ACE configuration - Return flow from WEB to WAS for SSO

Paul Pinto
Level 1

Good day,

We have a requirement to provide load balancing of a return for SSO functionality. The flow requirement is as follows:

1. Client--->ACE client VLAN VIP----->WEB servers (separate VLAN - routed mode)

2. Web servers--------->WAS servers on separate VLAN (not load balanced by ACE - using IBM WebSphere)

3. WAS servers----->ACE client VLAN VIP (same as 1. above)------>WEB servers (same as 1. above. Separate VLAN - routed mode)

So three VLANs: Client VLAN, Web server VLAN and WAS server VLAN in the same context. Point three is the return flow from WAS servers to Web servers for SSO.

Configuration applied is below. The question is: would this configuration achieve what is required? Also to confirm, which interface should the policy-map WASSSO-VIP be applied to, the WEB or WAS server VLAN?

access-list any line 1 extended permit icmp any any
access-list any line 2 extended permit ip any any

rserver host SZAWAS1
  ip address 10.250.203.139
  inservice
rserver host SZAWAS2
  ip address 10.250.203.140
  inservice
rserver host SZAWEB1
  ip address 10.250.202.171
  inservice
rserver host SZAWEB2
  ip address 10.250.202.172
  inservice

serverfarm host SZAFIN_WASFARM
  failaction purge
  predictor leastconns slowstart 60
  probe SZAWAS_TCP10001
  probe SZAWAS_TCP10002
  probe SZAWAS_TCP10003
  fail-on-all
  rserver SZAWAS1
    inservice
  rserver SZAWAS2
    inservice
serverfarm host SZAFIN_WAS_SSO_FARM
  failaction purge
  predictor leastconns slowstart 60
  probe SZAWAS_SSO_TCP
  rserver SZAWAS1
    inservice
  rserver SZAWAS2
    inservice
serverfarm host SZAFIN_WEBFARM
  failaction purge
  predictor leastconns slowstart 60
  probe SZAWEB_TCP
  rserver SZAWEB1
    inservice
  rserver SZAWEB2
    inservice

parameter-map type generic SSLID_PARAMMAP
  set max-parse-length 76
parameter-map type connection TCP_PARAM_MAP
  set timeout inactivity 1800
  set tcp timeout embryonic 900
  set tcp timeout half-closed 900

sticky layer4-payload SSL_WEB_GROUP
  timeout 15
  serverfarm SZAFIN_WEBFARM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "(\x20|\x00\xST)"

class-map match-any L4VIPCLASS_CB_FIN_WASSSO_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq https
class-map match-any L4VIPCLASS_CB_FIN_WAS_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq 10001
  3 match virtual-address 10.250.202.75 tcp eq 10002
  4 match virtual-address 10.250.202.75 tcp eq 10003
class-map match-all L4VIPCLASS_CB_FIN_WEB_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq https
class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any
  7 match protocol https any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match CB_FIN_WASSSO_SA_SIT
  class class-default
    serverfarm SZAFIN_WAS_SSO_FARM
policy-map type loadbalance first-match CB_FIN_WAS_SA_SIT
  class class-default
    serverfarm SZAFIN_WASFARM
policy-map type loadbalance generic first-match SSLID_32_WEB_POLICY
  class class-default
    sticky-serverfarm SSL_WEB_GROUP

policy-map multi-match CLIENT-VIPs
  class L4VIPCLASS_CB_FIN_WEB_SA_SIT
    loadbalance vip inservice
    loadbalance policy SSLID_32_WEB_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter generic advanced-options SSLID_PARAMMAP
    connection advanced-options TCP_PARAM_MAP
  class L4VIPCLASS_CB_FIN_WAS_SA_SIT
    loadbalance vip inservice
    loadbalance policy CB_FIN_WAS_SA_SIT
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
policy-map multi-match WASSSO-VIP
  class L4VIPCLASS_CB_FIN_WASSSO_SA_SIT
    loadbalance vip inservice
    loadbalance policy CB_FIN_WASSSO_SA_SIT
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

interface vlan 303
  description WAS Server Vlan
  ip address 10.250.203.133 255.255.255.224
  alias 10.250.203.132 255.255.255.224
  peer ip address 10.250.203.134 255.255.255.224
  no normalization
  no icmp-guard
  access-group input any
  access-group output any
  no shutdown
interface vlan 306
  description Client Access Vlan
  ip address 10.250.202.69 255.255.255.192
  alias 10.250.202.68 255.255.255.192
  peer ip address 10.250.202.70 255.255.255.192
  no normalization
  no icmp-guard
  access-group input any
  access-group output any
  service-policy input CLIENT-VIPs
  no shutdown
interface vlan 308
  description WEB Server Vlan
  ip address 10.250.202.165 255.255.255.224
  alias 10.250.202.164 255.255.255.224
  peer ip address 10.250.202.166 255.255.255.224
  no normalization
  no icmp-guard
  access-group input any
  access-group output any
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.250.202.65

Any advice would be greatly appreciated.

Thank you.

Paul

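As an added check (not part of the original post and not Cisco's tooling), the Python below parses the interface and multi-match policy-map stanzas of the config above and answers the two open questions mechanically: which VLAN interface a flow sourced from a WAS server enters, which is where a `service-policy input` has to sit to catch it, and which multi-match policy-maps are currently bound to no interface at all. It assumes standard ACE semantics, namely that an input service-policy is evaluated only on traffic entering that interface; the embedded excerpt is constructed from the posted config.

```python
import ipaddress

# Constructed excerpt of the config posted above, trimmed to what the check needs.
ACE_CONFIG = """
policy-map multi-match CLIENT-VIPs
  class L4VIPCLASS_CB_FIN_WEB_SA_SIT
policy-map multi-match WASSSO-VIP
  class L4VIPCLASS_CB_FIN_WASSSO_SA_SIT
interface vlan 303
  ip address 10.250.203.133 255.255.255.224
interface vlan 306
  ip address 10.250.202.69 255.255.255.192
  service-policy input CLIENT-VIPs
interface vlan 308
  ip address 10.250.202.165 255.255.255.224
"""

def parse_ace(text):
    """Return (interfaces, policies): vlan -> {'net', 'policy'}; multi-match policy-map -> [classes]."""
    interfaces, policies, cur = {}, {}, None
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if not line.startswith(" "):  # top-level stanza header
            if toks[0] == "interface":
                cur = ("if", " ".join(toks[1:]))
                interfaces[cur[1]] = {"net": None, "policy": None}
            elif toks[:2] == ["policy-map", "multi-match"]:
                cur = ("pm", toks[2])
                policies[cur[1]] = []
            else:
                cur = None  # rserver, class-map, ...: not needed for this check
        elif cur and cur[0] == "if" and toks[:2] == ["ip", "address"]:
            interfaces[cur[1]]["net"] = ipaddress.ip_interface(f"{toks[2]}/{toks[3]}").network
        elif cur and cur[0] == "if" and toks[:2] == ["service-policy", "input"]:
            interfaces[cur[1]]["policy"] = toks[2]
        elif cur and cur[0] == "pm" and toks[0] == "class":
            policies[cur[1]].append(toks[1])
    return interfaces, policies

def ingress_interface(interfaces, src_ip):
    """'service-policy input' sees only traffic entering that VLAN: find the one holding the source."""
    ip = ipaddress.ip_address(src_ip)
    return next((n for n, i in interfaces.items() if i["net"] and ip in i["net"]), None)

def unbound_policies(interfaces, policies):
    """Multi-match policy-maps that no interface applies; their VIPs will never take traffic."""
    bound = {i["policy"] for i in interfaces.values()}
    return sorted(p for p in policies if p not in bound)
```

Run against the excerpt, `ingress_interface(ifs, "10.250.203.139")` (SZAWAS1) returns "vlan 303", and `unbound_policies(ifs, pms)` reports ['WASSSO-VIP'], i.e. the SSO VIP policy is defined but not yet applied anywhere.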
1 Reply

Paul Pinto
Level 1

Good day,

Any feedback on this? I think the policy-map WASSSO-VIP should be on the WAS Server Vlan (303). Also with this implementation, Source NAT would not be required for the flow from the WAS servers back to the Web servers, correct?

Thank you.

Paul.