Radware’s AppDirector
And
Microsoft Office Communications Server R2
Integration Guide
Products:
Radware AppDirector
Software: AppDirector version 2.10.00
Platform: On-Demand Switch II
Table of Contents
Joint Solution Overview
Microsoft Office Communications Server Overview
Office Communications Server Architecture
Diagram 1.0 - Office Communications Server 2007 R2 consolidated topology
Pool Components
Front-End Server
Diagram 2.0 – Office Communications Server Conferencing Component Interrelationships
Consolidated Deployment Overview
Diagram 3.0 - Enterprise Pool: Consolidated Configuration
Perimeter Network Configuration for IM and Conferencing
Diagram 4.0 - Office Communications Server 2007 R2 external configuration
Table 1.0 – Office Communications Server Protocols load balanced by AppDirector
Radware AppDirector Overview
AppDirector and Microsoft Office Communication Server Architecture
Diagram 5.0 - AppDirector and Microsoft Office Communications Server Reference Architecture
Primary Front-End AppDirector Configuration
IP Configuration
Farm Configuration
Create Layer 4 Policy
Extended Farms Settings
Adding Servers to the Farm
Enabling Client NAT
Health Monitoring
Create the Health Monitoring Checks
Binding Health Checks to Servers
General Redundant Configuration Notes
Primary AppDirector VRRP Configuration
Primary Virtual Routers
Primary Associated IP Addresses
Primary Mirroring
Auto-Generate the Front-End Backup AppDirector Configuration
Setting up basic IP connectivity on the Backup AppDirector
Auto Generating the Backup Configuration from the Primary AppDirector
Upload the Backup Configuration file to the device
Primary DMZ AppDirector Configuration
IP Configuration
Farm Configuration
Create Layer 4 Policy
Extended Farms Settings
Adding Servers to the Farm
Enabling Client NAT
Health Monitoring
Create the Health Monitoring Checks
Auto-Generate the DMZ Backup AppDirector Configuration
Setting up basic IP connectivity on the Backup AppDirector
Auto Generating the Backup Configuration from the Primary AppDirector
Upload the Backup Configuration file to the device
Appendix
Appendix 1 – Primary AppDirector Front-End Configuration File
Appendix 2 – Backup AppDirector Front-End Configuration File
Appendix 3 – Primary AppDirector DMZ Configuration File
Appendix 4 – Backup AppDirector DMZ Configuration File
Joint Solution Overview
The Radware and Microsoft Office Communications Server joint solution provides
Office Communications Server customers with solution resilience, efficiency and scale.
Radware's AppDirector gives Office Communications Server maximum
availability, scalability, performance and security. Managing traffic for both the
Web Service content and the SIP-based Unified Communication services, AppDirector
provides advanced health monitoring to avoid system downtime and advanced
traffic management to deliver a best-of-breed subsystem. With a pay-as-you-grow
platform licensing model, AppDirector ensures long-term investment protection,
facilitating the incremental growth demanded by today's business.
Microsoft Office Communications Server Overview
Office Communications Server 2007 R2 is available in two versions, Standard
Edition and Enterprise Edition. The primary difference between these two versions
is whether the deployment model is single-server or multi-server. Each of
these deployment models is referred to as a pool. Standard Edition combines all
functions, including the SQL server, onto the same server platform, whereas
Enterprise Edition is intended to be deployed on multiple servers, providing
scalability for enterprise deployments.
For Office Communications Server 2007 R2 Enterprise Edition deployments, Microsoft
recommends the use of a hardware load balancer to distribute user traffic to the
front end servers of a pool. Software load balancing products such as NLB are not
recommended for use with Office Communications Server 2007 R2 for deployments
larger than 500 users.
Office Communications Server 2007 R2 Edge Servers are deployed in the
perimeter network and provide connectivity for external users and public IM
connections. Employees traveling, or working from home or in remote offices, use
the Edge Servers to remotely access the service.
Office Communications Server Architecture
Office Communications Server 2007 R2 is a distributed server environment.
Independent software modules work in conjunction to provide the features of
Office Communications Server.
Diagram 1.0 - Office Communications Server 2007 R2 consolidated topology
Pool Components
An Office Communications Server pool consists of one or more Front End Servers
that provide IM, presence, and conferencing services and are connected to a
SQL Server database for storing user and conference information.
Front-End Server
The principal function of the front end server is to provide the following services to
end users and control the application environment.
• Telephony Conferencing Server
• Web Conferencing Server
• Web Components Server
• Application Sharing Server for Multiparty or CWA-based Application Sharing
The Office Communications Server 2007 R2, Standard Edition or Enterprise
Edition, Front End Server is responsible for the following tasks:
• Handling signaling among servers and between servers and clients
• Authenticating users and maintaining user data, including all user endpoints
• Routing VoIP calls within the enterprise and to the PSTN
• Scheduling and initializing on-premise conferences and managing conference
state
• Aggregating enhanced presence information of users for clients
• Routing signaling and IM traffic
• Managing conferencing signaling and conference state
• Hosting SIP server applications
These services are supported via the following software modules:
Instant Messaging Conferencing Server
The Instant Messaging Conferencing Server (IM MCU) is responsible for user
registration into Office Communications Server 2007, instant messaging traffic,
and presence state for users.
A/V Conferencing Server
The A/V Conferencing Server enables multiparty audio and video mixing and
relaying capabilities. It is built on the industry-standard Real-time Transport
Protocol (RTP) and Real-time Transport Control Protocol (RTCP).
Telephony Conferencing Server
The Telephony Conferencing Server (ACP MCU) is responsible for facilitating
audio conferences hosted on a PSTN bridge provided by a telecomm provider.
Web Components Server
This is an Internet Information Server (IIS) service. The Web Components Server
enables organizers to upload presentations and other data for use in a Web
conference. Participants download this content via the Web Components Server.
This IIS service also performs distribution list (DL) expansion for Office
Communicator clients and distributes address book files to clients.
Web Conferencing Server
The Web Conferencing Server (DATA MCU) adds data collaboration functionality
to Office Communications Server. The Web Conferencing Server is built on the
same Persistent Shared Object Model (PSOM) technology used by the Live
Meeting service. Both signaling and media are sent to and from a Web
Conferencing Server using the PSOM protocol. The Web Conferencing Server
supports Live Meeting features, such as Microsoft Office PowerPoint
presentations, document presentations, chat, voting, white boarding, and
application sharing.
Application Sharing Server
The Application Sharing Server provides desktop sharing functionality that users can
access directly in Office Communicator and Communicator Web Access, instead of
having to launch the Live Meeting client separately.
Audio/Visual Conferencing Server
The A/V Conferencing Server (AV MCU) enables users to share audio and video
streams during multipoint Conferences.
Focus
Focus is a conference state service that manages all group IM, multiparty A/V, and
data collaboration sessions on the Front End Server; the service is responsible for
conference setup and signaling for the duration of the conference.
Focus Factory
The Focus Factory is part of the Focus that is responsible for creating and
destroying an instance of a conference and returning information about the
conference to the client and is responsible for scheduling meetings.
Conferencing Server Factory
The Conferencing Server Factory is responsible for provisioning a conference for a
particular media type on a conferencing server.
Front End Server VoIP Components
Translation Service
The Translation Service is the server component that is responsible for translating
a dialed number into the E.164 format or another format.
Inbound Routing Component
The Inbound Routing component handles incoming calls largely according to
preferences that are specified by users on their Enterprise Voice clients.
Outbound Routing Component
Exchange UM Routing Component
The Exchange UM routing component handles routing between Office
Communications Server and servers running Microsoft Exchange Unified
Messaging (UM).
Consolidated Deployment Overview
Office Communications Server 2007 R2 consolidated configuration deployments
typically consist of an Enterprise pool where all server components are
co-located on the pool's front end servers. All front end servers in the Enterprise
pool are configured identically. The back end server running a SQL Server
database resides on a separate dedicated physical server. The consolidated
configuration provides scalability and high availability and is easy to plan, deploy,
and manage.
In the Office Communications Server 2007 R2 consolidated pool topology, the
following server roles and services are collocated on the same computer as the
Front End Server:
• Address Book Service
• Address Book Web Query Service
• Application Server
• Application Sharing Server
• A/V Conferencing Server
• Conference Announcement Service
• Conference Attendant
• Group Expansion Service
• IM Conferencing Server
• Outside Voice Control
• Response Group Service
• Telephony Conferencing Server
• Device Update Server
• Web Conferencing Server
Enterprise pool in consolidated configuration requirements:
• Requires two or more front end servers deployed behind a hardware load
balancer.
• Each of the Office Communications Server 2007 R2 components is
installed onto each front-end server in the pool.
• A dedicated SQL Server is required to support the pool.
Diagram 3.0 - Enterprise Pool: Consolidated Configuration
Perimeter Network Configuration for IM and Conferencing
Office Communications Server 2007 R2 allows users working outside the
enterprise network to participate in on-premise conferences, complete with data
collaboration and the ability to relay audio and video through your organization’s
firewall. Office Communications Server 2007 R2 also enhances existing support
for remote access, federation, and public IM connectivity service providers: AOL,
MSN, and Yahoo!.
The Edge Server is composed of the following services: Access Edge Service, A/V
Edge Service, and Web Conferencing Edge Service.
• The Access Edge service validates and forwards SIP signaling traffic
between internal and external users.
• The A/V Edge service enables audio and video conferencing, desktop
sharing, and audio/video (A/V) peer-to-peer communications with external
users who are equipped with a supported client. For details, see Supported
Clients.
• The Web Conferencing Edge service enables external users to participate
in conferences that are hosted by an internal Web Conferencing Server.
• The HTTP reverse proxy is required for downloading Address Book
Diagram 4.0 shows the servers that are required in the Office Communications
Server 2007 R2 perimeter network and the protocols they use to communicate with
Internet clients on one side and with Enterprise Edition servers on the other.
Diagram 4.0 - Office Communications Server 2007 R2 external configuration
Required services in the Office Communications Server 2007 R2 perimeter
network are as follows.
Access Edge Service
The Access Edge service handles all SIP traffic across the corporate firewall. The
Access Edge service handles only the SIP traffic that is necessary to establish and
validate connections. It does not handle data transfer, nor does it authenticate
users. Authentication of inbound traffic is performed by the Director or the Front
End Server. A Director is an Office Communications Server 2007 R2 Standard
Edition server or Enterprise pool that does not home users and that resides inside
the organization’s firewall. A Director is not mandatory but is strongly
authentication, which the Edge Servers do not have because they are deployed in
the perimeter network outside AD DS.) The Access Edge service is essential for all
external user scenarios, including conferencing, remote user access, federation,
and public IM connectivity
Web Conferencing Edge Service
The Web Conferencing Edge service proxies Persistent Shared Object Model
(PSOM) traffic between the Web Conferencing Server and external clients.
External conference traffic must be authorized by the Web Conferencing Edge
service before it is forwarded to the Web Conferencing Server. The Web
Conferencing Edge service requires that external clients use TLS connections and
obtain a conference session key.
A/V Edge Service
The A/V Edge Service provides a single trusted connection point through which
inbound and outbound media traffic (including application sharing traffic) can
securely traverse network address translations (NATs) and firewalls. The
industry-standard solution for multimedia traversal of firewalls is Interactive
Connectivity Establishment (ICE), which is based on the Simple Traversal
Underneath NAT (STUN) and Traversal Using Relay NAT (TURN) protocols. The
A/V Edge service is a TURN/STUN server. All users are authenticated to secure
both access to the enterprise and use of the firewall traversal service that is
provided by the A/V Edge service. To send media inside the enterprise, an
external user must be authenticated and must have an authenticated internal user
agree to communicate with him or her through the A/V Edge service.
HTTP Reverse Proxy
An HTTP reverse proxy in the perimeter network carries HTTP and HTTPS traffic
for external users. The HTTP reverse proxy can be used to authenticate external
users using Communicator Web Access. It is also required to enable external
users to download the following data:
• Address Book Server information
• Web conferencing content
• Expanded distribution lists
• Client and device updates
similar look and feel to the desktop version of Microsoft Office Communicator 2007
R2. External Users can access the IM and presence features in Office
Communications Server 2007 R2 through any supported Web browser.
Communicator Web Access Server is deployed in the internal network. Internal
users can access it directly. External users access the Communicator Web Access
Servers through the HTTP reverse proxy.
Table 1.0 – Office Communications Server Protocols load balanced by AppDirector

| Component (server role or client) | Port | Protocol | Notes |
| --- | --- | --- | --- |
| Load balancer for Front End Servers | 5060/5061 | TCP, MTLS | Used by Standard Edition servers and Enterprise pools for all internal SIP communications between servers and between servers and Office Communicator. |
| Load balancer for Front End Servers | 443 | HTTPS | Communication from Front End Servers to the Web farm FQDNs (the URLs used by Web Components). |
| Load balancer for Front End Servers | 444 | HTTPS | Communication between the focus (the Office Communications Server component that manages conference state) and the conferencing servers. |
| Load balancer for Front End Servers | 135 | DCOM and RPC | Used when a load balancer is deployed. Port 135 is used by the Front End Servers for WMI operations and for moving users (a remote DCOM-based database operation). |
| Load balancer for Front End Servers | 5065 | TCP | Used for incoming SIP listening requests for application sharing. |
| Load balancer for Director | 5060/5061 | TCP | Used for internal communications between servers. |
| Load balancer for Edge Servers | 443 | TCP | Used for internal ports for SIP/TLS communication for remote user access, accessing internal Web conferences, and STUN/TCP inbound and outbound media communications for accessing internal media and A/V sessions. |
| Load balancer for Edge Servers | 5061 | TCP | Used for internal ports for SIP/MTLS communication for remote user access or federation. |
| Load balancer for Edge Servers | 5062 | TCP | Used for internal ports for SIP/MTLS authentication of IM communications flowing outbound through the internal firewall. |
| Load balancer for Edge Servers | 3478 | UDP | Used for internal ports for STUN/UDP inbound and outbound media communications. |
| Load balancer for Edge Servers | 443 | TCP | Used for external ports for SIP/TLS communication for remote user access, accessing internal Web conferences, and STUN/TCP inbound and outbound media communications for accessing internal media and A/V sessions. |
| Load balancer for Edge Servers | 5061 | TCP | Used for external ports for SIP/MTLS communication for remote user access or federation. |
| Load balancer for Edge Servers | 3478 | TCP | Used for external ports for STUN/UDP inbound and outbound media communications. |
| Live Meeting 2007 client | 8057 | TCP | Used for outgoing PSOM traffic sent to the Web Conferencing Server. |
For more information, please visit:
http://www.microsoft.com/communicationsserver/en/us/technical-resources.aspx
Radware AppDirector Overview
Radware’s AppDirector is an intelligent application delivery controller (ADC) that
provides scalability and application-level security for service infrastructure
optimization, fault tolerance and redundancy. Radware combined its
next-generation, OnDemand Switch multi-gigabit hardware platform with the
powerful capabilities of the company’s APSolute™ operating system “classifier”
and “flow management” engine. The result – AppDirector – enables accelerated
application performance; local and global server availability; and application
security and infrastructure scalability for fast, reliable and secure delivery of
applications over IP networks.
AppDirector is powered by the innovative OnDemand Switch platform. OnDemand
Switch, which has established a new price/performance standard in the industry,
delivers breakthrough performance and superior scalability to meet evolving
network and business requirements. Based on its on demand, “pay-as-you-grow”
approach, no forklift upgrade is required even when new business requirements
arise. This helps companies guarantee short-term and long-term savings on
CAPEX and OPEX for full investment protection. Radware’s OnDemand Switch
enables customers to pay for the exact capacity currently required, while allowing
them to scale their ADC throughput capacity and add advanced application-aware
services or application acceleration services on demand to meet new or changing
application and infrastructure needs. And it does it without compromising on
performance.
AppDirector lets you get the most out of your service investments by maximizing
the utilization of service infrastructure resources and enabling seamless
consolidation and high scalability. AppDirector's throughput licensing options
allow pay-as-you-grow investment protection. Make your network adaptive and
more responsive to your dynamic services and business needs with AppDirector’s
fully integrated traffic classification and flow management, health monitoring and
failure bypassing, traffic redirection, bandwidth management, intrusion prevention
and DoS protection.
AppDirector and Microsoft Office Communication Server Architecture
Diagram 5.0 - AppDirector and Microsoft Office Communications Server
Reference Architecture
Note: There are two pairs of AppDirectors configured for this deployment: a pair of
AppDirectors configured in the DMZ for the Edge Servers and a pair of
AppDirectors configured in the LAN for the Front-End Servers.
Note: DNS SRV records for the appropriate domain are used to locate the OCS
servers for client connectivity. DNS administration is required to bind an A record
for the OCS FQDN, where the FQDN resolves to the appropriate AppDirector Virtual
IP Address (VIP). AppDirector has the ability to become the Authoritative
Primary Front-End AppDirector Configuration
Using a serial cable and a terminal emulation program, connect to the AppDirector.
The default console port settings are:
• Bits per Second: 19200
• Data Bits: 8
• Parity: None
• Stop Bits: 1
• Flow Control: None
1. Using the following Command line, assign management IP address 10.210.6.4
/ 16 to interface MNG-1 (Dedicated Management Interface) of the AppDirector:
net ip-interface create 10.210.6.4 255.255.0.0 MNG-1 -pa 10.210.6.3
2. Using a browser, connect to the management IP Address of the AppDirector
(10.210.6.4) via HTTP or HTTPS. The default username and password are
“radware” and “radware”.
Failure to establish a connection may be due to the following:
• Incorrect IP Address in the browser
• Incorrect IP Address or default route configuration in the AppDirector
• Failure to enable Web Based Management or Secure Web Based
Management in the AppDirector
• If the AppDirector can be successfully pinged, attempt to connect to it
via Telnet or SSH. If the ping or the Telnet/SSH connection is
unsuccessful, reconnect to the AppDirector via its console port.
3. On the IP Interface Parameters Create page, enter the necessary parameters
as shown below:
This will create the interfaces needed for the Office
Communications Server ecosystem.
4. Click the Set button to save parameters.
5. Repeat the steps 2 – 4 to create the next IP Interface, whose information is
defined as follows:
IP Address 192.168.2.1, Network Mask 255.255.255.0, If Number G-1, Peer
Address 192.168.2.2
6. Verify that the new entries were created on the IP Interface Parameters page:
Farm Configuration
1. From the menu, select AppDirector > Farms > Farm Table to display the
Farm Table page similar to the one shown below:
2. Click the Create button.
Note: The Farm Aging time is tuned to 20 minutes from the default value. This
ensures that state entries are not terminated before the client aging time.
4. Click the Set button to save parameters.
5. On Farm Table page Click the Create button to configure another Farm. Enter
the necessary parameters as shown below:
6. Click the Set button to save parameters.
8. Click the Set button to save parameters.
9. On Farm Table page Click the Create button to configure another Farm. Enter
the necessary parameters as shown below:
10. Click the Set button to save parameters.
12. Click the Set button to save parameters.
13. On Farm Table page Click the Create button to configure another Farm. Enter
the necessary parameters as shown below:
14. Click the Set button to save parameters.
Create Layer 4 Policy
1. From the menu, select AppDirector > Layer 4 Traffic Redirection > Layer 4
Policies to display the L4 Policies page similar to the one shown below:
2. Click the Create button.
3. On the L4 Policies Create page, enter the necessary parameters as shown
below.
4. Click the Set button to save the parameters.
6. Click the Set button to save the parameters.
7. On L4 Policies page Click the Create button to configure another Layer 4
Policy. Enter the necessary parameters as shown below:
9. On L4 Policies page Click the Create button to configure another Layer 4
Policy. Enter the necessary parameters as shown below:
10. Click the Set button to save the parameters.
12. Click the Set button to save the parameters.
13. On L4 Policies page Click the Create button to configure another Layer 4
Policy. Enter the necessary parameters as shown below:
14. Click the Set button to save the parameters.
15. Verify that the new entry was created on the L4 Policies page:
Extended Farms Settings
1. Click the Extended Farm Parameters URI at the top of the Farm Table page.
2. On the Extended Farm Parameters Table page, click on the Farm Name.
3. On the Extended Farm Parameters Update page, Select the parameters as
shown below:
Note: The Client NAT Address Range is set by the Client NAT Quick Setup; no
action is required on the Extended Farm Update page. It is circled here because
the Client NAT Address Range is not set by default.
Note: Close Session At Aging resets sessions that still exist after the
aging period. This ensures the clean-up of abandoned sessions, which could
otherwise inadvertently hold state on the servers.
4. Click the Set button to save parameters.
5. Repeat the steps 2 - 4 for the extended farms ocs.frontend.SIP.5060.farm,
ocs.frontend.HTTPS.conf.444.farm, ocs.frontend.HTTPS.443.farm,
ocs.frontend.MTLS.5061.farm and ocs.frontend.DCOM.135.farm to verify that
"Client NAT Address Range" is "192.168.1.201" and to enable "Close Session at
Aging". For the extended farm ocs.frontend.SIP.app.sharing.5065.farm, enable
"Close Session at Aging".
Adding Servers to the Farm
2. On the Server Table Create page, enter the necessary parameters as shown
below:
Note: The Client NAT field is enabled by the Client NAT Quick Setup; no action
is required at the Server Table Create page.
4. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
5. Click the Set button to save parameters.
6. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
7. Click the Set button to save parameters.
9. Click the Set button to save parameters.
10. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
11. Click the Set button to save parameters.
13. Click the Set button to save parameters.
14. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
15. Click the Set button to save parameters.
17. Click the Set button to save parameters.
18. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
19. Click the Set button to save parameters.
21. Click the Set button to save parameters.
22. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
23. Click the Set button to save parameters.
25. Click the Set button to save parameters.
26. Verify that the new entries were created on the Server Table page:
Enabling Client NAT
1. From the menu, select AppDirector > NAT > Client NAT > Client NAT
Quick Setup to display the Client NAT Quick Setup page similar to the one
shown below:
2. On the Client NAT Quick Setup page, enter the necessary parameters as
shown below:
3. Click the Set button to save parameters.
4. From the menu, select AppDirector > NAT > Client NAT > Intercept
Addresses to display the Client NAT Intercept Table page similar to the one
shown below:
7. Click the Set button to save parameters.
8. Create the next intercept range. On the Client NAT Intercept Table Create
page, enter the necessary parameters as shown below:
9. Click the Set button to save parameters.
10. Create the next intercept range. On the Client NAT Intercept Table Create
page, enter the necessary parameters as shown below:
11. Click the Set button to save parameters.
12. Create the next intercept range. On the Client NAT Intercept Table Create
page, enter the necessary parameters as shown below:
13. Click the Set button to save parameters.
14. Verify that the Intercept Addresses were created on the Client NAT Intercept
Table page:
Health Monitoring
1. From the menu, select Health Monitoring > Global Parameters to display
the Health Monitoring Global Parameters page.
2. On the Health Monitoring Global Parameters page, change the parameters
as shown below:
3. Click the Set button to save parameters.
Create the Health Monitoring Checks.
1. From the menu, select Health Monitoring > Check Table to display the
Health Monitoring Check Table page similar to the one shown below:
2. Click the Create button.
3. Create a set of health checks for the web servers. On the Health Monitoring
Check Table Create page, enter the necessary parameters as shown below:
4. Click the Set button to save parameters.
6. Click the Set button to save parameters.
7. Create the next health check. On the Health Monitoring Check Table Create
page, enter the necessary parameters as shown below:
8. Click the Set button to save parameters.
10. Click the Set button to save parameters.
11. Create the next health check. On the Health Monitoring Check Table Create
page, enter the necessary parameters as shown below:
12. Click the Set button to save parameters.
14. Click the Set button to save parameters.
15. Create the next health check. On the Health Monitoring Check Table Create
page, enter the necessary parameters as shown below:
16. Click the Set button to save parameters.
18. Click the Set button to save parameters.
19. Create the next health check. On the Health Monitoring Check Table Create
page, enter the necessary parameters as shown below:
20. Click the Set button to save parameters.
22. Click the Set button to save parameters.
Binding Health Checks to Servers
1. From the menu, select Health Monitoring > Binding Table to display the
Health Monitoring Binding Table page similar to the one shown below:
2. Click the Create button.
3. Create the health check binding for the web servers. On the Health
Monitoring Binding Table Create page, enter the necessary parameters as
shown below:
4. Click the Set button to save parameters.
5. Repeat the steps 2 - 5 to bind the rest of the server health checks. See the
table below.
| Check | Server/NHR/Report | Mandatory |
| --- | --- | --- |
6. Verify that the new entries were created on the Health Monitoring Binding
Table page:
This completes the Primary AppDirector policy configuration.
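The server-state logic that the Check Table and Binding Table above drive can be modelled in a few lines. The following Python is an added example and not Radware's code: it treats each Check Table entry as a TCP connect, combines the checks bound to a server using the assumed AppDirector rule that every Mandatory check and at least one non-mandatory check must pass, and stands in a constructed local listener for a Front End Server. The check names and addresses are constructed.

```python
from __future__ import annotations

import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    """One Health Monitoring Check Table entry: a TCP connect to a server port."""
    name: str
    port: int
    timeout: float = 2.0


@dataclass(frozen=True)
class Binding:
    """One Health Monitoring Binding Table row: Check / Server / Mandatory."""
    check: Check
    server: str
    mandatory: bool


def tcp_check(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP-port health check: the listener must complete the handshake within
    the timeout. It proves only that the port accepts connections, not that the
    SIP/MTLS (5061) or focus HTTPS (444) service behind it is working."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def server_status(results: dict[str, bool], bindings: list[Binding]) -> bool:
    """Combine the check results bound to one server. Assumed semantics: every
    Mandatory check must pass, and if non-mandatory checks are bound, at least
    one of them must pass. A server with no bindings is treated as up."""
    mandatory = [b for b in bindings if b.mandatory]
    optional = [b for b in bindings if not b.mandatory]
    if any(not results[b.check.name] for b in mandatory):
        return False
    if optional and not any(results[b.check.name] for b in optional):
        return False
    return True


def evaluate_pool(bindings: list[Binding]) -> dict[str, bool]:
    """Run every bound check and return {server: is_up}. A server reported down
    is one the load balancer would stop dispatching Layer 4 policy traffic to."""
    by_server: dict[str, list[Binding]] = {}
    for b in bindings:
        by_server.setdefault(b.server, []).append(b)
    status: dict[str, bool] = {}
    for server, bound in by_server.items():
        results = {b.check.name: tcp_check(server, b.check.port, b.check.timeout)
                   for b in bound}
        status[server] = server_status(results, bound)
    return status


def start_listener() -> tuple[socket.socket, int]:
    """Constructed stand-in for a Front End Server port (accepts and closes)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener closed: stop the thread
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Find a local port with no listener (constructed failure case)."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, up = start_listener()
    down = closed_port()
    # Constructed bindings: the SIP/MTLS listener is mandatory, the focus port is not.
    sip = Check("ocs.frontend.mtls.5061", up)
    focus = Check("ocs.frontend.https.conf.444", down)
    bindings = [Binding(sip, "127.0.0.1", True), Binding(focus, "127.0.0.1", False)]
    print(evaluate_pool(bindings))   # the only non-mandatory check fails: server down
    srv.close()
```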
Primary AppDirector VRRP Configuration
1. From the menu, select AppDirector > Redundancy > Global Configuration
and set the parameters as noted below:
2. Click the Set button to save these changes.
Primary Virtual Routers
1. From the menu, select AppDirector > Redundancy > VRRP > Virtual
Routers to display the Virtual Router Table page similar to the one shown below:
2. Click the Create button
3. On the Virtual Router Table page, enter the necessary parameters as shown
below.
4. Click the Set button to save the parameters.
5. Verify that the new entries were created on the Virtual Router Table page:
Primary Associated IP Addresses
1. From the menu, select AppDirector > Redundancy > VRRP > Associated
IP Addresses to display the Associated IP Addresses Create page similar to the
one shown below:
3. On the Associated IP Addresses Create page, enter the necessary
parameters as shown below:
4. Click the Set button to save the parameters
5. Repeat the steps 2-4 to create the associated IP Addresses for the Layer 4
policy virtual IP address and client NAT address. These definitions will ensure
proper ARP management by the backup device during failures.
Note: Additional IP addresses are defined as follows:
192.168.1.200 – All the EBS Front End Layer 4 policy VIPs reference this single IP
and run on different ports.
192.168.1.201 - Client NAT address used to ensure symmetric routing in a one
armed design.
6. Verify that the new entries are created on the Associated IP Addresses page:
7. Go to AppDirector > Redundancy > VRRP > Virtual Routers and on the
Virtual Router Table under VRIDs Up/Down select "All Up" and click on the
Set button to enable all Virtual Routers.
Primary Mirroring
1. Go to AppDirector > Redundancy > Mirroring > Active Device
Parameters and set the Client Table Mirroring status to enable:
2. Click the Set button to save the parameters.
3. From the menu, select AppDirector > Redundancy > Mirroring > Mirror
Device Parameters to display the Mirror Device Parameters page similar to
the one shown below:
5. On the Mirror Device Parameters page, enter the necessary parameters as
shown below:
Note: This sets the Backup AD target address used for mirror traffic.
6. Click the Set button to save the parameters.
This completes VRRP redundancy configuration on the Primary AppDirector.
Auto-Generate the Front-End Backup AppDirector Configuration
Once the Backup AppDirector is configured for basic IP connectivity and is
available to the network, simply export the Backup Configuration file from the
Primary AppDirector and upload it to the Backup AppDirector. The steps are
defined below.
Setting up basic IP connectivity on the Backup AppDirector
Using a serial cable and a terminal emulation program, connect to the AppDirector.
The default console port settings are:
• Bits per Second: 19200
• Data Bits: 8
• Parity: None
• Stop Bits: 1
• Flow Control: None
1. Using the following command line, assign management IP address 10.210.6.3/16 to interface MNG-1 (Dedicated Management Interface) of the AppDirector:
net ip-interface create 10.210.6.3 255.255.0.0 MNG-1 -pa 10.210.6.4
2. Using a browser, connect to the management IP address of the AppDirector (10.210.6.3), preferably via HTTPS.
Failure to establish a connection may be due to the following:
• Incorrect IP address in the browser
• Incorrect IP address or default route configuration in the AppDirector
• Web Based Management or Secure Web Based Management not enabled in the AppDirector
• If the AppDirector can be pinged, attempt to connect to it via SSH (or Telnet, which sends the login in clear text and belongs only on an isolated management network). If the ping or the SSH/Telnet connection is unsuccessful, reconnect to the AppDirector via its console port.
Auto Generating the Backup Configuration from the Primary AppDirector
1. From the web interface menu of the Primary AppDirector, select File > Configuration > Receive from Device to display the Download Configuration File page similar to the one shown below:
3. Click the Set button to launch the save-file window.
4. Click the SAVE button to save the file to a local directory.
Upload the Backup Configuration file to the device
1. From the web interface menu of the Backup AppDirector, select File
Note: Click the Browse button and navigate to the configuration file saved from the Primary AppDirector.
2. Click the Set button to upload the configuration.
This completes redundancy configuration on the Backup AppDirector.
Primary DMZ AppDirector Configuration
Using a serial cable and a terminal emulation program, connect to the AppDirector.
The default console port settings are:
• Bits per Second: 19200
• Data Bits: 8
• Parity: None
• Stop Bits: 1
• Flow Control: None
1. Using the following command line, assign management IP address 10.210.6.8/16 to interface MNG-1 (Dedicated Management Interface) of the AppDirector (the peer address is the management address of the Backup DMZ AppDirector):
net ip-interface create 10.210.6.8 255.255.0.0 MNG-1 -pa 10.210.6.7
2. Using a browser, connect to the management IP address of the AppDirector (10.210.6.8) via HTTPS (HTTP sends the login in clear text). The default username and password are “radware” and “radware”; change them before the device is reachable from anything other than the lab management network.
Failure to establish a connection may be due to the following:
• Incorrect IP address in the browser
• If the AppDirector can be pinged, attempt to connect to it via SSH (or Telnet, which sends the login in clear text and belongs only on an isolated management network). If the ping or the SSH/Telnet connection is unsuccessful, reconnect to the AppDirector via its console port.
IP Configuration
1. From the menu, select Router > IP Router > Interface Parameters to display the IP Interface Parameters page.
2. Click the Create button.
3. On the IP Interface Parameters Create page, enter the necessary parameters
as shown below:
This will create the interfaces needed for the Office Communications Server ecosystem.
4. Click the Set button to save parameters.
5. Repeat the steps 2 – 4 to create the next IP Interface, whose information is
defined as follows:
IP Address 11.1.11.10, Network Mask 255.255.255.0, If Number G-1, Peer
Address 11.1.11.11
Farm Configuration
1. From the menu, select AppDirector > Farms > Farm Table to display the Farm Table page similar to the one shown below:
2. Click the Create button.
3. On the Farm Table Create page, enter the necessary parameters as shown
below:
Note: Farm Aging time is tuned to 20 minutes from the default value. This ensures that state entries are not terminated before the client aging time.
4. Click the Set button to save parameters.
5. On Farm Table page Click the Create button to configure another Farm. Enter
the necessary parameters as shown below:
6. Click the Set button to save parameters.
7. On Farm Table page Click the Create button to configure another Farm. Enter
the necessary parameters as shown below:
8. Click the Set button to save parameters.
10. Click the Set button to save parameters.
11. On Farm Table page Click the Create button to configure another Farm. Enter
the necessary parameters as shown below:
12. Click the Set button to save parameters.
Create Layer 4 Policy
1. From the menu, select AppDirector > Layer 4 Traffic Redirection > Layer 4 Policies to display the L4 Policies page similar to the one shown below:
2. Click the Create button.
3. On the L4 Policies Create page, enter the necessary parameters as shown
below.
4. Click the Set button to save the parameters.
6. Click the Set button to save the parameters.
8. Click the Set button to save the parameters.
9. On L4 Policies page Click the Create button to configure another Layer 4
Policy. Enter the necessary parameters as shown below:
10. Click the Set button to save the parameters.
12. Click the Set button to save the parameters.
14. Click the Set button to save the parameters.
15. On L4 Policies page Click the Create button to configure another Layer 4
Policy. Enter the necessary parameters as shown below:
16. Click the Set button to save the parameters.
18. Click the Set button to save the parameters.
20. Click the Set button to save the parameters.
21. On L4 Policies page Click the Create button to configure another Layer 4
Policy. Enter the necessary parameters as shown below:
22. Click the Set button to save the parameters.
23. Verify that the new entry was created on the L4 Policies page:
Extended Farms Settings
2. On the Extended Farm Parameters Table page, click on the Farm Name
ocs.edge.HTTPS.SIP.443.farm.
3. On the Extended Farm Parameters Update page, Select the parameters as
shown below:
Note: The Client Nat Address Range gets set by the Client NAT Quick Setup; no
action is required at the Extended Farm Update page. It is circled here because
Client NAT Address Range is not set by default.
Note: Close Session At Aging resets sessions that still exist after the aging period. This cleans up abandoned sessions that would otherwise keep holding state on the servers.
4. Click the Set button to save parameters.
5. Repeat steps 2 - 4 for the extended farms ocs.edge.lm.443.farm, ocs.edge.meeting.443.farm and ocs.edge.av.443.farm: verify that the Client NAT Address Range is 11.1.10.210 and enable Close Session At Aging. For the extended farm ocs.edge.internal.443.farm, only enable Close Session At Aging.
Adding Servers to the Farm
2. On the Server Table Create page, enter the necessary parameters as shown
below:
Note: The Client NAT field is enabled by the Client NAT Quick Setup; no action
is required at the Server Table Create page.
3. Click the Set button to save parameters.
5. Click the Set button to save parameters.
6. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
7. Click the Set button to save parameters.
9. Click the Set button to save parameters.
10. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
11. Click the Set button to save parameters.
13. Click the Set button to save parameters.
14. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
15. Click the Set button to save parameters.
17. Click the Set button to save parameters.
18. On Server Table Create page Click the Create button to configure another
Server. Enter the necessary parameters as shown below:
19. Click the Set button to save parameters.
Enabling Client NAT
1. From the menu, select AppDirector > NAT > Client NAT > Client NAT Quick Setup to display the Client NAT Quick Setup page similar to the one shown.
2. On the Client NAT Quick Setup page, enter the necessary parameters as
shown below:
4. From the menu, select AppDirector > NAT > Client NAT > Intercept Address to display the Client NAT Intercept Table page similar to the one shown.
5. Click the Create button.
6. Create the intercept range. On the Client NAT Intercept Table Create page,
enter the necessary parameters as shown below:
7. Click the Set button to save parameters.
8. Create a second intercept range. On the Client NAT Intercept Table Create
page, enter the necessary parameters as shown below:
9. Click the Set button to save parameters.
10. Verify that the intercept addresses were created on the Client NAT Intercept Table page.
Note: The intercept ranges must cover every client source IP that will reach the Edge servers through the VIPs; only two IPs were configured here to test with the lab clients. The range can be widened to cover all IPs (see below). Because client NAT rewrites the source address, the Edge servers will log the NAT address (11.1.10.210) rather than the real client IP, so keep the AppDirector client table or its logs available if client attribution is needed for incident investigation.
Health Monitoring
1. From the menu, select Health Monitoring > Global Parameters to display the Health Monitoring Global Parameters page.
2. On the Health Monitoring Global Parameters page, change the parameters
as shown below:
Create the Health Monitoring Checks.
1. From the menu, select Health Monitoring > Check Table to display the Health Monitoring Check Table page similar to the one shown below:
2. Click the Create button.
3. Create a set of health checks for the web servers. On the Health Monitoring
Check Table Create page, enter the necessary parameters as shown below:
4. Click the Set button to save parameters.
6. Click the Set button to save parameters.
7. Create the next health check. On the Health Monitoring Check Table Create
page, enter the necessary parameters as shown below:
8. Click the Set button to save parameters.
10. Click the Set button to save parameters.
11. Create the next health check. On the Health Monitoring Check Table Create
page, enter the necessary parameters as shown below:
12. Click the Set button to save parameters.
14. Click the Set button to save parameters.
15. Create the next health check. On the Health Monitoring Check Table Create
page, enter the necessary parameters as shown below:
16. Click the Set button to save parameters.
18. Click the Set button to save parameters
19. Verify that the new entries were created on the Health Monitoring Check Table page.
Note: The status of a check may display “Unknown” until the server replies to its first probe.
Binding Health Checks to Servers
2. Click the Create button.
3. Create the health check binding for the web servers. On the Health
Monitoring Binding Table Create page, enter the necessary parameters as
shown below:
Note: Only the ocs.edge.HTTPS.internal.tcp.443.server.1 and ocs.edge.HTTPS.internal.tcp.443.server.2 checks are bound as Non-Mandatory; the rest are Mandatory.
4. Click the Set button to save parameters.
5. Repeat steps 2 - 4 to bind the rest of the server health checks, as listed in the table below.
Check | Server/NHR/Report | Mandatory
ocs.edge.HTTPS.SIP.tcp.443.server.2 | Farm ocs.edge.av.443.farm - 11.1.10.4 - 0 | Mandatory
ocs.edge.HTTPS.av.tcp.443.server.1 | Farm ocs.edge.HTTPS.SIP.443.farm - 11.1.10.1 - 0 | Mandatory
ocs.edge.HTTPS.av.tcp.443.server.1 | Farm ocs.edge.meeting.443.farm - 11.1.10.5 - 0 | Mandatory
ocs.edge.HTTPS.av.tcp.443.server.1 | Farm ocs.edge.av.443.farm - 11.1.10.3 - 0 | Mandatory
ocs.edge.HTTPS.av.tcp.443.server.2 | Farm ocs.edge.HTTPS.SIP.443.farm - 11.1.10.2 - 0 | Mandatory
ocs.edge.HTTPS.av.tcp.443.server.2 | Farm ocs.edge.meeting.443.farm - 11.1.10.6 - 0 | Mandatory
ocs.edge.HTTPS.av.tcp.443.server.2 | Farm ocs.edge.av.443.farm - 11.1.10.4 - 0 | Mandatory
6. Verify that the new entries were created on the Health Monitoring Binding Table page.
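The check and binding steps above configure "TCP Port" probes with an interval, retry count and timeout, and bind each one to a server as Mandatory or Non-Mandatory. The following Python is an added example written for this guide; it is not Radware code and does not reproduce the AppDirector's actual algorithm. It parses check definitions written in the format of the configuration file in Appendix 1 (the `-d`, `-p`, `-i`, `-r`, `-t` options), runs the probe against a constructed loopback listener, and applies two assumed rules that are labelled as such in the code: a check goes Down only after the first probe plus `retries` retries fail consecutively, and a server is Up only when every Mandatory check bound to it is Up.

```python
import shlex
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class TcpPortCheck:
    """One 'TCP Port' check with the fields the guide sets: destination (-d), port (-p),
    interval (-i), retries (-r), timeout (-t), plus the Mandatory flag from the binding."""
    name: str
    dest: str
    port: int
    interval: int = 3
    retries: int = 2
    timeout: int = 1
    mandatory: bool = True
    status: str = "Unknown"   # stays Unknown until the server answers a probe
    _failures: int = field(default=0, repr=False)

    def probe(self) -> bool:
        """One TCP handshake to dest:port bounded by the timeout; refused or timed out = failed."""
        try:
            with socket.create_connection((self.dest, self.port), timeout=self.timeout):
                return True
        except OSError:
            return False

    def record(self, ok: bool) -> str:
        """Assumed state machine (not Radware's documented one): any success marks the check
        Up; Down needs the first probe plus `retries` retries to fail in a row, so one lost
        SYN does not flap the server."""
        if ok:
            self._failures = 0
            self.status = "Up"
        else:
            self._failures += 1
            if self._failures > self.retries:
                self.status = "Down"
        return self.status


def parse_check_create(line: str, mandatory: bool = True) -> TcpPortCheck:
    """Parse a 'health-monitoring check create ...' line (Appendix 1 format) into a check."""
    tokens = shlex.split(line)
    if tokens[:3] != ["health-monitoring", "check", "create"]:
        raise ValueError("not a check create command: %r" % line)
    opts = dict(zip(tokens[4::2], tokens[5::2]))   # '-p 5063' -> {'-p': '5063'}
    if opts.get("-m") != "TCP Port":
        raise ValueError("only the 'TCP Port' method is modelled here")
    return TcpPortCheck(name=tokens[3], dest=opts["-d"], port=int(opts["-p"]),
                        interval=int(opts.get("-i", 3)), retries=int(opts.get("-r", 2)),
                        timeout=int(opts.get("-t", 1)), mandatory=mandatory)


def server_status(checks) -> str:
    """Assumed binding semantics: the server is Up only when every Mandatory check bound
    to it is Up; Non-Mandatory checks are reported but do not gate the server."""
    gating = [c for c in checks if c.mandatory]
    if not gating or any(c.status == "Unknown" for c in gating):
        return "Unknown"
    return "Up" if all(c.status == "Up" for c in gating) else "Down"


def start_listener():
    """Constructed stand-in for a listening OCS port on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                srv.accept()[0].close()
            except OSError:          # listener closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port() -> int:
    """A loopback port with nothing listening, to exercise the failure path."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_listener()
    # Appendix-format check lines; only port and destination point at the lab listener.
    up = parse_check_create('health-monitoring check create ocs.SIP.AV.tcp.5063.server.1 '
                            '-id 0 -m "TCP Port" -p %d -i 3 -r 2 -t 1 -d 127.0.0.1' % port)
    down = parse_check_create('health-monitoring check create ocs.HTTPS.conf.tcp.444.server.1 '
                              '-id 2 -m "TCP Port" -p %d -i 3 -r 2 -t 1 -d 127.0.0.1'
                              % unused_port(), mandatory=False)
    for _ in range(3):               # three rounds drive the closed port past its retries
        up.record(up.probe())
        down.record(down.probe())
    print(up.name, up.status, "|", down.name, down.status, "| server:", server_status([up, down]))
    srv.close()
```

Run stand-alone, the listener's check reaches Up on the first round, the closed port needs three consecutive failures (initial probe plus two retries) before it reads Down, and because that check is bound Non-Mandatory the server still reports Up. Flip `mandatory=True` on the second check to see the server go Down instead, which is the behaviour the binding table's Mandatory column selects.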
General Redundant Configuration Notes
For complete high-availability, Radware encourages implementing pairs of
AppDirector units in an Active / Backup configuration. If your implementation of
this architecture includes only a single AppDirector, then it is unnecessary to follow
the steps in this section.
Primary AppDirector VRRP Configuration
1. From the menu, select AppDirector > Redundancy > Global Configuration and set the parameters as noted below:
2. Click the Set button to save these changes.
Primary Virtual Routers
1. From the menu, select AppDirector > Redundancy > VRRP > Virtual Routers to display the Virtual Router Table page similar to the one shown below:
2. Click the Create button
3. On the Virtual Router Table page, enter the necessary parameters as shown
below.
4. Click the Set button to save the parameters.
6. Click the Set button to save the parameters.
7. Verify that the new entries were created on the Virtual Router Table page:
Primary Associated IP Addresses
1. From the menu, select AppDirector > Redundancy > VRRP > Associated IP Addresses to display the Associated IP Addresses Create page similar to the one shown below:
2. Click the Create button
3. On the Associated IP Addresses Create page, enter the necessary
parameters as shown below:
Note: Additional IP addresses are defined as follows:
11.1.11.200 – OCS Internal VIPs
11.1.10.201 – OCS Edge STUN VIP
11.1.10.202 – OCS Edge Meeting VIP
11.1.10.203 – OCS Edge Lm VIP
11.1.10.210 - Client NAT address used to ensure symmetric routing in a one-armed design.
6. Verify that the new entries are created on the Associated IP Addresses page:
7. Go to AppDirector > Redundancy > VRRP > Virtual Routers and on the Virtual Router Table, under VRIDs Up/Down, select “All Up” and click the Set button to enable all Virtual Routers.
Primary Mirroring
1. Go to AppDirector > Redundancy > Mirroring > Active Device Parameters and set the Client Table Mirroring status to enable:
2. Click the Set button to save the parameters.
3. From the menu, select AppDirector > Redundancy > Mirroring > Mirror Device Parameters to display the Mirror Device Parameters page similar to the one shown below:
5. On the Mirror Device Parameters page, enter the necessary parameters as shown below:
Note: This sets the Backup AD target address used for mirror traffic.
6. Click the Set button to save the parameters.
This completes VRRP redundancy configuration on the Primary AppDirector.
Auto-Generate the DMZ Backup AppDirector Configuration
Once the Backup AppDirector is configured for basic IP connectivity and is
available to the network, simply export the Backup Configuration file from the
Primary AppDirector and upload it to the Backup AppDirector. The steps are
defined below.
Setting up basic IP connectivity on the Backup AppDirector
Using a serial cable and a terminal emulation program, connect to the AppDirector.
The default console port settings are:
• Bits per Second: 19200
• Data Bits: 8
• Parity: None
• Stop Bits: 1
• Flow Control: None
1. Using the following command line, assign management IP address 10.210.6.7/16 to interface MNG-1 (Dedicated Management Interface) of the AppDirector:
net ip-interface create 10.210.6.7 255.255.0.0 MNG-1 -pa 10.210.6.8
2. Using a browser, connect to the management IP address of the AppDirector (10.210.6.7), preferably via HTTPS.
Failure to establish a connection may be due to the following:
• Incorrect IP address in the browser
• Incorrect IP address or default route configuration in the AppDirector
• Web Based Management or Secure Web Based Management not enabled in the AppDirector
• If the AppDirector can be pinged, attempt to connect to it via SSH (or Telnet, which sends the login in clear text and belongs only on an isolated management network). If the ping or the SSH/Telnet connection is unsuccessful, reconnect to the AppDirector via its console port.
Auto Generating the Backup Configuration from the Primary AppDirector
1. From the web interface menu of the Primary AppDirector, select File > Configuration > Receive from Device to display the Download Configuration File page similar to the one shown below:
3. Click the Set button to launch the save-file window.
4. Click the SAVE button to save the file to a local directory.
Upload the Backup Configuration file to the device
1. From the web interface menu of the Backup AppDirector, select File
Note: Click the Browse button and navigate to the configuration file saved from the Primary AppDirector.
2. Click the Set button to upload the configuration.
Appendix
Appendix 1 – Primary AppDirector Front-End Configuration File
Note: The file below enables SNMP v1 and v2c alongside v3 (the manage snmp versions-after-reset line). v1 and v2c authenticate only with clear-text community strings; restrict management to SNMPv3 and to the management network where the monitoring tooling allows.
!
!Device Configuration
!Date: 16-06-2009 01:21:23
!DeviceDescription: AppDirector with Cookie Persistency
!Base MAC Address: 00:03:b2:4d:0e:80
!Software Version: 2.10.00 (Build date Apr 7 2009, 22:33:12,Build#150)
!APSolute OS Version: 10.31-03.05(40):2.06.09
!
!
! The following commands will take effect only
! once the device has been rebooted!
!
system tune bridge-fft-table set 1024
system tune ip-fft-table set 100000
system tune arp-table set 1024
system tune client-table set 500000
system tune routing-table set 512
system tune url-table set 256
system tune request-table set 2000
system tune nat-address-table set 10
system tune nat-ports-table set 64511
system tune session-id-table set 16000
system tune l3-client-table-size set 20
system tune outbound-nat-address set 10
system tune outbound-nat-ports set 64511
system tune outbound-intrcpt-tbl set 10
system tune radius-attribute-table set 1
system tune segments set 15
system tune l4-policy-table set 512
system tune static-dns-persistency set 5
system tune dynamic-dns-persistency set 10
manage snmp versions-after-reset set "v1 & v2c & v3"
system tune session-pasv-protocols set 16
system tune session set 512
system tune session-resets set 100
!
! The following commands take effect immediately
! upon execution!
!
health-monitoring check create ocs.SIP.AV.tcp.5063.server.1 -id 0 -m "TCP Port" -p 5063 -i 3 -r 2 -t 1 -d 192.168.1.21
health-monitoring check create ocs.SIP.AV.tcp.5063.server.2 -id 1 -m "TCP Port" -p 5063 -i 3 -r 2 -t 1 -d 192.168.1.22
health-monitoring check create ocs.HTTPS.conf.tcp.444.server.1 -id 2 -m "TCP Port" -p 444 -i 3 -r 2 -t 1 -d 192.168.1.21
health-monitoring check create ocs.HTTPS.web.tcp.443.server.1 -id 4 -m "TCP Port" -p 443 -i 3 -r 2 -t 1 -d 192.168.1.21
health-monitoring check create ocs.HTTPS.web.tcp.443.server.2 -id 5 -m "TCP Port" -p 443 -i 3 -r 2 -t 1 -d 192.168.1.22
health-monitoring check create ocs.MTLS.tcp.5061.server.1 -id 6 -m "TCP Port" -p 5061 -i 3 -r 2 -t 1 -d 192.168.1.21
health-monitoring check create ocs.MTLS.tcp.5061.server.2 -id 7 -m "TCP Port" -p 5061 -i 3 -r 2 -t 1 -d 192.168.1.22
health-monitoring check create ocs.SIP.app.sharing.tcp.5065.server.1 -id 8 -m "TCP Port" -p 5065 -i 3 -r 2 -t 1 -d 192.168.1.21