FUJITSU Software Smart Communication Optimizer V User's Guide

Size: px

Start display at page:

Download "FUJITSU Software Smart Communication Optimizer V User's Guide"

Junior Hamilton
5 years ago
Views:

1 FUJITSU Software Smart Communication Optimizer V1.1.0 User's Guide J2UL ENZ0(00) December 2018

2 Preface Purpose of This Document This manual explains the overview of, and the methods for designing, installing, and operating FUJITSU Software Smart Communication Optimizer (hereafter "this product"). Intended Readers This manual is for people considering using this product and people who will install and oversee operation of this product. Knowledge regarding the following is necessary when reading this manual. - Server virtualization software (VMware vsphere(r) or Red Hat(R) Enterprise Linux(R) Virtual Machine Function) - Public clouds (Amazon Web Services, Microsoft Azure, or FUJITSU Cloud Service K5) - Private clouds (OpenStack) Structure of This Document This manual is composed as follows: Chapter 1 Overview of FUJITSU Software Smart Communication Optimizer Explains the overview of this product. Chapter 2 Design Explains the design work necessary to install and set up this product. Chapter 3 Installation and Setup Explains the installation and setup of this product. Chapter 4 Operation Explains how to operate this product. Appendix A Lists of Useful Design Information Provides lists of information that is frequently referred to during design of this product. Appendix B System Configuration Example of Coordination with the TCP Communication App Shows a system configuration example for the TCP communication app that coordinates with TCP. Appendix C Default Gateway Configuration Example of Coordination with the TCP Communication App Shows a default gateway setting example for the TCP communication app that coordinates with TCP. Appendix D Contents of Performance Information and Audit Log for Downloading Explains the contents of the performance information and audit log to be downloaded. Appendix E Compatibility Information Explains incompatibility items and corrective actions for functions changed from the earlier version. Document Conventions In this manual, the following abbreviations and symbols are used in explanations. Abbreviations The following abbreviations are used in this manual. Proper Name FUJITSU Software Cloud Storage Gateway FUJITSU Cloud Service K5 Abbreviation Cloud Storage Gateway or CSG K5 - i -

3 Proper Name Internet Explorer(R) Microsoft(R) Edge Microsoft Azure Google Chrome(TM) VMware vsphere(r) Red Hat(R) Enterprise Linux(R) 7.x(for Intel64) Red Hat(R) Enterprise Linux(R) Virtual Machine Function Amazon Web Services Internet Explorer Microsoft Edge Azure Chrome VMware RHEL7 KVM AWS Abbreviation Symbols The following symbols are used for the purposes described below in this manual. Symbols Example " " Used to enclose the names of manuals, chapters, and section titles. Refer to "Operation" in the "User's Guide." [ ] Used to enclose the names of screens, menus, tabs, and buttons that compose the Web GUI. [Create Initial User] screen, [Display] menu, [Dashboard] tab, [OK] button [ ]-[ ] Used to show the order in which menus are to be selected. [Setting Category]-[License] < > Used to enclose the names of keyboard keys. <Enter> Other Notation - Text to be entered by the user is indicated using bold text. - Variables are indicated using italic text and underscores. Documentation Road Map Read the manuals for this product based on the following structure diagram and the table explaining their purposes. Structure of the Manuals How to Use the Manuals Manual Name User's Guide [Purpose of Use] To understand the overview and the methods for design, installation, and operation of this product. Conce pt Assess ment POC/ Installa tion Purpose Trainin g Yes Yes Yes Yes Tuning / Migrati on As Requir ed - ii -

4 Purpose Manual Name Conce pt Assess ment POC/ Installa tion Trainin g Tuning / Migrati on As Requir ed [Contained Content] - Overview of the product and explanations of functions - System requirements - Installation and setup procedures - Methods of operation and maintenance [Manuals to Read in Advance] None Reference Guide [Purpose of Use] Yes To refer to the provided commands. To refer to the provided REST API. To correspond to the output messages. To handle trouble. To understand important terms and productspecific terms. [Contained Content] - Explanations of commands - Explanations of REST API - Meanings and corrective actions for messages - Methods for collecting troubleshooting data - Terms and their explanations [Manuals to Read in Advance] None Export Administration Regulation Declaration Exportation/release of this document may require necessary procedures in accordance with the regulations of your resident country and/or United States export control laws. Trademark Information - Amazon Web Services, AWS, Amazon VPC, and Amazon S3 are trademarks of Amazon.com, Inc. or its subsidiaries in the United States and other countries. - Google and Google Chrome are registered trademarks or trademarks of Google Inc. - Intel is a trademark of Intel Corporation or its subsidiaries in the U.S. and/or other countries. - Linux is a registered trademark of Linus Torvalds in the United States and other countries. - Microsoft, Windows, Azure, Active Directory, and Internet Explorer are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. - The OpenStack Word Mark is a registered trademark / service mark or trademark / service mark of the OpenStack Foundation, in the United States and other countries and is used with the OpenStack Foundation's permission. - Red Hat and Red Hat Enterprise Linux are registered trademarks of Red Hat, Inc. in the United States and other countries. - iii -

5 - VMware is a trademark and registered trademark of VMware Inc. in the United States and other countries. - All other company and product names in this manual are trademarks or registered trademarks of their respective owners. Notices - The contents of this manual shall not be reproduced without express written permission from FUJITSU LIMITED. - The contents of this manual are subject to change without notice. Revision History Month/Year Issued, Edition June 2018, Edition 1 December 2018, Edition 2 Manual Code J2UL ENZ0(00) J2UL ENZ0(00) Copyright Notice Copyright 2018 FUJITSU LIMITED - iv -

6 Contents Chapter 1 Overview of FUJITSU Software Smart Communication Optimizer What Is FUJITSU Software Smart Communication Optimizer? Product Configuration of FUJITSU Software Smart Communication Optimizer System Configuration of FUJITSU Software Smart Communication Optimizer Explanations of Each Function Function List Transparent Proxies User Interface Web GUI Console Access REST API SFTP Access User Management Notification Licenses System Requirements Virtual Appliance Resource Requirements Server Virtualization Software System Requirements Admin PC System Requirements Precautions when using this product Chapter 2 Design Design Overview Designing Server System Configurations Designing Server Virtualization Software Designing Clouds Designing Network Configuration Single Virtual NIC Parallel Configuration Single Virtual NIC Parallel Configuration (via a Router) Virtual NIC Parallel Configuration Virtual NIC Parallel Configuration (via a Router) Virtual NIC Pass Bridge Configuration Virtual NIC Pass Bridge Configuration (via a Router) Virtual NIC Pass Bridge Configuration Virtual NIC Pass Bridge Configuration (via a Router) Designing Network Environments Designing a SSL Server CertificateSSL Designing Virtual Network Environments (VMware Environments Only) Designing Function Environments Designing User Management Functions Designing Local Authentication Designing External Authentication Designing the Console User Designing the File Transfer User Designing the Notification Function Designing Transparent Proxy Management Designing the Traffic Control Upper Limit...29 Chapter 3 Installation and Setup Overall Flow of Installation and Setup Installation (VMware Environments) Creating Virtual Networks in VMware Environments Deploying Virtual Appliances to VMware Environments Installation (KVM Environments) Creating Virtual Networks in KVM Environments Deploying Virtual Appliances to KVM Environments v -

7 3.4 Installation (AWS Environments) Installation (Azure Environments) Installation (K5 Environments) Installation (OpenStack Environments) Setup Flow of Setup Initialization Executing the Initialization Wizard Configuring the SSH Authentication Method Configuring Routing Setting the System Time Configuring HTTPS Communication Changing the HTTPS Port Number Configuring the Web Browser Enabling JavaScript Enabling Cookies Configuring SSL/TLS Disabling Internet Explorer Compatibility View Configuring the System Creating the Initial User Configuring Notification Destinations Configuring External Authentication Servers Adding Users Setting the License Preparing Operating Environments Configuring IP Address Conversion for WAN Connection Routers Adding Transparent Proxies Configuring the Default Gateway of the TCP Communication App Uninstallation Uninstallation (VMware Environments) Uninstallation (KVM Environments) Uninstallation (AWS, Azure, K5 and OpenStack Environments)...62 Chapter 4 Operation Login Configuring the Web Browser Logging In Explanation of the Web GUI Configuring the Operation Environment Explanation of the [Settings] Dialog License Login Sessions List of Login Session Items Displaying the List of Login Sessions Displaying the Details of Login Sessions Performing a Forced Logout Local Authentication Users Displaying the List of Local Authentication Users Displaying the Details of Local Authentication Users Creating Local Authentication Users Deleting Local Authentication Users Modifying Local Authentication Users Authentication Servers Displaying the List of Authentication Servers Displaying the Details of Authentication Servers Registering Authentication Servers Deleting Authentication Servers vi -

8 Modifying Authentication Servers Mail Server and Notification Destinations Troubleshooting Data Monitoring Using the Dashboard Monitoring WAN Throughput Downloading Performance Information of the Entire Transparent Proxy Monitoring Event Logs Monitoring Audit Logs Downloading Audit Logs Managing Transparent Proxies Displaying the List of Transparent Proxies Transparent Proxy Statuses Displaying the Details of Transparent Proxies Transparent Proxy Details-Basic Information Transparent Proxy Details-Details Transparent Proxy Details-Performance Information Adding Transparent Proxies Deleting Transparent Proxies Modifying Transparent Proxies Downloading Performance Information for Individual Transparent Proxy Changing the IP Addresses of the Interfaces Used by Transparent Proxies Performing Maintenance Overview of Maintenance Recovering Faulty Server Virtualization Software Recovery when Using High Availability Operation Recovery when Not Using High Availability Operation Performing Regular Maintenance of Server Virtualization Software Regular Maintenance when Using High Availability Operation Regular Maintenance when Not Using High Availability Operation Updating Software Stopping and Restarting the System and Services Appendix A Lists of Useful Design Information A.1 List of Output Log Files A.2 List of Used Port Numbers Appendix B System Configuration Example of Coordination with the TCP Communication App B.1 System Configuration when Coordinating with Cloud Storage Gateway B.2 System Configuration when Coordinating with an FTP Server Appendix C Default Gateway Configuration Example of Coordination with the TCP Communication App C.1 Default Gateway Configuration Example when Coordinating with Cloud Storage Gateway C.2 Default Gateway Configuration Example when Coordinating with FTP Appendix D Contents of Performance Information and Audit Log for Downloading D.1 Contents of Performance Information for Downloading D.2 Contents of Audit Log to be Downloaded Appendix E Compatibility Information vii -

Chapter 1 Overview of FUJITSU Software Smart Communication Optimizer This chapter explains the overview of this product. 1.1 What Is FUJITSU Software Smart Communication Optimizer?

9 Chapter 1 Overview of FUJITSU Software Smart Communication Optimizer This chapter explains the overview of this product. 1.1 What Is FUJITSU Software Smart Communication Optimizer? These days, enterprise WANs are facing the following challenges: - Ongoing globalization means that more communication is taking place over long distances, such as between domestic and overseas business networks. In such cases, obtaining large amounts of data from external sources is slower than when the sources are located shorter distances away. - Increasing use of SaaS and cloud services means that more communication traffic is travelling to and from points outside business networks. In addition, backing up and sharing larger files using these services takes a long time. - More data is being backed up over WANs to data centers in remote locations. The delay involved in this method of backup mean that data replication is not an effective countermeasure against natural disasters. This product realizes accelerated communication over WANs in order to solve these problems. It effectively utilizes the available bandwidth between business networks, or between business networks and clouds, thereby increasing network throughput. The features of this product are as follows: - This product is provided as a virtual appliance (hereafter abbreviated as "SCO-VA") that can be flexibly applied to various configurations found in business networks or on clouds. Two virtual appliances are installed on either side of a connection over a WAN, and operate as a pair. - Transparent proxies use Fujitsu Laboratories' "Transport Acceleration Technology," thereby making it possible to increase communication speeds between SCO-VAs, reduce delays, and reduce the effects of packet loss. Transport Acceleration Technology converts TCP communication to UNAP (Universal Network Acceleration Protocol: a protocol based on UDP, that has an original algorithm for resending data) in order to implement acceleration. - The Web GUI can be used to visualize communication performance, enabling users to see the extent to which throughput has been improved. It can also be used to manage transparent proxies. Figure 1.1 FUJITSU Software Smart Communication Optimizer - 1 -

1.2 Product Configuration of FUJITSU Software Smart Communication Optimizer This product is composed of admin components and gateway components.

10 1.2 Product Configuration of FUJITSU Software Smart Communication Optimizer This product is composed of admin components and gateway components. The admin components are as follows: - Web service Receives and responds to requests sent from the Web GUI of the admin PC. - Admin engine Requests the DB service and gateway component to execute processing. - DB service Accesses the admin DB. The gateway components are as follows: - Transparent Proxies The transparent proxy on the TCP client side provides the function to receive data from the TCP client and transfer the data to the WAN at high speeds. The transparent proxy on the TCP server side provides the function to receive data transferred at high speeds from the WAN and send the data to the TCP server. Figure 1.2 Product Configuration 1.3 System Configuration of FUJITSU Software Smart Communication Optimizer This product is installed on both sides of a connection over a WAN. Since transparent proxies operate as a client-server pair, register them on both sides. This configuration accelerates business applications that use TCP communication between the client and server via a WAN. - This product is compatible with the applications below

11 - Applications where the sending port number is not dynamically updated - FTP communication applications (Passive Mode only) For details, refer to "Appendix B System Configuration Example of Coordination with the TCP Communication App" for a TCP communication app system configuration example that coordinates with TCP. 1.4 Explanations of Each Function This section explains the functions provided with this product Function List The functions provided with this product are as follows: - Transparent Proxies - User Interface - User Management - Notification Transparent Proxies The functions of transparent proxies are as follows: - By converting TCP communication for specific ports (specified service ports for acceleration on transparent proxies) between TCP clients and TCP servers to UNAP communication between transparent proxies, available bandwidth is utilized and communication is accelerated without the influence of WAN delays. - WAN throughput for transparent proxies is automatically adjusted depending on the number of operating transparent proxies. UNAP UNAP is a unique protocol based on UDP. Client transparent proxy types operate as client types and server transparent proxy types operate as server types. Client types request a connection from server type ports that are on standby, and server types respond to the request to establish a connection. UNAP has the following advantages. - Resend control When packet loss has occurred in a UNAP connection, a transparent proxy resends the lost packet by UNAP. Therefore, lost packets on the WAN do not need to be resent via TCP from TCP clients or TCP servers to transparent proxies. - Health Check function In UNAP, a health check is performed for the connection after a UNAP connection has been established. In a health check, UNAP packets from a pair that have not been delivered within a fixed time (connection monitoring interval) are detected and the connection is handled as a disconnection. For connection monitoring intervals, refer to "2.9.3 Designing Transparent Proxy Management." UNAP sends a KeepAlive packet even when data is not being transferred and monitors the connection. When a UNAP disconnection has been detected, a client type reconnects to a server type. WAN Throughput Upper Limit The WAN throughput upper limit for the transparent proxy is the upper limit of throughput when data is transferred between paired transparent proxies. The license throughput upper limit is automatically adjusted to the smaller value of the license throughput upper limits for paired transparent proxies. When using the "Traffic Control Function," since a value smaller than the license throughput upper limit can be configured (the traffic control upper limit), it is automatically adjusted to the smaller value of the traffic control upper limits (the license throughput upper limit when omitted) of the paired transparent proxies. When multiple transparent proxies are registered, all transparent proxies in operation (that are communicating), within their own WAN - 3 -

throughput upper limit, are automatically adjusted so that the total amount of communication does not exceed the license throughput upper limit.

12 throughput upper limit, are automatically adjusted so that the total amount of communication does not exceed the license throughput upper limit. Traffic Control Function The Traffic Control function is a function that can adjust the amount of data transfer within a fixed time for transparent proxies. When you use this function, you can restrict the upper limit of WAN throughput and allocate network bandwidth for other communications. Figure 1.3 Traffic Control function User Interface This product provides the following for the user interface. - Web GUI - Console Access - REST API - SFTP Access Web GUI This product provides a Web GUI that operates via a Web browser. The Web GUI can be used to operate the dashboard and manage transparent proxies. Dashboard The dashboard can be used to monitor WAN throughput, event logs, and audit logs. You can also perform the following from each panel. - [WAN Throughput] panel You can download performance information for WAN throughput. - [Event Log] panel You can display an [Event Log List] and [Event Log Details]. - [Audit Log] panel You can display an [Audit Log List] and [Audit Log Details] and you can also download audit logs from an [Audit Log List]

13 Figure 1.4 Dashboard Transparent Proxy Management It is possible to add, delete, update, and view transparent proxies using the [Transparent Proxy] tab. You can also download performance information for each transparent proxy. Figure 1.5 Transparent Proxy Management - 5 -

14 Console Access You can access the SCO-VA console using server virtualization software or SSH client. You can perform setup and commands on the console. For information on commands, refer to "Commands" in the "Reference Guide." REST API This product provides a REST API. For information on the REST API, refer to "REST API" in the "Reference Guide." The Web GUI and REST API support the following. Table 1.1 Web GUI and REST API Support (User's Guide) Web GUI operations in the User's Guide Creating the Initial User Initial User Creation Setting the License License Login Sessions Login Session Local Authentication Users Local Authentication User Rest API in the corresponding Reference Guide Mail Server and Notification Destinations Mail Server, Mail Notification Monitoring Event Logs Event Log Monitoring Audit Logs Audit Log 4.5 Managing Transparent Proxies Transparent Proxy Monitoring WAN Throughput Performance Transparent Proxy Details-Performance Information Table 1.2 Web GUI and REST API Support (Reference Guide) Web GUI operations in the Reference Guide Collecting Troubleshooting Data SFTP Access Rest API in the corresponding Reference Guide Troubleshooting Data Download You can access the file transfer area in the SCO-VA using SFTP client. The file transfer area is the directory where files are stored temporarily in the following cases: - Configuring the SSH authentication method For details, refer to " Configuring the SSH Authentication Method." - Registering the SSL server certificate For details, refer to "Registering the SSL Server Certificate" in " Configuring HTTPS Communication." - Updating software For details, refer to "4.6.4 Updating Software." - Collecting troubleshooting data For details, refer to "Collecting Troubleshooting Data" in the "Reference Guide." The size and directory name of the file transfer area are shown below. Size 2GB Directory Name /sftp To store or retrieve files in the file transfer area, use SFTP with the account of the file transfer user. For information about the file transfer user, refer to " Designing the File Transfer User." - 6 -

15 Example When transferring the public key file (id_rsa.pub) to the file transfer area when the SCO-VA IP address is # sftp secftpuser@ <Enter> secftpuser@ 's password: password <Enter> Connected to sftp> put id_rsa.pub <Enter> Uploading id_rsa.pub to /sftp/id_rsa.pub id_rsa.pub sftp> bye <Enter> By using the wacadm dir command, it is possible to display information about files or delete unnecessary files in the file transfer area. For details, refer to "wacadm dir Command" in the "Reference Guide." User Management Users of this product are categorized as shown below. Category Authentication Method Role GUI user User for using the Web GUI provided in this product There are the following three authentication methods: There are the following two roles: - Local authentication - Administrator - External authentication (LDAP) - Monitor - External authentication (Active Directory: AD) API user User for using the REST API provided in this product Local authentication Console user User for using the console to set up or perform maintenance of this product The following two authentication methods are available. None - Public key authentication - Password authentication The default values are as follows. - For VMware, KVM, AWS, and Azure: password authentication - For K5 and OpenStack: public key authentication File transfer user User that transfers files via SFTP to the file transfer area. The following two authentication methods are available. - Public key authentication - Password authentication The default setting is password authentication. Using this product, it is possible to create, delete, and modify users that use local authentication methods (local authentication user management), as well as manage users that use the external authentication methods LDAP and AD (external authentication server management). It is also possible to manage the list of login sessions (login session management), and to perform forced logouts

notifications to specified recipients whenever a WARNING- or ERROR-level

16 Figure 1.6 User Management Notification The notification function can be used to send notifications to specified recipients whenever a WARNING- or ERROR-level event occurs. Figure 1.7 Notification 1.5 Licenses This product has the following types of licenses

17 Type Official licenses Trial licenses Licenses that are throughput performance-rated. There are multiple types of licenses, which vary depending on the limits they place on throughput performance for data transfer over a WAN. Licenses provided before the purchase this product, for the purpose of trials. Trial licenses have expiration dates. 1.6 System Requirements Virtual Appliance Resource Requirements The resource requirements for virtual appliances are as follows. Physical CPU Virtual CPUs Resource Intel Xeon (For VMware or KVM) Requirements Requirements vary depending on the limit placed on throughput performance by the license. - When throughput is limited to 3 Gbps or less: 2 or more - When throughput is limited to 10 Gbps or less: 4 or more (Overcommit is not supported) Memory Memory is calculated by license throughput upper limit, traffic control upper limit, and the number of transparent proxies. It is determined by the following formula. Memory size is the result of a calculation that has been rounded up in 1 GB increments. Make values larger than 1 GB. - When not using the Traffic Control function Memory size (GB) = 4(GB) + License throughput upper limit(gbps) * 0.25 * Number of transparent proxies Reference: When the license throughput upper limit is in Mbps increments, use the value divided by When using the Traffic Control function Memory size (GB) = 4(GB) + Total of the memory size for each transparent proxy [*1] *1: Memory size (GB) for each transparent proxy = WAN throughput upper limit (Gbps) [*2] x 0.25 *2: The WAN throughput upper limit (Gbps) is the smaller value of the license throughput upper limit (Gbps) and the traffic control upper limit (Gbps). Reference: When the license throughput upper limit and traffic control upper limit are in Mbps increments, use the value divided by For approximate memory sizes, refer to the following reference information below. Network adapter Virtual disk space Number of virtual NICs For VMware VMXNET3 For KVM Virtio Virtual disk space required for the system of this product: 60 GB 3 or less (however, only one in the cloud) - 9 -

18 Information Memory Size The following shows the memory size for when the Traffic Control function is not used and the number of transparent proxies for each license throughput upper limit is 1 and 20. License Throughput Upper Limit Number of Transparent Proxies Memory Size (GB) 200 Mbps or less 1 5 or more 20 5 or more 500 Mbps or less 1 5 or more 20 7 or more 1 Gbps or less 1 5 or more 20 9 or more 3 Gbps 1 5 or more or more 10 Gbps or less 1 7 or more or more Note - If the specifications of the operating environment differ from the above requirements, this product is not guaranteed to operate properly. This product does not perform any checks as to whether the operating environment meets its requirements. - If the maximum throughput of the hardware is less than the throughput limit configured for the virtual appliance, then throughput will be restricted to that provided by the hardware Server Virtualization Software System Requirements The system requirements for server virtualization software are as follows. Resource Server virtualization software Public clouds Private clouds For VMware VMware vsphere 6 For KVM AWS Azure K5 RHEL7 OpenStack Requirements Admin PC System Requirements The system requirements for the admin PC on which the Web GUI operates are as follows

19 Item Web browser Internet Explorer 11 Microsoft Edge 38 or later Chrome 58 or later Requirements - To transfer files between the admin PC and the file transfer area, SFTP client software is required. Install it if necessary. - To use the REST API, REST client software is required. Install it if necessary Precautions when using this product The precautions when using this product are shown below. - IPv6 is not supported

20 Chapter 2 Design This chapter explains the design work necessary to install and set up this product. 2.1 Design Overview The following tasks must be performed when designing this product: - Designing Server System Configurations - Designing Server Virtualization Software - Designing Clouds - Designing Network Configuration - Designing Network Environments - Designing a SSL Server Certificate - Designing Virtual Network Environments (VMware Environments Only) - Designing Function Environments - Designing User Management Functions - Designing the Notification Function - Designing Transparent Proxy Management 2.2 Designing Server System Configurations This product uses the following functions to support cluster configurations. Installation Environment VMware environments Function vsphere HA function 2.3 Designing Server Virtualization Software Choose either of the following server virtualization software for use with this product: - VMware - KVM Regardless of which software you choose, the functionality of this product will be the same. 2.4 Designing Clouds Choose from among the following clouds to use with this product. - Public clouds - AWS - Azure - K5 - Private clouds - OpenStack Regardless of which cloud you choose, the functionality of this product will be the same

21 Note When using AWS: Only the EC2-VPC environment is supported, the EC2-Classic environment is not supported. When using Azure: When using Azure, you cannot use a function that relies on Azure agent for Azure virtual machines. Do not perform operations that use the following functions. - VM expansion functions - Backups for virtual machines when they are running (when the virtual machine is stopped, backup is possible) - Execution of commands in VMs - Password reset - Management of inventory/tracking changes/updates - Azure site recovery - DNS forward/reverse lookups (when the host name is local host) using SCO-VA host name/private IP If any of the above operations are performed the operation will result in an error or there will be no response. In this case, cancel the operation. In addition, it may take a while for notifications to be made after SCO-VA startup is complete. 2.5 Designing Network Configuration The network configurations of this product are largely classified into the following two categories. - Parallel Configuration A configuration in which SCO-VAs are attached to the communication paths between a TCP client and a WAN router and between a TCP server and a WAN router. - Pass Bridge Configuration A configuration in which SCO-VAs are inserted in the communication paths between a TCP client and a WAN router and between a TCP server and a WAN router. Category Advantages Disadvantages Parallel Configuration Pass Bridge Configuration It can be deployed in the existing environment without changing the network configuration. - It is not necessary to change the default gateway of the TCP clients whose communication is to be accelerated. - There are no performance bottlenecks for high-speed communication such as 10 Gbps. - The TCP clients whose communication is to be accelerated must be configured to change the default gateway to SCO-VA. - There may be performance bottlenecks for high-speed communication such as 10 Gbps. The existing environment must be changed to configure SCO-VA for pass bridge configuration

Category Model Name 1 Parallel Configuration Single Virtual NIC Parallel Configuration 2 Single Virtual NIC Parallel Configuration (via a Router) 3 2-Virtual NIC Parallel Configuration 4 2-Vrtual NIC

22 Figure 2.1 Parallel Configuration Figure 2.2 Pass Bridge Configuration With the combination of the preceding two network configurations and the number of virtual NICs, this product supports the following eight network configurations. No. Category Model Name 1 Parallel Configuration Single Virtual NIC Parallel Configuration 2 Single Virtual NIC Parallel Configuration (via a Router) 3 2-Virtual NIC Parallel Configuration 4 2-Vrtual NIC Parallel Configuration (via a Router) 5 Pass Bridge Configuration 2-Virtual NIC Pass Bridge Configuration 6 2-Virtual NIC Pass Bridge Configuration (via a Router) 7 3-Virtual NIC Pass Bridge Configuration The configuration for a multi-purpose business, WAN, and management network. The configuration for a multi-purpose business, WAN, and management network. In addition to the above, the management network will make access via a router. The configuration for a multi-purpose business and WAN network with an isolated management network. The configuration for a multi-purpose business and WAN network with an isolated management network. In addition to the above, the management network will make access via a router. The configuration for a multi-purpose business and management network with an isolated WAN network. The configuration for a multi-purpose business and management network with an isolated WAN network. In addition to the above, the business and management network will make access via a router. The configuration for an isolated business, WAN, and management network

No. Category Model Name 8 3-Virtual NIC Pass Bridge Configuration (via a Router) The configuration for an isolated business, WAN, and management network.

23 No. Category Model Name 8 3-Virtual NIC Pass Bridge Configuration (via a Router) The configuration for an isolated business, WAN, and management network. In addition to the above, the management network will make access via router. Note Transparent bridge configuration When pass bridge configuration is selected in the network configuration, note that the connection configuration must be designed to avoid loop configuration in the same network as described below: - Connect multiple SCO-VAs to the business network and the WAN network for a pass bridge. - Connect a virtual machine other than SCO-VA to the business network and the WAN network for a pass bridge, and forward the two networks Single Virtual NIC Parallel Configuration This is the configuration for a multi-purpose business, WAN, and management network when using a single virtual NIC. The LAN-side, WAN-side, and Admin interfaces are allocated to a single virtual NIC (For example: br-eth0). The red arrows represent the default gateways. For Cloud Storage Gateway or Azure, it is as follows

2.5.2 Single Virtual NIC Parallel Configuration (via a Router) This is the configuration for a multi-purpose business, WAN, and management network when using a single virtual NIC.

24 2.5.2 Single Virtual NIC Parallel Configuration (via a Router) This is the configuration for a multi-purpose business, WAN, and management network when using a single virtual NIC. In addition to the above, the management network will make access via a router. The LAN-side, WAN-side, and Admin interfaces are allocated to a single virtual NIC (For example: br-eth0). The red arrows represent the default gateways and the blue arrow represents a static route Virtual NIC Parallel Configuration This is the configuration for a multi-purpose business and WAN network with an isolated management network when using two virtual NICs. The LAN and WAN-side interfaces are multi-purpose and are allocated to one virtual NIC (For example: br-eth0) and the Admin Interface

is allocated to the other virtual NIC (For example: br-eth1). The red arrows represent the default gateways. 2.5.

In addition to the above, the management network will make access via a router.

25 is allocated to the other virtual NIC (For example: br-eth1). The red arrows represent the default gateways Virtual NIC Parallel Configuration (via a Router) This is the configuration for a multi-purpose business and WAN network with an isolated management network. In addition to the above, the management network will make access via a router. The LAN and WAN-side interfaces are multi-purpose and are allocated to one virtual NIC (For example: br-eth0) and the Admin Interface is allocated to the other virtual NIC (For example: br-eth1). The red arrows represent the default gateways and the blue arrow represents a static route Virtual NIC Pass Bridge Configuration This is the configuration for a multi-purpose business and management network with an isolated WAN network when using two virtual NICs. The LAN and Admin-side interfaces are multi-purpose and are allocated to one virtual NIC (For example: br-eth1) and the WAN-side interface is allocated to the other virtual NIC (For example: br-eth0). The red arrows represent the default gateways

2.5.6 2-Virtual NIC Pass Bridge Configuration (via a Router) This is the configuration for a multi-purpose business and management network with an isolated WAN network when using two virtual NICs.

The LAN-side and Admin interfaces are multi-purpose and are allocated to one virtual NIC (For example: br-eth1) and the WAN-side interface is allocated to the other NIC (For example br-eth0).

26 Virtual NIC Pass Bridge Configuration (via a Router) This is the configuration for a multi-purpose business and management network with an isolated WAN network when using two virtual NICs. In this configuration, the business and management network will make access via a router. The LAN-side and Admin interfaces are multi-purpose and are allocated to one virtual NIC (For example: br-eth1) and the WAN-side interface is allocated to the other NIC (For example br-eth0). The red arrows represent the default gateways and the blue arrow represents a static route Virtual NIC Pass Bridge Configuration This is the configuration for a network with isolated business, WAN, and management networks when using three virtual NICs. A virtual NIC is allocated to the LAN, WAN, and Admin-side interfaces. The red arrows represent the default gateways

2.5.8 3-Virtual NIC Pass Bridge Configuration (via a Router) This is the configuration for a network with isolated business, WAN, and management networks when using three virtual NICs.

The red arrows represent the default gateways and the blue arrow represents a static route. 2.

27 Virtual NIC Pass Bridge Configuration (via a Router) This is the configuration for a network with isolated business, WAN, and management networks when using three virtual NICs. The management network will make access via a router. A virtual NIC is allocated to the LAN, WAN, and Admin-side interfaces. The red arrows represent the default gateways and the blue arrow represents a static route. 2.6 Designing Network Environments It is necessary to configure the following design items during configuration of a network environment. Item Number of Virtual NICs Virtual NIC Uses The number of virtual NICs to use. Up to three virtual NICs can be used (however, only one in the cloud). Determine the number of virtual NICs to use based on the desired virtual network configuration. Select from among the following uses for each virtual NIC. - Admin Interface (The network interface used for communication between the Admin PC and this product)

28 Item - LAN-side Interface (The network interface used by transparent proxies for TCP communication with clients or servers) Configure the following items for each virtual NIC: - DHCP Server - Network Address - Gateway Address - WAN-side Interface (The network interface used by transparent proxies for communication through a WAN) DHCP Server Select whether to use a DHCP server. - Disable: A DHCP server will not be used - Enable: A DHCP server will be used The default value is "Enable." A DHCP server is required for a network that will use DHCP. When configuring a pass bridge, a DHCP server cannot be used for the WAN-side interface. Network Address Gateway Address DNS Server Domain Name The IP address and the subnet mask of the virtual NIC. If a DHCP server is used, these values will be assigned automatically. The IP address of a router that is connected to a WAN. This router is configured as the default gateway for data transmission. This must be specified when the virtual NIC will be used as a WAN-side interface. The IP addresses of the primary and secondary DNS servers. If a DHCP server is used, these values will be assigned automatically. The domain name. The maximum length of the domain name is 254 characters, minus the length of the host name. For example, if the host name is "host1," which has a length of five characters, the maximum specifiable length of the domain name will be = 249 characters. The following characters can be used: - Alphanumeric characters (This value is not case sensitive) - Hyphens ("-") and periods (".") (Hyphens and periods cannot be used for the first or last characters) When not using a DHCP server, the default value is "localdomain." When using a DHCP server, the default value is as follows. - When the domain name can be obtained from the DHCP server: the obtained domain name - When the domain name cannot be obtained from the DHCP server: "localdomain" Host Name The host name. Specify a character string 1-63 characters in length. The following characters can be used: - Alphanumeric characters (This value is not case sensitive) - Hyphens ("-") (Hyphens cannot be used for the first or last characters) Depending on the installation environment, the default value is as follows. - For VMware, KVM, or AWS: Regardless of whether a DHCP server is used, the host name is "wacva." It is replaced with the host name specified in the Initialization Wizard or the host name specified by DHCP when the Initialization Wizard is executed

29 Item - For Azure: Regardless of whether a DHCP server is used, the host name is "localhost." - For OpenStack or K5: Regardless of whether a DHCP server is used, the virtual server name becomes the host name. Specify the virtual server name using the characters that can be used for the host name. Keymap NTP Servers The keyboard layout. Select from a list of candidates. The default value is "us" (US keyboard). Specify the type of keyboard layout that will be used. For example, "jp106" (Japanese 106 keyboard), "jp-oadg109a" (Japanese 109 keyboard), etc. Choose whether to enable NTP servers. - Disable: Disable NTP servers - Enable: Enable NTP servers When enabling NTP servers, the FQDNs or IP addresses of the NTP servers are required. A maximum of two NTP servers can be registered. The default value is "Disable." Note - When registering two NTP servers, their upper NTP server must be the same. - When enabling the NTP servers, set the configuration so that the host OS also uses the same NTP server for time synchronization. Time Zone HTTPS port number The time zone. Select from a list of candidates. The default value is "UTC." The HTTPS port number. Specify a port number from 1024 to If omitted, 9856 is used. 2.7 Designing a SSL Server CertificateSSL This product performs HTTPS communication with Web browsers (Admin PC), and uses SSL server certificates for encryption of communication data and mutual authentication. It is necessary to configure the following design items when creating an SSL server certificate. Item Expiration Date Country Name State or Province Name Locality Name Organization Name Organizational Unit Name Common Name The number of days until the SSL server certificate expires, counted from the date on which it was created. The longest specifiable period is from the date of creation to January 19, Be sure to specify a number of days that is longer than the anticipated period of use of this product. A two-character country code (ISO-3166). The name of the state or province in which this product will be used. The name of the locality in which this product will be used. The name of the organization or company. The name of the applying organizational unit. The IP address or host name (FQDN) that would be entered in a Web browser

30 Item For example: - When specifying an IP address: When specifying a host name: myhost.example.com Address The contact address. 2.8 Designing Virtual Network Environments (VMware Environments Only) It is necessary to configure the following design items when configuring a virtual network environment. Network label VLAN ID Item A name for identifying the port groups of virtual switches. The network label is used when connecting SCO-VA to virtual switches. Specify any desired name. Identifies the VLAN to be used by the network traffic of the port groups. 2.9 Designing Function Environments This section explains how to design the environment for each function Designing User Management Functions Designing Local Authentication Up to 100 users can be created for local authentication. It is necessary to configure the following design items when using local authentication. Item Name (User name) The user name. Specify a character string 1-64 characters in length. The following characters can be used: - Alphanumeric characters - Symbols (!-_.) Password The password. Specify a character string 8-64 characters in length. The following characters can be used: - Alphanumeric characters - Symbols (!"#$&'()*+,-./@[\]^_`{ }~:;<=>?) At least three of the following four types of characters must be specified: upper case alphabetical characters, lower case alphabetical characters, numbers, and symbols. Role (User role) The role can be either of the following: - Administrator: The system administrator. Can use all functions - Monitor: Can only use reference functions The default user role is "Administrator."

31 Item Mail address The address of the user. Specify a character string 6-63 characters in length. The format is address format (it must contain an at sign "@"), and the following characters can be used: - Alphanumeric characters - Symbols (._%+-@) This value can be omitted. The description of the user. Specify a character string characters in length. There are no restrictions on the characters that can be used. This value can be omitted Designing External Authentication LDAP and Active Directory (AD) are supported for external authentication servers, and up to eight servers can be registered in total. It is necessary to configure the following design items when using external authentication servers. Type Item The type of the authentication server. Specify either of the following: - LDAP: LDAP authentication server - AD: Active Directory (AD) authentication server The default value is "LDAP." IP address Port Domain User search base Group search base Administrator user Administrator password SSL The IP address of the authentication server. The port number of the authentication server. The default value is 389. The domain of the authentication server. The user search base of the authentication server. This is used as the primary identifier when performing user searches with the domain name omitted. If "Type" is "AD," the default value is "cn=users." The group search base of the authentication server. This is used as the primary identifier when performing group searches with the domain name omitted. If "Type" is "AD," the default value is "cn=users." The user name of the administrator of the authentication server. The password of the administrator of the authentication server. One of the following encryption methods is used: - None - SSL/TLS - STARTTLS The default value is "None." Priority The priority of the authentication server. A smaller value means higher priority. This value can be omitted. If omitted, the lowest priority (the largest value) is used. If the specified value is already registered, the priority of that server and subsequent servers are lowered by one (values are incremented). The description of the authentication server. Specify a character string containing up to 256 characters

32 Item There are no restrictions on the characters that can be used. This value can be omitted. External Authentication Server-side Design - When using LDAP authentication, ensure that all user names are 512 or fewer characters in length. - Create the following groups for user roles on each external authentication server, and register each user that will be authenticated externally in the corresponding user role group. Role Administrator Monitor User Role Group Name WacAdmin WacMon Designing the Console User There is only one console user, with the name "administrator." Configure the following design item for the console user. Password Item The password of the console user. The default value is "Admin123#." The password can be changed via the Initialization Wizard. Specify a character string 8-64 characters in length. The following characters can be used: - Alphanumeric characters - Symbols (!"#$&'()*+,-./@[\]^_`{ }~:;<=>?) - Use at least three of the following types of characters: - A-Z - a-z Symbols Designing the File Transfer User There is only one file transfer user with the name "secftpuser." Configure the following design items for the file transfer user. Password Item The password of the file transfer user. The default value is "Secftp123#." The password can be changed via the Initialization Wizard. Specify a character string that is 8-64 characters in length. The following characters can be used: - Alphanumeric characters - Symbols (!"#$&'()*+,-./@[\]^_`{ }~:;<=>?) - Use at least three of the following types of characters: - A-Z - a-z

33 Item Symbols Designing the Notification Function Up to three recipients can be specified for notification. It is necessary to configure the following design items when using notification. Item SMTP server The address of the SMTP server. Specify a character string 1-64 characters in length. The format is IP address format or FQDN format. For FQDN, the following characters can be used. - Alphanumeric characters - Symbols (-.) Sender mail address The content of the "From" field of the s to be sent. Specify a character string 3-63 characters in length. The format is address format (it must contain an at sign "@"), and the following characters can be used: - Alphanumeric characters - Symbols (!#$%&'*+/=?^_`{ }~-.@) SMTP port Authentication method The port number of the SMTP server. Specify a value from 1 to If omitted, the port number of the SMTP server is 25. The authentication method for connecting to the SMTP server. Configure one of the following: - none: Devices will connect to the SMTP server without using authentication The following values use the AUTH SMTP authentication to connect to the SMTP server. For the authentication method, select one according to the security policy of the SMTP server to be used. - cram-md5: "CRAM-MD5" is used as the authentication method - plain: "plain" is used as the authentication method - login: "login" is used as the authentication method User name The name of the user account for connecting to the SMTP server. It is required when the authentication method is not "none." Specify a character string characters in length. The following characters can be used: - Alphanumeric characters - White space - Symbols (!"#$%&'()*+,-./:;<=>?@[\]^_`{ }~) Password The password of the user account for connecting to the SMTP server. It is required when the authentication method is not "none." Specify a character string 1-64 characters in length. The following characters can be used: - Alphanumeric characters - Symbols (!"#$&'()*+,-./@[\]^_`{ }~:;<=>?)

34 Item Subject (Fixed) The fixed character string to be inserted as the prefix for the "Subject" line. Specify a character string 1-30 characters in length. The following characters can be used: - Alphanumeric characters - White space - Symbols (!"#$%&'()*+,-./:;<=>?@[\]^_`{ }~) If omitted, the "Subject" line will be "Smart Communication Optimizer Event Mail." If specified, "Smart Communication Optimizer Event Mail" will be added to the end of the specified character string. Number of Retries Retry Interval (in seconds) SMTP over SSL The maximum number of attempts to resend when sending of an fails. Specify a value from 0 to 5. If omitted, the number of retries is zero (no retries). The interval between attempts to resend. Specify a value from 1 to 300 seconds. If omitted, the retry interval is one (a retry for a one second interval). Determines whether to use SMTP over SSL. Specify either of the following: - disable: SMTP over SSL will not be used - ssl-tls: SMTP over SSL/TLS will be used Confirm that the mail server you are using is compatible with SSL/TLS when selecting "ssl-tls." The default value is "disable." Mail notification The mail address of the notification destination. Specify a character string 3-63 characters in length. The format is address format (it must contain an at sign "@"), and the following characters can be used: - Alphanumeric characters - Symbols (!#$%&'*+/=?^_`{ }~-.@) Designing Transparent Proxy Management For how to place transparent proxies, refer to "1.3 System Configuration of FUJITSU Software Smart Communication Optimizer." A maximum of 20 transparent proxies can be registered in SCO-VA. It is necessary to configure the following design items when creating transparent proxies. Item Transparent Proxy Name The name of the transparent proxy. Specify a character string 1-63 characters in length. The following characters can be used: - Alphanumeric characters - Hyphens ("-") (Hyphens cannot be used for the first or last characters) Transparent proxy names must be unique within SCO-VA. Type The type of the transparent proxy. Specify either of the following: - Client:A transparent proxy of the client type. A transparent proxy of the client type establishes a UNAP connection to a transparent proxy of the server type. - Server:A transparent proxy of the server type. A transparent proxy of the server type waits for a transparent proxy of the client type to establish a UNAP connection

35 Item Pair IP Address Port Number LAN-side Interface A transparent proxy registered with the SCO-VA on the TCP client side may be a server type. A transparent proxy registered with the SCO-VA at the TCP server side may be a client type. The IP address of the WAN-side interface of the transparent proxy to pair with. When the IP address translation has been configured, specify a reachable IP address if necessary. Furthermore, when using multiple transparent proxies in the same SCO-VA, the pair IP address and port number combination must not be overlapping among any of the client types. The port number used by UNAP to enable high-speed data transfer over a WAN. Specify a value from to For the client type, it is the server-side port number. When using several server types in SCO-VA, the number of ports must not be overlapped among all server types. The specified port number must match that of the paired transparent proxy. If the port numbers do not match, then establishment of the UNAP connection will fail. The name of the network interface used by the transparent proxy for TCP communication with client or server applications. Virtual NIC which virtual NIC use is set to "LAN-side Interface" in the Initialization Wizard. The virtual NIC will be one of the following. - br-eth0 - br-eth1 - br-eth2 WAN-side Interface The name of the network interface used by the transparent proxy for WAN-side communication. Virtual NIC which virtual NIC use is set to "WAN-side Interface" in the Initialization Wizard. The virtual NIC will be one of the following. - br-eth0 - br-eth1 - br-eth2 Operation Mode The operation mode of the transparent proxy. Select either of the following: - Transparent: Transparently relays TCP connections. - Terminate: Terminates TCP connections. For client type, "Transparent" is fixed. For server type, make selections similar to the following. - When registering the transparent proxy in AWS, Azure, K5 or OpenStack: "Terminate" - For VMware or KVM, it is different depending on the network configuration. - For parallel configuration: "Terminate" - For pass bridge configuration: "Transparent" - For network configuration, refer to "2.5 Designing Network Configuration." Target Service Port Numbers The list of port numbers of services that are the targets of data transfer performed by the transparent proxy. Specify a value from 1 to Up to 100 port numbers can be specified. To specify multiple port numbers, use a range or a list. Indicate a range using a hyphen. When specifying a range using the format "x-y," x must be less than or equal to y. (For example, "80-83" and "80-80" are valid ranges, but "80-79" is not) Use commas to separate values in a list. (For example, "80,81")

36 Item Maximum Number of TCP Connections Number of Connection Reestablishment Attempts Connection Re-establishment Attempt Interval Connection Monitoring Interval MTU Size Traffic Control Upper Limit When registering multiple transparent proxies with an SCO-VA, the target service port numbers must not be overlapping among the transparent proxies. Specify the target service port numbers only for transparent proxies on the TCP client side. It is not necessary to specify for transparent proxies on the TCP server side. The maximum number of TCP connections that can be established. Specify a value from 1 to The default value is If the number of connections on either the server type or client type transparent proxy exceeds the value specified here, any further connections attempted from the TCP client will be denied. Normally, it is not necessary to configure this item. Use it to restrict the number of connections that can be attempted by the TCP client. The number of reconnection attempts to make when establishing a UNAP connection. Once the specified number of attempts is reached, an event log indicating that UNAP connection has failed is output. Specify a value from 0 to 255. The default value is 5. When "0" is specified, an event log will be output as soon as the first attempt to establish a connection fails. Specify only for client types. The interval (in seconds) between reconnection attempts when establishing a UNAP connection. Specify a value from 1 to 300. The default value is 10. When Round-Trip Time is less than 1 second, it is not necessary to change the initial setting value. When Round-Trip Time exceeds 1 second, configure the value to Round-Trip Time(seconds) * 10. (Ex: When the Round-Trip Time is 2 seconds, specify 20.) Specify only for client types. The connection monitoring interval (in seconds) for a UNAP connection. Specify a value from 1 to 300. The default value is 75. When Round-Trip Time is less than 1.5 seconds, it is not necessary to change the initial setting value. When Round-Trip Time exceeds 1.5 seconds, configure the value to Round-Trip Time(seconds) * 50. (Ex: When the Round-Trip Time is 2 seconds, specify 100.) Specify only for client types. For server type, it will be automatically adjusted to the same value as the client type. The MTU size of UNAP. Specify the maximum specifiable MTU size for the network that data transfer will be performed over. For maximum MTU size, confirm the WAN router settings. Specify a value from 400 to The default value is Specify only for client types. For server type, it will be automatically adjusted to the same value as the client type. Choose whether to use the Traffic Control function. - Disable: Do not use the Traffic Control function - Enable: Use the Traffic Control function The default value is "Disable." When using the Traffic Control function, you can specify the data throughput upper limit that transparent proxies send via UNAP in Mbps or Gbps. You can specify a value from 100Mbps to the license throughput upper limit. For details, refer to " Designing the Traffic Control Upper Limit."

transparent proxies. When the WAN throughput upper limit and the network bandwidth of the physical line are the same, network bandwidth cannot be allocated to other communications.

37 Designing the Traffic Control Upper Limit The WAN throughput upper limit when not using the Traffic Control function, is the smaller value of the license throughput upper limits for paired transparent proxies. When the WAN throughput upper limit and the network bandwidth of the physical line are the same, network bandwidth cannot be allocated to other communications. Therefore, by using the Traffic Control function and restricting the WAN throughput upper limit, network bandwidth can be allocated to other communications. The following shows examples of when the Traffic Control function is not used and when it is used. Figure 2.3 When there is one transparent proxy and the Traffic Control function is not used Figure 2.4 When there are multiple transparent proxies and the Traffic Control function is not used

there are multiple transparent proxies and the Traffic Control function is used Note When

38 Figure 2.5 When there is one transparent proxy and the Traffic Control function is used Figure 2.6 When there are multiple transparent proxies and the Traffic Control function is used Note When multiple transparent proxies are communicating at the same time, set the total of the traffic control upper limit less than the license throughput upper limit

39 Chapter 3 Installation and Setup This chapter explains the installation and setup of this product. 3.1 Overall Flow of Installation and Setup The system configuration of this product can be either of the following combinations. Environment A On-premises On-premises Environment B On-premises Cloud Reference: For the purposes of this explanation of the flow of installation and setup, one part of this combination is referred to as environment A and the other, environment B. There are the following types of on-premises environments and cloud environments. - On-premises - VMware environments - KVM environments - Cloud - AWS environments - Azure environments - K5 environments - OpenStack environments The flow of installation and setup of this product is as follows: 1. Installation of this product on environment A 2. Setup of this product on environment A 3. Installation of this product on environment B 4. Setup of this product on environment B 5. Preparation of the operating environment 6. Configuring the Default Gateway of the TCP Communication App For details on installation, refer to "3.2 Installation (VMware Environments)," "3.3 Installation (KVM Environments)," "3.4 Installation (AWS Environments)," "3.5 Installation (Azure Environments)," "3.6 Installation (K5 Environments)," or "3.7 Installation (OpenStack Environments)," depending on the environment in which you are installing. 3.2 Installation (VMware Environments) This section explains installation in VMware environments. The following example uses vsphere 6.0. The flow of installation in VMware environments is as follows: 1. Creation of the virtual network 2. Deployment of the virtual appliance Creating Virtual Networks in VMware Environments This section explains the procedure for creating the virtual network (port group) for virtual appliances to connect to

40 Preparations Confirm that the following have already been created: - The virtual switch (vswitch) on which the network of this product will be placed Configure the ports of the virtual switch as follows. - MTU: Connections to external networks (uplinks) When using any of the following, connect the device to the virtual switch in advance. - A DHCP server - NTP servers - External authentication servers - A firewall When configuring a firewall, refer to "A.2 List of Used Port Numbers," and approve use of the listed port numbers. Procedure 1. Log in to vsphere Web Client. 2. In the [Navigator] pane, select the [Hosts and Clusters] tab, and then select the host on which the network of this product will be placed. 3. Select [Actions]-[Add Networking] to start the [Add Network] wizard. 4. Follow the instructions in the [Add Network] wizard to configure the network. Step Task Details 1 Select connection type Select [Virtual Machine Port Group for a Standard Switch]. 2 Select target device Select [Select an existing standard switch]. Click the [Browse] button, and then select the virtual switch to use to create the network of this product. 3 Connection settings Specify the network label and the VLAN ID. For the content to specify, refer to "2.8 Designing Virtual Network Environments (VMware Environments Only)." 4 Ready to complete Confirm the selected content and, if there are no problems, click the [Finish] button to close the wizard. 5. When configuring a pass bridge, configure the security settings of port groups. The targets for security configuration are port groups which the network adapters allocated as the SCO-VA LAN-side interface and WAN-side interface connect to. The settings to configure are as follows: - Promiscuous Mode: Accept - Forged Transmits: Accept 6. Note Port groups in which the security settings have been configured must not be associated with the network adapters attached to VMs other than the SCO-VAs

41 3.2.2 Deploying Virtual Appliances to VMware Environments This section explains the procedure for deploying virtual appliances to VMware environments. Procedure 1. Set the DVD of this product in a computer that is logged in to vcenter. 2. Log in to vsphere Web Client. 3. In the [Navigator] pane, select the [VMs and Templates] tab, and then select vcenter Server. 4. Select [Action]-[Deploy OVF Template] to launch the [Deploy OVF Template] wizard. 5. Follow the instructions in the [Deploy OVF Template] wizard to configure the template. Step Task Details 1 Select source Select [Local file]. Click the [Browse] button, and then specify the OVF template file (.ovf) on the DVD of this product. 2 Review details Check the details of the specified OVF template. 3 Select name and folder Specify a name for the template. For the deployment destination, select a "datacenter" or a "folder." 4 Select a resource Select where to run the deployed OVF template. 5 Select storage Select the datastore in which to store the files for the deployed template. Select the following: - Select virtual disk format: "Thick Provision Lazy Zeroed" - VM Storage Policy: Datastore Default 6 Setup networks Select the network created in "3.2.1 Creating Virtual Networks in VMware Environments." 7 Ready to complete Confirm the selected content and, if there are no problems, click the [Finish] button to close the wizard. 6. Wait for deployment of this product to complete. The deployment progress can be confirmed using the progress bar displayed in [Recent Tasks]. 7. Change the number of CPUs and the memory size of the virtual machine of this product based on the requirements described in "1.6.1 Virtual Appliance Resource Requirements." 8. When performing a 1 or 2 virtual NIC configuration, delete network adapters that will not be used in [Edit settings]. Note Adding and Deleting Network Adapters It is not possible to delete or add network adapters after executing the initialization wizard and configuring the initial settings. If executing deletion or addition, execute deployment again. For the initialization wizard, refer to " Executing the Initialization Wizard." Point Use the same procedure as above when deploying this product in VMware vsphere High Availability (vsphere HA) environments. 3.3 Installation (KVM Environments) This section explains installation in KVM environments

42 The flow of installation in KVM environments is as follows: 1. Creation of the virtual network 2. Deployment of the virtual appliance Creating Virtual Networks in KVM Environments Prepare the virtual network for virtual appliances to connect to. Confirm the following: - The virtual network (virtual bridge) that will connect virtual appliances has been created - The virtual bridge is connected to a physical NIC When using any of the following, connect the device to the virtual bridge in advance. - A DHCP server - NTP servers - External authentication servers - A firewall When configuring a firewall, refer to "A.2 List of Used Port Numbers," and approve use of the listed port numbers Deploying Virtual Appliances to KVM Environments This section explains the procedure for deploying virtual appliances to KVM environments. Procedure 1. Copy the tar.gz file on the DVD of this product to the desired folder on the KVM host, and unpack the copied tar.gz file. Example # tar xzvf SCO_v110_kvm.tar.gz <Enter> SCO_v110_kvm/ SCO_v110_kvm/SCO_v110_kvm.qcow2 SCO_v110_kvm/SCO_v110_kvm.xml 2. Copy the files of the unpacked directory to their respective designated destinations. Example # cp SCO_v110_kvm.qcow2 /var/lib/libvirt/images <Enter> # cp SCO_v110_kvm.xml /etc/libvirt/qemu <Enter> 3. Specify the xml file to register the VA image of this product. Example # virsh define /etc/libvirt/qemu/sco_v110_kvm.xml <Enter> 4. Click [Virtual Machine Manager] menu on the desktop screen to open the [Virtual Machine Manager] screen. 5. On the [Virtual Machine Manager] screen, select the VA image of this product, and then click the [Open] button. 6. On the [Virtual Machine] screen, select [View]-[Details] from the menu

43 7. When performing a 1 or 2 virtual NIC configuration, delete network adapters that will not be used on the [Virtual Machine Details] screen. 8. On the [Virtual Machine Details] screen, select [NIC]. Then, select the virtual network or host device that this product will connect to, and click the [Apply] button. 9. Change the number of CPUs and the memory size of the virtual machine of this product based on the requirements described in "1.6.1 Virtual Appliance Resource Requirements." Note Adding and Deleting Network Adapters It is not possible to delete or add network adapters after executing the initialization wizard and configuring the initial settings. If executing deletion or addition, execute deployment again. For the initialization wizard, refer to " Executing the Initialization Wizard." Note When deploying multiple virtual appliances When deploying multiple virtual appliances, note the following to perform the procedure above. - In step 2, copy it as a different name so that previously copied files will not be overwritten. Example # cp SCO_v110_kvm.qcow2 /var/lib/libvirt/images/sco_v110_kvm_2.qcow2 <Enter> # cp SCO_v110_kvm.xml /etc/libvirt/qemu/sco_v110_kvm_2.xml <Enter> - Change the value of the name tag and the source tag in the disk tag of the xml file with a different name to which the file was copied in the step 2 as shown below. Example <domain type='kvm'> <name>sco_v110_kvm_2</name>... <devices> <disk...> <source file='/var/lib/libvirt/images/sco_v110_kvm_2.qcow2'/>... - In step 3, specify the xml file with a different name to which the file has been copied. Example # virsh define /etc/libvirt/qemu/sco_v110_kvm_2.xml <Enter> 3.4 Installation (AWS Environments) This section explains the procedure for installation in an AWS environment

44 Preparations Confirm that the following has already been performed. - An Amazon S3(Simple Storage Service) bucket has been created so that the image of this product can be stored - An AWS account has been created so that the above bucket can be accessed - The VPC that this product will connect to has been created Procedure 1. Set the DVD of this product in an Admin PC that can connect to AWS. 2. Using AWS CLI, upload the virtual appliance image of this product to Amazon S3. Example aws s3 cp /tmp/sco_v110_aws-disk1.vmdk s3://wacva <Enter> The parameters are as follows. Parameter First parameter Second parameter The name of the image file to be uploaded. In the above example, "cp" is specified. The name of the bucket of the upload destination. In the above example, "/tmp/sco_v110_aws-disk1.vmdk s3://wacva" is specified. 3. Use AWS CLI and import the virtual appliance image to create an AMI(Amazon Machine Image) for this product. Example aws ec2 import-image --disk-containers file://containers.json <Enter> The options and parameters are as follows. Option name --disk-containers The file with the defined parameters to be imported. In the above example, "file://containers.json" is specified. For details, refer to the AWS document. Example Definition file example [ ] { } "": "SCO", "Format": "VMDK", "UserBucket": { "S3Bucket": "wacva", "S3Key": "SCO_v110_aws-disk1.vmdk" } 4. Create an instance of this product from the AMI that was created in Step

