7022833: Overview of Load Balancing and Reflection for the Web or Reflection Security Gateway

Load Balancing Support Sample Configuration

In our example, providing load balancing support requires that a front-end device (for example, a load balancer, domain name server, proxy server, firewall, router, or switch) be added to the network. This device (named MyFrontEndDevice in this example) determines to which server a client will connect (named MyServerNameA and MyServerNameB in this example.) The servers below represent either web servers or security proxy servers. Either server or both can be load balanced.

  1. Client computer connects to MyFrontEndDevice.
  2. The front-end device determines, based on its load balancing rules, which of the identical servers, MyServerNameA or MyServerNameB, the client will communicate with. (For specific configuration options, refer to the front-end device’s documentation.)
  3. MyServerNameA and MyServerNameB are configured identically to provide load balancing. The common name in the certificate on each server must match the name of the front-end device. The name of the front-end device can be the fully qualified name, the NetBIOS name, or the IP address of the device, depending on how the device is being accessed.

If the servers are security proxy servers and “server identity verification check” is enabled (the default value), a name mismatch causes authentication to fail and the terminal session is not established. Server identity verification is configured in the Administrative WebStation, under Security Setup > Security (in versions earlier than 8.5, Settings > Security). For increased security, keep the server identity verification check enabled. See the product help for more information about this setting.
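To make the certificate-name requirement concrete, here is an added Go example (not part of the original article or of the Reflection product) that issues a self-signed certificate for a constructed front-end name and checks it the way a client with server identity verification enabled would: the name the client dialled, not the back-end server's own host name, is compared with the certificate. The names myfrontenddevice.example.com, myfrontenddevice, 192.0.2.10 and myservernamea.example.com are assumptions for illustration. Go's VerifyHostname matches against Subject Alternative Names, so the front-end name is placed there as well as in the common name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueServerCert builds a short-lived self-signed certificate whose subject
// common name is names[0] and whose Subject Alternative Name extension carries
// every name and address given. Constructed for this example only; a real
// deployment would have this certificate issued by a CA the clients trust.
func issueServerCert(names []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// identityMatches is the client-side "server identity verification" check:
// the name or IP the client actually dialled (the front-end device) is
// compared with the names in the certificate the back-end server presented.
// IP addresses are matched only against IP SANs, host names only against
// DNS SANs; matching of host names is case-insensitive.
func identityMatches(cert *x509.Certificate, contacted string) bool {
	return cert.VerifyHostname(contacted) == nil
}

func main() {
	// Constructed names: the front-end device reachable by FQDN, by a
	// NetBIOS-style short name, or by address (192.0.2.10 is a documentation
	// address, not a real host).
	cert, err := issueServerCert(
		[]string{"myfrontenddevice.example.com", "myfrontenddevice"},
		[]net.IP{net.ParseIP("192.0.2.10")},
	)
	if err != nil {
		panic(err)
	}
	for _, contacted := range []string{
		"myfrontenddevice.example.com", // FQDN of the front-end device
		"MyFrontEndDevice",             // short name of the front-end device
		"192.0.2.10",                   // address of the front-end device
		"myservernamea.example.com",    // the back-end's own name: must fail
	} {
		fmt.Printf("%-30s verified=%v\n", contacted, identityMatches(cert, contacted))
	}
}
```

Run as is to print the four checks. The last one, the back-end server's own name, is the mismatch that becomes an authentication failure at the client when the identity verification check is on, which is why each load-balanced server's certificate must carry the front-end device's name rather than its own.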

Note: For details about how Reflection for the Web connects to a host and how certificates are used, see subsequent sections, Connecting to a Host and Connecting to a Host through a Security Proxy Server.

Installation Instruction Links

You can use the replication feature to make Reflection for the Web and Reflection Security Gateway administration easier in a load balanced environment. For details, see Enabling and Configuring Replication.

Special Considerations When Configuring Load Balancing

Note the following considerations when you configure load balancing:

For more information, see the Single Sign-On Overview help topic in Reflection for the Web 2011. (On Administrative WebStation Home, under Reference click Overview > Single Sign-On Overview.)

  • If the web server’s access control method is NTFS file permissions, when you initially configure the management servers, configure access control on each server. Do not copy the Tsessions.mdb file from one server to another, either during initial configuration or for maintenance purposes. If you make changes to sessions on the primary management server, copy the modified .asp files from the ReflectionDataAccessControldynamic and ReflectionDataAccessControlstatic folders to the other server. Then set the file permissions on .asp files.

Optional Background Information

The following topics provide information about how Reflection for the Web and Reflection Security Gateway make host connections. This basic overview of Reflection’s host connection process may help you understand the factors to consider when you configure support for load balancing.

Connecting to a Host

Reflection uses a three-step process to connect to a host.

  1. The client computer uses a browser to communicate with the web server. If the connection to the web server is HTTPS, the client browser will attempt to authenticate the SSL server certificate of the web server. A certificate warning message will occur if the certificate is not trusted by the browser, if the certificate has expired, or if the common name of the certificate does not match the server name in the URL.
  2. The web server downloads the Reflection for the Web applet or session configuration to the client.
  3. The Reflection for the Web applet or session connects to the host.

Connecting to a Host through a Security Proxy Server

  1. When the Reflection management server on the web server and the security proxy server are configured, they exchange certificates so that each server has the certificate information of the other. After the exchange, the security proxy certificate is stored in the Emulator Applet Trusted Certificate Store on the management server. The management server certificate is stored in the Trusted Certificate Store of the security proxy server.
  2. The browser makes an HTTP or HTTPS connection to the web server which hosts the management server. If an access control (other than None or NTFS file permissions) method is configured, the management server checks the credentials of the client. When the credentials are verified, the management server allows access to sessions authorized for this client.
  3. A session is selected in one of two ways: the client makes a selection from the Links List or the URL launched by the client contains the session parameters.

The management server sends to the client: the Reflection for the Web emulator applet, the session configuration information, the authorization token, and the trusted certificate store which contains the security proxy certificate. The authorization token contains the name of the destination host and port and is signed with the management server’s certificate.

  4. When connecting through the Reflection security proxy server, two different authentications are performed. One authentication uses the security proxy server certificate and the other uses the Reflection management server certificate.
    1. Security Proxy Server Certificate: The emulator applet initiates the SSL handshake with the security proxy. The security proxy server sends its certificate to the applet on the client machine. To verify that the security proxy’s certificate is trusted, the applet checks its cached trusted certificate store (the one that has been downloaded from the management server). If “server identity verification check” is enabled (in the Administrative WebStation, Security Settings > Security tab), the applet also checks the common name of the certificate against the name or IP address used to contact the security proxy. If the security proxy certificate and common name are verified, the applet successfully authenticates the proxy server and the process proceeds to the second authentication.
    2. Management Server Certificate: This authentication uses the authorization token downloaded from the management server. This step occurs only if “Client Authorization” is enabled in the security proxy server (the default; it is configured on the Advanced tab of the Security Proxy Wizard). The emulator applet forwards the token to the security proxy server. The security proxy server verifies the signature against its trusted certificate store, which contains the management server’s certificate. Once the security proxy server authenticates the management server as the source of the authorization token, the security proxy server knows that the management server authorized this client to connect to the destination host and port identified within the token.
  5. When the authentications are successfully completed, the security proxy server connects to the host and the terminal session can begin.
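The token-based half of the exchange above, as an added Go example that is not the product's code: the management server issues a token naming the destination host and port and signs it; the security proxy accepts the token only when the signature verifies under a key in its own trusted store, so a token altered by the client or issued by an unknown server is refused before any host connection is made. Ed25519 is used as a stand-in for the key pair behind the management server certificate, and the destination mainframe.example.com on port 23 is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strconv"
)

// AuthToken stands in for the authorization token: the destination host and
// port the management server authorized, plus the management server's
// signature over exactly those fields.
type AuthToken struct {
	Host string
	Port uint16
	Sig  []byte
}

// signedBytes is the canonical, length-prefixed encoding the signature
// covers, so neither field can be altered or shifted without invalidating it.
func (t AuthToken) signedBytes() []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint16(len(t.Host)))
	buf.WriteString(t.Host)
	binary.Write(&buf, binary.BigEndian, t.Port)
	return buf.Bytes()
}

// ManagementServer holds the signing key (Ed25519 here, a stand-in for the
// management server certificate's key pair).
type ManagementServer struct{ key ed25519.PrivateKey }

func NewManagementServer() (*ManagementServer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ManagementServer{key: priv}, nil
}

// PublicKey is what the security proxy stores in its trusted store.
func (m *ManagementServer) PublicKey() ed25519.PublicKey {
	return m.key.Public().(ed25519.PublicKey)
}

// Issue produces a token for one destination, after the management server
// has already authenticated the client and confirmed it may use the session.
func (m *ManagementServer) Issue(host string, port uint16) AuthToken {
	t := AuthToken{Host: host, Port: port}
	t.Sig = ed25519.Sign(m.key, t.signedBytes())
	return t
}

// SecurityProxy trusts only the management server keys in its store, the
// counterpart of the proxy's Trusted Certificate Store.
type SecurityProxy struct{ trusted []ed25519.PublicKey }

var ErrUntrustedToken = errors.New("authorization token not signed by a trusted management server")

// Authorize returns the "host:port" the proxy may connect to, or an error if
// the token was not issued, or was altered after issue, by a trusted server.
func (p *SecurityProxy) Authorize(t AuthToken) (string, error) {
	for _, pub := range p.trusted {
		if ed25519.Verify(pub, t.signedBytes(), t.Sig) {
			return net.JoinHostPort(t.Host, strconv.Itoa(int(t.Port))), nil
		}
	}
	return "", ErrUntrustedToken
}

func main() {
	mgmt, err := NewManagementServer()
	if err != nil {
		panic(err)
	}
	proxy := &SecurityProxy{trusted: []ed25519.PublicKey{mgmt.PublicKey()}}

	tok := mgmt.Issue("mainframe.example.com", 23) // constructed destination
	dest, err := proxy.Authorize(tok)
	fmt.Println("genuine token:", dest, err)

	tok.Port = 3270 // the client edits the port: the signature no longer verifies
	_, err = proxy.Authorize(tok)
	fmt.Println("tampered token:", err)
}
```

The point to take from it is the trust boundary: the applet only carries the token, and the proxy's decision rests on the management server's key alone, so the proxy never needs to re-check the client's credentials or the session's host list itself.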

Related:

  • No Related Posts

Enabling Linux clients to download LiveUpdate content using the Apache web server as a reverse proxy

I need a solution

Hi

I am trying to set up the reverse proxy on our SEPM server. I am using the procedure described here: https://support.symantec.com/en_US/article.HOWTO85034.html

/luproxy is responding when opening http://localhost:8014/luproxy/masttri.zip in browser but I am getting response

The access log from E:Program Files (x86)SymantecSymantec Endpoint Protection Managerapachelogs shows 503, which is not really good ;>

127.0.0.1 - - [05/Apr/2018:12:52:40 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:01:07 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:02:36 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:03:52 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:04:05 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:06:39 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:10:13 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299
127.0.0.1 - - [05/Apr/2018:13:39:55 +0200] - "GET /luproxy/masttri.zip HTTP/1.1" 503 299

httpd.conf

[..]

Listen 8014

[..]

#AsyncSendFile anydirectory

AsyncSendFile givendirectory
ForceAsyncSendFile "E:/Program Files (x86)/Symantec/Symantec Endpoint Protection Manager/Inetpub/content"

[..]

# SEPM_APACHE_AS_PROXY_START Preserve this line to maintain configuration across SEPM upgrades
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule setenvif_module modules/mod_setenvif.so
     
<IfModule mod_proxy.c>
  <IfModule mod_cache.c>
    <IfModule mod_cache_disk.c>
      <IfModule mod_setenvif.c>
        SetEnvIf Request_URI "/luproxy/" dolog
        SetEnvIf Request_URI "/luproxy/.*_livetri.zip" no-cache
        CustomLog "|| bin/rotatelogs.exe logs/access-%Z.log 25M" common env=dolog
      </IfModule>
      ProxyPass /luproxy/ http://liveupdate.symantecliveupdate.com/ retry=0 smax=0 ttl=60
      CacheRoot "cache-root"
      # CacheRoot is a path defined relative to "E:/Program Files (x86)/Symantec/Symantec Endpoint Protection Manager/apache"

      CacheEnable disk /luproxy/
      CacheDirLevels 1
      CacheDirLength 5

      # directives to override any caching prohibitions in LiveUpdate content headers
      # see TECH230862
      CacheStoreNoStore On
      CacheIgnoreCacheControl On
      CacheStoreExpired On
      CacheIgnoreHeaders Cache-Control Pragma

      #allow downloads up to 1 GB
      CacheMaxFileSize 1000000000
    </IfModule>
  </IfModule> 
</IfModule>
# SEPM_APACHE_AS_PROXY_END Preserve this line to maintain configuration across SEPM upgrades

Our SEPM server has access to the public internet only through a proxy. SEPM is configured to use the proxy, but I am wondering whether a separate configuration is required for Apache?! E:Program Files (x86)SymantecSymantec Endpoint Protection Managerapachecache-root is still empty; the service running “Symantec Endpoint Protection Manager Webserver” has full control of the folder.

Thanks



How to Configure Content Switching on NetScaler to Access Multiple Web Sites

To configure the Content Switching feature on the NetScaler appliance to access multiple Web sites hosted on a Web server, complete the following procedures.

NetScaler GUI

To configure the Content Switching feature on the NetScaler appliance, complete the following procedure:

  1. To add Load Balancing Servers with the IP Address/Domain Name field set to the hostname of the web servers, complete the following sub-procedure:
    1. Expand the Traffic Management > Load Balancing node.
    2. Select the Servers node.
    3. Click Add.
    4. If IP Address is selected, enter the IP address of the web server. Or, change the selection to Domain Name and enter the FQDN of the web server. This assumes that the NetScaler is able to resolve the DNS name.
    5. Click OK.
  2. To create a Monitor for each website and protocol, complete the following sub-procedure:
    1. Expand the Traffic Management > Load Balancing node.
    2. Select the Monitors node.
    3. Click Add.
    4. Give the monitor a name. Keep in mind that you’ll have a different monitor for each website and each protocol (e.g. HTTP vs SSL).
    5. Configure the monitor as needed for your website. Usually you want a monitor that requests a healthcheck page and looks for a successful response.
    6. Click Create.
    7. Create more Monitors for each website and protocol.
  3. To create multiple Load Balancing Service Groups configured to point to the new Servers, complete the following sub-procedure:
    1. Expand the Traffic Management > Load Balancing node.
    2. Select the Service Groups node.
    3. Click Add.
    4. Give the Service Group a name. Keep in mind that you’ll create a different Service Group for each website, and a different Service Group for each protocol (e.g. HTTP vs SSL).
    5. Add the members by selecting the Load Balancing Servers created in step 1 and entering their port number (e.g. 80 or 443).
    6. Bind a monitor to the Service Group. Each Service Group usually has a website-specific monitor.
    7. Click Create.
    8. Create more Service Groups for each website and protocol.
  4. To create Load Balancing Virtual Servers (VServers) for each website, complete the following sub-procedure:
    1. Expand the Traffic Management > Load Balancing node.
    2. Select the Virtual Servers node.
    3. Click Add.
    4. Give the Virtual Server a name. Keep in mind that you’ll have a different Virtual Server for each website and each protocol (e.g. HTTP vs SSL).
    5. Change the IP Address Type to Non-addressable.


    6. Click Create.
    7. Create more Load Balancing Virtual Servers for each website and protocol.
  5. To create Content Switching policies for each URL, complete the following sub-procedure:
    1. Expand the Traffic Management > Content Switching node.
    2. Select the Policies node.
    3. Click Add.
    4. Give the Content Switching Policy a name. Keep in mind that you’ll need a separate Content Switching Policy for each website and protocol (e.g. HTTP vs SSL).
    5. Enter the required expression. An example hostname-based expression is HTTP.REQ.HOSTNAME.EQ("portal.company.com"). An example path-based expression is HTTP.REQ.URL.PATH.STARTSWITH("/portal/").
    6. There is no need to select an Action at this time.


    7. Click Create.
    8. Create more Content Switching Policies for each website and protocol.
  6. To create a Content Switching VServer, such that one Virtual IP address can access both Web sites, complete the following sub-procedure:
    1. Expand the Traffic Management > Content Switching node.
    2. Select the Virtual Servers node.
    3. Click Add.
    4. Give the Content Switching Virtual Server a name. Keep in mind that you will have a different Content Switching Virtual Server for each protocol (e.g. HTTP vs SSL). However, each protocol-specific Content Switching Virtual Server will handle all of the websites.
    5. Click where it says No Content Switching Policy Bound.
    6. Click where it says Click to select and select one of your Content Switching Policies.
    7. In the Target Load Balancing Virtual Server field, select the Load Balancing Virtual Server that matches the Content Switching Policy. Click Bind.
    8. Repeat the Content Switching Policy bindings for each website.


    9. If this Content Switching Virtual Server is SSL, then bind a Server Certificate, configure ciphers, disable SSL v3, etc.
    10. Click Create to finish creating the Content Switching Virtual Server.
    11. Create another Content Switching Virtual Server for other protocols (e.g. HTTP vs SSL).

NetScaler CLI

To configure the Content Switching VServer, similar to the one configured in the preceding procedure, from the command line interface of the appliance, run the following commands:

add server webserver1 webserver1.example.com
add server webserver2 webserver2.example.com
add serviceGroup portal_svcgrp Example HTTP 80
bind serviceGroup portal_svcgrp webserver1 80
bind serviceGroup portal_svcgrp webserver2 80
add serviceGroup www_svcgrp Example HTTP 80
bind serviceGroup www_svcgrp webserver1 80
bind serviceGroup www_svcgrp webserver2 80
add lb vserver portal_vserver-http HTTP 0.0.0.0 0 -persistenceType SOURCEIP -cltTimeout 180
bind lb vserver portal_vserver-http portal_svcgrp
add lb vserver www_vserver-http HTTP 0.0.0.0 0 -persistenceType SOURCEIP -cltTimeout 180
bind lb vserver www_vserver-http www_svcgrp
add cs policy csw_pol_portal-http -rule "HTTP.REQ.HOSTNAME.EQ(\"portal.example.com\")"
add cs policy csw_pol_www-http -rule "HTTP.REQ.HOSTNAME.EQ(\"www.example.com\")"
add cs vserver csw_vserv-http HTTP 192.168.168.170 80 -cltTimeout 180
bind cs vserver csw_vserv-http portal_vserver-http -policyName csw_pol_portal-http -priority 100
bind cs vserver csw_vserv-http www_vserver-http -policyName csw_pol_www-http -priority 110
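The following Go program is an added example, not Citrix code or a NetScaler export, of the content switching logic the commands above configure: policies bound with a priority are evaluated lowest number first, a HOSTNAME.EQ or URL.PATH.STARTSWITH rule selects the target load balancing vserver, and a request that matches no policy is refused rather than forwarded to an arbitrary backend. The backend addresses 127.0.0.1:8081 and 127.0.0.1:8082 and the listen address 127.0.0.1:8080 are assumptions; the policy and vserver names are the ones from the CLI above.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sort"
	"strings"
)

// ruleKind mirrors the two expression forms used on the appliance:
// HTTP.REQ.HOSTNAME.EQ("...") and HTTP.REQ.URL.PATH.STARTSWITH("...").
type ruleKind int

const (
	hostnameEq ruleKind = iota
	pathStartsWith
)

// csPolicy is one content switching policy bound to a CS vserver. Lower
// priority numbers are evaluated first, as on the appliance.
type csPolicy struct {
	name     string
	kind     ruleKind
	value    string
	target   string // name of the LB vserver this policy routes to
	priority int
}

type csVserver struct {
	policies      []csPolicy
	defaultTarget string // used when no policy matches; "" means refuse
}

func newCSVserver(defaultTarget string, policies ...csPolicy) *csVserver {
	sort.SliceStable(policies, func(i, j int) bool {
		return policies[i].priority < policies[j].priority
	})
	return &csVserver{policies: policies, defaultTarget: defaultTarget}
}

// selectTarget walks the policies in priority order and returns the LB
// vserver for this request. The second result is false when nothing matched
// and no default was configured; such requests must not be forwarded.
func (cs *csVserver) selectTarget(host, path string) (string, bool) {
	h := strings.ToLower(host)
	if hh, _, err := net.SplitHostPort(h); err == nil {
		h = hh // compare the host name only, not "host:port"
	}
	for _, p := range cs.policies {
		switch p.kind {
		case hostnameEq:
			if h == strings.ToLower(p.value) {
				return p.target, true
			}
		case pathStartsWith:
			if strings.HasPrefix(path, p.value) {
				return p.target, true
			}
		}
	}
	return cs.defaultTarget, cs.defaultTarget != ""
}

// handler wires the CS vserver to one reverse proxy per LB vserver.
func (cs *csVserver) handler(backends map[string]*url.URL) http.Handler {
	proxies := make(map[string]*httputil.ReverseProxy, len(backends))
	for name, u := range backends {
		proxies[name] = httputil.NewSingleHostReverseProxy(u)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target, ok := cs.selectTarget(r.Host, r.URL.Path)
		if !ok {
			http.Error(w, "no content switching policy matched", http.StatusServiceUnavailable)
			return
		}
		proxy, known := proxies[target]
		if !known {
			http.Error(w, "target LB vserver has no backend", http.StatusBadGateway)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// The two hostname policies from the CLI above, with constructed backends.
	cs := newCSVserver("",
		csPolicy{name: "csw_pol_portal-http", kind: hostnameEq, value: "portal.example.com", target: "portal_vserver-http", priority: 100},
		csPolicy{name: "csw_pol_www-http", kind: hostnameEq, value: "www.example.com", target: "www_vserver-http", priority: 110},
	)
	backends := map[string]*url.URL{
		"portal_vserver-http": {Scheme: "http", Host: "127.0.0.1:8081"}, // assumed
		"www_vserver-http":    {Scheme: "http", Host: "127.0.0.1:8082"}, // assumed
	}
	fmt.Println("content switching vserver listening on 127.0.0.1:8080")
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", cs.handler(backends)))
}
```

Two behaviours worth checking on a real appliance match what this code does: the Host header is compared without its port and case-insensitively, and when a hostname policy and a path policy both match one request, the lower priority number wins, so the order in which policies are bound to the CS vserver decides where overlapping traffic goes.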


7021584: Web Builder .NET Project Errors on Windows 7 or Windows Server 2008

When running Verastream Host Integrator (VHI) Web Builder on newer Windows platforms, .NET projects may fail to build or run.

Note: Beginning in VHI version 7.5, the HTML 5 Web Application project type, which is platform and technology independent, is available in Web Builder. The .NET and Java Web Application project types are still available but deprecated on the Legacy tab.

When running VHI Web Builder on Windows 7, Windows Server 2008, or Windows Vista, you may see an error when building or running a .NET project.

After successfully building a .NET web application project, you may see the following IIS runtime error when the web application is launched:

HTTP Error 403.14 - Forbidden

The Web server is configured to not list the contents of this directory.

Figure 1. Internet Information Services 7.5 Server Error

When building a .NET web service project (created in version 6.6 or earlier), you may see a build error similar to the following:

BUILD FAILED

Reason: The following error occurred while executing this line:

C:Program FilesVHIprojectsMyModelbuild.xml:24: The following error occurred while executing this line:

C:Program FilesVHIprojectsMyModelbuild.xml:63: The following error occurred while executing this line:

C:Program FilesVHIprojectsMyModelbuild.xml:115: The following error occurred while executing this line:

C:Program FilesVHIprojectsMyModelbuild.xml:132: The following error occurred while executing this line:

C:Program FilesVHIprojectsMyModelbuild.xml:138: Can't get http://localhost/MyModel/MyModel.asmx?wsdl to C:Program FilesVHIprojectsMyModelwsdlMyModel.wsdl


7021533: Verastream Host Integrator Web Server Port Conflict

The VHI web server, which runs Java or HTML 5 projects created in Web Builder, is configured to run at TCP port 8081 by default. Beginning in version 7.5, port 8443 is also used for HTTPS.

There can, however, be other software already running at this port. For example, Network Associates’ McAfee software (for anti-virus and network security) runs a web server on port 8081 by default for its “Agent Wake-Up Call” service or FrameworkService.exe.

If port 8081 (or 8443) is already in use, the VHI Web Server is not able to start. When attempting to deploy or run a web project, the URL file path is not found in the web server used by the third-party software, resulting in a “file not found” error.


CYBERWARFARE: The New Battlefield of Memes and #Hashtags



How to serve static images from our HTTP Server instead of WebSphere 8.5 application?

Currently, all our static images are hosted on the Websphere side (out of our app). We would like to take a subset of these and serve them from the IHS HTTP Server instead. Like for example, this URL is served by Websphere, but we would like to serve instead from our HTTP Server:

http://acmeinternal.com/qa03-b/LT/images/img_08915.jpg

We have copied our static image files down to the HTTP Server, but it seems like something else is needed? I tried this RewriteRule too, but it doesn’t seem to work. The request is still being served by the WebSphere side:

LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine on
RewriteRule ^/LT/images/(.*) /images/$1 [PT]
I think the plugin-cfg.xml is still taking the request because of this though:

We would like to take 2 static images folders in our WAR file (/images and /pics) and serve these from our HTTP Server.


Can I monitor WebSphere Edge Components with ITCAM for WAS v7.2 agent on AIX 7.2?

I’d like to monitor the following WebSphere Edge Components features using the ITCAM for WAS v7.2 agent on AIX 7.2:

– Edge Component Load Balancer availability (process)
– Destination HTTP Servers availability (process)
– Web Traffic
– Latency
– Log

Is it possible?
