Subscriber Traffic Redirection


Subscriber Traffic Redirection Published: 2014-06-06

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net


To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/. If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

- C Series


PART 1 Overview

- Software Features Overview

CHAPTER 1 Software Features Overview

- Traffic Redirection Overview
- Redirect Server Redundancy

Traffic Redirection Overview

The redirect server is part of a captive portal system that redirects subscribers' Web requests to a captive portal page. You can use a captive portal page as the initial page a subscriber sees after logging in to a subscriber session and as a page used to receive and manage HTTP requests to unauthorized Web resources.

Proxy Request Management

The redirect server examines requested paths and detects proxy HTTP requests by the proxy prefix <scheme>: followed by the address of the requested host.

If the requested URL is served by the captive portal server:

1. The redirect server opens a TCP connection to the captive portal and forwards the request for the URL. The redirect server adds to the request an X-Forwarded-For header that specifies the IP address of the client.
2. The captive portal server inspects the incoming request for the X-Forwarded-For header for the IP address. The captive portal server uses this address instead of the source IP address to determine the originator of the request.
3. If the captive portal authorizes the client and activates a service that enables a direct connection between the client and the proxy, the redirect server then sends the returned data to the subscriber's Web browser.

or

If the requested URL is not served by the captive portal server, the redirect server opens a TCP port (8800 by default) and sends the type of response configured to a subscriber's browser in response to a captured request:

- HTTP 200 OK response with an HTML document that includes the <HTTP-Equiv="Refresh"> header (default)
- HTTP 302 Found response to a subscriber's browser in response to a captured request

The subscriber browser follows the redirect request, and the proxied request is served by the redirect server again, which opens a connection to the captive portal.

Support for HTTP proxy requests requires the following:

- A local HTTP proxy server that can handle the traffic from all clients configured with a proxy.
- A location for the local HTTP proxy server that is one IP hop from each access router.
- A proxy service that the captive portal server can activate to send proxy requests to the local HTTP proxy server when the portal server authorizes proxy clients.
- A proxy service activation policy that includes a next-hop policy that points to the local HTTP proxy server, and a classifier that matches the client's IP address and the address of the proxy server configured on the client.

Services that the client accesses through the proxy server, such as HTTP and FTP, cannot be activated based on destination address.

You must redirect all ports to the redirect server because you cannot know which ports are configured on the client for the proxy. Consequently, the redirect server receives non-HTTP requests as well as HTTP requests. The non-HTTP requests generate error log entries. To reduce overhead, HTTP error messages are logged as system log debug messages.

HTTP Proxy and DNS

Make sure that your network includes a domain name service (DNS) server to resolve unknown names to a fixed IP address. A DNS server is required because proxy servers can be configured with DNS names in private domains that are not valid in the public environment. You can use the DNS server included with the redirect server, or another DNS server on your network.

The DNS server can be configured on a client with DHCP. Alternatively, the service provider can set up a transparent DNS proxy by configuring a next-hop policy on the JunosE router for UDP and TCP port 53 traffic. The policy redirects traffic on these two ports to the redirect server's DNS server.

Because proxy addresses must be resolved even if general access to the Internet is enabled, the DNS server must continue to resolve all client requests for proxy clients. Nonproxy clients can use their regular DNS server after the initial service has been activated.

The redirect server's DNS server either forwards the request to a set of configured DNS servers or resolves the request by using the root domain name server. If a request for an IPv4 address cannot be resolved and the request results in an NXDOMAIN error, the DNS server returns a configurable IP address. The redirect server returns an error message to the clients for any other type of request that cannot be resolved.
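The X-Forwarded-For hand-off described under Proxy Request Management identifies the subscriber reliably only if the portal accepts the header from the redirect server alone. The following Python model of both sides is an added example, not SRC or captive portal code; the function names, the trusted address 192.0.2.10, and the choice to discard a subscriber-supplied header before forwarding are assumptions.

```python
import ipaddress

# Assumption (constructed value): addresses of the redirect servers that are
# allowed to assert a client address to the captive portal.
TRUSTED_REDIRECT_SERVERS = frozenset({ipaddress.ip_address("192.0.2.10")})

XFF = "x-forwarded-for"


def forward_headers(client_headers, client_ip):
    """Redirect-server side (model): build the header list sent to the portal.

    Any X-Forwarded-For supplied by the subscriber is dropped, so the only
    value the portal sees is the address of the TCP peer that the redirect
    server accepted the connection from.
    """
    kept = [(name, value) for name, value in client_headers
            if name.lower() != XFF]
    kept.append(("X-Forwarded-For", str(ipaddress.ip_address(client_ip))))
    return kept


def request_originator(peer_ip, headers):
    """Portal side (model): decide which address identifies the subscriber."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_REDIRECT_SERVERS:
        # Direct connection: the header is client-controlled, so ignore it
        # and fall back to the source address of the connection.
        return str(peer)
    values = [value for name, value in headers if name.lower() == XFF]
    if len(values) != 1:
        raise ValueError("expected exactly one X-Forwarded-For header "
                         "from the redirect server")
    # ip_address() rejects comma-separated lists and non-address strings.
    return str(ipaddress.ip_address(values[0].strip()))


if __name__ == "__main__":
    # Constructed request: a subscriber at 10.20.0.5 tries to pose as
    # 203.0.113.99 by sending its own X-Forwarded-For header.
    from_subscriber = [("Host", "portal.example"),
                       ("x-forwarded-for", "203.0.113.99")]
    to_portal = forward_headers(from_subscriber, "10.20.0.5")
    print(request_originator("192.0.2.10", to_portal))       # via redirect server
    print(request_originator("10.20.0.66", from_subscriber))  # direct to portal
```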

HTTPS Traffic Redirection Support

The SRC software supports redirecting HTTPS traffic by using the redirect server. The redirect server redirects HTTPS traffic to a configured destination web server. The redirect server requires a Secure Sockets Layer (SSL) certificate.

NOTE: Whenever you open an HTTPS page, the browser displays a security warning because the common name of the certificate does not match the domain name of the URL. The warning persists until you add an exception for the certificate in the browser.

Protection Against Denial-of-Service Attacks

The redirect server incorporates a number of properties to protect against denial-of-service attacks. The following list shows the default values set for these properties:

- The redirect server can serve no more than 12,000 requests per minute, with a burst of 18,000 requests.
- The redirect server can serve no more than 25 requests per client per minute, with a burst of 50 requests.
- Incoming requests can be no larger than 4 KB.
- Incoming requests have a time limit of 2 seconds.

You can change the values for any of these properties.

Redirect Server Redundancy

You can configure the redirect server to provide redundancy to help ensure that a redirect server is always available. You install the redirect server software on two different hosts; then you configure one redirect server as the primary redirect server, and the other as the redundant redirect server.

The active and redundant redirect servers regularly poll each other to confirm each other's availability. If the primary redirect server becomes unavailable, the redundant server assumes the active role.

When a redirect server assumes the primary role, it configures on the router a static route from the virtual IP address to the server's real IP address. Clients send requests to the virtual IP address, and the router automatically sends the request to the active redirect server through a static route. The virtual IP address is used only in the static route configured on the router and the next-hop policy installed by SAE. End users do not see the virtual IP address.

Figure 1 shows a configuration in which two redirect servers use the same virtual IP address, 192.168.254.1.

Figure 1: Failover of a Redirect Server
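One way to enforce the default limits listed under Protection Against Denial-of-Service Attacks, shown as an added Python example that is not the redirect server's own code. It assumes a token-bucket reading of "requests per minute, with a burst"; the class names, method names, and result strings are hypothetical.

```python
MAX_REQUEST_BYTES = 4 * 1024   # page default: requests no larger than 4 KB
MAX_REQUEST_SECONDS = 2.0      # page default: 2-second time limit per request


class TokenBucket:
    """Refills at per_minute/60 tokens per second, holds at most `burst`."""

    def __init__(self, per_minute, burst, now=0.0):
        self.rate = per_minute / 60.0
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.stamp = now

    def _refill(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.stamp = now

    def try_take(self, now):
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def is_full(self, now):
        self._refill(now)
        return self.tokens >= self.capacity


class Admission:
    """Applies the size, time, per-client and global limits in that order."""

    def __init__(self, total_per_min=12000, total_burst=18000,
                 client_per_min=25, client_burst=50):
        self.total = TokenBucket(total_per_min, total_burst)
        self.client_per_min = client_per_min
        self.client_burst = client_burst
        self.clients = {}

    def admit(self, client_ip, size_bytes, read_seconds, now):
        if size_bytes > MAX_REQUEST_BYTES:
            return "too-large"
        if read_seconds > MAX_REQUEST_SECONDS:
            return "too-slow"
        bucket = self.clients.get(client_ip)
        if bucket is None:
            bucket = TokenBucket(self.client_per_min, self.client_burst, now)
            self.clients[client_ip] = bucket
        # Per-client check first: one noisy client is refused before it can
        # drain the global budget shared by every other subscriber.
        if not bucket.try_take(now):
            return "client-limit"
        if not self.total.try_take(now):
            return "global-limit"
        return "ok"

    def prune(self, now):
        """Drop state for clients whose bucket has refilled completely, so the
        per-client table cannot grow without bound. Returns the number removed."""
        idle = [ip for ip, b in self.clients.items() if b.is_full(now)]
        for ip in idle:
            del self.clients[ip]
        return len(idle)


if __name__ == "__main__":
    # Constructed traffic: one client sends 60 small requests in the same instant.
    gate = Admission()
    burst = [gate.admit("198.51.100.7", 512, 0.1, now=0.0) for _ in range(60)]
    print(burst.count("ok"), "admitted,", burst.count("client-limit"), "refused")
```

With the defaults, a client that exhausts its burst of 50 recovers at 25 requests per minute, and `prune` is meant to be called periodically by the caller.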

PART 2 Configuration

- Configuration Tasks
- Configuration Statements

CHAPTER 2 Configuration Tasks

- Before You Configure the Redirect Server on a C Series Controller
- Configuring the Redirect Server (SRC CLI)
- Configuring the Redirect Server (C-Web Interface)
- Configuring General Properties for the Redirect Server (SRC CLI)
- Configuring General Properties for the Redirect Server (C-Web Interface)
- Configuring a Connection Between the Redirect Server and the Directory (SRC CLI)
- Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface)
- Defining Traffic to Transmit to the Redirect Server (SRC CLI)
- Defining Traffic to Transmit to the Redirect Server (C-Web Interface)
- Changing the Number of Requests That the Redirect Server Accepts (SRC CLI)
- Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface)
- Specifying Extensions for Files That the Redirect Server Accepts (SRC CLI)
- Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface)
- Configuring the DNS Server for the Redirect Server (SRC CLI)
- Configuring the DNS Server for the Redirect Server (C-Web Interface)
- Configuring the Redirect Server to Support HTTP Proxies (SRC CLI)
- Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface)
- Configuring Redirect Server to Support HTTPS Traffic (SRC CLI)
- Before You Configure Redundancy for a Redirect Server
- Configuring a Redundant Redirect Server (SRC CLI)
- Configuring a Redundant Redirect Server (C-Web Interface)
- Configuring Logging for the Redirect Server
- Enabling the Redirect Server
- Changing the Configuration for the Redirect Server

Subscriber Traffic Redirection Before You Configure the Redirect Server on a C Series Controller Before you configure the redirect server on a C Series Controller: Configure the connection between the redirect server and the JunosE router by configuring policies on the C Series Controller: Configure and enable the HTTP local server on the JunosE router On the C Series Controller, configure a policy that includes the following policy actions to define which traffic to send to the redirect server: An exception action to specify that an HTTP application receive traffic. An http redirect policy action to specify the URL to receive packets identified in the exception application action. NOTE: Alternatively, if the distance between the JunosE routers and the C Series Controller is one hop away, you can configure a next-hop policy on the JunosE router that specifies a destination address that is the virtual IP address of the active redirect server rather than configuring an SRC policy. If you plan to configure a redundant redirect server, make sure that you are familiar with the network configuration required. Before You Configure Redundancy for a Redirect Server on page 24 Configuring the Redirect Server (SRC CLI) on page 10 Configuring the Redirect Server (C-Web Interface) on page 11 Redirect Server Redundancy on page 5 Traffic Redirection Overview on page 3 Configuring the Redirect Server (SRC CLI) The redirect server on a C Series Controller manages IP layer redirection. To configure the redirect server: 1. Configure general properties for the redirect server. See Configuring General Properties for the Redirect Server (SRC CLI) on page 12. 2. Configure a connection from the redirect server to the directory. See Configuring a Connection Between the Redirect Server and the Directory (SRC CLI) on page 14. 10

Chapter 2: Configuration Tasks 3. (Optional) Define traffic to be forwarded to the redirect server. In most cases you can accept the default values traffic destined for port 80 (Web requests) and forwarded from all interface on a C Series Controller. See Defining Traffic to Transmit to the Redirect Server (SRC CLI) on page 15. 4. (Optional) Configure the number of requests that the redirect server accepts. See Changing the Number of Requests That the Redirect Server Accepts (SRC CLI) on page 17. 5. (Optional) Configure the types of files for which the redirect server accepts requests. See Specifying Extensions for Files That the Redirect Server Accepts (SRC CLI) on page 18. 6. (Optional) For a configuration to support HTTP proxies, configure DNS. You can configure the DNS server included with the redirect server, or another DNS server on your network. If you use another DNS server, you do not need to configure the DNS server included with the redirect server. For information about configuring the DNS server included with the redirect server, see Configuring the DNS Server for the Redirect Server (SRC CLI) on page 20. 7. (Optional) Configure support for HTTP proxies. See Configuring the Redirect Server to Support HTTP Proxies (SRC CLI) on page 21. 8. (Optional) Configure support for HTTPS traffic redirection. See Configuring Redirect Server to Support HTTPS Traffic (SRC CLI) on page 23. 9. (Optional) Configure a redundant redirect server. See Configuring a Redundant Redirect Server (SRC CLI) on page 24. 10. Enable the redirect server. See Enabling the Redirect Server on page 26. 
See also: Configuration Statements for the Redirect Server (SRC CLI); Configuring the Redirect Server (C-Web Interface); Viewing Statistics for the Redirect Server (SRC CLI); Traffic Redirection Overview; Redirect Server Redundancy.

Configuring the Redirect Server (C-Web Interface)

Configure the redirect server on a C Series Controller to manage IP layer redirection.

To configure the redirect server:

1. Configure general properties for the redirect server. See Configuring General Properties for the Redirect Server (C-Web Interface).
2. Configure a connection from the redirect server to the directory. See Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface).
3. (Optional) Define traffic to be forwarded to the redirect server. In most cases you can accept the default values: traffic destined for port 80 (Web requests) and forwarded from all interfaces on a C Series Controller. See Defining Traffic to Transmit to the Redirect Server (C-Web Interface).
4. (Optional) Configure the number of requests that the redirect server accepts. See Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface).
5. (Optional) Configure the types of files for which the redirect server accepts requests. See Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface).
6. (Optional) For a configuration to support HTTP proxies, configure DNS. You can configure the DNS server included with the redirect server, or another DNS server on your network. If you use another DNS server, you do not need to configure the DNS server included with the redirect server. For information about configuring the DNS server included with the redirect server, see Configuring the DNS Server for the Redirect Server (C-Web Interface).
7. (Optional) Configure support for HTTP proxies. See Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface).
8. (Optional) Configure a redundant redirect server. See Configuring a Redundant Redirect Server (C-Web Interface).
See also: Traffic Redirection Overview; Redirect Server Redundancy; Configuring the Redirect Server (SRC CLI).

Configuring General Properties for the Redirect Server (SRC CLI)

Use the following configuration statements to configure general properties for the redirect server:

    redirect-server {
        destination-url destination-url;

        tcp-port tcp-port;
        refresh;
    }

To configure properties for the redirect server:

1. From configuration mode, access the configuration statement that configures the redirect server.
    user@host# edit redirect-server
2. Specify the URL to which to send subscriber traffic.
    [edit redirect-server]
    user@host# set destination-url destination-url
3. (Optional) Specify the TCP port on which the redirect server listens for requests.
    [edit redirect-server]
    user@host# set tcp-port tcp-port
4. (Optional) Specify whether the redirect server sends an HTTP 200 OK response with an HTML document that includes the <HTTP-Equiv="Refresh"> header to a subscriber's browser in response to a captured request.
    [edit redirect-server]
    user@host# set refresh
   If you do not use the refresh option, the redirect server sends an HTTP 302 Found response to a subscriber's browser in response to a captured request.
   Setting the refresh option decreases the load on the Web server because non-browser (or non-HTML) client applications that use HTTP do not follow this refresh message; however, most client applications do follow HTTP 302 messages.

See also: Configuring the Redirect Server (SRC CLI); Configuring General Properties for the Redirect Server (C-Web Interface); Verifying Configuration for the Redirect Server (SRC CLI); Traffic Redirection Overview.

Configuring General Properties for the Redirect Server (C-Web Interface)

To configure general properties for the redirect server:

1. Click Configure>Redirect Server. The Redirect Server pane appears.
2. Enter information as described in the Help text in the main pane, and click Apply.

See also: Traffic Redirection Overview; Configuring the Redirect Server (C-Web Interface).

Configuring a Connection Between the Redirect Server and the Directory (SRC CLI)

Use the following configuration statements to configure a connection between the redirect server and the directory:

    redirect-server ldap {
        url url;
        bind-dn bind-dn;
        bind-password bind-password;
        base-dn base-dn;
    }

To configure a connection between the redirect server and the directory:

1. From configuration mode, access the configuration statement that configures the connection.
    user@host# edit redirect-server ldap
2. List the URLs for directories employed by the redirect server.
    [edit redirect-server ldap]
    user@host# set url url
   For each URL, use the format:
    ldap://<host>:<portnumber>
   where <host> is the IP address or hostname of the directory host and <portnumber> is the TCP port.
3. Specify the DN that the redirect server uses to authorize connections to the directory.
    [edit redirect-server ldap]
    user@host# set bind-dn bind-dn
   The DN must have authorization to read from o=network, o=umc in the directory.
4. Specify the password that the redirect server uses to bind to the directory.
    [edit redirect-server ldap]
    user@host# set bind-password bind-password
5. Specify the base DN that is the root of the directory tree.
    [edit redirect-server ldap]
    user@host# set base-dn base-dn

See also: Configuring the Redirect Server (SRC CLI); Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface); Verifying Configuration for the Redirect Server (SRC CLI); Traffic Redirection Overview.

Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface)

To configure a connection between the redirect server and the directory:

1. Click Configure, expand Redirect Server, then click Ldap. The Ldap pane appears.
2. Enter information as described in the Help text in the main pane, and click Apply to trigger an automatic commit.

See also: Traffic Redirection Overview; Configuring the Redirect Server (C-Web Interface).

Defining Traffic to Transmit to the Redirect Server (SRC CLI)

You can define traffic to be forwarded to the redirect server by identifying the destination port number (typically, HTTP port 80 and HTTPS port 443 for Web requests) for packets and the physical interface on a C Series Controller from which subscriber traffic is forwarded to the redirect server.

In most cases you can accept the default values for configuration for IP redirection. If you do not specify an interface, traffic is accepted on all interfaces.

Use the following configuration statements to define traffic to transmit to the redirect server:

    redirect-server ip-redirect {
        interface interface;
        port port;
        https-port https-port;
    }

To change the values of the port for traffic and/or the C Series interface on which traffic is forwarded to the redirect server:

1. From configuration mode, access the configuration statement that configures IP redirection for the redirect server.
    user@host# edit redirect-server ip-redirect

2. (Optional) Specify one or more interfaces on which subscriber traffic is forwarded from the B-RAS to the C Series Controller.
    [edit redirect-server ip-redirect]
    user@host# set interface interface
   If you do not specify an interface, the C Series Controller accepts traffic from all interfaces.
3. (Optional) Specify the TCP port of the redirected traffic. If you do not specify a port, the redirect server uses port 80 (HTTP).
    [edit redirect-server ip-redirect]
    user@host# set port port
4. (Optional) Specify the HTTPS port of the redirected traffic. If you do not specify an HTTPS port, the redirect server uses port 443.
    [edit redirect-server ip-redirect]
    user@host# set https-port https-port

See also: Configuring the Redirect Server (SRC CLI); Defining Traffic to Transmit to the Redirect Server (C-Web Interface); Verifying Configuration for the Redirect Server (SRC CLI); Traffic Redirection Overview.

Defining Traffic to Transmit to the Redirect Server (C-Web Interface)

You can define traffic to be forwarded to the redirect server by identifying the destination port number (typically, port 80 for Web requests) for packets and the physical interface on a C Series Controller from which subscriber traffic is forwarded to the redirect server.

In most cases you can accept the default values for configuration for IP redirection. If you do not specify an interface, traffic is accepted on all interfaces.

To change the values of the port for traffic and/or the C Series interface on which traffic is forwarded to the redirect server:

1. Click Configure, expand Redirect Server, and then click IP Redirect. The IP Redirect pane appears.
2. Click the Create button. The IP Redirect pane reappears.
3. Enter the information as described in the Help text in the main pane, and click Apply.

See also: Traffic Redirection Overview; Configuring the Redirect Server (C-Web Interface).

Changing the Number of Requests That the Redirect Server Accepts (SRC CLI)

If you want to change the number of redirection requests that the redirect server accepts, change the values for the request rates and the client rates.

Use the following configuration statements to configure the number of requests that the redirect server accepts:

    redirect-server {
        request-rate request-rate;
        request-burst-size request-burst-size;
        client-rate client-rate;
        client-burst-size client-burst-size;
    }

To configure the number of redirection requests that the redirect server can accept:

1. From configuration mode, access the configuration statement that configures the redirect server.
    user@host# edit redirect-server
2. Specify the number of requests that the redirect server can accept per minute from all clients (global sustained rate).
    [edit redirect-server]
    user@host# set request-rate request-rate
3. Specify the maximum number of requests that the redirect server can accept from all clients (burst size).
    [edit redirect-server]
    user@host# set request-burst-size request-burst-size
   This value should exceed the value for the request rate. If the value for the request rate exceeds this value, the redirect server drops the excess requests.
4. Specify the number of requests that the redirect server can accept per minute for a single client (per-client sustained rate).
    [edit redirect-server]
    user@host# set client-rate client-rate
5. Specify the maximum number of requests that the redirect server can accept for a single client (per-client burst size).
    [edit redirect-server]
    user@host# set client-burst-size client-burst-size
   This value should exceed the value for the client rate.

See also: Configuring the Redirect Server (SRC CLI).

See also: Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface); Verifying Configuration for the Redirect Server (SRC CLI); Traffic Redirection Overview.

Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface)

If you want to change the number of redirection requests that the redirect server accepts, change the values for the request rates and the client rates.

To configure the number of redirection requests that the redirect server can accept:

1. Click Configure>Redirect Server. The Redirect Server pane appears.
2. Change the values in the following boxes as described in the Help text in the main pane:
   - Request Rate
   - Request Burst Size
   - Client Rate
   - Client Burst Size
3. Click Apply.

See also: Traffic Redirection Overview; Configuring the Redirect Server (C-Web Interface).

Specifying Extensions for Files That the Redirect Server Accepts (SRC CLI)

If you do not specify the types of files that the redirect server accepts, the redirect server accepts all file types. You can identify file types by specifying the file extensions for the files that the redirect server is to accept.

Use the following configuration statements to configure the file extensions that the redirect server accepts:

    redirect-server {
        check-file-extensions;
        file-extensions file-extensions;
    }

To specify the extensions for the types of files accepted by the redirect server:

1. From configuration mode, access the configuration statement that configures the redirect server.
    user@host# edit redirect-server

2. Specify whether the redirect server should accept only URLs that point to files that have standard file extensions: <empty>, .asp, .htm, .html, .jsp, .php, .shtm, .shtml, and .xml.
    [edit redirect-server]
    user@host# set check-file-extensions
   If you enable check-file-extensions and the file does not have a standard file extension, the redirect server returns an HTTP 403 Forbidden message.
3. List file extensions to augment the standard file extensions you configured. Precede each extension with a period. Make sure that you specify the correct case for each character; entries are case-sensitive.
    [edit redirect-server]
    user@host# set file-extensions file-extensions
   Separate the file extensions with commas. For example:
    set file-extensions .cgi,.aspx

See also: Configuring the Redirect Server (SRC CLI); Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface); Verifying Configuration for the Redirect Server (SRC CLI); Traffic Redirection Overview.

Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface)

If you do not specify the types of files that the redirect server accepts, the redirect server accepts all file types. You can identify file types by specifying the file extensions for the files that the redirect server is to accept.

To specify the extensions for the types of files accepted by the redirect server:

1. Click Configure>Redirect Server. The Redirect Server pane appears.
2. To enable or disable checking file extensions, select or clear the Check File Extensions box as described in the Help text in the main pane.
3. Click Apply.

See also: Traffic Redirection Overview; Configuring the Redirect Server (C-Web Interface).
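The three responses described in the general-properties and file-extension sections (403 Forbidden, 200 OK with a Refresh document, 302 Found) can be modelled as one decision function, together with a client that either parses HTML or does not. This is an added Python example, not SRC code: the function names, the HTML document, the destination URL and the case-sensitive treatment of the whole extension list are assumptions made for illustration.

```python
"""Model of the redirect server's response choices (constructed example, not SRC code)."""
import html
import posixpath
from urllib.parse import urlsplit

# Standard extensions listed on this page; "" stands for <empty> (no extension).
STANDARD_EXTENSIONS = {"", ".asp", ".htm", ".html", ".jsp", ".php", ".shtm", ".shtml", ".xml"}


def parse_file_extensions(value):
    """Parse a file-extensions value such as '.cgi,.aspx' (comma-separated, no spaces)."""
    extensions = set()
    for item in value.split(","):
        if not item:
            continue
        if not item.startswith(".") or item != item.strip():
            raise ValueError(f"extension must start with a period, without spaces: {item!r}")
        extensions.add(item)
    return extensions


def request_extension(target):
    """Extension of the file named in a request target; the query string is ignored."""
    path = urlsplit(target).path
    return posixpath.splitext(posixpath.basename(path))[1]


def respond(target, destination_url, refresh=False,
            check_file_extensions=False, extra_extensions=frozenset()):
    """Return (status, headers, body) for one captured request."""
    if check_file_extensions:
        allowed = STANDARD_EXTENSIONS | set(extra_extensions)
        # Assumption: the comparison is case-sensitive for every entry,
        # so '.CGI' does not match a configured '.cgi'.
        if request_extension(target) not in allowed:
            return 403, {}, ""
    if refresh:
        # Constructed document; the real refresh document is not shown on this page.
        body = ('<html><head><meta http-equiv="Refresh" content="0; url=%s"></head></html>'
                % html.escape(destination_url, quote=True))
        return 200, {"Content-Type": "text/html"}, body
    return 302, {"Location": destination_url}, ""


def next_url(response, parses_html):
    """URL the client requests next, or None if the client stops here.

    A client that does not parse HTML (an updater, an API client) follows the
    Location header of a 302 but never sees the Refresh directive in a 200 body.
    """
    status, headers, body = response
    if status == 302:
        return headers["Location"]
    if status == 200 and parses_html and 'http-equiv="Refresh"' in body:
        return html.unescape(body.split("url=", 1)[1].split('"', 1)[0])
    return None


if __name__ == "__main__":
    portal = "https://portal.example.net/login?src=redir&lang=en"  # constructed URL
    extra = parse_file_extensions(".cgi,.aspx")
    for target in ("/", "/index.html?x=1", "/app.cgi", "/APP.CGI", "/update.bin"):
        status = respond(target, portal, check_file_extensions=True, extra_extensions=extra)[0]
        print(f"{target:<18} -> {status}")
    refreshed = respond("/index.html", portal, refresh=True)
    print("browser follows refresh:", next_url(refreshed, parses_html=True))
    print("non-browser follows refresh:", next_url(refreshed, parses_html=False))
```

With refresh set, only HTML-parsing clients go on to request the destination URL, which is the load reduction the refresh option is described as providing.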

Configuring the DNS Server for the Redirect Server (SRC CLI)

A DNS server is required to support HTTP proxies to resolve the name of any HTTP proxy, even if the name is valid only in the private domain of the client. You can use an external DNS or the DNS server that is included with the redirect server for this purpose. If you plan to use an external DNS server, you can skip this section. This section describes how to configure the DNS server that is included with the redirect server.

Use the following configuration statements to configure the DNS server that is included with the redirect server:

    redirect-server dns {
        enable;
        tcp-port tcp-port;
        udp-port udp-port;
        forwarder forwarder;
        error-ip-address error-ip-address;
    }

To configure the DNS server that is included with the redirect server:

1. From configuration mode, access the configuration statement that configures DNS for the redirect server.
    user@host# edit redirect-server dns
2. Enable DNS for the redirect server.
    [edit redirect-server dns]
    user@host# set enable
3. Specify the TCP port on which the DNS server listens. If you set the value to 0, no TCP socket is opened.
    [edit redirect-server dns]
    user@host# set tcp-port tcp-port
4. Specify the UDP port on which the DNS server listens.
    [edit redirect-server dns]
    user@host# set udp-port udp-port
5. Specify the IP addresses of DNS servers to which resolution requests are forwarded; use commas to separate addresses, but do not add a space after the comma.
    [edit redirect-server dns]
    user@host# set forwarder forwarder
   For example:
    [edit redirect-server dns]
    user@host# set forwarder 192.0.2.24,192.0.4.25

   If you do not specify DNS servers, DNS resolves incoming requests by using the normal DNS method.
6. Specify the IP address that is returned when a DNS request results in an unknown name (NXDOMAIN) error.
    [edit redirect-server dns]
    user@host# set error-ip-address error-ip-address

See also: Configuring the DNS Server for the Redirect Server (C-Web Interface); Before You Configure the Redirect Server on a C Series Controller; Configuring the Redirect Server (SRC CLI); Traffic Redirection Overview.

Configuring the DNS Server for the Redirect Server (C-Web Interface)

A DNS server is required to support HTTP proxies to resolve the name of any HTTP proxy, even if the name is valid only in the private domain of the client. You can use an external DNS or the DNS server that is included with the redirect server for this purpose.

NOTE: If you plan to use an external DNS server, do not follow this procedure. The following procedure describes how to configure the DNS server that is included with the redirect server.

Proxy support must be enabled before configuring the DNS server. See Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface).

To configure the DNS server that is included with the redirect server:

1. Click Configure, expand Redirect Server, and click DNS. The DNS pane appears.
2. Enter information as described in the Help text in the main pane, and click Apply.

See also: Traffic Redirection Overview; Configuring the Redirect Server (C-Web Interface).

Configuring the Redirect Server to Support HTTP Proxies (SRC CLI)

Support for proxy requests is an optional feature of the redirect server. If you configure proxy support, you must also have DNS configured. You can use DNS servers already installed on your network, or use the server included with the SRC software.

Use the following configuration statements to configure the redirect server to support HTTP proxies:

    redirect-server {
        proxy-support;
        proxy-destination-url proxy-destination-url;
    }

To configure the redirect server to support HTTP proxies:

1. From configuration mode, access the configuration statement that configures the redirect server.
    user@host# edit redirect-server
2. Enable HTTP proxy support.
    [edit redirect-server]
    user@host# set proxy-support
3. Specify the URL sent as a response to proxy requests.
    [edit redirect-server]
    user@host# set proxy-destination-url proxy-destination-url
   If you do not configure a value, then the URL defaults to the redir.url value. You can use this property to send proxy requests to a page different from the direct request page on the captive portal.

See also: Before You Configure the Redirect Server on a C Series Controller; Configuring the Redirect Server (SRC CLI); Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface); Traffic Redirection Overview. For information about configuring the DNS server included with the SRC software, see Configuring the DNS Server for the Redirect Server (SRC CLI).

Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface)

Support for proxy requests is an optional feature of the redirect server. If you configure proxy support, you must also have DNS configured. You can use DNS servers already installed on your network, or use the server included with the SRC software.

To configure the redirect server to support HTTP proxies:

1. Click Configure>Redirect Server. The Redirect Server pane appears.
2. Clear the Proxy Support checkbox to disable HTTP proxy support. Select the checkbox to enable HTTP proxy support. Refer to the information in the Help text in the main pane.

3. In the Destination Url box, type the URL sent as a response to proxy requests.
4. Click Apply.

See also: Traffic Redirection Overview; Configuring the Redirect Server (C-Web Interface). For information about configuring the DNS server included with the SRC module, see Configuring the DNS Server for the Redirect Server (C-Web Interface).

Configuring Redirect Server to Support HTTPS Traffic (SRC CLI)

The SRC software can redirect HTTPS traffic to a configured destination web server by using the redirect server. The SRC software intercepts the traffic at port 443 and forwards it to the port on which the redirect server is configured to listen for HTTPS traffic. The redirect server accepts HTTPS traffic only from the ports that you configured by using the https-port option at the [edit redirect-server ip-redirect] hierarchy level.

Before you set up redirection for HTTPS traffic, you must create a certificate with the domain name of the URL.

NOTE: Whenever you open an HTTPS page, the browser displays a security warning about the mismatch between the common name of the certificate and the domain name of the URL until you add an exception for the certificate in the browser.

Use the following statements to configure the redirect server to support HTTPS traffic:

    redirect-server https {
        port port;
        certificate-identifier certificate-identifier;
    }

To configure the redirect server to support HTTPS traffic:

1. In configuration mode, enter the configuration statement that allows the SRC redirect server to redirect HTTPS traffic to a configured destination web server.
    [edit]
    user@host# edit redirect-server https
2. Configure the HTTPS port on which the redirect server listens for requests.
    [edit redirect-server https]
    user@host# set port port
3. Configure the imported Secure Sockets Layer (SSL) certificate. To import the SSL certificate, use the request security import-certificate command.
   For information about manually obtaining certificates, see Manually Obtaining Digital Certificates (SRC CLI).

    [edit redirect-server https]
    user@host# set certificate-identifier certificate-identifier

See also: Configuration Statements for the Redirect Server (SRC CLI); Defining Traffic to Transmit to the Redirect Server (SRC CLI); Commands to Manage Digital Certificates.

Before You Configure Redundancy for a Redirect Server

If you plan to use a redundant configuration for the redirect server, ensure that:

- If you use a next-hop address for policies that capture Web traffic and send it to the redirect server, the virtual IP address to be used is also the next-hop address.
- The redirect server has SNMP write access to the virtual routers connected to it. Each VR must have at least a write community configured. (The static route from the virtual IP address to the server's real IP address is installed on the router through SNMP.)
- If additional access controls are enabled on the JunosE router, the hosts on which the redirect server runs must be included.

See also: Configuring a Redundant Redirect Server (SRC CLI); Configuring a Redundant Redirect Server (C-Web Interface); Traffic Redirection Overview; Redirect Server Redundancy.

Configuring a Redundant Redirect Server (SRC CLI)

Although configuration of a redundant redirect server is optional, we recommend that you configure redundancy to maintain high availability for the server.

Before you configure the redirect server, review configuration prerequisites. See Before You Configure Redundancy for a Redirect Server.

Use the following configuration statements to configure redundancy for the redirect server:

    redirect-server {
        redundancy;
    }
    redirect-server monitor {
        redundant-host-ip-address redundant-host-ip-address;
        virtual-ip-address virtual-ip-address;
        real-ip-address real-ip-address;
        primary-server;
        check-interval check-interval;
        virtual-routers virtual-routers;

    }

To configure redundancy for the redirect server:

1. From configuration mode, access the configuration statement that configures the redirect server.
    user@host# edit redirect-server
2. Enable redundancy for the redirect server.
    [edit redirect-server]
    user@host# set redundancy
3. Configure redundancy properties for the redirect server.
    [edit redirect-server]
    user@host# edit redirect-server monitor
4. Configure the IP address or hostname of the redundant redirect server.
    [edit redirect-server]
    user@host# set redundant-host-ip-address redundant-host-ip-address
5. Configure the virtual IP address of the redirect server.
    [edit redirect-server]
    user@host# set virtual-ip-address virtual-ip-address
6. Configure the real IP address of the redirect server.
    [edit redirect-server]
    user@host# set real-ip-address real-ip-address
   When a primary redirect server is started, it dynamically establishes and maintains a static route on the client router to which it connects. The static route directs traffic destined for the virtual IP address of the server to the real IP address of the active redirect server.
7. (Optional) Set the system on which you enter the command as the primary redirect server.
    [edit redirect-server]
    user@host# set primary-server
8. (Optional) Set the interval at which the redirect server polls the redundant redirect server.
    [edit redirect-server]
    user@host# set check-interval check-interval
   A shorter time in the range leads to faster detection of problems and results in higher consumption of CPU resources.

9. List the virtual routers to which the redirect server connects.
    [edit redirect-server]
    user@host# set virtual-routers vrname@routername, vrname@routername...

See also: Configuring the Redirect Server (SRC CLI); Configuring the Virtual IP Address (SRC CLI); Configuring a Redundant Redirect Server (C-Web Interface); Traffic Redirection Overview; Redirect Server Redundancy.

Configuring a Redundant Redirect Server (C-Web Interface)

Although configuration of a redundant redirect server is optional, we recommend that you configure redundancy to maintain high availability for the server.

Before you configure the redirect server, review configuration prerequisites. See Before You Configure Redundancy for a Redirect Server.

To configure redundancy for the redirect server:

1. Click Configure>Redirect Server. The Redirect Server pane appears.
2. To enable or disable redundancy for the redirect server, select (or clear) the Redundancy checkbox as described in the Help text in the main pane.

See also: Traffic Redirection Overview; Redirect Server Redundancy; Configuring the Redirect Server (C-Web Interface); Configuring a Redundant Redirect Server (SRC CLI).

Configuring Logging for the Redirect Server

The redirect server logs incoming HTTP and HTTPS requests through the system log with a priority of INFO and a log facility of LOCAL7.

See also: Configuring an SRC Component to Store Log Messages in a File (SRC CLI); Configuring System Logging (SRC CLI).

Enabling the Redirect Server

To enable the redirect server:

    user@host> enable component redir

See also: Before You Configure the Redirect Server on a C Series Controller; Configuring the Redirect Server (SRC CLI); Traffic Redirection Overview.

Changing the Configuration for the Redirect Server

When you change the configuration for the redirect server and commit that configuration, the redirect server is automatically restarted.

See also: Configuring the Redirect Server (SRC CLI); Traffic Redirection Overview.


CHAPTER 3: Configuration Statements

In this chapter: Configuration Statements for the Redirect Server (SRC CLI).

Configuration Statements for the Redirect Server (SRC CLI)

Use the following configuration statements to configure the redirect server at the [edit] hierarchy level.

    redirect-server {
        tcp-port tcp-port;
        destination-url destination-url;
        proxy-support;
        proxy-destination-url proxy-destination-url;
        refresh;
        request-rate request-rate;
        request-burst-size request-burst-size;
        client-rate client-rate;
        client-burst-size client-burst-size;
        check-file-extensions;
        file-extensions file-extensions;
        redundancy;
    }
    redirect-server https {
        port port;
        certificate-identifier certificate-identifier;
    }
    redirect-server ip-redirect {
        interface interface;
        port port;
        https-port https-port;
    }
    redirect-server ldap {
        url url;
        bind-dn bind-dn;
        bind-password bind-password;
        base-dn base-dn;
    }
    redirect-server dns {
        enable;
        tcp-port tcp-port;
        udp-port udp-port;
        forwarder forwarder;

        error-ip-address error-ip-address;
    }
    redirect-server monitor {
        redundant-host-ip-address redundant-host-ip-address;
        virtual-ip-address virtual-ip-address;
        real-ip-address real-ip-address;
        primary-server;
        check-interval check-interval;
        virtual-routers virtual-routers;
    }

See also: Traffic Redirection Overview; Configuring the Redirect Server (SRC CLI). For detailed information about each configuration statement, see the SRC PE CLI Command Reference.

PART 3: Administration

In this part: Management Tasks; Monitoring the Redirect Server; Routine Monitoring.


CHAPTER 4: Management Tasks

In this chapter: Verifying Configuration for the Redirect Server (SRC CLI); Assessing Load for Redirect Server (C-Web Interface).

Verifying Configuration for the Redirect Server (SRC CLI)

Purpose: Verify the configuration for the redirect server.

Action: At the [edit redirect-server] hierarchy level, enter the show command:

    [edit redirect-server]
    user@host# show
    tcp-port 8800;
    destination-url ;
    refresh;
    refresh-document etc/refresh.html;
    user-name nobody;
    request-rate 12000;
    request-burst-size 18000;
    client-rate 25;
    client-burst-size 50;

See also: Configuring the Redirect Server (SRC CLI); Viewing Statistics for the Redirect Server (SRC CLI); Viewing Statistics About Filtered Traffic (SRC CLI); Traffic Redirection Overview.

Assessing Load for Redirect Server (C-Web Interface)

Purpose: View the number of requests sent to the redirect server, and whether the requests reach the configured limit for the server and for server users. You can then use this information to fine-tune the properties for redirect server.

Action:

1. Click Monitor>Redirect Server>Statistics. The Redirect Server Statistics pane appears.
2. From the Output Style list, select an output style as described in the Help text in the main pane.

3. Click OK. The Redirect Server pane displays the following statistics:
   - Uptime
   - Accepted requests
   - Rejected requests
   - Number of user-limit leaky buckets
   - Number of user limits reached
   - Number of global limits reached

You can also obtain statistics for redirect server through SNMP. The name of the MIB for redirect server is Juniper-SDX-REDIRECTOR-MIB.

See also: Configuring General Properties for the Redirect Server (SRC CLI); Viewing Statistics for the Redirect Server (C-Web Interface); Viewing Information for Filtered Traffic (C-Web Interface); Traffic Redirection Overview.
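To see how the request-rate, request-burst-size, client-rate and client-burst-size settings relate to the limit counters listed above, the following added Python example models the limits as token buckets and runs two constructed traffic patterns through them. It is not SRC code, and this page does not describe how the SRC software implements its leaky buckets; the class and function names, the client addresses, the order of the two checks and the expiry of idle per-client buckets are assumptions. The rate values are the ones in the show output in this chapter.

```python
"""Token-bucket model of the redirect server request limits (constructed example, not SRC code)."""


class Bucket:
    """Holds up to burst_size tokens and refills at rate_per_minute."""

    def __init__(self, rate_per_minute, burst_size, now):
        self.rate = rate_per_minute
        self.burst = burst_size
        self.tokens = float(burst_size)  # a new bucket starts full
        self.updated = now

    def refill(self, now):
        elapsed = now - self.updated
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate / 60.0)
        self.updated = now


class RedirectLimiter:
    def __init__(self, request_rate, request_burst_size, client_rate, client_burst_size):
        # The page says each burst size should exceed its rate; this model enforces it.
        for name, rate, burst in (("request", request_rate, request_burst_size),
                                  ("client", client_rate, client_burst_size)):
            if burst <= rate:
                raise ValueError(f"{name} burst size should exceed the {name} rate")
        self.global_bucket = Bucket(request_rate, request_burst_size, 0.0)
        self.client_rate = client_rate
        self.client_burst = client_burst_size
        self.clients = {}  # one bucket per client address
        self.stats = {"accepted": 0, "rejected": 0,
                      "user_limits_reached": 0, "global_limits_reached": 0}

    def allow(self, client, now):
        """Account for one request from client at time now (seconds); True if accepted."""
        bucket = self.clients.get(client)
        if bucket is None:
            bucket = self.clients[client] = Bucket(self.client_rate, self.client_burst, now)
        bucket.refill(now)
        self.global_bucket.refill(now)
        # Assumption: the per-client check comes first, so a client that is over
        # its own limit does not use up the global allowance.
        if bucket.tokens < 1.0:
            return self._reject("user_limits_reached")
        if self.global_bucket.tokens < 1.0:
            return self._reject("global_limits_reached")
        bucket.tokens -= 1.0
        self.global_bucket.tokens -= 1.0
        self.stats["accepted"] += 1
        return True

    def _reject(self, counter):
        self.stats["rejected"] += 1
        self.stats[counter] += 1
        return False

    def expire(self, now):
        """Drop per-client buckets that are full again; return how many were dropped."""
        full = []
        for client, bucket in self.clients.items():
            bucket.refill(now)
            if bucket.tokens >= bucket.burst:
                full.append(client)
        for client in full:
            del self.clients[client]
        return len(full)


def single_client_burst():
    """One client (constructed address) sends 200 requests at t=0 and 100 more at t=60 s."""
    limiter = RedirectLimiter(12000, 18000, 25, 50)
    for _ in range(200):
        limiter.allow("192.0.2.10", 0.0)
    after_burst = dict(limiter.stats)
    for _ in range(100):
        limiter.allow("192.0.2.10", 60.0)
    return after_burst, dict(limiter.stats)


def many_clients_flood():
    """20000 distinct clients send one request each at t=0."""
    limiter = RedirectLimiter(12000, 18000, 25, 50)
    for i in range(20000):
        limiter.allow(f"client-{i}", 0.0)
    tracked = len(limiter.clients)
    dropped_at_1s = limiter.expire(1.0)
    dropped_at_5s = limiter.expire(5.0)
    return dict(limiter.stats), tracked, dropped_at_1s, dropped_at_5s


if __name__ == "__main__":
    print(single_client_burst())
    print(many_clients_flood())
```

In the second pattern no single client reaches its own limit, so only the global counter rises, while the number of tracked per-client buckets grows with the number of distinct sources.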

CHAPTER 5: Monitoring the Redirect Server

In this chapter: Viewing Statistics for the Redirect Server (SRC CLI); Viewing Statistics for the Redirect Server (C-Web Interface); Viewing Statistics About Filtered Traffic (SRC CLI); Viewing Information for Filtered Traffic (C-Web Interface).

Viewing Statistics for the Redirect Server (SRC CLI)

Purpose: View statistics for redirect server.

Action:

    user@host> show redirect-server statistics
    Redirect Server
    Uptime: 1270724.713 s
    Accepted Requests: 25
    Rejected Requests: 0
    User limit leaky buckets: 0
    User limits reached: 0
    Global limits reached: 0

See also: Configuring the Redirect Server (SRC CLI); Viewing Statistics About Filtered Traffic (SRC CLI); Viewing Statistics for the Redirect Server (C-Web Interface); Traffic Redirection Overview.

Viewing Statistics for the Redirect Server (C-Web Interface)

Purpose: View statistics for the redirect server.

Action:

1. Click Monitor>Redirect Server>Statistics. The Statistics pane appears.

Subscriber Traffic Redirection 2. Select a style from the Output Style list. 3. Click OK. The Statistics pane displays the redirect server statistics. Configuring General Properties for the Redirect Server (C-Web Interface) on page 13 Configuring the Redirect Server (C-Web Interface) on page 11 Viewing Statistics for the Redirect Server (SRC CLI) on page 35 Viewing Information for Filtered Traffic (C-Web Interface) on page 37 Traffic Redirection Overview on page 3 Viewing Statistics About Filtered Traffic (SRC CLI) Purpose You can obtain information about the packets filtered on a C Series Controller by accessing statistics for the iptables Linux tool. You can also reset the counters for this tool. Action To view information about packet filtering on a C Series Controller: user@host> show iptables <nat filter mangle> <reset-counters> where nat Displays information for the nat table for the iptables tool. The nat table provides rules for rewriting packet addresses. filter Displays information for the filter table for the iptables tool. The filter table provides rules for defining packet filters. mangle Displays information for the mangle table for the iptables tool. The mangle table provides rules for adjusting packet options, such as quality of service. For example: user@host> show iptables Chain INPUT (policy ACCEPT 25M packets, 9401M bytes) pkts bytes target prot opt in out source destination 36

Chapter 5: Monitoring the Redirect Server Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 24M packets, 4506M bytes) pkts bytes target prot opt in out source destinationreset-counters To reset the values in the output for the show iptables command: user@host> show iptables reset counters Configuring the Redirect Server (SRC CLI) on page 10 Defining Traffic to Transmit to the Redirect Server (SRC CLI) on page 15 Viewing Statistics for the Redirect Server (SRC CLI) on page 35 Viewing Information for Filtered Traffic (C-Web Interface) on page 37 Traffic Redirection Overview on page 3 Viewing Information for Filtered Traffic (C-Web Interface) Purpose View information about filtered traffic with the iptables Linux tool when you are using C-Web to monitor the C Series Controller. Action To view information about the filtered traffic: 1. Click Monitor>Iptables. The Iptables pane appears. 2. Select the type of table that you want to display from the Table list: nat Displays information for the iptables NAT table filter Displays information for the iptables filter table mangle Displays information for the iptables mangle table 37

Subscriber Traffic Redirection 3. Select the Reset Counters check box to rest the counters of items in the output. 4. Click OK. The Iptables pane displays information about filtered traffic. Defining Traffic to Transmit to the Redirect Server (C-Web Interface) on page 16 Configuring the Redirect Server (C-Web Interface) on page 11 Viewing Statistics About Filtered Traffic (SRC CLI) on page 36 Viewing Statistics for the Redirect Server (C-Web Interface) on page 35 Traffic Redirection Overview on page 3 38

CHAPTER 6 Routine Monitoring

    Viewing Information About Components Installed (SRC CLI)
    Viewing Information About Components Installed (C-Web Interface)

Viewing Information About Components Installed (SRC CLI)

Purpose
View release and status information for SRC components installed on a system.

Action
    user@host> show component
    Installed Components
    Name     Version                                    Status
    cli      Release: 7.0 Build: CLI.A.7.0.0.0171       running
    acp      Release: 7.0 Build: ACP.A.7.0.0.0174       disabled
    jdb      Release: 7.0 Build: DIRXA.A.7.0.0.0176     running
    editor   Release: 7.0 Build: EDITOR.A.7.0.0.0176    running
    redir    Release: 7.0 Build: REDIR.A.7.0.0.0176     disabled
    licsvr   Release: 7.0 Build: LICSVR.A.7.0.0.0179    stopped
    nic      Release: 7.0 Build: GATEWAY.A.7.0.0.0170   disabled
    sae      Release: 7.0 Build: SAE.A.7.0.0.0166       running
    www      Release: 7.0 Build: UMC.A.7.0.0.0169       disabled
    jps      Release: 7.0 Build: JPS.A.7.0.0.0172       disabled
    agent    Release: 7.0 Build: SYSMAN.A.7.0.0.0174    running
    webadm   Release: 7.0 Build: WEBADM.A.7.0.0.0173    disabled

Meaning
Table 4 describes the output fields for the show component command. Output fields are listed in the order in which they appear.

Table 4: Output Fields for show component

    Field Name   Field Description
    Name         Name of the component
    Version      Version of the component
    Status       State of the component, running or disabled

Related Documentation
    Viewing Information About Components Installed (C-Web Interface)
    Viewing C Series Controller Information
    Directories on the C Series Controller

Viewing Information About Components Installed (C-Web Interface)

Purpose
View the installed SRC components.

Action
Click Monitor>Component.
The Component pane displays the status of each installed component.

Related Documentation
    Viewing Information About Components Installed (SRC CLI)
    Viewing C Series Controller Information
    Directories on the C Series Controller

PART 4 Troubleshooting

    Troubleshooting Procedures


CHAPTER 7 Troubleshooting Procedures

    Collecting Data with the Activity Monitor (SRC CLI)
    Collecting Data with the Activity Monitor (C-Web Interface)
    Viewing Graphs (C-Web Interface)
    Viewing Graphs from a Web Page

Collecting Data with the Activity Monitor (SRC CLI)

You can collect data with the Activity Monitor for specific components over a specified time and save them to a tar.gz file in the /opt/umc/activity/var/diagnostic/* directory. You can view the exact file name and path after you execute the request support information command.

Before you perform data collection with the Activity Monitor, make sure the filter for the specific components is enabled.

To perform data collection with the Activity Monitor:

    user@host> request support information

Some of the information retrieved includes:
    System log messages from the /var/log/messages/* directory.
    The configuration in text format, XML format, and set format.
    The host name in the name of the diagnostic file.

To perform data collection for specific components:

    user@host> request support information component

where component is one of the following:
    acp         SRC Admission Control Plug-In
    activity    Activity Monitor
    agent       SNMP agent
    appsvr      Application server
    cli         SRC CLI
    diameter    Diameter application
    dsa         Dynamic Service Activator
    extsubmon   External Subscriber Monitor
    ims         IP multimedia subsystem
    jdb         Juniper Networks database
    jps         Juniper Policy Server
    licsvr      License server
    nic         Network information collector
    redir       Redirect server
    sae         SAE
    webadm      C-Web interface

To perform data collection for a specified number of days:

    user@host> request support information days

where days is in the range of 1 to 36500.

Related Documentation
    Before You Load a Configuration
    Viewing Graphs (C-Web Interface)
    Viewing Graphs from a Web Page
    Monitoring Activity on C Series Controllers

Collecting Data with the Activity Monitor (C-Web Interface)

You can collect data with the Activity Monitor for specific components over a specified time.

Before you configure data collection for the Activity Monitor, make sure the Activity Monitor (activity), CLI (cli), and C-Web interface (webadm) components are enabled.

To perform data collection with the Activity Monitor:
1. Click Manage>Request>Support>Information.
   The Support Information pane appears.
2. From the Components list, select the components you want to monitor, and click OK.
3. (Optional) Enter the number of days for which you want to collect data, and click OK.

Related Documentation
    Viewing Graphs (C-Web Interface)
    Viewing Graphs from a Web Page
    Monitoring Activity on C Series Controllers

Viewing Graphs (C-Web Interface)

You can display graphs for components for which the Activity Monitor has collected data.

To display graphs from the Activity Monitor with the C-Web interface:
1. Click Graphs.
2. In the side pane, select the component and the graph that you want to display.
   The pane for selecting the time period displayed by the graph appears.
3. Select one of the preset values or enter the time range in the From and To boxes, and click OK.
   The graphs appear.

Related Documentation
    Collecting Data with the Activity Monitor (C-Web Interface)
    Viewing Graphs from a Web Page
    Monitoring Activity on C Series Controllers

Viewing Graphs from a Web Page

You can display graphs for components for which the Activity Monitor has collected data from a Web page.

Before you display these graphs, make sure the Activity Monitor (activity) and C-Web interface (webadm) components are enabled. For more secure displays, configure the C-Web interface to use HTTPS and use POST requests.

    Viewing Graphs for a Preset Time Period from a Web Page
    Viewing Graphs for Specified Time Periods from a Web Page

Viewing Graphs for a Preset Time Period from a Web Page

To display graphs with preset time periods from the Activity Monitor from a Web page:

    http://ip-address/graph?&id=username&pw=password&name=graph-name&time=time-period

where
    ip-address    IP address of the C Series Controller
    username      Username used to log in to the C Series Controller
    password      Password used to log in to the C Series Controller
    graph-name    Name of graph to display in the format <component>-<graph>, where <graph> is the name of the graph as specified in the C-Web interface in all lowercase letters with hyphens separating words
    time-period   Period of time that data was collected for display in a graph in the format <number><units>

The <number> is the number of <units>, which are specified as one of the following values:
    m   minutes
    h   hours
    d   days
    w   weeks
    M   months
    y   years

For example, to view the CPU graph for the System component for the past 10 minutes on the C Series Controller called c2000 for the user admin:

    http://c2000/graph?&id=admin&pw=secret&name=system-cpu&time=10m

The CPU Usage graph appears.

Viewing Graphs for Specified Time Periods from a Web Page

To display graphs for specified time periods from the Activity Monitor from a Web page:

    http://ip-address/graph?&id=username&pw=password&name=graph-name&start=date-time&end=date-time

where
    ip-address   IP address of the C Series Controller
    username     Username used to log in to the C Series Controller
    password     Password used to log in to the C Series Controller
    graph-name   Name of graph to display in the format <component>-<graph>, where <graph> is the name of the graph as specified in the C-Web interface in all lowercase letters with hyphens separating words
    date-time    Date and time that data was collected for display in a graph in the format yyyymmddhhmm, where:
                     yyyy   year
                     MM     month
                     dd     day
                     HH     hour
                     mm     minute

For example, to view the heap usage graph for the SAE component from January 15 to January 28 on the C Series Controller called c2000 for the user admin:

    http://c2000/graph?&id=admin&pw=secret&name=sae-heap&start=200901150000&end=200901280000

The SAE Heap Usage graph appears.

Related Documentation
    Collecting Data with the Activity Monitor (SRC CLI)
    Collecting Data with the Activity Monitor (C-Web Interface)
    Viewing Graphs (C-Web Interface)
    Monitoring Activity on C Series Controllers
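The graph URLs above carry the username and password in the query string, which is why the page recommends HTTPS and POST requests. The following Python sketch is an added example, not part of the SRC software or its documentation. It validates the parameters against the formats given above and builds an HTTPS POST request with the credentials in the body. It assumes the C-Web interface accepts the same field names in a form-encoded POST body; build_graph_request is a hypothetical helper name.

```python
import re
from datetime import datetime
from urllib.parse import urlencode
from urllib.request import Request

HOST = re.compile(r"[A-Za-z0-9.-]+")                # bare host name or IPv4 address
GRAPH_NAME = re.compile(r"[a-z0-9]+(-[a-z0-9]+)+")  # <component>-<graph>, lowercase
TIME_PERIOD = re.compile(r"[1-9][0-9]*[mhdwMy]")    # <number><units>
DATE_TIME = re.compile(r"[0-9]{12}")                # yyyymmddhhmm


def _check_date_time(value):
    if not DATE_TIME.fullmatch(value):
        raise ValueError(f"date-time must be yyyymmddhhmm: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M")  # rejects month 13, hour 25


def build_graph_request(host, username, password, name,
                        time=None, start=None, end=None):
    """Return an unsent urllib Request for an Activity Monitor graph."""
    if not HOST.fullmatch(host):
        raise ValueError(f"bad host: {host!r}")
    if not GRAPH_NAME.fullmatch(name):
        raise ValueError(f"graph name must be <component>-<graph>: {name!r}")
    fields = [("id", username), ("pw", password), ("name", name)]
    if time is not None:
        if start is not None or end is not None:
            raise ValueError("use either time or start/end, not both")
        if not TIME_PERIOD.fullmatch(time):
            raise ValueError(f"time must be <number><units>: {time!r}")
        fields.append(("time", time))
    elif start is not None and end is not None:
        if _check_date_time(start) >= _check_date_time(end):
            raise ValueError("start must be earlier than end")
        fields += [("start", start), ("end", end)]
    else:
        raise ValueError("give time, or both start and end")
    # Assumption: the POST form takes the same field names as the query string.
    body = urlencode(fields).encode("ascii")
    return Request(f"https://{host}/graph", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


# Constructed usage with the page's example values (nothing is sent).
req = build_graph_request("c2000", "admin", "secret", "sae-heap",
                          start="200901150000", end="200901280000")
print(req.get_method(), req.full_url)  # credentials are in req.data, not the URL
```

With the credentials in the request body, they no longer appear in the URL, so they stay out of browser history, bookmarks, and the request lines of web server and proxy logs.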