45 5. In the following procedure, configure an Elastic IP. a. In a Web browser, log in to an AWS Management Console. b. Select [VPC] and the [VPC Management Console] screen is displayed. c. On the pane of the left side of the [VPC Management Console] screen, select [Elastic IP] and on the right side of the [Elastic IP] screen, click the [Allocate new address] button. d. Clicking the [Allocate] button on the [Allocate new address] screen automatically allocates the IP and it is added to the table on the [Elastic IP] screen. 6. In the following procedure, address the Elastic IP to the instance of this product. a. On the pane of the left side of the [VPC Management Console] screen, select [Elastic IP], and from the table on the right side of the [Elastic IP] screen, select the Elastic IP that was created in Step 5. b. On the [Elastic IP] screen, select [Actions]-[Associate address] and the [Associate address] is displayed. c. Specify the following on the [Associate address] screen and click the [Associate] button. - Resource type (Specify "Instance") - Instance (Specify the instance of this product) - Private IP (Select the IP address that you want to associate) 7. Start the instance of this product. 3.5 Installation (Azure Environments) This section explains the procedure for installation in an Azure environment. Preparations Confirm that the following has already been performed. - A virtual appliance image of this product has been stored and the required resource groups, storage accounts, and storage containers for creating resources for virtual machines have been created - The virtual networks, subnets, and public IPs that this product will connect to have been created - On an Admin PC that can connect to Azure, the image to be uploaded from the DVD of this product has been unpacked When using any of the following, connect the device to the network in advance. - A DHCP server - NTP servers - External authentication servers - A firewall When configuring a firewall, refer to the "A.2 List of Used Port Numbers," and approve the use of the listed port numbers. Procedure 1. From the Azure portal screen, select [Storage accounts]-<storage account name to be used>-[blobs]-<container name to be used> to display the [Container] screen, then click the [Upload] button. Next, specify the image file to be uploaded for this product and click the [Upload] button. 2. Click the [cloud-shell] button on the Azure portal screen to display the [cloud-shell] screen(bash). 3. Using the az disk create command, create a management disk from the custom disk that was uploaded

46 Example az disk create --resource-group rscgrp_msdn_westus2 --sku Standard_LRS --location westus2 --name sco_mng_disk --source SCO_v110_azure.vhd <Enter> The options and parameters are as follows. Option name --resource-group --sku --location --name --source The name of the resource group. In the above example, "rscgrp_msdn_westus2" is specified. The type of management disk. In the above example, "Standard_LRS" is specified. The name of the region. In the above example, "westus2" is specified. The name of the management disk. In the above example, "sco_mng_disk" is specified. The URL of the custom disk that has been uploaded. In the above example, the following is specified. " 4. Using the az vm create command, create a virtual machine for this product which will use the management disk. Example az vm create --resource-group rscgrp_msdn_westus2 --location westus2 --name scovm --os-type linux --size Standard_D2_v3 --public-ip-address-allocation static --public-ip-address staticpublic --subnet sco-subnet --vnet-name sco-vnet --attach-os-disk sco_mng_disk <Enter> The options and parameters are as follows. Option name --resource-group --location --name --os-type --size --public-ip-address-allocation --public-ip-address --subnet --vnet-name The name of the resource group. In the above example, "rscgrp_msdn_westus2" is specified. The name of the region. In the above example, "westus2" is specified. The name of the virtual machine. In the above example, "scovm" is specified. The OS type of the virtual machine. Specify "linux." The size of the virtual machine. In the above example, "Standard_D2_v3" is specified. Whether the public IP is released when the virtual machine has been stopped. Specify "static." The name of the public IP. In the above example, "static-public" is specified. The name of the subnet. In the above example, "sco-subnet" is specified. The name of the virtual network. In the above example, "sco-vnet" is specified

47 --attach-os-disk Option name The name of the management disk. Specify the name of the management disk that was created in Step 3. In the above example, "sco_mng_disk" is specified. 5. Using the az vm boot-diagnostics command, enable the virtual machine Boot Health Check function so that the serial console can be used. Example az vm boot-diagnostics enable --name scovm --resource-group rscgrp_msdn_westus2 --storage <Enter> The options and parameters are as follows. Option name --name --resource-group --storage The name of the virtual machine. Specify the name of the virtual machine that was created in Step 4. In the above example, "scovm" is specified. The name of the resource group. In the above example, "rscgrp_msdn_westus2" is specified. The BLOB SERVICE endpoint for the storage account. In the above example, " is specified. 6. Refer to "A.2 List of Used Port Numbers" for networks in which virtual machines have been created and configure network security groups. 3.6 Installation (K5 Environments) This section explains the procedure for installation in a K5 environment. Preparation Confirm that the following has already been created: - A network to which this product will be connected - A network for using a Floating IP (if an external connection is necessary) - Connections to external networks (uplinks) When using any of the following, connect the device to the network in advance. - A DHCP server - NTP servers - External authentication servers - A firewall When configuring a firewall, refer to the "A.2 List of Used Port Numbers," and approve the use of the listed port numbers. Procedure 1. Log in to the K5 IaaS Service Portal. 2. Using the [API Execution] screen, create an Object Storage container. a. Configure the following: - HTTP Method: Select "PUT"

48 - Endpoints: Select "objectstorage" - Add "/container_name" to the end of the path displayed for the URI. b. Click the [Execute API] button. c. Confirm the execution results in the response field. 3. Configure the API execution environment. For details, refer to the "FUJITSU Cloud Service K5 API User Guide." 4. Set the DVD of this product in the API execution environment. You can also transfer the vmdk file included on the DVD of this product to the API execution environment. 5. Create the shell for registering the image of this product in the created Object Storage container. Refer to the following when creating the shell. #!/bin/bash../get_token.sh CONTAINER=<container_name> OBJECT=<image_file_of_this_product (for example: "SCO_v110_k5-disk1.vmdk")> UPLOAD_FILE=<name_of_the_image_file_of_this_product (for example: "./SCO_v110_k5-disk1.vmdk")> # Upload object echo "*** CURL" echo 'curl -Ss -T '$UPLOAD_FILE' '$OBJECTSTORAGE'/v1/AUTH_'$TENANT_ID'/'$CONTAINER'/'$OBJECT' -X PUT -H "Transfer-Encoding: chunked" -H "X-Detect-Content-Type: true" -H "Accept:application/ json" -H "X-Auth-Token: '$OS_AUTH_TOKEN'"' resp=`curl -Ss -T $UPLOAD_FILE $OBJECTSTORAGE/v1/AUTH_$TENANT_ID/$CONTAINER/$OBJECT -X PUT -H "Transfer-Encoding: chunked" -H "X-Detect-Content-Type: true" -H "Accept:application/json" -H "X- Auth-Token: $OS_AUTH_TOKEN"` echo $resp jq. 6. Use the shell to register the image of this product in the Object Storage container. The image file of this product that you registered using the shell is placed in the corresponding folder. 7. Log in to the K5 IaaS Service Portal. 8. Using the [API Execution] screen, confirm the objects registered in the Object Storage container. a. Configure the following: - HTTP Method: Select "GET" - Endpoints: Select "objectstorage" - Add "/container_name" to the end of the path displayed for the URI. b. Click the [Execute API] button. c. Confirm in the response field that the object has been registered. 9. Using the [API Execution] screen, register the image of the object that was registered in the Object Storage container. a. Configure the following: - HTTP Method: Select "POST" - Endpoints: Select "vmimport" - For the URI, input the following path of the API for image registration. /v1/imageimport - Configure the following request parameters in the request body

49 Request Parameter name location min_ram min_disk os_type activate Image name Value Object name in the container ("/v1/auth_tenant_id/container_name/ object_name") Memory capacity (MB) Disk capacity (GB) centos true b. Click the [Execute API] button. c. Confirm in the response field that execution of the API was accepted. 10. From the [Execute API] screen, confirm image registration status. a. On the [Execute API] screen, configure the following. - HTTP Method: Select "GET" - Endpoints: Select "vmimport" - For the URI, input the following path of the API for image registration. /v1/imageimport/{import_id}/status The import process ID that the request API returns in Step 9 is import_id. b. Click the [Execute API] button. c. Confirm whether image registration has been completed based on the response. 11. When processing completes, the image will be registered on the [Image List] screen, with the image name specified during image registration. 12. On the [Image List] screen, select the registered image and click the [Action] button. From the displayed pull-down menu, select "Create Storage." 13. On the [Create Storage] screen, create the storage in which the image of this product will be stored. a. Configure the following: - Specify the storage name - Select the type - Specify the disk size - Select the AZ 14. Using the [Key Pair List] screen, create the key pair to be used by this product. 15. Using the [Virtual Network List] screen, create the local network for this product. Create a subnet as well. 16. On the [Virtual router list] screen, select the created virtual router and click the [Action] button. From the displayed pull-down menu, select "Gateway settings." a. On the [Gateway settings] screen, configure the following. - Select the external virtual network 17. On the [Virtual Router List] screen, select the created virtual router, and add an interface to it. a. On the [Add interface] screen, configure the following: - For the subnet, select the subnet of the local network that was created in advance - For the IP address, select the IP address of the gateway of the selected subnet

50 18. From the [Virtual Server List] screen, create the virtual server on which this product will operate. Configure the following: - Select the AZ - Specify the virtual server name - Select the virtual server type - Select the boot source (storage) for the virtual server - Select the device name - Select the virtual network to connect to - Select the key pair - Select the security group (security groups must be created in advance) - It is not necessary to specify a provisioning script 19. On the [Virtual Server List] screen, confirm that the status of the created virtual server becomes "ACTIVE." 20. If an external connection is necessary for the virtual server of this product, use the [Global IP List] screen to allocate a global IP to the virtual server. 3.7 Installation (OpenStack Environments) This section explains the procedure for installation in an OpenStack environment. Preparations Confirm that the following has already been created. - A network to which this product will be connected - A network for using a Floating IP (if an external connection is necessary) - Connections to external networks (uplinks) When using any of the following, connect the device to the network in advance. - A DHCP server - NTP servers - External authentication servers - A firewall When configuring a firewall, refer to the "A.2 List of Used Port Numbers," and approve the use of the listed port numbers. Procedure 1. Set the DVD of this product in an Admin PC that can connect to the host OS of OpenStack. 2. Log in to the host OS of OpenStack, and then create the directory for storage of the virtual appliance image of this product. 3. Upload the virtual appliance image of this product that was set in the step 1 to the directory created in the step Use the "openstack image create" command targeting the above directory to register the virtual appliance image of this product. Example # openstack image create --disk-format qcow2 --container-format bare --file /root/shizai/ SCO_v110_openstack.qcow2 sco-image <Enter> The options and parameters are as follows

51 Option name --disk-format --container-format --file Parameter The disk format of the virtual appliance image. Specify "qcow2." The container format of the virtual appliance image. Specify "bare." The name of the image file to be registered. Specify the directory name created in step 2 and the file name uploaded in step 3. In the preceding example, "/root/shizai/sco_v110_openstack.qcow2" is specified. The name of the virtual appliance image to be created. In the preceding example, "sco-image" is specified. 5. Use the "openstack flavor create" command to register a flavor with the flavor information of this product. Example # openstack flavor create --id auto --ram disk 60 --vcpus 2 sco-flavor <Enter> The options and parameters are as follows. Option name --id --ram --disk --vcpus Parameter The ID of the flavor. If "auto" is specified, a UUID will be generated automatically. The memory size (MB). Specify a value by referring to "1.6.1 Virtual Appliance Resource Requirements." The disk size (GB). Specify a value no less than 60. The number of the virtual CPUs. Specify a value by referring to "1.6.1 Virtual Appliance Resource Requirements." The name of the flavor to be created. In the preceding example, "sco-flavor" is specified. 6. Generate a key pair using the ssh-keygen command or another method, and then use the "openstack keypair create" command to register that key pair. Example # openstack keypair create --public-key /root/.ssh/id_rsa.pub sco-keypair <Enter> The options and parameters are as follows. Option name --public-key Parameter The file path of the public key. In the preceding example, "/root/.ssh/id_rsa.pub" is specified. The name of the key to be created. In the preceding example, "sco-keypair" is specified. 7. Use the "openstack volume create" command to create a new volume

52 Example # openstack volume create --size 60 --image sco-image sco-volume <Enter> The options and parameters are as follows. Option name --size --image Parameter The size of the volume (GB). Specify a value no less than 60. The name of the virtual appliance image to be used. Specify the virtual appliance image name that has been specified for the "openstack image create" command in step 4. In the preceding example, "sco-image" is specified. The name of the volume to be created. In the preceding example, "sco-volume" is specified. 8. Use the "openstack server create" command to create and start a new virtual server. Example # openstack server create --volume sco-volume --flavor sco-flavor --key-name sco-keypair --nic net-id=4f6df1ac-5b97-4f97-ac75-a19ae8f385ba sco-server <Enter> The options and parameters are as follows. Option name --volume --flavor --key-name --nic net-id= Parameter The name of the volume to be used when starting. Specify the volume name that has been specified for the "openstack volume create" command in step 7. In the preceding example, "sco-volume" is specified. The name of the flavor to be used for the virtual server. Specify the flavor name that has been specified for the "openstack flavor create" command in step 5. In the preceding example, "sco-flavor" is specified. The name of the key to be used for the virtual server. Specify the name of the key that has been designated for the "openstack keypair create" command in step 6. In the preceding example, "sco-keypair" is specified. The ID of the NIC to be used for the virtual server. Specify the ID of the network created for this product. (*1) In the preceding example, "4f6df1ac-5b97-4f97-ac75-a19ae8f385ba" is specified. The name of the virtual server to be created. In the preceding example, "sco-server" is specified. *1: To confirm the ID of the NIC to specify for --nic net-id, use the following procedure. # openstack network list <Enter> 9. If an external connection is necessary for the virtual server of this product, use the "openstack floating ip create" command to allocate a floating IP to the virtual server. Example # openstack floating ip create --port a35b77a4-3f5a-460c-92ac-92316cde07a0 sco-network <Enter>

53 The options and parameters are as follows. --port Option name Parameter The port (name or ID) to be associated with the floating IP. Specify a port that has an IP address allocated for the virtual server that has been created using the "openstack server create" command in step 8. (*2) In the preceding example, "a35b77a4-3f5a-460c-92ac-92316cde07a0" is specified. The network (name or ID) from which a floating IP will be allocated. In the preceding example, "sco-network" is specified. *2: To confirm the port identifier to specify for --port, use the following procedure. Example # openstack port list --server sco-server <Enter> The options and parameters are as follows. Option name --server The name of the virtual server. Specify the name of the virtual server created using the "openstack server create" command in step 8. In the preceding example, "sco-server" is specified. 3.8 Setup This section explains setup Flow of Setup The flow of setup is as follows: 1. Initialization 2. Configuration of the Web browser 3. Configuration of the System Initialization This section explains initialization. The flow of initialization is as follows: 1. Execution of the initialization wizard 2. Configuring the SSH Authentication Method 3. Configuration of routing 4. Setting the system clock 5. Configuration of HTTPS communication 6. Changing of the HTTPS port number Executing the Initialization Wizard This section explains the procedure for initialization using the initialization wizard. You can omit executing the initialization wizard in the following cases:

54 - For on-premises (VMware, KVM) When there is one virtual NIC being used and when a DHCP server can be used. - For the cloud (AWS, Azure, K5, OpenStack) When a DHCP server can be used. Preparations - If you did not start the virtual machine during installation, use the functions of the server virtualization software on the installation destination to start the virtual appliance. - Refer to " Designing the Console User" for the account of the console user, and note down the information. - Refer to " Designing the File Transfer User" for file transfer users and note down the information. - Refer to "2.6 Designing Network Environments" for the items to configure in the initialization wizard, and decide them in advance. - To change the items specified in the Initialization Wizard, start the Initialization Wizard again. In addition, to make a restoration to the state just after the installation, save a snapshot just after the installation, and use the snapshot to restore to that state. Procedure 1. Log in to the console using the console user account. 2. Execute the following command in the current directory to launch the initialization wizard. (After typing "init," pressing the <Tab> key can supplement entry of the initial_setup command) # initial_setup <Enter> 3. Follow the instructions in the initialization wizard to configure the initial settings. Note - The default keymap is "us". Please be careful while entering information (e.g. changing password) before setting the keymap. - If the <ESC> key or <Alt> + <any another key> is pressed while the initialization wizard is running, the wizard may be aborted. When aborted, press the <Ctrl>+<c> key to terminate the initialization wizard, and then execute the wizard again to redo the configuration from the beginning. Step Screen Title Task Details Check Command (*1) 1 menu Select whether to start the initialization wizard. None - Setup: Start the initialization wizard - Exit: Close the initialization wizard 2 Change Password Changes the password of console users and file transfer users. To change users, select from the following. None 3 Configure Network Uses - administrator: console user - secftpuser: file transfer user For details, refer to " Designing the Console User"or " Designing the File Transfer User." If you change the password, you will be prompted to re-enter the new password for the purpose of confirmation. If you do not change the password, select the [<Next>] button. From a security standpoint, it is recommended that you change the password. Determine the purpose of the virtual NIC. In the sequence of Admin interface, WAN-side interface, and None

55 Step Screen Title Task Details Check Command (*1) LAN-side interface, select the virtual NIC to be used from the following. - br-eth0 - br-eth1 - br-eth2 Virtual NICs that will be used may be overlapped. When not making any changes, select the [<Next>] button. If the purpose of a virtual NIC has not been determined, the [<Next>] button is not displayed. 4 Network Uses Confirmation Check the content of the settings for the purpose of virtual NICs. If there are no problems with the content, click the [<OK>] button. 5 Configure Network Select a virtual NIC to configure the network from the list, and then perform the following steps. None None - DHCP configuration (Step 7) - Network address configuration (Step8) - DNS configuration (Step 9) - Domain configuration (Step 10) - Gateway configuration (Step 11) Virtual NICs that have already been configured are indicated with "[Set]." Once you have finished the settings, select the [<Next>] button and proceed to Step Configure Network When configuring the network, select the [<Edit>] button, and when executing reset, select the [<Reset>] button. If reset is executed, the value reverts to the value when the Initialization wizard started. 7 Configure DHCP Configure whether to use a DHCP server. When not making any changes, skip this step. None wacadm network show Note When configuring a pass bridge, it is not possible to select "Enable" (A DHCP server will be used) for the WAN-side Interface. 8 Configure Network Configure the network address (IP address and subnet mask). When not making any changes, skip this step. When using a DHCP server, this step is skipped automatically. 9 Configure DNS Configure the DNS server (the primary and secondary). When not making any changes, skip this step. When using a DHCP server, this step is skipped automatically. wacadm network device wacadm network show

56 Step Screen Title Task Details Check Command (*1) Note When using multiple virtual NICs, configure as follows according to DHCP server usage. - When using a DHCP server Specify the DNS server in the DHCP server settings so that it will be configured automatically by the DHCP server. - When not using a DHCP server Specify only for virtual NICs that can make access to the network connected to the DNS server. 10 Configure Domain Configure the domain name. When not making any changes, skip this step. wacadm network show Note When using multiple virtual NICs, configure as follows according to DHCP server usage. - When using a DHCP server Specify a domain name in the DHCP server settings so that it will be configured automatically by the DHCP server. - When not using a DHCP server Specify only for virtual NICs that can make access to the network connected to the DNS server. 11 Configure Network Configure the gateway address. When not making any changes, skip this step. When not connecting to a WAN, or when using a DHCP server, this step is skipped automatically. 12 Network Confirmation Confirm the configured content. If there are no problems, click the [<OK>] button, and proceed to network selection (Step 5). 13 Remaining Setting Confirm whether or not to execute the following settings. wacadm route show None None - Host name settings (Step 14) - Keymap settings (Step 15) - NTP server settings (Step 16) - Time zone settings (Step 17) When not making any changes, skip this step. 14 Setting Hostname Set the host name. When not making any changes, skip this step. Skip this step when using OpenStack or K5, since the host name is configured automatically. When using a DHCP server, this step is skipped automatically. wacadm system show

