Load Balancing for eSafe Gateway 3.0 when using Alteon’s AD2 or AD3
This document describes how to set up and configure Alteon’s AD2 (Alteon part # 700111) or AD3 (Alteon part # 700106) and Aladdin’s eSafe Gateway to provide a combined load-balancing and content filtering solution. Throughout this document, the Alteon units are referred to as AD2/3.
Overview
The combined use of Alteon’s ACEdirector AD2 or AD3 (referred to as AD2/3 throughout the remainder of this document) with eSafe Gateway helps ensure a free flow of clean HTTP, FTP, and SMTP traffic, 24 hours a day, non-stop. Alteon’s AD2/3 units distribute the flow of traffic among a number of eSafe Gateway machines, allowing them to filter a wider bandwidth at high speed. Furthermore, if an eSafe Gateway machine fails for any reason, all traffic is redistributed among the remaining eSafe Gateway machines to ensure the continued flow of traffic.
You can further increase redundancy to protect against temporary software failure of eSafe Gateway’s component modules by enabling each eSafe Gateway machine to use the CI module of the other eSafe Gateway machines. This setting slows down eSafe Gateway’s content filtering speeds.
IP addresses
Each AD2/AD3 has a number of ports, each of which can be assigned to a different IP address. When two AD2/AD3 units are used with eSafe Gateway machines placed between them, eSafe Gateway can filter out malicious and other undesirable FTP, HTTP, and SMTP traffic before this traffic reaches the LAN.
Port 1 is used by the external AD2/AD3 to communicate with the Internet, and by the internal AD2/AD3 to communicate with the LAN. Communication between the two AD2/AD3 units is distributed over additional ports, with a separate eSafe Gateway machine for each line of communication. In other words, a different eSafe Gateway machine filters content for port 3 than the one that filters content for port 2. Unused ports should be defined as alternates for port 1, i.e., with the same IP address.
Step 1. Define port 1 (default port) of each AD2/AD3 by assigning it the IP address that communicates with the Internet or LAN.
Step 3. Define port 2 of each AD2/AD3 to communicate with the relevant NIC of one of the eSafe Gateway machines.
Step 4. Define port 3 of each AD2/AD3 to communicate with the relevant NIC of a second eSafe Gateway machine.
Step 5. Repeat using a different AD2/AD3 port for each eSafe Gateway machine.
In the illustrated example, the content filtering load is balanced over two eSafe Gateway machines. The public IP address assigned to port 1 of the external AD2/AD3 is 192.168.20.1/24. The public IP address assigned to port 1 of the internal AD2/AD3 is 192.168.21.80/24.
An eSafe Gateway machine with an external IP address of 10.1.3.1/24 and an internal IP address of 10.1.5.1/24 filters traffic over port 2.
Another eSafe Gateway machine with an external IP address of 10.1.4.1/24 and an internal IP address of 10.1.6.1/24 filters traffic over port 3.
How to configure the AD2/AD3
Step 1. Connect an ASCII terminal (or PC running terminal emulation software) to the AD2/AD3 to serve as a console. You need to configure the console with the following communication parameters:
Baud = 9600
Data bits = 8
Stop bits = 1
Flow control = None
Step 2. Establish communication. To do this:
a. Open a terminal session.
b. Press the Enter key until you are asked for a password.
c. Enter the password for access to the switch. The default super-user password is admin.
Step 3. Enter the following command lines:
/boot/conf factory
/boot/reset
This resets the switch to the factory default.
Step 4. Answer No when asked if you want to run the setup program. This will allow you to manually configure and verify each step.
Step 5. Configure the VLAN information. In the above example, ports 2 and 3 are the physical ports that will link to eSafe Gateway CRs. The commands for the above example are:
/cfg/vlan 1/ena
/cfg/vlan 2/ena
/cfg/vlan 2/add 2
/cfg/vlan 3/ena
/cfg/vlan 3/add 3
apply
Step 6. Turn off Spanning Tree to prevent automatic partitioning of ports when there are multiple interfaces into the same subnet.
/cfg/stp/off
Step 7. Assign IP addresses to each port. The commands for port 1 of the external AD2/AD3 in the above example are:
/cfg/ip/if 1/addr 192.168.21.80/mask 255.255.255.0/broad 192.168.21.255
/cfg/ip/if 1/vlan 1/ena
/apply
The commands for port 2 of the external AD2/AD3 in the above example are (note the parameters that differ from the port 1 definition):
/cfg/ip/if 2/addr 10.1.5.10/mask 255.255.255.0/broad 10.1.5.255
/cfg/ip/if 2/vlan 2/ena
/apply
The commands for port 3 of the external AD2/AD3 in the above example are (note the parameters that differ from the port 1 definition):
Step 8. Set up static routes to channel traffic through each eSafe Gateway CR machine. The commands for the external AD2/AD3 in the above example are as follows:
/cfg/ip/route
add 10.1.3.0 255.255.255.0 10.1.5.1 2
add 10.1.4.0 255.255.255.0 10.1.6.1 3
/apply
/save
The commands for the internal AD2/AD3 include an additional default gateway definition. The commands for the above example are as follows:
/cfg/ip/route
add 10.1.3.0 255.255.255.0 10.1.5.1 2
add 10.1.4.0 255.255.255.0 10.1.6.1 3
/cfg/ip/gw 1/addr 192.168.20.1/ena
/apply
/save
Step 9. Make sure IP forwarding is turned on and RIP turned off.
/cfg/ip/fwrd/on
/cfg/ip/rip/off
Step 10. Enable server load balancing.
/cfg/slb/on
Step 11. Define the other AD2/AD3 as the real server. This enables the AD2/AD3 to test the integrity of the entire data path. The commands for the external AD2/AD3 in the above example are as follows:
/cfg/slb/real 1/rip 10.1.3.10/ena
/cfg/slb/real 2/rip 10.1.4.10/ena
/apply
/save
The commands for the internal AD2/AD3 in the above example are as follows (note the real server addresses, which differ from those of the external unit):
/cfg/slb/real 1/rip 10.1.5.10/ena
/cfg/slb/real 2/rip 10.1.6.10/ena
/apply
/save
Step 12. Create a real server group and add the real servers.
/cfg/slb/group 1/metric hash/health http/cont health.htm/add 1/add 2 /apply
/save
Step 13. Create a virtual IP address to enable the HTTP integrity test to work.
/cfg/slb/virt 1/service http
/cfg/slb/filt 100/ena/dip 192.168.21.0/dmask 255.255.255.0/proto any
/cfg/slb/filt 224/ena/action redir/group 1
/apply
/save
Step 15. Add all of the filter rules to the external ports of each AD2/AD3 (normally port 1 and unused ports).
/cfg/slb/port 1/filt ena/add 100/add 224
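The script below is an added example and is not part of Aladdin’s or Alteon’s documentation. It checks the addressing plan of steps 7, 8 and 11 for the properties those steps rely on: each static route’s next hop lies on the subnet of the interface the route names and is an eSafe Gateway NIC; each real server (the other unit’s port address) is reached through a different eSafe Gateway machine, so that the health probe really crosses a scanner; and the virtual segments between the units do not overlap any other subnet you pass in. The addresses are the ones the steps above give for the unit configured in steps 7, 8 and 11; its port 3 address (10.1.6.10) is the one the other unit names as real 2 in step 11. The `make_unit`, `next_hop` and `check_plan` helpers are my construction, not Alteon commands, and the `dest mask gateway interface` reading of the route `add` lines follows step 8.

```python
"""Added example: consistency checks for an AD2/3 + eSafe Gateway addressing plan."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: int          # the 'if' number given at the end of '/cfg/ip/route/add ...'


@dataclass
class AlteonUnit:
    name: str
    interfaces: dict        # if number -> IPv4Interface (address plus mask), step 7
    routes: list            # static routes, step 8
    real_servers: dict      # real index -> IPv4Address, step 11


def make_unit(name, interfaces, routes, real_servers):
    """Build an AlteonUnit from plain strings: {1: "a.b.c.d/24"}, [(dest, gw, if)], {1: "rip"}."""
    return AlteonUnit(
        name,
        {n: ipaddress.IPv4Interface(a) for n, a in interfaces.items()},
        [Route(ipaddress.IPv4Network(d), ipaddress.IPv4Address(g), i) for d, g, i in routes],
        {n: ipaddress.IPv4Address(a) for n, a in real_servers.items()},
    )


def next_hop(unit, dst):
    """Longest-prefix match over the static routes, then directly connected interfaces.
    Returns (interface number, gateway or None for a connected subnet), or None if nothing matches."""
    best = None
    for r in unit.routes:
        if dst in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    if best is not None:
        return best.interface, best.gateway
    for n, iface in unit.interfaces.items():
        if dst in iface.network:
            return n, None
    return None


def check_plan(unit, esafe_nics, other_networks=()):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    nics = {ipaddress.IPv4Address(a) for a in esafe_nics}
    others = [ipaddress.IPv4Network(n) for n in other_networks]
    problems = []
    # 1. every AD2/3 interface must sit on its own subnet
    items = sorted(unit.interfaces.items())
    for (a, ia), (b, ib) in [(x, y) for x in items for y in items if x[0] < y[0]]:
        if ia.network.overlaps(ib.network):
            problems.append(f"if {a} and if {b} share subnet {ia.network}")
    # 2. each route's gateway must be on the named interface's subnet and be an eSafe NIC
    for r in unit.routes:
        iface = unit.interfaces.get(r.interface)
        if iface is None or r.gateway not in iface.network:
            problems.append(f"route {r.dest}: gateway {r.gateway} is not on the subnet of if {r.interface}")
        if r.gateway not in nics:
            problems.append(f"route {r.dest}: gateway {r.gateway} is not an eSafe Gateway NIC")
    # 3. each real server (the other unit) must be reached via an eSafe machine, one per port
    ports_used = {}
    for idx, rip in unit.real_servers.items():
        hop = next_hop(unit, rip)
        if hop is None or hop[1] is None or hop[1] not in nics:
            problems.append(f"real {idx} ({rip}) is not reached through an eSafe Gateway machine")
            continue
        if hop[0] in ports_used:
            problems.append(f"real {idx} and real {ports_used[hop[0]]} both leave through if {hop[0]}")
        ports_used[hop[0]] = idx
    # 4. the virtual segments (everything except port 1) must not collide with other subnets
    for net in others:
        for n, iface in unit.interfaces.items():
            if n != 1 and iface.network.overlaps(net):
                problems.append(f"if {n} subnet {iface.network} overlaps {net}")
    return problems


# Addresses as the steps above give them for the unit configured in steps 7, 8 and 11.
# Its port 3 address is the one the other unit lists as real 2 in step 11.
UNIT_A = make_unit(
    "AD2/3 of steps 7, 8 and 11",
    {1: "192.168.21.80/24", 2: "10.1.5.10/24", 3: "10.1.6.10/24"},
    [("10.1.3.0/24", "10.1.5.1", 2), ("10.1.4.0/24", "10.1.6.1", 3)],
    {1: "10.1.3.10", 2: "10.1.4.10"},
)
# Both NICs of both eSafe Gateway machines, from the IP addresses section above.
ESAFE_NICS = ("10.1.3.1", "10.1.5.1", "10.1.4.1", "10.1.6.1")

if __name__ == "__main__":
    for line in check_plan(UNIT_A, ESAFE_NICS) or ["plan is consistent"]:
        print(line)
```

Passing an internal LAN or CI-machine subnet in `other_networks` performs the overlap check the last section of this document asks for when CI machines are added on the LAN side; a plan in which two real servers resolve through the same port means one eSafe machine would carry both probes, so a failure of the other machine would go unnoticed.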
Installing eSafe Gateway
Minimum requirements
Dedicated computer: Pentium III, 500 MHz or above, two Ethernet 10/100 Mbps NICs (not dual or quad). If you have 3COM NICs, the NIC monitor programs and drivers must be removed or disabled. (Only one NIC is needed for additional CI machines.)
Hardware integration: The machine has been factory or vendor tested as a complete unit. It is strongly recommended that you disable all unnecessary services.
Disk space: 5 GB free. SCSI-UW with NTFS recommended.
Additional drives: CD-ROM drive or Internet connectivity (for installation).
RAM: 256 MB or above (512 MB recommended).
OS: Fresh installation of Windows NT 4 server/workstation (Intel version) with SP 6a (additional CI machines can also run under Windows 2000 with SP 1 or above). Do not install from an image unless the image is from a fresh installation!
Make sure that the Windows OS for each machine containing a CI (eSafe Gateway/Mail machine or remote CI machine) includes CABINET.DLL. If this file does not exist on the machine, eSafe Gateway/Mail cannot scan CAB (cabinet) files. You can add this file by installing Internet Explorer 5.0 or above.
Internet access (required for CR only): FTP access to enable software updates. Access to an external SMTP Mail Server that is configured to accept SMTP requests from the eSafe Gateway/Mail machine (this is necessary to send warnings and alerts to administrators, senders and recipients). Resolving capability (definition and access to a DNS Server).
Important Note:
Do not install additional software. You should disable all unnecessary services.
Pre-installation Checklist
• The machines on which you will install eSafe Gateway components each meet the minimum requirements for those components.
• You are acquainted with network terminology, have a working knowledge of network management, and know how to configure IP routing.
• You have read the latest eSafe Gateway/Mail Release Notes.
• The eSafe Gateway machine does not have any other content inspection/anti-virus program installed. If it does, you must uninstall it.
• The eSafe Gateway and remote CI machines have a CD-ROM drive or Internet connectivity (for installation).
• You have administrator access to the eSafe Gateway machine (and any additional CI machines).
• If you have a firewall, you have full administrator access to its policy manager.
• Decide where you want to place the eSafe Gateway machine. If you have a firewall, the eSafe Gateway machine is usually configured to operate between the firewall and the LAN (not in the DMZ). If you do not have a firewall, the eSafe Gateway machine is installed as a gateway to your network (between the Router and the LAN).
Installation
Step 1. Configure TCP/IP for Router Mode installation.
a. Install two NICs into the eSafe Gateway machine.
b. Assign the IP addresses to the NICs.
c. Make sure that the Enable IP Forwarding check box is selected on the eSafe Gateway machine. If you fail to do this, files will not pass from the firewall to the LAN and vice versa.
Step 2. Connect the eSafe Gateway machine.
Step 3. Install the evaluation version of eSafe Gateway software in Router Mode.
Step 4. Install additional CIs - remember to set CI assignments.
Important Note:
The number of CIs that an eSafe Gateway machine can use is restricted by the license. Make sure that the license for EACH eSafe Gateway/Mail machine covers the total number of CIs that it needs. This information is listed under Help | About | Registration Information.
Step 5. Test eSafe Gateway.
Step 6. Test communication at all workstations and servers.
a. Connect the CR between the AD2/AD3 units. DO NOT place any other hosts on this segment.
b. Check your AD2/AD3 and other logs to make sure that traffic flows freely through the eSafe Gateway machine, acting as a Windows NT router, before you install the eSafe Gateway/Mail software.
Step 7. Register.
Router mode installation
Step 1. Install two NICs into the eSafe Gateway machine. Make sure to remove or disable all NIC monitor programs and drivers.
Step 2. Take the IP address of the firewall/router’s inner NIC and assign it to the inner NIC of the eSafe Gateway machine.
Step 3. Before you continue, make sure that you are authorized to make changes to the firewall/router machine. Establish a network segment between the firewall/router and the eSafe Gateway machine.
c. Assign the new IP address to the inner NIC of the router/firewall.
d. Assign the new IP address to the outer NIC of the eSafe Gateway machine from the newly created network segment.
e. Enable IP forwarding on the eSafe Gateway machine. Example:
Step 4. Disable all unnecessary services and drivers, including the partial list below.
Services:
• Alerter
• Computer Browser
• DHCP Client
• Messenger
• Server
• Task Scheduler
• Net-Logon
• Workstation
• Network DDE
• Network DDE DSDM
Device drivers:
• Parallel
• ParPort
• ParVdm
• Serial
• WINS Client
Network bindings:
• NetBIOS
• WINS Client (TCP/IP)
Important Note:
Additional changes to Windows NT that can improve performance and tighten security are described in appendix D.
Step 5. At the firewall machine, create a permanent static route for the LAN that passes through the eSafe Gateway machine.
Sample routing command
route add -p <10.1.10.1> mask <255.255.255.0> <10.1.10.2> where:
• <10.1.10.1> represents your default gateway.
• <255.255.255.0> represents your network’s netmask.
• <10.1.10.2> represents the IP of the NIC in the CR that communicates with the firewall.
Step 6. Copy the routing table of the firewall. To do this, enter the following text into the command prompt:
route print > rtable.txt
Step 7. Connect the CR machine to the firewall/router on a dedicated Ethernet segment. Do not place any other hosts on this segment.
Step 8. Boot the CR machine and make sure that workstations on the LAN can surf the Internet.
Step 9. Check your firewall and other logs to make sure that traffic flows freely through the CR machine, acting as a Windows NT router before you install the eSafe Gateway/Mail software.
Step 10. Make sure that the network functions properly and there are no routing problems.
Step 11. Run the Setup program from the CD-ROM or downloaded file. You can download the Setup program from ftp://ealaddin.com/pub/products/esg3.exe.
Important Note:
If an older version or build of eSafe Gateway with NitroInspection™ is already installed, you must uninstall the older version and reboot the machine before installing the new version.
Step 13. Select the component(s) to install.
Step 14. Define whether the eSafe Gateway machine will sit in front of a proxy or firewall machine.
Step 15. Check the path where eSafe Gateway is to be installed and edit if necessary.
Step 16. Select Evaluation or Registration. Evaluation allows you to work with and update eSafe Gateway/Mail for 30 days, after which time eSafe Gateway/Mail will block all monitored traffic. When a registered license expires, eSafe Gateway/Mail will continue to operate, but will not allow updates to software, virus tables, or any other components.
In order to avoid licensing the wrong IP, it is recommended that you first install as Evaluation, wait until eSafe Gateway is up and running, then register from the CR machine (see page 21).
Step 17. Wait while the files are copied.
Step 18. Select whether to use the SMTP module.
If you have an SMTP server on the LAN, select Also monitor SMTP and enter the Internet Domain name (FQDN) and IP address of the internal SMTP Server. If you have more than one mail domain, you can add it later, after completing the initial installation, via eConsole (Administration | SMTP Server | Internal Mail Servers). Failure to enter the name and IP address of ALL internal SMTP Servers will cause eSafe Gateway’s SMTP module to block all incoming mail until you add this information to the configuration.
Step 19. Decide whether to subscribe to the Early Detection Service (recommended).
Step 20. At the end of the setup program, click Next.
Step 21. Click Cancel when prompted to restart the computer.
Step 22. Shut down (not restart) Windows and turn off the machine.
Step 23. Turn on the eSafe Gateway machine and look for error messages during startup.
Step 24. After you complete installation, enter Control Panel | Services and make sure that the following services are started:
• eSafe Gateway
• eSafe Content Inspector
Step 25. At this point the software is installed and you are ready to adapt the configuration to your needs as described in the eSafe Gateway Administrator’s Manual.
Step 27. Check that the IP address of the CR appears in blue. This may take a few seconds. If the IP address does not appear, you have a problem and should refer to Troubleshooting.
Step 28. Double-click the CR and create a password.
Step 29. Check the SMTP parameters needed for sending alerts and define or edit them if necessary.
a. Run eConsole and enter the configuration module (click Configuration). If you need detailed instructions, consult the Administrator’s manual.
b. To scan email for more than one domain, go to Administration | SMTP Server | Internal Mail Servers and enter the additional domains.
c. Go to Administration | Alerts | Alert Recipients and define alert recipients.
d. Go to Administration | Alerts | File & Other Params and enter an address into the Senders field with a domain name that will allow alerts to pass through the anti-spoofing mechanism of the SMTP server that will receive the alerts.
e. If you want all of your alerts to be sent via a specific SMTP server, enter it into the Outgoing SMTP server field. If you leave this field blank, eSafe Gateway will use the DNS lookup.
Step 30. Test eSafe Gateway operation by downloading the virus test file from http://www.eicar.org. This file is not an actual virus and cannot replicate. It was developed by the European Institute of Computer Research and anti-virus vendors for the sole purpose of testing scan engines to make sure that they are working. For more extensive tests, see the Administrator’s Manual.
Registration
Evaluation mode allows you to work with and update eSafe Gateway/Mail for 30 days, after which time eSafe Gateway/Mail will block all monitored traffic. When a registered license expires, eSafe Gateway will continue to operate, but will not allow software and virus table updates.
Important Note:
If you are upgrading from build 96 or above, you can use the same license key.
Important Note:
If you are upgrading from version 2.1 to a NitroInspection™ CR, you must use a new license key that your vendor can supply.
In order to register, you need your login name and password. If you need to move a license to another machine, you must contact the VAR or distributor who sold you the license, then update your registration before you can create a new license key.
You can create a cold-restart backup machine with an exact copy of the CR and the same license. If your CR has a hardware or other failure, you can connect the cold-restart backup machine in its place to keep your Internet gateway open while you troubleshoot the problem.
Step 1. Generate a license key.
a. Make sure you have your login name and password for entering the licensing center. If you do not have either of these, contact your vendor.
b. Click Get License if you are in the installation procedure, or connect to the eSafe Licensing Center at http://www.ealaddin.com/lc. If possible, connect from the eSafe Gateway/Mail machine.
c. Make sure to select the correct product and operation mode.
d. Choose Issue license from the menu and follow the instructions that appear on screen. Make sure that the IP address listed is for the eSafe Gateway/Mail machine that you want to license; we recommend that you register the IP address taken from the firewall.
Step 2. Select Start | Programs | eSafe Gateway/Mail | Enter Registration Number from your Windows Desktop.
Step 3. Enter your name, company name and license key into the Registration window, and click Next.
Step 4. Review the details and click Next. If you discover an error, click Back and make the corrections.
Important Note:
If you forget your license key and need to reinstall, you can use your login name and password to retrieve it from the eSafe Licensing Center at http://www.ealaddin.com/lc.
Important Note:
Make sure to register the eSafe Gateway for the total number of CIs needed.
Allowing the AD2/3 test files without scanning
The AD2/3 units continually send the test files through to test communication. Under the default configuration this file is scanned time and again.
If you add the AD2/3 units to the Trusted Servers List for Blocking and Scanning, the test files will not identify a CI failure. If this is the only CI available to the eSafe Gateway machine, all files that need to be scanned will either be blocked or allowed without scanning, according to the Block if a scanner error occurs check box setting. Consequently the AD2/3 will not compensate, i.e., it will not redirect all new files to other CR machines.
You can avoid this situation by adding the other eSafe Gateway machines to the list of CIs used and/or adding CI machines to the internal LAN. In either case, you must add the static routes (passing through the internal AD2/3) to the NT routing table of the eSafe Gateway machine.
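To make the failure mode described above concrete, here is an added Python model, not eSafe or Alteon code, of the two paths involved: the AD2/3 health probe (the `health http/cont health.htm` setting of step 12) and the scanning path a real download takes through an eSafe Gateway machine whose local CI has failed. The gateway names, the LAN and Internet addresses, the health file contents and the malicious marker are constructed for the example; the probe source address is the port 2 address 10.1.5.10 from step 7; and the hash metric is simplified to a client-address modulus rather than Alteon’s actual algorithm.

```python
"""Added example: AD2/3 health probe versus the eSafe Gateway scanning path."""
import ipaddress
from dataclasses import dataclass, field

AD_PROBE_IP = "10.1.5.10"                   # port 2 address of the probing AD2/3 (step 7)
LAN_CLIENT_IP = "192.168.21.56"             # constructed LAN workstation address
INTERNET_HOST_IP = "203.0.113.5"            # constructed external web server address
HEALTH_FILE = b"<html>health.htm</html>"    # constructed stand-in for the health.htm content
MALICIOUS_MARKER = b"EICAR-TEST-MARKER"     # constructed marker that the CI treats as a detection


@dataclass
class ContentInspector:
    name: str
    up: bool = True

    def scan(self, payload: bytes) -> bool:
        """True when the payload is clean; raises when this CI module is down."""
        if not self.up:
            raise RuntimeError(f"{self.name} is not responding")
        return MALICIOUS_MARKER not in payload


@dataclass
class EsafeGateway:
    name: str
    cis: list                                   # local CI first, then any remote CIs it may use
    trusted_servers: set = field(default_factory=set)
    block_on_scanner_error: bool = True         # the 'Block if a scanner error occurs' check box

    def handle(self, src_ip: str, payload: bytes) -> str:
        """Outcome for one file arriving from src_ip."""
        if src_ip in self.trusted_servers:
            return "passed-trusted"             # trusted source: no CI is consulted at all
        for ci in self.cis:
            try:
                return "clean" if ci.scan(payload) else "blocked-malicious"
            except RuntimeError:
                continue                        # this CI is down, try the next one in the list
        return "blocked-scanner-error" if self.block_on_scanner_error else "passed-unscanned"


@dataclass
class LoadBalancer:
    reals: list                                 # the eSafe Gateway machines in SLB group 1

    def healthy(self) -> list:
        """'health http/cont health.htm': a real counts as up whenever health.htm comes back."""
        return [gw for gw in self.reals
                if gw.handle(AD_PROBE_IP, HEALTH_FILE) in ("clean", "passed-trusted", "passed-unscanned")]

    def pick(self, client_ip: str):
        """Simplified 'metric hash': the client address selects one of the healthy reals."""
        alive = self.healthy()
        if not alive:
            return None
        return alive[int(ipaddress.IPv4Address(client_ip)) % len(alive)]


def scenario(trust_ad: bool, block_on_error: bool = True, share_cis: bool = False) -> dict:
    """Gateway A's CI is down; report what the AD2/3 sees and what a LAN user's download gets."""
    ci_a = ContentInspector("CI on gateway A", up=False)
    ci_b = ContentInspector("CI on gateway B")
    gw_a = EsafeGateway("gateway A", [ci_a] + ([ci_b] if share_cis else []),
                        block_on_scanner_error=block_on_error)
    gw_b = EsafeGateway("gateway B", [ci_b] + ([ci_a] if share_cis else []),
                        block_on_scanner_error=block_on_error)
    if trust_ad:
        for gw in (gw_a, gw_b):
            gw.trusted_servers.add(AD_PROBE_IP)
    lb = LoadBalancer([gw_a, gw_b])
    chosen = lb.pick(LAN_CLIENT_IP)
    download = b"GET /file.exe -> " + MALICIOUS_MARKER   # constructed malicious download
    return {
        "healthy": [gw.name for gw in lb.healthy()],
        "chosen": chosen.name if chosen else None,
        "user_download": chosen.handle(INTERNET_HOST_IP, download) if chosen else None,
    }


if __name__ == "__main__":
    print("AD trusted, CI on A down:           ", scenario(trust_ad=True))
    print("AD trusted, allow on scanner error: ", scenario(trust_ad=True, block_on_error=False))
    print("AD scanned (default), CI on A down: ", scenario(trust_ad=False))
    print("AD trusted, A may use B's CI:       ", scenario(trust_ad=True, share_cis=True))
```

With the AD2/3 address trusted, both gateways answer the probe and gateway A keeps receiving its share of clients, who then get either a scanner-error block or, with the check box cleared, an unscanned file. With the default configuration the probe itself goes through the failed CI, gateway A drops out of the group and the client is hashed to gateway B. Listing gateway B’s CI as a remote CI on gateway A gives the third outcome: the probe still passes, but the download is scanned by the remote CI. In this model a gateway set to allow files on scanner error also answers the probe, so the check box setting matters for detection as well as for what reaches the LAN.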
If you add CIs to the internal LAN, you must be careful to avoid assigning conflicting IP addresses to the internal LAN and the virtual subnets created between the AD2/3 units and eSafe Gateway machines.
Important Note: