
ACE Deployment in an Application Environment
BRKAPP-2020
Agenda

- Load Balancing Today's Web Applications
  Benefits of Traffic Management
  Introduction to ACE
  Design Considerations
  Probes, Persistence, Predictors
  Resources
  SSL
- Linking VMware vCenter Manager to the ANM 3.1
  VMware View 3.0
  ACE Deployment Models with VDI
- Microsoft Deployments
  ACE for Microsoft Exchange 2007
  Microsoft SharePoint with Cisco ACE
BRKAPP-2020 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Load Balancing Today's Web Applications
What Are the Challenges?
- The virtual data center introduces new challenges for load balancers and application management
  Transition to virtual machines (VMs) using VMware and Microsoft Hyper-V technology
  Servers that used to be stand-alone are now VMs
  The virtual data center requires orchestration of the application, VM server and switching infrastructure

(Diagram: Application Network Manager (ANM 3.1))
Application Delivery Controller
- Benefits of traffic management, i.e. why an application delivery controller:
  Availability
  Scalability
  Performance
  Security
- The Cisco Application Control Engine (ACE) provides validated solutions for Microsoft applications

(Diagram: mobile phone, web browser, Outlook (remote user) and Outlook (local user) clients connect to a Virtual IP on the ACE load balancer, which distributes the connections across the Client Access Server farm.)

Cisco ACE 4710: 0.5 to 4 Gbps
Cisco ACE Module: 4 to 16 Gbps
Design Considerations
One-Armed
  Load balancer not inline
  Allows direct server access
  Requires source NAT

Routed Mode
  Easy to deploy
  Requires at least two IP subnets
  Servers in a dedicated IP subnet

Bridged Mode
  Easy migration for servers
  Requires one IP subnet
  Recommended for non-load-balanced traffic
Introduction to ACE Load Balancer
- Cisco ACE provides many advanced load balancing features which can be applied to meet the challenges of deploying today's applications
  These features include:
  1. Access control (permit or deny a request)
  2. Management traffic
  3. TCP normalization/connection parameters
  4. Server load balancing
  5. Fix-ups/application inspection
  6. Source NAT
  7. Destination NAT
Virtual Context Setup
- Virtual contexts are virtualized ACEs. Each virtual context has an independent configuration and dedicated resources assigned. One context can pull resources from another.
- Virtualization of Microsoft Exchange 2010: a separate virtual machine for each of the roles: two Client Access Servers, Hub Transport, four Mailbox servers in a DAG (Database Availability Group)

(Diagram: Microsoft Exchange 2010 and Microsoft SharePoint 2010 running on Cisco UCS)
Basic Load Balancing for ERP Applications

Probes: Is the server active? How can you check?
Predictors: How can you balance the connections?
Persistence: How do you keep the client connected to the same server?
Health Probes
SAP Enterprise Portal

Configuration

Health Checks
Watch the Expected Status Code

NetWeaver Web
Administrator
ACE/dc# telnet 169.145.90.16 50100
Trying 169.145.90.16...
Connected to 169.145.90.16.
Escape character is '^]'.
GET /nwa HTTP/1.1
Host: 169.145.90.16

HTTP/1.1 302 Found


server: SAP NetWeaver / AS Java 7.1
content-type: text/html
location: http://169.145.90.16/webdynpro/dispatcher/sap.com/tc~lm~itsam~co~ui~nwa~localnavigation~wd/NWAApp
Probe Configuration Options
- To configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail (AND logic), use the fail-on-all command in real server host configuration mode
probe icmp PING-PROBE
interval 5
passdetect interval 5
passdetect count 3
probe tcp TCP80-PROBE
interval 10
port 80
passdetect interval 10
passdetect count 3
probe http HTTP-PROBE
interval 20
passdetect interval 5
request method get url /index.html
expect status 200 499

!
serverfarm TCP80-SF
probe PING-PROBE
probe TCP80-PROBE
probe HTTP-PROBE
rserver SERVER1
inservice
rserver SERVER2
inservice
!
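A Python model of how these probe settings drive the rserver state (an added example, not Cisco's code): the interval, passdetect interval and passdetect count values come from the three probes above; faildetect, the number of consecutive failures before ACE marks a probe failed, is not on the slide and is assumed to be the ACE default of 3. It contrasts the default rule, where one failed probe takes the rserver out of rotation, with fail-on-all.

```python
from dataclasses import dataclass


@dataclass
class Probe:
    """One ACE health probe with the slide's timing parameters (seconds)."""
    name: str
    interval: int              # between probes while the probe passes
    passdetect_interval: int   # retry spacing once the probe has failed
    passdetect_count: int      # consecutive passes needed to recover a failed probe
    faildetect: int = 3        # consecutive failures needed to fail (assumed ACE default)
    state: str = "SUCCESS"
    _streak: int = 0           # consecutive results contradicting the current state

    def observe(self, ok: bool) -> str:
        """Feed one probe result; return the probe state after it."""
        if self.state == "SUCCESS":
            self._streak = self._streak + 1 if not ok else 0
            if self._streak >= self.faildetect:
                self.state, self._streak = "FAILED", 0
        else:
            self._streak = self._streak + 1 if ok else 0
            if self._streak >= self.passdetect_count:
                self.state, self._streak = "SUCCESS", 0
        return self.state

    def next_wait(self) -> int:
        """Seconds until the next probe: faster retries while the probe is down."""
        return self.interval if self.state == "SUCCESS" else self.passdetect_interval


def rserver_state(probes, fail_on_all=False) -> str:
    """Default: any FAILED probe takes the rserver out of rotation.
    fail-on-all: the rserver stays OPERATIONAL until every probe has failed."""
    failed = [p for p in probes if p.state == "FAILED"]
    if fail_on_all:
        return "PROBE-FAILED" if len(failed) == len(probes) else "OPERATIONAL"
    return "PROBE-FAILED" if failed else "OPERATIONAL"


def slide_probes():
    """The three probes attached to the TCP80-SF serverfarm on the slide."""
    return [
        Probe("PING-PROBE", interval=5, passdetect_interval=5, passdetect_count=3),
        Probe("TCP80-PROBE", interval=10, passdetect_interval=10, passdetect_count=3),
        Probe("HTTP-PROBE", interval=20, passdetect_interval=5, passdetect_count=3),
    ]


def scenario_http_only_broken(fail_on_all=False):
    """Constructed scenario: the web application answers 5xx (outside
    'expect status 200 499'), so HTTP-PROBE fails while ICMP and the TCP
    handshake still succeed. Returns (rserver state, per-probe states)."""
    probes = slide_probes()
    for _ in range(3):                          # three probe cycles
        for p in probes:
            p.observe(p.name != "HTTP-PROBE")   # only the HTTP probe fails
    return rserver_state(probes, fail_on_all), {p.name: p.state for p in probes}


def scenario_recovery():
    """HTTP-PROBE fails, then the server recovers: two good answers are not
    enough (passdetect count 3); the third one brings the probe back."""
    p = slide_probes()[2]
    for _ in range(3):
        p.observe(False)
    trace = [p.state]
    for _ in range(3):
        trace.append(p.observe(True))
    return trace   # ['FAILED', 'FAILED', 'FAILED', 'SUCCESS']
```

With the default rule the rserver above is PROBE-FAILED as soon as the application probe fails, which is usually what you want: a server that still answers ping but returns 5xx should not receive traffic.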
Predictors: Application Response
- Load balancing based on server response time; the response time is calculated over a configured number of samples, measured between ACE and the serverfarm, and supports the following options:
  SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
  SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server
  Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server
Predictors: Application Response
- Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request
serverfarm TCP80-SF
predictor response app-req-to-resp
rserver SERVER1
inservice
rserver SERVER2
inservice

---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: TCP80-SF
172.16.29.10:0 8 OPERATIONAL 0 239287 32
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
average response time (usecs) : 228

Session Persistence
- When customers visit an e-commerce site, they usually start out by browsing the site
- Depending on the application, the site may require that the client become "stuck" to one server once the connection is established, or the application may not require this until the client starts to build a shopping cart
- This is known as stickiness or session persistence
- Sticky requires a resource class to be configured. If you forget, ANM will send you the following message
Session Persistence Methods
How to Uniquely Identify a Client...

Source IP
  How does it work: client = source IP
  Variation: full IP, masked IP
  Info stored on: LB
  Good for: simplicity
  Caveats: proxies

HTTP Cookie
  How does it work: client = its cookie value
  Variation: static, dynamic, insert, offset
  Info stored on: LB
  Good for: flexibility
  Caveats: HTTP only

SSL ID
  How does it work: client = SSL session ID
  Variation: full SSID
  Info stored on: LB
  Good for: no cookie support
  Caveats: SSL v3 only, renegotiation

HTTP Redirect
  How does it work: LB redirects to a specific (V)Server
  Info stored on: client
  Good for: no state on LB
  Caveats: HTTP only, absolute URLs, bookmarks

RDP
  How does it work: SD (Session Directory); routing token = server IP + port
  Info stored on: LB
  Good for: recovering disconnected WTS sessions
  Caveats: no token, needs to fall back to source IP

SIP
  How does it work: client = Call-ID
  Info stored on: LB
  Good for: SIP-specific stickiness
  Caveats: specific to application

GPP
  How does it work: regex matches on TCP and UDP data
  Variation: custom
  Info stored on: LB
  Good for: flexible for custom applications
  Caveats: clear tests
Basic ERP Web Load Balancing
Persistence Options
- The configuration shows two different sticky options: HTTP cookie sticky and source IP sticky
sticky http-cookie ILIKECOOKIES COOKIESTICKY
cookie insert
timeout 720
serverfarm HTTP-SF
!
sticky ip-netmask 255.255.240.0 address source IPSTICKY
serverfarm HTTPS-SF
!
policy-map type loadbalance first-match WEB-PM
class class-default
sticky-serverfarm COOKIESTICKY
policy-map type loadbalance first-match TCP80-PM
class class-default
sticky-serverfarm IPSTICKY
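A Python model of the two sticky groups above (an added example, not Cisco's code, with a round-robin stand-in for the predictor): IPSTICKY keys its table on the client address masked with 255.255.240.0, so a whole /20 shares one entry, which is why source IP sticky behaves poorly behind proxies; COOKIESTICKY inserts the ILIKECOOKIES cookie on the first response and ages entries out after the 720-minute timeout. It also models the difference between plain `cookie insert`, where ACE derives an Expires attribute from the sticky timeout, and `cookie insert browser-expire` (used on the following slides), where the browser drops the cookie at the end of the session.

```python
import hashlib
import ipaddress
import itertools
from email.utils import formatdate

SERVERS = ["SERVER1", "SERVER2"]   # constructed serverfarm members


class StickyTable:
    """Sticky entries keyed by an opaque key, aged out after `timeout_min` minutes."""

    def __init__(self, timeout_min):
        self.timeout = timeout_min * 60
        self.entries = {}                     # key -> (server, last-hit time in seconds)
        self._rr = itertools.cycle(SERVERS)   # stand-in for the configured predictor

    def server_for(self, key, now):
        """Return (server, True) on a live sticky hit, else a predictor choice and False."""
        hit = self.entries.get(key)
        if hit is not None and now - hit[1] <= self.timeout:
            self.entries[key] = (hit[0], now)     # refresh the entry on every hit
            return hit[0], True
        server = next(self._rr)
        if key is not None:
            self.entries[key] = (server, now)
        return server, False


class SourceIpSticky(StickyTable):
    """sticky ip-netmask 255.255.240.0 address source: key = masked client IP."""

    def __init__(self, netmask="255.255.240.0", timeout_min=720):
        super().__init__(timeout_min)
        self.mask = int(ipaddress.IPv4Address(netmask))

    def handle(self, client_ip, now):
        masked = int(ipaddress.IPv4Address(client_ip)) & self.mask
        return self.server_for(str(ipaddress.IPv4Address(masked)), now)[0]


class CookieInsertSticky(StickyTable):
    """sticky http-cookie ILIKECOOKIES with cookie insert: ACE sets the cookie
    on the first response; later requests carrying it return to the same server."""

    def __init__(self, name="ILIKECOOKIES", timeout_min=720, browser_expire=False):
        super().__init__(timeout_min)
        self.name, self.browser_expire = name, browser_expire

    def handle(self, request_cookies, now):
        """Return (server, Set-Cookie header to add to the response or None)."""
        key = request_cookies.get(self.name)
        server, hit = self.server_for(key if key in self.entries else None, now)
        if hit:
            return server, None
        value = hashlib.sha256(server.encode()).hexdigest()[:16]  # opaque per-server value
        self.entries[value] = (server, now)
        header = f"Set-Cookie: {self.name}={value}"
        if not self.browser_expire:   # plain `cookie insert`: Expires derived from the timeout
            header += f"; Expires={formatdate(now + self.timeout, usegmt=True)}"
        return server, header


def demo_source_ip():
    """Constructed clients: two in 10.10.16.0/20 share a server, the next /20 does not."""
    grp = SourceIpSticky()
    a = grp.handle("10.10.16.5", now=0)
    b = grp.handle("10.10.31.200", now=60)     # same /20 as 10.10.16.5: sticky hit
    c = grp.handle("10.10.32.1", now=120)      # next /20: new entry, predictor decides
    return a, b, c


def demo_cookie():
    """First request gets Set-Cookie; replaying the cookie within 720 minutes
    sticks; after the timeout the client is balanced again and re-cookied."""
    grp = CookieInsertSticky()
    s1, hdr = grp.handle({}, now=0)
    value = hdr.split(";")[0].split("=", 1)[1]
    s2, hdr2 = grp.handle({"ILIKECOOKIES": value}, now=700 * 60)
    s3, hdr3 = grp.handle({"ILIKECOOKIES": value}, now=700 * 60 + 721 * 60)
    return s1, s2, hdr2, s3, hdr3 is not None
```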

Basic ERP Web Load Balancing
sticky http-cookie ILIKECOOKIES COOKIESTICKY
cookie insert browser-expire
serverfarm TCP80-SF
!
policy-map type loadbalance first-match HTTP-PM
class class-default
sticky-serverfarm COOKIESTICKY
policy-map multi-match LOADBALANCE
class HTTP-CM
loadbalance vip inservice
loadbalance policy HTTP-PM
interface vlan 2
ip address 10.10.119.55 255.255.255.0
access-group input EVERYONE
service-policy input LOADBALANCE
service-policy input REMOTE-MGNT
no shutdown

Basic ERP Web Load Balancing
rserver host SERVER1
ip address 10.10.119.1
inservice
rserver host SERVER2
ip address 10.10.119.222
inservice
probe tcp TCP80-PROBE
interval 10
port 80
passdetect interval 10
passdetect count 3
probe http HTTP-PROBE
interval 20
passdetect interval 5
request method get url /index.html
expect status 200 499
!
class-map match-all TCP80-CM
2 match virtual-address 10.10.119.112 tcp eq 80
!
serverfarm TCP80-SF
probe TCP80-PROBE
probe HTTP-PROBE
predictor leastconns slowstart 200
rserver SERVER1
inservice
rserver SERVER2
inservice
sticky http-cookie ILIKECOOKIES COOKIESTICKY
cookie insert browser-expire
serverfarm TCP80-SF
!
policy-map type loadbalance first-match HTTP-PM
class class-default
sticky-serverfarm COOKIESTICKY
policy-map multi-match LOADBALANCE
class TCP80-CM
loadbalance vip inservice
loadbalance policy HTTP-PM
interface vlan 2
ip address 10.10.119.55 255.255.255.0
access-group input EVERYONE
service-policy input LOADBALANCE
service-policy input REMOTE-MGNT
no shutdown
Basic ERP Web Load Balancing
Where's the Cookie? The default header parse length is 2K

parameter-map type http INSENSITIVE
case-insensitive
persistence-rebalance
set header-maxparse-len 8192
policy-map multi-match LOADBALANCE
class HTTP-CM
loadbalance vip inservice
loadbalance policy SAP-PM
appl-parameter http advanced-options INSENSITIVE

switch/SAP-Datacentre# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 151 , TCP data msgs sent : 152
Inspect parse result msgs sent : 0 , SSL data msgs sent : 495
TCP fin/rst msgs sent : 8 , Bounced fin/rst msgs sent: 8
SSL fin/rst msgs sent : 18 , Unproxy msgs sent : 14
Drain msgs sent : 118 , Particles read : 1718
Reuse msgs sent : 0 , HTTP requests : 156
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 254 , HTTP redirects : 0
HTTP chunks : 37 , Pipelined requests : 0
HTTP unproxy conns : 14 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 110 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 3
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
URL Parsing
class-map type http loadbalance match-any URL-MATCHING
2 match http url .*
class-map type http loadbalance match-any URL-IMAGE
2 match http url /image/.*
class-map match-all HTTP-CM
2 match virtual-address 172.16.1.73 tcp eq 80
serverfarm IMAGE-SF
probe IMAGE-PROBE
rserver IMAGE1
inservice
rserver IMAGE2
inservice
serverfarm WEB-SF
probe WEB-PROBE
rserver SERVER1
inservice
rserver SERVER2
inservice
!
sticky http-cookie IMAGE-COOKIES IMAGE-COOKIE
cookie insert browser-expire
serverfarm IMAGE-SF backup WEB-SF
sticky http-cookie WEB-COOKIES WEB-COOKIE
cookie insert browser-expire
serverfarm WEB-SF
!
policy-map type loadbalance first-match HTTP-PM
class URL-IMAGE
sticky-serverfarm IMAGE-COOKIE
class URL-MATCHING
sticky-serverfarm WEB-COOKIE
policy-map multi-match L4
class HTTP-CM
loadbalance vip inservice
loadbalance policy HTTP-PM
appl-parameter http advanced-options INSENSITIVE
Resource Allocation
Virtual Context Setup
- Every ACE device contains a special virtual context called "Admin", which has settings for the ACE device itself.
- You can configure load balancing within the Admin context, but it is recommended that you create separate virtual contexts for load balancing
- The capacity of each ACE virtual context is determined by its resource class
- If the Admin context is not configured correctly, it could be starved of all resources. When configuring resource allocations in ACE, it is possible to allocate 100% of resources to non-Admin contexts, so that the Admin context is no longer reachable via ICMP, telnet, SNMP, etc.
Recommended Settings for
Admin Context
resource-class ADMIN
limit-resource conc-connections minimum 5.00 maximum equal-to-min
limit-resource mgmt-connections minimum 5.00 maximum equal-to-min
limit-resource rate bandwidth minimum 5.00 maximum equal-to-min
limit-resource rate ssl-connections minimum 5.00 maximum equal-to-min
limit-resource rate mgmt-traffic minimum 5.00 maximum equal-to-min
limit-resource rate connections minimum 5.00 maximum equal-to-min
!
resource-class STICKY
limit-resource all minimum 1.00 maximum unlimited
limit-resource acl-memory minimum 5.00 maximum equal-to-min
limit-resource conc-connections minimum 5.00 maximum equal-to-min
limit-resource rate bandwidth minimum 5.00 maximum equal-to-min
limit-resource rate connections minimum 5.00 maximum equal-to-min
limit-resource sticky minimum 6.00 maximum equal-to-min
limit-resource rate ssl-connections minimum 5.00 maximum equal-to-min

Does Your Application Use SSL?
SSL Server Offload
- To terminate or initiate HTTPS connections with ACE, the virtual context must have at least one SSL proxy service. An SSL proxy contains the certificate and key information needed to terminate HTTPS connections from the client or initiate them to the servers
- ANM (Application Network Manager) provides you with a guided setup to import an SSL key pair into the ACE
Sample SSL Key/Cert Pair
- ACE ships with a default 1024-bit RSA key pair. The sample certificate is based on this key pair
- The sample certificate and key are named cisco-sample-cert and cisco-sample-key
- You can view the sample SSL key and cert
- The sample SSL key and cert files can be exported using the 'crypto export' command
- Because the sample key pair is the same on every ACE, use it only for testing and install your own certificate and key for production
Basic SSL Load Balancing
Redirecting Clients to Use SSL
A client request for http://www.cisco.com/go/ace is redirected to https://www.cisco.com/go/ace (%h is the Host header, %p the URL path)

rserver redirect REDIRECT
webhost-redirection https://%h%p 302
inservice
!
serverfarm redirect REDIRECT-SF
rserver REDIRECT
inservice
!
class-map match-all HTTP
2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match REDIRECT-PM
class class-default
serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
class HTTP
loadbalance vip inservice
loadbalance policy REDIRECT-PM
SSL Server Offload Configuration
- In order to configure SSL, you need to add the following to a L3/L4 class map:
  'parameter-map type ssl'
  'ssl-proxy service'
  'policy-map'
- parameter-map is used to define parameters for SSL connections (e.g., SSL version, cipher suites, close protocol behavior)
- ssl-proxy is used to define the certificates and keys to be used in SSL connections
SSL Packet Flow With ACE
(Diagram: the client sends SYN (tcp 443), SYN/ACK, ACK, the SSL handshake and "HTTPS GET index.html" with "Accept-Encoding: gzip, deflate" to the ACE; the ACE opens a clear-text L3 flow to Server 1 (SYN, SYN/ACK, ACK, "HTTP GET index.html"), receives "HTTP 200 OK Response index.html" and returns the HTTPS response on the client's TCP flow.)

ssl-proxy service CLIENT-SSL
key mykey.pem
cert mycert.pem
!
serverfarm WEB-PROTOCOLS
rserver SERVER1 81
inservice
rserver SERVER2 81
inservice
probe HTTP-GET
!
class-map match-all HTTPS-CM
2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
class class-default
serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
class HTTPS-CM
loadbalance vip inservice
loadbalance policy SSL-PM
loadbalance vip icmp-reply
ssl-proxy server CLIENT-SSL
Basic SSL Offload Example
rserver host SERVER1
ip address 192.168.1.1
inservice
rserver host SERVER2
ip address 192.168.1.2
inservice
!
probe http HTTP-GET
interval 5
port 81
passdetect interval 3
request method get url /secure/index.html
expect status 200 200
!
parameter-map type ssl CLIENT_PARAM
cipher RSA_WITH_RC4_128_MD5 priority 2
cipher RSA_WITH_AES_128_CBC_SHA priority 3
cipher RSA_WITH_AES_256_CBC_SHA priority 5
session-cache timeout 600
ssl-proxy service CLIENT-SSL
key mykey.pem
cert mycert.pem
ssl advanced-options CLIENT_PARAM
!
class-map match-all HTTPS-CM
2 match virtual-address 172.16.1.73 tcp eq 443
!
serverfarm WEB-PROTOCOLS
probe HTTP-GET
rserver SERVER1 81
inservice
rserver SERVER2 81
inservice
!
sticky http-cookie WEBCKE STICKYCKE
cookie insert
serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL
class class-default
sticky-serverfarm STICKYCKE
policy-map multi-match L4
class HTTPS-CM
loadbalance vip inservice
loadbalance policy SSL
loadbalance vip icmp-reply
ssl-proxy server CLIENT-SSL

- Caveat: RSA_WITH_RC4_128_MD5 is a legacy cipher suite (both RC4 and MD5 are deprecated); a current deployment should leave it out of the parameter-map and offer only the AES suites
Linking VMware vCenter Manager to the ANM 3.1
Enabling a New Server in a VM Environment
(Diagram: on the SLB team side, the ACE load balancer with a server farm of rservers r1, r2 and r3 behind the Application VIP, managed through Application Network Manager (ANM 3.0); on the server team side, the ESX cluster with application server VMs 1, 2 and 3, managed through VMware vCenter.)
Enabling a New Server in a VM Environment
- The ANM 3.1 vCenter plug-in lets sysadmins activate, suspend, configure and monitor rservers
(Diagram: the same layout, with the sysadmin reaching the ACE rservers r1 to r3 through Application Network Manager (ANM 3.1) and VMware vCenter.)
ANM 3.1 Plug-In for VMware vCenter
(Screenshot: the ACE tab from ANM inside vCenter, used to activate, suspend, configure and monitor rservers.)
Deploying VMware View with Cisco ACE
Why Add a Cisco ACE?
- Scalability: larger deployments require multiple security servers or multiple connection servers
  Cisco ACE balances client connections across available connection servers
  VMware rates a single View connection server at 1,500 concurrent non-tunneled connections, and 30% less if tunneled
- Fault tolerance
  Cisco ACE detects the failure of View components and directs traffic around the failure
- Performance
  Reduce CPU usage on connection servers by offloading HTTPS cryptography
VMware View Deployment with Cisco ACE
General Types of View Deployments
- LAN non-tunneled deployment
  RDP traffic does not pass through the View connection server
- LAN tunneled deployment
  RDP traffic is encapsulated in HTTPS and passes through the View connection server
- Secure (DMZ) tunneled deployment
  RDP traffic is encapsulated in HTTPS and passes through the View security server
  The View security server does not participate in Active Directory, and can be safely placed in the DMZ
VMware View Deployment with Cisco ACE
LAN Tunneled Deployment with ACE
(Diagram: View Client, Cisco ACE, connection servers and the ESX cluster containing the virtual desktops. 1. Authentication; 2a. RDP; 2b. RDP decrypted; 2c. RDP brokered.)
- More secure: all traffic encapsulated in SSL. Virtual desktop IP addresses do not need to be reachable by clients
- Offload benefit: SSL cryptography offloaded by Cisco ACE, reducing CPU utilization on connection servers
- Recommended for LAN deployments on secure networks. Connection servers participate in Active Directory and should not be exposed to the internet
VMware View Deployment with Cisco ACE
Secure Tunneled Deployment (DMZ)
(Diagram: View Client, Security Server, Connection Server, Active Directory, vCenter Server and the ESX cluster containing the virtual desktops.)
1. HTTP(S): authentication and desktop selection
2. AJP/JMS authentication
3. RDP over HTTPS
4. RDP un-tunneled by the Security Server
* The client RDP connection is tunneled over HTTPS to the Security Server
VMware View Deployment with Cisco ACE
Secure Tunneled Deployment (DMZ) with ACE
(Diagram: View Client, ACE, security servers, connection servers and the ESX cluster containing the virtual desktops. 1a. Authentication; 1b. Authentication decrypted; 1c. Authentication proxied; 2a. RDP; 2b. RDP decrypted; 2c. RDP brokered.)
- Most secure: all traffic encapsulated in SSL. No public exposure of connection servers
- Requires careful planning, since security servers depend on their paired connection server
Optional Configuration for OWA
- Use the Microsoft cookie instead of the ACE cookie for HTTP session persistence across the CAS servers
sticky http-cookie sessionid exchange-sticky-sessionid-grp
timeout 20
serverfarm CAS

- Additional health monitoring probes that you could add to check the availability of Exchange
probe http http-probe
interval 60
passdetect interval 60
passdetect count 2
request method get url /exchweb/bin/auth/owalogon.asp
expect status 200 200

probe https https-probe


interval 60
passdetect interval 60
passdetect count 2
request method get url /owa/auth/login.aspx
expect status 200 200
expect status 400 400
Optional Configuration for OWA
- Using HTTP compression for OWA to compress the following objects: JavaScript, GIF files, CSS

parameter-map type http CompressObjects
persistence-rebalance
compress mimetype "text/css"
compress mimetype "image/gif"
compress mimetype "application/x-javascript"
(the compress mimetype lines specify the compressible MIME types)

policy-map type loadbalance first-match OWA-OutlookAnywhere
match OUTLOOK_ANYWHERE http header User-Agent header-value "MSRPC"
sticky-serverfarm CAS-RPC-HTTP
class class-default
compress default-method gzip
sticky-serverfarm OWA-STICKY
(compress default-method gzip enables compression)

policy-map multi-match Exchange2007
class VIP-HTTPS-OWA-OutlookAnywhere
loadbalance vip inservice
loadbalance policy OWA-OutlookAnywhere
appl-parameter http advanced-options CompressObjects
ssl-proxy server exch-ace-tme.com
Optional Configuration for OWA
HTTP URL Inspection for Securing OWA
- Using the application inspection engine on ACE for securing Exchange 2007
- ACE will reset and log any request that does not match the policies below:
class-map type http inspect match-all HTTP_Header
2 match header length request range 0 255
3 match url length range 0 10239
class-map type http inspect match-all HTTP_Methods
2 match request-method rfc post

class-map type http inspect match-any White_list


2 match url /owa.*
3 match url /exchweb.*
4 match url /exchange.*
5 match url /rpc.*
6 match url /OAB.*
7 match url /AutoDiscover.*
8 match url /Microsoft-Server-Activesync.*
9 match url /public.*
12 match url .
13 match url /ews.*
14 match url /unifiedmessaging.*
15 match url email.company.com/.*

Optional Configuration for OWA
HTTP URL Inspection for Securing OWA
policy-map type inspect http all-match L7_URL_WHITE
class White_list
permit log
class HTTP_Header
permit log
class HTTP_Methods
permit log
class class-default
reset log

policy-map multi-match CAS_LB


class L4_CAS_VIP
loadbalance vip inservice
loadbalance policy L7_CAS_default
loadbalance vip icmp-reply active
loadbalance vip advertise active
ssl-proxy server eme_email_SSL_PS
class HTTP_CLASS
inspect http policy L7_URL_WHITE url-logging
appl-parameter http advanced-options L7_URL_WHITE_PARAM

parameter-map type http L7_URL_WHITE_PARAM


case-insensitive
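A Python model of the L7_URL_WHITE inspection policy above (an added example, not Cisco's code). It assumes that an ACE `match url` regex must match the whole URL (which is why the slide's entries end in .*), that `match header length request` applies to the whole request header block, and case-insensitive matching as set by L7_URL_WHITE_PARAM. One point it makes visible: with the HTTP_Methods class allowing only POST, every GET is reset, which is worth checking against real OWA traffic before turning the policy on.

```python
import re
from dataclasses import dataclass, field

# class-map type http inspect match-any White_list, entries as on the slide
WHITE_LIST = [
    r"/owa.*", r"/exchweb.*", r"/exchange.*", r"/rpc.*", r"/OAB.*",
    r"/AutoDiscover.*", r"/Microsoft-Server-Activesync.*", r"/public.*",
    r".", r"/ews.*", r"/unifiedmessaging.*", r"email.company.com/.*",
]
MAX_HEADER_LEN = 255        # match header length request range 0 255
MAX_URL_LEN = 10239         # match url length range 0 10239
ALLOWED_METHODS = {"POST"}  # match request-method rfc post


@dataclass
class Request:
    """Constructed HTTP request as seen by the inspection engine after SSL termination."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)


def matches_white_list(url: str) -> bool:
    """match-any: one whole-URL, case-insensitive regex match is enough."""
    return any(re.fullmatch(p, url, re.IGNORECASE) for p in WHITE_LIST)


def header_block_length(req: Request) -> int:
    """Bytes of the request header block ('Name: value' lines with CRLF)."""
    return sum(len(f"{k}: {v}\r\n".encode()) for k, v in req.headers.items())


def inspect_request(req: Request):
    """Evaluate the request like policy-map type inspect http L7_URL_WHITE.
    Returns ('permit', detail) when every class matches, otherwise
    ('reset', detail) as the class-default 'reset log' action would."""
    classes = [
        ("White_list", matches_white_list(req.url)),
        ("HTTP_Header", header_block_length(req) <= MAX_HEADER_LEN
                        and len(req.url) <= MAX_URL_LEN),
        ("HTTP_Methods", req.method.upper() in ALLOWED_METHODS),
    ]
    failed = [name for name, ok in classes if not ok]
    if failed:
        return "reset", "class-default: failed " + ",".join(failed)
    return "permit", "matched " + ",".join(name for name, _ in classes)


def demo():
    """Constructed requests; returns the action taken for each of them."""
    host = {"Host": "email.company.com"}
    samples = [
        Request("POST", "/owa/auth/owaauth.dll", host),  # normal OWA logon post
        Request("POST", "/OWA/auth/owaauth.dll", host),  # case differs: still permitted
        Request("GET", "/owa/", host),                   # method outside HTTP_Methods
        Request("POST", "/admin/console", host),         # URL not on the allow list
        Request("POST", "/owa/" + "a" * 10240, host),    # URL longer than 10239 bytes
        Request("POST", "/", host),                      # entry 12 ('.') matches only the root URL
    ]
    return [inspect_request(r)[0] for r in samples]
```

Because the policy is an allow list, adding a new Exchange virtual directory means adding a `match url` entry; until then ACE resets those requests and the `url-logging` option on the inspect line is what tells you why.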

Outlook Anywhere and OWA ACE Configuration Example
Certificates must be signed by a trusted CA for the Outlook client
ssl-proxy service OWA-SSL
key owa.pem
cert owa.pem

class-map match-all OWA-OUTLOOKANYWHERE-SSL


2 match virtual-addr 172.16.11.190 tcp eq 443
!
sticky http-cookie Cookie OWA-STICKY
cookie insert browser-expire
replicate sticky
serverfarm CAS-80
sticky http-header Authorization CAS-RPC-HTTP
serverfarm CAS-80
!
policy-map type loadbalance first-match OWA-OUTLOOKANYWHERE
match OUTLOOK_ANYWHERE http header User-Agent header-value "MSRPC"
sticky-serverfarm CAS-RPC-HTTP
class class-default
sticky-serverfarm OWA-STICKY
!
policy-map multi-match Exchange2007
class OWA-OUTLOOKANYWHERE-SSL
loadbalance vip inservice
loadbalance policy OWA-OUTLOOKANYWHERE
loadbalance vip icmp-reply active
ssl-proxy server OWA-SSL
Complete Your Online Session Evaluation
- Give us your feedback and you could win fabulous prizes. Winners announced daily.
- Receive 20 Cisco Preferred Access points for each session evaluation you complete.
- Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.