57 Step Screen Title Task Details Check Command (*1) 15 Configure Keymap Configure the keymap. When not making any changes, skip this step. 16 Configure NTP Configure whether to enable NTP servers. When not making any changes, skip this step. wacadm locale show wacadm time show Note When enabling the NTP servers, set the configuration so that the host OS also uses the same NTP server for time synchronization. 17 Configure time zone Configure the time zone. When not making any changes, skip this step. 18 Confirmation Check the content of the settings. If there are no problems with the content, click the [<OK>] button. 19 Result The results of the setting content are displayed. If there are no problems with the content, a success message will be displayed If there are any problems with the content, an error message will be displayed. Make the necessary corrections. 20 Reboot During reflection of the content of the settings, a message prompting reboot of the system is displayed. Clicking the [<OK>] button reboots the system. wacadm time show None None None Note The system is required to be restarted to activate the setting content. If the Initialization Wizard terminates without restarting the system, restart the system by executing the following command. # wacadm power restart <Enter> For details, refer to "wacadm power Command" in the "Reference Guide." *1: The check command column contains the commands for checking the content set in the initialization wizard. When the initialization wizard is started, previously set content is displayed as the initial value so you can check the settings you have made. To check only part of the set content, execute the commands described in the check command column. For details on the corresponding commands, refer to "Commands" in the "Reference Guide." Configuring the SSH Authentication Method This section explains the procedure for configuring the SSH Authentication Method (password authentication or public key authentication) when performing an SSH connection to SCO-VA. Users targeted for these settings are console users and file transfer users. For details on console users, refer to " Designing the Console User." For details on file transfer users, refer to " Designing the File Transfer User." If it is not necessary to change the default settings, it is not necessary to perform this operation. However, from a security standpoint, it is recommended that you configure public key authentication when using the cloud (AWS, Azure, K5, or OpenStack). Passwords to be used in password authentication are the current passwords of console users or file transfer users

58 Procedure (For configuring public key authentication) 1. Transfer the public key file to the file transfer area. Transfers are performed on an Admin PC and use SFTP (use a file transfer user account). For details on file transfer areas, refer to " SFTP Access." Example When the SCO-VA IP address is and the public key file is id_rsa.pub # sftp secftpuser@ <Enter> secftpuser@ 's password: password <Enter> Connected to sftp> put id_rsa.pub <Enter> Uploading id_rsa.pub to /sftp/id_rsa.pub id_rsa.pub sftp> bye <Enter> 2. Log in to the console using the console user account. 3. Perform the following command to configure the SSH authentication method of the user to public key authentication. Specify the public key file that was transferred in Step 1. Example When modifying console users # wacadm user modify -auth-type public-key -file id_rsa.pub administrator <Enter> For details, refer to "wacadm user Command" in the "Reference Guide." Note Since it is necessary to change authentication back to password authentication when configuration for public key authentication fails, do not log out of the SSH connection until configuration for public key authentication is complete. 4. Using public key authentication, confirm that an SSH connection can be made to SCO-VA with the user that was modified in Step 3. a. If you have modified a console user, log in with a different SSH connection from the connection you used in Step 3. If you have modified a file transfer user, log in with a SFTP connection. b. If you cannot log in, perform the following steps. 1. Using the SSH connection from Step 3, change the authentication back to password authentication. For the procedure to change the authentication back to password authentication, refer to "Procedure (For configuring password authentication)." 2. Confirm whether the public key file and secret key used in the SSH connection in Step 4 are correct. 3. Change to public key authentication again. c. If you were able to log in, log out of the SSH connection you performed in Step 3 and Step 4. Procedure (For configuring password authentication) 1. Log in to the console using the console user account. 2. Perform the following command to configure the SSH authentication method of the user to password authentication

59 Example When modifying console users # wacadm user modify -auth-type password administrator <Enter> For details, refer to "wacadm user Command" in the "Reference Guide." Note Do not log out of the SSH connection until configuration for password authentication is complete. 3. Using password authentication, confirm that an SSH connection can be made to SCO-VA with the user that was modified in Step 3. a. If you have modified a console user, log in with a different SSH connection from the connection you used in Step 2. If you have modified a file transfer user, log in with a SFTP connection. b. If you cannot log in, confirm whether the password you entered is correct. c. If you were able to log in, log out of the SSH connection you performed in Step 2 and Step Configuring Routing This section explains the procedure for configuring routing. Perform this procedure if a router exists between the admin PC or the TCP communication app and SCO-VA. Procedure Execute the following command to configure routing to access the TCP communication app or the admin PC from SCO-VA. Example When the network address of the Admin PC is /24, the router of the network that SCO-VA connects to is , and the admin interface is br-eth0: # wacadm route add -net gw netmask br-eth0 <Enter> For details, refer to "wacadm route Command" in the "Reference Guide." Results Confirmation Execute the following command and confirm the results. # wacadm route show <Enter> Destination Gateway Genmask Flags Metric Ref Use Iface UG br-eth U br-eth0 For details, refer to "wacadm route Command" in the "Reference Guide." Setting the System Time This section explains the procedure for setting the system time. If no changes are necessary, or if NTP servers are enabled, then it is not necessary to perform this operation. Point How to confirm whether an NTP server is enabled

60 Perform the following command and if "NTP synchronized: yes" is displayed, the NTP server is enabled. # wacadm time show <Enter> Local time: Fri :18:29 UTC Universal time: Fri :18:29 UTC Time zone: Etc/UTC (UTC, +0000) NTP enabled: yes NTP synchronized: yes RTC in local TZ: no DST active: n/a NTP Servers: 210 Number of sources = 1 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* us[+3925us] +/- 10.2s For details, refer to "wacadm time Command" in the "Reference Guide." Procedure Execute the following command to configure the date/time. Example To configure the date and time to June 1st, 2018/11:26:00: # wacadm time set-time :26:00 <Enter> For details, refer to "wacadm time Command" in the "Reference Guide." Results Confirmation Execute the following command and confirm the results. # wacadm time show <Enter> Local time: Fri :26:00 UTC Universal time: Fri :26:00 UTC Time zone: Etc/UTC (UTC, +0000) NTP enabled: no NTP synchronized: no RTC in local TZ: no DST active: n/a NTP Servers: 506 Cannot talk to daemon For details, refer to "wacadm time Command" in the "Reference Guide." Configuring HTTPS Communication This product performs HTTPS communication with Web browsers (Admin PC), and uses SSL server certificates for encryption of communication data and mutual authentication. During installation, self-signed certificates are used. There are no problems with using self-signed certificates in an intranet that is protected by a firewall, or another type of network in which all communication partners are trustworthy and there is no risk of certificates being spoofed. However, when using a Web browser, the following warnings are displayed regarding use of this product over the Internet: - When starting a Web browser and first connecting to this product, a warning regarding security certificates is displayed

61 - When using Internet Explorer to connect to this product, the background of the address bar turns red, and "Certificate error" is displayed on the right side of the address bar. In addition, a warning icon from the phishing risk detection function is displayed in the status bar. To stop the display of these warnings when specifying the URL of this product, it is necessary to create an SSL certificate corresponding to the IP address or host name of this product, and import that certificate into your Web browser. The detailed procedure, from creating the SSL server certificate to importing it, is shown below. Creating the SSL Server Certificate Using a user PC (Windows or Linux), execute the openssl command to create an SSL server certificate. Be sure to create a server certificate without a pass phrase. Example When specifying " " as the IP address of this product and an SSL server certificate validity period of 20 years (-days 7300) >openssl.exe req -sha256 -new -x509 -nodes -newkey rsa:2048 -out example.crt -keyout example.key - days config openssl.cnf <Enter> Loading 'screen' into random state - done Generating a 2048 bit RSA private key writing new private key to 'example.key' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) []:<Enter> State or Province Name (full name) []:<Enter> Locality Name (eg, city) []:<Enter> Organization Name (eg, company) []:<Enter> Organizational Unit Name (eg, section) []:<Enter> Common Name (eg, YOUR name) []: <Enter> Address []:<Enter> The option and input items for the openssl command are described below. For details on each item, refer to "2.6 Designing Network Environments." - Option -out -keyout -days -config - Input Items Option Specify the name of the crt file to generate. Specify the name of the key file to generate. The validity period of the SSL server certificate. Specify openssl.cnf, in which the default operations of the openssl command are described. Prepare openssl.cnf in advance. Country Name Input Item State or Province Name Specify a two-character country code (ISO-3166). Specify the state or province name

62 Input Item Locality Name Organization Name Organizational Unit Name Common Name Address Specify the locality name. Specify the organization name. Specify the organization unit name. Specify the IP address or the host name (FQDN) of the virtual machine on which this product operates. This item is mandatory. Specify the address. Registering the SSL Server Certificate Register the SSL server certificate using the following procedure: 1. Log in to the console using the console user account. For information about the console user, refer to " Designing the Console User." 2. If necessary, back up the existing SSL server certificate. The procedure is as follows: a. Execute the following command to export the SSL server certificate to the file transfer area. # wacadm sslcert export <Enter> For details on this command, refer to "wacadm sslcert Command" in the "Reference Guide." For file transfer area, refer to " SFTP Access." b. Forward the SSL server certificate that was exported to the file transfer area to the admin PC. To forward the certificate, use SFTP (using the file transfer user account) on the admin PC. For file transfer users, refer to " Designing the File Transfer User." Example When the SCO-VA IP address is and the SSL server certificate is server.crt and server.key # sftp secftpuser@ <Enter> secftpuser@ 's password: password <Enter> Connected to sftp> ls <Enter> server.crt server.key sftp> get server.crt <Enter> Fetching /sftp/server.crt server.crt server.crt sftp> get server.key <Enter> Fetching /sftp/server.key server.key server.key sftp> bye <Enter> 3. Forward the created SSL server certificate to the file transfer area. To forward the certificate, use SFTP (using the file transfer user account) on the admin PC. Example When the SCO-VA IP address is and the SSL server certificate is example.crt and example.key # sftp secftpuser@ <Enter> secftpuser@ 's password: password <Enter> Connected to

63 sftp> put example.crt <Enter> Uploading example.crt to /sftp/example.crt example.crt sftp> put example.key <Enter> Uploading example.key to /sftp/example.key example.key sftp> bye <Enter> 4. Register the SSL server certificate that was forwarded in Step 3 via the following command. Example When the SSL server certificate is example.crt and example.key # wacadm sslcert set -key example.key -crt example.crt <Enter> For details, refer to "wacadm sslcert Command" in the "Reference Guide." If a pass phrase is requested when registering the SSL server certificate, abort the registration, delete the pass phrase, and then redo from step 2. Example Procedure to delete the pass phrase >ren example.key example-pass.key <Enter> >openssl.exe rsa -in example-pass.key -out example.key <Enter> Enter pass phrase for example-pass.key: password <Enter> The options for openssl.exe are as follows. Option name -in -out Specify a key file with a pass phrase. In the preceding example, "example-pass.key" is specified. Specify a key file name to create without a pass phrase. In the preceding example, "example.key" is specified. 5. Execute the following command to reflect the SSL server certificate in the HTTP service of this product. # wacadm service restart fjsvwaccp-webserver.service <Enter> For details, refer to "wacadm service Command" in the "Reference Guide." Confirming Registration of the SSL Certificate Confirm that the SSL server certificate has been registered using the following procedure: 1. Log in to the console using the console user account. 2. Execute the following command to see the SSL server certificate. # wacadm sslcert show <Enter> For details, refer to "wacadm sslcert Command" in the "Reference Guide." Importing the SSL Server Certificate Import the SSL server certificate to your Web browser. The procedure for importing varies depending on the Web browser being used

64 Changing the HTTPS Port Number If it is necessary to change the HTTPS port number, perform the following procedure. If no change is necessary, it is not necessary to perform this operation. Procedure 1. Log in to the console using the console user account. 2. Change the HTTPS port number by the following command. Example When changing the port number to 1024 # wacadm service modify -port 1024 <Enter> You need to reboot the system to enable the new settings. Immediately reboots the system. [y/n]: y <Enter> For details, refer to "wacadm service Command" in the "Reference Guide." Configuring the Web Browser This section explains the Web browser configuration that is necessary for performing system configuration. The flow of Web browser configuration is as follows: 1. Enabling JavaScript 2. Enabling Cookies 3. Configuring SSL/TLS 4. Disabling Internet Explorer Compatibility View Enabling JavaScript Enable JavaScript in your Web browser. The procedure for enabling JavaScript is as follows: For Internet Explorer 1. Select [Tools]-[Internet options] to display the [Internet Options] window. 2. Open the [Security] tab and select [Trusted sites]. Then, click the [Sites] button to display the [Trusted sites] window. 3. Input the URL of this product in [Add this website to the zone], and then click the [Add] button. The input URL is added to the [Websites] list. 4. Click the [Close] button to return to the [Internet Options] window. 5. Select [Trusted sites], and then click the [Custom level] button to display the [Security Settings] window. 6. On the [Security Settings] window, in [Scripting] find [Active scripting] and select [Enable]. For Microsoft Edge No configuration is necessary. For Chrome 1. Click the [...] (Google Chrome settings) menu button on the top right of the browser screen. Click [Settings] on the displayed menu to display the [Settings] tab

65 2. On the [Settings] tab, select [Advanced]-[Privacy and security], and then click [Content settings] to display the [Content settings] screen. 3. Click [JavaScript] to display the [JavaScript] settings screen. 4. Turn on [Allowed (recommended)]. If there are some sites for which you wish to disable JavaScript from functioning, turn off [Allowed (recommended)], and add the URL of this product to the list of allowed sites Enabling Cookies Enable cookies in your Web browser. The procedure for enabling cookies is as follows: For Internet Explorer 1. Select [Tools]-[Internet options] to display the [Internet Options] window. 2. Open the [Privacy] tab, and click the [Advanced] button. The [Advanced Privacy Settings] window is displayed. 3. Check the [Override automatic cookie handling] checkbox, and select [Accept] under [First-party Cookies]. For Microsoft Edge 1. Click the [...] (Settings and more) menu button on the top right of the browser screen. Click [Settings] on the displayed menu to display the [Settings] menu. 2. Click the [View advanced settings] button under the [Advanced settings] category to display the [Advanced settings] menu. 3. Find [Cookies] under the [Privacy and services] category, and select [Don't block cookies]. For Chrome 1. Click the [...] (Google Chrome settings) menu button on the top right of the browser screen. Click [Settings] on the displayed menu to display the [Settings] tab. 2. On the [Settings] tab, select [Advanced]-[Privacy and security], and then click [Content settings] to display the [Content settings] screen. 3. Click [Cookies] to display the [Cookies] settings screen. 4. On the [Cookies] settings screen, turn on [Allow sites to save and read cookie data (recommended)] Configuring SSL/TLS If TLS1.1 is not necessary, enable TLS1.2 only for the Web browser security settings. The procedure for configuration is as follows. For Internet Explorer 1. Select [Tools]-[Internet options] to display the [Internet Options] window. 2. Open the [Advanced] tab on the [Internet Options] screen and under [Security] in [Settings], check the [Use TLS 1.2] checkbox and clear the following checkboxes. - [Use SSL 2.0] - [Use SSL 3.0] - [Use TLS 1.0] - [Use TLS 1.1] For Microsoft Edge 1. Click [Internet Options] in the Control Panel to display the [Internet Properties] screen

66 2. Open the [Advanced] tab on the [Internet Properties] screen and under [Security] in [Settings], check the [Use TLS 1.2] checkbox and clear the following checkboxes. - [Use SSL 2.0] - [Use SSL 3.0] - [Use TLS 1.0] - [Use TLS 1.1] For Chrome 1. Click the [...] (Google Chrome settings) menu button on the top right of the browser screen. Click [Settings] on the displayed menu to display the [Settings] tab. 2. On the [Settings] tab, select [Advanced], and then click [System]-[Open proxy settings] to display the [Internet Properties] screen. 3. Open the [Advanced] tab on the [Internet Properties] screen and under [Security] in [Settings], check the [Use TLS 1.2] checkbox and clear the following checkboxes. - [Use SSL 2.0] - [Use SSL 3.0] - [Use TLS 1.0] - [Use TLS 1.1] Disabling Internet Explorer Compatibility View When using Internet Explorer, disable Compatibility View. The procedure for disabling is as follows: 1. Select [Tools]-[Compatibility View settings] to display the [Compatibility View Settings] window. 2. On the [Compatibility View Settings] window, if the URL of this product is displayed under [Websites you've added to Compatibility View:], select the URL, and click the [Remove] button. 3. Clear the [Display intranet sites in Compatibility View] checkbox. Note that performing this step may disable Compatibility View for some sites for which it was enabled. As a result, the appearance of these sites may change. If this change in appearance interferes with your ability to operate any of these sites, input the URLs of the relevant sites from the [Compatibility View Settings] window to enable Compatibility View for the relevant sites Configuring the System This section explains system configuration. The flow of system configuration is as follows: 1. Creation of the initial user 2. Configuration of notification destinations 3. Configuration of external authentication servers 4. Addition of users 5. Setting of the license Creating the Initial User This section explains the procedure for creating the initial user used to log in to the Web GUI

See It is possible to create initial users on the REST API. For details, refer to "Initial User Creation" in the "Reference Guide." Procedure 1. Open a Web browser window on the admin PC. 2.

67 See It is possible to create initial users on the REST API. For details, refer to "Initial User Creation" in the "Reference Guide." Procedure 1. Open a Web browser window on the admin PC. 2. Specify the following URL to connect to the Web console. The [Create initial user account] screen is displayed. Figure 3.1 [Create initial user account] Screen 3. Configure the necessary items and then click the [Done] button. The Web GUI is displayed. For details on the necessary items, refer to " Designing Local Authentication." Items marked with "*" on the screen are mandatory Configuring Notification Destinations For the procedure for configuring notification destinations, refer to "4.3.6 Mail Server and Notification Destinations." If notification is not necessary, then it is not necessary to perform this operation. These settings can also be configured during operation if necessary Configuring External Authentication Servers For the procedure for configuring external authentication servers, refer to " Registering Authentication Servers." When not using external authentication, it is not necessary to perform this operation. These settings can also be configured during operation if necessary Adding Users For the procedure for adding users, refer to " Creating Local Authentication Users." If it is not necessary to add users, then it is not necessary to perform this operation. Users can also be added during operation if necessary

3.8.4.5 Setting the License This section explains the procedure for configuring a license for use of this product. See It is possible to configure licenses on the REST API.

Clicking the [Settings] icon on the global pane of the Web GUI displays the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[license] to display the [License] screen. 3.

68 Setting the License This section explains the procedure for configuring a license for use of this product. See It is possible to configure licenses on the REST API. For details, refer to "Licenses" in the "Reference Guide." Preparations Confirm that a license has been obtained in advance. For details on licenses, refer to "1.5 Licenses." Procedure 1. Clicking the [Settings] icon on the global pane of the Web GUI displays the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[license] to display the [License] screen. 3. On the [License] screen, select [Action]-[Add] to display the [Register license] screen. 4. For [License], input the license key, and then click the [Done] button. Results Confirmation Registration of the license is processed asynchronously. For this reason, when the number of active processes on the Global Pane is "0," confirm that the following are displayed in the [License] screen. Item Name Registration date License name Throughput upper limit Expiration date Displays the date the license was registered. Displays the name of the registered license. Displays the throughput upper limit of the license that was registered. For official licenses, "Unlimited" is displayed. For a trial license, the expiration date of the license is displayed

69 Item Name In addition, when using a trial license, the number of days remaining until the license expires is displayed in the Global Pane of the Web GUI. Point Changing Licenses - Changing from a trial license to an official license When a trial license has expired, the corresponding message is output to the event log, and the service ports for all transparent proxies are disabled. In order to resolve this, it is necessary to change from the expired trial license to an official license. To change the license, open the [Register license] screen and overwrite the key input for [License] with the key of an official license, and then click the [Done] button. - Changing official licenses When an official license has been registered, it is no longer possible to execute [Action]-[Add]. Note Precautions for when a license has been changed When all of the following conditions have been met there are cases where the traffic control upper limit may become lower than before the license was changed. - When you are using the Traffic Control function. - When you have made the license throughput upper limit smaller than it was previously. 3.9 Preparing Operating Environments This section explains preparation of operating environments Configuring IP Address Conversion for WAN Connection Routers When using global IP addresses to communicate over a WAN, it is necessary to configure IP address conversion on the WAN connection router. This section explains the procedure for configuring IP address conversion. For detailed instructions, refer to the manual of the router being used. Procedure 1. Log in to the WAN connection router. 2. Configure IP address conversion between private and global IP addresses. If a server other than the one for this product will also perform WAN communication using the same global IP address, perform configuration so that SNAPT is used. If this is not the case, perform configuration so that 1:1 NAT is used. 3. Log out of the WAN connection router Adding Transparent Proxies Add transparent proxies to the installations of SCO-VA deployed at both ends of the connection over the WAN. It is recommended that you register the order of transparent proxies from the server type. For the procedure, refer to "4.5.4 Adding Transparent Proxies" in "Chapter 4 Operation."

