18 Replies Latest reply on Mar 30, 2009 11:11 PM by Paul Cannon

    Multiple App Servers Load Balanced behind an F5

      We have 2 app servers that we are trying to put behind an F5 for HA. The servers would then be available via bladelogic.company.com. I need to know a couple of things:

       

      1. What ports does the F5 need to forward to the 2 app servers (assume default port # configuration)? The app servers also double as NSH proxies.

       

      2. What changes do I need to make within the blasadmin console to get this to work? I am aware of the ValidateClientIpAddress and the ValidateRequestURL options for appserver, as well as AppServiceURLs and ProxyServiceURLs for authserver.

       

      3. For the authserver options, do I need to specify both the generic, F5 hostname (bladelogic.company.com) and the specific server hostname (host1)? If so, what is the proper syntax to specify multiple URLs for these options?

        • 1. Re: Multiple App Servers Load Balanced behind an F5
          Bill Robinson

          1 - 9840, 9841, 9842

           

          2 - I think those are it. Change the URLs to be 'bladelogic.company.com'.

          3 - I believe just the URL of the VIP, nothing else.

          • 2. Re: Multiple App Servers Load Balanced behind an F5

            So, the 2 Validate options for the appserver should be set to no?

            • 3. Re: Multiple App Servers Load Balanced behind an F5
              Bill Robinson

              I think that as long as the URL matches the cert you can leave validate on.

              With ValidateClientIpAddress, I think as long as the URL matches the hostname the client uses to access the host you can leave that on.

              I'm not 100% on that; I know that setting both of those to no/false will definitely work.

              • 4. Re: Multiple App Servers Load Balanced behind an F5

                We had to shut off ValidateClientIpAddress for ours to work.

                • 5. Re: Multiple App Servers Load Balanced behind an F5
                  Bill Robinson

                  from the docs:

                   

                  To specify whether the client's IP address included in a session credential should be compared to the IP address of the client that is presenting the credential, enter the following:

                  set appserver ValidateClientIpAddress true | false

                  In the command shown above:

                  • true means the IP address of the client must match the client's IP address included in the session credential. If the IP addresses do not match, the client is denied access.

                  By default, this option is set to true.

                  • false means the IP address of the client does not have to match the client's IP address included in the session credential.

                  So I think that the load balancer may need to pass through the IP to the appservers. Sorry - I don't have an LB handy to test it.

                  To specify whether the service URL of the Application Service or Network Shell Proxy Service specified in a client's service request should be compared to the actual service URL of that service, enter the following:

                  set appserver ValidateRequestURL true | false

                  In the command shown above:

                  • true means the service URL of the Application Service or Network Shell Proxy Service handling the request must match the service URL to which the request was addressed. By default, this option is set to true.

                  • false means the receiving service's URL does not have to match the service URL to which the request is addressed.

                  This option is useful if you are using a load balancer for your Application Servers or Network Shell Proxy Servers and a client can access any one of many Application Servers when establishing a session connection.

                  As long as you set the URLs in the authsvc config, this should work OK set to true.
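The two options quoted above are easiest to reason about side by side. The following is an added example written for this page, not BladeLogic code: it does not reproduce the real session-credential format or wire protocol, only what the documentation says each check compares (credential client IP versus the peer IP the appserver sees, and requested service URL versus the URL the service is configured with). The addresses, hostnames and the "alice" credential are constructed for the demonstration; `bladelogic.company.com` and `host1` come from the original question.

```python
"""Illustrative model of the two 'set appserver' checks quoted above.

Added example for this page, not BladeLogic code: the real session
credential format and wire protocol are not reproduced. It only models what
the documentation says each option compares, so the effect of a load
balancer on each check can be seen.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionCredential:
    user: str
    client_ip: str  # client address recorded when the credential was issued


@dataclass
class AppServerSettings:
    service_url: str                   # URL this service is configured to answer for
    validate_client_ip: bool = True    # set appserver ValidateClientIpAddress true|false
    validate_request_url: bool = True  # set appserver ValidateRequestURL true|false


def accept_request(cfg, cred, peer_ip, requested_url):
    """Return (accepted, reason) for one service request carrying a session credential."""
    if cfg.validate_client_ip and peer_ip != cred.client_ip:
        return False, "CLIENT_IP_MISMATCH"
    if cfg.validate_request_url and requested_url != cfg.service_url:
        return False, "REQUEST_URL_MISMATCH"
    return True, "OK"


# Constructed addresses and URLs for the demonstration (not from a real deployment).
CLIENT_IP = "10.1.1.50"
ATTACKER_IP = "10.9.9.9"
F5_SNAT_IP = "10.2.2.10"  # address the appserver sees when the F5 rewrites the source
HOST_URL = "service:appsvc.bladelogic:blsess://host1:9841"
VIP_URL = "service:appsvc.bladelogic:blsess://bladelogic.company.com:9841"


def scenarios():
    """Run the cases discussed in the thread and return {name: (accepted, reason)}."""
    cred = SessionCredential("alice", CLIENT_IP)
    vip_cfg = AppServerSettings(VIP_URL)
    host_cfg = AppServerSettings(HOST_URL)
    relaxed_cfg = AppServerSettings(VIP_URL, validate_client_ip=False)
    return {
        # Client talks to host1 directly, appserver advertises its own hostname.
        "direct": accept_request(host_cfg, cred, CLIENT_IP, HOST_URL),
        # Client addresses the VIP name but the appserver URL was never changed.
        "vip_url_not_updated": accept_request(host_cfg, cred, CLIENT_IP, VIP_URL),
        # URLs changed to the VIP name and the F5 preserves the client source address.
        "vip_transparent": accept_request(vip_cfg, cred, CLIENT_IP, VIP_URL),
        # F5 applies SNAT: the appserver sees the F5, not the client.
        "vip_snat": accept_request(vip_cfg, cred, F5_SNAT_IP, VIP_URL),
        # Same SNAT with ValidateClientIpAddress=false: works again...
        "vip_snat_validate_off": accept_request(relaxed_cfg, cred, F5_SNAT_IP, VIP_URL),
        # ...but a credential copied from the client is now accepted from any address.
        "stolen_cred_validate_on": accept_request(vip_cfg, cred, ATTACKER_IP, VIP_URL),
        "stolen_cred_validate_off": accept_request(relaxed_cfg, cred, ATTACKER_IP, VIP_URL),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:28s} {'accept' if ok else 'reject'} ({reason})")
```

The model makes the trade-off in the thread explicit: ValidateRequestURL can stay true once the authserver hands out the VIP URL, because that is the URL clients actually address. ValidateClientIpAddress only keeps working if the appservers see the real client address, which on an F5 means not translating the source address on the virtual server (and routing the servers' return traffic back through the F5). Setting it to false makes the SNAT case work but removes the binding between the credential and the address that obtained it, so a copied credential is usable from anywhere.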

                  • 6. Re: Multiple App Servers Load Balanced behind an F5

                    We have this working with 7.5.0, for all operations but NSH. If I do "NSH here" from the config manager, the window spits out a message, but then dies too fast for me to read it.

                     

                    If I run nsh directly from my laptop, I get the following when trying to access the app server:

                     

                    SSL_connect2

                    SSL_connect

                    Error in Initializing RBAC User and Role (SSO Proxy)

                    Network Shell can be used for local access

                    LCPWZGB1% cd //valizprd091.val.cummins.com

                    SSL_connect2

                    SSL_connect

                    cd: error in TLS protocol: //valizprd091.val.cummins.com

                     

                    Has anyone else seen a TLS issue like this when your NSH proxy is behind an F5?

                    • 7. Re: Multiple App Servers Load Balanced behind an F5
                      Bill Robinson

                      What's in the 'secure' file on your client system?

                      Did you check 'cache session credentials' when you log in via the CM GUI?

                      Is the ProxyServiceURL set to the VIP name on your appservers?

                      If I talk to the VIP on 9842, will it go to the same backend server as the other CM connections?

                      • 8. Re: Multiple App Servers Load Balanced behind an F5

                        I was able to verify the secure file by switching back to a non-vip configuration in the URLs and fixing my proxy config by adding a ProxySVCPort setting. Going direct to the server works with this config. When I go back to using the F5, I get a new error:

                         

                        SSO Error: Received SSO session reject message "CREDENTIAL_REJECTED"

                        Error in Initializing RBAC User and Role (SSO Proxy)

                        Network Shell can be used for local access

                         

                        So I think you may be onto something with the 3rd question. However, my vips in our lab environment are just pointing at different ports on the same server, so shouldn't they be allowing access to the same credentials? This credential is working fine with the auth and config server vips when working through the config manager console.

                        • 9. Re: Multiple App Servers Load Balanced behind an F5
                          Bill Robinson

                          Appservers or instances of the appservers will not share login credentials, so being authenticated to appserverA does not mean appserverB will accept the credentials.

                          What about 'my vips in our lab environment are just pointing at different ports on the same server' - what do you mean by that? There's only 1 server behind the F5?

                          Can you describe how the VIP is set up? (load balancing method, services, etc.)

                          • 10. Re: Multiple App Servers Load Balanced behind an F5

                            Yes, only one server is behind the F5. We don't have a second physical server available yet, so we are load balancing between app servers running on different ports. We have 3 vips:

                             

                            blappserv port 80 -> valizprd091 ports 9840 and 9940

                            blappserv port 81 -> valizprd091 ports 9841 and 9941

                            blappserv port 82 -> valizprd091 ports 9833 and 9933 (need to reconfigure to *42)

                             

                            Here's my AppServiceProfiles.xml:

                             

                            <?xml version="1.0" encoding="UTF-8"?>

                            <!DOCTYPE Deployment SYSTEM "file://bladelogic.com/dtds/Server-Profile.dtd">

                            <!WARNING - THIS IS A GENERATED FILE. DO NOT EDIT.>

                             

                            • 11. Re: Multiple App Servers Load Balanced behind an F5
                              Bill Robinson

                              Oh - but you do have 2 instances behind the VIP.

                              My F5 is a little rusty, but you need to make sure something like this is happening:

                              client1 hits authsvc (9840) on server1, authenticates, goes to appsvc (9841), opens nsh (9833); client1 always goes to server1 (sticky sessions).

                              When you set the URLs, did you change the ports in the URLs to match 80, 81, 82? I'm wondering if that got messed up in one of the URLs.
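The VIP layout in reply 10 and the sticky-session requirement in reply 11 can be put together in a small model. This is an added example for this page, not BladeLogic or F5 configuration: credentials and the balancing algorithm are toys, written only to show why three independently balanced VIPs in front of instances that do not share login state (reply 9) produce CREDENTIAL_REJECTED, and why one persistence record shared by all three VIPs fixes it. The pool members are the ones listed in reply 10 (with 9833/9933 written as 9842/9942, since the post says they need reconfiguring to *42); the client addresses and the `match_across_services` flag name are assumptions of the example.

```python
"""Model of the lab VIP layout from the posts above: one physical server
(valizprd091) running two Application Server instances on different ports,
fronted by three VIPs on blappserv (80 -> authsvc, 81 -> appsvc, 82 -> proxysvc).

Added example for this page, not BladeLogic or F5 configuration. Credentials
and the LB algorithm are toy models; 'instance A' is the 98xx port set and
'instance B' the 99xx set, with 9833/9933 written as 9842/9942 since the post
says they need to be reconfigured to *42. The flag match_across_services is our
name for one persistence record being honoured by all three VIPs.
"""
import itertools

# VIP port -> (instance A member, instance B member)
POOLS = {
    80: ("valizprd091:9840", "valizprd091:9940"),  # authsvc
    81: ("valizprd091:9841", "valizprd091:9941"),  # appsvc
    82: ("valizprd091:9842", "valizprd091:9942"),  # proxysvc (NSH)
}
INSTANCE_OF = {member: idx for members in POOLS.values() for idx, member in enumerate(members)}


class AppServerInstance:
    """Each instance keeps its own login state; instances do not share it."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def authenticate(self, user):
        cred = f"{user}@{self.name}"  # constructed token, not the real credential format
        self.sessions.add(cred)
        return cred

    def accept(self, cred):
        return cred in self.sessions


class LoadBalancer:
    """Round-robin per VIP, with source-address persistence."""

    def __init__(self, match_across_services):
        self.match_across_services = match_across_services
        self.rr = {port: itertools.cycle(range(2)) for port in POOLS}
        self.persist = {}  # persistence key -> instance index

    def pick(self, client_ip, vip_port):
        # Per-VIP persistence keys on (client, port); across-services keys on client only.
        key = client_ip if self.match_across_services else (client_ip, vip_port)
        if key not in self.persist:
            self.persist[key] = next(self.rr[vip_port])
        return POOLS[vip_port][self.persist[key]]


CLIENT1, CLIENT2 = "10.1.1.50", "10.1.1.51"  # constructed client addresses


def run(match_across_services):
    """Two clients authenticate, then open appsvc/proxysvc in the opposite order.

    Returns {client_ip: {"appsvc": ..., "proxysvc": ...}} with OK or CREDENTIAL_REJECTED.
    """
    lb = LoadBalancer(match_across_services)
    instances = [AppServerInstance("instance-A"), AppServerInstance("instance-B")]
    creds = {}
    for client in (CLIENT1, CLIENT2):
        member = lb.pick(client, 80)  # authsvc
        creds[client] = instances[INSTANCE_OF[member]].authenticate(client)
    results = {}
    for client in (CLIENT2, CLIENT1):  # reversed: each VIP's round robin is now out of step
        out = {}
        for port, svc in ((81, "appsvc"), (82, "proxysvc")):
            member = lb.pick(client, port)
            ok = instances[INSTANCE_OF[member]].accept(creds[client])
            out[svc] = "OK" if ok else "CREDENTIAL_REJECTED"
        results[client] = out
    return results


if __name__ == "__main__":
    print("per-VIP persistence only:", run(False))
    print("persistence across services:", run(True))
```

With persistence scoped to each VIP, the authsvc VIP and the appsvc VIP make independent decisions, so a client can authenticate against one instance and present that credential to the other; the reply-8 symptom follows directly, and having both instances on one physical host does not help because the credential store is per instance, not per host. Keying persistence on the client alone, so the decision made at 9840 is reused at 9841 and 9842, is the "client1 always goes to server1" behaviour reply 11 asks for.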

                              • 12. Re: Multiple App Servers Load Balanced behind an F5

                                I'm checking with our network staff on the F5 config. However, I had already tried to avoid that issue by disabling one of the servers and forcing everything through the same path.

                                 

                                Yes, I modified the URLs - here they are:

                                AppServiceURLs:

                                service:appsvc.bladelogic:blsess://blappserv.val.cummins.com:81

                                ProxyServiceURLs:

                                service:proxysvc.bladelogic:blsess://blappserv.val.cummins.com:82

                                • 13. Re: Multiple App Servers Load Balanced behind an F5
                                  Bill Robinson

                                  In one of your other posts you said:

                                  I was able to verify the secure file by switching back to a non-vip configuration in the URLs and fixing my proxy config by adding a ProxySVCPort setting.

                                  Can you post the secure file you're using with the VIP and without the VIP?

                                  • 14. Re: Multiple App Servers Load Balanced behind an F5

                                    I was using the same secure file but changing the defaultProfile between the F5 URLs and one of the direct URLs.

                                     

                                    default:port=4750:protocol=5:auth_profile=defaultProfile:auth_profiles_file=/c/Program Files/BladeLogic/OM/br/authenticationProfiles.xml:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls
