
Maestro AFE CN-5500

User Guide
Software Version 7.1

Copyright 2008 by Crescendo Networks. All rights reserved worldwide. No part of this publication may be
reproduced, modified, transmitted, transcribed, stored in retrieval system, or translated into any human or
computer language, in any form or by any means, electronic, mechanical, magnetic, chemical, manual, or
otherwise, without the express written permission of Crescendo Networks, 6 Yoni Netanyahu Street, Or-
Yehuda 60376, Israel.
Crescendo Networks provides this documentation without warranty in any form, either expressed or
implied.
Crescendo Networks may revise this document at any time without notice.
This document may contain proprietary information and shall be respected as a proprietary document with
permission for review and usage given only to the rightful owner of the equipment to which this document
is associated.
This document was designed, produced and published by Technical Publications, Crescendo Networks.
Produced in U.S.A.
January 22, 2008

Visit Crescendo Networks website at: http://www.crescendonetworks.com
The FCC and cTUVus Wants You to Know
This equipment has been tested and found to comply with the limits for a Class A digital device,
pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial environment.
This equipment generates, uses, and can radiate radio frequency energy and, if not installed and
used in accordance with the instructions, may cause harmful interference to radio
communications.
Operation of this equipment in a residential area is likely to cause harmful interference, in which
case the user will be required to correct the interference at his/her expense.
Use of controls or adjustments, or performance of procedures other than those specified herein, may result in
hazardous radiation exposure.
CLASS 1 LASER PRODUCT: internal lasers comply with IEC 60825-1:1993 + A1:1997 + A2:2001 and EN
60825-1:1994 + A1:1996 + A2:2001.
Equipment may operate in a maximum ambient temperature of 40°C.
FCC Warning
Modifications not expressly approved by the manufacturer could void the user's authority to operate the
equipment under FCC Rules.

Table of Contents
Chapter 1. Introduction to the Maestro AFE Platform
Overview of the Maestro AFE
Hardware Technology
Hardware Platforms
TCP Offload & Delivery Optimization
Connection Management Algorithms
Request Processing Algorithms
Response Optimization
Load Balancing
Compression
SSL Acceleration
Deployment Options
Physical Configuration
Single Server Acceleration Virtual Server Mode
Single Server Acceleration Spoofed Server Mode
Load Balanced Server Acceleration
VRRPc Redundancy
Installation and Configuration Guidelines
Deployment Environment Preparation
Installation and Configuration

Chapter 2. Maestro AFE Installation
Introduction
Maestro AFE Kit General Specifications
Maestro AFE Installation Kit Detailed Items List
Installing the Maestro AFE Hardware
Installing the Maestro AFE in the Rack
Inserting the SFP Gigabit Ethernet Modules and Connecting the Cables
Device LED Status Definitions
Device Status LEDs
Interface LEDs for CN-5500E

Chapter 3. Introduction to the Command Line Interface
Accessing the CLI
Serial Console Settings
Conventions Used in this Guide
CLI Prompt Structure
CLI Navigation
Case Sensitivity
Basic Navigation
Online Help
Configurable CLI Parameters
Using the show Command
Using the no Command

Chapter 4. Introduction to the Graphical User Interface
Graphical User Interface (GUI) Overview
Preparations Installing Sun Java
Logging in to the GUI
Navigating the GUI
Summary
Monitoring
History
Configuration
Events

Chapter 5. Initial Configuration & Global Settings
Before Proceeding
Conventions Used in this Guide
Initial Configuration
Initiating the Auto Configuration Dialog (ACD)
Initial Configuration Summary
Outbound Traffic Rate Shaping
Global Configuration Commands
Showing Configuration Information from the CLI
Using the no command from the CLI
Device Name
Calendar and Time Settings
Telnet and Secure Shell (SSH) Management Configuration
SNMP Management Configuration
HTTP Management Configuration
Auto Configuration Dialog (A.C.D.)
Global History Service
Proxy Signature (HTTP Header Settings)
Interface Commands
Configuring the Management Ethernet Interface
Configuring the Management Serial Interface
Configuring Gigabit-Ethernet Interfaces
Configuring Interface Speed/Duplex Settings for the CN-5500E
VLAN Support
Link Aggregation
Networking Commands
Routing
Disable Routing of Non-accelerated Traffic between Interfaces
Client-side TCP Commands
Client-side TCP Windows
Client-side TCP Inactivity Timers
Client-side MSS
FastTCP
Server-side TCP Commands
Server-side TCP Windows
Security
User Configuration
Access Lists for the Management Ethernet Interface
System Commands
Configuration File Management
Loading Additional Configuration Files to a Running Config
File Transfer/Management
File Commands
Software and Operating System Upgrade and Version Control
Logging Commands
Logging

Chapter 6. Server Preparation and Logging Considerations
Server Preparation
HTTP Server Configuration Requirements
TCP Server Configuration Requirements
Server Logging Considerations (Original Client IP)
Originator (Client) IP Address
Server Log Configuration

Chapter 7. Server Topology Farms/Clusters/Real Servers
Before Proceeding
Configuration Overview
Topology Farms, Clusters, and Real Servers
Virtual Servers
Load Balancing Concepts - HTTP Application Load Balancing and Acceleration vs. TCP (Layer4) Load Balancing
Health Monitoring
Server Topology Configuration
Backend Connections (For HTTP Clusters)
Dynamic File Extensions
Acceleration of Authenticated HTTP Sessions
Farm Configuration
Configuration Steps
Cluster Configuration (Load Balancing, Health Checking, Persistence)
Cluster Configuration
Load Balancing Configuration
Persistency
Health Check Configuration
Server Inactivity Check
Real Servers
Configuring a Real Server

Chapter 8. Virtual Servers, URL Rewriting, and L7 Switching / Redirection
Before Proceeding
Virtual Servers
Configuring Virtual Servers
URL Rewriting
URL Rewrite Rules
Configuring URL Rewrite Rules
L7 Switching & Redirection (HTTP Virtual Servers)
L7 Switching Criteria
L7 Switching Criteria Options
L7 Switching Actions
L7 Switching Rule Priorities
L7 Switching Example Configuration
Configuring L7 Switching Rules
HTTP Redirection Rules
HTTP Redirection Configuration Criteria
Configuring HTTP Redirection Rules

Chapter 9. Compression
Before Proceeding
Compression Module Overview
Compression Profile Configuration
Sample mime-types
Configuring Compression
Global Configuration (Browser/File Exceptions)
Configuring Browser/File Exceptions

Chapter 10. SSL Acceleration
Before Proceeding
Overview of the SSL Acceleration Module
Configuration Preparation
SSL Acceleration Configuration Outline
Server Configuration
Preparation
Configuring a Virtual Server
Configure Real or Virtual Server
Importing or Creating a Private Key
Importing or Creating a Private Key
Importing or Creating a Certificate
Importing or Creating a Certificate
Cipher Profile
Creating a Cipher Profile
Configuring an SSL Server Profile (Client-side SSL)
SSL Server Profile Configuration Outline
Configuring an SSL Client Profile (Server-side SSL)
SSL Client Profile Configuration Outline
Converting Keys, Certificates, and Chained Certificates
OpenSSL
Keys
Certificate
Converting Certificates and Keys Exported from Microsoft IIS
Chained Certificates

Chapter 11. VRRPc Redundancy
Before Proceeding
VRRPc Overview
VRRPc in Hot-Standby Mode
VRRPc Hot-Standby Configuration Guidelines
VRRPc in Load-Sharing Mode (Active/Active)
VRRPc Load-Sharing Configuration Guidelines

Chapter 12. Monitoring the Maestro AFE
Overview
Viewing the Maestro AFE Summary Feature
Overview of the Summary Window
Monitoring the Maestro AFE via the CLI
Monitoring the Maestro AFE via the CLI
Monitoring the Maestro AFE via the GUI
Monitoring the Server
Monitoring Servers or Groups of Servers via the CLI
Monitoring the Server via the GUI
Monitoring Attacks and Abnormal Network Behavior
Configuring Attack Monitors

Chapter 13. Using the Maestro AFE History Feature
Overview of the Maestro AFE History Feature
Selecting and Viewing Maestro AFE History Graphs
Available Historical Variables

Chapter 14. Troubleshooting
Common Issues and Solutions
Recovering a Lost Password


Chapter 1. Introduction to the Maestro AFE Platform
Chapter 1 provides an introduction to the Maestro AFE, including a feature overview and
implementation examples. Additionally, the Installation and Configuration Guidelines section
on page 9 of this chapter provides a configuration framework that can be
referenced at any stage of configuration.
Overview of the Maestro AFE.
Hardware Technology.
Hardware Platforms.
TCP Offload & Delivery Optimization.
Load Balancing.
Compression.
SSL Acceleration.
Deployment Options.
VRRPc Redundancy.
Installation and Configuration Guidelines.
Overview of the Maestro AFE
The Maestro AFE (Maestro Platform) provides a high-performance, scalable, rack-mounted
solution designed specifically for demanding application environments. It
incorporates groundbreaking hardware and software technology that increases the
performance of HTTP/HTTPS-based applications and ensures consistently fast response
times regardless of traffic or load demands. The Maestro AFE incorporates several critical
technologies to provide best-of-breed performance, including TCP offload and delivery
optimization, hardware-based compression, SSL acceleration, and load balancing.
Hardware Technology
The Maestro AFE utilizes Crescendo Networks' proprietary hardware architecture.
Designed to specifically address the requirements of application acceleration and
infrastructure scalability, the Maestro Application Delivery Platform provides superior
server acceleration and resource optimization. The FreeFlow architecture, utilizing
Network Processors (NP) and Field Programmable Gate Arrays (FPGA), incorporates over
80 micro-engines, each explicitly tasked with various application-specific processes. The
implementation of task-specific hardware enables the Maestro AFE to utilize all
functionality simultaneously without suffering any performance degradation. This concept
of Feature Concurrency allows the Maestro AFE to operate at maximum capacity,
regardless of the features or configuration being used. Crescendo Networks' hardware
demonstrates a unique and powerful approach to application acceleration.
Hardware Platforms
Four models of the Maestro AFE are available on the following platforms:
CN-5504E, CN-5504D, CN-5510E and CN-5510D.

2 RU Height*.

4 or 10 SFP GbE interfaces (10/100/1000/Auto Configurable Ethernet)*.

1 Fast Ethernet Management Interface.

1 RS-232 Serial/Console Interface.

Redundant Power Supply Capability* (available for CN-5504D and 5510D).

Enhanced Interface LED Display*.
* Denotes differences between the Maestro AFE series.
TCP Offload & Delivery Optimization
The Maestro AFE is deployed as an Application Front End (AFE), meaning all application
requests and responses are transmitted directly between the Maestro AFE and the servers.
For example, a client connection will be sent to, or intercepted by, the Maestro AFE. The
Maestro AFE establishes the TCP connection with the client and receives the application
request. Since the Maestro AFE maintains several persistent connections directly to each
accelerated server, it is able to quickly submit the client's application request, receive the
response, and forward it to the client.
Short Lived Transaction (SLT) technology is the core of the Maestro AFE. Using SLT, the
Maestro AFE intelligently manages how requests are sent to servers and how responses are
then transmitted to clients. SLT utilizes three main components:
Connection Management Algorithms
Server-side sessions are managed through a set of advanced algorithms that provide an
optimal approach to Connection Consolidation. These algorithms are dependent on a
number of factors that include the type of request (dynamic content vs. static content),
client-side TCP connection performance, and an inherent knowledge of what connection
profiles are best suited for the various web server operating systems.
Request Processing Algorithms
As a session terminating intermediary, the Maestro AFE is responsible for terminating
client connections, processing the requests that these connections carry, and then delivering
them to the server over existing server-side connections. SLT optimizes this process by
using two unique phases for handling and delivering the requests to the server:
The device waits until the entire request has arrived from the client before it decides to
deliver it to the server. This is incredibly beneficial in situations where long client
requests are arriving over slow or problematic TCP connections. If the server were
exposed to the weaknesses of these client-side TCP conditions, valuable resources
would be tied up while it waited for the arrival of the complete request. By waiting
for the entire request to arrive and then delivering it in whole to the server, SLT
shields the server from client-side TCP conditions and allows it to minimize its
processing time for each request.
Normally, a device performing Connection Consolidation would need to fully buffer
an object en route from the server to the client before starting to transmit it to the client.
However, at high capacity, this would require massive amounts of memory, which
would make the solution either not very scalable or not very cost effective. SLT
addresses this issue by using partial requests on the server side, causing the server to
break up large objects into smaller ones. This is coupled with proper memory
management allowing high performance consolidation to occur with a reasonable
amount of memory, making the Maestro AFE both scalable and economical. This is
completely transparent to the client who never knows or needs to worry about the way
in which objects are fetched from the server by the Maestro AFE.
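The first phase described above (hold the request until it has arrived in full, then hand it to the server in one piece) can be modelled in a few lines. This is an added illustration, not Crescendo Networks code: the RequestBuffer class, the 8192-byte header cap and the sample request are assumptions of the example, and only Content-Length bodies are handled.

```python
"""Model of full-request buffering by a session-terminating intermediary."""

MAX_HEADER_BYTES = 8192  # assumed cap; the guide does not state one

# Constructed sample request with an 11-byte body.
SAMPLE = (b"POST /login HTTP/1.1\r\n"
          b"Host: app.example.test\r\n"
          b"Content-Length: 11\r\n"
          b"\r\n"
          b"hello world")


def content_length(head: bytes) -> int:
    """Return the body length declared in a header block (0 if none)."""
    seen = set()
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == b"transfer-encoding":
            raise ValueError("chunked bodies are outside this example")
        if name == b"content-length":
            value = value.strip()
            if not value.isdigit():
                raise ValueError("malformed Content-Length")
            seen.add(int(value))
    if len(seen) > 1:
        # Disagreeing lengths make the request boundary ambiguous: refuse it.
        raise ValueError("conflicting Content-Length headers")
    return seen.pop() if seen else 0


class RequestBuffer:
    """Collects client bytes and releases a request only once it is complete."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data: bytes) -> list:
        """Add client bytes; return the requests now ready for the server."""
        self._buf.extend(data)
        ready = []
        while (request := self._take_one()) is not None:
            ready.append(request)
        return ready

    def _take_one(self):
        end = self._buf.find(b"\r\n\r\n")
        if end < 0:
            # Headers still arriving: keep waiting, but never without bound.
            if len(self._buf) > MAX_HEADER_BYTES:
                raise ValueError("header block too large")
            return None
        total = end + 4 + content_length(bytes(self._buf[:end]))
        if len(self._buf) < total:
            return None                           # body still arriving
        request = bytes(self._buf[:total])
        del self._buf[:total]
        return request


def simulate_slow_client(raw: bytes, chunk_size: int):
    """Trickle raw to the buffer; return (feeds, [(feed_no, request), ...])."""
    buf = RequestBuffer()
    feeds, forwarded = 0, []
    for offset in range(0, len(raw), chunk_size):
        feeds += 1
        for request in buf.feed(raw[offset:offset + chunk_size]):
            forwarded.append((feeds, request))
    return feeds, forwarded


if __name__ == "__main__":
    feeds, forwarded = simulate_slow_client(SAMPLE, 1)
    print(f"client segments: {feeds}, requests sent to server: {len(forwarded)}")
    print(f"server first saw data at segment {forwarded[0][0]}")
```

With the client sending one byte per segment, the server-side connection is touched exactly once, at the final segment, which is the shielding effect the paragraph describes.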
Response Optimization
One of the main objectives of SLT is to shield the server from weaknesses imposed by
client connections that are subjected to WAN environments. These client connections
experience packet loss, delay, and congestion, all of which would impact the server
through increased CPU and memory utilization if it were exposed to them. By completely
shielding the server from these issues, SLT allows the Maestro AFE to communicate with
the servers in a highly optimized environment. The server is already dealing with fewer
connections; and since those connections are managed by the Maestro AFE, the server can
transmit its responses to the network at maximum throughput. Client requests are served
as optimally as possible, allowing the server to quickly move on to the next request to be
processed.
Load Balancing
The Maestro AFE provides a comprehensive load balancing feature set that allows it to
efficiently distribute user requests across clusters of identical servers. Additionally, since
the Maestro AFE is in control of the actual request flow to the servers, it can direct traffic to
them based on real-time request load as well as other L7 switching criteria (URL, file name,
hostname, browser language, etc.).
All HTTP (L7) load-balancing functionality is fully and seamlessly integrated with all other
optimization services provided by the highly scalable, multi-gigabit Maestro AFE platform.
Additionally, because of its unique and powerful task-specific hardware architecture, all
services can operate concurrently without any degradation in device performance.
The Maestro AFE also incorporates traditional Layer 4 Load Balancing for providing load
balancing for non-HTTP TCP-based protocols.
A load balancing license must be configured on the Maestro AFE to enable this feature.
Please contact your Crescendo Networks Reseller or Sales Associate for assistance with
enabling this feature.
Compression
Incorporating the hardware-based Compression module further enhances server
acceleration and resource optimization. The compression module, using industry standard
and broadly supported compression methods (the gzip and deflate algorithms), enables a
dramatic reduction in outbound bandwidth usage, while also significantly reducing
end-user response times.
SSL Acceleration
The hardware-based SSL Acceleration module offloads a significant share of processing
from the servers while allowing secure applications to easily scale beyond what
normal server platforms can provide. Because the Maestro AFE relieves the servers from
handling these tasks, the servers can redirect their full resources to provide up to 10 times
more processing performance.
Deployment Options
The Maestro AFE is a scalable, non-intrusive solution that is easy to integrate. The
Maestro AFE provides flexible physical and logical configuration options to ensure
seamless integration in different environments.
The Maestro AFE can be configured to accelerate individual servers, in which each server is
seen as a separate entity, or in a load balanced cluster, in which a group of identical servers
is represented as a single Virtual Server (Virtual IP) to the outside world. Regardless of
whether load balancing is used, all methods of server acceleration including TCP Offload,
Compression, and SSL Acceleration can be used. This section describes the two options
available for single server acceleration: virtual server and spoofed server modes.
Physical Configuration
The Maestro AFE is available in 4 Gbic (CN-5504), and 10 Gbic (CN-5510) Gigabit Ethernet
interface configurations. The Maestro AFE supports several physical configuration options
enabling deployment in virtually any environment.
Configuration options include:
One-leg single interface deployment.
Routed multiple interface deployment.
VLAN tagged implementation utilizing 802.1q tagging on one or more physical
interfaces.
The flexibility of the Maestro AFE enables the deployment methods described to be used in
combination with one another.
Single Server Acceleration - Virtual Server Mode
In Virtual Server mode, a Virtual Server IP address and TCP port is configured on the
Maestro AFE and is then mapped to a single real server IP and port. Client traffic is
destined to the Virtual Server on the Maestro AFE, which communicates with the real
server directly. Traffic previously destined to the real server is directed to the Virtual
Server Address on the Maestro AFE instead. The following diagrams present examples of
Virtual mode configured in either one or two interface configurations.

Figure 1: Virtual Server One Interface

Figure 2: Virtual Server Two Interfaces
Single Server Acceleration - Spoofed Server Mode
In Spoofed server mode, the Maestro AFE will be deployed as a router between client
traffic and the real server. The real server IP address and port is configured in the Maestro
AFE as a spoofed address and port. Traffic destined to this address will be intercepted
by the Maestro AFE, which communicates with the real server directly. All other traffic is
routed normally.

Figure 3: Spoofed Server Two Interfaces
Load Balanced Server Acceleration
When using Load Balancing, a cluster of identically configured servers will be configured
with a single Virtual Server IP address.

Figure 4: Load Balancing One Interface

Figure 5: Load Balancing Two Interfaces
VRRPc Redundancy
VRRPc is Crescendo Networks' proprietary redundancy protocol for Application Front
End devices. VRRPc can be implemented in one of two ways: hot/standby or load-sharing
(i.e. active/active). Implemented in a similar fashion to VRRP (using virtual MAC and IP
addresses), VRRPc extends the capabilities of traditional VRRP by enabling more
intelligent redundancy decisions. VRRPc tests more than the simple network availability
between two redundant devices that VRRP tests. Failover decisions are based on
upstream network device availability as well as application server health and connectivity.
Installation and Configuration Guidelines
The following section provides a basic configuration outline as well as chapter references
associated with each specific concept. Required configuration information will be
reviewed at the beginning of each chapter.
Deployment Environment Preparation
The following questions should be addressed before proceeding with the installation of the
Maestro AFE.
Physical Network Topology
What type of configuration topology will be used? Determine the number of physical
interfaces desired.
Using a single interface configuration provides the flexibility of installing the Maestro
AFE without making any additional network changes.
Using a two interface configuration requires the Maestro AFE to act as a router,
meaning servers, routers, and other devices may require additional configuration
(static or default routes, etc.).
Will single server acceleration or load balancing be used? If using single server, which
method will be configured: virtual or spoofed?
A two-interface configuration is recommended when using spoofed mode.
IP Address Requirements
Prepare IP addresses and route information. The following is a list of basic IP address
requirements:
The Management Ethernet interface will require an IP address.
Each data interface of the Maestro AFE will require an IP address.
Each Virtual Server will require an IP address (unless using a spoofed server, in which
case an additional IP is not necessary).
VRRPc requires a separate IP address which will be shared between the redundantly
deployed units.
SSL Considerations
If configuring SSL Acceleration, the following information is required:
Private Key and Certificate in PEM format.
  Most keys/certificates can be exported from existing servers and then imported
  into the Maestro AFE.
  Additionally, the certificate must have the text prepend before the BEGIN
  CERTIFICATE statement.
If keys/certificates do not exist yet, a Certificate Request will have to be created and
submitted to a Certificate Authority, which will then issue the appropriate certificate
for import into the Maestro AFE.
Installation and Configuration
Physical Installation
Unpack and securely install unit.
Plug in required Gbic(s) and attach Maestro AFE to local switch(es).
Attach the provided serial cable to a workstation running terminal emulation software (for
example, Microsoft HyperTerminal or TeraTerm). Default serial configuration is as
follows:
  Baud: 115,200
  Data: 8 bit
  Parity: none
  Stop: 1 bit
  Flow Control: none
Refer to Chapter 2. Maestro AFE Installation for specific information regarding unpacking
and mounting instructions.
Initial Boot Configuration
Power on Maestro AFE.
During the initial boot process, the Maestro AFE will detect the existence of a startup
configuration file. If one does not exist, a menu is displayed prompting the user to
enter one of several configuration modes. It is recommended that the Automatic
Configuration Dialog (ACD) be used. (Use option 2 to enter the ACD.) The
following information should be configured:
  Configure device name.
  Create admin username and password.
  Configure IP address and default route for Management Ethernet Interface.
  Configure IP address and default route for Gigabit Ethernet Interfaces.
  Configuring Accelerated services at this point is optional, but is covered in later
  chapters to provide a more detailed explanation.
  Save configuration. After finishing the ACD, the new configuration is presented
  for verification along with a menu. Choose option 2 to save and load the new
  configuration.
Refer to Chapter 5. Initial Configuration & Global Settings for additional details regarding the
ACD and other basic device configuration.
Log in to Maestro AFE
Log in with the newly configured admin account.
Refer to Chapter 3. Introduction to the Command Line Interface or Chapter 4. Introduction to the
Graphical User Interface for specific information regarding log in procedures and options.
Additional Basic Configuration Options
Once logged into the device, additional options can be configured.
Additional IP addresses and/or routes.
Management Access Control Lists.
Logging Options.
HTTP Header Options.
Refer to Chapter 5. Initial Configuration & Global Settings for additional configuration details
and options.
Acceleration Topology Configuration
Create Farm(s).
Create Cluster(s).
  Clusters are created inside of a farm.
Configure Real Server(s).
  One server per cluster for single server acceleration.
  The load balancing license is required to add more than one server to a cluster.
Create Virtual Server.
  If deploying in spoofed mode, the Virtual Server IP will be the same as the real
  server. Otherwise, the Virtual Server IP should be a new, unused IP address.
  Map Virtual Server to a Cluster.
Refer to Chapter 7. Server Topology Farms/Clusters/Real Servers for additional information.
Compression Configuration
Create Compression Profile.
Define content-type to be compressed within Compression Profile.
Enable Compression Profile per Cluster.
Refer to Chapter 9. Compression, for additional configuration details.
SSL Configuration
Import or create private key.
Import or create Certificate/Request.
Create SSL Server Profile.
  Profile should include previously created/imported key and certificate.
Enable SSL Profile per Cluster or Virtual Server.
Refer to Chapter 10. SSL Acceleration for additional configuration details.
VRRPc Redundancy Configuration
Install two Maestro AFE units.
Configure VRRPc Interface IP addresses.
Configure VRRPc groups and enable feature.
Refer to Chapter 11. VRRPc Redundancy for additional configuration details.

2
Maestro AFE Installation
Chapter 2 describes the hardware installation process for the Maestro AFE.
Introduction.
Maestro AFE Kit General Specifications.
Installing the Maestro AFE Hardware.
Device LED Status Definitions
Introduction
This chapter provides the essential information required to unpack and mount the Maestro
AFE.
The CN-5500E is a 2U rack mounted device. The Maestro AFE is offered in 2, 4, 8, or 10
SFP GbE interface configurations. Gbic interfaces enable the use of either Copper or Fiber
Gigabit Ethernet connectivity based on the module(s) installed.
The Maestro AFE comes with two management interfaces:
RS-232/RJ45 Console port.
100BT/RJ45 Out of Band Ethernet Interface.
Maestro AFE Kit General Specifications
The Maestro AFE kit provides you with the following items:
Maestro AFE unit.
SFP (Gbic) Gigabit Ethernet modules (Fiber or Copper).
Documentation provided on CD.
Serial Cables.
Brackets and screws.
Power Cable(s) - Units sold in U.S.A. only.
Do not drop. Handle the Maestro AFE unit with care.
Maestro AFE Installation Kit Detailed Items List
The Maestro AFE kit that you purchased should include the following equipment:
SFP (Gbic) Gigabit Ethernet modules - Comes according to the number and type you
order.
Installation guide - Available on CD.
Cables:
  1.5 meter power cable - According to the relevant standard of your country.
  2 meter, RS-232 to RJ-45 Serial console cable.
Brackets and screws:
  Rack mount brackets.
  Screws (+1 spare) for the Maestro AFE brackets.
Installing the Maestro AFE Hardware
Unpack the Maestro AFE unit from its protective cardboard box (packed with Styrofoam
inserts). The next step requires that you prepare it for installation in the rack.
The Maestro AFE unit is an electrical device; handle it carefully and do not plug in the power cord
until after it is installed in the rack.
Installing the Maestro AFE in the Rack
To install the Maestro AFE
1. Install the rack mount brackets included in the installation kit to the front of the
Maestro AFE. Be sure to use the black screws that accompany the brackets, as they are
longer than the screws removed from the Maestro AFE.
2. Tighten screws to ensure the brackets are securely connected to the front sides of the
Maestro AFE.
3. Slide the Maestro AFE into an available rack.
4. Secure the Maestro AFE to the rack with the screws provided by the rack manufacturer
as illustrated in Figure 6 below.

Figure 6: Mounting Brackets
Inserting the SFP Gigabit Ethernet Modules and Connecting the Cables
After you mount the Maestro AFE in the rack, the next step requires you to insert the
Gigabit Ethernet modules into the ports and connect the cables.
Inserting the SFP Gigabit Ethernet module into the Ports
Insert the module (optical or copper) into the ports on the front panel of the Maestro
AFE (Figure 7).

Figure 7: SFP (Gbic) Interfaces
Connecting Cables
For the initial setup, you are required to attach the following cables to the Maestro AFE:
Serial Console cable - See Maestro AFE Installation Kit Detailed Items List on page 15 for a
description.
Management Ethernet cable - See Maestro AFE Installation Kit Detailed Items List on
page 15 for a description.
Power cable - Standard 110 (US) or 220 (Europe/Asia) cable according to your location.
Gigabit Ethernet cables - Standard optical or copper cables.
To connect the cables
1. Connect the serial console cable into the Maestro AFE console port and to the console
(see Figure 8).

Figure 8: Front Panel
2. Connect the Management cable into the Maestro AFE Ethernet port and to the
management network (see Figure 8).
3. Connect the power cable. The unit powers on immediately when the cable is
plugged in.
Device LED Status Definitions
The Maestro AFE has three operational status LEDs located on the right front panel as well
as a single LED for each physical interface. The blinking activity and related status of each
LED is defined in this section.
Device Status LEDs
Power.
  On - Power is on.
System.
  Off - Normal state.
  On - Problem with FLASH memory, user intervention required.
Status.
  Blinking - System is operational; ready for use.
  Fast Blinking - Error; not operational.
Interface LEDs for CN-5500E
The CN-5500E incorporates LEDs to represent interface activity in addition to the basic link
notification.
Link LED
On - Interface has link.
Off - Interface has no link.
Activity LED
Blinks depending on link activity level.

3
Introduction to the Command Line Interface
Chapter 3 describes the Maestro AFE CLI command set. This chapter provides the basic
information needed to access, navigate, and use the CLI as a powerful means of
configuration.
Accessing the CLI.
Conventions used in this Guide.
CLI Prompt Structure.
CLI Navigation.
Configurable CLI Parameters.
Using the show Command.
Using the no Command.
Accessing the CLI
Connection - The CLI can be accessed via the Serial interface (RS-232) and Ethernet
Management interface using SSH or Telnet.
Number of connections - The Maestro AFE supports up to 5 concurrent remote
management connections via SSH or Telnet.
Authentication - Each connection requires a username and password. Each user is
given privileges according to the user level (user, admin, or tech). In general, an
admin or tech user level is required to perform configuration operations. All users
can view the current configuration and the system status.
Serial Console Settings
Use the serial port in conjunction with the provided serial cable to open a console
session using a Terminal Emulation program (for example, Microsoft HyperTerminal,
TeraTerm, etc.).
Set up the serial port as follows:
  Bits per second: 115,200.
  Data bits: 8.
  Parity: None.
  Stop bits: 1.
  Flow control: None.
Conventions Used in this Guide
This User Guide presents instructions for configuring the Maestro AFE. All configuration
variables are available through the CLI while a majority of them are also available in the
GUI. When discussing configuration concepts, the CLI version of a command will be
demonstrated first, followed by a GUI example if applicable.
The CLI conventions used for this user guide are as follows:
Table 1: CLI Conventions
Convention    Description
Italicized    Indicates user input command elements like specifying a name or IP address.
?             Enter a question mark at any point to get help.
|             Indicates a delimiter between options.
{Braces}      Commands enclosed in braces indicate mandatory command elements.
[Brackets]    Commands enclosed in brackets indicate optional settings.
CLI Prompt Structure
CLI navigation is composed of a prompt level based hierarchy. Each level contains specific
commands relevant to that level. For example, at the interface level the user enters an
interface name and can configure all the relevant parameters for that interface (i.e. IP
address, VLAN information, etc.).
The CLI command set consists of all the available CLI commands required to configure and
monitor the Maestro AFE. The command structure is based on the following prompt
levels:

Figure 9: Prompt Levels
The prompt represents the current prompt level a user is in. The prompt level is stated for
each command explained throughout this User Guide.
Examples:
In Root level, the prompt is (crescendo>).
In System level, the prompt is (system>).
In Configuration level, the prompt is (config>).
In Configuration Interface level, the prompt is (gigabit-ethernet port 1>).
In Configuration Farm level, the prompt is (farm "Farm">).
Commands on a higher level in the command tree are available. Command completion is
only available when in the correct prompt level.
CLI Navigation
Case Sensitivity
CLI commands, keywords, and reserved words are not case-sensitive. Commands and
keywords can be entered in upper or lower case.
User-defined text strings are not case-sensitive and can be defined in both upper and lower
case (including mixed cases). Character case in the user-defined text strings is preserved in
the configuration for readability purposes only.
Basic Navigation
The CLI allows for the use of the TAB key for command completion as well as supporting
abbreviated commands. For example, instead of typing the command configure terminal,
a user can input c t.
The CLI contains a command buffer of the last 16 commands. When using the up/down
arrows, only the relevant commands related to the current configuration level display.
Also, prior to accepting a configuration entry (line) the line can be edited.
Additionally, the following special keys can be used to aid in navigating within the CLI.
Table 2: Special Keys for Navigating within CLI
Key                     Function
?                       List available choices in the current prompt level and privilege/security level.
Backspace               Deletes characters backward, one character at a time.
Tab                     Completes command word.
[ESC] [ESC]             Clears the prompt line.
Ctrl-N or Down Arrow    Go to the next line in the history buffer.
Ctrl-P or Up Arrow      Go to the previous line in the history buffer.
The special keys rely on a VT compatible terminal.
Online Help
Commands that enable you to query the Online Help feature are specified according to:
Command mode.
Command.
Keyword.
Argument.
Table 3: Online Help Query Commands
Convention                        Description
abbreviated-command-entry         Obtain a list of commands that begin with a particular character string.
abbreviated-command-entry<Tab>    Complete a partial command name.
?                                 List all commands available for a particular command mode in given prompt level and with current user credentials.
command ?                         List a command's associated keywords.
command keyword ?                 List a keyword's associated arguments.
Configurable CLI Parameters
There are several options for adjusting the way information is displayed within the CLI.
All options can be accessed via the crescendo> prompt as displayed below:
crescendo>cli
abbreviated set cli mode to abbreviated
case-sensitive make cli case-sensitive
auto-clear make cli clear command line after syntax error
sort-help display cli help by alphabetical order
color enable color support
parent-mode set cli parent mode
more set number of lines for asking for more
idle-inactivity set idle time (before automatically exiting session)
Using the show Command
The show command is one of the most important commands available in the CLI. Show
can be used to view virtually any configuration variable. The command is located in the
root prompt level crescendo> but will operate within any prompt level.
To show configuration information
Command Syntax:
show variable
Prompt level - Root
Example command:
config> show ?
Output:
crescendo> show
cli show cli information
ip display IP information
vrrpc display vrrpc information
ftp-record display ftp record
system display system parameters
version display version
running display running configuration
startup display startup configuration
file display a file from /FLD/cfg directory
users display users table
compression display compression profiles data
boot-test display startup test status
global-data show global data
license-codes show codes for activated features
server-queue-limit show long queue protection status
connection-inactivity show time intervals to wait before resetting the connections
server-rx-window show server RX window size
tcp display TCP information
real display real server information
virtual display virtual server information
farm display farms
cluster display clusters
counters display counters
interfaces display interfaces table
vlans display vlans table
snmp display snmp information
logging show logging information
ssl ssl cli commands

config> show interfaces gigabit-ethernet 1
Output:
gigabit-ethernet 1, Admin UP, Status UP
Description giga ethernet 1
Hardware address 00-50-C2-22-A3-29
Fiber Sfp
Internet address 10.1.1.100, Mask 255.255.255.0
MTU 9216 bytes, BW 1000 Mbit, FULL duplex

config> show system
Output:
Hostname CN-5500, Date: 11:02:05 Time: 17:45:37
Servers: HTTP Server Enabled, SNMP Enabled, SSH Disabled,
Telnet Enabled
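The Servers line in the show system output above is what an auditor reads to see which management services a unit exposes. The following added example (not part of the Maestro AFE software) parses that line, including its wrap after a comma, and flags cleartext management services. The rule set and the hardened sample are assumptions of the example; the first sample is the output printed in this guide.

```python
"""Audit the management services reported by 'show system'."""
import re

# Output reproduced from this guide's show system example.
SHOW_SYSTEM = """\
Hostname CN-5500, Date: 11:02:05 Time: 17:45:37
Servers: HTTP Server Enabled, SNMP Enabled, SSH Disabled,
Telnet Enabled
"""

# Constructed sample of a locked-down unit in the same layout.
HARDENED = """\
Hostname CN-5500, Date: 11:02:05 Time: 17:45:37
Servers: HTTP Server Disabled, SNMP Disabled, SSH Enabled,
Telnet Disabled
"""

ITEM = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<state>Enabled|Disabled)\s*$")

# (service, state that triggers the finding, finding id, reason).
# This policy is the example's own, not a vendor recommendation.
RULES = [
    ("telnet", True, "telnet-enabled", "Telnet carries CLI logins in cleartext"),
    ("ssh", False, "ssh-disabled", "no encrypted CLI transport is available"),
    ("http", True, "http-enabled", "the GUI is served over plain HTTP on port 80"),
    ("snmp", True, "snmp-enabled", "port 161 is open; confine it with a management ACL"),
]


def parse_servers(text: str) -> dict:
    """Return {service: enabled?} from the 'Servers:' line of show system."""
    lines = text.splitlines()
    for index, line in enumerate(lines):
        if line.lstrip().startswith("Servers:"):
            break
    else:
        raise ValueError("no 'Servers:' line in show system output")
    joined = line.split("Servers:", 1)[1]
    # Assumption: a trailing comma means the list wraps onto the next line.
    while joined.rstrip().endswith(",") and index + 1 < len(lines):
        index += 1
        joined += " " + lines[index]
    services = {}
    for item in joined.split(","):
        if not item.strip():
            continue
        match = ITEM.match(item)
        if match is None:
            raise ValueError(f"unrecognised service entry: {item!r}")
        # "HTTP Server" -> "http", "Telnet" -> "telnet"
        key = re.sub(r"\s+server$", "", match["name"].lower())
        services[key] = match["state"] == "Enabled"
    return services


def audit(text: str) -> list:
    """Return (finding id, reason) pairs for risky management services."""
    services = parse_servers(text)
    return [(finding, why)
            for service, bad_state, finding, why in RULES
            if services.get(service) is bad_state]


if __name__ == "__main__":
    for finding, why in audit(SHOW_SYSTEM):
        print(f"{finding}: {why}")
```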
Using the no Command
The CLI provides the no command to undo or disable most configuration
elements of the Maestro AFE.
To undo a command
Command Syntax:
no command [variable]
Prompt level - Configure
Example command:
To remove an IP Address from an interface:
gigabit-ethernet-1> no ip address
To disable the http server for the GUI:
config> no http

4
Introduction to the Graphical User Interface
Chapter 4 introduces and explains the Maestro AFE Web-based Graphical User Interface
(GUI).
Graphical User Interface (GUI) Overview.
Preparations - Installing Sun Java.
Logging in to the GUI.
Navigating the GUI.
Graphical User Interface (GUI) Overview
The Maestro AFE GUI is a powerful tool for monitoring and managing the device. The
GUI is a Java-based SNMP management application launched via a Web browser.
Preparations - Installing Sun Java
The workstation accessing the Maestro AFE must have the latest version of Sun Java
installed. Java can be freely downloaded from http://www.java.com and installed.
Logging in to the GUI
From a Web browser, connect to the IP address of the management interface of the Maestro
AFE.
Ensure that ports 80 and 161 are available to enable access to the GUI.
Once connected, a Crescendo Networks image will display in the existing browser window
as shown in Figure 10. Do not close this window; doing so will close the Java-based GUI
management application.

Figure 10: Management Interface of Maestro AFE - Crescendo Networks Image
The user is presented with a separate window which prompts for log in credentials as
shown in Figure 11.

Figure 11: Login Screen
Log in using a user name and password created during the Auto Configuration Dialog or
normal CLI configuration. Once logged in, the Maestro AFE GUI will be presented as a
separate window. See Chapter 5. Initial Configuration & Global Settings.
Navigating the GUI
The GUI functions in five primary modes:
Summary - Displays basic real time information and device status.
Monitoring - Enables the user to view real-time and last 5 minutes performance
information for the Maestro AFE, farms, clusters, and servers.
History - Displays historical performance information for the Maestro AFE, farms,
clusters, and servers.
Configuration - Enables the user to configure most aspects of the Maestro AFE.
Events - Enables the user to view real-time and past events.
Summary
Summary mode displays basic global information such as the number of operational farms,
clusters, and servers. Additionally, it shows real time relative performance and transaction
performance within the previous 24 hours.

Figure 12: Summary Screen

Monitoring
Monitoring Mode enables the user to view real-time and last 5 minutes performance
information for the Maestro AFE, farms, clusters, and servers. Click on an object in the
Topology window to view related performance information. Selecting a cluster will
present the aggregate information for all servers contained in that specific cluster. Selecting
a farm will present the aggregate information for all clusters and servers contained in that
specific farm.

Figure 13: Monitoring Screen
History
The History mode displays historical performance information for the Maestro AFE, farms,
clusters, and servers. The History service must be enabled for each device you wish to
view historical information for. History can be enabled through the Configuration mode.

Figure 14: History Screen
While in History mode, click on an object in the Topology window. If historical
information is available, the pull down data menus will be available. Up to 4 data types
can be viewed simultaneously. Once selected, the information will be charted in the right
panel.
Selecting a cluster will present the aggregate information for all servers contained in that
specific cluster. Selecting a farm will present the aggregate information for all clusters and
servers contained in that specific farm.
Additionally, the graph's time scale can be adjusted to minutes, days, or weeks by cycling
through the icon at the bottom of the window.
Configuration
Configuration mode enables the user to configure most aspects of the Maestro AFE. Click
on an object in the Topology window. Available configuration variables will be displayed
in the right panel. Always click Apply to implement changes. To make the configuration
change permanent for subsequent device startups, make sure to save the running
configuration by clicking File > Save Configuration.

Figure 15: Configuration Screen
Events
Events mode enables the user to view GUI Event information. In order to see information,
GUI Events and Logging per device/object must be enabled.

Figure 16: Events Screen
To enable GUI Events, enter Configuration mode. From the Topology window, select the
Maestro AFE icon. In the right pane, select the Events & Logging tab. Check the box
labeled GUI Events and customize the logging level for associated events you would like
displayed in the Events mode window. Click Apply. Next, you will have to enable
logging for each device you would like to see logging information. Do this by selecting
each device in the Topology window and checking the box labeled logging. Click
Apply.

5
Initial Configuration & Global Settings
Chapter 5 introduces the initial configuration and basic administrative configuration
options of the Maestro AFE.
Before Proceeding.
Conventions Used in this Guide.
Initial Configuration (Auto Configuration Dialog).
Global Configuration Commands.
Interface Commands.
Networking Commands.
Client-side TCP Commands.
Server-side TCP Commands.
Security Commands.
System Commands.
Supportability Commands.
Before Proceeding
In order to proceed with the Initial Configuration & Global Setting, the following steps
should be satisfied.
The Maestro AFE should be properly mounted and connected to power. Please see
Chapter 2. Maestro AFE Installation.
The GBIC interfaces should be installed and connected via fiber or copper to a switch.
Please see Chapter 2. Maestro AFE Installation.
Management connectivity, whether through Serial Console or via Management
Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 3. Introduction to the
Command Line Interface.
Conventions Used in this Guide
This User Guide presents instructions for configuring the Maestro AFE. All configuration
variables are available through the CLI while a majority of them are also available in the
GUI. When discussing configuration concepts, the CLI version of a command will be
demonstrated first, followed by a GUI example if applicable.
The CLI conventions used for this user guide are as follows:
Table 4: CLI Conventions
Convention    Description
Italicized    Indicates user input command elements like specifying a name or IP address.
?             Enter a question mark at any point to get help.
|             Indicates a delimiter between options.
{Braces}      Commands enclosed in braces indicate mandatory command elements.
[Brackets]    Commands enclosed in brackets indicate optional settings.
Initial Configuration
Once the Maestro AFE is properly mounted and connected to a terminal via the provided
serial cable (See Chapter 2. Maestro AFE Installation and Chapter 3. Introduction to the
Command Line Interface), the unit can be powered on for the first time.
The following section walks through the configuration of a newly installed Maestro AFE
using the Auto Configuration Dialog. The remaining sections of Chapter 5
demonstrate additional global configuration parameters. The example used throughout
this section assumes a basic network environment as displayed in Figure 17.

Figure 17: Basic Network Environment
Initiating the Auto Configuration Dialog (ACD)
After the boot process initializes successfully, the following options will be displayed
through the Serial Console if the Maestro AFE shipped without a configuration file
(startup.cfg):
[1] Run startup config file from the current directory
[2] Activate the A.C.D (Auto Configuration Dialog)
[3] Run the CLI without running any startup config file

Enter your selection: 2
If a configuration file exists (i.e. if the preceding menu is not displayed upon boot up) the
existing startup.cfg file should be deleted or renamed, after which the box will present the
startup menu upon the next reboot. The startup.cfg file can be renamed or deleted by
logging into the CLI as an administrator or with the rescue account, entering the
system> prompt, and then issuing the rename or delete commands for the
startup.cfg file. File management operations are covered in greater detail later in this
chapter.
Proceed by selecting option 2 to enter the Auto Configuration Dialog, then input the
required information.
Table 5: CLI Conventions
Configuration                                 Comments
Would you like to enter the initial
configuration dialog (yes/no)? [yes] yes

Enter host name [CN-5500]: CN-5500            The username and password
Enter admin username [Admin]: admin           defined are case sensitive.
Enter password: *****
Retype password for verification: *****

Enter IP address for the Management
interface: 192.168.1.100
Enter subnet mask for this interface
[255.255.255.0] : 255.255.255.0
Enter Management Default Gateway IP           If no DG is required, press
address: 192.168.1.1                          enter
Do you wish to enable SSH server (yes/no)?    If SSH is disabled during this process,
[yes] yes                                     Telnet will be automatically enabled.
Do you wish to enable HTTP GUI (yes/no)?
[yes] yes

Please select a data port 1-8: 1
Enter IP address for this interface:
10.1.1.254
Enter subnet mask for this interface
[255.255.255.0] : 255.255.255.0
Do you want to define an IP-address to
another data port (yes/no)? [no] no

Enter external network Default Gateway IP     If no DG is required, press
address: 10.1.1.253                           enter

Do you wish to configure Accelerated          The next section of the ACD deals with configuring servers.
services (yes/no)? [NO]:yes                   You can choose to skip this portion by answering no as the
Enter farm name: Farm-1                       manual addresses the remaining config issues in detail.
Enter cluster name: Cluster-1
Enter Real Server name: Server-1
Enter Real Server IP address:10.1.1.1
Please select Real Server port [80]:80

Do you wish to add more real servers
(yes/no)? [NO]:yes

Enter Real Server name: Server-2
Enter Real Server IP address:10.1.1.2
Please select Real Server port [80]:80

Do you wish to add more real servers
(yes/no)? [NO]:no

Do you wish to add more clusters (yes/no)?
[NO]:no

Do you wish to add more farms (yes/no)?
[NO]:no

Do you wish to configure Virtual Servers
(yes/no)? [NO]:yes

Enter Virtual Server name: Virtual-1
Enter Virtual Server IP address:10.1.1.100
Please select Virtual Server port [80]:
Do you wish to define a default cluster
(yes/no)? [NO]:yes
Enter Default Cluster name: Cluster-1

Do you wish to add more virtual servers
(yes/no)? [NO]:no
Once complete, the Maestro AFE will display the configuration details, as follows:
The following configuration has been created:
File : /RAMD/auto_startup.cfg

hostname CN-5080E
user admin admin admin
interface management ethernet
ip address 192.168.1.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ssh-server v1
http-server
interface gigabit-ethernet 1
ip address 10.1.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.253
farm Farm-1
cluster Cluster-1
real Server-1 10.1.1.1 80
real Server-2 10.1.1.2 80
virtual Virtual-1 10.1.1.100 80 default cluster Cluster-1

[1] Return back to the setup without saving this config
[2] Save this configuration file, run it and exit the dialog
[3] Run the startup.cfg from the current directory
[4] Go to the CLI command prompt without saving this config
Enter option 1 to cancel the configuration and restart the ACD, or choose option 2
to save and load the new configuration.
Enter your selection [2]: 2
Copy OK: 314 bytes copied
run startup script "/FLD/cfg/startup.cfg"...

login: admin
password: *****
crescendo>
Log in with the admin account created during the ACD.
Initial Configuration Summary
It is not required that Accelerated Services be configured during the ACD. The
remaining sections in Chapter 5 deal with Global Configuration Settings such as interface,
routing, user administration, and logging issues. Additional configuration details are
provided in individual chapters for Server Acceleration & Load Balancing, Compression,
SSL Acceleration, and device redundancy.
Outbound Traffic Rate Shaping
The Maestro AFE is equipped with Gigabit Ethernet data interfaces, while many outbound links
utilize a Fast Ethernet (100Mb/s) connection. Because all data transmissions are sent to the
outbound link at Gigabit speed, in some network environments the Maestro AFE can flood the
outbound link, causing dropped packets and subsequently poor performance. In these instances,
the Maestro AFE must be configured to shape the rate at which data is transmitted to
accommodate the slower outbound connection.
This is accomplished with the rate-shaping command. By default, rate-shaping is disabled,
meaning data is transmitted at maximum speed and burst rates. When installing the Maestro AFE
in a network with slower outbound link connectivity, the command should be used as follows:
To set the rate-shaping globally
Command Syntax:
rate-shaping {value in Mb/s} {max burst size in KB/s}
no rate-shaping
Prompt level - Configure
Example command:
To set the rate-shaping for a Fast Ethernet (100Mb/s) link:
config> rate-shaping 100 128
To set the rate-shaping per interface
Command Syntax:
rate-shaping {value in Mb/s} {max burst size in KB/s}
no rate-shaping
Prompt level - Configure Interface Gigabit
Example command:
To set the rate-shaping for a Fast Ethernet (100Mb/s) link:
gigabit-ethernet port 1> rate-shaping 100 128
To set the rate-shaping per interface from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Maestro AFE device icon, then select the Ports &
VLANs tab.

Figure 18: Setting the Rate-Shaping per Interface
3. Select the Port and Aggregator interface for adjusting the rate shaping.
4. Configure the Rate and Maximum Burst Size. A rate of 0 and Maximum Burst Size of
16 are the default values which represent no rate shaping.
Global Configuration Commands
Use the CLI Global Commands to define the Maestro AFE basic administrative settings.
They are as follows:
Showing Configuration Information.
Device Name.
Calendar set.
Internal clock.
Services for Remote Management (SSH/Telnet).
Services for SNMP server access.
SNMP Configuration.
HTTP Server Configuration.
Proxy Signature (HTTP Header configuration).
Showing Configuration Information from the CLI
The show command is one of the most important commands available in the CLI. Show
can be used to view almost any configuration variable. The command is located in the root
prompt level crescendo> but will operate within any prompt level.
To show configuration information
Command Syntax:
show variable
Prompt level - Root
Example command:
config> show ?
Output:
cli show cli information
ip display IP information
vrrpc display vrrpc information
ftp-record display ftp record
system display system parameters
version display version
running display running configuration
startup display startup configuration
file display a file from /FLD/cfg directory
users display users table
compression display compression profiles data
boot-test display startup test status
global-data show global data
license-codes show codes for activated features
server-queue-limit show long queue protection status
connection-inactivity show time intervals to wait before
resetting the connections
server-rx-window show server RX window size
tcp display TCP information
real display real server information
virtual display virtual server information
farm display farms
cluster display clusters
counters display counters
interfaces display interfaces table
vlans display vlans table
snmp display snmp information
logging show logging information
ssl ssl cli commands

config> show interfaces gigabit-ethernet 1
Output:
gigabit-ethernet 1, Admin UP, Status UP
Description giga ethernet 1
Hardware address 00-50-C2-22-A3-29
Copper Sfp
Internet address 10.1.1.100, Mask 255.255.255.0
MTU 9216 bytes, BW 1000 Mbit, FULL duplex

config> show system
Output:
Hostname CN-5020E, Date: 25:07:06 Time: 16:19:23
Servers: HTTP Server Enabled (listening on port 80),
SNMP Enabled,
SSH Disabled,
Telnet Disabled
Using the no command from the CLI
The CLI provides the no command to undo or disable most configuration elements of the
Maestro AFE.
To undo a command
Command Syntax:
no command [variable]
Prompt level - Configure
Example command:
To remove an IP Address from an interface:
gigabit-ethernet-1> no ip address
To disable the http server for the GUI:
config> no http
Device Name
The device/host name is specified to distinguish the Maestro AFE being managed. Perform
the following commands to set the Maestro AFE hostname.
To set the hostname from the CLI
Command Syntax:
hostname box-name
Prompt level - Configure
Example command:
config> hostname CN-1
To set the Hostname from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Maestro AFE icon.

Figure 19: Setting the Hostname
3. Select the Global tab and input new hostname in the Name window.
Calendar and Time Settings
To set the Calendar from the CLI
Perform the following example commands to set the Maestro AFE calendar.
Command Syntax:
calendar dd:mm:yy
Prompt level - Configure
Example command:
config> calendar 22:02:04
To set the Calendar from the GUI
The calendar can be set in the GUI via the Configuration > Maestro AFE > System tab
screen as shown in Figure 19.
To Set the Internal Clock from the CLI
Perform the following example commands to set the Maestro AFE internal clock settings.
Command Syntax:
clock hh:mm:ss
Prompt level - Configure
Example command:
config> clock 15:00:00
To set the Clock from the GUI
The clock can be set in the GUI via the Configuration > Maestro AFE > Global tab screen
as shown in Figure 19.
Telnet and Secure Shell (SSH) Management Configuration
Perform the following example commands to set the Maestro AFE service availability
(Telnet/SSH):
When performing the initial configuration using the Auto Configuration Dialog (A.C.D.),
an option is presented to enable or disable SSH access. If the ssh-server is disabled, the
telnet-server is automatically enabled.
To enable/disable telnet server from the CLI
Command Syntax
telnet-server
no telnet-server
Prompt level - Configure
Example commands:
config>telnet-server
Output: enabling telnet access
config>no telnet-server
Output: disabling telnet access
To enable/disable the SSH server from the CLI
Command Syntax
ssh-server [v1 | v2]
no ssh-server
Prompt level - Configure
Example commands:
config> ssh-server
Output: enabling ssh access
config> no ssh-server
Output: disable ssh-server
The telnet-server and ssh-server toggle each other. When one is enabled, the other is
disabled.
To enable/disable Telnet or SSH from the GUI
The clock can be set in the GUI via the Configuration > Maestro AFE > Global tab screen
as shown in Figure 19.
To configure Telnet/SSH Session Idle Inactivity Timer from the CLI
Telnet/SSH connections made to the Maestro AFE's management port are automatically
closed by the Maestro AFE after a configured period of inactivity. The default value for
telnet/SSH session inactivity is 10 minutes, but the value can be changed if necessary.
Command Syntax
cli idle-inactivity {seconds}
no cli idle-inactivity
Prompt level - Configure
Example commands:
crescendo> cli idle-inactivity 1200
crescendo> no cli idle-inactivity
SNMP Management Configuration
The SNMP server can be enabled and disabled only from the CLI. Perform the following
example commands to set the Maestro AFE SNMP server configuration.
To enable/disable the SNMP server from the CLI
Command Syntax
snmp-server
no snmp-server
Prompt level - Configure
Example commands:
config> snmp-server
Output: enabling Snmp access
config> no snmp-server
Output: disabling Snmp access
The SNMP server status can be enabled or disabled only from the CLI. The SNMP name
and location variables are the only fields modifiable via the GUI. Additionally, the
SNMP server must be enabled for the GUI to operate.
To configure the SNMP server contact from the CLI
Command Syntax
snmp-server contact contact-string
Prompt level - Configure
Example command:
config> snmp-server contact jones
To configure the SNMP server location from the CLI
Command Syntax
snmp-server location location-string
Prompt level - Configure
Example command:
config> snmp-server location "main office"
To configure the SNMP server community from the CLI
Command Syntax
snmp-server community community-string {read | write-read}
Prompt level - Configure
Example commands:
config> snmp-server community-string read password
config> snmp-server community-string write-read read_and_write
SNMP Configuration from the GUI
The SNMP server must be enabled for the GUI to operate. The SNMP server status can be
enabled or disabled only from the CLI.
The SNMP name and location variables are the only fields modifiable via the GUI.
These options can be set in the GUI via the Configuration Topology screen as shown in
Figure 4.1.3.1.
HTTP Management Configuration
The HTTP service can be enabled and configured. Perform the following example
commands to set the Maestro AFE HTTP server configuration.
The HTTP service must be enabled in order for the GUI to function properly.
To enable/disable the HTTP server from the CLI
Command Syntax
http-server [listening-port]
no http-server
Prompt level - Configure
Example commands:
config> http-server
Output: enabling HTTP access
config> no http-server
Output: disabling HTTP access
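The Telnet/SSH, SNMP and HTTP management settings described above can be reviewed offline from a saved configuration. The following Python audit is an added example, not part of the original guide or of Crescendo's software; it runs over the ACD-generated configuration shown earlier in this chapter plus two SNMP lines written the way the guide's example commands write them. The rule IDs, severities and the list of guessable community strings are assumptions of this example.

```python
# Added example: audits management-plane lines of a Maestro AFE style config.
# Rule IDs, severities and WEAK_COMMUNITIES are assumptions of this example.

# Constructed sample: the ACD output shown in this chapter, followed by SNMP
# lines in the form used by the guide's example commands.
SAMPLE_CFG = """\
hostname CN-5080E
user admin admin admin
interface management ethernet
ip address 192.168.1.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ssh-server v1
http-server
snmp-server
snmp-server community-string read password
snmp-server community-string write-read read_and_write
"""

ACCESS_MODES = ("read", "write-read")
WEAK_COMMUNITIES = {"public", "private", "password", "admin", "snmp"}


def parse_community(args):
    """Return (community, access). The guide shows both argument orders."""
    access = next((a for a in args if a in ACCESS_MODES), "read")
    rest = list(args)
    if access in rest:
        rest.remove(access)
    return (rest[0] if rest else ""), access


def audit(cfg_text):
    """Return a list of (severity, rule_id, message) for risky settings."""
    telnet, ssh, http_port, communities = False, None, None, []
    for line in cfg_text.splitlines():
        words = line.split()
        negated = bool(words) and words[0] == "no"
        if negated:
            words = words[1:]
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "telnet-server":
            telnet = not negated
            if telnet:
                ssh = None          # per the guide, enabling one disables the other
        elif cmd == "ssh-server":
            ssh = None if negated else (args[0] if args else "unspecified")
            if ssh:
                telnet = False
        elif cmd == "http-server":
            # Port 80 is what "show system" reports in the guide's sample output.
            http_port = None if negated else (args[0] if args else "80")
        elif (cmd == "snmp-server" and not negated and args
              and args[0] in ("community", "community-string")):
            communities.append(parse_community(args[1:]))

    findings = []
    if telnet:
        findings.append(("HIGH", "MGMT-TELNET",
                         "telnet-server sends logins in cleartext; "
                         "use 'ssh-server v2'"))
    if ssh == "v1":
        findings.append(("HIGH", "MGMT-SSHV1",
                         "ssh-server v1 selects obsolete SSH protocol 1; "
                         "use 'ssh-server v2'"))
    elif ssh == "unspecified":
        findings.append(("LOW", "MGMT-SSHVER",
                         "ssh-server has no version; state v2 explicitly"))
    if http_port:
        findings.append(("MEDIUM", "MGMT-HTTP",
                         f"http-server on port {http_port} serves the GUI over "
                         "plain HTTP; keep it on the management network only"))
    for name, access in communities:
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(("HIGH", "SNMP-WEAK",
                             f"community '{name}' is a guessable string"))
        if access == "write-read":
            findings.append(("MEDIUM", "SNMP-WRITE",
                             f"community '{name}' grants write access"))
    return findings


if __name__ == "__main__":
    for severity, rule, message in audit(SAMPLE_CFG):
        print(f"{severity:<6} {rule:<12} {message}")
```

Only lines present in the file are evaluated, so a setting left at its device default is not reported.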
Auto Configuration Dialog (A.C.D.)
The Auto Configuration Dialog provides a wizard-like approach to configuring the
Maestro AFE. When the Maestro AFE boots and the initial configuration file (startup.cfg)
does not exist, the user is prompted to use the A.C.D. to create a configuration file. Upon
completion of the wizard, the user will be prompted to load and save the new
configuration information as startup.cfg. During the next boot process, the Maestro AFE
will use the information found in the startup.cfg file.
To initiate the Auto Configuration Dialog during normal operation from the CLI
Command Syntax
auto-config
Prompt level - Configure
Global History Service
To enable the Maestro AFE to save historical performance information for specified objects
like farms, clusters, or servers, the History service must be enabled globally. Once enabled
globally, individual objects must enable the history function as a separate configuration
action before historical data will be available.
To enable/disable history from the CLI
Command Syntax:
service history
no service history
Prompt level - Configure
Example command:
config>service history
config>no service history
Proxy Signature (HTTP Header Settings)
The Maestro AFE acts as a TCP intermediary, maintaining separate client and server
connections. In this way, the Maestro AFE operates as a proxy and enables the ability to
insert special headers on the client and server connections to identify itself. By default, the
Maestro AFE inserts the following header into client-side responses and server-side
requests:
Via: CN-5500E
The header used to identify the Maestro AFE can be disabled or configured as either Via
or X-Via for either the client or server side connections.
To configure proxy signature from the CLI
Command Syntax:
proxy-sign {via | x-via} {to-client | to-server | [CR] (to both)}
no proxy-sign
Prompt level - Configure
Example command:
config> proxy-sign via
config> proxy-sign x-via to-server
To configure proxy signature (to backend server) from the GUI
1. From the Configuration mode of the GUI, click on the Servers Topology icon.
2. Adjust the Proxy Signature settings in the General tab.

Figure 20: Setting the Proxy Signature to the Backend Server
To configure proxy signature (to clients) from the GUI
1. From the Configuration mode of the GUI, click on the Virtual Servers icon.
2. Adjust the Proxy Signature settings in the Advanced tab.

Figure 21: Setting the Proxy Signature to the Clients
Interface Commands
Use the CLI commands to configure the following Maestro AFE interfaces:
Management Ethernet port.
Management Serial port.
Use the CLI and the GUI to configure the following Maestro AFE interface:
Gigabit-Ethernet data ports.
It is important to understand that the Maestro AFE utilizes an out-of-band management
architecture for enhanced security and manageability. Because of this, two terms are used
throughout this User Guide to discuss the path of data: data-path and management-path.
Data-path refers to any traffic being accelerated or routed through the primary interfaces of
the Maestro AFE. Management-path refers only to traffic destined to the management
Ethernet port. For each path, there is a separate routing table and PING commands.
Configuring the Management Ethernet Interface
The management Ethernet interface can only be configured from the CLI. Perform the
following commands to configure the Maestro AFE Management interfaces.
The management Ethernet interface is used for all remote management access, e.g., GUI,
SNMP, Software and configuration file management, etc. The management Ethernet
interface has a separate routing table and must have a default route to access a remote
network.
To configure the management Ethernet interface from the CLI
Command Syntax
interface management ethernet
Prompt level - Configure
Example commands:
config> interface management ethernet
To add IP-address to the management Ethernet interface from the CLI
Command Syntax
ip address ip-address subnet-mask
no ip address
Prompt level - Configure Interface Management Ethernet
Example commands:
management-ethernet> ip address 192.168.1.100 255.255.255.0
management-ethernet>no ip address
To configure management Ethernet interface description from the CLI
Command Syntax:
description interface-description
Prompt level - Configure Interface Management Ethernet
Example commands:
management-ethernet> description FW_DMZ_2
To configure the management interface route from the CLI
Command Syntax:
ip route prefix-ip-address prefix-mask nexthop-ip
no ip route prefix-ip-address prefix-mask nexthop-ip
Prompt level - Configure Interface Management Ethernet
Example commands:
management-ethernet> ip route 0.0.0.0 0.0.0.0 10.0.0.1
management-ethernet> no ip route 0.0.0.0 0.0.0.0 10.0.0.1
To ping via the management interfaces from the CLI
Command Syntax:
ping mgmt IP-address [count number of pings] [size buffer-size]
Prompt level - Root
Example commands:
crescendo> ping mgmt 10.0.0.8
Configuring the Management Serial Interface
The management serial interface can only be configured from the CLI. Perform the
following commands to configure the Maestro AFE Management interface.
The default settings for the Management Serial Interface are:
Baud: 115,200
Data bits: 8
Parity: none
Stop bits: 1
Flow Control: none
To configure the management serial interface from the CLI
Command Syntax
interface management serial
Prompt level - Configure
Example commands:
config> interface management serial
Perform the following example commands to configure the Maestro AFE console port.
Management-serial console configuration is required so port specific characteristics can be
configured.
To configure management serial interfaces from the CLI
Command Syntax:
speed bps
Prompt level - Configure Management Serial
Example command:
management-serial> speed 115200
To configure management-serial interface descriptions from the CLI
Command Syntax:
description interface-description
Prompt level - Configure Management Serial
Example command:
management-serial> description "TS11"
Configuring Gigabit-Ethernet Interfaces
Perform the following example commands to configure the Maestro AFE Gigabit-Ethernet
interfaces.
To configure gigabit-ethernet interfaces from the CLI
Command Syntax:
interface gigabit-ethernet {1-2 | 1-8 | 1-4 | 1-10}
Prompt level - Configure
Example commands:
config> interface gigabit-ethernet 1
To configure gigabit-ethernet interface descriptions from the CLI
Command Syntax:
description interface-description
Prompt level - Configure Interface Gigabit
Example commands:
gigabit-ethernet port 1> description "link to web farm"
To set the administrative status of the gigabit-ethernet interface from the CLI
Command Syntax:
shutdown
no shutdown
Prompt level - Configure Interface Gigabit
Example commands:
gigabit-ethernet port 1> shutdown
gigabit-ethernet port 1> no shutdown
To configure gigabit-ethernet interface IP addresses from the CLI
Command Syntax:
ip address ip-address subnet-mask
no ip address ip-address
Prompt level - Configure Interface Gigabit
Example commands:
gigabit-ethernet port 1> ip address 10.1.1.254 255.255.255.0
gigabit-ethernet port 1> no ip address
To configure gigabit-ethernet interfaces from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Maestro AFE device icon, then select the IP tab.

Figure 22: Setting Gigabit-Ethernet Interfaces
3. From the Ports window, use the drop down menu to select the physical port or
aggregator on the Maestro AFE to be configured.
4. Enter the IP Address, Subnet Mask, and/or VLAN information.
5. Click Apply.
Configuring Interface Speed/Duplex Settings for the CN-5500E
The CN-5500E supports the ability to configure individual port speed and duplex
parameters. Each interface can be configured for auto negotiation of these options, or
manually configured as 10/100/1000 speed and full/half duplex.
To configure speed/duplex settings per interface
Command Syntax:
speed {10mb | 100mb | 1000mb | auto}
duplex {full | half | auto}
Prompt level - Interface
Example commands:
gigabit-ethernet port 1> speed 1000mb
gigabit-ethernet port 1> duplex full
VLAN Support
VLAN support is achieved by defining sub-interfaces on a physical port. The range can be
from 1 to 4095. A VLAN sub-interface is configured exactly like a regular Gigabit Ethernet
port, with the added vlan keyword and VLAN number.
The Maestro AFE supports 802.1q VLAN tagging. Tagging is automatically enabled upon
configuration of a VLAN interface. Packets leaving a VLAN interface are tagged using that
interface's associated VLAN number.
To establish single or multiple sub-interfaces per port from the CLI
Command Syntax:
interface gigabit-ethernet inf-number vlan vlan-number
Prompt level - Configure
Example commands:
config>interface gigabit-ethernet 6 vlan 901
To configure Vlan gigabit-ethernet interface description from the CLI
Command Syntax:
description interface-description
Prompt level - Configure - interface gigabit Vlan
Example commands:
gigabit-ethernet port 6 Vlan 901>description Server Ian on Vlan 901
To set the administrative status of the Vlan gigabit-ethernet interface from the CLI
Command Syntax:
shutdown
no shutdown
Prompt level - Configure - interface gigabit Vlan
Example commands:
gigabit-ethernet port 6 Vlan 901> shutdown
gigabit-ethernet port 6 Vlan 901> no shutdown
To configure Vlan gigabit-ethernet interface IP addresses from the CLI
Command Syntax:
ip address ip-address subnet-mask
no ip address ip-address
Prompt level - Configure - interface gigabit Vlan
Example commands:
gigabit-ethernet port 6 Vlan 901> ip address 10.10.10.5 255.255.255.0
While in the interface prompt, a shortcut to the sub-interface with VLAN tag is available
with the command: VLAN {vlan-number}. This brings the user into the prompt level:
"interface GigabitEthernet {port} VLAN {vlan-number}". The Gigabit Ethernet port cannot
have an IP address if VLANs are associated with the port. Each VLAN interface can be
shut down individually, or the entire Gigabit Ethernet port can be shut down, which results
in all associated VLANs being shut down. For security purposes, tagged packets are only
accepted when the port/network/VLAN match; any mismatched packets are discarded.
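The following Python model of the port/network/VLAN admission rule in the paragraph above is an added example, not code from the guide or the device. It applies the rule to constructed frames for the sub-interface used in this section (port 6, VLAN 901, 10.10.10.5 255.255.255.0). Reading "network" as the sub-interface's IP subnet, testing the IPv4 destination address against it, and rejecting untagged or non-IPv4 frames are assumptions of this model; the guide does not say how the device implements the check.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Sub-interface from this section's example commands: port 6, VLAN 901.
SUBIFS = {
    (6, 901): ipaddress.ip_network("10.10.10.5/255.255.255.0", strict=False),
}


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, ethertype, frame[18:]   # VID is the low 12 bits of the TCI


def admit(port, frame, subifs=SUBIFS):
    """Return (accepted, reason) for a frame received on a physical port."""
    try:
        vid, ethertype, payload = parse_frame(frame)
    except ValueError:
        return False, "malformed"
    if vid is None:
        return False, "untagged"          # assumption: only tagged traffic is modelled
    network = subifs.get((port, vid))
    if network is None:
        return False, "vlan-mismatch"     # no sub-interface for this port and VID
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20 or payload[0] >> 4 != 4:
        return False, "not-ipv4"          # assumption: the model decides IPv4 only
    dst = ipaddress.IPv4Address(payload[16:20])
    if dst not in network:
        return False, "network-mismatch"  # assumption: "network" means this subnet
    return True, "ok"


def build_frame(vid, dst_ip, src_ip="198.51.100.7"):
    """Build a constructed test frame: Ethernet, optional tag, bare IPv4 header."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    cases = [
        (6, 901, "10.10.10.5"),   # matching port, VLAN and subnet
        (6, 902, "10.10.10.5"),   # VLAN not defined on port 6
        (4, 901, "10.10.10.5"),   # VLAN 901 arriving on the wrong port
        (6, 901, "192.0.2.9"),    # right port and VLAN, address outside the subnet
    ]
    for port, vid, dst in cases:
        print(port, vid, dst, admit(port, build_frame(vid, dst)))
```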
To configure VLAN variables from the GUI
VLAN interfaces can be set in the GUI via the Configuration > Maestro AFE device icon >
Ports & VLANs tab screen as shown in Figure 23.

Figure 23: Setting VLAN Variables
Link Aggregation
The Maestro AFE supports Link Aggregation (LAG), which enables the configured system
to reach increased bandwidth and availability by creating a Link Aggregation Group, or
aggregator. Depending on the configuration, there are either 2 or 5 predefined aggregators
in the system. The aggregator enables one or more physical ports to be grouped together
and treated as a single link. The aggregator is a system interface, for which IP subnets or
VLANs can be created. The IP subnet and VLANs are created the same way for aggregators
as they are for a regular interface.
To switch the CLI to a specific aggregator's context menu:
In the CLI, some aggregation commands can only be used within a specific aggregator's
context menu. Use this command to ensure that you are working in the correct aggregator's
context menu.
Command Syntax:
interface aggregator <1-5>
Prompt level - Configure
Example commands:
config>interface aggregator 2
aggr 2>exit
The aggregator context menu has the following available commands:
Exit exit the current context
No undo command
ip ip related commands
vrrpc vrrpc configuration
shutdown shutdown the interface
mode set the mode of the interface (speed only)
description set the interface description
To add or remove a port from an aggregator
Command Syntax:
Description aggregator-group <1-10>
Description no aggregator-group <1-10>
Prompt level - Configure - interface gigabit VLAN
Example commands:
Config> interface gigabit-ethernet 4
gigabit-ethernet port 4> aggregator-group <1-5>
Config> interface gigabit-ethernet 4
gigabit-ethernet port 4> no aggregator-group <1-5>
To configure a VLAN for an aggregator from the CLI
Command Syntax:
interface aggregator <1-5> vlan <1-4095>
Prompt level - Configure - interface gigabit VLAN
Example commands:
Config>interface aggregator 2 vlan 55
aggr 2.55>
To display aggregators
Command Syntax:
show interfaces
show interfaces aggregator <1-5>
Prompt level - Configure - interface gigabit VLAN
Example commands:
Example for displaying information about all physical interfaces, VLANs, aggregators,
and VLANs on aggregators:
show interfaces
Example for displaying information about a specific aggregator:
crescendo> show interfaces aggregator 1
Output:
aggregator 1, Admin UP, Status UP
Description link aggregator 1
Hardware address 00-50-C2-22-A5-71
Internet address 2.1.2.1, Mask 255.255.255.192
MTU 9216 bytes, BW 1000 Mbps, FULL duplex
Physical ports 1,2,8,10
To display information about all interfaces, as well as VLANs with configured IP
addresses
Command Syntax:
show interfaces ip
Prompt level - Configure - interface gigabit VLAN
Example commands:
crescendo> show interfaces ip
Output:
crescendo> show interfaces ip
Interface  IP Address   IP Mask         ShapeRate  BurstSize  Admin  Oper
1          1.2.3.1      255.0.0.0       No Limit   No Limit   UP     DOWN
2.56       10.20.3.6    255.255.0.0     No Limit   No Limit   UP     DOWN
3          2.2.3.4      255.0.0.0       No Limit   No Limit   UP     DOWN
aggr1      4.2.3.4      255.0.0.0       No Limit   No Limit   UP     DOWN
aggr3.40   5.2.3.4      255.0.0.0       No Limit   No Limit   UP     DOWN
Mgmt       10.0.2.146   255.255.252.0   No Limit   No Limit   UP     UP
Available Ethernet ports: 4

The output contains a line for each interface. The interfaces can be any of the
following:
- Aggregator: appears as aggr<aggregator number>, for example, aggr1.
- Physical port: appears as <port number>, for example, 1.
- VLANs with IP addresses: appear as aggr<aggregator number>.<VID>, for example, aggr3.40.
- Management: appears as Mgmt.
To add a port to an aggregator from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology window, click the Maestro AFE device icon, then select the IP tab.
3. Ensure that no IP addresses are specified in the IP tab.
4. Select the Ports & VLANs tab.

Figure 24: Adding a Port to an Aggregator
5. From the Port window, use the drop down menu to select the port that you want to
add to an aggregator. For example, Port 5.
6. In the Aggregator window, select the Aggregator to which you want to add the port.
For example, Aggregator 4.
7. Ensure each of the following:
   - The Admin check box is checked.
   - Auto mode (1000 Mbps / Full Duplex) is selected.
   - No VLANs are specified in the Ports and VLANs window.
8. Click Apply. In the example, Port 5 is added to Aggregator 4.
To remove a port from an aggregator from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology window, click the Maestro AFE device icon, then select the Ports &
VLANs tab.

Figure 25: Removing a Port from an Aggregator
3. From the Port window, use the drop down menu to select the port that you want to
remove from an aggregator. For example, Port 5.
4. In the Aggregator window, select None.
5. Click Apply. The Port is removed from the Aggregator.
Networking Commands
The networking commands for the Maestro AFE provide the functionality to configure
static routes (including default gateway) for the data path.
Routing
Configure the routing for the Maestro AFE unit by performing the following example
commands.
To add/remove routes from the CLI
Command Syntax:
ip route ip-address mask nexthop-ip [enable | disable]
no ip route ip-address mask
Prompt level - Configure
Example commands:
config> ip route 0.0.0.0 0.0.0.0 10.1.1.200
config> no ip route 192.168.1.0 255.255.255.0
To show IP route information from the CLI
Command Syntax:
show ip route
Prompt level - Root
Example commands:
crescendo> show ip route
To add/remove routes from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Maestro AFE device icon, then select the IP tab.

Figure 26: Adding and Removing Routes
3. From the Ports window, use the drop down menu to select the physical port or
aggregator on the Maestro AFE to which you want to add or remove a route.
4. In the IP route window:
   - To add an IP route, enter the IP Address, Network Mask, and Next Hop
     information and click Apply.
   - To remove an IP route, select the row of the IP route that you want to remove, and
     click Delete.
Disable Routing of Non-accelerated Traffic between Interfaces
By default, the Maestro AFE routes traffic between all the IP interfaces configured on its
data ports. This applies to all non-accelerated traffic that is not terminated at the Maestro
AFE itself.
Routing between the Maestro AFE IP interfaces can be disabled in order to prevent the
device from passing non-accelerated traffic from one IP interface to another.
To disable routing of non-accelerated traffic from the CLI
Command Syntax:
routing {enable | disable}
Prompt level - Configure
Example commands:
config> routing enable
config> routing disable
To disable routing of non-accelerated traffic from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Maestro AFE device icon, then select the Global
tab.

Figure 27: Disabling Routing of Non-Accelerated Traffic
Client-side TCP Commands
As the termination point of all incoming connections, the Maestro AFE sets up and
maintains all client-side connections. For these connections, a number of variables are
configurable.
Always consult with Crescendo's technical support staff before changing these parameters.
Client-side TCP Windows
The Maestro AFE terminates and owns all TCP connections with clients. A number of
parameters are configurable on the Maestro AFE:
- Initial Transmit Window (KB): the initial transmit window used for client-side TCP
  connections. This is the total number of bytes the Maestro AFE will send to the client
  without waiting for an ACK at the start of a TCP connection. The transmit window
  will increase as the connection ramps up. The default value for this parameter is 3KB.
- Maximum Transmit Window (KB): the maximum number of bytes the Maestro AFE will
  send over a client connection without waiting for an ACK. The default value for this
  parameter is 6KB.
- Maximum Receive Window (KB): the maximum window size the Maestro AFE will
  advertise to a TCP client. The default value for this parameter is 8KB.
To configure client-side TCP windows from the CLI
Command Syntax:
tcp {client-initial-tx-window | client-max-tx-window | client-rx-window} window-size
Prompt level - Configure
Example commands:
config> tcp client-initial-tx-window 5
The client-initial-tx-window is a value between 1KB and 6KB.
config> tcp client-max-tx-window 16
The client-max-tx-window is a value between 1KB and 32KB
config> tcp client-rx-window 32
The client-rx-window is a value between 8KB and 64KB.
To configure client-side TCP windows from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Virtual Servers icon, then select the Advanced
tab.

Figure 28: Setting Client-Side TCP Windows
Client-side TCP Inactivity Timers
There are also two TCP inactivity timers that control how long idle client connections are
kept open by the Maestro AFE. There are two kinds of TCP client connections. An Active
client connection is one where the connection is currently in use for a transaction. This is
most common when the client has sent a request but has yet to receive a response. An Idle
client connection is one where there is no activity on the TCP connection at all; the last
transaction (if applicable) was completed successfully and the TCP connection is now idle
with the client not waiting for a response. The inactivity timers for these two types of
connections are both configurable and indicate how long the Maestro AFE will keep each
kind of connection open when there is no data present over the connection. The default
timer for both kinds of connections is 30 seconds. When this inactivity timer expires, the
Maestro AFE closes the connection.
To configure client-side TCP inactivity timers from the CLI
Command Syntax:
tcp connection-inactivity {idle-client-time | active-client-time} inactivity-time
Prompt level - Configure
Example commands:
config> tcp connection-inactivity idle-client-time 30
The idle-client-time is a value between 15 and 4,096 seconds.
config> tcp connection-inactivity active-client-time 30
The active-client-time is a value between 15 and 4,096 seconds.
To configure client-side TCP inactivity timers from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Virtual Servers icon, then select the Advanced
tab as shown in Figure 28.
Client-side MSS
TCP Maximum Segment Size (MSS) is used by a TCP client to announce to its TCP peer the
maximum TCP segment it is willing to receive. The peer, in turn, should not send any
TCP segments larger than the MSS announced by the client. Both TCP endpoints do this,
each announcing to its peer the MSS it expects to receive when the
connection is initially set up. The TCP MSS will have an impact on packet sizes as well.
MSS is a TCP option and is only seen in TCP SYN segments.
The Maestro AFE uses a default MSS of 1462 Bytes for client-side TCP connections.
However, this MSS is configurable and can be adjusted if necessary.
To configure client-side TCP MSS from the CLI
Command Syntax:
tcp client-max-mss mss-size
Prompt level - Configure
Example commands:
config> tcp client-max-mss 1452
The client-max-mss is a value between 536 and 1452 bytes.
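The MSS exchange described above, as an added example (not taken from the Maestro AFE guide or software): this Python sketch parses the MSS option out of constructed SYN and SYN-ACK headers and derives the upper bound on the TCP payload each side may send. The header bytes and option mix are constructed, 1452 is the value from the guide's client-max-mss example, and the 536-byte fallback for a SYN without an MSS option follows RFC 9293.

```python
import struct

DEFAULT_SEND_MSS = 536   # RFC 9293: IPv4 send MSS when the peer's SYN has no MSS option
SYN, ACK = 0x02, 0x10


def build_segment(flags, options=b""):
    """Build a constructed 20-byte TCP header plus options (checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)            # pad with End-of-Option-List
    offset_flags = (((20 + len(options)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, offset_flags, 8192, 0, 0) + options


def parse_mss(segment):
    """Return the MSS announced in a SYN/SYN-ACK, or None if the option is absent."""
    if len(segment) < 20:
        raise ValueError("shorter than a TCP header")
    (offset_flags,) = struct.unpack("!H", segment[12:14])
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    if not offset_flags & SYN:
        raise ValueError("MSS is only carried in SYN segments")
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")   # also prevents an endless loop
        if kind == 2:                  # Maximum Segment Size
            if length != 4:
                raise ValueError("MSS option must be 4 bytes long")
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def segment_limits(client_syn, afe_syn_ack):
    """Upper bound on TCP payload per direction, from the MSS each peer announced."""
    client_mss = parse_mss(client_syn)
    afe_mss = parse_mss(afe_syn_ack)
    return {
        "afe_to_client": client_mss if client_mss is not None else DEFAULT_SEND_MSS,
        "client_to_afe": afe_mss if afe_mss is not None else DEFAULT_SEND_MSS,
    }


# Constructed client SYN: NOP, window scale (kind 3), MSS 1460, SACK-permitted (kind 4).
CLIENT_SYN = build_segment(
    SYN, b"\x01\x03\x03\x07" + b"\x02\x04" + struct.pack("!H", 1460) + b"\x04\x02")
# Constructed SYN-ACK announcing 1452, the value in the guide's client-max-mss example.
AFE_SYN_ACK = build_segment(SYN | ACK, b"\x02\x04" + struct.pack("!H", 1452))

if __name__ == "__main__":
    print(segment_limits(CLIENT_SYN, AFE_SYN_ACK))
    print(segment_limits(build_segment(SYN), AFE_SYN_ACK))
```

Lowering client-max-mss only changes the client_to_afe bound; the size of segments sent toward the client is still limited by what the client announced.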
FastTCP
FastTCP refers to a collection of advanced algorithms used by the Maestro AFE to optimize
and further accelerate TCP connections. There are three primary mechanisms deployed by
FastTCP:
- Accelerated Slow Start: FastTCP employs a slow start algorithm that ramps up to
optimal TCP connection speed quicker than standard TCP slow start algorithms. This
is done by ramping up the TCP transmit window for the clients quickly. This
mechanism is always used by the Maestro AFE and the Initial Transmit Window and
Maximum Transmit Window configurations control the transmit window sizes used
for a connection. Each connection starts at the Initial Transmit Window and ramps up
to the Maximum Transmit Window as quickly as the TCP connection allows.
- Slow Start Avoidance: FastTCP can adaptively adjust the inactivity timers used for
active and idle client TCP connections (see definition of connection types above). This
is done by enabling the Adaptive Inactivity feature of the Maestro AFE. Enabling this
mechanism overrides the static inactivity timer configuration and enables FastTCP to
dynamically adjust how long client connections are kept open, based on client behavior
and system load. Keeping connections open longer encourages clients to reuse TCP
connections and not move to new connections. This reduces the total number of
connections seen per individual client therefore reducing the number of slow starts
each client is subjected to.
- Advanced Congestion Avoidance: Standard TCP congestion avoidance algorithms
ramp up TCP connections until there are dropped packets and then continue to
implement a rudimentary trial-and-error mechanism in order to find the optimal
bandwidth of a connection. FastTCP employs an adaptive mechanism that continually
monitors the possible bandwidth of a TCP connection and dynamically adjusts the
Maestro AFE's transmit window in order to continue operating at maximum TCP
connection capacity, avoiding dropped packets altogether. This mechanism is
activated by enabling FastTCP's Adaptive Transmit Window functionality.
Enabling the Adaptive Transmit Window overrides the Maximum Transmit Window
configured since FastTCP adaptively adjusts the transmit window during a TCP
connection.
The following two diagrams illustrate how standard TCP operates and the ways in which
FastTCP optimizes and accelerates client-side TCP connections to the Maestro AFE:

Figure 29: FastTCP (1)

Figure 30: FastTCP (2)
To configure FastTCP from the CLI
Command Syntax:
fast-tcp adaptive-transmit-window
Prompt level - Configure
Example commands:
config> fast-tcp adaptive-transmit-window
config> fast-tcp no-adaptive-transmit-window
To configure FastTCP from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Virtual Servers icon, then select the Advanced
tab.

Figure 31: Setting FastTCP
Server-side TCP Commands
Just as the Maestro AFE is the termination point for all client-side TCP connections, it also
sets up a small number of TCP connections with each server it is front-ending. These are
highly optimized connections, owned and maintained by the Maestro AFE. For these
connections, a number of variables are configurable.
Always consult with Crescendo's technical support staff before changing these parameters.
Server-side TCP Windows
The server-side TCP window configuration parameters are similar to those on the
client side:
- Initial Transmit Window (KB): the initial transmit window used for server-side TCP
  connections. This is the total number of bytes the Maestro AFE will send to the server
  without waiting for an ACK at the start of a TCP connection. The transmit window
  will increase as the connection ramps up. The default value for this parameter is 6KB.
- Maximum Transmit Window (KB): the maximum number of bytes the Maestro AFE will
  send over a server connection without waiting for an ACK. The default value for this
  parameter is 6KB.
- Maximum Receive Window (KB): the maximum window size the Maestro AFE will
  advertise to a TCP server. The default value for this parameter is 8KB.
To configure server-side TCP windows from the CLI
Command Syntax:
tcp {server-initial-tx-window | server-max-tx-window | server-rx-window} window-size
Prompt level - Configure
Example commands:
config> tcp server-initial-tx-window 5
The server-initial-tx-window is a value between 1KB and 6KB
config> tcp server-max-tx-window 16
The server-max-tx-window is a value between 1KB and 32KB
config> tcp server-rx-window 32
The server-rx-window is a value between 8KB and 64KB.
To configure server-side TCP windows from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Virtual Servers icon, then select the Advanced
tab.

Figure 32: Setting Server-Side TCP Windows
Security
The Security commands for the Maestro AFE unit enable the definition of users/password,
access-lists, SSH, etc.
User Configuration
Three categories of users can be assigned to log on to the Maestro AFE, each with their own
set of privileges. The user categories are:
- User: permitted to use show commands and view statistics.
- Administrator (admin): granted privileges to perform all operations.
- Technician (tech): permitted the same privileges as the admin, with the addition of
  "debug" facilities.
The default user created during the Auto Configuration Dialog (A.C.D.) has
administrator privilege.
Define users for the Maestro AFE unit by performing the following example commands.
Substitute real names in place of the listed example names, where required.
To configure user/password privileges from the CLI
Command Syntax:
user username {password | encrypted encrypted-passwd} {admin | user | technician}
Prompt level - Configure
Example commands:
config> user james jeremy user
config> username bob password encrypted 095F571A0D001A admin
config> no user james
The option to add a user with an encrypted password allows inserting a user from a
previous configuration without having to know the user's clear-text password.
To view online user information from the CLI
Command Syntax:
show users
Prompt level - Root
Example commands:
crescendo> show users
Output:
User Table:
user name    permission
bob          admin
james        user
Access Lists for the Management Ethernet Interface
The access lists (ACL) provide a key protection component for management of the Maestro
AFE. The ACL consists of a list of rules that enable administrators to permit or deny remote
management access from specific hosts or networks. The following steps are required to
create and apply an access list to the management interface.
- Define an access list name and the first policy within it.
- Each policy within the access list can either "permit" or "deny" management access
  from a specified host or network.
- By default, there is no access list enabled on the Maestro AFE, therefore allowing
  remote administration from any IP address.
To define an access list for the management Ethernet port from the CLI
Command Syntax:
ip access-list name permit ip-address mask subnet-mask
Prompt level - Configure
Example commands:
The following example demonstrates the creation of an access list (ACL1), which
restricts remote management access from all but one host (1.2.3.4).
config> ip access-list ACL1 deny 0.0.0.0 mask 0.0.0.0
config> ip access-list ACL1 permit 1.2.3.4
The maximum number of entries in an access list is limited to 100.
To implement the access list on the management Ethernet interface from the CLI
Command Syntax:
ip access-list acl-name
no ip access-list
Prompt level - Configure - Management ethernet
Example commands:
config> interface management ethernet
management-ethernet> ip access-list ACL1
management-ethernet> no ip access-list ACL1
The access list uses best match, and not order priority.
To view access list information from the CLI
Command Syntax:
show ip access-list name
Prompt level - Root
Example commands:
crescendo> show ip access-list james
The access list is based on best match, longest prefix, and not based on the order of the
permit/deny command.
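Best-match evaluation as described above, modelled in Python as an added example (not the Maestro AFE's own code): it parses the guide's ACL1 lines, decides a source address by longest prefix, and contrasts the result with ordered first-match evaluation. Treating an entry without a mask as a single host is an assumption, ACL2 is constructed, and the guide does not state what happens to an address that matches no entry, so the model returns None in that case.

```python
import ipaddress

MAX_ENTRIES = 100   # per-list limit stated in the guide


def mask_to_prefix(mask):
    """Convert a dotted subnet mask to a prefix length; reject non-contiguous masks."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    return bin(value).count("1")


def parse_acl(lines, name):
    """Parse 'ip access-list NAME {permit|deny} ADDR [mask MASK]' into (network, action)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[:3] != ["ip", "access-list", name]:
            continue
        action, addr = tok[3], tok[4]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        if len(tok) == 5:
            prefix = 32                       # assumption: no mask means a single host
        elif len(tok) == 7 and tok[5] == "mask":
            prefix = mask_to_prefix(tok[6])
        else:
            raise ValueError(f"unexpected syntax: {line}")
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if any(other == net and act != action for other, act in entries):
            raise ValueError(f"conflicting entries for {net}")   # best match would be ambiguous
        entries.append((net, action))
    if len(entries) > MAX_ENTRIES:
        raise ValueError("more than 100 entries in one access list")
    return entries


def best_match(entries, source):
    """Longest-prefix decision: the most specific matching entry wins, whatever its position."""
    ip = ipaddress.ip_address(source)
    hits = [(net.prefixlen, action) for net, action in entries if ip in net]
    return max(hits, key=lambda hit: hit[0])[1] if hits else None


def first_match(entries, source):
    """Ordered decision, shown only for contrast: the first matching entry wins."""
    ip = ipaddress.ip_address(source)
    for net, action in entries:
        if ip in net:
            return action
    return None


# ACL1 exactly as entered in the guide's example (CLI prompt removed).
ACL1 = [
    "ip access-list ACL1 deny 0.0.0.0 mask 0.0.0.0",
    "ip access-list ACL1 permit 1.2.3.4",
]
# Constructed ACL2: a permitted subnet with one host carved out of it.
ACL2 = [
    "ip access-list ACL2 permit 10.0.2.0 mask 255.255.255.0",
    "ip access-list ACL2 deny 10.0.2.77",
]

if __name__ == "__main__":
    acl1 = parse_acl(ACL1, "ACL1")
    for src in ("1.2.3.4", "1.2.3.5"):
        print(src, "best:", best_match(acl1, src), "first:", first_match(acl1, src))
```

Under first-match rules the ACL1 example would lock out 1.2.3.4 because the deny-all entry comes first; under best match the /32 permit wins, which is why entry order does not matter on this device.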
System Commands
The system commands for the Maestro AFE unit consist of the following categories:
- Configuration File Management.
- File Transfer/Management.
- File Commands.
- Software and Operating System Upgrade and Version Control.
Configuration File Management
Manage the configuration file by performing the following example commands. Substitute
real names in place of the listed example names, where required. The configuration file will
save the running configuration to flash. The startup.cfg file loads after the system boots.
The configuration file is text based and can be viewed with a standard text editor.
To save the configuration file from the CLI
Command Syntax:
save-config {[Startup.cfg] | filename}
Prompt level - System
Example commands:
system> save-config backup.cfg
To view running configuration from the CLI
Command Syntax:
show running-config
Prompt level - Root
Example command:
crescendo> show running-config
To view saved configuration file from the CLI
Command Syntax:
show startup-config
Prompt level - Root
Example command:
crescendo> show startup-config
Loading Additional Configuration Files to a Running Config
This feature enables an administrator to apply configuration variables from a separate
configuration file. For example, an administrator adding to or modifying an existing
configuration may choose to upload a file which contains all of the required configuration
modifications. The add-config command can be used to process all new configuration
changes found in the file. The changes can then be saved to the start-up configuration.
To execute commands from a file from the CLI
Command Syntax:
add-config file-name
Prompt level - System
This command processes commands found in the defined file. The file should be ASCII
text and be located on the local file system. The ftp-get command can be used to download
the file to the local file system.
File Transfer/Management
The Maestro AFE has the capability to transfer files/software versions to and from a remote
FTP server. The initial configuration of a remote FTP account is required using the
ftp-record command.
To configure an FTP record from the CLI
Command Syntax:
ftp-record username : passwd @ ipaddress directory
Prompt level - Configure
Example commands:
config> ftp-record james : er @ 10.10.10.10 samsonzi
To retrieve a remote file via FTP from the CLI
There are four types of files which can be transferred via FTP. Each file type is addressed in
a different way, so it is important to select the correct operation:
- default: retrieved as a regular file and saved as-is to the flash file system.
- config: downloads a configuration file, tests it for validity and saves it as "startup.cfg".
- operating system: downloads the operating system image. Low-level system drivers are
  rarely changed. There are two banks, primary and secondary. The newly downloaded
  operating system is saved to the primary bank and will be used after the next system
  reboot. The backup is available in case the primary is corrupted.
- version: downloads the application image. This is the combined hardware and software
  image. As with the operating system, there are two banks, primary and secondary.
  Unlike the operating system, the downloaded version is saved to the secondary bank,
  and can be toggled to be the primary, at the user's discretion.
Command Syntax:
ftp-get filename {config | version | operating-system}
Prompt level - System
Example command:
system> ftp-get startup.cfg
To export a file via FTP from the CLI
Command Syntax:
ftp-put filename
Prompt level - System
Example command:
system> ftp-put startup.cfg
File Commands
The Maestro AFE has a flash file system for storing configuration files. The following
commands will aid in managing the files.
To display files in the current directory from the CLI
Command Syntax:
dir
Prompt level - System
Example command:
system> dir
To copy files from the CLI
Command Syntax:
copy filename1 filename2
Prompt level - System
Example command:
system> copy startup.cfg backup.cfg
To delete files from the CLI
Command Syntax:
delete filename
Prompt level - System
Example command:
system> delete startup.cfg
To rename files from the CLI
Command Syntax:
rename filename1 filename2
Prompt level - System
Example commands:
system> rename backup.cfg startup.cfg
To save the configuration or license files from the CLI
Command Syntax:
save [config | license]
Prompt level - System
Example commands:
system> save config
Software and Operating System Upgrade and Version Control
The Maestro AFE has two software images, primary and secondary. The system boots
from the primary image. Each image has an operating system and application software
component.
Before upgrading software, read the associated Release Notes carefully to understand if the
new version of application software requires a new operating system version as well.
To upgrade Application and OS from the CLI
- Check the Release Notes of the new Application Software and determine if a new Operating
  System is required.
- Download the necessary file(s) from the Crescendo Networks Support website.
  - Application software is typically named CN5KA_x_xx_xx.ar.
  - Operating System software is named CN5KO-x_xx_xx.tar.
- Place these files on the FTP server configured for access by the Maestro AFE.
- From the CLI, log in as an administrator.
- Verify the username, password, FTP server IP address, and directory path are set up
  correctly for the ftp-record command.
  - Use the show ftp-record command to verify settings.
- From the system> prompt, transfer the new Operating System first, if required:
  - As described in File Transfer/Management on page 80, use the following command:
    ftp-get CN5KO-x_xx_xx.tar operating-system
- Next, transfer the new Application Software:
  - As described in File Transfer/Management on page 80, use the following command:
    ftp-get CN55A_x_xx_xx.ar version
- Verify that the new Application is downloaded and installed successfully by using the
  show version detailed command. The version should exist in the Secondary
  version section.
- From the system> prompt, use the software-toggle-boot command to switch the
  Secondary (new) software with the Primary software.
- Reboot the Maestro AFE.
To upgrade Application from the GUI
The Maestro AFE application software can be upgraded from the GUI using HTTP. This
alleviates the need to place the new application software on an FTP server.
Please note, upgrading the Operating System via HTTP is currently not supported. Verify
that the new application version does not require an operating system upgrade. If it does, the
traditional method of upgrading both the OS and Application must be followed.
When upgrading through the GUI, using the HTTP method, the application software is
automatically uploaded to the secondary memory space. An upload status will not be
displayed during upload. On a LAN, software update typically takes between 2-3
minutes. Before resetting the device, the secondary version (new software) must be placed
in the primary version memory space.
- From the GUI, click on File > Software > Update via HTTP.
- Select the application file to be uploaded; usually in the format CN5KA_4_xx_xx.ar.
- When the upload is complete, click on File > Software > Switch Between Secondary and
  Primary Application.
- Verify the new version is correctly located in the Primary Version memory space by
  clicking on Help > About.
- Reboot the Maestro AFE by clicking File > Software > Reset Device.
To view the current running software version from the CLI
Command Syntax:
show version
Prompt level - Root
Example commands:
crescendo> show version detailed
Output:
board type : CN5510E
hardware version : a.0.0
board serial number : CN608070277
management port MAC : 00-1D-B1-00-11-50
physical memory : 1024 Mbytes

primary version : 55A.7.0.1
primary os version: 1.04.34

secondary version : 55A.7.1.5
secondary os version: 1.04.34

running version : 55A.7.0.1
running os version: 1.04.34
software version : Nov 28 2007-14:52:57
firmware version : V000 07-03-07 / V000 14-01-07

SSL H/W version : 177d/1
Compression H/W version : 0xFFFF0000
ALP is not licensed

uptime is 0 weeks, 0 days, 22 hours, 39 minutes, 26 seconds
To show system information from the CLI
Command Syntax:
show system
Prompt level - Root
Example command:
crescendo> show system
Output:
Hostname Crescendo, Date: 06:07:06 Time: 16:44:56
Servers: HTTP Server Enabled (listening on port 80),
SNMP Enabled,
SSH Disabled,
Telnet Enabled
To toggle the boot to alternate software image from the CLI
Command Syntax:
software-toggle-boot
Prompt level - System
Example commands:
system> software-toggle-boot
To synchronize the secondary OS version with the primary from the CLI
Command Syntax:
operating-system-sync
Prompt level - System
Example commands:
system> operating-system-sync
To synchronize the secondary software image with the primary from the CLI
Command Syntax:
software-sync
Prompt level - System
Example commands:
system> software-sync
Logging Commands
Logging
The logging commands all reside under the "configure" prompt level and are configurable
by the administrator user. The administrator user can access levels 0-6 (Debug level 7 is
restricted to debug with technician privileges). The log information is configured globally
and each "client" can be configured to filter or receive all the logs. A client can be a console,
memory, file on flash, or syslog server.
To set the Maestro AFE message logging level setting from the CLI
Command Syntax:
logging threshold {[global | syslog | console | buffer | persistent]} level subject]
Prompt level - Configure
Example commands:
config> logging threshold global
To display filter thresholds from the CLI
Command Syntax:
show logging threshold
Prompt level - Root
Example commands:
crescendo> show logging threshold
Output:
logging configuration
logging to syslog is disabled, server 10.0.0.
logging to console is disabled
01 test
events generated from level debug
buffer does not capture events
persistent buffer does not capture events
console does not capture events
syslog does not capture events
02 network
events generated from level debug
buffer does not capture events
persistent buffer does not capture events
console does not capture events
syslog does not capture events
03 system....
This command continues for all the services.
To direct logs to the console from the CLI
Command Syntax:
logging console
no logging console
Prompt level - Configure
Example commands:
config> logging console
config> no logging console
Only one console can receive debug information; it can be a serial connection or a
telnet/ssh session. The total number of CLIs at any given time can be five (5).
To direct logs to the internal buffer (cyclic 4096 lines) from the CLI
Command Syntax:
logging buffered
no logging buffered
Prompt level - Configure
Example commands:
config> logging buffered
config> no logging buffered
To log messages to the Syslog server from the CLI
Command Syntax:
logging syslog ip-address {port-num [514]} facility [local7]
no logging syslog
Prompt level - Configure
Example commands:
config> logging syslog 1.2.3.4 513 facility 20
config> no logging syslog
To show which devices are configured to log from the CLI
Command Syntax:
show logging
Prompt level - Root
Example commands:
config>show logging
Output:
logging configuration:
logging to syslog is disabled, server 10.0.0.48:514 base 184
logging to console is enabled (this terminal)
To set logging server configuration from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Topology icon.


Figure 33: Setting Logging Server Configuration
3. Click the check box of the Syslog and/or GUI Events to configure the associated
servers.

6 Server Preparation and Logging Considerations
Chapter 6 provides critical information regarding server configuration. This chapter
should be consulted to ensure the proper server configuration before attempting to
accelerate and/or load balance with the Maestro AFE.
Server Preparation.
Server Logging Considerations (Original Client IP).
Server Preparation
Within the Maestro AFE configuration, servers are defined as real servers. A real server
definition includes the server IP address and TCP port from which the application can be
accessed. Real servers can be configured within HTTP clusters or TCP clusters. HTTP
clusters are defined for HTTP based applications which have the ability to utilize the full
suite of acceleration features within the Maestro AFE such as TCP Offload (multiplexing
and optimization), Compression, and SSL Acceleration. TCP clusters are used for
non-HTTP based TCP applications. Depending on the type of application (and, ultimately,
the type of cluster), the server must be properly configured to ensure functionality and
optimum performance.
HTTP Server Configuration Requirements
When a server is configured in an HTTP cluster, the Maestro opens a small number of
backend connections to it. These connections are designed to stay open indefinitely,
limiting the overall TCP connection setup and teardown activity on the server. Because of
this behavior, it is important that the servers be configured to optimally take advantage of
the small number of backend connections. Typically, many servers are not configured to
use long-lasting TCP connections because of the burden of managing them when not
front-ended by the Maestro AFE. Therefore, it is important to follow the guidelines below
before configuring a server to be accelerated by the Maestro. Failure to do so may result in
poor performance and, in some cases, increased CPU utilization on the server.
Apache
Apache requires the following modifications be made to the httpd.conf file usually found
in the /etc/httpd/conf/ directory.
KeepAlive On (By default, this is set to Off).
MaxKeepAliveRequests 0 (Provides unlimited requests, by default, set to 100).
KeepAliveTimeout 45 (By default, set to 15).
Microsoft IIS
There is no special configuration required for default configurations of Microsoft IIS 5 or
IIS 6.
Other Servers
If the server being load balanced/accelerated by the Maestro is a server other than Apache,
or Microsoft IIS, please verify that the HTTP Keep-Alive and Request per Connection
settings are set to appropriate values, as outlined for Apache-based servers.
TCP Server Configuration Requirements
If a server is not an HTTP server, but will be load balanced via the Maestro AFE using the
Layer 4 Load balancing feature (Cluster and Virtual Server set to TCP protocol mode), the
server's default gateway (or return path route) must be configured as the interface (or
VRRPc interface) of the Maestro. If the routes are not properly configured on the server,
asymmetrical routing will occur, causing the application not to function. Please note, if
the Maestro AFE is deployed redundantly using VRRPc, then the default gateway of the
server should be configured as the Maestro's VRRPc interface.
Server Logging Considerations (Original Client IP)
When a cluster is configured in HTTP mode, all client traffic is terminated by the Maestro
AFE, enabling high-speed communication between the Maestro AFE and the accelerated
servers. Therefore, all communication to the server is from the IP address of Maestro AFE.
For organizations that utilize logging on the server, the Source/Client IP address field will
always be reported as the IP address of the Maestro AFE. This section outlines the different
methods in which the Maestro AFE can be configured to preserve the original client IP
address, as well as steps to configure existing servers to properly report the client IP
address.
Originator (Client) IP Address
To ensure that the original client IP (i.e. originator IP) address is preserved, the Maestro
AFE has the ability to embed the client IP in the HTTP headers of the request forwarded to
the server. If enabled, one of the following headers can be used:
X-Forwarded-For: <original_ip>
Client-IP: <original_ip>
Cres-Client-IP: <original_ip>
The X-Forwarded-For header is used by default, and a sample HTTP GET request and
headers are provided below:
GET /sales/homepage.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0)
Host: 10.1.1.101
Connection: Keep-Alive
Via: CN-5500
X-Forwarded-For: 128.38.22.167
Additionally, the Originator-IP feature also has the following configurable actions:
Add always: The client source IP observed by the Maestro AFE is inserted in the
header, even if another header exists. For example, if the Maestro AFE receives a
request that already contains the header it is configured to use (X-Forwarded-For,
for instance), the Maestro AFE will overwrite the existing header with its own header
and observed source IP.
Add if not present: If the Maestro AFE receives a request that already contains the
header it is configured to use (X-Forwarded-For, for instance), the Maestro AFE will
leave the original header and not modify or add an additional header, preserving the
original header and contents.
Server logging software should be reconfigured to identify the Client IP address in the
header configured in the Maestro AFE.
To configure originator IP header from the CLI
Command Syntax:
originator-ip {no-mark | mark} [xforwardedfor | clientip | cresclientip]
Prompt level - Configure
Example commands:
config> originator-ip mark xforwardedfor
config> originator-ip no-mark
To configure originator IP header from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon.

Figure 34: Setting Originator IP Header
3. Enable the Originator IP feature by checking the box next to Originator IP. Select
the header and action to be used.
Server Log Configuration
The following section provides instructions for configuring the logging functionality within
some popular Web/application servers to properly use the originator IP information
provided by the Maestro AFE.
Microsoft Internet Information Server (IIS) Logging
Before proceeding, verify that the Maestro AFE is configured to insert the original client IP
address in the X-Forwarded-For header. Through the GUI, verify this by logging in as an
admin user and entering the Configuration mode. Click on the Servers Topology icon
and select the General tab. Verify that Originator IP is checked, and that x-forwarded-
for is selected in the Header field.
To configure IIS to report the Client IP address from the X-Forwarded-For header, an
ISAPI filter must be installed on each server. The process is outlined below:
Download the CN-XFF.dll file from the Crescendo Networks Support website or
contact your local Technical Support Engineer for assistance.
Copy the CN-XFF.dll file into a directory on the server.
Open the IIS Manager on the server.
Right-click and enter the Web Site Properties menu for the desired Web server.
Click on the ISAPI Filters tab.
Click New and input a name, like Crescendo Filter, and browse for the CN-XFF.dll
file. Click OK.
The Web server may need to be restarted for the changes to take effect.

Figure 35: Installing an ISAPI filter on each Server
The IIS Server will now search for the X-Forwarded-For: header when populating the
Client-IP field in the logs. For all other application traffic not forwarded by the Maestro
AFE, the log files will display the correct Client-IP.
Apache Logging
Before proceeding, verify that the Maestro AFE is configured to insert the original client IP
address in the X-Forwarded-For header. Through the GUI, verify this by logging in as an
admin user and entering the Configuration mode. Click on the Servers Topology icon
and select the General tab. Verify that Originator IP is checked, and that x-forwarded-
for is selected in the Header field.
Use the following steps to configure Apache to log the X-Forwarded-For header:
Open the httpd.conf file typically located in the /etc/httpd/conf/ directory.
Look for the LogFormat section and edit the logging format nickname, e.g.: common.
Add the following logging parameter: %{X-Forwarded-For}i
Example in httpd.conf:
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b" common
The preceding example enables Apache to log the information found in the
X-Forwarded-For header in the Source-IP field of the log files.
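Added example (not part of the Crescendo guide): a Python parser for access-log lines written with the LogFormat above. It attributes a request to the X-Forwarded-For column only when the connecting peer (%h) is the Maestro AFE, and flags header values the Maestro AFE would not have written itself. The proxy address 10.1.1.1 and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Assumption: address the Maestro AFE uses toward the servers (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.1.1")}

# Field order of the guide's LogFormat:
#   "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b"
# The header column comes from the request, so it may hold spaces or commas.
# It is matched greedily so that the fixed columns are taken from the right.
LINE_RE = re.compile(
    r'^(?P<xff>.*) (?P<peer>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


class Verdict(NamedTuple):
    client_ip: Optional[str]  # address to attribute the request to, if any
    reason: str               # why that address was (or was not) chosen


def _ip(text):
    """Return an ip_address object, or None when text is not a literal IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def attribute(line):
    """Decide which address a log line should be attributed to."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return Verdict(None, "unparsed")
    peer = _ip(m["peer"])
    xff = m["xff"].strip()
    if peer is None:
        return Verdict(None, "peer-not-ip")
    if peer not in TRUSTED_PROXIES:
        # Traffic that did not pass through the Maestro AFE: any header
        # value was written by the client, so the TCP peer is used instead.
        return Verdict(str(peer), "direct" if xff == "-" else "direct-header-ignored")
    if xff == "-":
        # Came from the Maestro AFE without the header (e.g. originator-ip no-mark).
        return Verdict(None, "proxy-no-header")
    values = [v.strip() for v in xff.split(",")]
    if len(values) > 1:
        # "Add always" writes the single observed source IP, so a list means
        # a client-supplied header was passed through ("Add if not present").
        return Verdict(None, "header-multiple-values")
    client = _ip(values[0])
    if client is None:
        return Verdict(None, "header-malformed")
    return Verdict(str(client), "proxy-header")


# Constructed sample lines in the guide's LogFormat.
SAMPLE_LINES = [
    '128.38.22.167 10.1.1.1 - - [22/Jan/2008:10:15:32 +0000] "GET /sales/homepage.html HTTP/1.1" 200 5120',
    '- 192.168.5.20 - - [22/Jan/2008:10:15:35 +0000] "GET /status HTTP/1.1" 200 312',
    '198.51.100.7 192.168.5.20 - - [22/Jan/2008:10:15:37 +0000] "GET /sales/ HTTP/1.1" 200 2048',
    '203.0.113.9, 128.38.22.167 10.1.1.1 - - [22/Jan/2008:10:15:40 +0000] "GET / HTTP/1.1" 200 100',
    'unknown 10.1.1.1 - - [22/Jan/2008:10:15:42 +0000] "GET / HTTP/1.1" 200 100',
    '- 10.1.1.1 - - [22/Jan/2008:10:15:44 +0000] "GET / HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(attribute(sample), "<-", sample)
```

With the "Add if not present" action, a single well-formed value can still be one the client supplied; the log line alone cannot show that, so logs used for attribution are more dependable with "Add always".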
Sun ONE Server (formerly iPlanet) Logging
Before proceeding, verify that the Maestro AFE is configured to insert the original client IP
address in the X-Forwarded-For header. Through the GUI, verify this by logging in as an
admin user and entering the Configuration mode. Click on the Servers Topology icon
and select the General tab. Verify that Originator IP is checked, and that x-forwarded-
for is selected in the Header field.
Use the following steps to configure Sun ONE Server for correct source IP logging:
Log in to the Sun ONE server Web-based management interface.
Go to the Preferences tab > Access Logging Options > Custom Format.
For Custom Format, replace the string:
%Ses->client.ip%
with the following string:
%Req->headers.X-Forwarded-For%
As shown in Figure 36.

Figure 36: Configuring Sun ONE Server for Correct Source IP Logging

7 Server Topology: Farms/Clusters/Real Servers
Chapter 7 provides information for configuring the Maestro AFE server topology settings,
including Farms, Clusters, and Real servers. Additionally, this section discusses concepts
such as HTTP Application Based Load Balancing, Layer 4 (TCP-based) Load balancing,
Backend Server Connection Management, Server Health Checking, and Session Persistence.
Before Proceeding.
Configuration Overview.
Farm Configuration.
Cluster Configuration (Load Balancing, Health Checking, Persistence).
Real Server Configuration.
Before Proceeding
In order to proceed with configuring server acceleration and/or load balancing, the
following steps should be satisfied.
Management connectivity for each unit, whether through Serial Console or via
Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 3. Introduction
to the Command Line Interface.
At least one Data Interface on each unit configured with an IP Address and connected
to the same network as the server(s) to be accelerated. Please see Chapter 5. Initial
Configuration & Global Settings.
Some servers may require a configuration change to work properly with the Maestro
AFE. Please see Chapter 6. Server Preparation and Logging Considerations.
Configuration Overview
Topology: Farms, Clusters, and Real Servers
The configuration topology is comprised of Farms, which contain one or more Clusters,
which in turn contain one or more real servers. For instance, a configuration designed to
accelerate a single server would look as follows:
Farm-1
    Cluster-1
        Server-1
As discussed in Chapter 1, the Maestro AFE can be configured to accelerate individual
servers or a load balanced cluster of servers. Therefore, the configuration of a cluster with
three identically configured servers intended to be load balanced would look as follows:
Farm-1
    Cluster-1
        Server-1
        Server-2
        Server-3
If the Load Balancing license is not installed, you will be unable to add more than one
server to a cluster. However, all other features, including single server acceleration will
still function. Please contact your Crescendo Networks Reseller or Sales Associate for
assistance with enabling this feature.
The concept of Farms and Clusters exists primarily as a logical grouping tool for
administration as well as monitoring and viewing performance information. For example,
performance information can be viewed for a real server, cluster, farm, or entire device.
It is common for a Maestro AFE to be configured to accelerate several different groups of
servers. It may make sense for an administrator to logically group the servers in separate
Farms or Clusters for administrative and reporting reasons. For example:
Accounting
    Application-1
        Server-1
        Server-2
        Server-3
    Application-2
        Server-4
        Server-5
Sales
    Application-3
        Server-6
        Server-7
Virtual Servers
After the real servers are defined in a cluster, a Virtual Server must be configured to enable
acceleration and/or load balancing. The Virtual Server has several configuration options
depending on whether load balancing is used and how the server is intended to be
accelerated. Virtual Server setup and configuration is covered in detail in Chapter 8. Virtual
Servers, URL Rewriting, and L7 Switching / Redirection.
As discussed in Chapter 1, servers can be accelerated as stand-alone servers (no load
balancing), or exist within a load balanced cluster. If the server is a stand-alone server, it
will be configured in a Cluster by itself. An administrator has the option of accelerating the
server using a Virtual Server IP (VIP), in which server traffic is destined to the VIP
configured on the Maestro AFE, or in spoofed mode, in which traffic is routed through
the Maestro AFE, and only traffic destined to the server is intercepted and accelerated
while all other traffic is routed normally. Please note that load-balancing is not supported
when using spoofed mode, since traffic is not destined to a unique Virtual Server (VIP).
Regardless of mode, a Virtual Server must be created. The Virtual Server is then mapped
to a cluster. The Virtual Server is configured with a Virtual IP address and TCP port
number. In the case of a stand-alone server which will operate in spoofed mode, the
Virtual Server IP address should be configured as the same IP address as the real server.
Additionally, a check box will be selected indicating the Virtual Server is a spoofed
server.
For load balanced HTTP clusters, additional HTTP Switching rules can be configured
which enable the ability to direct client requests to different clusters based on Layer 7
application-based information such as host name, file extension, URL, or browser
language.
Load Balancing Concepts - HTTP Application Load Balancing
and Acceleration vs. TCP (Layer4) Load Balancing
The Maestro AFE inherently operates at the HTTP layer providing advanced load
balancing capabilities, SSL termination, compression, and L7 switching/redirection
features. Additionally, the Maestro AFE is capable of performing load balancing for non-
HTTP applications that run over the TCP protocol. Non-HTTP load balancing is performed
at layer 4 (TCP) and on a per-connection basis.
When creating a Cluster or Virtual Server, the administrator has the option of configuring
these entities as HTTP or TCP. The HTTP setting should be used for all HTTP/HTTPS
applications, whereas any other, non-HTTP TCP-based application requiring load
balancing should be configured as TCP. The Maestro treats traffic destined to TCP and
HTTP Virtual Servers and Clusters differently.
When a Cluster and Virtual Server are configured as HTTP, the Maestro will operate in
its native proxy-based acceleration mode, opening a small number of persistent backend
connections to each configured server. In this mode, the Maestro can apply compression,
SSL termination, Layer 7 Switching/Redirection, and advanced load balancing functionality
to HTTP traffic.
When a Cluster and Virtual Server are configured as TCP, the Maestro will function as a
traditional Layer 4 load balancer. Unlike HTTP mode, which utilizes TCP multiplexing
(many client-side connections and a smaller number of server-side connections), TCP mode
utilizes a 1:1 connection ratio between the client and the server. Therefore, the Maestro
load balances each new connection among the cluster of servers using one of several load
balancing algorithms. Additionally, because the Maestro is not functioning as a Proxy
(communicating to the backend server via its own IP address), the backend server sees the
client IP address. Therefore, a server in a TCP cluster must have its Default Gateway
configured as the interface of the Maestro AFE (or, the VRRPc interface address if two
Maestro AFE units are deployed redundantly).
Health Monitoring
Each cluster can be configured to monitor the health of servers. Health checking can
include the following mechanisms:
Verifying the server's ability to open a TCP connection on the designated port.
Confirming the existence and ability for the server to serve a specific page requested by
the Maestro.
Finally, the Maestro can also confirm the existence (or non-existence) of specific content
being retrieved.
Server Topology Configuration
Backend Connections (For HTTP Clusters)
Once a real server is configured and administratively enabled (Up Admin Status), the
Maestro AFE establishes a small number of persistent TCP connections. The Maestro AFE
distinguishes between these connections by the type of requests being made. For example,
a set number of these TCP connections are used only for static content requests (for
example, images, etc.), while another set of these connections is used for dynamic content
requests (for example, ASP, cgi, etc.).
The number of connections is configurable on a global level or per server.
Globally, these connections are set from the config> prompt with the CLI commands
described below.
Recommended Connection Settings per Platform
Table 6: Recommended Connection Settings Per Platform
Platform           Static    Dynamic
Apache             64        32
Microsoft IIS 5    96        32
Microsoft IIS 6    96        32
Sun                64        32
Bluecoat           128       32
CacheFlow          12        12
To configure backend connections from the CLI
Command Syntax:
set conns {# of static} dynamic {# of dynamic}
Prompt level - Configure
By default, these settings are globally set to 64 static connections and 32 dynamic
connections (96 backend connections per server).
To configure backend connections from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon.

Figure 37: Configuring Backend Connections
3. Specify the Static and Dynamic connections to be used globally. These numbers
represent the number of connections opened for each new server configured.
4. When configuring servers, the global connection numbers can be overridden by
specifying connection counts for an individual server at the local level.
Dynamic File Extensions
The Maestro AFE classifies the requests to be sent via the dynamic connections based on
the file extension. Any requests which do not have a matching file extension will be sent to
a server via a static connection.
The following file extensions are included in the dynamic list by default: asp, jsp, pl, cgi,
php, dll, cfm
To configure dynamic file extensions from the CLI:
Command Syntax:
http dynamic-file-extension extension
Prompt level - Configure
Example commands:
config> http dynamic-file-extension php
config> no http dynamic-file-extension php
To configure dynamic file extensions from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon.

Figure 38: Configuring Dynamic File Extensions
3. Specify the file extensions to be used to classify dynamic requests. File extensions
should be specified using a semicolon delimiter between values.
Acceleration of Authenticated HTTP Sessions
The HTTP protocol allows various user authentication techniques to be used in case a
server requires certain credentials from a user. Authentication protocols include Basic,
Digest, NTLM, and Negotiate (SPNEGO), among others. Sometimes, however, HTTP
authentication does not work properly with TCP consolidation (multiplexing) because the
server authenticates an actual TCP connection, rather than the client's HTTP session.
Because of this, the Maestro AFE can enable/disable multiplexing for various
authentication protocols.
The Maestro AFE recognizes the authentication protocol used from a user's request headers
(specifically, the Authorization request header). What happens with each authentication
protocol depends on the configuration of the Maestro AFE. The following authentication
protocols are recognized:
NTLM: multiplexing is always disabled for NTLM.
Basic: multiplexing can be enabled/disabled via user configuration.
Negotiate (SPNEGO): multiplexing can be enabled/disabled via user configuration.
Other (protocols other than those listed above): multiplexing can be enabled/disabled
via user configuration.
For multiplexing authenticated sessions, the Maestro AFE provides enable/disable
configuration options at two levels: global and per-cluster. First, which authentication
protocols are multiplexed is configured globally. Then, each cluster has the option of
handling authenticated sessions either per the global configuration, or per configuration
specifically for that cluster.
To configure Authentication Multiplexing from the CLI
Command Syntax:
http {basic-authentication | negotiate-authentication | other-authentication} {accelerate | not-accelerate}
Prompt level - Configure
Example commands:
config> http basic-authentication accelerate
To configure Authentication Multiplexing from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon.

Figure 39: Configuring Authentication Multiplexing
3. Check the appropriate authentication method to be accelerated.
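Added example (not part of the Crescendo guide, and not the Maestro AFE's implementation): a Python model of the authentication handling described in this section. It classifies a request by its Authorization header and resolves the global and per-cluster settings, then uses a toy backend that binds identity to the TCP connection to show why such schemes cannot share a multiplexed connection. The policy dictionaries, client names and traffic are constructed for illustration.

```python
ALWAYS_DEDICATED = {"ntlm"}            # the guide: multiplexing always disabled
CONFIGURABLE = {"basic", "negotiate"}  # every other scheme counts as "other"


def auth_scheme(headers):
    """Classify a request by the scheme token of its Authorization header."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.strip():
            scheme = value.split()[0].lower()
            if scheme in ALWAYS_DEDICATED | CONFIGURABLE:
                return scheme
            return "other"
    return None  # no credentials in this request


def may_multiplex(scheme, global_policy, cluster_policy=None):
    """Policies map 'basic', 'negotiate' and 'other' to True (accelerate) or
    False (not-accelerate). A cluster policy, when given, replaces the global one."""
    if scheme is None:
        return True   # model assumption: the settings only govern authenticated requests
    if scheme in ALWAYS_DEDICATED:
        return False
    policy = global_policy if cluster_policy is None else cluster_policy
    return policy[scheme]


class BackendConnection:
    """Toy server side of one TCP connection that authenticates the connection."""

    def __init__(self):
        self.user = None

    def request(self, credentials=None):
        if credentials is not None:
            self.user = credentials   # identity is bound to the connection
        return self.user              # identity the server applies to this request


def replay(events, shared):
    """Send (client, credentials) events over one shared backend connection
    (multiplexed) or over one backend connection per client (1:1)."""
    pool, dedicated, seen = BackendConnection(), {}, []
    for client, credentials in events:
        conn = pool if shared else dedicated.setdefault(client, BackendConnection())
        seen.append((client, conn.request(credentials)))
    return seen


# Constructed traffic: client-A authenticates, then client-B sends a request
# without credentials, then client-A sends a follow-up request.
EVENTS = [("client-A", "alice"), ("client-B", None), ("client-A", None)]

# Constructed policies: Basic accelerated globally, but not for one cluster.
GLOBAL_POLICY = {"basic": True, "negotiate": False, "other": False}
CLUSTER_POLICY = {"basic": False, "negotiate": False, "other": False}

if __name__ == "__main__":
    print("shared   :", replay(EVENTS, shared=True))
    print("dedicated:", replay(EVENTS, shared=False))
```

On the shared connection the toy server applies client-A's identity to client-B's request; with one backend connection per client it does not, which is the behaviour the "not-accelerate" setting preserves.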
Farm Configuration
Configuration Steps
Perform the following example commands to add/remove farms. Substitute actual names
for the example names where required.
To add farms from the CLI
Command Syntax:
farm name
no farm name
Prompt level - Configure
Example commands:
config> farm Farm-1
config> no farm Farm-1
To enable/disable services on a farm from the CLI
Command Syntax:
service {history | logging}
no service {history | logging}
Prompt level - Configure - Farm
Example command:
farm "Farm-1"> service history
farm "Farm-1"> no service history
To add farms from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon then click the New
button.

Figure 40: Adding Farms
3. The Add New Farm window is displayed. Specify a name for the farm and click Apply.

Figure 41: Add a New Farm Window
Cluster Configuration (Load Balancing, Health Checking, Persistence)
Several variables are configured for a Cluster, including load balancing, health checks, the
association of Compression policies (covered in Chapter 9) and server-side SSL (covered in
Chapter 10). Load balancing and server health check configuration is covered in detail later
in this section.
Cluster Configuration
Please note that the load balancing license is required to configure more than one server
per Cluster.
To add a cluster from the CLI
Command Syntax:
cluster name
no cluster name
Prompt level - Configure - Farm
Example commands:
farm "Farm-1"> cluster Cluster-1
farm "Farm-1"> no cluster Cluster-1
To add/remove a service for entire cluster from the CLI
Command Syntax:
service {history | logging | ssl | compression }
no service {history | logging | ssl | compression }
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1">service history
cluster "Cluster-1">no service history
The other features configurable at a cluster level include health-check, server-inactivity,
load balancing, and compression. These features are addressed individually in greater
detail throughout this manual.
To add a cluster from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol
then click the farm to which you want to add the cluster.
3. Click the New button.

Figure 42: Adding a Cluster
4. The Add New Cluster window is displayed. Specify a Cluster Name and Protocol for
the cluster and click Apply.

Figure 43: Add New Cluster Window
Load Balancing Configuration
Traffic is load balanced among available servers in a cluster. There are several configurable
variables including the protocol being load balanced, load balancing algorithm, method of
session persistency, and health checking.
Cluster Protocol: HTTP or TCP (Layer 4 Load Balancing)
The Maestro AFE inherently operates at the application (HTTP) layer, functioning as a full
proxy. The Maestro therefore sees an application as a series of requests and responses,
instead of only packets and TCP sessions like a traditional Layer 4 Load Balancer.
Functioning at the HTTP level also enables the Maestro to perform advanced load
balancing functions like L7 Switching and Redirection, while simultaneously having the
ability to compress response data in real time and secure an application with SSL. The
Maestro AFE is capable of performing load balancing for non-HTTP applications that run
over the TCP protocol as well. Non-HTTP load balancing is performed at layer 4 (TCP)
and on a per-connection basis.
Layer 4 load balancing is still performed using TCP termination. The Maestro AFE will
terminate all TCP connections that need layer 4 load balancing services, thus allowing them
to use the device's advanced TCP services such as FastTCP and buffering. These services
will help the TCP connections perform more optimally.
With layer 4 load balancing, since client-side connections are terminated by the Maestro
AFE, server-side connections are initiated by the device. Since there is no connection
consolidation for non-HTTP connections (i.e. no multiplexing), there will be a 1-to-1
relationship between client-side and server-side connections. However, the server-side
connections will still carry the source IP address of the original client, in order to allow
server logging mechanisms to operate as before. This means that TCP servers must
guarantee their path back to the client through the Maestro AFE. This is often done by
configuring the IP address of the server-side interface of the Maestro AFE to be the default
gateway of the server. This way, all response traffic from the server will flow through the
Maestro AFE to assure proper TCP connection handling.
To configure Layer 4 Load Balancing, the following steps must be followed:
Each cluster that is configured with non-HTTP servers will be configured as a TCP
cluster, rather than an HTTP cluster.
The real servers within the TCP cluster must be configured to route return traffic back
through the Maestro AFE. This is accomplished by configuring the server's default
route (or network specific route) to route through the Maestro AFE physical IP
interface (or VRRPc interface if redundantly deployed).
A Virtual Server (with IP address and TCP port) is configured as a TCP Virtual Server,
rather than an HTTP virtual server.
A TCP virtual server can only be bound to a single cluster. That cluster must be configured
as a TCP cluster. Also, no SSL or compression services are available to TCP virtual servers
or TCP clusters.
Load Balancing Algorithms
The algorithm represents the logic by which application requests will be distributed to
available servers in a cluster. Four options exist:
Round Robin (RR): Application requests are forwarded in a cyclical fashion to each
available server.
Weighted Round Robin (WRR): Similar to Round Robin in that requests are cyclically
distributed among available servers; however, they are forwarded based on each
server's configured weight. Servers are configured with a weight, or metric, between 1
and 100. The higher the weight, the greater priority, or amount of traffic a server
should receive relative to other lower weighted servers.
Weighted Least Pending Requests (WLPR): For HTTP Clusters only. The Maestro
AFE is fully application aware, knowing the status of each outstanding client request
and the server's subsequent response. This application level intelligence enables the
Maestro AFE to make extremely accurate load balancing decisions based on real-time
application knowledge of each server's pending request load.
Weighted Least Connections (WLC): For TCP Clusters. When performing in TCP
mode (Layer 4 Load Balancing), the Maestro AFE keeps track of the number of
individual TCP connections load balanced to each server within a cluster. The Maestro
can make load balancing decisions based on a combination of the server's configured
weight as well as the number of connections currently established with each server.
Server Response Time (SRV-RSP-TIME-BASED): The Maestro AFE calculates the
server's response time as it receives updates from the server health check mechanism
regarding the servers in the cluster. The load balancing process distributes a high
percentage of the load to the fast servers, enabling them to receive more traffic and a
small percentage of the load to the slow servers, enabling them to receive less traffic.
In addition, each cluster has a Stop Traffic Factor (STF) parameter, which removes very
slow servers from being eligible for traffic distribution. When a server's response time
is greater than STF multiplied by the response time of the fastest server, the server is no
longer eligible for new requests. STF has the value of three by default, but can accept
values from 1 to 100.
The server response time is updated every five seconds by default, enabling the
response times to be recalculated and the server priorities to change.
The server response time option can only be enabled when the Health Check is enabled. If
the Health Check is disabled on the cluster, a warning message appears.
To configure load balancing algorithm from the CLI
Command Syntax:
load-balancing algorithm { wlpr | wlc | wrr | rr }
load-balancing algorithm { wlpr | wlc | wrr srv-rsp-time-based}
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1">load-balancing algorithm rr
Example of enabling load balancing based on the server's response time:
cluster "Cluster-2">load-balancing algorithm wrr | wlpr srv-rsp-time-based
Example of disabling load balancing based on the server's response time:
cluster "Cluster-3">load-balancing algorithm wrr | wlpr no srv-rsp-time-based
Example of setting STF:
cluster "Cluster-4">load-balancing algorithm wrr | wlpr srv-rsp-time-based stop-traffic-factor 4
To configure load balancing algorithm from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol
and then clicking the Farm icon. The Farm window appears.

Figure 44: Adding a Cluster
3. Click the New button. The Add New Cluster window appears.
4. Specify a Cluster Name and Protocol for the cluster.

Figure 45: Add New Cluster Window
5. Select the Load Balance Algorithm. In the Use Server Response Time window, specify
whether to enable the server response time mechanism. Set the STF to the desired
value in Stop Traffic Factor.
Ensure that the health check is enabled. Otherwise, the Server Response Time mode is
disabled.
When the Load Balance Algorithm is set to RR, the server response mechanism is disabled.
When Use Server Response Time is set to Disable, the Stop Traffic Factor field is disabled.

Figure 46: Configuring Load Balancing Parameter
Persistency
Some applications require that a client communicate with the same server in a load
balanced cluster throughout the duration of its session. This functionality is called
persistence, as each new connection from the same client should be kept persistent, or
"sticky", to the same server. The persistency mechanism of the Maestro AFE offers several
settings:
None: No persistence is enabled for the cluster. All requests are distributed via the
configured load balancing algorithm.
By IP Address: The Maestro AFE will identify a client by the Source IP address.
When configured, the first request from a client will be load balanced to the best server.
Subsequent requests from the same Source IP address will remain persistent to the
chosen server.
Application Level Persistency (available only for HTTP clusters): The Maestro AFE
will insert data into the HTTP/HTTPS response of each new client request. The data
will identify which server the client's requests should be forwarded to. Therefore, each
request from the client will include the inserted data, which the Maestro AFE will use to
identify which server to forward the request to, thus maintaining persistency
throughout the duration of the client's session.
To Configure Persistency Method from the CLI
Command Syntax:
load-balancing { persistency | no-persistency } [ by-ip | application-level-persistency ]
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1">load-balancing persistency by-ip
cluster "Cluster-1">load-balancing no-persistency
To Configure Persistency from the GUI
Enter the Configuration mode and select the desired cluster, as described in To add
farms from the GUI on page 106.
Health Check Configuration
The Maestro AFE forwards traffic only to available (healthy) servers and verifies the
health of a server by one of several means.
By default, the Maestro attempts to connect directly to each server configured in a
cluster (HTTP or TCP) and verify its basic connectivity. If the connection cannot be
established, the Maestro marks the server as Operationally Down and continues to check
the health of the server periodically. More advanced health checking options can request
specific content from a server and verify content within server responses. This type of
health checking is referred to as "data checks" within the configuration. The server's
response is analyzed to determine whether the server is functioning properly. Data checks
are available for HTTP or TCP clusters and are covered in more detail in Health Checking
for HTTP Clusters on page 116 and Health Checking for TCP (non-HTTP) Clusters on page 117
respectively.
If Health Checks are to be used, the following variables should be configured:
Mode: Enable or Disable Health Checks.
Frequency (1-300 seconds): Default value is 5 seconds. Defines the number of
seconds between health checks.
Wait Time (1-300 seconds): Default value is 3 seconds. Defines the number of
seconds the Maestro AFE should wait for a server response. If a healthy response is
not returned within the time designated, the Maestro AFE will classify the request as a
failure.
Consecutive Failures (1-100): The number of consecutive failures which must occur
before the Maestro AFE classifies a server as down.
URL to be checked: Used with HTTP clusters only. The URL to be requested from
each server within the cluster. The URL is requested at the configured Frequency. It is
recommended that a small page be designated to reduce the load on the server.
Host Header: Used with HTTP clusters only. The host name to be used for the health
check request. This is useful if several Virtual Hosts exist on a single server. For
example, a server may have a single IP address, but distinguish between several
virtual servers by the Host Header (e.g. www.site1.com vs. www.site2.com) to
determine which virtual server should serve the content. If no Host Header is
configured, the host header will consist of the IP address of the server being health
checked.
How these options are used depends on whether the cluster is made up of HTTP servers or
TCP (non-HTTP) servers. This is configured on a per-cluster basis.
Health Checking for HTTP Clusters
If the cluster is HTTP, then only the following configuration parameters are relevant:
Standard options:
    Mode
    Frequency
    Wait time
    Consecutive failures
    URL
    Host
Data Checks:
    Response
    Validate absence of response string
The data check "request" field is not applicable, since the URL field determines the request
that is sent to the server.
If the data check "response" field is left blank, then the health check mechanism operates
exactly as it did in versions before 4.2: it sends a request to the server and only validates
that the response has a status code of 200.
If the data check "response" field is configured, however, then the Maestro AFE will parse
the response from the server. The Maestro will parse both the headers and the body of the
response in order to look for the presence or absence of the configured response string,
depending on whether the "validate the absence of the response string" option is enabled
or not.
The data check "response" field is case-sensitive.
The binary option of the data check "response" field is not relevant with HTTP.
Health Checking for TCP (non-HTTP) Clusters
If the cluster is a TCP (non-HTTP) cluster, then only the following configuration
parameters are relevant:
Standard options:
    Mode
    Frequency
    Wait time
    Consecutive failures
Data Checks:
    Request
    Response
    Validate absence of response string
With TCP clusters, there are four ways of configuring health checks:
Without using data checks
If no data check options are configured, then the TCP servers will only be checked at
the TCP connection level. The Maestro attempts to open a TCP connection to the
server. If the connection is successfully opened before the wait time expires, then the
health check is considered a success. Otherwise, it is considered a failure.
Only using the request data check option
If the intent of health checking is only to verify that the server responds with some data
to a request (any data), then only configure the data check request option. In this
case, the Maestro first attempts to open a connection with the server. If the connection
is successfully opened, the Maestro sends the data configured in the request field to
the server (either text or binary, per configuration). After the request is sent, the
Maestro expects a response (any response) from the server.
All of this (opening a connection, sending the request, and getting a response) has to
happen before the wait time expires; otherwise the health check is considered a
failure.
Only using the response data check option
Certain TCP applications respond with a banner when a connection is first opened to
them. Mail servers (SMTP and POP) are examples of such cases. For checking the
health of these servers, you only need to configure the data check response option.
If only the response data check option is configured, the Maestro first attempts to
open a connection with the server. If the connection is opened successfully, the
Maestro expects data from the server to follow immediately after the connection is
opened. The contents of the response are compared to the response option (text or
binary, per configuration) and the presence or absence of the configured response is
validated, depending on whether the validate absence of response option is
configured.
All of this (opening the connection, receiving the response, and validating it against the
response option one way or another) needs to happen before the wait time expires;
otherwise, the health check is considered a failure.
Using both request and response data check options
For bi-directional application health checking of TCP servers, both the request and
response data check options must be configured. In these cases, the Maestro AFE
first attempts to open a connection with the server. Once the connection is opened, the
Maestro sends the server the contents of the request field (in text or binary, per
configuration). Then, the Maestro examines the server response and compares it to the
content of the response field (in text or binary, per configuration) to validate the
presence or absence of the configured response, depending on whether the validate
absence of response option is configured.
All of this (opening the connection, sending the request, receiving the response, and
validating it against the response option one way or another) needs to happen before
the wait time expires; otherwise, the health check is considered a failure.
Through these four options, all cases of server health checking for TCP (non-HTTP)
servers are covered. Clusters should be configured according to the type of application
the TCP servers within the cluster host.
With all TCP checks, the time it takes to open the TCP connection is part of the overall time
of the health check.
As with HTTP checks, the response field is case-sensitive (in text responses).
When analyzing server responses, the Maestro AFE will accept data from the server
regardless of the number of packets exchanged between the Maestro AFE and the server
as long as the total time does not exceed the wait time.
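The four TCP health-check variants above, written out as a Python sketch. This is an added example, not Crescendo Networks code and not the Maestro AFE's implementation: the names tcp_health_check, ServerHealth and start_test_server are hypothetical, and the local test server and its banner are constructed. Two behaviours are assumptions: an absence check is judged once the server closes or the wait time runs out, and a single successful check marks a server up again.

```python
import socket
import threading
import time


def tcp_health_check(host, port, wait_time=3.0, request=None,
                     response=None, validate_absence=False):
    """Run one probe; return True for success, False for failure.

    request/response are bytes or None (the data-check fields).
    wait_time covers connect + send + receive + validation together.
    """
    deadline = time.monotonic() + wait_time
    received = b""
    try:
        sock = socket.create_connection((host, port), timeout=wait_time)
    except OSError:
        return False                      # refused, unreachable or timed out
    with sock:
        if request is None and response is None:
            return True                   # way 1: TCP connection level only
        try:
            if request is not None:       # ways 2 and 4: send the request
                sock.settimeout(max(deadline - time.monotonic(), 0.001))
                sock.sendall(request)
            while True:                   # data may span several packets
                left = deadline - time.monotonic()
                if left <= 0:
                    break
                sock.settimeout(left)
                chunk = sock.recv(4096)
                if not chunk:
                    break                 # server closed the connection
                received += chunk
                if response is None:
                    return True           # way 2: any data counts
                if response in received:  # bytes match is case-sensitive
                    return not validate_absence
        except OSError:
            pass                          # timeout/reset: judge what arrived
    if response is None or not received:
        return False
    # String never seen: failure for a presence check, success for absence.
    # Assumption: an absence check needs at least some data from the server.
    return validate_absence


class ServerHealth:
    """Tracks consecutive failures. Assumption: one success marks it up."""

    def __init__(self, failures_to_down=3):
        self.failures_to_down = failures_to_down
        self.consecutive = 0
        self.up = True

    def record(self, ok):
        if ok:
            self.consecutive, self.up = 0, True
        else:
            self.consecutive += 1
            if self.consecutive >= self.failures_to_down:
                self.up = False
        return self.up


def start_test_server(banner=b"", reply=b""):
    """Constructed local server: sends banner, answers one request, closes."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    if banner:
                        conn.sendall(banner)
                    if reply:
                        conn.settimeout(1.0)
                        if conn.recv(4096):
                            conn.sendall(reply)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    smtp = start_test_server(banner=b"220 mail.example.test ESMTP\r\n")
    print(tcp_health_check("127.0.0.1", smtp, 1.0, response=b"220"))
```

A response-only check pointed at a server that waits for a request first simply times out, which is why the variant has to match the application the cluster hosts.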
To Configure Health Checks from the CLI
Command Syntax:
health-check [enable | disable | url | frequency | wait-time | failures | host-header | data-check]
health-check data-check [no | req-str | resp-str | req-bin | resp-bin]
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1">health-check enable
cluster "Cluster-1">health-check url /index.html
cluster "Cluster-1">health-check failures 3
cluster "Cluster-1">health-check data-check resp-str test
To Configure Health Checks from the GUI
1. Enter the Configuration mode and select the desired cluster. Once the cluster is
highlighted, click on the Health Checks tab.
2. Change the Mode to Enable.

Figure 47: Configuring Health Checks
3. Adjust the Frequency, Wait Time, and Consecutive Failures settings for the specific
application to be tested.
4. For HTTP clusters, specify the URL to be requested.
5. Define a Data Check Response if required. If not defined, the Maestro AFE will
determine health based on the HTTP response code returned from the server,
identifying a response of 200 as healthy.
Server Inactivity Check
The Maestro AFE opens a limited number of persistent TCP connections to each accelerated
server. If a connection is idle (no data sent to, or received from, the server) for 30 seconds
(default setting), one of three actions can be defined:
The connection can be closed, and a new one immediately opened.
The connection can be kept alive using an HTTP HEAD method to verify connectivity
over the open connection.
The connection can be kept alive using an HTTP GET method to verify connectivity
over the open connection.
A path and file name can be specified for the HEAD and GET keep-alive methods. The
server-inactivity feature can be configured on a global level, affecting all servers configured
for acceleration, or on an individual server level.
By default, the server-inactivity feature is configured globally to close connections. If
configured in Keep-Alive GET mode, it is advised to configure the URL as a small static
page, up to 1000 bytes in total size, to avoid creating unnecessary load on the server. Keep
in mind that the server-inactivity feature only executes after 30 seconds of inactivity on each
individual backend server connection.
Recommended Server Settings
Table 7: Recommended Server Settings
Web Server / Operating System      Recommended Configuration
Microsoft IIS 6.0 (Server 2003)    server-inactivity close
Microsoft IIS 5.0 (Server 2000)    server-inactivity keep-alive [HEAD | GET]
Apache* (Linux, BSD, Windows)      server-inactivity close
* Apache requires the following modifications be made to the httpd.conf file, usually found
in the /etc/httpd/conf/ directory:
KeepAlive On (by default, this is set to Off).
MaxKeepAliveRequests 0 (provides unlimited requests; by default, set to 100).
KeepAliveTimeout 45 (by default, set to 15).
The settings outlined in the table are recommendations based on typical environments.
Because many applications may vary based on customization, it is recommended that the
settings be verified with a Crescendo Networks Support Engineer to ensure optimal
performance. For example, the default server-inactivity timer is set to 30 seconds. If for
some reason a request may take longer than 30 seconds to be processed by the server, the
server-inactivity timer value should be increased to allow for maximum server processing
time.
To configure server-inactivity globally from the CLI
Command Syntax
server-inactivity [close | keep-alive] url [GET | HEAD]
Prompt level - Configure
Example commands:
config> server-inactivity close
config> server-inactivity keep-alive /test.html GET
config> server-inactivity keep-alive /test.html HEAD
To configure server-inactivity globally from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Server Topology icon under the Maestro AFE
icon.

Figure 48: Configuring Server-Inactivity Globally
3. Configure the Server Inactivity setting in the Advanced tab.
4. If the Server Inactivity option is checked, this signifies Keep-alive mode, and a URL
and method (GET or HEAD) should be specified.
5. If the Server Inactivity option is left unchecked, this signifies close mode.
To configure server-inactivity per cluster from the CLI
Configuring the server-inactivity is an extension of the Cluster configuration within the
Farm > Cluster prompt level. Each cluster can be configured with a unique server-
inactivity action (Close, Keep-Alive GET, or Keep-Alive HEAD) similar to the global
configuration. Additionally, the Cluster can be configured to use the global settings.
Command Syntax
server-inactivity [close | global | keep-alive] url [GET | HEAD]
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1"> server-inactivity close
cluster "Cluster-1"> server-inactivity keep-alive /test.html GET
cluster "Cluster-1"> server-inactivity keep-alive /test.html HEAD
cluster "Cluster-1"> server-inactivity global
To configure server-inactivity per cluster from the GUI
Server inactivity can be configured per Cluster.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Topology icon by clicking the + symbol then
expand the Farm icon and click on the desired Cluster icon.

Figure 49: Configuring Server-Inactivity Per Cluster
3. The Server Inactivity variable is configured as Close, Keep-alive, or Global.
Real Servers
When configuring servers to be accelerated or just load-balanced, it is important to verify
several settings in the server configuration before defining them in the Maestro AFE
configuration. For information pertaining to server configuration, please consult Chapter 6,
Server Preparation and Logging Considerations, before proceeding with configuring real
servers.
Configuring a Real Server
Real servers are defined within a cluster. When the server is configured, the Maestro
immediately attempts to connect to the server. In the case of a real server defined in an
HTTP cluster, the Maestro AFE will attempt to open the preconfigured number of backend
connections to the server, as well as begin performing separate Health Checks (if
configured). In the case of a real server defined in a TCP cluster, the Maestro will begin
performing health checks (if configured).
Backup Servers
When configuring a real server, the option exists to make the server a "backup" server.
This designation means that the server configured as "backup" within the cluster will not
receive any traffic unless another server within the cluster becomes unavailable. The
configuration allows for only one backup server to be designated per cluster.
When any other server in a cluster fails, the backup server will become active. When the
previously failed server becomes available again, the backup server will do the following
(based on whether the cluster is configured as an HTTP or TCP-based cluster):
HTTP Cluster: The backup server will immediately stop receiving traffic and will be
placed in backup mode again.
TCP Cluster: The backup server will not be forwarded any new TCP connections, and
will gracefully time out any existing connections. Once all connections are no longer
active and have been timed out, the server will be placed in backup mode again.
To add a real server from the CLI
Command Syntax:
real real-name {shutdown | [no shutdown]} real-ip port {backup-server}
no real real-name
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1"> real Server-1 10.1.1.1 80
cluster "Cluster-1"> no real Server-1
cluster "Cluster-1"> real Server-1 backup-server
cluster "Cluster-1"> real Server-1 no-backup-server
To add a real server from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol,
then expand the Farm icon and the Cluster icon. Click the Real Server icon and click
New.
3. The Add New Server window is displayed. Specify a name for the server, the server's
real IP address, and TCP port of the HTTP application to be accelerated. Additionally,
configure additional services such as Logging, History, or the backend connections.
Click Apply.

Figure 50: Add New Server Window
4. Repeat this step for each server.
To configure backend connections per server from the CLI
When configuring an individual server, the backend connections will use the global
settings unless otherwise specified. The following command outlines the configuration of
connection settings per server.
Command Syntax:
real name conns [global | static] # dynamic #
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1"> real Server-1 conns global
cluster "Cluster-1"> real Server-1 conns static 100 dynamic 3

Chapter 8
Virtual Servers, URL Rewriting, and L7 Switching / Redirection
Chapter 8 provides information about configuring Virtual Servers (VIPs) as well as
advanced configuration concepts such as L7 Switching and HTTP Redirection rules.
Before Proceeding.
Virtual Servers.
URL Rewriting.
L7 Switching & Redirection (HTTP Virtual Servers).
HTTP Redirection Rules.
Before Proceeding
In order to proceed with configuring server acceleration and/or load balancing, the
following prerequisites should be satisfied.
Management connectivity for each unit, whether through Serial Console or via
Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 3, Introduction
to the Command Line Interface.
Farms, Clusters, and at least one Real Server must be defined and properly configured
within the Server Topology configuration. Please see Chapter 7, Server Topology
Farms/Clusters/Real Servers.
Virtual Servers
Configuring Virtual Servers
The following section outlines the steps required to create and configure a Virtual Server
(VIP). Virtual Servers are mapped to Clusters. Similar to Clusters, Virtual Servers have a
protocol configuration: either HTTP or TCP. A Virtual Server's protocol configuration must
match that of the Cluster it is mapped to. Therefore, a Cluster configured as HTTP can
only be mapped to a Virtual Server configured as HTTP. Similarly, a Cluster configured as
TCP must be mapped to a Virtual Server configured as TCP. Cluster and Virtual Server
protocol designations cannot be mismatched.
Virtual Servers configured for HTTP protocol also allow configuration of HTTP/L7
Switching and Redirection rules, as well as Client-Side SSL, which is covered in Chapter 10,
SSL Acceleration.
To add virtual servers from the CLI:
Command Syntax:
virtual virtual-name {shutdown | [no shutdown]} virtual-ip virtual-port {protocol [http | tcp]}
no virtual virtual-name
Prompt level - Configure
Example commands:
config> virtual Virtual-1 10.1.1.100 80 default-cluster Cluster-1 protocol http
config> no virtual Virtual-1
config> virtual Virtual-1 shutdown
config> virtual Virtual-1 no-shutdown
To add services to a virtual server from the CLI
Command Syntax:
virtual virtual-name service {history | logging | ssl}
virtual virtual-name no service {history | logging | ssl}
Prompt level - Configure
Example commands:
config> virtual Virtual-1 service history
config> virtual Virtual-1 no service history
To add a virtual server from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol
then click on the Virtual icon. Click on the New button.

Figure 51: Adding a Virtual Server from the GUI
3. The New Virtual Server window will be displayed. Specify a name for the Virtual
Server, the Virtual IP address, and TCP port of the HTTP application to be accelerated.
4. Choose the Protocol. If the Virtual Server will be mapped to a TCP-based cluster (for
non-HTTP load balancing), then the Protocol must be set to TCP within the Virtual
Server configuration. The GUI will generate an error if an HTTP Virtual Server is
configured with a TCP cluster.
5. Next, specify the Default Action as sending traffic to a specific cluster, redirecting to a
URL, or denying access.
6. Once the Default Action is configured, additional L7 Switching and Redirection
configuration can be made via the respective tabs if the Virtual Server and subsequent
Clusters are configured as HTTP protocol.
URL Rewriting
URL Rewrite is the method by which the Maestro AFE rewrites the URL in an incoming
request, before sending the URL to the Cluster / Real Server. The URL is rewritten based on
the original URL, the Host field of the URL's HTTP header, and the matching URL rewrite
rule.
The first step of the URL rewrite process is performed by checking whether the Virtual
Server has a URL that is waiting to be rewritten. The Maestro AFE then selects the URL
rewrite rule to be used by comparing the rule's format with the format of the incoming
URL. When a match is found between a rule and a URL, the URL is rewritten according to
the selected rule. Since more than one rule can match a URL, the Maestro AFE selects the
rule according to its priority level. The URL rewrite is performed by removing or copying
parts of the URL and pasting them in other areas within the URL. Once the URL is
rewritten, the L7 switching decisions that were determined before the URL was rewritten
are used.
The L7 switching decisions are based on the parameters from the incoming URL request,
before the URL is rewritten.
The ability to rewrite URLs enables site administrators to achieve greater control of the
HTTP traffic entering their site. URL rewriting can be used for the following scenarios:
Hiding Web server names and server configuration information from your users by
redirecting an external URL to an internal URL. This improves the security on your site
and makes the site's URLs shorter.
Redirecting an old webpage to a new webpage.
Redirecting specific keyword searches to simplified URLs.
As mentioned above, the URL is rewritten based on the original URL, the Host field of the
URL's HTTP header, and the matching URL rewrite rule.
An example of a URL rewrite request is:
The URL: GET /sports/bball/index.asp?id=12213234
The host name: www.cnn.com
The rewrite rule:
    Input:  www.cnn.com/$01/$02/$R
    Output: $01.cnn.com/$02/$R
After the rewrite, a host name must be included in the URL input request as well as the
output URL. The only time a host name is not included in the request, is when matching
HTTP 1.0 requests.
URL Rewrite Rules
Creating URL rewrite rules enables you to control how each incoming URL is rewritten.
This involves creating a generic format for the input URL and for the output URL.
Predefined variables are used in the rules to indicate the generic information that varies
with each URL. You can create up to 100 URL rewrite rules.
URL rewrite rules can contain two types of variables:
<$R>
<$XX>, where XX is 01, 02, 03
The following example rule demonstrates the use of the variable <$R>, which contains the
end of the URL.
URL From Incoming Request    URL After Rewrite
www.x.com/images/<$R>        www.x.com/images/jpg/<$R>

When using this rule, the URL www.x.com/images/hello is rewritten to
www.x.com/images/jpg/hello. Using the same rule, the URL www.x.com/images/goodbye
is rewritten to www.x.com/images/jpg/goodbye.
The <$R> variable can contain any character, including slashes and periods, except for a
space. Since a space indicates the end of the URL, it cannot be used within the variable.
The following example rule demonstrates the use of the variable <$XX>, which indicates a
string from the URL.
URL From Incoming Request               URL After Rewrite
www.x.com/<$01>friend/<$02>index.htm    www.x.com/<$02>/<$01>/index.htm

When using this rule, the URL www.x.com/myfriend/homeindex.htm is rewritten to
www.x.com/home/my/index.htm.
The <$XX> variable cannot contain slashes, periods, question marks, or spaces. This
variable can appear only once between a set of dashes, periods, or question marks in the
URL.
The following table displays additional examples of URL rewrite rules, using the <$R> and
<$XX> variables. The "Desired" row describes the desired output according to the specified
input. The "Rule" row displays the input and output rule to be used to receive the desired
result.
Table 8: Examples of URL Rewrite Rules
Example
Number   Row      URL Input                 URL After Rewrite
1        Desired  www.x.com/images/<rest>   www.x.com/images/jpg/<rest>
         Rule     www.x.com/images/$R       www.x.com/images/jpg/$R
2        Desired  www.x.com/images/<rest>   www.x.com/pictures/<rest>
         Rule     www.x.com/images/$R       www.x.com/pictures/$R
3        Desired  www.x.com/images/<rest>   pictures.x.com/<rest>
         Rule     www.x.com/images/$R       pictures.x.com/$R
4        Desired  images.x.com/<rest>       www.x.com/pictures/<rest>
         Rule     images.x.com/$R           www.x.com/pictures/$R
5        Desired  <uname>.x.com/<rest>      www.x.com/~<uname>/<rest>
         Rule     $1.x.com/$R               www.x.com/~$1/$R
6        Desired  www.x.com/<app>/<rest>    <app>.x.com/<rest>
         Rule     www.x.com/$1/$R           $1.x.com/$R
7        Desired  www.x.com/<uname>         www.x.com/user.php?uname=<uname>
         Rule     www.x.com/$1              www.x.com/user.php?uname=$1
8        Desired  www.x.com/dir             www.x.com/dir/
         Rule     www.x.com/$1              www.x.com/$1/
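How the <$XX> and <$R> variables and rule priority fit together, as an added Python sketch (not Crescendo Networks code and not the Maestro AFE's matcher). The names compile_rule, expand, RewriteTable and demo_table are hypothetical, the priority numbers are constructed, and two points are assumptions: the lowest priority number wins, and the `$$` sequence seen in some CLI examples is not modelled.

```python
import re

TOKEN = re.compile(r"\$(R|\d{1,2})")   # $R, $01 (the guide's table also writes $1)
XX_CLASS = r"[^/.? ]+"  # <$XX>: no slashes, periods, question marks or spaces
R_CLASS = r"[^ ]*"      # <$R>: any character except a space, up to the end


def compile_rule(before):
    """Translate a 'before' string such as www.x.com/$01/$R into a regex."""
    parts, pos = [], 0
    for tok in TOKEN.finditer(before):
        parts.append(re.escape(before[pos:tok.start()]))   # literal text
        name = tok.group(1)
        if name == "R":
            parts.append("(?P<R>%s)" % R_CLASS)
        else:
            parts.append("(?P<v%d>%s)" % (int(name), XX_CLASS))
        pos = tok.end()
    parts.append(re.escape(before[pos:]))
    return re.compile("".join(parts))


def expand(after, match):
    """Fill the 'after' template with the values captured by the match."""
    def value(tok):
        name = tok.group(1)
        return match.group("R" if name == "R" else "v%d" % int(name))
    return TOKEN.sub(value, after)


class RewriteTable:
    def __init__(self):
        self.rules = []   # (priority, compiled before, after template)

    def add(self, before, after, priority):
        self.rules.append((priority, compile_rule(before), after))
        # Assumption: the lowest number is the highest priority.
        self.rules.sort(key=lambda rule: rule[0])

    def rewrite(self, host, url):
        """host is the Host header value, url the request target."""
        full = host + url
        for _priority, pattern, after in self.rules:
            match = pattern.fullmatch(full)
            if match:
                return expand(after, match)
        return full       # no rule matched: leave the request unchanged


def demo_table():
    """Rules taken from the guide's examples; priorities are constructed."""
    table = RewriteTable()
    table.add("www.x.com/images/$R", "www.x.com/images/jpg/$R", 10)
    table.add("www.x.com/$01friend/$02index.htm",
              "www.x.com/$02/$01/index.htm", 20)
    table.add("www.cnn.com/$01/$02/$R", "$01.cnn.com/$02/$R", 30)
    table.add("www.x.com/$1/$R", "$1.x.com/$R", 40)   # also matches /images/...
    return table


if __name__ == "__main__":
    t = demo_table()
    print(t.rewrite("www.cnn.com", "/sports/bball/index.asp?id=12213234"))
    print(t.rewrite("www.x.com", "/images/hello"))
```

Because <$R> is copied through unchanged, a rewrite rule renames URLs but does not validate them; the real servers still receive whatever path the client sent after the matched prefix.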
Configuring URL Rewrite Rules
You can configure the rewrite rules through the CLI or GUI. This includes adding, editing,
and removing rules from the Configured rules list. Once a rewrite rule is created, you need
to commit the rule. In addition to the regular configurations mentioned above, you can run
the newly modified rules. You can view the committed rules or perform a rollback to undo
the recent run and return to the list of previously run rewrite rules.
This section outlines the steps required to configure URL rewrite rules through the CLI and
GUI.
To add a URL rewriting rule from the CLI
Command Syntax:
virtual name rewrite before url-string-before after url-string-after priority
Prompt level - Configure
Example commands:
config> virtual v1 rewrite before www.x.com/$01 after www.x.com/user.php?uname=$01 2
config> virtual v1 rewrite before www.$01.com/ after www.x.com/user.php?uname=$01 3
To remove a URL rewriting rule from the CLI
Command Syntax:
no virtual name rewrite id internal-id
no virtual name rewrite before url-string-before
Prompt level - Configure
Example commands:
no virtual v1 rewrite before www.$01.com/
To commit the rewrite rules from the CLI
Command Syntax:
virtual name rewrite commit
Prompt level - Configure
Example commands:
virtual v1 rewrite commit

To perform a rollback from the CLI
After running a list of rules, you can perform a rollback to restore the previously run
list of rules. These rules will then need to be run again before they can be used.
Command Syntax:
virtual name rewrite rollback
Prompt level - Configure
Example commands:
virtual v-1 1.2.3.4 80 redundancy-group 1 default-cluster c1
virtual v-1 rewrite before $01.before-$02-after.$03/$04/$05.txt after www.match-$05-$01.com/$04/$01/before-$03-after/$02.txt 90
virtual v-1 rewrite before www.endofpath.com/$01 after www.match-endofpath.com/$01 89
virtual v-1 rewrite before $01.constpost.com/default.html after $01.constpost.com/$01/default.html 88
virtual v-1 rewrite before "before $01.rest.$R" after www.match-$01.$R 86
virtual v-1 rewrite before $01.restendofhost.com$R after www.match-$01.$R 85
virtual v-1 rewrite before www.str1$$str2.com/$01/$$ after www.match-str1$$str2.com/$01/$$ 84
no virtual v-1 rewrite before $01.before1-$02-after.$03/$R after www.match1-$01.com/$02/$R 91
virtual v-1 rewrite commit
virtual v-1 rewrite before $01.before1-$02-after.$03/$R after www.match1-$01.com/$02/$R 91
To view the URL rewrite configured rules from the CLI
Command Syntax:
show virtual rewrite configured
Prompt level - Root
Example commands:
root> show virtual rewrite configured
Virtual  Id  Before URL         After URL          Priority  Commit
v-1      7   www.str1$$str2.co  www.match-str1$$s  84        committed
         6   $01.restendofhost  www.match-$01.$R   85        committed
         5   before $01.rest.$  www.match-$01.$R   86        committed
         3   $01.constpost.com  $01.constpost.com  88        committed
         2   www.endofpath.com  www.match-endofpa  89        committed
         1   $01.before-$02-af  www.match-$05-$01  90        committed
         4   $01.before1-$02-a  www.match1-$01.co  91        Not committed
To view the URL rewrite rules that are running from the CLI
Command Syntax:
show virtual rewrite committed
Prompt level - Root
Example commands:
root> show virtual rewrite actual
Virtual Before URL After URL Priority
v-1 www.str1$$str2.com/$01/ www.match-str1$$str2.co 84
$01.restendofhost.com$R www.match-$01.$R 85
before $01.rest.$R www.match-$01.$R 86
$01.constpost.com/defau $01.constpost.com/$01/d 88
www.endofpath.com/$01 www.match-endofpath.com 89
$01.before-$02-after.$0 www.match-$05-$01.com/$ 90
$01.before-$02-after.$0 www.match-$01.com/$02/$ 91
To add URL rewriting rules from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then
click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab to configure the rules.

Figure 52: Configuring the URL Rewrite Rules from the GUI
5. In the Rule Before, Rule After, and Priority fields, enter the rules input and output
information and the rules priority level.
6. Click Apply to add the rule to the list of available rewrite rules. Once the rule is added,
you must run the rule before it can be used.
To commit the URL rewriting rules from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then
click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab.
5. Click Commit All. The rules are running and can be matched with incoming URLs.
6. Click the Committed tab to display the URL rewriting rules that are being used for this
virtual server.

Figure 53: Running the URL Rewrite Rules from the GUI
To perform a rollback from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then
click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab.
5. Click Rollback to restore the list of previously run URL rewriting rules.
To edit URL rewriting rules from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then
click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab.
5. In the URL Rewriting Rules table, select the rule you want to edit.
6. Edit the rule and click Apply.
To remove URL rewriting rules from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then
click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab.
5. In the URL Rewriting Rules table, select the rule that you want to remove and click
Delete.
L7 Switching & Redirection (HTTP Virtual Servers)
HTTP Switching, referred to as L7 Switching, is the method by which requests sent to a
Virtual Server (configured for HTTP traffic) are classified and forwarded to a specific
cluster. HTTP switching is only available when the load-balancing feature is enabled
(licensed) and the Virtual Server and the Clusters that are to receive traffic are
configured in HTTP protocol mode. HTTP Switching enables the creation of ordered
(prioritized) rules within the Virtual Server to determine which cluster should receive
matching requests. Rules can be configured to classify based on any combination of the
following criteria: Host Name, File Extension, URL, and Language.
An example of an environment that may benefit from HTTP Switching is one with different
content types being served by different clusters. For instance, a cluster may be optimized
to serve only image content, like jpegs and gifs, while another cluster is optimized to serve
application requests and communicate with a backend database. In this scenario, two
separate clusters would be configured. Through the use of HTTP switching rules, a single
Virtual Server would be created with rules designating which clusters receive client
requests based on content. Therefore, requests for images are served by the image cluster
and requests for all other data are served by the application or default cluster.
HTTP Switching is also ideal when content is served in different languages.
Administrators can manage different clusters set up to serve content in different languages.
HTTP Switching enables the Maestro AFE to forward requests to the correct cluster based
on the language specified in the client's browser.
L7 Switching Criteria
As previously mentioned, HTTP Switching rules are built with a combination of the
following criteria:
Hostname: Hostname specified in the client's Host header (for example,
www.site1.com or www.site2.com).
File Extension: Extension of the object being requested (for example, jpg, gif, html).
URL: Commonly used for directory structure and based on longest match. For
example, if /products/ is specified, the URLs /products/ and /products/shoes/
would both match. It is important that the leading slash be specified.
Additionally, the URL field can accommodate only 30 characters.
Language: As specified in the browser's Accept-Language header. If more than
one language is listed in the client's request, the Maestro AFE will only classify
based on the first language listed.
L7 Switching Criteria Options
Each rule criterion is configured either with a defined value, as demonstrated above, or
with one of two options:
Doesn't Exist: Set when you require the rule to match based on the non-existence of a
value. For example, setting the File Extension to Doesn't Exist means that the
Maestro AFE will classify a request for a file with no extension as a match, whereas a
file with an extension will not match.
Don't Care: Set when the criterion does not matter. For instance, setting the File
Extension criterion to Don't Care means that the Maestro AFE will not care what file
extensions are requested.
After specifying criteria for a rule, a priority should be configured, as well as a defined
Cluster for traffic matching the rule.
URL Criteria Options
When creating an HTTP Switching rule based on the URL, two options are available to
ensure proper functionality:
Exact Match: If the URL is configured with the exact match option, the rule matches
only if the portion after GET matches the configured string exactly.
Longest Prefix: If the URL is configured with the longest prefix option, the rule
matches if the string is found. Additionally, the search for the longest prefix always
starts at the beginning of the URI (right after GET); this is why the URL section is
always required to start with a / in the Maestro AFE configuration.
L7 Switching Actions
When configuring HTTP switching rules, two possible actions are available if a rule
matches a user request:
Send to cluster: The virtual server will direct the user request to the configured
cluster.
Deny: The virtual server will deny the user request and reset the TCP connection.
L7 Switching Rule Priorities
When configuring an HTTP Switching or Redirection rule, a priority value is required. The
priority value is only used in instances when more than one HTTP Switching or
Redirection rule is matched.
Important Information about Priorities
A priority value must be assigned to each L7 switching or Redirection rule.
Priority values are only used when two rules match all criteria for a request.
Priority is based on a descending scale, so a rule with priority 2 has a higher
precedence than a rule with a priority of 5.
Even though there are two tables to configure L7 Switching and Redirection rules per
Virtual Server (VIP) in the GUI, they effectively utilize the same table. This means that
for the same Virtual Server, you cannot have an L7 Switching rule with a priority of 2
and a Redirection rule with a value of 2 also. Instead, the two tables must utilize non-
conflicting priority values since they are actually executed as a single table.
For example, a request is received which contains the following information:
Request URL: /images/image1.jpg
Host name: www.site1.com
The Maestro AFE has the following HTTP Switching and Redirection rules:
Table 9: L7 Switching
Hostname       File Ext.   URL         Language    Priority  Cluster
Don't Care     jpg         Don't Care  Don't Care  1         Cluster-1
Table 10: Redirection
Hostname       File Ext.   URL         Language    Priority  Redirection to:
www.site1.com  Don't Care  Don't Care  Don't Care  2         www.site2.com

In this example, the request actually matches both configured rules. When this occurs,
the Maestro AFE uses the configured priority to determine which action to take. In this
case, the L7 Switching rule has a higher priority (1) and the request will be forwarded
to Cluster-1 per the configured action.
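The evaluation described above, as an added Python model (not Crescendo's code): the L7 Switching and Redirection tables are merged into one table, duplicate priorities are rejected, and the lowest priority number among the matching rules decides. The `Rule` fields, the default cluster name, exact comparison of the first language and ignoring a port in the Host header are assumptions made for the illustration.

```python
"""Added example: models the L7 Switching / Redirection rule table described above."""
from dataclasses import dataclass

ANY = object()   # "Don't Care"
NONE = object()  # "Doesn't Exist"


@dataclass(frozen=True)
class Rule:
    priority: int              # lower number = higher precedence
    action: str                # "to-cluster", "redirect" or "deny"
    target: str = ""           # cluster name or redirect URL
    hostname: object = ANY
    file_ext: object = ANY
    url: object = ANY          # ANY, or a string that starts with "/"
    url_exact: bool = False    # False = "Longest Prefix", True = "Exact Match"
    language: object = ANY


def file_extension(path):
    """Extension of the requested object, or None when it has none."""
    last = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if "." not in last:
        return None
    return last.rsplit(".", 1)[1].lower() or None


def first_language(accept_language):
    """Only the first language listed in Accept-Language is classified."""
    if not accept_language:
        return None
    return accept_language.split(",")[0].split(";")[0].strip().lower() or None


def criterion_ok(wanted, actual):
    if wanted is ANY:
        return True
    if wanted is NONE:
        return actual is None
    return actual is not None and actual.lower() == wanted.lower()


def matches(rule, host, path, accept_language=None):
    """True when the request satisfies every criterion of the rule."""
    if rule.url is not ANY:
        hit = path == rule.url if rule.url_exact else path.startswith(rule.url)
        if not hit:
            return False
    # Assumption: a port in the Host header is ignored when comparing.
    hostname = host.split(":")[0] if host else None
    return (criterion_ok(rule.hostname, hostname)
            and criterion_ok(rule.file_ext, file_extension(path))
            and criterion_ok(rule.language, first_language(accept_language)))


def build_table(switching_rules, redirection_rules):
    """Merge both per-virtual-server tables; they are executed as a single table."""
    used, table = set(), []
    for rule in [*switching_rules, *redirection_rules]:
        if rule.priority in used:
            raise ValueError(f"priority {rule.priority} is used by two rules")
        if rule.url is not ANY and (not rule.url.startswith("/") or len(rule.url) > 30):
            raise ValueError(f"URL criterion {rule.url!r} must start with '/' "
                             "and fit in 30 characters")
        used.add(rule.priority)
        table.append(rule)
    return sorted(table, key=lambda r: r.priority)


def decide(table, default_cluster, host, path, accept_language=None):
    """Return (action, target); unmatched requests go to the default cluster."""
    for rule in table:   # already ordered by priority
        if matches(rule, host, path, accept_language):
            return rule.action, rule.target
    return "to-cluster", default_cluster


# Tables 9 and 10 from the text; "Cluster-2" as default cluster is an assumption.
TABLE = build_table(
    [Rule(priority=1, action="to-cluster", target="Cluster-1", file_ext="jpg")],
    [Rule(priority=2, action="redirect", target="www.site2.com",
          hostname="www.site1.com")],
)

if __name__ == "__main__":
    print(decide(TABLE, "Cluster-2", "www.site1.com", "/images/image1.jpg"))
    print(decide(TABLE, "Cluster-2", "www.site1.com", "/index.html"))
    print(decide(TABLE, "Cluster-2", "www.other.com", "/docs/readme"))
```

Because a Deny rule shares the same table, a broad to-cluster rule with a lower priority number will win over it; reviewing the merged, sorted table is the quickest way to spot that.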
L7 Switching Example Configuration
Assume the following configuration in which two clusters exist:
Farm-1
    Cluster-1
        Server-1
        Server-2
    Cluster-2
        Server-3
        Server-4
        Server-5
Cluster-1 serves image content consisting of jpegs and gifs, while Cluster-2 serves all other
content and application requests. After configuring each Cluster on the Maestro AFE, a
Virtual Server must be created with the following configuration:
Virtual Server = 10.1.1.100; Port = 80.
Default Cluster = Cluster-2.
L7 Switching Rules:
Table 11: L7 Switching Rules
Hostname    File Ext.  URL         Language    Priority  Cluster
Don't Care  jpg        Don't Care  Don't Care  1         Cluster-1
Don't Care  gif        Don't Care  Don't Care  2         Cluster-1

As the Virtual Server configuration demonstrates, requests for jpg or gif objects will be
forwarded to Cluster-1 as stipulated in Rules 1 and 2, while all other requests will be
forwarded to Cluster-2 (default rule).
Configuring L7 Switching Rules
The following section outlines the steps required to configure L7 switching rules through
the CLI and GUI.
To add L7 switching rules from the CLI
Command Syntax:
virtual name rule { hostname variable | no-hostname | any-hostname |
file-ext variable | no-file-ext | any-file-ext | url variable |
no-url | any-url | language variable | no-language | any-language}
rule_priority_[1100] {to-cluster cluster | redirect url | deny}
Prompt level - Configure
Example commands:
config> virtual Virtual-1 rule any-hostname file-ext jpg any-url any-language to-cluster Cluster-1
To add L7 switching rules from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Virtual Servers icon by clicking the + symbol
then click on the specific Virtual Server icon.

Figure 54: Configuring L7 Switching
3. The L7 Switching rules can be found in the L7 Switching tab.
4. Select a blank row, and then configure the desired variables either by selecting one of
the options from the drop-down menu (for example, Don't Care or Doesn't Exist) or by
clicking in the variable window and entering the desired text.
5. Click Apply.
To remove an L7 switching rule from the CLI
Command Syntax 1:
no virtual <vir-name> rule id <number> / <language>
In some cases, when using this command, you will need to make modifications to the rule
before the rule can be removed. For example, when you use the command Show Run to
discover the rule, you will need to make modifications to the rule. For this reason it is
recommended to use the following command.
Command Syntax 2:
show virtual rule
no vir <vir-name> rule id <number>
Prompt level - Configure
Example commands:
show virtual rule
no virtual LAN2 rule any-hostname any-file-ext url / any-language
To remove L7 switching rules from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Virtual Servers icon by clicking the + symbol
then click on the specific Virtual Server icon.

Figure 55: Configuring L7 Switching
3. The L7 Switching rules can be found in the L7 Switching tab.
4. Select the row of the rule that you want to delete and click Delete.
HTTP Redirection Rules
For each virtual server, redirection rules can be configured instructing the Maestro AFE
virtual server to redirect specific user requests to alternate URLs. Each redirection rule is
configured exactly as an L7 switching rule. Also, the priorities assigned to redirection rules
are compared to other priorities in both redirection and L7 switching rules for the same
Virtual Server. Therefore, L7 switching priorities cannot conflict with those of the
redirection rule table for the same Virtual Server (VIP).
HTTP Redirection Configuration Criteria
Configuring a redirection rule is exactly like configuring an L7 switching rule with regards
to matching for host name, file extension, URL, language, and priority. In addition, a
number of redirection-specific parameters are available for configuration:
Redirect to: The location to which the Maestro AFE will redirect the client request
if there is a rule match. See below for a more detailed description of how to configure
this parameter.
Connection: The Connection header used in the redirect message from the Maestro
AFE. The device can send the redirect with a "Connection: keep-alive" or
"Connection: close" header.
Preserve Original Path: Enabling this option will instruct the Maestro AFE to append
the path of the request URL to the redirection URL. The path, in this case, refers to
everything from the first slash (not counting the protocol slashes) to the end of the
request. For example, if the request URL is http://www.site.com/abc/def/index.html,
then the original path would be /abc/def/index.html, including the first slash. See
below for how this parameter affects the redirection location.
Permanent redirection: By default, the Maestro AFE uses temporary redirects for the
redirection mechanism. This means that it redirects HTTP/1.1 clients using response
code 307 and HTTP/1.0 clients using response code 302. The option is available to
make the redirection permanent. If the option is enabled, the Maestro AFE will use a
response code 301 with the redirect for all clients.
The redirect to Field
The redirection mechanism of the Maestro AFE has an extensive set of capabilities that
allows it to perform much more than simple HTTP redirection. The mechanism allows for
protocol switching (http->https), redirection to a new host and/or new port number, and
the ability to preserve the original request path if necessary, as discussed above. As such,
the "redirect to" parameter can take many forms. The figure below describes the general
anatomy of the parameter:

Figure 56: Redirect To Field
The table below shows possible configurations for this parameter and what each means.
All examples shown below are valid configurations. Also shown is the effect of the
preserve original path option on each of the redirects. In these examples, we assume that
the original request was to http://<host>/abc/def/x.htm:
Table 12: Redirect To Field's Possible Configurations
                           Location header of the redirect
redirect to parameter      Pres. orig. path disabled  Pres. orig. path enabled
https://                   https://<host>             https://<host>/abc/def/x.htm
https:///                  https://<host>/            https://<host>/abc/def/x.htm
:8080                      http://<host>:8080         http://<host>:8080/abc/def/x.htm
https://:444               https://<host>:444         https://<host>:444/abc/def/x.htm
www.site.com               http://www.site.com        http://www.site.com/abc/def/x.htm
www.site.com/              http://www.site.com/       http://www.site.com/abc/def/x.htm
www.site.com:8080          http://www.site.com:8080   http://www.site.com:8080/abc/def/x.htm
www.site.com:8080/         http://www.site.com:8080/  http://www.site.com:8080/abc/def/x.htm
https://www.site.com:444   https://www.site.com:444   https://www.site.com:444/abc/def/x.htm
https://www.site.com:444/  https://www.site.com:444/  https://www.site.com:444/abc/def/x.htm
www.site.com/dir1          http://www.site.com/dir1   http://www.site.com/dir1/abc/def/x.htm
www.site.com/dir1/         http://www.site.com/dir1/  http://www.site.com/dir1/abc/def/x.htm
:8080/dir1                 http://<host>:8080/dir1    http://<host>:8080/dir1/abc/def/x.htm
/dir1                      http://<host>/dir1         http://<host>/dir1/abc/def/x.htm
https:///dir1/             https://<host>/dir1/       https://<host>/dir1/abc/def/x.htm
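The mapping in Table 12, together with the response-code and Connection options described earlier, as an added Python model (not Crescendo's code). The regular expression, the function names, defaulting to http when no scheme is given, and the check on the copied request path are assumptions of this sketch; the guide does not describe how the device validates the path.

```python
"""Added example: build the redirect the text describes from a "redirect to" value."""
import re

# General anatomy: [scheme://][host][:port][/path]; every part is optional.
REDIRECT_TO = re.compile(
    r"(?:(?P<scheme>https?)://)?"
    r"(?P<host>[^/:\s]*)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/\S*)?"
)
CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def location(redirect_to, request_host, request_path,
             preserve_path=False, default_scheme="http"):
    """Return the Location header value for one request."""
    match = REDIRECT_TO.fullmatch(redirect_to)
    if not redirect_to or match is None:
        raise ValueError(f"unsupported 'redirect to' value: {redirect_to!r}")
    scheme = match["scheme"] or default_scheme   # assumption: http when omitted
    host = match["host"] or request_host         # empty host keeps the request's host
    port = f":{match['port']}" if match["port"] else ""
    path = match["path"] or ""
    if preserve_path:
        # Added safeguard (not described in the guide): the request path is
        # client-controlled, so refuse anything that could split the header.
        if not request_path.startswith("/") or CONTROL_OR_SPACE.search(request_path):
            raise ValueError("request path cannot be copied into Location")
        path = path.rstrip("/") + request_path   # avoids "dir1//abc"
    return f"{scheme}://{host}{port}{path}"


def status_code(http_version, permanent=False):
    """301 when permanent; otherwise 307 for HTTP/1.1 clients and 302 for HTTP/1.0."""
    if permanent:
        return 301
    return 307 if http_version == "HTTP/1.1" else 302


def redirect_response(redirect_to, request_line, request_host, *,
                      preserve_path=False, permanent=False, keep_alive=True):
    """Return (status, headers) for a request line such as 'GET /a HTTP/1.1'."""
    _method, target, version = request_line.split(" ", 2)
    headers = {
        "Location": location(redirect_to, request_host, target, preserve_path),
        "Connection": "keep-alive" if keep_alive else "close",
    }
    return status_code(version, permanent), headers


if __name__ == "__main__":
    # "<host>" stands for the Host header of the original request, as in Table 12.
    for value in ("https://", ":8080/dir1", "www.site.com/dir1/"):
        print(value,
              location(value, "<host>", "/abc/def/x.htm"),
              location(value, "<host>", "/abc/def/x.htm", preserve_path=True))
    print(redirect_response("https://", "GET /abc/def/x.htm HTTP/1.1",
                            "www.site.com", preserve_path=True))
```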
Configuring HTTP Redirection Rules
The following section outlines the steps required to configure HTTP redirection rules
through the CLI and GUI.
To Configure Redirection from the CLI
Command Syntax:
virtual name rule { hostname variable | no-hostname | any-hostname |
file-ext variable | no-file-ext | any-file-ext | url variable |
no-url | any-url | language variable | no-language | any-language}
rule_priority_[1100] {to-cluster cluster | redirect url | deny}
Prompt level - Configure
Example commands:
config> virtual Virtual-1 rule any-hostname file-ext jpg any-url any-language redirect http://www.test.com/
config> show virtual Virtual-1 rule
To Configure Redirection from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Virtual Servers icon by clicking the + symbol
then click on the specific Virtual Server icon.

Figure 57: Configuring HTTP Redirection
3. The HTTP Redirection rules can be found in the Redirection tab.
4. Select a blank row, and then configure the desired variables either by selecting one of
the options from the drop-down menu (for example, Don't Care or Doesn't Exist) or by
clicking in the variable window and entering the desired text.
5. Click Apply.

Chapter 9 Compression
Chapter 9 introduces and explains the configuration of the Compression module.
Before Proceeding.
Compression Module Overview.
Compression Module Configuration.
Global Configuration (Browser/File Exceptions).
Before Proceeding
In order to proceed with configuring Compression, the following steps should be satisfied.
Management connectivity, whether through Serial Console or via Management
Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 5. Initial Configuration &
Global Settings.
Server(s) configured in at least one HTTP cluster. Please see Chapter 7. Server Topology
Farms/Clusters/Real Servers.
Compression Module Overview
The compression feature requires the installation of an optional hardware compression
module. If you are interested in purchasing the compression module, please contact your
local sales representative or email sales@crescendonetworks.com.
The Maestro AFE utilizes industry standard gzip and deflate-compression algorithms
accepted by most Web browsers for HTTP content. Not all content is compressible;
therefore, the Maestro AFE determines compressibility by analyzing the mime-type
defined in server responses. If the content matches a configurable list of compressible
mime-types, the Maestro AFE compresses and forwards the data to the end-user.
Otherwise, non-compressible data is forwarded normally.
The compression module also includes a global set of compression rules that act based on
browser characteristics and file extensions. These rules can be used in order to compensate
for certain browsers that have issues either with all compression or with specific file types.
The global rules override individual profiles and apply to all traffic compressed by the
Maestro AFE.
Compression Profile Configuration
Sample mime-types
The full list of mime-types is available at the Internet Assigned Numbers Authority (IANA)
website at http://www.iana.org/assignments/media-types/.
Below is a sample of common mime-types:
Table 13: Common Mime-types Sample
Mime-type (includes type/subtype)  File Extension
application/x-javascript           js
application/xml                    xml xsl
image/bmp                          bmp
image/jpeg                         jpeg jpg jpe
text/html                          html htm
text/plain                         asc txt
Configuring Compression
Configuring compression requires the following steps.
Create a compression profile.
Define mime-types for use with compression profile.
Apply compression profile to a Cluster.
To create a compression profile from the CLI
The Compression Module enables a great deal of flexibility with regard to Profile
configuration. For example, a Profile can be created with a default action of exclude,
meaning no data will be compressed unless mime-types are added with the include
setting. Alternatively, a profile could be created with a default action of include,
meaning all data will be compressed except for that with mime-types specifically defined
as exclude.
Command Syntax
compression profile profile_name [include | exclude]
Prompt level - Configure
Example commands:
config> compression profile Cmp-Profile-1 exclude
To configure mime-types for a policy from the CLI
The Maestro AFE parses the server response headers for matching mime-type information.
If a match is found, and the content being sent is greater than 128 bytes, the Maestro AFE
will compress the content. Mime-types are listed as a type and sub-type in the format of:
type/sub-type. When configuring mime-types for a Compression Profile, you can choose to
specify the exact mime type, like text/plain, or specify only the type, like text.
Specifying only the type will ensure that all content within the specific type will be
included or excluded for compression by the Maestro AFE without having to input each
individual mime-type.
Command Syntax
compression mime-type profile_name content-type [include | exclude]
Prompt level Configure
Example commands:
config> compression profile test_profile exclude
config> compression mime-type test_profile text/html include
config> compression mime-type test_profile text/plain
To display compression configuration information from the CLI
Command Syntax
show compression
Prompt level Root
Example commands:
crescendo> show compression
To create a compression profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on Compression under the Services icon.

Figure 58: Creating a Compression Profile
3. Click on the New button to display the Add New Compression Profile window
shown below.

Figure 59: Add a New Compression Profile
4. Specify the Profile Name and Action. If Include is chosen, the profile will include all
data types for compression. If Exclude is chosen, the profile will not perform
compression for any mime-type, except for types manually added in the next step.
To configure mime-types for a policy from the GUI
1. Custom mime-types can be configured for inclusion or exclusion within a compression
profile. Once the profile is created, click on the profile name in the Topology panel to
display profile details.

Figure 60: Importing a Private Key
2. Data types are added as HTTP mime-types. Click on a blank entry in the Mime-Type
table to enable the ability to add a mime-type and action.
To apply compression profile to a Cluster from the CLI
Command Syntax
service compression profile-name
Prompt level Configure Farm Cluster
Example commands:
Cluster Cluster1> service compression Cmp-Profile-1
To apply compression profile to a Cluster from the GUI
Compression profiles can be associated with a Cluster containing one or more servers.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on a Cluster under the Topology Farm Cluster icon.
This will display the Cluster configuration settings as shown in the figure below.

Figure 61: Applying a Compression Profile to a Cluster
3. Check the box next to Compression and choose the correct Profile created in the
previous steps.
Global Configuration (Browser/File Exceptions)
The compression module includes a global set of compression rules that act based on
browser characteristics and file extensions. These rules can be used in order to compensate
for certain browsers that have issues either with all compression or with specific file types.
The global rules override individual profiles and apply to all traffic compressed by the
Maestro AFE.
Configuring Browser/File Exceptions
The following section outlines the configuration steps required for configuring the global
compression actions for the Maestro AFE, including browser type/version and file
extensions.
Each rule must include a browser and a file extension.
To Configure Global Configuration Rules from the CLI
Command Syntax
compression default-action file-ext {name | id} {name or id}
{include | exclude | mime-type}
Prompt level Configuration
Example commands:
config> compression default-action css id 23 exclude
config> show compression default-action
To View the Browser IDs from the CLI
The following command displays the browser/version ID list for use with configuring
default-action rules through the CLI.
Command Syntax
show classified-user-agent
Prompt level Root
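How the pieces of this chapter combine into one decision, as an added Python model (not Crescendo's code): the 128-byte threshold, a profile's default action, its mime-type entries, and the global browser/file-extension rules that override the profile. Treating an exact type/sub-type entry as more specific than a type-only entry, reading the global action mime-type as "defer to the profile", and browser ID 7 are assumptions of the sketch; the profile and the css/23 rule reuse the example commands above.

```python
"""Added example: the compression decision described in this chapter."""
from dataclasses import dataclass, field

MIN_BYTES = 128                  # content must be greater than 128 bytes
ACTIONS = ("include", "exclude")


@dataclass
class Profile:
    name: str
    default_action: str          # used when no mime-type entry matches
    mime_types: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.default_action not in ACTIONS:
            raise ValueError(f"unknown default action {self.default_action!r}")

    def add(self, content_type, action):
        """Counterpart of: compression mime-type <profile> <content-type> <action>."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.mime_types[content_type.strip().lower()] = action

    def action_for(self, content_type_header):
        """Action for a response's Content-Type header value (parameters ignored)."""
        media = (content_type_header or "").split(";")[0].strip().lower()
        major = media.split("/")[0]
        # Assumption: an exact type/sub-type entry beats a type-only entry.
        for key in (media, major):
            if key and key in self.mime_types:
                return self.mime_types[key]
        return self.default_action


def extension_of(path):
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def should_compress(profile, global_rules, browser_id, path, content_type, length):
    """global_rules maps (browser_id, file_ext) to include, exclude or mime-type."""
    if length <= MIN_BYTES:
        return False
    # Global rules override the profile and apply to all compressed traffic.
    action = global_rules.get((browser_id, extension_of(path)), "mime-type")
    if action == "mime-type":    # assumption: fall back to the cluster's profile
        action = profile.action_for(content_type)
    return action == "include"


# Built from the example commands in the text.
TEST_PROFILE = Profile("test_profile", "exclude")
TEST_PROFILE.add("text/html", "include")
GLOBAL_RULES = {(23, "css"): "exclude"}

if __name__ == "__main__":
    print(should_compress(TEST_PROFILE, GLOBAL_RULES, 23, "/index.html",
                          "text/html; charset=utf-8", 5000))   # profile entry
    print(should_compress(TEST_PROFILE, GLOBAL_RULES, 23, "/notes.txt",
                          "text/plain", 5000))                  # default action
    everything = Profile("all", "include")
    print(should_compress(everything, GLOBAL_RULES, 23, "/site.css",
                          "text/css", 5000))                    # global override
```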
To Configure Global Configuration Rules from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, expand the Services icon and click on the Compression icon.

Figure 62: Configuring Global Configuration Rules
3. Click on a blank rule, and input the Browser Group, Version, File Extension, and
Action variables.

Chapter 10 SSL Acceleration
Chapter 10 introduces and explains the configuration of the SSL Acceleration module.
Before Proceeding.
Overview of the SSL Acceleration Module.
Configuration Preparation.
Configuring a Real or Virtual Server.
Importing or Creating a Private Key.
Importing or Creating a Certificate.
Creating a Cipher Profile.
Configuring an SSL Server Profile (Client-side SSL).
Configuring an SSL Client Profile (Server-side SSL).
Before Proceeding
In order to proceed with configuring SSL Acceleration, the following steps should be
satisfied.
Management connectivity for each unit, whether through Serial Console or via
Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 3. Introduction
to the Command Line Interface.
Server(s) configured in at least one cluster. Please see Chapter 7. Server Topology
Farms/Clusters/Real Servers.
Overview of the SSL Acceleration Module
The Maestro AFE terminates inbound SSL connections from requesting clients. Requests
are then processed and sent from the Maestro AFE to the server over an existing backend
connection. By default, communication with backend servers utilizes unencrypted (i.e.
clear text) HTTP. For implementations which require encryption to the server, the Maestro
AFE can be configured with an SSL Client Profile. This profile enables the Maestro AFE to
maintain a configurable number of encrypted backend connections using HTTPS, ensuring
that all data is transmitted to the server using SSL.
The SSL module provides a significant level of processing off-load from the server.
Furthermore, the Maestro AFE provides a centralized facility for managing all SSL keys
and certificates. All SSL functions can be aggregated on to the Maestro AFE instead of
having to modify each new server added or removed from the environment.
Configuration Preparation
SSL Acceleration Configuration Outline
Configuring SSL Acceleration requires the following steps:
Create a Virtual Server on port 443.
    SSL is customarily configured to operate on TCP port 443. However, the Maestro
    AFE can provide SSL Acceleration on any port designated by the virtual server.
Create or import an SSL private key.
Create or import an SSL certificate, or create an SSL Certificate Request for submission
to a Certificate Authority.
Create a Cipher Profile, or use the default list.
Create an SSL Server Profile.
Map the SSL Server Profile to a Virtual Server.
By default all communication to the server, even if originally terminated as SSL, is
transmitted from the Maestro AFE as HTTP. This section also outlines the configuration of
server-side SSL using a Client-Profile which enables encrypted communication
between the Maestro AFE and the backend server.
Server Configuration
This section outlines the various methods in which the Maestro AFE and server are
configured to support applications encrypted with SSL.
Virtual Server Providing SSL only
To configure a Virtual Server (VIP) which only accepts encrypted HTTPS communication
and communicates with the backend server over unencrypted HTTP, the following logical
configuration would apply:
Virtual Server 10.1.1.100 TCP port 443
Mapped to Cluster-1
Server-1 TCP port 80

The server configuration and further SSL configuration is covered later in this chapter.
Virtual Server Providing HTTP and SSL to Single Cluster
To configure a Virtual Server (VIP) with HTTP and SSL Acceleration, create two Virtual
Servers each configured to listen on a different port, mapped to the same cluster. For
example:
Virtual Server 10.1.1.100 TCP port 80
Mapped to Cluster-1
Server-1 TCP port 80

Virtual Server 10.1.1.100 TCP port 443
Mapped to Cluster-1
Server-1 TCP port 80

In this example, the server has the entire website or application available over port 80.
Depending on the authentication and content control mechanisms being used, it may not
be desirable to have content accessible over HTTP (port 80) which would otherwise only be
accessible via HTTPS (port 443). If this is the case, proceed to the following example.
Virtual Server Providing HTTP and SSL to Two Clusters
As discussed in the previous section, some applications being offloaded by the Maestro
AFE may require originally encrypted content to be served through a different Web service
running on the same server. For example, depending on the authentication and content
control mechanisms being used, it may not be desirable to have content accessible
over HTTP (port 80) which would otherwise only be accessible via HTTPS (port 443). In
these cases, it is advisable to serve content which is only intended to be accessed by users
over HTTP on port 80 of the server. Content intended to be accessed by
users using HTTPS should be served over a different port (a separate Web server instance),
port 81 for example. All communication to the backend server is still offloaded, using only
HTTP communication; however, the data is now secured, preventing a user accessing the
site with HTTP from viewing or downloading content which should only be accessed via
HTTPS. The configuration of such a setup looks as follows:
Virtual Server 10.1.1.100 TCP port 80
Mapped to Cluster-1
Server-1-80 TCP port 80

Virtual Server 10.1.1.100 TCP port 443
Mapped to Cluster-2
Server-1-81 TCP port 81

Different server names are used to differentiate the port being configured.
All communication to the server, even if originally terminated as SSL, is transmitted from
the Maestro AFE as HTTP.
Preparation
In preparation for configuring SSL Acceleration, the following steps will need to be
completed:
If your servers are currently using SSL, the Private Keys and Certificates must be
exported as individual files so they can be imported into the Maestro AFE.

There should be one file for the private key, and one file for the certificate which
includes the public key.

The files must be in PEM (.pem) format.

The key cannot have a pass phrase (password) associated with it.

In addition to being in PEM format, the certificate file must have the correct text
information at the beginning of the certificate.
Before proceeding, read Converting Keys, Certificates, and Chained Certificates on page 178
for detailed steps to modify, convert, and verify the format of keys and certificates.
OpenSSL can be used to modify, convert, and verify the format of the keys and certificates
before being imported into the Maestro AFE. OpenSSL can be downloaded for free for
most popular operating systems (including binary versions for Windows machines) at
http://www.openssl.org. See Converting Keys, Certificates, and Chained Certificates on
page 178 for detailed information before proceeding.
If you do not have a valid SSL key(s) or certificate(s), they should be requested from a
Certificate Authority (for example, Verisign or DigiCert). The Maestro AFE enables
you to create your own private key which is associated with a Certificate Request. The
Certificate Request can then be sent to a Certificate Authority to be officially signed
and validated.
The SSL Configuration requires the Maestro AFE to import and/or export files from an
FTP server. Therefore, the ftp-record should be configured in the Maestro AFE
configuration. As discussed in Chapter 5. Initial Configuration & Global Settings, the ftp-
record specifies an available FTP server, user credentials, and home directory.
Configuring a Virtual Server
Configure Real or Virtual Server
Chapter 8. Virtual Servers, URL Rewriting, and L7 Switching / Redirection discusses how to
create a Virtual Server. The virtual server should be configured on the TCP port used for
SSL by clients accessing the application. The examples presented throughout this
document assume that SSL is operating on port 443.
Importing or Creating a Private Key
Use the following steps to import or create a private key. If creating a key, the key size
can be specified as a value between 384 and 2048 bits.
When importing files into the Maestro AFE, the ftp-record must be configured correctly
and the files being imported must reside on the associated FTP server. Please see Chapter 5.
Initial Configuration & Global Settings.
Importing or Creating a Private Key
To import a private key from the CLI
Command Syntax
ssl key name {import | export} filename
Prompt level - Configure
Example commands:
config>ssl key Key-1 import Key1.pem
To import a private key from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then
expand the SSL icon.
3. Click on the Key icon and click the New button.

Figure 63: Importing a Private Key
The Add New Key window will appear.

Figure 64: Importing a Private Key - Add New Key Window
4. Specify a key name, check the Import box, and provide the file name of the key and
click Apply. The Maestro AFE will automatically log in and download the file based
on the FTP information configured for the ftp-record command.
The imported key will be displayed under Services -> SSL -> Key.
To create a private key from the CLI
Command Syntax
ssl key name [key-size 384-2048]
no ssl key name
Prompt level - Configure
Example commands:
config>ssl key Key-1 1024
To create a private key from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then
expand the SSL icon.
3. Click on the Key icon and click the New button.

Figure 65: Creating a Private Key
The Add New Key window will appear.

Figure 66: Creating a Private Key - Add New Key Window
4. Specify a key name and size (between 384 and 2048) and click Apply.
The created key will be displayed under Services -> SSL -> Key.
Importing or Creating a Certificate
The Certificate is associated with the Private key created or imported in Configuring a
Virtual Server on page 160. The certificate configuration involves one of the following steps:
Import an existing, signed and valid, certificate from a Certificate Authority.
Create a Certificate Request which is then exported from the Maestro AFE and sent to a
Certificate Authority for validation. The signed certificate received from the Certificate
Authority is then imported into the Maestro AFE.
Create a self-signed certificate. This certificate is not validated by a Certificate
Authority and should typically be used only for testing purposes. Clients accessing
accelerated servers using a self-signed certificate will receive a security message from
their browser.
When an SSL client receives a certificate from a server, it checks the Certificate Authority
(CA) that authorized the certificate and if that CA is trusted, then the certificate itself can be
trusted. Servers may also send the client a Certificate Chain which is essentially a series of
certificates. A Chained Certificate allows SSL hierarchies to be conveyed from a server to a
client. In a Chained Certificate, the first certificate is always that of the sender itself (i.e. the
server). The second certificate is of the CA that authorized the sender's certificate. The
third certificate is of the CA that authorized the second certificate, and so on. As long as
the client can validate the last certificate in the chain, the entire chain is trusted.
The Maestro AFE supports both individual certificates and chained certificates without any
special configuration.
Importing or Creating a Certificate
To import a certificate from the CLI
Command Syntax
ssl certificate name key-name {export | import} name
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 import Cert.pem
To import a certificate from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then
expand the SSL icon. Click on the Certificate icon and click the New button.

Figure 67: Importing a Certificate
The Add New Certificate window will be displayed.
3. Even though a certificate will be imported, all fields should still be filled out. If any of
the field values are different than those in the actual certificate, they will be
overwritten by the correct values from the imported certificate. Make sure the key
name specified is the correct key which will correspond with the certificate to be
imported.

Figure 68: Importing a Certificate - Add New Certificate Window
4. Do not check the Self Signed box. Click Apply.
The Maestro AFE will automatically log in and download the file based on the FTP
information configured for the ftp-record command.
To create a certificate request from the CLI
The following command generates a new interactive certificate request which is exported
to the FTP server and directory specified in ftp-record. Once the command is issued, the
user will be prompted to answer a series of questions regarding the Certificate to be
requested.
Before a certificate request can be created, a key must be created as discussed in Importing
or Creating a Private Key on page 160.
Command Syntax
ssl certificate name key-name [export-name]
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 export Request.pem
Output:
Enter Subject Country (2 characters): US
Enter Subject State: CA
Enter Subject Locality: San Jose
Enter Subject Org: Sample, Co.
Enter Subject Common: www.sample.com
Enter Subject Email address: admin@sample.com
Use quotation marks for values which contain spaces.
To create a certificate request from the GUI
Before a certificate request can be created, a key must be created as discussed in Importing
or Creating a Private Key on page 160.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then
expand the SSL icon. Click on the Certificate icon and click the New button.
3. The Add New Certificate window will be displayed.

Figure 69: Creating a Certificate Request - Add New Certificate 1
4. Specify a name for the certificate and the associated Key name for the key created in the
previous step. Complete the subject information.
5. Do not check the Self Signed box. Click Apply.

Figure 70: Creating a Certificate Request - Add New Certificate 2
6. Once created, click on the Certificate Name created in the previous step under
Services -> SSL -> Certificates.
7. Check the Export box, and provide the file name of the Certificate Request and click
Apply. The Maestro AFE will automatically log in and upload the file based on the
FTP information configured for the ftp-record command.
The Certificate Request should then be retrieved from the FTP server and submitted to
a Certificate Authority for validation.
Once a signed and valid certificate has been received from the Certificate Authority, it
should be placed on the FTP server and uploaded to the Maestro AFE.
8. To upload the certificate, click on the Certificate Name created in the previous step
under Services -> SSL -> Certificates.
9. Check the Import box, and provide the file name of the certificate to be uploaded.
Click Apply.
To create a self-signed certificate from the CLI
A self-signed certificate is not validated by a Certificate Authority and should typically be
used only for testing purposes. Clients accessing accelerated servers using a self-signed
certificate will receive a security message from their browser.
Command Syntax
ssl certificate name key-name self-signed export export-file-name
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 self-signed export cert-1.pem
To create a self-signed certificate from the GUI
Before a self-signed certificate can be created, a key must be created as discussed in
Importing or Creating a Private Key on page 160.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then
expand the SSL icon. Click on the Certificate icon and click the New button.
3. The Add New Certificate window will be displayed.

Figure 71: Creating a Certificate Request - Add New Certificate 2
4. Specify a name for the certificate and the associated Key name for the key created in the
previous step. Complete the subject information.
5. Check the Self Signed box and specify the number of days the certificate should be
valid. Click Submit.
Cipher Profile
The cipher is the algorithm used for encryption and decryption. Typically, the client and
server have the ability to use several different ciphers. During the initiation of the SSL
session, the cipher to be used is negotiated between the two end points. The Maestro AFE
supports many ciphers used by different client browsers.
Creating a Cipher Profile
The available ciphers on the Maestro AFE can be configured with a Cipher Profile.
Therefore, an administrator can specify the exact ciphers (encryption methods) they
would like to use for their application.
It is not mandatory to create a Cipher Profile. If no profile is created and associated with a
Server Profile, the Maestro AFE will simply negotiate the cipher based on the default list.
The following steps are required for creating a Cipher Profile:
1. Create a Cipher Profile.
2. Add Cipher types to the profile with associated priorities for negotiation.
To create a cipher profile from the CLI
The following command creates a cipher profile. Once created, the profile does not contain
any ciphers. Proceed to the following section to learn how to add cipher types to the
profile.
Command Syntax
ssl cipher profile profile-name
Prompt level - Configure
Example commands:
config>ssl cipher profile Profile-1
To add cipher types to a cipher profile from the CLI
The following command adds individual cipher types to a profile configured in the
previous step. The available cipher types are as follows:
EXP1024-RC4-MD5.
EXP1024-RC4-SHA.
AES128-SHA.
AES256-SHA.
RC4-MD5.
EXP-RC4-MD5.
RC4-SHA.
DES-CBC-SHA.
DES-CBC3-SHA.
ADH-RC4-MD5.
A priority is also associated with each cipher entry. The priority is used during cipher
negotiation between the Maestro AFE and the client.
Command Syntax
ssl cipher type profile-name cipher-type cipher-priority
Prompt level - Configure
Example commands:
config>ssl cipher type Profile-1 RC4-SHA 1
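The cipher type list above includes export-grade (EXP, EXP1024), anonymous Diffie-Hellman (ADH), single-DES and RC4 suites, which give little or no protection. The following added example (not from the Maestro AFE guide) filters that list and emits cipher profile commands in the page's syntax for the remaining ciphers. The function names, the ranking, and the assumption that priority 1 is negotiated first are this example's own.

```shell
#!/bin/sh
# Added example, not from the Maestro AFE guide. Cipher names and the
# "ssl cipher" command syntax are taken from the page; function names and
# the ranking are this example's own.

# Cipher types the page lists as available for a cipher profile.
PAGE_CIPHERS="EXP1024-RC4-MD5 EXP1024-RC4-SHA AES128-SHA AES256-SHA RC4-MD5
EXP-RC4-MD5 RC4-SHA DES-CBC-SHA DES-CBC3-SHA ADH-RC4-MD5"

# Print the reasons (space separated) to leave a cipher type out of a
# profile; print an empty line when none applies.
cipher_weakness() {
    reasons=""
    # EXP / EXP1024: export-grade suites with deliberately shortened keys.
    case "$1" in EXP-*|EXP1024-*) reasons="$reasons export-grade" ;; esac
    # ADH: anonymous Diffie-Hellman, the server is never authenticated.
    case "$1" in ADH-*) reasons="$reasons anonymous-dh" ;; esac
    # RC4: stream cipher with known keystream biases.
    case "$1" in *RC4*) reasons="$reasons rc4" ;; esac
    # DES-CBC-SHA: single DES, 56-bit key (DES-CBC3-SHA does not match).
    case "$1" in DES-CBC-*) reasons="$reasons single-des" ;; esac
    echo "${reasons# }"
}

# Preference among the ciphers that pass the filter (lower is preferred).
# 3DES is kept only as a last-resort fallback.
cipher_rank() {
    case "$1" in
        AES256-*)   echo 1 ;;
        AES128-*)   echo 2 ;;
        DES-CBC3-*) echo 3 ;;
        *)          echo 9 ;;
    esac
}

# Emit the profile commands for profile $1 from the candidate ciphers in
# the remaining arguments. Assumption: priority 1 is negotiated first.
gen_cipher_profile() {
    profile=$1; shift
    echo "ssl cipher profile $profile"
    for c in "$@"; do
        if [ -z "$(cipher_weakness "$c")" ]; then
            echo "$(cipher_rank "$c") $c"
        fi
    done | sort -n |
        awk -v p="$profile" '{ print "ssl cipher type " p " " $2 " " NR }'
}

# Print "cipher: reasons" for every candidate that would be left out.
rejected_ciphers() {
    for c in "$@"; do
        why=$(cipher_weakness "$c")
        if [ -n "$why" ]; then echo "$c: $why"; fi
    done
}

# Stand-alone use: sh cipher_profile.sh Profile-1
if [ "$#" -eq 1 ]; then
    gen_cipher_profile "$1" $PAGE_CIPHERS
    rejected_ciphers $PAGE_CIPHERS >&2
fi
```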
To create a cipher profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then
expand the SSL icon. Click on the Cipher icon and click the New button.
3. The Add New Cipher window will be displayed.

Figure 72: Creating a Cipher Profile
4. Input a Cipher Profile Name and click Apply.
5. By default, no Ciphers will be selected for the newly created profile. Follow the steps
outlined in the next section.
To add cipher types to a cipher profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then
expand the SSL icon, and the Cipher icon. Click on the Cipher Profile created in the
previous section.

Figure 73: Adding Cipher Types to a Cipher
3. In the right panel, select the cipher type from the Available window and click the Add
button to move it to the Selected window.
4. Once a cipher type is selected, its priority (shown in parenthesis) can be changed by
clicking on the cipher type, and then clicking either of the single up/down arrows.
Configuring an SSL Server Profile (Client-side SSL)
The Server Profile consolidates the individual SSL components: key, certificate, cipher
profile, etc. Additional information is then configured. Once created, the Server Profile
can be associated with one or more Virtual Servers, enabling SSL Acceleration.
SSL Server Profile Configuration Outline
An SSL Server Profile is configured within the Services -> SSL section of the GUI and
applied at the Virtual Server level.
To create an SSL server profile from the CLI
Command Syntax
ssl server-profile [name] [certificate name] [cipher-profile name]
[SSL-3] [cipher-selection {server | client}]
Prompt level - Configure
Example commands:
config>ssl server-profile Profile-1 Certificate-1 SSL-3 TLS-1
Cipher Selection specifies which end point will have priority over
determining the selected cipher. The options are client or server.
Selecting server enables the Maestro AFE to make the decision.
To create an SSL server profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then
expand the SSL icon. Click on the Server Profile icon and click the New button.

Figure 74: Adding Cipher Types to a Cipher
3. The Add Server Profile window will be displayed.

Figure 75: Adding Cipher Types to a Cipher
4. Specify a Profile name and select the associated Certificate and Cipher profile.
5. Cipher Selection specifies which end point will have priority over determining the
selected cipher. The options are client or server. Selecting server enables the
Maestro AFE to make the decision.
To apply an SSL server profile to a Virtual Server from the CLI
SSL Acceleration will function once an SSL Server Profile is associated with an existing
Virtual Server or Cluster.
Command Syntax
virtual server-name ssl profile-name
Prompt level - Configure
Example commands:
config> virtual Virtual-1 ssl SSL-Profile-1
To apply an SSL server profile to a Virtual Server from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Topology icon by clicking the + symbol then
expand the Virtual icon. Select the desired Virtual Server.

Figure 76: Applying an SSL Server to a Virtual Server
3. In the right panel, check the SSL box and choose the desired profile from the pull-
down menu.
4. Click Apply.
Configuring an SSL Client Profile (Server-side SSL)
When a Server Profile is configured, the Maestro AFE terminates HTTPS client connections
(i.e. acting as the server) and communicates with the backend servers using clear text HTTP
by default. For implementations which require data to be encrypted all the way to the
server, an SSL Client Profile can be configured on the Maestro AFE. The Client Profile
enables the Maestro AFE to open and maintain the backend connections using HTTPS (i.e.
acting as the client).
SSL Client Profile Configuration Outline
An SSL Client Profile is configured within the Services -> SSL section of the GUI and
applied at the cluster level. The following items should be considered when implementing
server-side SSL.
Verify that the servers defined in the cluster have the appropriate TCP port number
configured for HTTPS communication.

SSL traditionally operates on TCP port 443.
To create an SSL Client Profile from the CLI
Command Syntax
ssl client-profile [name] [key name] [cipher-profile name | no-cipher-profile]
[SSL-2 | no-SSL-2] [SSL-3 | no-SSL-3] [TLS-1 | no-TLS-1]
Prompt level - Configure
Example commands:
config>ssl client-profile Client-1 SSL-2 SSL-3 TLS-1
To create an SSL Client Profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Topology icon by clicking the + symbol then
expand the Services icon. Highlight the SSL icon and click the + icon to expand the
available options. Highlight the Client Profile icon and click the New button.

Figure 77: Creating an SSL Client Profile
3. In the right panel, specify a Client Profile Name and select the desired Protocols.
4. Key, Cipher Profile, Server Certificate, and Verify Server options are not required for
configuration.
5. Click Apply.
To apply an SSL Client Profile to a Cluster from the CLI
Command Syntax
service ssl client-profile-name
Prompt level - Configure Farm Cluster
Example commands:
Cluster-1> service ssl client-1
To apply an SSL Client profile to a Cluster from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Topology icon by clicking the + symbol then
expand the Farm icon. Highlight the desired Cluster icon.

Figure 78: Applying an SSL Profile to a Cluster
3. In the right panel, check the SSL box and select the desired Client Profile.
4. Click Apply.
Converting Keys, Certificates, and Chained Certificates
The Maestro AFE requires that keys and certificates be in PEM format. When exporting
keys and certificates from Web servers or other SSL offload devices, they may need to be
modified before being imported into the Maestro AFE. This section outlines how to verify
the correct format for keys and certificates, and if not correct, outlines the appropriate
procedure to convert them to the proper format before being imported.
Additionally, when exporting keys and certificates from Microsoft IIS servers, the key and
certificate are typically in a single PFX file and require manipulation. The steps for
exporting and properly converting files from a Microsoft IIS server are provided in this
section.
OpenSSL
All of the commands required for verifying and converting keys and certificates will use
OpenSSL. OpenSSL can be downloaded for free for most popular operating systems
(including binary versions for Windows machines) at http://www.openssl.org.
Keys
As previously discussed, the key must be a separate file. The key must also be in PEM
format and cannot have a pass phrase associated with it. The Maestro AFE will not
function properly if a key with a pass phrase is imported. To remove the pass phrase
follow the steps outlined in To remove the pass phrase on an RSA private key on page 179.
Sample Key file: The MII located after the -----BEGIN RSA PRIVATE KEY----- tag indicates
that the key is in PEM format.
-----BEGIN RSA PRIVATE KEY-----
MII...
-----END RSA PRIVATE KEY-----
To remove the pass phrase on an RSA private key
The following command should be input on a workstation with read and write access to
the key file. If you are unsure whether a private key file has a pass phrase, it is safe to run
the following command against the key; if the original key file does not have a pass phrase,
it will not be altered.
openssl rsa -in key.pem -out keyout.pem
You will be prompted for the current pass phrase before openssl will allow you to remove
it. Once the pass phrase has been removed, the new key can be properly imported into the
Maestro AFE.
Certificate
Like the key, the certificate must also be in PEM format. Additionally, the certificate must
include the text information within the certificate file. The following are samples
demonstrating the certificate file with and without the required text information. Follow
the steps outlined in 10.10.3.1 to properly format the certificate.
Sample Certificate in PEM format without text information. The MII located after the
-----BEGIN CERTIFICATE----- tag indicates that the certificate is in PEM format.
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

Sample Certificate in PEM format with text information:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=NJ, L=Tenafly, O=Crescendo Networks,
CN=www.test.com/emailAddress=admin@test.com
Validity
Not Before: Jun 25 08:28:23 2007 GMT
Not After : Jun 24 08:28:23 2008 GMT
Subject: C=US, ST=NJ, L=Tenafly, O=Crescendo Networks,
CN=www.test.com/emailAddress=admin@test.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:b3:c4:93:d8:5c:46:4c:26:4d:47:5f:f4:86:
ac:64:d2:e9:aa:ff:f3:05:56:1c:48:ee:ac:d7:26:
f0:a7:54:50:44:e4:cd:6b:79:66:34:b3:5c:0c:3b:
5b:7d:a3:d7:eb:99:21:2a:4d:2a:be:c2:61:58:84:
da:bb:22:57:a5:fc:4b:1b:a5:3a:5a:e4:58:67:10:
ef:62:b8:8f:0c:1d:70:c4:4f:bc:b1:29:18:c5:e4:
da:b1:14:e1:98:ca:57:4a:59:d5:cd:09:7d:e7:b1:
77:96:4d:d1:84:b0:97:4c:37:78:de:f4:06:fd:a5:
b7:e6:75:52:c8:50:15:31:b3
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
80:f5:a0:28:7a:75:78:f5:4a:28:eb:60:8c:76:b4:70:45:5f:
82:65:c3:b8:ac:6b:3b:ad:25:6e:1b:c9:15:ad:02:d6:1c:08:
65:44:28:62:a0:8f:1b:03:ed:20:77:ad:3c:86:28:6b:de:60:
3c:a8:88:48:7f:ba:87:5a:73:a1:18:3c:94:f4:81:c5:2d:83:
42:ae:8b:34:76:e5:1b:98:92:53:19:fa:74:32:6d:a5:a7:5c:
0d:b2:60:0d:d8:1c:40:fc:85:c5:db:c7:91:b0:a4:d4:f1:78:
33:27:0e:64:19:8f:9a:e2:e7:51:50:53:85:31:6e:13:32:ee:
8d:3f
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
To add text information to certificate in PEM format
The following command should be input on a workstation with read and write access to
the certificate file.
openssl x509 -in cert.pem -out certout.pem -text
Once the command has been completed, check the new certificate file to verify the
existence of the text information. The certificate will not import correctly without the text
at the beginning of the file.
Converting Certificates and Keys Exported from Microsoft IIS
Microsoft IIS server does not support the ability to export keys and certificates as separate
files in PEM format. Instead, a single PFX file is exported which includes the key and
certificate. Use the following instructions to properly export the PFX file from the IIS
server and then convert the file into a separate key and certificate file.
Exporting the Keys and Certificates from Microsoft IIS
Detailed Steps for migrating an SSL certificate from an IIS server to the Maestro
1. From the Run prompt, type mmc, and press Enter.
2. Go to Console->Add/Remove Snap-in.
3. Click on Add.
4. Select Certificates and click Add.
5. Select Computer Account and click Next and Finish.
6. Click Close and Ok.
7. Expand Certificates tree and expand Personal->Certificates.
8. Highlight the certificate you want to export.
9. Right-click on it and select All Tasks-> Export. The Export Welcome Screen loads.
10. Click Next.
11. On the next screen, you MUST select to export the private key. Select Yes, Export the
private key and click Next.
12. Check Include all certificates in the certificate path. Doing so guarantees the proper
exporting of all parent certificates if the certificate being exported is a chained
certificate.
13. Uncheck Enable Strong Protection. Then click Next.
14. On the next screen leave the two password fields blank, unless a password was
assigned when generating the key. Click Next.
15. Select a destination and file name. In this example, let's call it cert.pfx.
Converting the PFX File into Separate Key and Certificate Files
Once the certificate has been exported, open a command prompt window, go to the
directory where the certificate was saved, and type in the following commands:
openssl pkcs12 -in cert.pfx -out cert_temp.pem -nodes -nokeys <enter>
<enter>
Extract the private key from the PFX Certificate to a separate file
Run the following command to extract the key from the original certificate file:
openssl pkcs12 -in cert.pfx -out cert.key -nodes -nocerts <enter>
<enter>
If there is a password on the private key, you will need to enter it, otherwise, just press
enter twice.
Add required Header information to PEM certificate using OpenSSL
1. Check the contents of cert_temp.pem, to verify whether there is more than a single
certificate within the file. Every certificate in the file will have some existing header
information followed by a -----BEGIN CERTIFICATE----- tag, and ending with an
-----END CERTIFICATE----- tag. If there is only one certificate in the file, this means the
exported certificate was not a chained certificate, and you should therefore proceed to
step 21 now.
2. If, however, there is more than one certificate in the file, this means that a chained
certificate was exported from the IIS server, and additional steps need to be taken
before each certificate can be processed. For chained certificates, skip to Chained
Certificates on page 182.
3. Now, run the following command from the command prompt:
openssl x509 -in cert_temp.pem -out cert.pem -text
4. The last step is to validate that the certificate file and key file have the same signature,
that is, the same RSA modulus. To do this, run the following two commands, and verify that
the output strings match:
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5
5. Once you have verified the signatures, copy the two files onto the FTP server.
Chained Certificates
As explained above, if the PEM file contains more than one Certificate, this means that the
certificate that was exported from IIS was a chained certificate. The first step to handling a
chained certificate file is to separate each of the certificates into separate files.
Here are the detailed steps for handling a chained certificate (proceed with these steps after
completing steps above).
1. Cut and paste each certificate contained in the cert_temp.pem file into a separate text
file, by doing the following:
2. Cut and paste each certificate from and including the -----BEGIN CERTIFICATE-----
tag, up to and including the -----END CERTIFICATE----- tag.
There will be additional header information that precedes each certificate in the PEM file,
but you need not copy this header information into each new file; only the certificates
themselves need to be copied.
3. Name each certificate file sequentially. For example: chain_cert1.pem, chain_cert2.pem,
etc... This is important, as the order of the certificates will need to be preserved at the
end of this process.
4. After the certificates are separated into separate files, run the following OpenSSL
command for each certificate file, to add the necessary header:
openssl x509 -in chain_cert1.pem -out cert1_with_header.pem -text
5. Once all certificate files have been converted to include a header, merge the contents of
the individual certificate files into a single new file, called cert.pem. Make sure to paste
the certificates in the same order that they existed in the original certificate.
6. The last step is to validate that the certificate file and key file have the same signature,
that is, the same RSA modulus. To do this, run the following two commands, and verify that
the output strings match:
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5
7. Once you have verified the signatures, copy the two files onto the FTP server.
The key and certificate files are now ready to be imported into the Maestro AFE.
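The chained-certificate steps above, together with the pass phrase requirement from the Keys section, as an added shell example (not part of the original guide). File names follow the page; the function names are this example's own, and the certificate/key match is checked by comparing the modulus output directly instead of piping it through openssl md5.

```shell
#!/bin/sh
# Added example, not from the Maestro AFE guide: automates the chained
# certificate steps. File names follow the page (cert_temp.pem, cert.key,
# cert.pem, chain_certN.pem); function names are this example's own.

# Return 0 if the PEM key file $1 is protected by a pass phrase.
key_has_passphrase() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Steps 1-3: copy each BEGIN/END CERTIFICATE block of bundle $1 into
# $2/chain_cert1.pem, $2/chain_cert2.pem, ... in file order, dropping the
# header text between blocks. Prints the number of certificates found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain_cert" n ".pem"; copying = 1 }
        copying { print > out }
        /-----END CERTIFICATE-----/ { copying = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Steps 4-5: add the text header to each split file and merge them, in the
# original order, into $3. $1 is the split directory, $2 the count.
merge_with_headers() {
    : > "$3"
    i=1
    while [ "$i" -le "$2" ]; do
        openssl x509 -in "$1/chain_cert$i.pem" -text >> "$3" || return 1
        i=$((i + 1))
    done
}

# Step 6: succeed only if the first certificate in $1 (the server's) and
# the private key in $2 have the same RSA modulus.
modulus_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Whole procedure: bundle $1, key $2, merged output file $3.
prepare_chain() {
    if key_has_passphrase "$2"; then
        echo "key $2 still has a pass phrase; remove it first" >&2
        return 2
    fi
    work=$(mktemp -d) || return 1
    count=$(split_chain "$1" "$work")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $1" >&2
        rm -rf "$work"
        return 3
    fi
    merge_with_headers "$work" "$count" "$3" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    if ! modulus_match "$3" "$2"; then
        echo "certificate in $3 and key $2 do not match" >&2
        return 4
    fi
    echo "$3: $count certificate(s), text headers added, key matches"
}

# Stand-alone use: sh prepare_chain.sh cert_temp.pem cert.key cert.pem
if [ "$#" -eq 3 ]; then
    prepare_chain "$@"
fi
```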

11
VRRPc Redundancy
Chapter 11 discusses the VRRPc feature designed to provide redundancy between two
Maestro AFE units.
Before Proceeding.
VRRPc Overview.
VRRPc in Hot-Standby Mode.
VRRPc in Load-Sharing Mode.
Before Proceeding
In order to proceed with configuring VRRPc Redundancy, the following prerequisites should be
satisfied:
- Two Maestro AFE units should be properly mounted and installed.
- Management connectivity for each unit, whether through Serial Console or via
  Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 2, Maestro
  AFE Installation.
- At least one Data Interface on each unit configured with an IP Address and connected
  to the same network as the server(s) to be accelerated. Please see Chapter 5, Initial
  Configuration & Global Settings.
- Server(s) configured in at least one cluster. Please see Chapter 7, Server Topology
  Farms/Clusters/Real Servers.
VRRPc Overview
VRRPc is Crescendo Networks' proprietary redundancy protocol for Application Front
End devices. Implemented in a similar fashion to VRRP (using virtual MAC and IP
addresses), VRRPc extends the capabilities of traditional VRRP by enabling more
intelligent redundancy decisions. VRRPc tests more than the simple network availability
between two redundant devices that VRRP tests. It bases failover decisions on
upstream network device availability as well as application server health and connectivity.
VRRPc is configured by assigning a VRRPc IP address and ID number to each participating
interface of a Maestro AFE. Each device can be configured to health check upstream
routers or load balancers as well as verify the connectivity to servers configured for
acceleration. Each Maestro AFE compares its availability (ability to reach all configured
devices) and then determines which Maestro AFE should be active. In the event of unit
failure, or if the backup Maestro AFE has a greater level of successful connectivity to
servers and/or upstream devices, failover will take place, ensuring application availability.
VRRPc can be implemented in one of two ways: hot/standby or load-sharing (i.e.
active/active). In hot/standby mode, only one Maestro AFE will be active, while the other
unit remains dormant. Load-sharing mode enables two Maestro AFE units to be
simultaneously active, providing acceleration for different groups of servers at the same
time.
The configuration examples provided in the following sections pertain to the configuration
of two Maestro AFE devices. While most implementations will require an almost identical
configuration between devices, there are still small differences which are noted in the
Guidelines for each section.
VRRPc in Hot-Standby Mode
In hot-standby mode, only one Maestro AFE will be active at a given time.
VRRPc Hot-Standby Configuration Guidelines
- Configure interface IP Address and mask on each gigabit-ethernet interface. Each
  Maestro AFE will have different regular IP addresses.
- Configure VRRPc Virtual Router IP (VRIP) Address and Virtual Router ID (VRID). The
  VRIP and VRID defined will be identical between Maestro AFEs.
- The VRID must be a number within the range 1-255. The VRID should be different for
  each VRIP defined across all physical interfaces.
- All VRRPc configurations for hot-standby mode should utilize group-1 settings
  when defining VRRPc interfaces and virtual servers. Do not configure the second
  VRIP and VRID for group-2.
- Enable VRRPc in hot-standby mode.
To configure VRRPc IP and ID per interface from the CLI
Command Syntax
vrrpc [group-1 | group-2] VID# vrrpc-ip-address
Prompt level Configure > Gigabit Interface Configuration
Example commands:
gigabit-ethernet port 1> vrrpc group-1 100 1.1.1.150
gigabit-ethernet port 2> vrrpc group-1 200 2.1.1.150
If the Maestro AFE is installed as a router (i.e. when using passive mode), all devices
configured to route through the Maestro AFE should configure those routes to forward
through the VRRPc IP Addresses.
To configure VRRPc IP and ID per interface from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the Redundancy icon under Services. This will bring
up the General VRRPc Configuration settings as shown below.

Figure 79: Configuring VRRPc IP and ID Per Interface in Hot-Standby Mode
3. Select the Port or Aggregator to which you want to add a VRRPc IP address.
4. Highlight the existing IP interface to populate the configuration windows below.
5. Configure VRRP address and VRID. VRID 1 and VRRP IP 1 belong to group-1 while
VRID 2 and VRRP IP 2 belong to group-2. For Hot-Standby, only use group-1
settings.
To enable VRRPc globally from the CLI
Command Syntax
vrrpc [enable | disable] [hot-standby | load-sharing]
Prompt level Configure
Example commands:
config> vrrpc enable hot-standby
config> vrrpc disable
To enable VRRPc globally from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the Redundancy icon under Services. This will bring
up the General VRRPc Configuration settings as shown in the figure below.

Figure 80: Enabling VRRPc Globally in Hot-Standby Mode
3. Configure the Mode as Disable, Hot Standby, or Load Sharing.
To view VRRPc status information from the CLI
Command Syntax
show vrrpc
Once the VRRPc IP Addresses and IDs are configured for each interface, VRRPc must be
enabled globally. Once enabled, the Maestro AFE automatically takes into account
connectivity to existing servers. Therefore, routing may not work properly until
accelerated servers are defined in the configuration. Additionally, it is not required that
health checks be configured for upstream routers or load balancers. However, it is
recommended that these additional checks be configured to ensure the highest level of
availability.
VRRPc in Load-Sharing Mode (Active/Active)
Load-sharing enables two Maestro AFE units to be simultaneously active
while providing redundancy between each unit.
The concept of groups is used within the configuration to differentiate which servers
should be accelerated for a given Maestro AFE. For instance, each Maestro AFE will have
an identical farm, cluster, and server configuration, in which some of the Virtual Servers
will be defined as group-1 and some defined as group-2. Since each Maestro AFE has
the same configuration, either device could provide acceleration for each group of servers.
Using the VRRPc election mechanism, the two Maestro AFE units determine which should
provide acceleration for each group. This is determined based on connectivity to the
servers and other upstream devices such as load balancers or routers. If network
connectivity and server availability are the same for each Maestro AFE, then the MAC
address of each unit is used as the final arbitrator.
Essentially, if all things are equal (i.e. health and connectivity), the Maestro AFE with the
highest MAC address will provide acceleration for servers denoted as group-1 while the
unit with the lowest MAC address will provide acceleration for servers denoted as
group-2. VRRPc will then provide seamless failover between each Maestro AFE should there be
device or connectivity failure.
VRRPc Load-Sharing Configuration Guidelines
- Configure interface IP Address and mask on each gigabit-ethernet interface. Each
  Maestro AFE will have different regular IP addresses.
- Configure VRRPc Virtual Router IP Address (VRIP) and Virtual Router ID (VRID). The
  VRIP and VRID defined will be identical between Maestro AFEs.
- The VRID must be a number within the range 1-255. The VRID should be different for
  each VRIP defined across all physical interfaces.
- Assign VRRPc interfaces and virtual servers as either group-1 or group-2. When both
  Maestro AFE units are functioning simultaneously, each will be responsible for a
  different group which will include an interface and servers.
- Between redundant units, each VRID should correspond with each VRIP defined.
- Configure each Virtual Server with the appropriate VRRPc group (either group-1 or
  group-2).
- Enable VRRPc in load-sharing mode.
To configure VRRPc IP and ID per interface from the CLI
Command Syntax
vrrpc [group-1 | group-2] VID# vrrpc-ip-address
Prompt level Configure > Gigabit Interface Configuration
Example commands:
gigabit-ethernet port 1> vrrpc group-1 100 1.1.1.100
gigabit-ethernet port 1> vrrpc group-2 200 1.1.1.200
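The hot-standby and load-sharing guidelines above can be checked before VRRPc is enabled. The following is an added example, not Crescendo Networks code: the function names and the (port, command) input shape are assumptions, the commands follow the syntax shown above, and BAD_PEER is a constructed faulty configuration.

```python
import re
from ipaddress import ip_address

# Interface command syntax from the guide:
#   vrrpc [group-1 | group-2] VID# vrrpc-ip-address
VRRPC_RE = re.compile(r"^vrrpc (group-[12]) (\d+) (\S+)$")


def parse(unit_cmds):
    """Turn (port, command) pairs into a set of (port, group, vrid, vrip)."""
    entries = set()
    for port, cmd in unit_cmds:
        m = VRRPC_RE.match(cmd.strip())
        if not m:
            raise ValueError(f"not a vrrpc interface command: {cmd!r}")
        vrip = str(ip_address(m.group(3)))   # rejects malformed addresses
        entries.add((port, m.group(1), int(m.group(2)), vrip))
    return entries


def check_pair(unit_a, unit_b, mode):
    """Return the sorted guideline violations for two redundant units."""
    a, b = parse(unit_a), parse(unit_b)
    findings = set()
    for name, entries in (("A", a), ("B", b)):
        vrip_by_vrid = {}
        for port, group, vrid, vrip in entries:
            if not 1 <= vrid <= 255:
                findings.add(f"unit {name}: VRID {vrid} is outside 1-255")
            if vrip_by_vrid.setdefault(vrid, vrip) != vrip:
                findings.add(f"unit {name}: VRID {vrid} is used for more than one VRIP")
            if mode == "hot-standby" and group != "group-1":
                findings.add(f"unit {name}: {group} is configured in hot-standby mode")
    # VRIP and VRID must be identical between the two units.
    for port, group, vrid, vrip in a ^ b:
        findings.add(f"port {port} {group}: VRID {vrid} / VRIP {vrip} is on one unit only")
    return sorted(findings)


# The guide's own example commands, keyed by gigabit-ethernet port number.
HOT_STANDBY = [(1, "vrrpc group-1 100 1.1.1.150"), (2, "vrrpc group-1 200 2.1.1.150")]
LOAD_SHARING = [(1, "vrrpc group-1 100 1.1.1.100"), (1, "vrrpc group-2 200 1.1.1.200")]
# Constructed faulty peer: VRID typo on port 2 and an out-of-range VRID on port 3.
BAD_PEER = [(1, "vrrpc group-1 100 1.1.1.150"), (2, "vrrpc group-1 201 2.1.1.150"),
            (3, "vrrpc group-1 300 3.1.1.150")]

if __name__ == "__main__":
    for finding in check_pair(HOT_STANDBY, BAD_PEER, "hot-standby"):
        print(finding)
```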
To configure VRRPc IP and ID per interface from the GUI
See the example from the previous VRRPc in Hot-Standby mode section. VRID 1 and
VRRP IP 1 belong to group-1 while VRID 2 and VRRP IP 2 belong to group-2.
To Configure Virtual Servers for Load Sharing from CLI
Command Syntax
virtual virtual-server-name redundancy-group [1 | 2]
Prompt level Configure Farm Cluster
Example commands:
config> virtual Virtual-1 redundancy-group 1
To Configure Virtual Servers for Load Sharing from GUI
VRRPc variables can be configured for Virtual Servers.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the individual Virtual Server under the Virtual Server
icon. This will display the general Virtual Server Properties as shown in the figure
below.

Figure 81: General Virtual Server Properties
3. Configure the VRRP Group as group-1 or group-2. By default, servers are
configured as group-1.
To enable VRRPc globally from the CLI
Command Syntax
vrrpc [enable | disable] [hot-standby | load-sharing]
Prompt level Configure
Example commands:
config> vrrpc enable load-sharing
config> vrrpc disable
To enable VRRPc globally from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the individual Virtual Server under the Virtual Server
icon. This will display the general Virtual Server Properties as shown in the figure
below.

Figure 82: Enabling VRRPc Globally in Load-Sharing Mode

12
Monitoring the Maestro AFE
Chapter 12 provides a description and explanation about monitoring the Maestro AFE unit
and the accelerated farms, clusters, and servers using either the GUI-Based Maestro
Management system or the CLI.
Overview.
Viewing the Maestro AFE Summary.
Monitoring the Maestro AFE Unit.
Monitoring Farms, Clusters, and Servers.
Monitoring Attacks and Abnormal Network Behavior.
Overview
The Maestro Platform offers an intuitive tool for managing and monitoring the Maestro
AFE. The GUI is accessible via any Web browser, which launches the Java-based SNMP
management and monitoring tool. The GUI provides a simple method to configure the
Maestro AFE, while also accessing a rich level of statistical information about farms,
clusters, individual servers, or even the global statistics regarding the Maestro AFE and
how it is enhancing application performance. The following chapter describes the
Maestro's monitoring features with cross references to the relevant CLI monitoring
commands.
Viewing the Maestro AFE Summary Feature
Before going any further with the description and explanation of the monitoring feature, it
is important to introduce the Maestro AFE Summary feature. This feature serves as the
starting point for monitoring the Maestro AFE unit; it provides you with a visual display of
the following vital system information that summarizes your system's current status:
- Active Port Indicators (1-10, according to the Maestro AFE unit purchased).
- Server Inventory including the number of servers, clusters and farms, and the status of
  each.
- Traffic per port/Accelerated traffic.
- Maestro AFE Statistics.
- Events legend.
The Summary window enables you to view, at a glance, your system's current status, e.g.,
which servers are operational/failed, which Maestro AFE unit ports are configured, etc. To
open the Summary window, click the Summary button on the left panel.
Overview of the Summary Window

Figure 83: Summary Window
The Summary feature window contains the following information areas:
- System Status - This area contains current information about the total number of
  farms, clusters and servers configured, and how many are operational/failed.
- Traffic - This area contains the current graphical information about the traffic levels
  moving through the Maestro AFE ports, and how much of that traffic is accelerated.
- Acceleration Statistics - This area provides the current graphical information about
  two system acceleration indicators:
  - Transactions your system is handling.
  - Active clients your system is handling.
- Events legend - This legend contains a tri-color code that categorizes the system events
  as:
  - Red (X) = Critical.
  - Yellow (!) = Warning.
  - Green (i) = Informational.
Monitoring the Maestro AFE via the CLI
Monitoring the Maestro AFE via the CLI enables you to check connectivity using Ping, and
display various information using Show commands, e.g., Global counters, Logging, etc.
See the following examples.
To show all counters
Command Syntax:
show counters {global-counters | farm | cluster | server | virtual}
[farm-name | cluster-name | server-name | virtual-server-name]
Prompt level - Root
Example Command:
crescendo> show counters global-counters
crescendo> show counters farm
crescendo> show counters cluster Cluster-1
Monitoring the Maestro AFE via the GUI
The following section describes and explains the Maestro AFE GUI monitoring
feature.
To view Device-based administrative information
1. In the left panel of the Maestro AFE window, click the Monitoring button.

Figure 84: Maestro AFE Traffic Tab
2. In the Topology window, click on the Maestro AFE icon. The tabs displayed in the
right panel present global performance data for the Maestro AFE. Several tabs are
available to display current configuration information.
The Traffic tab window contains the following information, in read-only mode:

Byte/Second - Current and Last 5 Minute Max.

Packets/Second - Current and Last 5 Minute Max.

Request/Second - Current and Last 5 Minute Max.

Response/Second - Current and Last 5 Minute Max.

Average Client Time - Client and Server.

Ping/Second - ICMP traffic count.

Pause Update - Freezes the counters on the screen (internally the counters continue
to progress). Releasing the button resumes updating the displayed counters.
To view the TCP tab
Click the TCP tab to bring it forward.

Figure 85: Maestro AFE TCP Tab
The TCP tab window contains the following information, in read-only mode:

Connections.
Active - Monitors the number of clients and servers connected.
Total Established - Monitors the total number of clients and servers
connected.

Connections per second.
Attempted - Monitors the number of attempted connections per second for
clients and servers.
Established - Monitors the number of established connections per second for
clients and servers.
Max. Established - Monitors the maximum number of established connections
per second for clients and servers.
To view the HTTP tab window
Click the HTTP tab to bring it forward.

Figure 86: Maestro AFE HTTP Tab
The HTTP tab window contains the following information, in read-only mode:

Request - For HTTP 1.0 and 1.1.

Response - For HTTP 1.0 and 1.1.

Total - For HTTP 1.0 and 1.1.

Breakdown (per second).
Gets.
Puts.
Head.
Post.
Success.
Redirect.
Client error.
Server error.
To view the IP tab window
Click the IP tab to bring it forward.

Figure 87: Maestro AFE IP Tab
The IP tab window contains the following information, in read-only mode:

IP Address.

Network Mask.

Next Hop.

Status.
To view the Ports tab window
Click the Ports tab to bring it forward.

Figure 88: Maestro AFE Ports Tab
The Ports tab window contains the following counter information for each port and
aggregator, in read-only mode:

Frames: In and Out.

Octets: In and Out.

Errors: In and Out.

Discards: In.

ARP Requests Sent.

ARP Responses Received.

PING (Echo requests).

ARP Learning.

IP Length Errors.

IP Checksum Errors.

TCP Checksum Errors.

VRRPc on Wrong Port.

VLAN ID is 0.

Global Frame Counters:
Unknown Layer 2.
Unknown Layer 3.
Invalid ARP.
Non-TCP.
No Route.
Routed.
Monitoring the Server
The Maestro AFE provides you with the capability for monitoring your accelerated servers
via the CLI or GUI features. In the following section, examples of monitoring procedures
using the CLI and GUI features are described and explained. You can monitor servers
(farm, cluster, real, and virtual) connected to the Maestro AFE unit via CLI. It enables you
to Ping and perform various Show commands to view information. See the following
examples.
Monitoring Servers or Groups of Servers via the CLI
To show counters
Command Syntax:
show counters {farm|cluster|real|virtual}
Prompt level - Root
Example Command:
crescendo> show counters farm farm1
Monitoring the Server via the GUI
The following section describes and explains the server GUI monitoring feature.
To view the server Traffic tab window
In the Server Topology panel, select the object (farm, cluster, real or virtual server) that
you want to monitor.

Figure 89: Server Traffic Tab
The Traffic tab window contains the following information, in read-only mode:

Byte/Second - Current and Last 5 Minute Max.

Packets/Second - Current and Last 5 Minute Max.

Request/Second - Current and Last 5 Minute Max.

Response/Second - Current and Last 5 Minute Max.

Average Client Time - Client and Server.

Ping/Second.

Pause Update button.

Reset Counters button.

Events table.
To view the TCP tab window
Click the TCP tab to bring it forward.

Figure 90: Server TCP Tab
The TCP tab window contains the following information, in read-only mode:

Connections.
Active - Monitors the number of clients and servers connected.
Total Established - Monitors the total number of clients and servers
connected.

Connections per second.

Attempted - Monitors the number of attempted connections per second for clients
and servers.

Established - Monitors the number of established connections per second for
clients and servers.

Max. Established - Monitors the maximum number of established connections per
second for clients and servers.
To view the HTTP tab window
Click the HTTP tab to bring it forward.

Figure 91: Server HTTP Tab
The HTTP tab window contains the following information, in read-only mode:

Request - For HTTP 1.0 and 1.1.

Response - For HTTP 1.0 and 1.1.

Total - For HTTP 1.0 and 1.1.

Breakdown (per second).
Gets.
Puts.
Head.
Post.
Success.
Redirect.
Client error.
Server error.
To view the Load Balancing tab window
Click the Load Balancing tab to bring it forward.

Figure 92: Server Load Balancing Tab
The Load Balancing tab window contains the following information, in read-only
mode:

Algorithm Used - The type of algorithm used for the Load Balancing table.

STF - The value of the Stop Traffic Factor parameter.

Load Balancing Table - Each row of the table contains the following information:
Name.
Static Weight.
Response Time.
Dynamic Weight.
Static.
Dynamic.
Static.
Dynamic.
Calculated % of Traffic.
Monitoring Attacks and Abnormal Network Behavior
The hardware-based TCP/IP stack of the Maestro AFE is inherently immune to many DoS
and DDoS (Denial of Service and Distributed Denial of Service) attacks, with specific
provisions implemented to further protect the device and the accelerated servers from
harmful traffic. The Maestro AFE architecture innately protects the appliance and the
servers from attacks such as:
Teardrop.
Ping of Death.
Open/Close.
ICMP unreachable attack.
ICMP redirect attack.
Ping attack.
ARP attack.
Christmas tree attack.
TCP flood.
The Maestro AFE is also capable of reporting attacks and abnormal traffic behavior to the
administrator, providing a warning mechanism on top of the protection mechanisms
implemented. Reporting is based on user-configurable thresholds, described below.
The following attacks and abnormal traffic behavior are reported by the Maestro AFE:
Attacks.
- Land attack - IP packets where the source address is the same as the destination
  address.
- SYN attacks - SYN packets received from malicious clients indicating a need to
  open a TCP connection, but the client never fully opens the connection (the client
  does not respond to the SYN/ACK of the server).
Abnormal behavior.
- IP broadcasts - packets with any broadcast IP address destination.
- TCP frames (to virtual IP) - TCP frames destined for a virtual IP address, but not
  an associated TCP port.
- Non-TCP frames (to primary IP) - Any non-TCP frame destined for one of the IP
  addresses associated with a data port on the Maestro AFE.
- Non-TCP frames (to virtual IP) - Any non-TCP frame destined for one of the
  virtual IP addresses configured on the Maestro AFE.
The Maestro AFE will monitor and report on any of these attacks and abnormal events
based on two user-configurable parameters:
Interval - a sample interval (in seconds) over which the number of frames matching the
attack or abnormal behavior is counted.
Threshold - defined in terms of number of frames. If the number of frames (matching
the attack or abnormal behavior) per sample interval exceeds this number, an event is
generated indicating a single instance of an attack.
The default interval and threshold for all attacks and abnormal behavior are 5 seconds and
20 frames, respectively. That means that if 20 frames of a given type are seen within a 5
second window, an attack event is registered and reported. The only exception to these
default values is the SYN attack, where the default threshold is 200 frames.
The Maestro AFE reports each attack event and keeps track of the total number of attacks
of each type. This number can be reset for any of the attacks or abnormal behaviors,
independently.
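The interval and threshold logic described above can be modelled offline to choose values before they are set on the device. This is an added example, not the Maestro AFE's implementation: it assumes fixed back-to-back sample windows starting at time 0, reads "exceeds" as strictly greater than the threshold, and uses a hypothetical Frame record (including a precomputed half_open_syn flag) and the label nontcp-to-primary, none of which come from the guide.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Defaults stated in the guide: 5-second interval and 20 frames for every
# monitor except SYN, whose default threshold is 200 frames.
DEFAULT = (5, 20)
DEFAULTS = {"syn": (5, 200)}


@dataclass(frozen=True)
class Frame:
    ts: float                    # seconds since the start of the capture
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: int = 0
    half_open_syn: bool = False  # SYN whose handshake the client never completed


@dataclass(frozen=True)
class Device:
    primary_ips: frozenset       # IP addresses bound to data ports
    virtual_services: dict       # virtual IP -> set of configured TCP ports
    networks: tuple              # directly attached subnets (for broadcasts)


def classify(f, dev):
    """Map a frame to one of the guide's monitored categories, or None."""
    if f.src == f.dst:
        return "land"
    dst = ip_address(f.dst)
    if f.dst == "255.255.255.255" or any(
            dst == ip_network(n).broadcast_address for n in dev.networks):
        return "ip-broadcast"
    if f.proto == "tcp" and f.half_open_syn:
        return "syn"
    if f.dst in dev.virtual_services:
        if f.proto != "tcp":
            return "nontcp-to-virtual"
        if f.dport not in dev.virtual_services[f.dst]:
            return "tcp-to-virtual"
    elif f.dst in dev.primary_ips and f.proto != "tcp":
        return "nontcp-to-primary"   # label used in this sketch only
    return None


def detect(frames, dev, settings=None):
    """Return (monitor, window_start_seconds, frame_count) per attack event."""
    def cfg(kind):
        return (settings or {}).get(kind, DEFAULTS.get(kind, DEFAULT))

    buckets = Counter()
    for f in frames:
        kind = classify(f, dev)
        if kind is not None:
            buckets[(kind, int(f.ts // cfg(kind)[0]))] += 1
    events = []
    for (kind, idx), count in sorted(buckets.items()):
        interval, threshold = cfg(kind)
        if count > threshold:        # "exceeds", per the Threshold definition
            events.append((kind, idx * interval, count))
    return events


# Constructed sample (documentation address ranges, not taken from the guide).
DEV = Device(frozenset({"192.0.2.10"}), {"192.0.2.100": {80, 443}}, ("192.0.2.0/24",))


def sample_frames():
    vip, frames = "192.0.2.100", []
    # 25 land frames inside the window that starts at 0 s.
    frames += [Frame(i / 10, vip, vip, "tcp", 80) for i in range(25)]
    # Exactly 20 directed-broadcast frames inside the window that starts at 5 s.
    frames += [Frame(5 + i / 10, "198.51.100.7", "192.0.2.255", "udp") for i in range(20)]
    # 30 TCP frames to an unconfigured port in under 2 s, split 15/15 by the 10 s boundary.
    frames += [Frame(9 + i / 15, "198.51.100.8", vip, "tcp", 8080) for i in range(30)]
    # 150 half-open SYNs inside the window that starts at 15 s.
    frames += [Frame(15 + i / 50, "198.51.100.9", vip, "tcp", 80, True) for i in range(150)]
    return frames


if __name__ == "__main__":
    print(detect(sample_frames(), DEV))                     # defaults
    print(detect(sample_frames(), DEV, {"syn": (5, 100)}))  # tighter SYN threshold
```

In this model the defaults report only the land burst: 20 broadcast frames do not exceed 20, and the 30-frame burst to port 8080 goes unreported because it straddles a window boundary.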
Configuring Attack Monitors
Configuring Attack Monitors from the CLI
Use the following command to configure the attack monitors and associated thresholds from
the CLI.
Command Syntax
attack-monitor {land | syn | ip-broadcast | tcp-to-virtual | nontcp-to-virtual | all | default}
{interval | threshold | enable | disable | reset-counter}
Prompt level - Configure
Example commands:
config> attack-monitor land interval 30 threshold 200
Configuring Attack Monitors from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Maestro AFE. Select the Attacks tab.

Figure 93: Configuring Attacks Tab
Monitoring Attacks from the CLI
Use the following command to view the attack monitors' status from the CLI.
Command Syntax
Example
show attack-monitor
Prompt level - Configure
Monitoring Attacks from the GUI
1. Once logged in through the GUI, click on the Monitor button on the left panel.
2. In the Topology window, click on the Maestro AFE. Select the Attacks tab.

Figure 94: Monitoring Attacks Tab

13
Using the Maestro AFE History Feature
Chapter 13 provides you with the description and explanation of the Maestro AFE History
feature.
Overview of the Maestro AFE History Feature.
Selecting and Viewing the Maestro AFE History Graphs.
Overview of the Maestro AFE History Feature
The Maestro AFE unit History feature provides you with the capability to review and
analyze the unit's and servers' performance for any period of time, up to one week past.
You are able to obtain a graphical analysis of the history of any selected entity, such as box,
farm, cluster, or server, and all counters for the entity are saved.
The History service must be enabled for each device for which you wish to view historical
information. For example, history data will not be saved and made available for
viewing until the History check box is checked for the specific object through the
Configuration mode.
Selecting and Viewing Maestro AFE History Graphs
The following section describes the procedures for selecting and viewing Maestro AFE
History graphs.
To view Maestro AFE History
Once logged in through the GUI, click on the History button on the left panel.

Figure 95: Maestro History
The list of values for each list in the Data legend changes according to the level (global,
farm, cluster, or server) selected in the Topology tree.
The History feature window contains the following information:

Data legend - Provides you with color-coded definitions for the data the history
graph measures:

Green.

Blue.

Lavender.

Purple.
Four graphs can be viewed at any time. The four graphs are selected from the predefined
counters for which history is gathered. There is a drop-down list for each of the four
legends.
Available Historical Variables
Client-side TCP Connection History Statistics
Client Attempted Conns PerSec.
Client Accepted Conns PerSec.
Client Max Accepted Conns PerSec.
Client Established Connections.
Client Active Connections.
Server-side TCP Connection History Statistics
Server Attempted Conns PerSec.
Server Accepted Conns PerSec.
Server Max Accepted Conns PerSec.
Server Established Connections.
Server Active Connections.
Client-side HTTP History Statistics
L2 Bytes PerSec.
Client L7 Request Bytes PerSec.
Max L2 Bytes PerSec.
Max Client L7 Request Bytes PerSec.
Client Requests PerSec.
Client Responses PerSec.
Max Client Requests PerSec.
Max Client Responses PerSec.
Avg Client Transaction Time.
Avg Server Transaction Time.
Client HTTP 10 Requests PerSec.
Client HTTP 10 Responses PerSec.
Client HTTP 11 Requests PerSec.
Client HTTP 11 Responses PerSec.
Client Gets PerSec.
Client Others PerSec.
Client Puts PerSec.
Client Posts PerSec.
Client Heads PerSec.
Client 2xx Responses PerSec.
Client 3xx Responses PerSec.
Client 4xx Responses PerSec.
Client 5xx Responses PerSec.
Client Discarded Requests.
Accelerated Bytes PerSec.
Max Accelerated Bytes PerSec.
Non Accelerated Bytes PerSec.
Max Non Accelerated Bytes PerSec.
Server Up Events.
Server Down Events.
Compression History Statistics
Compressible Transactions PerSec.
Compressed Transactions PerSec.
Compressed Bytes Before PerSec.
Compressed Bytes After PerSec.
Max Compressible Transactions PerSec.
Max Compressed Transactions PerSec.
Max Compressed Bytes Before PerSec.
Max Compressed Bytes After PerSec.
Client L7 Response Bytes PerSec.
Server-side HTTP History Statistics
Max Client L7 Response Bytes PerSec.
Server Requests.
Server Responses.
Server Requests PerSec.
Server Responses PerSec.
Max Server Requests PerSec.
Max Server Responses PerSec.
Server L7 Request Bytes PerSec.
Max Server L7 Request Bytes PerSec.
Server L7 Response Bytes PerSec.
Max Server L7 Response Bytes PerSec.
Server HTTP 10 Requests PerSec.
Server HTTP 10 Responses PerSec.
Server HTTP 11 Requests PerSec.
Server HTTP 11 Responses PerSec.
Server Gets PerSec.
Server Others PerSec.
Server Puts PerSec.
Server Posts PerSec.
Server Heads PerSec.
Server 2xx Responses PerSec.
Server 3xx Responses PerSec.
Server 4xx Responses PerSec.
Server 5xx Responses PerSec.
Client Max Attempted Conns PerSec.
Server Max Attempted Conns PerSec.
Attack History Statistics
Attack Land PerInt.
Attack Land Total Frames.
Attack Syn PerInt.
Attack Syn Total Frames.
Attack Ip Brdcst PerInt.
Attack Ip Brdcst Total Frames.
Attack Tcp Virtual PerInt.
Attack Tcp Virtual Total Frames.
Attack Non Tcp Primary PerInt.
Attack Non Tcp Primary Total Frames.
Attack Non Tcp Virtual PerInt.

14
Troubleshooting
Chapter 14 provides example troubleshooting FAQs along with information outlining
common issues and solutions for the Maestro AFE.
Common Issues and Solutions.
Recovering a Lost Password.

Common Issues and Solutions
Table 14 Common Issues and Solutions
Problem: All Maestro AFE LEDs are off
Solution: Check power cable.

Problem: Maestro AFE reports that configured servers are operationally Up, but
traffic destined to a configured Virtual Server does not work.
Solution: Verify networking environment. If outbound link is less than 1 gigabit
connectivity (for example, a 100Mb router) set the shaping-rate command to
accommodate the slower outbound connection. See Outbound Traffic Rate Shaping on
page 39.

Problem: Box loads but configuration is missing
Solution: Connect via console and check if the startup.cfg file is present.

crescendo> system
system>dir

If file is not there, it may have been erased or was not saved prior to power cycling
the unit. You may either restore from a backed up configuration file residing on your
FTP server or reconfigure the unit.

Problem: Application loads with error during boot
Solution: Connect via console.
Copy the error message (for later reference).
Delete files from flash including startup.cfg.
If problem persists, upgrade OS and application, reboot.
If problem persists, send the output from the debug> show tech-support command:
copy all text and send to Crescendo Networks Technical Support.

Problem: Console does not have connectivity
Solution: Check port settings. Defaults are:
115k baud, 8 data bits, 1 stop bit
no parity
no flow control
Make sure the console cable is plugged into the correct management port, labeled
Serial, NOT Ethernet.
Problem: Maestro AFE starts loading and then freezes
Solution: Power cycle the Maestro AFE.
Contact Crescendo Networks Technical Support.

Problem: SSH/Telnet refuses connection
Solution: Connect via console:
Verify that the telnet/ssh servers are enabled.
Check ACL is not preventing access.
Verify username and password.

Problem: Cannot open GUI
Solution: Verify that the snmp-server and http-server are enabled.
Client: check that SUN Java is installed and enabled.
Verify the Web browser cache does not have an older version of the GUI than the
current release. (Clear cache from Java console and retry.)

Problem: GUI login fails
Solution: Verify correct username/password via telnet/ssh or console.
Verify that there are no intermediary devices (i.e. firewalls, filters, etc.) which may be
blocking SNMP traffic between the workstation and the Maestro AFE management
interface.

Problem: Management Ethernet interface does not respond
Solution: Check cables, IP configuration, and switch/hub port.
Verify configuration of gateway on management port in order to get response to an
external network.

Problem: CLI/Telnet freezes
Solution: Close session and retry. Try SSH.
This may happen with non-standard telnet clients.

Problem: SNMP Communities are not working; cannot use MIB browser
Solution: Verify community configuration in the Maestro AFE and on the MIB Browser
(or SNMP tool).

Problem: Syslog does not log anything on syslog server
Solution: Check syslog threshold settings. Verify that objects in configuration (i.e.
servers, clusters, etc.) have logging enabled.

Problem: No traffic on data path
Solution: Check cabling (Fiber tx/rx for example) and IP. Check show IP interfaces.
Verify server port is open.
Problem: Server is in status operational down
Solution:
* Check server properties, IP and port. Check connectivity from Maestro AFE to server
with ping.
* Log onto the Web server and make sure its HTTP task is running, and that it is
accepting new TCP connections. Also, check the Web server's TCP connection timeout
to make sure it is not set too low.
* Check to make sure the health check that is configured for this server is correct.

Problem: Traffic not accelerated (a percentage of failures)
Solution: Use show real command to check that the server reports UP. Check that there
is ping connectivity and the port on the server is open.

Problem: Time stamps in logs are incorrect
Solution: Reset date and time.

Problem: FTP commands fail
Solution: Check management port is enabled and works.
Check connectivity with PING to FTP server.
Verify that the user/password/path configured in the ftp-record is correct.
Verify that there are no intermediary devices (i.e. firewalls) which may block FTP
transfers.
Verify that the proper default gateway has been configured for the management
interface.

Problem: Maestro AFE appears to be unresponsive on HTTP path
Solution: Check with a PING from other appliances that it is available on the network,
as well as from the Maestro AFE.

Problem: Maestro AFE is working abnormally
Solution: Use the debug> show tech-support command. Issue the command twice in a
5-minute interval. Copy the output and send it to Crescendo Networks Technical
Support.

Problem: Using a Maestro Self-Signed SSL certificate causes the browser to display
a "certificate is expired or is not yet valid" warning
Solution: This can occur if the date and time were not configured on the Maestro AFE
before the SSL certificate was generated. Reset the date and time, and re-create the
certificate.

Problem: New Maestro features do not appear in the Maestro's GUI console immediately
after updating the Maestro via an HTTP upload
Solution: This issue occurs if the Maestro's GUI console applet was not closed after
updating the Maestro AFE. The GUI console and all other open browser windows must
be closed following a Maestro code update, so that the new GUI console will be
downloaded from the Maestro AFE.

Problem: A real server intermittently appears to be down, and then up again after a few seconds.
Solution: Check the TCP timeout settings on both the Maestro and the Web server. Make sure the Web server's TCP timeout setting is greater than the timeout setting on the Maestro.

Problem: After configuring the Maestro to offload SSL from an IIS server, you receive the following error message when trying to access a secure portion of the website via SSL: "The page must be viewed over a secure channel"
Solution: This occurs because the Require Secure Channel (SSL) option in the IIS configuration is enabled. Contact Support for instructions on how to resolve this matter.

Problem: While trying to access a specific farm or cluster in the CLI (via Telnet, SSH or console), you find that the farm or cluster is empty.
Solution: This can occur if you misspelled the name of the farm or the cluster when issuing the Farm Farm_Name or Cluster Cluster_Name commands. If the Farm_Name or Cluster_Name is not a pre-existing entity, a new entity will be created with the misspelled name when the command is entered in the CLI.

Problem: CLI session ends spontaneously
Solution: Check the value of the idle-inactivity parameter. See Configurable CLI Parameters on page 23 for details.

Problem: After configuring two Maestro units to operate in Hot/Standby mode, the virtual IPs become intermittently inaccessible
Solution: Check to make sure that the force master option is not enabled on both Maestro AFE units, as this will cause a race condition between the two units. Disable this option on the standby unit.

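The self-signed certificate entry in the table above can be confirmed before re-creating the certificate by comparing its validity window with the browser's clock. The following is an added example, not part of the Crescendo guide: it parses the notBefore=/notAfter= lines printed by `openssl x509 -noout -dates`. The sample dates and function names are constructed, and it assumes notBefore is stamped from the device clock at generation time.

```python
import calendar
import ssl

# Constructed sample: `openssl x509 -noout -dates` output for a certificate
# generated while the issuing device's clock still read the year 2000.
SAMPLE_DATES = """\
notBefore=Jan  1 00:03:12 2000 GMT
notAfter=Dec 31 00:03:12 2000 GMT
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """UTC calendar time -> epoch seconds."""
    return calendar.timegm((year, month, day, hour, minute, second))


def parse_validity(dates_text):
    """Return (not_before, not_after) as UTC epoch seconds."""
    fields = {}
    for line in dates_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = ssl.cert_time_to_seconds(value)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    if fields["notBefore"] >= fields["notAfter"]:
        raise ValueError("validity window is empty or inverted")
    return fields["notBefore"], fields["notAfter"]


def diagnose(dates_text, client_now, generated_at=None):
    """Classify the certificate as a browser whose clock reads client_now sees it."""
    not_before, not_after = parse_validity(dates_text)
    if client_now < not_before:
        status = "not_yet_valid"   # device clock was ahead of the client
    elif client_now > not_after:
        status = "expired"         # device clock was behind, or cert is old
    else:
        status = "valid"
    # Assumption: notBefore reflects the device clock at generation, so its
    # distance from the real generation time is the device's clock error.
    skew = None if generated_at is None else not_before - generated_at
    return {"status": status, "device_clock_skew_s": skew}


if __name__ == "__main__":
    print(diagnose(SAMPLE_DATES, utc(2008, 1, 22, 12), utc(2008, 1, 22, 9)))
```

A large negative device_clock_skew_s with status "expired" matches the cause described in the table: the certificate was generated before the date and time were set.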
Recovering a Lost Password
In the case of a lost password, the Maestro AFE has a recovery system. The administrator
can connect via the serial console and log in with the user name "rescue" and password
"crescue". Once logged in, the permissions are those of an administrator and the password
of the admin user can be changed.
To log on through the Maestro AFE console
1. Perform the following:
login: rescue
password: **** [crescue]

rescue login accepted, please logout as soon as possible
crescendo>
2. Enter Configuration Prompt Level.
crescendo> config terminal
config>

3. Change the password of the existing admin account. For this example, the admin account is
called "hooman" and the new password should be "80hairband".
config> user hooman 80hairband admin
config>

4. Enter System Prompt Level and save new configuration changes.
config> system
system> save

5. Log out as rescue.
system> exit
crescendo> exit
login:

6. Once logged out, log on as the configured admin user.