70 3.10 Configuring the Default Gateway of the TCP Communication App If the LAN-side interface and the WAN-side interface are shared and the TCP communication app and SCO-VA are in the same network, configure the IP address of the LAN-side interface of SCO-VA to the default gateway of the TCP communication app. For a configuration example of the TCP communication app that coordinates with TCP, refer to the "Appendix C Default Gateway Configuration Example of Coordination with the TCP Communication App." 3.11 Uninstallation This section explains uninstallation of this product Uninstallation (VMware Environments) This section explains the procedure for uninstallation in VMware environments. Procedure 1. Stop the system. For details, refer to "4.7 Stopping and Restarting the System and Services." 2. Start vsphere Web Client. 3. Right-click the installed virtual machine of this product, and select [Delete from Disk]. 4. When keeping the TCP communication app and uninstalling SCO-VA only and when the default gateway of the TCP communication app is set to SCO-VA, change the default gateway of the TCP communication app to the WAN connection router Uninstallation (KVM Environments) This section explains the procedure for uninstallation in KVM environments. Procedure 1. Stop the system. For details, refer to "4.7 Stopping and Restarting the System and Services." 2. Start Virtual Machine Manager. 3. Right-click the installed virtual machine of this product, and select [Delete]. 4. When keeping the TCP communication app and uninstalling SCO-VA only and when the default gateway of the TCP communication app is set to SCO-VA, change the default gateway of the TCP communication app to the WAN connection router Uninstallation (AWS, Azure, K5 and OpenStack Environments) This section explains the procedure for uninstallation in AWS, Azure, K5 and OpenStack environments. Procedure 1. Stop the system. For details, refer to "4.7 Stopping and Restarting the System and Services." 2. Delete all resources that were created during installation

Chapter 4 Operation This chapter explains how to operate this product. 4.1 Login This section explains the procedure for logging in to the Web GUI from the admin PC. 4.1.1 Configuring the Web Browser Before logging into the Web GUI, configure the Web browser.

71 Chapter 4 Operation This chapter explains how to operate this product. 4.1 Login This section explains the procedure for logging in to the Web GUI from the admin PC Configuring the Web Browser Before logging into the Web GUI, configure the Web browser. The procedure for configuration is as follows: - Enabling JavaScript - Enabling Cookies - Disabling Internet Explorer Compatibility View For details, refer to "3.8.3 Configuring the Web Browser." Logging In This section explains the procedure for logging in to the Web GUI. Procedure 1. Open a Web browser window on the admin PC. 2. Input the URL of this product. URL: 3. The login screen is displayed. Input a user name and password, and click the [Login] button. Item Necessity User name Mandatory Specify a user name. Specify a character string containing up to 512 characters

72 Item Necessity When using external authentication (using LDAP or Active Directory), specify the user name using the format Password Mandatory Specify the password. Specify a character string containing up to 64 characters. Note If the message "This user is already logged in on the same terminal." is output and you cannot log in, close all web browsers and then try to log in again. 4.2 Explanation of the Web GUI This section explains the Web GUI displayed after logging in. If the Web GUI is open for 60 minutes without any operation being performed, the login session is canceled, and the [Force logout] screen is displayed. The following is an explanation of the Global Pane displayed at the top of the Web GUI. Figure 4.1 Global Pane Overall Status ( ) The overall status shows the statuses of transparent proxies. For details on transparent proxy statuses, refer to "4.5.2 Transparent Proxy Statuses." The overall status is one of the following three statuses. Status Normal status. Warning status. There is one or more transparent proxy with warning status. Error status. There is one or more transparent proxy with error status. Clicking the overall status takes you to the [Dashboard] tab. Number of Active Processes ( ) The number of active processes is displayed. When the number of active processes exceeds 50, "+49" is displayed. When the pull down menu is clicked, a list of the active processes and processes completed within the last 24 hours is displayed. Up to 50 items can be displayed. The value for the number of active processes is the number of processes active and does not include the number of processes completed in the last 24 hours

73 Due to this, even when the number of active processes is 0, the process list may still display a list of processes. When the number of active processes is anything other than 0, display the list of active processes and confirm whether or not the process you are attempting to execute is already running. If the same process is running, execute the process after the already running process has completed. The content of the items shown in the list of processes are as seen below. Date Item State/Result The date that process information is updated. The format is YYYY/MM/DD hh:mm:ss. When there are active processes, either of the following will be displayed. - : Submit (Awaiting execution) - : Start (Being executed) If the process is complete, either of the following will be shown. - : Success (Completed successfully) - : Warning (Warning) - : Failed (Failed) Action User name A character string representing the processing content. Example: "Create transparent proxy," "Create User," "Login," "Enable license," etc. The name of the user who performed the operation. When [Date] in the list of processes is clicked, the [Details] screen of processes will be shown. The content of the items shown on the [Details] screen are as seen below. Item Update date Action The date that the latest process is updated. The format is YYYY/MM/DD hh:mm:ss. A character string representing the processing content. Example: "Create transparent proxy," "Create User," "Login," "Enable license," etc

74 Item User name Target The name of the user who performed the operation. The name of the target of operation. One of the following: - transparent_proxy_name: An operation targeting the transparent proxy - -: A logout operation - System: An operation other than those above State The execution status is processing. One of the following is displayed: - Submit: Awaiting execution - Start: Being executed - Complete: Execution complete Result The execution results are processing. One of the following is displayed: - Success: Completed successfully - Warning: Warning - Failed: Failed Detail Message The process parameters. These will be output in the following format: *key1=value, key2=value. Detailed messages of operations. Number of Unconfirmed Event Logs ( ) The number of unconfirmed event logs is displayed. When the number of unconfirmed event logs is clicked, the [Event Log List] screen will be displayed. Furthermore, it is possible to open a separate window by right clicking. On the [Event Log List] screen, event logs in which the status is unconfirmed (confirmation status is unconfirmed) are displayed. For details, refer to "4.4.2 Monitoring Event Logs." Number of Unconfirmed Audit Logs( ) The number of unconfirmed audit logs is displayed. When the number of unconfirmed audit logs is clicked, the [Audit Log List] screen will be displayed

Furthermore, it is possible to open a separate window by right clicking. On the [Audit Log List] screen, logs in which the status is unconfirmed (confirmation status is unconfirmed) are displayed.

75 Furthermore, it is possible to open a separate window by right clicking. On the [Audit Log List] screen, logs in which the status is unconfirmed (confirmation status is unconfirmed) are displayed. For details, refer to "4.4.3 Monitoring Audit Logs." License Status ( ) The license status is displayed. The license statuses and displayed messages are shown below. License Status No license is registered A trial license is registered The period of a trial license has expired An official license is registered Displayed Message No license is applied Trial period expires in {remaining_number_of_days} days Trial period expired No message is displayed For license settings, refer to " Setting the License." Refresh ( ) Refreshes the displayed screen. The screen is automatically refreshed every 30 seconds only on the global pane. Settings ( ) Displays the [Settings] dialog. For details, refer to "4.3.1 Explanation of the [Settings] Dialog." User Menu ( ) Displays the logged in user. The pull down menus of the user menu are described below. Menu Language Used to change the display language of the Web GUI. In the [Language setting] dialog, select either of the following for [Language]: - Japanese - English During the initial login, if the language setting for the Web browser is configured to Japanese, "Japanese" will be configured automatically, while "English" will be configured in the case of any other language setting. If the display language is changed using the [Language setting] dialog, the selected language will be used from the second and later logins. Version The version information is displayed. This information can also be displayed by the following command

76 Menu # wacadm system show <Enter> For details, refer to "wacadm system Command" in the "Reference Guide." License agreement Logout Displays the license agreement. Logs you out of the system and takes you to the login screen. [Dashboard] Tab Displays WAN throughput, event logs, and audit logs. For details, refer to "4.4 Monitoring Using the Dashboard." [Transparent Proxy] Tab Can be used to manage transparent proxies. For details, refer to "4.5 Managing Transparent Proxies." 4.3 Configuring the Operation Environment The operation environment can be configured using the [Settings] dialog Explanation of the [Settings] Dialog Click the [Settings] icon on the Global Pane of the Web GUI to display the [Settings] dialog. The following sections describe each item in the left pane of the [Settings] dialog License For the procedure to configure a license to use this product, refer to " Setting the License." Login Sessions It is possible to check which users are currently logged in. See Login Session management is also possible with REST API. For details, see "Login Session" in the "Reference Guide." List of Login Session Items This section explains the items displayed in the list view and the detailed view of login sessions. How to Read the Table - List: "Yes" or "No" indicates whether the item is displayed when viewing the list of login sessions - Detail: "Yes" or "No" indicates whether the item is displayed when viewing the details of login sessions Item List Details ID Yes Yes The session ID. An automatically generated serial number. Clicking the ID displays the [Login session details] screen. For details, refer to " Displaying the Details of Login Sessions." User name Yes Yes The name of the logged in user

77 Item List Details User role Yes (*1) Yes The role of the logged in user. It can be either of the following: - Administrator: The system administrator. Can use all functions - Monitor: Can only use reference functions Authentication server Yes (*1) Yes The IP address of the authentication server that authenticated the user. Client IP address Yes (*1) Yes The IP address of the client. Last login time Yes (*1) Yes The date and time of the most recent login. The format "YYYY/MM/DD hh:mm:ss" is used. Last operation time Yes (*1) Yes The date and time of the most recent operation. The format "YYYY/MM/DD hh:mm:ss" is used. *1: This item can be set to be displayed or hidden using the [Display settings] dialog. For details, refer to " Displaying the List of Login Sessions" Displaying the List of Login Sessions This section explains the procedure for displaying the list of login sessions. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[login session] to display the [Login session list] screen. For an explanation of the items displayed on the [Login session list] screen, refer to " List of Login Session Items." 3. By clicking the [Display settings] button on the [Login session list] screen, it is possible to change the displayed items Displaying the Details of Login Sessions This section explains the procedure for displaying the details of login sessions. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[login session] to display the [Login session list] screen

3. Click the [ID] of the target session to display the [Login session details] screen. For an explanation of the displayed items, refer to "4.3.3.1 List of Login Session Items.

Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2.

78 3. Click the [ID] of the target session to display the [Login session details] screen. For an explanation of the displayed items, refer to " List of Login Session Items." Performing a Forced Logout This section explains the procedure for forcibly logging out another user. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[login session] to display the [Login session list] screen. 3. Select one or multiple users to forcibly log out, and then click the [Force logout] button. This displays the [Force logout] screen

4. Click the [Done] button. Results Confirmation Confirm that the forcibly logged out user has been removed from the [Login session list] screen. 4.3.

79 4. Click the [Done] button. Results Confirmation Confirm that the forcibly logged out user has been removed from the [Login session list] screen Local Authentication Users This section explains how to manage (display in a list, create, delete, and modify) local authentication users. See Local Authentication User management is also possible with REST API. For details, see "Local Authentication User" in the "Reference Guide." Displaying the List of Local Authentication Users This section explains the procedure for displaying the list of local authentication users. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[local authentication user] to display the [Local authentication user list] screen. The following items are displayed: - ID

80 - User name 3. By clicking the [Display settings] button on the [Local authentication user list] screen, it is possible to change the displayed items, and enable whether each of the following items are displayed: - User role - Mail address - "ID" is an automatically assigned user ID. Clicking it displays the [Local authentication user list] screen. For details, refer to " Displaying the Details of Local Authentication Users." For information on the other items, refer to " Designing Local Authentication." Displaying the Details of Local Authentication Users This section explains the procedure for displaying the details of local authentication users. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[local authentication user] to display the [Local authentication user list] screen. 3. Click the [ID] of the target user to display the [Local authentication user details] screen. The following items are displayed: - ID - User name - User role - Mail address - "ID" is an automatically assigned user ID. For information on the other items, refer to " Designing Local Authentication." Creating Local Authentication Users This section explains the procedure for creating local authentication users

81 Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[local authentication user] to display the [Local authentication user list] screen. 3. Select [Action]-[Create] to display the [Create local authentication user] screen. Configure the following items. Items marked with "*" on the screen are mandatory. - Name - Password (Confirm password) - Role - Mail address - For information on each item, refer to " Designing Local Authentication." 4. Input the necessary items, and then click the [Done] button. Results Confirmation Confirm that the created user is displayed on the [Local authentication user list] screen Deleting Local Authentication Users This section explains the procedure for deleting local authentication users. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[local authentication user] to display the [Local authentication user] screen

82 3. Select one or multiple users to delete, and then select [Action]-[Delete] to display the [Delete user] screen. 4. Click the [Done] button. Results Confirmation Confirm that the deleted users have been removed from the [Local authentication user list] screen. Note - Logged in users cannot be deleted. - There must be at least one internal authentication user with "Administrator" role, which means the last internal authentication user with "Administrator" role cannot be deleted Modifying Local Authentication Users This section explains the procedure for modifying local authentication users. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[local authentication user] to display the [Local authentication user list] screen

83 3. Select the user to modify, and then select [Action]-[Modify] to display the [Modify local authentication users] screen. The following items can be modified: - Password - Role - Mail address - For information on each item, refer to " Designing Local Authentication." Note that it is not possible to modify the role of a logged in user. 4. On the [Modify local authentication users] screen, modify the user information as desired, and then click the [Done] button. Results Confirmation Confirm that the changes made to the user are reflected on the [Local authentication user details] screen. For details, refer to " Displaying the Details of Local Authentication Users." Authentication Servers This section explains how to manage (display in a list, create, delete, and modify) the servers necessary for external authentication Displaying the List of Authentication Servers This section explains the procedure for displaying the list of authentication servers. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog

84 2. In the [Settings] dialog, select [Setting category]-[authentication]-[authentication server] to display the [Authentication server list] screen. The following items are displayed: - ID - IP address - Priority 3. By clicking the [Display settings] button on the [Authentication server list] screen, it is possible to change the displayed items, and enable whether each of the following items are displayed: - Type - Port - Domain - User search base - Group search base - Administrator user - SSL - "ID" is an automatically assigned authentication server ID. Clicking it displays the [Authentication server details] screen. For details, refer to " Displaying the Details of Authentication Servers." For information on the other items, refer to " Designing External Authentication." Displaying the Details of Authentication Servers This section explains the procedure for displaying the details of authentication servers. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[authentication server] to display the [Authentication server list] screen

85 3. Click the [ID] of the target server. If the server type is "LDAP," the [Authentication server(ldap)] screen is displayed. If the server type is "AD," the [Authentication server(ad)] screen is displayed. The following items are displayed: - ID - IP address - Priority level - Port - Domain - User search base - Group search base - Administrator user - SSL - "ID" is an automatically assigned authentication server ID. For information on the other items, refer to " Designing External Authentication." Registering Authentication Servers This section explains the procedure for registering authentication servers. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[authentication server] to display the [Authentication server list] screen

3. Select [Action]-[Add] to display the [Register authentication server] screen. Configure the following items. Items marked with "*" on the screen are mandatory.

86 3. Select [Action]-[Add] to display the [Register authentication server] screen. Configure the following items. Items marked with "*" on the screen are mandatory. - Type - IP address - Port - Domain - User search base - Group search base - Administrator user - Administrator password - SSL - Priority - For information on each item, refer to " Designing External Authentication." 4. On the [Register authentication server] screen, input the necessary items, and then click [Done]. Results Confirmation Confirm that the registered authentication server is displayed on the [Authentication server list] screen Deleting Authentication Servers This section explains the procedure for deleting authentication servers. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog

87 2. In the [Settings] dialog, select [Setting category]-[authentication]-[authentication server] to display the [Authentication server list] screen. 3. Select one or multiple authentication servers to delete, and then select [Action]-[Delete] to display the [Delete authentication server] screen. 4. Click the [Done] button. Results Confirmation Confirm that the deleted authentication servers have been removed from the [Authentication server list] screen. Note Even if an authentication server is deleted, the sessions of users who logged in using that server are not deleted. These users can continue using the Web GUI until they log off Modifying Authentication Servers This section explains the procedure for modifying authentication servers. Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog. 2. In the [Settings] dialog, select [Setting category]-[authentication]-[authentication server] to display the [Authentication server list] screen

88 3. Select the authentication server to modify, and then select [Action]-[Modify] to display the [Modify authentication server] screen. The following items can be modified: - IP address - Port - Domain - User search base - Group search base - Administrator user - Administrator password - SSL - Priority - For information on each item, refer to " Designing External Authentication." 4. Modify the server information as desired, and then click the [Done] button. Results Confirmation Confirm that the changes made to the authentication server are reflected on the [Authentication server (LDAP)] or [Authentication server (AD)] screen. For details, refer to " Displaying the Details of Authentication Servers." Mail Server and Notification Destinations This section explains the procedure for configuring the mail server and notification destinations. See Mail server and notification destinations set up is also possible with REST API. For details, see "Mail Server" and " Notification Destinations" in the "Reference Guide." Procedure 1. Click the [Settings] icon in the global pane of the Web GUI to display the [Settings] dialog

89 2. In the [Settings] dialog, select [Setting category]-[monitoring]-[mail server] to display the [Mail server] screen. The following items are displayed: Items marked with "*" on the screen are mandatory. - SMTP server - Sender mail address - SMTP port - Authentication method - User name - Password - Subject (Fixed) - Number of Retries - Retry Interval (in seconds) - SMTP over SSL For information on each item, refer to "2.9.2 Designing the Notification Function." 3. On the [Mail server] screen, input the necessary items, and then click [Apply]

90 4. In the [Settings] dialog, select [Setting category]-[monitoring]-[mail notification] to display the [Mail notification] screen. 5. On the [Mail notification] screen, input the notification destinations, and then click [Apply]. Up to three notification destinations can be specified. Information To delete the configuration of the mail server and notification destinations, perform the following operations. - Mail server: Delete [SMTP server] and [Sender mail address], and click [Apply]. - notification destination: Delete [Mail address], and click [Apply]. Results Confirmation 1. On the [Mail notification] screen, click the [Send test mail] button. 2. "The test mail will be sent to the specified mail addresses. Is it OK?" is displayed. Click the [Yes] button. 3. Confirm that the specified notification destination addresses receive the test . Mail Content The content of the sent s is as follows. Item Content Subject [Subject_(Fixed)] Smart Communication Optimizer Event Mail The value specified for [Subject (Fixed)] on the [Mail server] screen, with the following character string added to the end. Smart Communication Optimizer Event Mail If nothing has been specified for [Subject (Fixed)], the subject is only the above string. From sender_mail_address The address specified for [Sender mail address] on the [Mail server] screen. To notification_destination_ _address One of the addresses specified for [Mail address 1], [Mail address 2], or [Mail address 3] on the [Mail notification] screen. Body Severity: "Warning" or "Error" Date: date_and_time_of_event Host Name: host_name Target Name: transparent_proxy_name or "System" - Severity: The event level ("Warning" or "Error"). - Date: The date and time on which the event occurred. The ISO 8601 format "YYYY-MM-DDTHH:mm:ssZ" is used. - Host Name: The SCO-VA host name

91 Item Content Message ID: message_id Message: message - Target Name: The name of the target event. - Message ID: The message ID of the event log. - Message: The message body of the event log. The subject and body of the test are as follows. Item Subject Body Content [Subject_(Fixed)] Smart Communication Optimizer Test Mail Severity: Information Date: date_and_time_of_event Host Name: host_name Target Name: - Message ID: - Message: TEST MAIL Troubleshooting Data Collect troubleshooting data when trouble occurs during use of this product. For how to collect troubleshooting data, refer to "Collecting Troubleshooting Data" in the "Reference Guide." 4.4 Monitoring Using the Dashboard This section explains how to monitor using the Dashboard. The Dashboard can be displayed by selecting the [Dashboard] tab of the Web GUI. The following information is displayed: - WAN throughput - Event logs - Audit logs Monitoring WAN Throughput Using the [WAN Throughput] panel of the Dashboard, it is possible to confirm the throughput from all transparent proxies to the WAN (outgoing throughput, "OUT") and the throughput from the WAN to all transparent proxies (incoming throughput, "IN"). The WAN throughput to and from an individual transparent proxy can be confirmed using the [Details] screen for that transparent proxy. For details, refer to "4.5.3 Displaying the Details of Transparent Proxies."

