Load Balancing Fujifilm SYNAPSE. Deployment Guide v Copyright Loadbalancer.org


Load Balancing Fujifilm SYNAPSE Deployment Guide v0.1 Copyright Loadbalancer.org

Table of Contents

1. About this Guide
2. Loadbalancer.org Appliances Supported
3. Loadbalancer.org Software Versions Supported
4. Fujifilm SYNAPSE Software Versions Supported
5. Fujifilm SYNAPSE
6. Load Balancing Fujifilm SYNAPSE
    Persistence (aka Server Affinity)
    Virtual Service (VIP) Requirements
    Port Requirements
    TLS/SSL Termination
    Health Checks
    Server Feedback Agent
7. Deployment Concept
8. Loadbalancer.org Appliance the Basics
    Virtual Appliance Download & Deployment
    Initial Network Configuration
    Accessing the Web User Interface (WebUI)
    HA Clustered Pair Configuration
9. Appliance Configuration for Fujifilm SYNAPSE
    Configuring VIP 1 HTTP Virtual Service
        Configuring the Virtual Service (VIP)
        Defining the Real Servers (RIPs)
    Configuring VIP 2 DICOM Virtual Service
        Configuring the Virtual Service (VIP)
        Defining the Real Servers (RIPs)
    Configuring VIP 3 External Virtual Service (HTTPS)
        Configuring the Virtual Service (VIP)
        Defining the Real Servers (RIPs)
    Finalizing the Configuration
10. TLS/SSL Termination Options for External VIP
    1 TLS/SSL Termination on the SYNAPSE Servers (aka SSL Pass-through)
    2 TLS/SSL Termination on the Load Balancer (aka SSL Offloading)
    3 TLS/SSL Termination on the Load Balancer with Re-encryption to the Servers (aka SSL Bridging)
11. Testing & Verification
    Using System Overview
12. Technical Support
13. Further Documentation
14. Conclusion
15. Appendix
    Server Feedback Agent
        Windows Agent Download
        Starting the Agent
        Configuration
    Clustered Pair Configuration Adding a Slave Unit
    Company Contact Information

1. About this Guide

This guide details the steps required to configure a load balanced Fujifilm SYNAPSE environment utilizing Loadbalancer.org appliances. It covers the configuration of the load balancers and also any Fujifilm SYNAPSE configuration changes that are required to enable load balancing.

For more information about initial appliance deployment, network configuration and using the Web User Interface (WebUI), please also refer to the relevant Administration Manual:

- v7 Administration Manual
- v8 Administration Manual

2. Loadbalancer.org Appliances Supported

All our products can be used for load balancing Fujifilm SYNAPSE. The complete list of models is shown below:

Discontinued Models     Current Models *
Enterprise R16          Enterprise R20
Enterprise VA R16       Enterprise MAX
Enterprise VA           Enterprise 10G
Enterprise R320         Enterprise Ultra
                        Enterprise VA R20
                        Enterprise VA MAX
                        Enterprise AWS **
                        Enterprise AZURE **

* For full specifications of these models please refer to: http://www.loadbalancer.org/products/hardware
** Some features may not be supported, please check with Loadbalancer.org support

3. Loadbalancer.org Software Versions Supported

V7.6.4 and later

4. Fujifilm SYNAPSE Software Versions Supported

Fujifilm SYNAPSE all versions

5. Fujifilm SYNAPSE

SYNAPSE is a Picture Archiving and Communication System (PACS) by Fujifilm. It allows the archiving and distribution of vast amounts of image information from all modalities, managing it all with a single system. The SYNAPSE system consists of the following servers:

- Database Server
- Windows Internet Information Server (IIS)
- Storage Server
- Digital Imaging and Communications in Medicine (DICOM) Server
- Hospital Information System (HIS) Server

Loadbalancer.org facilitates the deployment of SYNAPSE servers in a cluster. By clustering servers behind a load balancer, you can guarantee zero downtime and the greatest resource efficiency. This provides a cost-effective, highly available, and scalable SYNAPSE solution.

6. Load Balancing Fujifilm SYNAPSE

It's highly recommended that you have a working Fujifilm SYNAPSE environment first before implementing the load balancer.

PERSISTENCE (AKA SERVER AFFINITY)

It is necessary to use persistence when load balancing connections to Fujifilm SYNAPSE. This is true for all three of the virtual services that are involved. Source IP persistence is recommended and is used by default.

VIRTUAL SERVICE (VIP) REQUIREMENTS

To provide load balancing and HA for Fujifilm SYNAPSE, the following VIPs are required:

- HTTP
- DICOM
- HTTPS (for external HTTPS traffic)

PORT REQUIREMENTS

The following table shows the ports that are load balanced:

Port    Protocols    Use
80      TCP/HTTP     Internal HTTP traffic
104     TCP/DICOM    DICOM traffic
443     TCP/HTTPS    External HTTPS traffic

TLS/SSL TERMINATION

External connections are secured using TLS/SSL (HTTPS). This ensures that data is encrypted as it passes between an external client and a back end server.

TLS/SSL connections can either be terminated on the load balancer (aka SSL offloading) or on the real servers (aka SSL pass-through). When terminating on the load balancer, it's also possible to enable re-encryption so that the connection from the load balancer to the real servers is protected (aka SSL bridging). Please refer to page 14 onward for more information.

TLS/SSL termination on the load balancer can be very CPU intensive. In most cases, for a scalable solution, terminating TLS/SSL on the SYNAPSE servers is the best option.

HEALTH CHECKS

Regular SYNAPSE server monitoring ensures that failed servers are marked as down and client requests are only directed to functional servers. Health checks can range from a simple ICMP PING to a full negotiate check where content on a certain page is read and verified.

By default, a simple Connect to port health check is used by the virtual services described in this guide.

We also have an informative blog on DICOM Echo health checking, which can be used if required: https://www.loadbalancer.org/blog/load-balancing-dicom-pacs-health-check/

SERVER FEEDBACK AGENT

It may be useful to adjust how much traffic is passed to the back end servers depending on their CPU load. This can be done by installing the Loadbalancer.org server feedback agent on each real server and then reconfiguring the Virtual Service to make use of the agent.

Please refer to section 1 of the appendix on page 21 for full details on installing and configuring the server feedback agent.

7. Deployment Concept

VIPs = Virtual IP Addresses

The load balancer can be deployed as a single unit, although Loadbalancer.org recommends a clustered pair for resilience & high availability. Please refer to section 2 in the appendix on page 24 for more details on configuring a clustered pair.

8. Loadbalancer.org Appliance the Basics

VIRTUAL APPLIANCE DOWNLOAD & DEPLOYMENT

A fully featured, fully supported 30 day trial is available if you are conducting a PoC (Proof of Concept) deployment. The VA is currently available for VMware, Virtual Box, Hyper-V, KVM and XEN and has been optimized for each Hypervisor. By default, the VA is allocated 1 CPU, 2GB of RAM and has an 8GB virtual disk. The Virtual Appliance can be downloaded here.

The same download is used for the licensed product, the only difference is that a license key file (supplied by our sales team when the product is purchased) must be applied using the appliance's WebUI.

Please refer to the Administration Manual and the ReadMe.txt text file included in the VA download for more detailed information on deploying the VA using various Hypervisors.

INITIAL NETWORK CONFIGURATION

The IP address, subnet mask, default gateway and DNS settings can be configured in several ways as detailed below:

Method 1 - Using the Network Setup Wizard at the console

After boot up, follow the instructions on the console to configure the IP address, subnet mask, default gateway and DNS settings.

Method 2 - Using the WebUI

Using a browser, connect to the WebUI on the default IP address/port: http://192.168.2.21:9080

To set the IP address & subnet mask, use: Local Configuration > Network Interface Configuration
To set the default gateway, use: Local Configuration > Routing
To configure DNS settings, use: Local Configuration > Hostname & DNS

Method 3 - Using Linux commands

At the console, set the initial IP address using the following command:

    ip addr add <IP address>/<mask> dev eth0

At the console, set the initial default gateway using the following command:

    route add default gw <IP address> <interface>

At the console, set the DNS server using the following command:

    echo nameserver <IP address> >> /etc/resolv.conf

If method 3 is used, you must also configure these settings using the WebUI, otherwise the settings will be lost after a reboot.

ACCESSING THE WEB USER INTERFACE (WEBUI)

The WebUI can be accessed via HTTP at the following URL:

    http://192.168.2.21:9080/lbadmin

* Note the port number 9080

The WebUI can be accessed via HTTPS at the following URL:

    https://192.168.2.21:9443/lbadmin

* Note the port number 9443

(replace 192.168.2.21 with the IP address of your load balancer if it's been changed from the default)

Login using the following credentials:

    Username: loadbalancer
    Password: loadbalancer

To change the password, use the WebUI menu option: Maintenance > Passwords.

Once logged in, the WebUI will be displayed as shown on the following page:

(shows v8.2.x)

HA CLUSTERED PAIR CONFIGURATION

Loadbalancer.org recommend that load balancer appliances are deployed in pairs for high availability. In this guide a single unit is deployed first; adding a secondary slave unit is covered in section 2 of the appendix on page 24.

9. Appliance Configuration for Fujifilm SYNAPSE

When deploying Fujifilm SYNAPSE, three virtual services must be configured.

CONFIGURING VIP 1 HTTP VIRTUAL SERVICE

CONFIGURING THE VIRTUAL SERVICE (VIP)

1. Using the web user interface, navigate to Cluster Configuration > Layer 7 Virtual Services and click on Add a new Virtual Service
2. Enter an appropriate name for the VIP in the Label field, e.g. Synapse-Cluster
3. Set the Virtual Service IP address field to the required IP address, e.g. 192.168.180
4. Set the Virtual Service Ports field to 80
5. Set the Layer 7 Protocol to TCP Mode
6. Click Update to create the virtual service
7. Click Modify next to the newly created Synapse-Cluster VIP
8. Set Persistence Mode to Source IP persistence
9. Set Persistence Timeout to 60 (the units are minutes, so this value equals 1 hour)
10. Set Balance Mode (the load balancing algorithm) according to your needs. The default setting is Weighted Least Connections, and should work well in most deployments
11. Click Update

DEFINING THE REAL SERVERS (RIPS)

1. Using the web user interface, navigate to Cluster Configuration > Layer 7 Real Servers and click on Add a new Real Server next to the newly created Synapse-Cluster VIP
2. Enter an appropriate name for the server in the Label field, e.g. Synapse1
3. Change the Real Server IP Address field to the required IP address, e.g. 192.168.190
4. Set the Real Server Port field to 80
5. Click Update
6. Repeat these steps to add additional SYNAPSE servers as required

CONFIGURING VIP 2 DICOM VIRTUAL SERVICE

CONFIGURING THE VIRTUAL SERVICE (VIP)

1. Using the web user interface, navigate to Cluster Configuration > Layer 7 Virtual Services and click on Add a new Virtual Service
2. Enter an appropriate name for the VIP in the Label field, e.g. Synapse-DICOM
3. Enter the same IP address in the Virtual Address text box as you did when setting up the Synapse-Cluster virtual service previously, which in the example presented here is 192.168.180
4. Set the Virtual Service Ports field to 104
5. Set the Layer 7 Protocol to TCP Mode
6. Click Update to create the virtual service
7. Click Modify next to the newly created Synapse-DICOM VIP
8. Set Persistence Mode to Source IP persistence
9. Set Persistence Timeout to 60
10. Set Balance Mode (the load balancing algorithm) according to your needs. The default setting is Weighted Least Connections, and should work well in most deployments
11. Click Update

TCP connections on port 104 are recognized as DICOM requests and are forwarded to the DICOM server which the Loadbalancer.org appliance determines is the most available based on server weight configuration.

DEFINING THE REAL SERVERS (RIPS)

1. Using the web user interface, navigate to Cluster Configuration > Layer 7 Real Servers and click on Add a new Real Server next to the newly created Synapse-DICOM VIP
2. Enter an appropriate name for the server in the Label field, e.g. Synapse-DICOM-Server
3. Change the Real Server IP Address field to the required IP address, e.g. 192.168.191
4. Set the Real Server Port field to 104
5. Click Update
6. Repeat these steps to add additional SYNAPSE servers as required

CONFIGURING VIP 3 EXTERNAL VIRTUAL SERVICE (HTTPS)

The steps for configuring this VIP are for the recommended mode of operation, which is TLS/SSL pass-through mode. In such a set up, TLS/SSL connections are terminated on the real servers, and the load balancer has no involvement in TLS/SSL termination or decryption.

If there is a requirement to terminate TLS/SSL connections on the load balancer then either TLS/SSL offloading or TLS/SSL bridging should be used instead of the default TLS/SSL pass-through setup. To do this, first follow the instructions presented here to configure this VIP in the default way. Then see page 14 for the additional steps required to set up TLS/SSL termination.

CONFIGURING THE VIRTUAL SERVICE (VIP)

1. Using the web user interface, navigate to Cluster Configuration > Layer 7 Virtual Services and click on Add a new Virtual Service
2. Enter an appropriate name for the VIP in the Label field, e.g. Synapse-External
3. Enter the same IP address in the Virtual Address text box as you did when setting up the Synapse-Cluster virtual service previously, which in the example presented here is 192.168.180
4. Set the Virtual Service Ports field to 443
5. Set the Layer 7 Protocol to TCP Mode
6. Click Update to create the virtual service

7. Click Modify next to the newly created Synapse-External VIP
8. Set Persistence Mode to Source IP persistence
9. Set Persistence Timeout to 60
10. Set Balance Mode (the load balancing algorithm) according to your needs. The default setting is Weighted Least Connections, and should work well in most deployments
11. Click Update

DEFINING THE REAL SERVERS (RIPS)

1. Using the web user interface, navigate to Cluster Configuration > Layer 7 Real Servers and click on Add a new Real Server next to the newly created Synapse-External VIP
2. Enter an appropriate name for the server in the Label field, e.g. Synapse-HTTPS
3. Change the Real Server IP Address field to the required IP address, e.g. 192.168.192
4. Set the Real Server Port field to 443
5. Click Update
6. Repeat these steps to add additional SYNAPSE servers as required

FINALIZING THE CONFIGURATION

To apply the new settings, HAProxy must be restarted as follows:

1. Using the WebUI, navigate to: Maintenance > Restart Services and click Restart HAProxy

10. TLS/SSL Termination Options for External VIP

The recommended and default setup for the external virtual service, named Synapse-External in the example setup presented in this guide, is to pass TLS/SSL connections through to the back end servers unaltered. This means that TLS/SSL connections are terminated on the real servers, and the load balancer has no involvement in TLS/SSL termination or decryption.

If it is required, it is also possible to terminate TLS/SSL connections on the load balancer. The instructions on setting this up are presented below.

With the load balancer, TLS/SSL termination can be handled in the following three ways:

1. On the SYNAPSE Servers (recommended) aka SSL Pass-through
2. On the load balancer aka SSL Offloading
3. On the load balancer with re-encryption to the SYNAPSE Servers aka SSL Bridging

1 TLS/SSL TERMINATION ON THE SYNAPSE SERVERS (AKA SSL PASSTHROUGH)

Notes:

- This is the recommended and default setup. Following the steps in section Configuring VIP 3 External Virtual Service (HTTPS) on page 12 will create this setup; no additional configuration is needed
- Data is encrypted from client to server. This provides full end-to-end data encryption as shown in the diagram below:

This is our recommended solution, as TLS/SSL termination on the load balancer can be very CPU intensive. For a scalable solution, terminating TLS/SSL on the real servers is the best option, as they are best placed to perform this function.

The steps on page 12 will create this setup; no additional configuration is needed.

2 TLS/SSL TERMINATION ON THE LOAD BALANCER (AKA SSL OFFLOADING)

Notes:

- Since TLS/SSL is terminated on the load balancer, data from the load balancer to the real servers is not encrypted as shown in the diagram below. This may or may not be an issue depending on the network structure between the load balancer and real servers and your security requirements

- Re-encryption is possible between the load balancer and the SYNAPSE servers (aka SSL bridging). Please see page 17 for more details.
- An stunnel TLS/SSL VIP can be used to terminate TLS/SSL connections. The backend for this VIP should be the Synapse-External virtual service. The following diagram shows this:

TLS/SSL termination on the load balancer can be very CPU intensive. For this reason, we recommend using option 1, SSL pass-through, by default.

To create this type of set up, the steps in section Configuring VIP 3 External Virtual Service (HTTPS) on page 12 should be followed first. Once finished, the following steps should also then be followed.

1. Using the web user interface, navigate to Cluster Configuration > Layer 7 Real Servers and click on Modify next to the first server listed under the Synapse-External VIP
2. Change the Real Server Port value from 443 to 80, as connections to the back end servers are now going to be un-encrypted and so should be sent on port 80 (HTTP)
3. Click Update
4. Repeat these steps for each real server listed under the Synapse-External VIP
5. Navigate to Cluster Configuration > Layer 7 Virtual Services and click on Modify next to the Synapse-External VIP
6. Change the Virtual Service Ports value from 443 to a different and convenient value that is not currently in use on the load balancer. Port 8080 is used in the example presented here
7. Click Update

8. Navigate to Cluster Configuration > SSL Termination and click Add a New Virtual Service
9. Set an appropriate Label for the VIP, e.g. Synapse-SSL
10. No SSL certificate is required for this configuration, and the default self-signed certificate can be used
11. Set the Virtual Service IP Address to be the same IP address as the Synapse-External virtual service, which in the example presented here is 192.168.180
12. Set the Virtual Service Port value to 443
13. Set the Backend Virtual Service IP Address to be the same IP address as the Synapse-External virtual service, which in the example presented here is 192.168.180
14. Set the Backend Virtual Service Port value to the port that the Synapse-External VIP was moved to earlier, which in the example presented here is port 8080
15. Click Update to create the virtual service

To apply the new settings, HAProxy and stunnel must be restarted as follows:

1. Using the WebUI, navigate to: Maintenance > Restart Services and click Restart HAProxy
2. Using the WebUI, navigate to: Maintenance > Restart Services and click Restart STunnel

3 TLS/SSL TERMINATION ON THE LOAD BALANCER WITH RE-ENCRYPTION TO THE SERVERS (AKA SSL BRIDGING)

Notes:

- This is similar to SSL offloading. The only difference is that the connections from the load balancer to the real servers are re-encrypted using TLS/SSL, as shown in the diagram below:

TLS/SSL termination on the load balancer can be very CPU intensive. For this reason, we recommend using option 1, SSL pass-through, by default.

To create this type of set up, the steps in section Configuring VIP 3 External Virtual Service (HTTPS) on page 12 should be followed first. Once finished, the following steps should also then be followed.

1. Using the web user interface, navigate to Cluster Configuration > Layer 7 Virtual Services and click on Modify next to the Synapse-External VIP
2. Change the Virtual Service Ports value from 443 to a different and convenient value that is not currently in use on the load balancer. Port 8080 is used in the example presented here
3. Check the Enable Backend Encryption box

4. Click Update
5. Navigate to Cluster Configuration > SSL Termination and click Add a New Virtual Service
6. Set an appropriate Label for the VIP, e.g. Synapse-SSL
7. No SSL certificate is required for this configuration, and the default self-signed certificate can be used
8. Set the Virtual Service IP Address to be the same IP address as the Synapse-External virtual service, which in the example presented here is 192.168.180
9. Set the Virtual Service Port value to 443
10. Set the Backend Virtual Service IP Address to be the same IP address as the Synapse-External virtual service, which in the example presented here is 192.168.180
11. Set the Backend Virtual Service Port value to the port that the Synapse-External VIP was moved to earlier, which in the example presented here is port 8080
12. Click Update to create the virtual service

To apply the new settings, HAProxy and stunnel must be restarted as follows:

1. Using the WebUI, navigate to: Maintenance > Restart Services and click Restart HAProxy
2. Using the WebUI, navigate to: Maintenance > Restart Services and click Restart STunnel

11. Testing & Verification

USING SYSTEM OVERVIEW

The System Overview can be viewed in the WebUI. It shows a graphical view of all VIPs & RIPs (i.e. the Fujifilm SYNAPSE servers) and shows the state/health of each server as well as the state of the cluster as a whole. The example below shows that both SYNAPSE servers are healthy and available to accept connections for all of the three virtual services:

12. Technical Support

For more details about configuring the appliance and assistance with designing your deployment please don't hesitate to contact the support team using the following email address: support@loadbalancer.org

13. Further Documentation

The Administration Manual contains much more information about configuring and deploying the appliance. It's available here: http://pdfs.loadbalancer.org/loadbalanceradministrationv8.pdf
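The three TLS/SSL termination options from section 10 can be checked on paper before the services are restarted. The following is an added example, not part of the original guide or of the appliance software: it takes a description of the Synapse-External Layer 7 VIP and the optional SSL Termination (stunnel) VIP, reports which option the settings amount to and whether the hop to the SYNAPSE servers is encrypted, and flags settings that contradict the steps above. The class and field names are hypothetical, and the address 192.0.2.180 is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Layer7Vip:
    """The Synapse-External Layer 7 virtual service (field names are hypothetical)."""
    ip: str
    port: int
    real_server_port: int
    backend_encryption: bool = False  # the "Enable Backend Encryption" box


@dataclass
class SslTerminationVip:
    """The stunnel VIP added under Cluster Configuration > SSL Termination."""
    ip: str
    port: int
    backend_ip: str
    backend_port: int


@dataclass
class Assessment:
    mode: str                     # pass-through, offloading or bridging
    lb_sees_plaintext: bool       # True when TLS is terminated on the load balancer
    lb_to_server_encrypted: bool  # state of the hop to the SYNAPSE servers
    problems: List[str]


def assess(vip: Layer7Vip, stunnel: Optional[SslTerminationVip] = None) -> Assessment:
    problems: List[str] = []

    if stunnel is None:
        # Option 1: the TCP-mode VIP forwards the TLS stream untouched.
        if vip.backend_encryption:
            problems.append("backend encryption enabled without an SSL termination VIP")
        if (vip.port, vip.real_server_port) != (443, 443):
            problems.append("pass-through expects VIP port 443 and real server port 443")
        return Assessment("pass-through", False, True, problems)

    # Options 2 and 3: stunnel owns port 443 and hands off to the moved Layer 7 VIP.
    if (stunnel.backend_ip, stunnel.backend_port) != (vip.ip, vip.port):
        problems.append("SSL termination backend does not point at the Layer 7 VIP")
    if stunnel.ip == vip.ip and stunnel.port == vip.port:
        problems.append("Layer 7 VIP still occupies the SSL termination port")
    if stunnel.port != 443:
        problems.append("SSL termination VIP is not listening on 443")

    if vip.backend_encryption:
        # Option 3: the guide leaves the real server port at 443 for bridging.
        if vip.real_server_port != 443:
            problems.append("bridging re-encrypts, so real servers should listen on 443")
        return Assessment("bridging", True, True, problems)

    # Option 2: the guide moves the real servers to port 80 because the hop is clear HTTP.
    if vip.real_server_port != 80:
        problems.append("offloading sends clear HTTP, so real server port should be 80")
    return Assessment("offloading", True, False, problems)


if __name__ == "__main__":
    ip = "192.0.2.180"  # constructed placeholder address
    stunnel = SslTerminationVip(ip, 443, ip, 8080)
    setups = {
        "option 1": (Layer7Vip(ip, 443, 443), None),
        "option 2": (Layer7Vip(ip, 8080, 80), stunnel),
        "option 3": (Layer7Vip(ip, 8080, 443, backend_encryption=True), stunnel),
        "half-finished option 2": (Layer7Vip(ip, 443, 443), stunnel),
    }
    for name, (vip, st) in setups.items():
        print(name, assess(vip, st))
```

With offloading, `lb_to_server_encrypted` is False, which is the unencrypted hop the notes for option 2 ask you to weigh against your network structure and security requirements.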

14. Conclusion

Loadbalancer.org appliances provide a very cost effective solution for highly available load balanced Fujifilm SYNAPSE environments.

15. Appendix

1 SERVER FEEDBACK AGENT

The load balancer can modify the weight (amount of traffic) of each server by gathering data from either a custom agent or an HTTP server. For Layer 7 VIPs, like those used when load balancing Fujifilm SYNAPSE, only the agent method is supported.

A telnet to port 3333 on a Real Server with the agent installed will return the current idle stats as an integer value in the range 0-100. The figure returned can be related to CPU utilization, RAM usage or a combination of both. This can be configured using the XML configuration file located in the agent's installation folder (by default C:\ProgramData\LoadBalancer.org\LoadBalancer).

The load balancer typically expects a 0-99 integer response from the agent which by default relates to the current CPU idle state, e.g. a response of 92 would imply that the Real Server's CPU is 92% idle. The load balancer will then use the formula (92/100*requested_weight) to find the new optimized weight. The 'Requested Weight' is the weight set in the WebUI for each Real Server. For more information please also refer to the following blog article: http://www.loadbalancer.org/blog/open-source-windows-service-for-reporting-server-loadback-to-haproxy-load-balancer-feedback-agent

WINDOWS AGENT DOWNLOAD

The latest Windows feedback agent can be downloaded from: http://downloads.loadbalancer.org/agent/loadbalanceragent.msi

To install the agent, run loadbalanceragent.msi on each Real Server:

Click Next

Select the installation folder and click Next

Click Next to start the installation

The agent should be installed on all Real Servers in the cluster.

STARTING THE AGENT

Once the installation has completed, you'll need to start the service on the Real Servers. The service is controlled by the Feedback Agent Monitor program that is also installed along with the Agent. The monitor can be accessed on the Windows server using: All Programs > Loadbalancer.org > Monitor. It's also possible to start the service using the services snap-in; the service is called 'Loadbalancer CPU monitor'.

To start the service, click the Start button
To stop the service, click the Stop button

CONFIGURATION

Each layer 7 VIP can be configured to use the feedback agent. To Configure Virtual Services to use Agent Feedback follow the steps below:

1. Go to Cluster Configuration > Layer 7 - Virtual Services
2. Click Modify next to the Virtual Service
3. Change the Feedback Method to Agent
4. Click Update
5. Reload/restart services as prompted
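The telnet check and weight formula from the Server Feedback Agent section can be scripted. The following is an added example, not code from Loadbalancer.org: it reads the idle value from an agent on port 3333, rejects replies outside the documented range, and applies the guide's formula. Rounding the result down to an integer and tolerating a trailing "%" in the reply are assumptions, and `start_fake_agent` is a constructed stand-in for a real agent so the example runs offline.

```python
import socket
import socketserver
import threading

AGENT_PORT = 3333  # port given in the guide


class AgentReplyError(ValueError):
    """The agent reply was not an integer in the range 0-100."""


def parse_idle(reply: bytes) -> int:
    """Validate an agent reply and return the idle percentage."""
    text = reply.decode("ascii", errors="replace").strip()
    if text.endswith("%"):  # assumption: some agent replies carry a percent sign
        text = text[:-1]
    if not (text.isascii() and text.isdigit()):  # rejects empty, negative, non-numeric
        raise AgentReplyError(f"unexpected agent reply: {reply!r}")
    idle = int(text)
    if idle > 100:
        raise AgentReplyError(f"idle value out of range: {idle}")
    return idle


def optimized_weight(idle: int, requested_weight: int) -> int:
    """Guide's formula: idle/100 * requested_weight (rounding down is an assumption)."""
    return (idle * requested_weight) // 100


def poll_agent(host: str, port: int = AGENT_PORT, timeout: float = 2.0) -> int:
    """Connect as the guide's telnet test does and return the reported idle value."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 64:
            chunk = conn.recv(64)
            if not chunk:
                break
            data += chunk
    return parse_idle(data)


def start_fake_agent(idle: int):
    """Constructed stand-in for the Windows agent; returns (server, port)."""
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            self.request.sendall(f"{idle}\n".encode("ascii"))

    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_agent(92)
    try:
        idle = poll_agent("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()
    print(f"idle={idle}% weight={optimized_weight(idle, 100)}")
```

Since a plain telnet to port 3333 is enough to read the value, running `poll_agent` from a host other than the load balancer shows whether the agent port is reachable more widely than intended.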

2 CLUSTERED PAIR CONFIGURATION ADDING A SLAVE UNIT

If you initially configured just the master unit and now need to add a slave - our recommended procedure, please refer to the relevant section below for more details:

A number of settings are not replicated as part of the master/slave pairing process and therefore must be manually configured on the slave appliance. These are listed below:

- Hostname & DNS settings
- SNMP settings
- Network settings including IP addresses, bonding configuration and VLANs
- Routing configuration including default gateways and static routes
- Date & time settings
- Physical Advanced Configuration settings including Internet Proxy IP address & port, Firewall table size, SMTP relay and Syslog server
- Graphing settings
- Firewall Script & Firewall Lockdown Script settings
- Software updates

Version 7:

Please refer to Chapter 8 Appliance Clustering for HA in the v7 Administration Manual.

Version 8:

To add a slave node i.e. create a highly available clustered pair:

- Deploy a second appliance that will be the slave and configure initial network settings
- Using the WebUI, navigate to: Cluster Configuration > High-Availability Configuration

- Specify the IP address and the loadbalancer user's password (the default is 'loadbalancer') for the slave (peer) appliance as shown above
- Click Add new node
- The pairing process now commences as shown below:
- Once complete, the following will be displayed:
- To finalize the configuration, restart heartbeat and any other services as prompted in the blue message box at the top of the screen

Clicking the Restart Heartbeat button on the master appliance will also automatically restart heartbeat on the slave appliance.

Please refer to chapter 9 Appliance Clustering for HA in the Administration Manual for more detailed information on configuring HA with 2 appliances.

3 COMPANY CONTACT INFORMATION

Website
URL: www.loadbalancer.org

North America (US)
Loadbalancer.org, Inc.
4550 Linden Hill Road, Suite 201
Wilmington, DE 19808
USA
Tel: +1 833.274.2566
Email (sales): sales@loadbalancer.org
Email (support): support@loadbalancer.org

North America (Canada)
Loadbalancer.org Appliances Ltd.
300-422 Richards Street
Vancouver, BC V6B 2Z4
Canada
Tel: +1 302.213.0122
Email (sales): sales@loadbalancer.org
Email (support): support@loadbalancer.org

Europe (UK)
Loadbalancer.org Ltd.
Compass House
North Harbour Business Park
Portsmouth, PO6 4PS
UK
Tel: +44 (0)330 380 1064
Email (sales): sales@loadbalancer.org
Email (support): support@loadbalancer.org

Europe (Germany)
Loadbalancer.org GmbH
Tengstraße 27
80798 München
Germany
Tel: +49 (0)89 2000 2179
Email (sales): vertrieb@loadbalancer.org
Email (support): support@loadbalancer.org