenly balanced over the two Internet Interfaces. This option is available as of AXS GUARD version 7.6.0, Revision 1.

2.4. Internet Failover

Internet failover is the capability to switch over automatically to a redundant or standby Internet interface upon the failure of the primary Internet interface. This ensures the availability of Internet services to the users and servers in your network.

Example 2.3. Failover

Assume that you have an Active Directory server in your network, which is configured to automatically download and distribute system updates or anti-virus updates. The Active Directory server downloads these updates from the Internet. The AXS GUARD Internet Redundancy Module allows you to configure a scheme, so that the continuity of these downloads is ensured, even if one of the Internet interfaces were to fail (see the illustration below).
Figure 2.2. Example of Internet Failover - AD Updates

2.5. Directing Traffic

The AXS GUARD allows you to dedicate an Internet line to a certain type of network traffic.

Example 2.4. Internet radio

Assume that your company policy allows the use of Internet radio and you want all outgoing audio streaming requests to be routed over your second Internet line. The AXS GUARD Internet Redundancy Module allows you to assign filters so that these requests are routed over the desired Internet interface. The result is that the other Internet interfaces remain available for other (more crucial) traffic.

Figure 2.3. Example of Traffic Redirection
Chapter 3. Internet Redundancy Configuration

3.1. Overview

In this chapter, we explain how to set up and configure Internet Redundancy on the AXS GUARD. Topics covered in this chapter include:

- How to activate the Internet Redundancy Feature
- Creating Filters
- Setting Internet Device Priorities

3.2. Feature Activation

Before the Internet Redundancy Module can be configured, it must be activated.

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to System > Feature Activation.
3. Expand the Internet Redundancy option.
4. Check the Do you use Internet Redundancy? option.
5. Click on Update.

Figure 3.1. Feature Activation

3.3. Creating new Filters

To create a new filter:

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to Network > Internet Redundancy.
3. Click on Add Filter.
4. Enter the settings as explained in the table below.
5. Click on Save.
Figure 3.2. Creating a new Filter

Parameter | Description
Name | Enter a name for the Filter (required).
Description | Provide a description (optional).
Enabled | Check to activate the Filter.
Protocol | Select the desired protocol from the list. Leave empty to match any protocol.
Source | Enter the source IP address(es), using the CIDR notation, e.g. 192.168.1.0/24. Leave this field empty or enter 0.0.0.0/0 to match any IP address.
Source Ports | Enter the source ports (only if known and TCP or UDP traffic is being filtered). Leave empty to match any port.
Destination | Enter the destination IP address(es), using the CIDR notation, e.g. 192.168.1.0/24. Leave this field empty or enter 0.0.0.0/0 to match any IP address.
Destination Ports | Enter the destination ports (only if you have selected to filter TCP or UDP traffic). Leave empty to match any port.

Table 3.1. Internet Redundancy Filter Configuration Settings

3.4. Modifying Existing Filters

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to Network > Internet Redundancy.
3. Select a Filter from the list.
4. Edit the settings as needed (see Section 3.3, Creating new Filters).
5. Click on Update when finished.
Figure 3.3. Updating an existing Filter

3.5. Default Route for Unfiltered Traffic

This is the AXS GUARD default Filter for any unspecified traffic. You can select through which Internet device that traffic is going to be routed first, then specify a second Interface, a third, etc. This default Filter cannot be modified. More information is provided in the next section.

Figure 3.4. Default Route for Unfiltered Traffic

3.6. Setting the Device Priorities

In this section, we explain how to set the Internet device priorities for created or modified Filters (see Section 3.3, Creating new Filters and Section 3.4, Modifying Existing Filters), without which the Filter has no effect.

To set the Internet Device priorities:

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to Network > Internet Redundancy.
3. Set the Internet device priority for each Filter, by clicking on the drop-down menu (see the image below).
4. Click on Save.
Figure 3.5. Setting Internet Device Priorities

If no priority is specified for an Internet device, it simply is not used (for that Filter). Filters can also be enabled or disabled via this screen. The table below shows some examples of possible priorities.

Type | Internet Device 1 | Internet Device 2 | Internet Device 3
Load Balancing | 1 | 1 | 1
Failover | 1 | 2 | 3
Redirection | - | 1 | -
Load Balancing and Failover | 1 | 1 | 2

Table 3.2. Examples of Internet Redundancy use and Device Priorities

3.7. Changing the Order of Filters

In this section, we explain how to set or change the order of traffic filters. This is critical if you have created 2 or more filters for the same type of traffic; one filter contains specific options, while other filters are more generic. Specific filters must always precede generic filters.

Example 3.1. The order of Filters

Assume that you have created a traffic filter which routes all HTTP traffic over Internet line 2 (Filter 1) and another traffic filter which routes HTTP traffic to a specific server on the Internet via Internet line 1 (Filter 2).

If filter 1 appears 1st in the list, filter 2 will be discarded, since filter 1 is a generic filter that matches all HTTP traffic. Make sure that filter 2 precedes filter 1.

To set or change the order of filters:

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Navigate to Network > Internet Redundancy.
3. Check the filter to be shifted.
4. Click the up or down button. This moves the filter up or down by one position.
Figure 3.6. Changing the Filter Order
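The ordering rule of Section 3.7 can be checked mechanically. The following is an added example, not AXS GUARD code: it models filters as first-match rules using the fields of Table 3.1 (source ports are left out) and reports every filter that an earlier, more generic filter fully covers. The filter names, the addresses and the use of TCP port 80 for HTTP are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    """One traffic filter; an empty GUI field is modelled as None or 0.0.0.0/0."""
    name: str
    protocol: Optional[str] = None               # None matches any protocol
    source: str = "0.0.0.0/0"                    # CIDR notation
    destination: str = "0.0.0.0/0"               # CIDR notation
    dest_ports: Optional[FrozenSet[int]] = None  # None matches any port
    enabled: bool = True


def covers(general: Filter, specific: Filter) -> bool:
    """True if every packet matched by `specific` is also matched by `general`."""
    if general.protocol is not None and general.protocol != specific.protocol:
        return False
    if not ip_network(specific.source).subnet_of(ip_network(general.source)):
        return False
    if not ip_network(specific.destination).subnet_of(
            ip_network(general.destination)):
        return False
    if general.dest_ports is not None:
        if specific.dest_ports is None:
            return False
        if not specific.dest_ports <= general.dest_ports:
            return False
    return True


def find_shadowed(filters: List[Filter]) -> List[Tuple[str, str]]:
    """Return (shadowed, shadowing) name pairs for an ordered filter list."""
    findings = []
    active = [f for f in filters if f.enabled]
    for position, later in enumerate(active):
        for earlier in active[:position]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name))
                break  # the first covering filter is the one that wins
    return findings


def first_match(filters: List[Filter], protocol: str, src: str, dst: str,
                dport: int) -> Optional[str]:
    """Name of the first enabled filter matching the packet, or None.

    None means the packet falls through to the default route for
    unfiltered traffic.
    """
    for f in filters:
        if not f.enabled:
            continue
        if f.protocol is not None and f.protocol != protocol:
            continue
        if ip_address(src) not in ip_network(f.source):
            continue
        if ip_address(dst) not in ip_network(f.destination):
            continue
        if f.dest_ports is not None and dport not in f.dest_ports:
            continue
        return f.name
    return None


# Constructed sample filters mirroring Example 3.1.
HTTP_ALL = Filter("http-all", "tcp", dest_ports=frozenset({80}))
HTTP_TO_SERVER = Filter("http-to-server", "tcp",
                        destination="203.0.113.10/32",
                        dest_ports=frozenset({80}))
BAD_ORDER = [HTTP_ALL, HTTP_TO_SERVER]    # generic filter listed first
GOOD_ORDER = [HTTP_TO_SERVER, HTTP_ALL]   # specific filter listed first

if __name__ == "__main__":
    for label, order in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        winner = first_match(order, "tcp", "192.168.1.20", "203.0.113.10", 80)
        print(label, "shadowed:", find_shadowed(order), "winner:", winner)
```
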
Chapter 4. Practical Examples

4.1. Overview

In this section, we provide some practical configuration examples.

4.2. Routing all outgoing DMZ Traffic through the Secondary Internet Device

In this example, we explain how to route all outgoing DMZ traffic through the secondary Internet device.

When using public IP addresses in your DMZ, make sure you assign the correct Internet interface (ISP) when creating a traffic filter. Traffic originating from these public IP addresses routed towards the wrong Internet interface (ISP) will be dropped by the ISP. Contact your ISP for more information.

Create the Filter

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in Section 3.3, Creating new Filters.
3. Enter the settings as displayed in the image below. (Use the IP range which applies to your DMZ).
4. Click on Save when finished.

Figure 4.1. Routing outgoing DMZ Traffic through Secondary Internet Device

Assign Internet device Priorities

1. Follow the procedure as explained in Section 3.6, Setting the Device Priorities.
2. Set the priority of the first Internet device to -, as shown below.
3. Set the priority of the second Internet device to 1, as shown below.
4. Click on Save when finished.

Figure 4.2. Assigning DMZ Filter Priorities

4.3. Routing all HTTP Traffic through the Primary Internet Device with a Failover

In this example, we explain how to route all outgoing HTTP traffic through the primary Internet device and to use the second Internet device as a fallback.
Create the Filter:

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in Section 3.3, Creating new Filters.
3. Enter the settings as displayed in the image below.
4. Click on Save when finished.

Figure 4.3. Routing all HTTP Traffic via Primary Internet Device

Assign Internet device Priorities

1. Follow the procedure as explained in Section 3.6, Setting the Device Priorities.
2. Set the priority of the first Internet device to 1, as shown below.
3. Set the priority of the second Internet device to 2, as shown below.
4. Click on Save when finished.

Figure 4.4. Assigning HTTP Filter Priorities

4.4. Routing all Traffic for Audio through the Secondary Internet Device

In this example, we explain how to exclusively route all outgoing audio streaming traffic on TCP port 8000 via the secondary Internet device.

Create the Filter:

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in Section 3.3, Creating new Filters.
3. Enter the settings as displayed in the image below.
4. Click on Save when finished.

Figure 4.5. Routing all Audio Streaming via the Secondary Internet Device
Assign Internet device Priorities

1. Follow the procedure as explained in Section 3.6, Setting the Device Priorities.
2. Set the priority of the first Internet device to -, as shown below.
3. Set the priority of the second Internet device to 1, as shown below.
4. Click on Save when finished.

Figure 4.6. Assigning Audio Streaming Filter Priorities

4.5. HTTP Load Balancing

In this example, we explain how to create an HTTP load balancing filter for all outgoing HTTP traffic (see Section 2.3, Load Balancing). The aim is to optimize the AXS GUARD load for all outgoing HTTP traffic. The AXS GUARD will automatically decide which Internet interface is used, depending on the weight in its routing tables or its routing cache.

Load Balancing in custom filters is only available as of AXS GUARD Version 7.6.0.

Create the Filter:

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in Section 3.3, Creating new Filters.
3. Enter the settings as displayed in the image below.
4. Click on Save when finished.

Figure 4.7. HTTP Load Balancing

Assign Internet device Priorities

1. Follow the procedure as explained in Section 3.6, Setting the Device Priorities.
2. Set the priority of the first Internet device to 1.
3. Set the priority of the second Internet device also to 1.
4. Click on Save when finished.

Figure 4.8. Assigning Priorities for HTTP Load Balancing

4.6. Using Load Balancing and Failover

In this example, we explain how to create a filter which combines two features: HTTP load balancing and HTTP Failover (see Section 2.3, Load Balancing and Section 2.4, Internet Failover). This requires three Internet lines. The aim is to optimize the AXS GUARD load for all outgoing HTTP traffic and to provide a failover system in case the two Internet devices that provide load balancing fail. The AXS GUARD will automatically decide which Internet interface is used for load balancing, depending on the weight in its routing tables or its routing cache.

Load Balancing in custom filters is only available as of AXS GUARD Version 7.6.0.

Create the Filter

1. Log on to the AXS GUARD Administrator Tool, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.
2. Follow the procedure to create a new Filter, as explained in Section 3.3, Creating new Filters.
3. Enter the settings as displayed in the image below.
4. Click on Save when finished.

Figure 4.9. HTTP Load Balancing and Failover

Assign Internet device Priorities

1. Follow the procedure as explained in Section 3.6, Setting the Device Priorities.
2. Set the priority of the third Internet device to 1.
3. Set the priority of the first Internet device also to 1.
4. Set the priority of the second Internet device to 2.
5. Click on Save when finished.
Figure 4.10. Combining HTTP Load Balancing and Failover

Use the Internet device permutations which apply to your situation and/or preferences.
Chapter 5. Troubleshooting

Load balancing over two Internet devices: One of my Internet devices receives an IP address through DHCP.

If one of your Internet devices has a dynamic IP address, assigned by a DHCP server, and load balancing is configured for the default gateway or DHCP traffic, you must make sure that all traffic towards the DHCP server is routed over the correct Internet device. Otherwise, DHCP problems may occur. Create a new Filter and enter the IP address of the DHCP server as the destination address. Assign the Internet device priority accordingly (see Section 3.3, Creating new Filters and Section 3.6, Setting the Device Priorities).

One of my Internet devices goes down undetected.

The AXS GUARD verifies whether your Internet devices are up and running by periodically executing connectivity checks. The connectivity checks use the ICMP protocol (the protocol used by the ping command).

If an ICMP Filter is added without a destination IP address and assigned to the 1st Internet device, the Filter will precede any other routing rules. As a result, subsequent entries are overruled. All ICMP traffic will be routed via the 1st Internet device. As a consequence, the 2nd (and any additional Internet devices) may go down undetected and the routing table cannot be updated (in other words, the connectivity check fails). If the 1st Internet device goes down, the 2nd will also be marked as down, even if it is still up.

Administrators must always specify a destination IP address in ICMP Filters.

I cannot resolve any hostname with an Internet device (DNS problem).

If you decide to route all your DNS requests over a specific Internet interface (ISP), you might run into DNS problems. Some Internet Service Providers (ISP) do not allow the use of third-party DNS servers on their network. If you encounter DNS problems, use the DNS servers provided by your ISP to solve the problem.

I cannot send any traffic from my DMZ.

When using public IP addresses in your DMZ, make sure that you assign the correct Internet interface (ISP) when creating a traffic filter. Traffic originating from these public IP addresses routed towards the wrong Internet interface (ISP) will be dropped (see Section 4.2, Routing all outgoing DMZ Traffic through the Secondary Internet Device).

I cannot set equal priorities in a custom filter.

Equal priorities in custom filters are needed for load balancing. This option is only available as of AXS GUARD Version 7.6.0, Revision 1.
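Added example (not AXS GUARD code) that models the undetected-outage problem from this chapter together with the device priorities of Table 3.2 and Section 4.6. It assumes a simplified model: one hypothetical check address per Internet device, first-match ICMP filters, and traffic using the detected-up devices that share the lowest priority number; all names and addresses are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample data: the address the appliance is assumed to ping
# in order to verify each Internet device.
PROBE_TARGET = {"dev1": "198.51.100.1", "dev2": "203.0.113.1"}

# ICMP filter without a destination, assigned to the 1st Internet device.
CATCH_ALL_ICMP = [{"name": "icmp-any", "destination": "", "device": "dev1"}]
# ICMP filter with an explicit destination, as the guide requires.
SCOPED_ICMP = [{"name": "icmp-monitoring-host",
                "destination": "192.0.2.50/32", "device": "dev1"}]

# Device priorities per filter; None stands for "-" (device not used).
FAILOVER = {"dev1": 1, "dev2": 2}
LOAD_BALANCING = {"dev1": 1, "dev2": 1}
LB_AND_FAILOVER = {"dev1": 1, "dev2": 2, "dev3": 1}   # Section 4.6


def icmp_egress(intended_dev: str, target: str,
                icmp_filters: List[dict]) -> str:
    """Device a connectivity probe actually leaves through.

    A matching ICMP filter precedes any other routing rule, so it
    overrides the device the probe was meant to test.
    """
    for flt in icmp_filters:
        dest = flt["destination"] or "0.0.0.0/0"   # empty field matches any
        if ip_address(target) in ip_network(dest):
            return flt["device"]
    return intended_dev


def detected_state(link_up: Dict[str, bool],
                   icmp_filters: List[dict]) -> Dict[str, bool]:
    """What the connectivity check concludes about each device.

    A probe succeeds only if the link it really leaves through is up.
    """
    return {
        dev: link_up[icmp_egress(dev, PROBE_TARGET[dev], icmp_filters)]
        for dev in link_up
    }


def select_devices(priorities: Dict[str, Optional[int]],
                   detected: Dict[str, bool]) -> List[str]:
    """Devices a filter uses: detected-up devices with the lowest priority.

    Several devices on the same priority means load balancing; an empty
    list means the filter has no usable Internet device left.
    """
    usable = {dev: prio for dev, prio in priorities.items()
              if prio is not None and detected.get(dev, False)}
    if not usable:
        return []
    best = min(usable.values())
    return sorted(dev for dev, prio in usable.items() if prio == best)


def outcome(link_up: Dict[str, bool], icmp_filters: List[dict],
            priorities: Dict[str, Optional[int]]) -> List[str]:
    """Devices chosen for a filter, given real link state and ICMP filters."""
    return select_devices(priorities, detected_state(link_up, icmp_filters))


if __name__ == "__main__":
    dev1_down = {"dev1": False, "dev2": True}
    dev2_down = {"dev1": True, "dev2": False}
    print("catch-all, dev1 down:", outcome(dev1_down, CATCH_ALL_ICMP, FAILOVER))
    print("scoped,    dev1 down:", outcome(dev1_down, SCOPED_ICMP, FAILOVER))
    print("catch-all, dev2 down:",
          outcome(dev2_down, CATCH_ALL_ICMP, LOAD_BALANCING))
```

With the catch-all filter, a failure of the 1st device leaves the failover filter with no device at all, and a failure of the 2nd device keeps it in the load-balancing set; with the scoped filter the detected state follows the real link state.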
Chapter 6. Support

6.1. Overview

In this section we provide instructions on what to do if you have a problem, or experience a hardware failure.

6.2. If you encounter a problem

If you encounter a problem with a VASCO product, follow the steps below:

1. Check whether your problem has already been solved and reported in the Knowledge Base at the following URL: http://www.vasco.com/support
2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the VASCO product.
3. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO expert.

For details about support capabilities by user, visit: http://www.vasco.com/support/support_services/types_of_customes.aspx

6.3. Return procedure if you have a hardware failure

If you experience a hardware failure, contact your VASCO supplier.
List of Figures

2.1. Example of Internet Redundancy Round Robin DNS
2.2. Example of Internet Failover - AD Updates
2.3. Example of Traffic Redirection
3.1. Feature Activation
3.2. Creating a new Filter
3.3. Updating an existing Filter
3.4. Default Route for Unfiltered Traffic
3.5. Setting Internet Device Priorities
3.6. Changing the Filter Order
4.1. Routing outgoing DMZ Traffic through Secondary Internet Device
4.2. Assigning DMZ Filter Priorities
4.3. Routing all HTTP Traffic via Primary Internet Device
4.4. Assigning HTTP Filter Priorities
4.5. Routing all Audio Streaming via the Secondary Internet Device
4.6. Assigning Audio Streaming Filter Priorities
4.7. HTTP Load Balancing
4.8. Assigning Priorities for HTTP Load Balancing
4.9. HTTP Load Balancing and Failover
4.10. Combining HTTP Load Balancing and Failover

List of Tables

3.1. Internet Redundancy Filter Configuration Settings
3.2. Examples of Internet Redundancy use and Device Priorities

List of Examples

2.1. Web server with load balancing
2.2. Load balancing from the LAN
2.3. Failover
2.4. Internet radio
3.1. The order of Filters