92 Figure 4.2 [WAN Throughput] Panel The [WAN Throughput] panel displays the following information. Name Latest and Maximum Throughput Throughput Transition Latest and maximum values of the throughput are displayed separately for OUT and IN directions. The latest values are the largest values within the last 5 minutes. Maximum value is the highest value in the last two days. The progress of throughput for the past 2 days is displayed in 5 minute intervals. The following four types of throughputs are displayed: - OUT (Max) - IN (Max) - Out (Avg) - IN (Avg) By clicking on the legend, it is possible to toggle whether specific items are displayed or hidden in the line graph. Moving the cursor over a point on a line in the graph displays the date, time, and throughput for that point as a tooltip Downloading Performance Information of the Entire Transparent Proxy On the [WAN Throughput] panel, it is possible to download the performance information for WAN throughput of the entire transparent proxy. The download period is specified by the start date and the end date. For the contents output to the CSV file, refer to "D.1 Contents of Performance Information for Downloading." The downloaded file is compressed to ZIP format. See Downloading performance information is also possible with REST API. For details, see "Performance Information" in the "Reference Guide."

Procedure 1. On the [WAN Throughput] panel, select [Action]-[Download Performance Information] to display the [Download Performance Information] dialog. 2.

93 Procedure 1. On the [WAN Throughput] panel, select [Action]-[Download Performance Information] to display the [Download Performance Information] dialog. 2. In the [Download Performance Information] dialog, specify the target download period. Since the performance information is stored for 31 days, specify it within that period. Item Name Start date End date Start date of the target download period. Specify a date earlier than end date. If omitted, it will be 31 days before the date of downloading. End date of the target download period. Specify a date later than start date. If omitted, it will be the date of downloading. Information About the start time and end time of the target download period The target download period is specified in the [Download Performance Information] dialog. The start time and end time are as follows. - Start time: 00:00:00 of the start date. - End time: 23:59:59 of the end date. However, if the end date is the date when the download is executed, it will be the time of downloading. 3. In the [Download Performance Information] dialog, click [Download] to download the performance information. If the download destination is not set in the Web browser in advance, specify it in the dialog for specifying the download destination. The default filename for performance information is "wacperf_start date_end date.zip." Note To download performance information, the capacity required for management PC is maximum 3.1MB Monitoring Event Logs Event logs record the following types of messages, and can be used to trace the causes of trouble. - Notification messages from transparent proxies - Messages regarding the expiration of trial licenses

- Service monitoring massages Event logs are stored for 31 days. See Event logs monitoring is also possible with REST API.

" On the [Event Log] panel of the dashboard, the event logs of the 50 most recent, unconfirmed, Warning or Error levels will be displayed. Figure 4.

Events logs that have been confirmed are removed from the [Event Log] panel. Figure 4.

94 - Service monitoring massages Event logs are stored for 31 days. See Event logs monitoring is also possible with REST API. For details, see "Event Logs" in the "Reference Guide." On the [Event Log] panel of the dashboard, the event logs of the 50 most recent, unconfirmed, Warning or Error levels will be displayed. Figure 4.3 [Event Log] Panel Clicking on a date in the [Date] column of the [Event Log] panel displays the [Event Log Details] screen for confirming the details of that event. Events logs that have been confirmed are removed from the [Event Log] panel. Figure 4.4 [Event Log Details] Screen Alternatively, click [Display All Logs] on the [Event Log] panel to display the [Event Log List] screen. The [Event Log List] screen displays all event logs, regardless of whether they have been confirmed. Clicking on a date in the [Date] column will also display the [Event Log Details] screen. Figure 4.5 [Event Log List] Screen The operations for the table section of the [Event Log List] screen are shown below

95 Item Items xx/yy Displays the [Filter Event Log List] dialog. It is possible to filter the content displayed on the [Event Log List] screen by specifying some or all of "Confirmation," "Date," "Level," "Target Event," and "Message" as filter conditions and then clicking the [Filter] button. The number of logs after filtering/the total number of logs. Switches to the first page. Switches to the previous page. x/y The current page number/the total number of pages. Switches to the next page. Switches to the last page. Figure 4.6 [Filter Event Log List] Dialog The event log content displayed in each screen is described below. Item Event Log Event Log List Event Log Details Confirmation N o Y es N o Whether the details of the event log have been confirmed using the [Event Log Details] screen. When the status has not been confirmed (unconfirmed), will be displayed. When the status has been confirmed (confirmed), nothing will be displayed. Date Y es Y es Y es The date and time on which the event occurred. The format "YYYY/MM/DD hh:mm:ss" is used. Clicking a date on the [Event Log] panel or the [Event Log List] screen displays the [Event Log Details] screen. Level Y es Y es Y es The level of the event log. One of the following is displayed: - Error: Error level - Warning: Warning level - Information: Information level

96 Item Event Log Event Log List Event Log Details Note that only the icon for the event level is displayed on the [Event Log] panel and the [Event Log List] screen. Target Event N o Y es Y es The name of the target event. It will be either of the following: - transparent_proxy_name: An event log output by that transparent proxy - System: An event log output by a source other than a transparent proxy Message ID Y es N o Y es The message ID of the event log. Message N o Y es Y es The message body of the event log. Yes: Displayed, No: Not displayed Monitoring Audit Logs Audit logs record login histories and operation histories, and can be used in the same way as event logs to trace the causes of trouble. Audit logs are stored for 31 days. See Audit logs monitoring is also possible with REST API. For details, see "Audit Logs" in the "Reference Guide." On the [Audit Log] panel of the dashboard, the audit logs of the 50 most recent, unconfirmed, Warning or Failed levels will be displayed. Figure 4.7 [Audit Log] Panel Clicking on a date in the [Date] column of the [Audit Log] panel displays the [Audit Log Details] screen for confirming the details of that operation. Audit logs that have been confirmed are removed from the [Event Log] panel

9 [Audit Log List] Screen The operations for the table section of the [Audit Log List] screen are shown below. Item Items xx/yy Displays the [Filter Audit Log List] dialog.

97 Figure 4.8 [Audit Log Details] Screen Alternatively, click [Display All Logs] on the [Audit Log] panel to display the [Audit Log List] screen. The [Audit Log List] screen displays all audit logs, regardless of whether they have been confirmed. Clicking on a date in the [Date] column will also display the [Audit Log Details] screen. Figure 4.9 [Audit Log List] Screen The operations for the table section of the [Audit Log List] screen are shown below. Item Items xx/yy Displays the [Filter Audit Log List] dialog. It is possible to filter the content displayed on the [Audit Log List] screen by specifying some or all of "Confirmation," "Date," "Status," "Result," "User name," "Target of Operation," "Action," and "Message" as filter conditions and then clicking the [Filter] button. The number of logs after filtering/the total number of logs. Switches to the first page. Switches to the previous page. x/y The current page number/the total number of pages. Switches to the next page. Switches to the last page

98 Figure 4.10 [Filter Audit Log List] Dialog The audit log content displayed in each screen is described below. Item Audit Log Audit Log List Audit Log Details Confirmation N o Y es N o Whether the content of the audit log has been confirmed using the [Audit Log Details] screen. When the status has not been confirmed (unconfirmed), will be displayed. When the status has been confirmed (confirmed), nothing will be displayed. Furthermore, the status becomes unconfirmed when a process completes and when it results in an error (the result is Warning or Failed). Date Y es Y es Y es The date on which the audit log was last updated. The format "YYYY/MM/DD hh:mm:ss" is used. Clicking a date on the [Audit Log] panel or the [Audit Log List] screen displays the [Audit Log Details] screen. Status N o Y es Y es The execution status of processing. One of the following is displayed: - Submit: Awaiting execution - Start: Being executed - Complete: Execution complete Note that only the icon for the status is displayed in the [Audit Log] panel and the [Audit Log List] screen. Result Y es Y es Y es The execution results of processing. One of the following is displayed: - Success: Completed successfully - Warning: Warning - Failed: Failed Note that only the icon for the status is displayed in the [Audit Log] panel and the [Audit Log List] screen

99 Item Audit Log Audit Log List Audit Log Details User name N o N o Y es The name of the user who performed the operation. Target of Operation N o Y es Y es The name of the target of operation. One of the following: - transparent_proxy_name: An operation targeting that transparent proxy - -: A logout operation - System: An operation other than those above Action N o Y es Y es A character string representing the processing content. Example: "Create transparent proxy," "Create User," "Login," "Enable license," etc. Detail N o N o Y es The parameters for processing. * Parameters are output in the format "key1=value, key2=value." Operation Source N o N o Y es Displays the operation source. Fixed as "GUI" (an operation performed using the Web GUI). Message ID Y es N o Y es The message ID of the audit log. Message N o Y es Y es The message body of the audit log Downloading Audit Logs On the [Audit Log List] screen, it is possible to download audit log. Audit logs for downloading include the following two types. Type Web GUI/REST API audit log Console audit log Audit log requested by the Web GUI or the REST API. Audit log is displayed on the dashboard. The download period is specified by the start date and the end date. Audit (Initialization Wizard and command) log requested by the console. Audit log is not displayed on the dashboard. For the contents output to the CSV file, refer to "D.2 Contents of Audit Log to be Downloaded." The downloaded files for each audit log are compressed to ZIP format

Procedure 1. On the [Audit Log List] screen, select [Action]-[Download] to display the [Download Audit Log] dialog. 2. In the [Download Audit Log] dialog, specify the target download period.

100 Procedure 1. On the [Audit Log List] screen, select [Action]-[Download] to display the [Download Audit Log] dialog. 2. In the [Download Audit Log] dialog, specify the target download period. Since the audit log is stored for 31 days, specify it within that period. However, even if the target download period is specified for the audit log, all audit logs are downloaded. Item Name Start date End date Start date of the target download period. Specify a date earlier than end date. If omitted, it will be 31 days before the date of downloading. End date of the target download period. Specify a date later than start date. If omitted, it will be the date of downloading. Information About the start time and end time of the target download period The target download period is specified in the [Download Audit Log] dialog. The start time and end time are as follows. - Start time: 00:00:00 of the start date. - End time: 23:59:59 of the end date. However, if the end date is the date when the download is executed, it will be the time of downloading. 3. In the [Download Audit Log] dialog, click [Download] to download the performance information. If the download destination is not set in the Web browser in advance, specify it in the dialog for specifying the download destination. The default filename for performance information is "wacaudit_start date_end date.zip." Note - To download audit log, the capacity required for management PC is maximum 52.4MB. - Cannot download while filtering the audit log. Remove the filter then download. 4.5 Managing Transparent Proxies This section explains how to manage (display in a list, display details of, add, delete, modify, and modify the IP addresses of) transparent proxies

See Transparent proxy management is also possible with REST API. For details, see "Transparent Proxies" in the "Reference Guide." 4.5.

101 See Transparent proxy management is also possible with REST API. For details, see "Transparent Proxies" in the "Reference Guide." Displaying the List of Transparent Proxies This section explains the procedure for displaying the list of transparent proxies. Procedure 1. Select the [Transparent Proxy] tab of the Web GUI to display the [Transparent Proxy List] screen. The operations for the table section of the [Transparent Proxy List] screen are shown below. Item Switches to the first page. Switches to the previous page. x/y The current page number/the total number of pages. Switches to the next page. Switches to the last page. The following items are displayed: Item Transparent Proxy Name Status Type The name of the transparent proxy. The status of transparent proxies. The type of the transparent proxy. Specify either of the following: - Client: A transparent proxy of the client type. A transparent proxy of the client type establishes a UNAP connection to a transparent proxy of the server type. - Server: A transparent proxy of the server type. A transparent proxy of the server type waits for a transparent proxy of the client type to establish a UNAP connection. Pair IP Address Port Number The IP address of the WAN-side interface of the transparent proxy to pair with. The port number used by UNAP to enable high-speed data transfer over a WAN. For details on statuses, refer to "4.5.2 Transparent Proxy Statuses." For details on other items, refer to "2.9.3 Designing Transparent Proxy Management." Clicking on the name of a transparent proxy displays the [Details] screen. For details, refer to "4.5.3 Displaying the Details of Transparent Proxies."

102 4.5.2 Transparent Proxy Statuses The statuses of transparent proxies are as follows. Status Icon Detailed Status Normal Stopped The initial state of a transparent proxy. Starting Waiting for Connection Connecting Connected Restarting Finished The state of starting a transparent proxy. A transparent proxy has completed startup for a client type. A server type is waiting for a UNAP connection to be established from a client type. A UNAP connection is being established from a client type to a server type (for client types only). A UNAP connection has been established from a client type to a server type. A transparent proxy is being restarted due to a transparent proxy change. The transparent proxy has been deleted Warning Reconnecting A UNAP disconnection has been detected and the client type is re-establishing a connection (for client types only). Waiting for Reconnection Disconnecting (Active) Disconnecting (Passive) Unavailable A UNAP disconnection has been detected and it is waiting for a UNAP connection to be re-established from the client type (for server types only). A UNAP connection is being disconnected by the local transparent proxy. A UNAP connection is being disconnected by the paired transparent proxy. The trial license has expired Error Waiting for Deletion A transparent proxy is waiting for deletion. As any transparent proxy that is in this state must be deleted, the transparent proxy will only accept delete operations. Disconnected Failure A UNAP connection has been disconnected. The transparent proxy has failed and has stopped operating Displaying the Details of Transparent Proxies This section explains the procedure for displaying the details of transparent proxies. Procedure 1. Select the [Transparent Proxy] tab of the Web GUI to display the [Transparent Proxy List] screen. 2. Click the target [Transparent Proxy Name] to display the [Transparent Proxy Details] screen. 3. The [Transparent Proxy Details] screen is composed of the following three panels. Clicking the [Performance Information] button on the top of the screen closes all panels other than the [Performance Information] panel. - [Basic Information] panel - [Details] panel - [Performance Information] panel Transparent Proxy Details-Basic Information This panel displays the basic information of an individual transparent proxy

Figure 4.11 [Transparent Proxy Details] Screen [Basic Information] Panel The following items are displayed: Item Transparent Proxy Name Status Type The name of the transparent proxy.

103 Figure 4.11 [Transparent Proxy Details] Screen [Basic Information] Panel The following items are displayed: Item Transparent Proxy Name Status Type The name of the transparent proxy. The status of transparent proxies. The type of the transparent proxy. Specify either of the following: - Client: A transparent proxy of the client type. A transparent proxy of the client type establishes a UNAP connection to a transparent proxy of the server type. - Server: A transparent proxy of the server type. A transparent proxy of the server type waits for a transparent proxy of the client type to establish a UNAP connection. Pair IP Address Port Number LAN-side Interface WAN-side Interface Operation Mode The IP address of the WAN-side interface of the transparent proxy to pair with. The port number used by UNAP to enable high-speed data transfer over a WAN. The name of the network interface used by the transparent proxy for TCP communication with client or server applications. The name of the network interface used by the transparent proxy for WAN-side communication. The operation mode of the transparent proxy. Select either of the following: - Transparent: Transparently relays TCP connections. - Terminate: Terminates TCP connections. Target Service Port Numbers WAN throughput upper limit The list of port numbers of the services that are targets of data transfer performed by the transparent proxy. WAN throughput upper limit (Mbps or Gbps) determined with the paired transparent proxy. This item is displayed when the status of transparent proxy pair is as follows. - Connected - Reconnecting - Waiting for reconnection

104 For details of the statuses, refer to "4.5.2 Transparent Proxy Statuses." For details of other items, refer to "2.9.3 Designing Transparent Proxy Management." Transparent Proxy Details-Details This panel displays the details of an individual transparent proxy. Figure 4.12 [Transparent Proxy Details] Screen [Details] Panel The following items are displayed: Item Maximum Number of TCP Connections Number of Connection Reestablishment Attempts (*1) Connection Re-establishment Attempt Interval (*1) Connection Monitoring Interval MTU Size Traffic control upper limit The maximum number of TCP connections that can be established. The number of reconnection attempts to make when establishing a UNAP connection. The interval (in seconds) between reconnection attempts when establishing a UNAP connection. The connection monitoring interval (in seconds) for a UNAP connection. The MTU size of UNAP. Whether or not to use the traffic control function. The throughput upper limit value (Mbps or Gbps) for the data, which the transparent proxy transmits with UNAP when using the traffic control function. *1: Not displayed for a server type transparent proxy. For details on each item, refer to "2.9.3 Designing Transparent Proxy Management." Transparent Proxy Details-Performance Information This panel displays the performance information of an individual transparent proxy. Select the performance information to display from the [Item] pull-down menu. - WAN Throughput - LAN Throughput - Round-Trip Time

105 - Packet Loss Rate Figure 4.13 [Transparent Proxy Details]-[Performance Information]-[WAN Throughput] Figure 4.14 [Transparent Proxy Details]-[Performance Information]-[LAN Throughput]

106 Figure 4.15 [Transparent Proxy Details]-[Performance Information]-[Round-Trip Time] Figure 4.16 [Transparent Proxy Details]-[Performance Information]-[Packet Loss Rate] The graph shows progress of the past 2 days displayed in 5 minute intervals. By clicking on the legend, it is possible to toggle whether specific items are displayed or hidden in the line graph. Moving the cursor over a point on a line in the graph displays the date, time, and throughput for that point as a tooltip. The figure below the graph shows the targets for which performance information is displayed. The parts other than the targets are displayed in gray. The displayed items are explained below. WAN Throughput (MB/sec) Displayed Item OUT [Max] IN [Max] Displays the maximum value every 5 minutes for the amount of communication per second (*1) from the transparent proxies to the WAN. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the maximum value every 5 minutes for the amount of communication per second (*2) from the WAN to the transparent proxies

107 LAN Throughput (MB/sec) Round-Trip Time (msec) Packet Loss Rate (%) Displayed Item OUT [Avg] IN [Avg] OUT [Max] IN [Max] OUT [Avg] IN [Avg] Latency [Avg] Latency [Min] When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the average value every 5 minutes for the amount of communication per second (*1) from the transparent proxies to the WAN. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the average value every 5 minutes for the amount of communication per second (*2) from the WAN to the transparent proxies. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the maximum value every 5 minutes for the amount of communication per second (*3) from the transparent proxies to the application. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the maximum value every 5 minutes for the amount of communication per second (*4) from the application to the transparent proxies. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the average value every 5 minutes for the amount of communication per second (*3) from the transparent proxies to the application. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the average value every 5 minutes for the amount of communication per second (*4) from the application to the transparent proxies. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the average value every 5 minutes for the time from sending data to receiving acknowledgement (ACK) between transparent proxies. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. Displays the smallest value every 5 minutes for the time from sending data to receiving acknowledgement (ACK) between transparent proxies. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. OUT [Max] Displays the largest value every 5 minutes for the ratio of lost data per second (*5) from the transparent proxies to the WAN. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. IN [Max] Displays the largest value every 5 minutes for the ratio of lost data per second (*6) from the WAN to the transparent proxies. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. OUT [Avg] Displays the average value every 5 minutes for the ratio of lost data per second (*5) from the transparent proxies to the WAN. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes 0. IN [Avg] Displays the average value every 5 minutes for the ratio of lost data per second (*6) from the WAN to the transparent proxies. When a UNAP connection has not been established and when there is no TCP communication to be accelerated, the value becomes

*1: Transmission rate = The total size (in MB) of UNAP packets received in 1 second by the paired transparent proxy / 1 (sec) *2: Reception rate = The total size (in MB) of UNAP packets received in 1

108 *1: Transmission rate = The total size (in MB) of UNAP packets received in 1 second by the paired transparent proxy / 1 (sec) *2: Reception rate = The total size (in MB) of UNAP packets received in 1 second by the transparent proxy / 1 (sec) *3: Transmission rate = The total size (in MB) of TCP packets transmitted in 1 second by the transparent proxy / 1 (sec) *4: Reception rate = The total size (in MB) of TCP packets received in 1 second by the transparent proxy / 1 (sec) *5: Loss rate = (the number of lost UNAP packets detected in 1 second by the paired transparent proxy / (the number of UNAP packets received in 1 second by the paired transparent proxy + the number of lost UNAP packets detected in 1 second by the paired transparent proxy)) * 100 *6: Loss rate = (the number of lost UNAP packets detected in 1 second / (the number of UNAP packets received in 1 second + the number of lost UNAP packets detected in 1 second)) * Adding Transparent Proxies This section explains the procedure for adding transparent proxies. If no license is registered or if the trial license has expired, it is not possible to add transparent proxies ([Action] is not displayed). Procedure 1. Select the [Transparent Proxy] tab of the Web GUI to display the [Transparent Proxy List] screen. 2. On the [Transparent Proxy List] screen, select [Action]-[Register] to display the [Register Transparent Proxy] wizard. 3. Follow the instructions of the [Register Transparent Proxy] wizard. For an explanation of the items to input in the [Register Transparent Proxy] wizard, refer to "2.9.3 Designing Transparent Proxy Management." Step Basic Information Details Confirm Complete Input Item Transparent Proxy Name Type Pair IP Address Port Number Operation Mode (*1) Target Service Port Maximum Number of TCP Connections Number of Connection Re-establishment Attempts (*2) Connection Re-establishment Attempt Interval (*2) Connection Monitoring Interval (*2) MTU Size (*2) Traffic control upper limit Confirm the input information. If there are no problems, click the [Add] button. Click the [Done] button to return to the [Transparent Proxy List] screen. *1: Required for a server type transparent proxy. *2: Required for a client type transparent proxy

109 Results Confirmation 1. Addition of the transparent proxy is processed asynchronously. For this reason, when the number of active processes on the Global Pane is "0," confirm that the added transparent proxy is displayed on the [Transparent Proxy List] screen. 2. Confirm that when only one of the transparent proxies has been registered, the status of the transparent proxy is "Waiting for Connection" and when a pair of transparent proxies have been registered, the status of the transparent proxy is "Connected." In the event that the status is not as it is written above, refer to "Unable to connect to the transparent proxies to pair with" in the "Errors during Connection" section of the "Reference Guide." Deleting Transparent Proxies This section explains the procedure for deleting transparent proxies. Procedure 1. Select the [Transparent Proxy] tab of the Web GUI to display the [Transparent Proxy List] screen. 2. On the [Transparent Proxy List] screen, click the target [Transparent Proxy Name] to display the [Transparent Proxy Details] screen, then select [Action]-[Delete]. 3. In the [Delete Transparent Proxy] dialog, click the [Yes] button to delete the transparent proxy. A notification is displayed indicating that the processing has been received. 4. Click the [Close] button to return to the [Transparent Proxy List] screen. Results Confirmation Deletion of the transparent proxy is processed asynchronously. For this reason, when the number of active processes on the Global Pane is "0," confirm that the deleted transparent proxy is not displayed on the [Transparent Proxy List] screen Modifying Transparent Proxies This section explains the procedure for modifying transparent proxies. If no license is registered or if the trial license has expired, it is not possible to modify transparent proxies. Procedure 1. Select the [Transparent Proxy] tab of the Web GUI to display the [Transparent Proxy List] screen

110 2. Click the target [Transparent Proxy Name] to display the [Transparent Proxy Details] screen. 3. On the [Transparent Proxy Details] screen, select [Action]-[Modify] to display the [Modify Transparent Proxy] wizard. 4. Follow the instructions of the [Modify Transparent Proxy] wizard. For an explanation of the items which can be modified using the [Modify Transparent Proxy] wizard, refer to "2.9.3 Designing Transparent Proxy Management." Step Basic Information Details Confirm Complete Input Item Pair IP Address (*1) Port Number (*1) Operation Mode (*1) (*2) Target Service Port Maximum Number of TCP Connections Number of Connection Re-establishment Attempts (*3) Connection Re-establishment Attempt Interval (*3) Connection Monitoring Interval (*3) MTU Size (*1) (*3) Traffic control upper limit(*1) Confirm the input information. If there are no problems, click the [Modify] button. Click the [Done] button to return to the [Transparent Proxy Details] screen. *1: When modifications have been made, communication will temporarily not be able to place until the transparent proxy will has been restarted and reconnection has been made. *2: Required for a server type transparent proxy. *3: Required for a client type transparent proxy. Note If you cannot modify an item you would like to modify using the [Modify Transparent Proxy] Wizard, after deleting the transparent proxy, try to re-register it again

111 Results Confirmation 1. Modification of the transparent proxy is processed asynchronously. For this reason, when the number of active processes on the Global Pane is "0," confirm that the changes made to the transparent proxy have been reflected from the [Details] screen. 2. Confirm that when only one of the transparent proxies has been registered, that the status of the transparent proxy is "Waiting for Connection." When a pair of transparent proxies has been registered, confirm that the status of the transparent proxies are "Connected." In the event that the status is not as it is written above, refer to "Unable to connect to the transparent proxies to pair with" in the "Errors during Connection" section of the "Reference Guide." Downloading Performance Information for Individual Transparent Proxy On the [Transparent Proxy Details] screen, it is possible to download performance information for individual transparent proxies. The download period is specified by the start date and the end date. For the contents output to the CSV file, refer to "D.1 Contents of Performance Information for Downloading." The downloaded file is compressed to ZIP format. Procedure 1. On the [Transparent Proxy Details] screen, select [Action]-[Download Performance Information] to display the [Download Performance Information] dialog. 2. In the [Download Performance Information] dialog, specify the target download period. Since the performance information is stored for 31 days, specify it within that period. Item Name Start date End date Start date of the target download period. Specify a date earlier than end date. If omitted, it will be 31 days before the date of downloading. End date of the target download period. Specify a date later than start date. If omitted, it will be the date of downloading. Information About the start time and end time of the target download period The target download period is specified in the [Download Performance Information] dialog. The start time and end time are as follows

112 - Start time: 00:00:00 of the start date. - End time: 23:59:59 of the end date. However, if the end date is the date when the download is executed, it will be the time of downloading. 3. In the [Download Performance Information] dialog, click [Download] to download the performance information. If the download destination is not set in the Web browser in advance, specify it in the dialog for specifying the download destination. The default filename for performance information is "wacperf_transparent proxy ID_transparent proxy name_start date_end date.zip." The transparent proxy ID is a unique ID assigned to the transparent proxy. Note To download performance information, the capacity required for management PC is maximum 11.4MB Changing the IP Addresses of the Interfaces Used by Transparent Proxies Users of this product may wish to configure one set of IP addresses for the interfaces used by transparent proxies for use during the testing period before production, and after testing is complete, switch to another set of IP addresses for actual use in production. This section explains the procedure for changing the IP addresses of the interfaces used by transparent proxies. Procedure 1. Execute the initialization wizard to change the IP address of the transparent proxy. For details, refer to " Executing the Initialization Wizard." 2. If the IP address of the WAN-side interface (including cases of combined use) has been changed, configure the [Pair IP Address] of the paired transparent proxy to the new IP address. For details, refer to "4.5.6 Modifying Transparent Proxies." 3. If the IP address of the LAN-side interface (including cases of combined use) has been changed, and if the default gateway of the TCP communication app is set to SCO-VA, the IP address that was changed will be set to the default gateway of the TCP communication app. Results Confirmation On the [Transparent Proxy List] screen or on the [Details] screen of the [Transparent Proxy] panel, confirm that the status of the transparent proxy is "Connected." For details on the [Transparent Proxy List] screen, refer to "4.5.1 Displaying the List of Transparent Proxies." For details on the [Transparent Proxy] panel of the [Details] screen, refer to " Transparent Proxy Details-Basic Information." 4.6 Performing Maintenance This section explains maintenance Overview of Maintenance There are the following maintenance tasks: - Recovering faulty server virtualization software - Performing regular maintenance of server virtualization software - Updating software

113 4.6.2 Recovering Faulty Server Virtualization Software This section explains the procedure for recovering faulty server virtualization software. The recovery procedure varies depending on whether the system uses high availability operation Recovery when Using High Availability Operation This section explains the recovery procedure when using high availability operation. Procedure 1. Repair or replace the faulty server. 2. Install and then start the server virtualization software. 3. If the information of a previous deployment of this product has been lost due to disk failure, reinstall this product. For details, refer to "Chapter 3 Installation and Setup." Recovery when Not Using High Availability Operation This section explains the recovery procedure when not using high availability operation. Procedure Information If recovery can be performed in a short enough period of time such that there is no anticipated effect on operation, then it is not necessary to perform steps 1 and 5 below. 1. If the TCP communication app is not influenced by a server virtual software failure, and if the default gateway of the TCP communication app is configured to SCO-VA, temporarily change the default gateway of the TCP communication app to the WAN connection router. 2. Repair or replace the faulty server. 3. Install and then start the server virtualization software. 4. If the information of a previous deployment of this product has been lost due to disk failure, reinstall this product. For details, refer to "Chapter 3 Installation and Setup." 5. Revert the settings modified in step 1 to their original state Performing Regular Maintenance of Server Virtualization Software This section explains the procedure for performing regular maintenance of server virtualization software. The regular maintenance procedure varies depending on whether the system uses high availability operation Regular Maintenance when Using High Availability Operation This section explains the regular maintenance procedure when using high availability operation. Procedure 1. Remove a single instance of server virtualization software on which this product is not operating (an inactive server) from the cluster. 2. Perform maintenance of the server instance that was removed from the cluster in step Once maintenance is complete, return the server instance to the cluster. If there are more than three server instances in the cluster, perform steps 1 through 3 again for each instance of server virtualization software on which this product is not operating. 4. Migrate this product from the instance of server virtualization software on which it is currently operating to another instance of server virtualization software

114 5. Remove the instance of server virtualization software on which this product was previously operated from the cluster. 6. Perform maintenance of the server instance that was removed from the cluster in step Once maintenance is complete, return the server instance to the cluster Regular Maintenance when Not Using High Availability Operation This section explains the regular maintenance procedure when not using high availability operation. Procedure Note If you are unable to prepare a different instance of server virtualization software, use the same procedure for maintenance as in " Recovery when Not Using High Availability Operation." 1. Migrate this product to a different instance of server virtualization software. 2. Perform maintenance of the server. 3. Once maintenance is complete, return this product to the instance of server virtualization software you migrated it from Updating Software This section explains the procedure for updating software. Preparations Confirm that you have obtained the patch file. Procedure 1. If the default gateway of the TCP communication app is configured to SCO-VA, temporarily change the default gateway of the TCP communication app to the WAN connection router. 2. Transfer the obtained patch file to the file transfer area. To transfer the file, use SFTP (using the file transfer user account) on the admin PC. For file transfer users, refer to " Designing the File Transfer User." For file transfer area, refer to " SFTP Access." Example When the SCO-VA IP address is and the obtained patch file is WAC110_S tar.gz # sftp secftpuser@ <Enter> secftpuser@ 's password: password <Enter> Connected to sftp> put WAC110_S tar.gz <Enter> Uploading WAC110_S tar.gz to /sftp/wac110_s tar.gz WAC110_S tar.gz sftp> bye <Enter> 3. Log in to the console using the console user account. For information about the console user, refer to " Designing the Console User." 4. Execute the following command to display system information to confirm whether the patch file can be applied. # wacadm system show <Enter>

115 For details on the command, refer to "wacadm system Command" in the "Reference Guide." To determine whether it is possible to apply the patch, refer to the document attached to the obtained patch file. 5. Execute the following command to stop the service. # wacadm service stop fjsvwaccp-database.service <Enter> # wacadm service stop fjsvwaccp-system.service <Enter> # wacadm service stop fjsvwaccp-webserver.service <Enter> # wacadm service stop fjsvwacdp-tproxy-management.service <Enter> For details, refer to the "wacadm service Command" in the "Reference Guide." 6. Using the patch file that was transferred in Step 2, update the software via the following command. Example When the obtained patch file is WAC110_S tar.gz # wacadm system patch-add -file WAC110_S tar.gz <Enter> For details, refer to "wacadm system Command" in the "Reference Guide." Use the "wacadm dir delete" command to delete the patch file after applying. Example When WAC110_S tar.gz is no longer needed # wacadm dir show <Enter> WAC110_S tar.gz Size Used Avail Use% 2.0G 413M 1.6G 20% # wacadm dir delete WAC110_S tar.gz <Enter> rm: remove regular file 'WAC110_S tar.gz'? yes <Enter> For details, refer to "wacadm dir Command" in the "Reference Guide." 7. Execute the following command to restart the system. # wacadm power restart <Enter> For details, refer to the "wacadm power Command" in the "Reference Guide." 8. Revert the settings modified in step 1 to their original state. 4.7 Stopping and Restarting the System and Services This section explains the procedure for stopping and restarting the system and services. Procedure 1. Confirm that there are no active processes by viewing the "Number of active processes" on the Global Pane and the [Audit Log List] screen of the Dashboard. 2. On the Global Pane, select [User Menu]-[Logout] to log out. 3. Log in to the console using the console user account. For information about the console user, refer to " Designing the Console User."

116 4. Execute the corresponding commands for the desired operations. For details of the commands, refer to "wacadm power Command" or "wacadm service Command" in the "Reference Guide." Corresponding Command When stopping the system When restarting the system When stopping services # wacadm power stop <Enter> # wacadm power restart <Enter> Execute the following when applicable to stop services. # wacadm service stop fjsvwaccp-database.service <Enter> # wacadm service stop fjsvwaccp-system.service <Enter> # wacadm service stop fjsvwaccp-webserver.service <Enter> # wacadm service stop fjsvwacdp-tproxy-management.service <Enter> When restarting services Execute the following when applicable to restart services. # wacadm service restart fjsvwaccp-database.service <Enter> # wacadm service restart fjsvwaccp-system.service <Enter> # wacadm service restart fjsvwaccp-webserver.service <Enter> # wacadm service restart fjsvwacdp-tproxy-management.service <Enter> If staring up after stopping the service, execute the following. # wacadm service start fjsvwaccp-database.service <Enter> # wacadm service start fjsvwaccp-system.service <Enter> # wacadm service start fjsvwaccp-webserver.service <Enter> # wacadm service start fjsvwacdp-tproxy-management.service <Enter>

117 Appendix A Lists of Useful Design Information This appendix provides lists of information that is frequently referred to during design of this product. A.1 List of Output Log Files The log files output by this product are shown below. Table A.1 List of Output Log Files Log Name Use and Content Reference Method Rotation Event logs Audit logs Audit logs for console Record the notification messages from the transparent proxy, trial license expiry notification messages, and service monitoring messages. Record history of the operations requested by Web GUI or REST API. Records history of the operations requested by console (Initialization Wizard and commands) See Web GUI and REST API. For details on Web GUI, see "4.4.2 Monitoring Event Logs." For details on REST API, see "Event Log" in "Reference Guide." See Web GUI and REST API, and download the log. For details on Web GUI and downloading, see "4.4.3 Monitoring Audit Logs." For details on REST API, see "Audit Logs" in "Reference Guide." See REST API and download the log. For details on REST API, see "Audit Logs" in "Reference Guide." For details on downloading, see "4.4.3 Monitoring Audit Logs." Logs are stored for 31 days. Retains up to 5 generations. A.2 List of Used Port Numbers The port numbers used by this product are listed below. Table A.2 List of Used Port Numbers Communication Source Admin PC Server Port Number Variable value Communication Destination Server Port Number Update This product 22 Not possible SSH, SFTP 9856 Possible HTTPS TCP client (*1) Possible Port of the target service for data transfer using UNAP This product TCP server (*1) Possible Port of the connecting target service using TCP when the operation mode of a transparent proxy is "Terminate." Mail server 25 Possible SMTP DHCP server 67, 68 Not possible DNS server 53 Not possible NTP Servers 123 Not possible LDAP or AD server DHCP DNS NTP 389 Possible LDAP / Active Directory Use

118 Communication Source Server Port Number Communication Destination Server Port Number Update Metadata server 80 Not possible Paired installations of this product (*2) Possible UNAP Use For the communication of Cloud-init, which is used in clouds (OpenStack or K5) *1: The port number specified for the target service during transparent proxy registration. *2: The port number specified for UNAP communication during transparent proxy registration

Appendix B System Configuration Example of Coordination with the TCP Communication App This section shows a system configuration example for the TCP communication app that coordinates with

1 System Configuration when Coordinating with Cloud Storage Gateway Configuration when Transferring Data from a Single Cloud Storage Gateway to a Single Cloud Object Storage Install SCO-VA

119 Appendix B System Configuration Example of Coordination with the TCP Communication App This section shows a system configuration example for the TCP communication app that coordinates with TCP. B.1 System Configuration when Coordinating with Cloud Storage Gateway Configuration when Transferring Data from a Single Cloud Storage Gateway to a Single Cloud Object Storage Install SCO-VA and register a single transparent proxy on both the client and server sides. Configuration when Transferring Data from Multiple Cloud Storage Gateway to a Single Cloud Object Storage - When there are multiple client networks On the client side, register a single transparent proxy in each SCO-VA. On the server side, register multiple transparent proxies in a single SCO-VA

SCO-VA. On the server side, register a single transparent proxy in each SCO- VA. B.

120 - When there is a single client network Install SCO-VA and register a single transparent proxy on both the client and server sides. Configuration when Transferring Data from Multiple Cloud Storage Gateway to Multiple Clouds' (AWS, K5 and OpenStack) Object Storage On the client side, register a single transparent proxy in each SCO-VA. On the server side, register a single transparent proxy in each SCO- VA. B.2 System Configuration when Coordinating with an FTP Server Configuration when Transferring Data from an FTP Client to an FTP Server When coordinating with an FTP server, configure FTP to use Passive Mode, and install SCO-VA and register a single transparent proxy on both the client and server sides. Configure the target service port numbers of the transparent proxy located on the FTP client side to contain the following "a." and "b." a. The range of the port numbers used for FTP data transfer b. The port number used for the FTP control connection when the operation mode of the transparent proxy located on the FTP server side is "Terminate."

121

FUJITSU Software Smart Communication Optimizer V User's Guide

FUJITSU Software Smart Communication Optimizer V1.0.0 User's Guide J2UL-2332-01ENZ0(00) June 2018 Preface Purpose of This Document This manual explains the overview of, and the methods for designing, installing,