
ConnectControl - Server Load Balancing

Related Topics

Introduction to ConnectControl

Load-Balancing Methods

ConnectControl Packet Flow

Logical Server Types

Persistent Server Mode

Server Availability

Load Measuring

Configuring ConnectControl

Introduction to ConnectControl

ConnectControl is Check Point's solution for server load balancing. ConnectControl distributes network traffic among a number of servers, which reduces the load on a single machine and thereby improves network response time and provides high availability. In addition to the performance benefits, spreading the load over multiple machines creates redundancy for your application and reduces the risk of downtime.

Load-balanced servers are represented by a single virtual IP address, so clients are unaware that more than one server is serving their requests. This is accomplished using a Logical server, which is a network object defined in SmartDashboard that represents a group of physical servers. The Logical server fields service requests for the load-balanced application and directs them to the appropriate physical server.

ConnectControl runs on the gateway and does not impose any additional memory or processing requirements. It continuously checks the availability of each server and if a server fails or is unreachable, ConnectControl stops directing connections to that server until it becomes available.

Load-Balancing Methods

ConnectControl distributes network traffic to load-balanced servers according to predefined balancing methods, which include:

  • Server Load: Measures the load on each server to determine which server has the most available resources to service a request. Each server in the group runs a load measuring agent that automatically reports the current system load to ConnectControl on the Security Gateway. Server Load is a good choice if your servers run other demanding applications in addition to supporting your load-balanced application. See also Load Measuring.
  • Round Trip: Ensures that incoming requests are handled by the server with the fastest response time. At a user-defined interval, the gateway sends a series of ICMP echo requests (pings) to the servers in the group and records which server has the shortest average round-trip time; ConnectControl then directs the service request to that server. The round trip method is a good choice if there are large variations in the traffic load on your network or when load balancing over WAN connections.
  • Round Robin: Assigns service requests to the next server in the sequence. The round robin method provides optimal load balancing when the load-balanced servers all have similar RAM and CPU and are located on the same segment.
  • Random: Assigns service requests to servers at random. The random method provides optimal load balancing when the load-balanced servers all have similar RAM and CPU and are located on the same segment.
  • Domain: Directs service requests based on domain name.
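The selection logic behind these methods, written out as an added Python example (not Check Point code, and not how the gateway kernel implements it). It models a Logical server fronting a group of physical servers and picks the next server under Server Load (lowest agent-reported load), Round Trip (shortest average ping time), Round Robin and Random; the Domain method is left out because the page gives no detail on it. Server names, addresses, loads and round-trip samples are constructed; `available` stands for the result of the availability check described later on the page, and an unavailable server is never chosen under any method.

```python
# Constructed example (not Check Point code): how a Logical server picks a
# physical server under each ConnectControl balancing method.
import random
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PhysicalServer:
    name: str
    ip: str
    available: bool = True               # cleared by the availability check
    reported_load: float = 0.0           # last value from the load-measuring agent
    rtt_samples_ms: List[float] = field(default_factory=list)  # ping round trips

    def avg_rtt_ms(self) -> float:
        if not self.rtt_samples_ms:
            return float("inf")          # never measured: treat as slowest
        return sum(self.rtt_samples_ms) / len(self.rtt_samples_ms)


class LogicalServer:
    """One virtual IP fronting a group of physical servers."""

    METHODS = ("server_load", "round_trip", "round_robin", "random")

    def __init__(self, vip: str, servers: List[PhysicalServer],
                 method: str, rng: Optional[random.Random] = None):
        if method not in self.METHODS:
            raise ValueError(f"unsupported method: {method}")
        self.vip = vip
        self.servers = servers
        self.method = method
        self._rr_next = 0                # position for Round Robin
        self._rng = rng or random.Random()

    def select(self) -> Optional[PhysicalServer]:
        """Return the server that should get the next request, or None if
        no server in the group is currently available."""
        candidates = [s for s in self.servers if s.available]
        if not candidates:
            return None
        if self.method == "server_load":
            # lowest load reported by the agents wins
            return min(candidates, key=lambda s: s.reported_load)
        if self.method == "round_trip":
            # shortest average ICMP round trip wins
            return min(candidates, key=lambda s: s.avg_rtt_ms())
        if self.method == "random":
            return self._rng.choice(candidates)
        # round_robin: next server in sequence, skipping unavailable ones
        n = len(self.servers)
        for offset in range(n):
            server = self.servers[(self._rr_next + offset) % n]
            if server.available:
                self._rr_next = (self._rr_next + offset + 1) % n
                return server
        return None


if __name__ == "__main__":
    # Constructed group of three servers with sample load and ping figures.
    group = [PhysicalServer("web1", "10.0.0.11", reported_load=0.7, rtt_samples_ms=[3.0, 4.0]),
             PhysicalServer("web2", "10.0.0.12", reported_load=0.2, rtt_samples_ms=[9.0, 8.0]),
             PhysicalServer("web3", "10.0.0.13", reported_load=0.9, rtt_samples_ms=[1.5, 2.5])]
    for method in LogicalServer.METHODS:
        ls = LogicalServer("192.0.2.10", group, method, rng=random.Random(1))
        print(method, [ls.select().name for _ in range(4)])
```

Round Robin keeps its position across calls, so taking a server out of rotation only skips it rather than restarting the sequence; Server Load and Round Trip are stateless and depend entirely on the freshness of the agent reports and ping samples fed into them.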

ConnectControl Packet Flow

When a client requests access to an application that is load balanced by ConnectControl, the following is the packet flow:

  1. A client initiates a connection with the logical IP address of the application server, which is actually the address assigned to the Logical server.
  2. The service request arrives at the gateway and is matched by the Logical server rule in the Rule Base. The firewall then directs the packet to the Logical server.
  3. ConnectControl determines which of the servers in the group can best fulfill the request based on the load-balancing method.

[Figure: ConnectControl packet flow]

Logical Server Types

When creating the Logical server object, you must identify the server type as either HTTP or Other. This distinction is important, as ConnectControl handles the connection to the client differently for each server type. To direct network traffic, the HTTP server type uses HTTP redirection, while the Other server type uses address translation.

HTTP

The HTTP Logical server type employs HTTP redirection to distribute network traffic and supports only HTTP services. The redirection mechanism ensures that all sessions comprising an HTTP connection are directed to a single server. This is critical for many Web applications, such as those using HTTP-based forms, which require that a single server process all user data.

The HTTP redirection mechanism works in conjunction with ConnectControl's load-balancing methods. The initial HTTP connection is directed to the proper server based on the selected load-balancing method. ConnectControl then notifies the client that subsequent connections should be directed to the IP address of the selected physical server, rather than to the IP address of the Logical server. The IP address can be the address of a server behind the firewall or of an offsite server. The remainder of the session is conducted without ConnectControl intervention and all operations are transparent to the user.

The Logical server may direct the client to an HTTP server behind the firewall or to an offsite HTTP server, depending on the result of ConnectControl's load balancing.

[Figure: HTTP Logical server redirecting the client to the selected physical server]

All further communication between the client and the server takes place without the intervention of ConnectControl.

Other

The Other Logical server type can be used for all services supported by a Security Gateway, including HTTP. It uses NAT to direct network traffic to the grouped servers. ConnectControl mediates each service request, even when clients continue a session. When you create an Other Logical server type, ConnectControl allows the connection by automatically placing entries in the Security Gateway kernel table. ConnectControl determines which server receives the request and uses NAT to modify the destination IP address of the incoming packet. If a return connection is opened, the connection is automatically established between the server and the client and the server's source address in the packet is translated to that of the Logical server. The following illustration shows a connection being directed to a NATed FTP server inside the firewall.

[Figure: Other Logical server directing a connection to a NATed FTP server inside the firewall]

On the packet's return, the firewall translates the packet's original address to that of the Logical server.

You can also use an Other Logical server type to handle HTTP service requests. In contrast to the HTTP type, once a connection between the client and server has been established, the Other Logical server type does not disconnect. Instead, ConnectControl handles each HTTP service request from the client and multiple service requests from one client can be directed to different servers.

Considering Logical Server Types

When considering the proper implementation for your environment, there are three decisive criteria: use of HTTP forms, server location and servers configured for NAT. The HTTP type supports offsite HTTP servers and form based applications, but only works with the HTTP protocol. The Other type supports all protocols and may provide the most effectively balanced load, but requires servers to be NATed by the gateway.

Persistent Server Mode

Persistent server mode is a ConnectControl feature that maintains a client's connection to the server to which it was first directed. When using this feature, you must decide whether the persistency is by server or by service.

Persistency By Server

Persistency by server is useful for certain types of HTTP applications, such as forms support in a load-balanced environment comprised of multiple Web servers. When Persistency by server is enabled, ConnectControl directs an HTTP client to a specific server and each subsequent request by the client is directed to the same server. This mode allows clients to fill out forms without the data loss that occurs if separate service requests are directed to different servers. If you support forms, enable Persistent server mode (the default setting) and the Persistency by server option.

Persistency By Service

The persistency by service feature is useful if you are load balancing multiple services in your server group, for example, in a redundant environment of two machines, each running HTTP and FTP.

[Figure: Persistency by service]

Using persistency by service, the client can be directed to one server for HTTP services and another for FTP services. This prevents you from being locked in to a server under a heavy load, as may occur if you opt for persistency by server in this configuration. Persistency by service directs previously load-balanced clients, which request a different service, to be load balanced and directed once again to the correct server.

Persistent Server Timeout

The Persistent server timeout sets the amount of time that a client, once directed to a particular server, continues to be directed to that server. In the event that a server becomes unavailable, new connections are directed to an available server, even if Persistent server mode is enabled. For optimal load balancing between servers, disable Persistent server mode so that all application traffic is distributed according to the load-balance method. The Persistent server timeout is configured in the ConnectControl page of the Global Properties window.

Server Availability

You can configure various properties of ConnectControl in order to check the availability of servers in the Logical server group. You can define how often the gateway pings the servers to ensure they are still active and the number of attempts it makes to contact a nonresponsive server after ConnectControl stops directing connections to it.

These settings are located in the ConnectControl page of the Global Properties window. The Server availability check interval option defines how often the servers are pinged. The Server check retries option defines the number of attempts to contact nonresponsive servers.
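Persistent server mode (Persistency by server, Persistency by service and the Persistent server timeout, described above) and the availability check (check interval and retries) interact: a persisted client must be re-balanced when its entry expires or its server drops out. The following added Python example (not Check Point code) models both. Server names, client addresses, timestamps and the ping outcome are constructed; two details the page leaves open are taken as assumptions and marked in the code: the timeout is counted from when the client was first directed, and a server is removed from rotation once the configured number of consecutive checks fail and restored as soon as one succeeds.

```python
# Constructed example (not Check Point code): persistent server mode with a
# timeout, by server or by service, plus the availability check with retries.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Server:
    name: str
    available: bool = True
    failed_checks: int = 0            # consecutive availability checks unanswered


class AvailabilityChecker:
    """Models the Server availability check interval / Server check retries
    settings. Assumption: a server is taken out of rotation once `retries`
    consecutive checks fail, and put back as soon as one succeeds."""

    def __init__(self, servers: List[Server], ping: Callable[[Server], bool],
                 interval_s: int = 20, retries: int = 3):
        self.servers, self.ping = servers, ping
        self.interval_s, self.retries = interval_s, retries

    def run_check(self) -> List[str]:
        """One pass over the group (run every interval_s seconds);
        returns the names of servers currently out of rotation."""
        for s in self.servers:
            if self.ping(s):
                s.failed_checks, s.available = 0, True
            else:
                s.failed_checks += 1
                if s.failed_checks >= self.retries:
                    s.available = False
        return [s.name for s in self.servers if not s.available]


class PersistencyTable:
    """Remembers where a client was sent. mode='server' keys on the client
    only (all services go to one server); mode='service' keys on
    (client, service) so HTTP and FTP may land on different servers.
    Assumption: the timeout runs from the first direction, not per request."""

    def __init__(self, mode: str, timeout_s: int = 1800):
        if mode not in ("server", "service"):
            raise ValueError("mode must be 'server' or 'service'")
        self.mode, self.timeout_s = mode, timeout_s
        self._entries: Dict[tuple, Tuple[Server, float]] = {}

    def _key(self, client_ip: str, service: str) -> tuple:
        return (client_ip,) if self.mode == "server" else (client_ip, service)

    def lookup(self, client_ip: str, service: str, now: float) -> Optional[Server]:
        key = self._key(client_ip, service)
        entry = self._entries.get(key)
        if entry is None:
            return None
        server, directed_at = entry
        # Expired entries and entries pointing at a failed server are dropped,
        # so the client is load-balanced again instead of being sent to a dead box.
        if now - directed_at > self.timeout_s or not server.available:
            del self._entries[key]
            return None
        return server

    def record(self, client_ip: str, service: str, server: Server, now: float) -> None:
        self._entries[self._key(client_ip, service)] = (server, now)


def round_robin(servers: List[Server]) -> Callable[[], Optional[Server]]:
    """Minimal balancing method standing in for any of the five."""
    state = {"next": 0}

    def pick() -> Optional[Server]:
        live = [s for s in servers if s.available]
        if not live:
            return None
        server = live[state["next"] % len(live)]
        state["next"] += 1
        return server
    return pick


def direct(table: PersistencyTable, balance: Callable[[], Optional[Server]],
           client_ip: str, service: str, now: float) -> Optional[Server]:
    """Persistent server mode: reuse the remembered server while the entry is
    valid, otherwise load-balance and remember the result."""
    server = table.lookup(client_ip, service, now)
    if server is None:
        server = balance()
        if server is not None:
            table.record(client_ip, service, server, now)
    return server


if __name__ == "__main__":
    web1, web2 = Server("web1"), Server("web2")   # both run HTTP and FTP
    pick = round_robin([web1, web2])
    by_service = PersistencyTable("service")
    print("http ->", direct(by_service, pick, "198.51.100.7", "http", 0).name)
    print("ftp  ->", direct(by_service, pick, "198.51.100.7", "ftp", 10).name)
    checker = AvailabilityChecker([web1, web2], ping=lambda s: s.name != "web1")
    for _ in range(3):
        print("out of rotation:", checker.run_check())
```

With mode='server' the FTP request follows the HTTP request to the same server; with mode='service' it is balanced separately, which is the lock-in the page warns about versus the spread it recommends for a two-server HTTP+FTP group. Once the checker has marked web1 down, the persisted client is sent to web2 on its next request rather than to the failed server.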

Load Measuring

The Server Load balancing method is unique because it requires a load-measuring agent to run on each server in the group. The agent is lightweight and does not add latency or system overhead to the server. It communicates with ConnectControl over UDP.

Check Point provides a sample load-measuring agent application for installation on servers, as well as a load-measuring application programming interface (API) for organizations who want to write their own agents. You can download the load agent application for your OS from the Check Point Support site.

You can configure certain properties of the load-measuring agent in the ConnectControl page of the Global Properties window. The Load agents port property determines the port that the load agent uses to communicate with the Security Gateway. All the load-measuring agents in a configuration must use the same port number. The Load measurement interval property defines the interval at which the agent returns information about the server's load to the firewall (the default is every 20 seconds).

For Windows servers, configure and enable the load-measuring agent using the load_agent_nt <port_number> <load_value> syntax.

The default port used by ConnectControl is 18212. The values for load_value are 0, 1, 2, where:

  • 0 measures the load over a 1 minute interval
  • 1 measures the load over a 5 minute interval
  • 2 measures the load over a 15 minute interval
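An added Python example of what a load-measuring agent and its gateway-side collector do, following the settings above: the agent sends the 1-, 5- or 15-minute load average selected by load_value to the Load agents port every Load measurement interval, and the collector keeps the latest load per server for the Server Load method. This is not the Check Point agent or its API; the page does not describe the real wire format, so the JSON datagram here is a constructed stand-in, the server names and addresses are constructed, and `os.getloadavg` is used as the Unix load source (the Windows `load_agent_nt` uses its own). The collector only accepts reports from addresses in the server group and validates every field, because an unauthenticated UDP report that can lower a server's apparent load would otherwise steer traffic.

```python
# Constructed example (not the Check Point load agent): a load-measuring agent
# that reports over UDP and the gateway-side collector that consumes reports.
# The JSON datagram format is a stand-in; the real agent's wire format is not
# described on this page.
import json
import os
import socket
import time
from typing import Dict, Optional, Set, Tuple

LOAD_AGENTS_PORT = 18212            # default Load agents port (from the page)
LOAD_MEASUREMENT_INTERVAL_S = 20    # default Load measurement interval (from the page)
LOAD_VALUE_WINDOW_MIN = {0: 1, 1: 5, 2: 15}   # load_value -> averaging window in minutes


def pick_load(loadavg: Tuple[float, float, float], load_value: int) -> float:
    """Select the 1-, 5- or 15-minute load average according to load_value."""
    if load_value not in LOAD_VALUE_WINDOW_MIN:
        raise ValueError("load_value must be 0, 1 or 2")
    return float(loadavg[load_value])


def current_loadavg() -> Tuple[float, float, float]:
    try:
        return os.getloadavg()           # Unix; the Windows agent has its own source
    except (AttributeError, OSError):
        return (0.0, 0.0, 0.0)           # fallback so the example runs anywhere


def encode_report(server_name: str, load: float, load_value: int) -> bytes:
    return json.dumps({"server": server_name, "load": load,
                       "window_min": LOAD_VALUE_WINDOW_MIN[load_value],
                       "ts": int(time.time())}).encode("utf-8")


def decode_report(data: bytes, max_len: int = 512) -> Dict[str, object]:
    """Gateway-side parsing. Reports arrive as unauthenticated UDP, so bound the
    size and validate every field before it can influence a balancing decision."""
    if len(data) > max_len:
        raise ValueError("datagram too large")
    obj = json.loads(data.decode("utf-8"))          # JSONDecodeError is a ValueError
    if not isinstance(obj, dict):
        raise ValueError("report must be a JSON object")
    name, load, window = obj.get("server"), obj.get("load"), obj.get("window_min")
    if not isinstance(name, str) or not 0 < len(name) <= 64:
        raise ValueError("bad server name")
    if isinstance(load, bool) or not isinstance(load, (int, float)) or load < 0:
        raise ValueError("bad load value")
    if window not in LOAD_VALUE_WINDOW_MIN.values():
        raise ValueError("bad averaging window")
    return {"server": name, "load": float(load), "window_min": window}


class LoadCollector:
    """Holds the latest load per server for the Server Load balancing method."""

    def __init__(self, allowed_sources: Set[str]):
        # Only servers in the Logical server group may report; a report from
        # any other source is dropped rather than allowed to steer traffic.
        self.allowed_sources = allowed_sources
        self.loads: Dict[str, float] = {}

    def ingest(self, data: bytes, source_ip: str) -> bool:
        if source_ip not in self.allowed_sources:
            return False
        try:
            report = decode_report(data)
        except ValueError:
            return False
        self.loads[report["server"]] = report["load"]
        return True


def run_agent(server_name: str, gateway_ip: str, port: int = LOAD_AGENTS_PORT,
              load_value: int = 0, interval_s: int = LOAD_MEASUREMENT_INTERVAL_S,
              iterations: Optional[int] = None) -> None:
    """Agent loop: every interval_s seconds send the selected load average."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    try:
        while iterations is None or sent < iterations:
            load = pick_load(current_loadavg(), load_value)
            sock.sendto(encode_report(server_name, load, load_value), (gateway_ip, port))
            sent += 1
            if iterations is None or sent < iterations:
                time.sleep(interval_s)
    finally:
        sock.close()


if __name__ == "__main__":
    # Loopback demo: collector on an ephemeral port, one report from the agent.
    collector_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector_sock.bind(("127.0.0.1", 0))
    collector_sock.settimeout(2)
    _, demo_port = collector_sock.getsockname()
    run_agent("web1", "127.0.0.1", port=demo_port, load_value=1, iterations=1)
    data, (src_ip, _) = collector_sock.recvfrom(1024)
    collector = LoadCollector(allowed_sources={"127.0.0.1"})
    print("accepted:", collector.ingest(data, src_ip), collector.loads)
    collector_sock.close()
```

In a real deployment the source check belongs in the gateway's rule base as well (only the server group may reach the Load agents port), since a UDP source address alone is not proof of origin; the collector's own check is a second layer, not a substitute.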

Configuring ConnectControl

To configure ConnectControl:

  1. In SmartDashboard, right-click Network Objects in the Network Objects tree and select New > Node > Host.
  2. Define a server object that represents a load-balanced server.
  3. Repeat step 2 for each server you place in the group.
  4. In Security Management, right-click Network Objects and select New > Group > Simple Group.
  5. Name the group (for example, HTTP_Server_Group).
  6. Add the server objects to the group in the Group Properties box. It is recommended to add no more than 29 Logical servers to a group.
  7. In SmartDashboard, right-click Network Objects in the Network Objects tree and select New > Logical Server. Ensure the IP address you assign is a routable IP address. All traffic to be load-balanced should be directed through the gateway.
  8. Select the Server's Type.
  9. Add the Group object you created in step 3 to the Servers Group.
  10. To enable Persistent server mode, select either Persistency by service or server (the default mode is Persistency by service).
  11. Select a load-balance method as the Balance Method.
  12. Add the following rule to the Rule Base:

Load Balancing Rule

  Source | Destination    | Service                    | Action
  -------+----------------+----------------------------+------------------------------------------------------
  Any    | Logical_Server | [load-balanced service(s)] | Accept, or User Auth, or Client Auth, or Session Auth

  13. For applications using HTTP redirection (HTTP Logical server type), add a second rule to allow the physical server group to communicate directly with clients after sessions have started.

Server Group Connection Rule

  Source | Destination       | Service | Action
  -------+-------------------+---------+-------
  Any    | HTTP_Server_Group | http    | Accept

  14. From the Policy menu, select Global Properties > ConnectControl. Review the default settings and adjust according to your implementation. The following options are available:
    • Servers Availability: Manages how often ConnectControl ensures that the load-balanced servers are running and responding to service requests and how many times ConnectControl attempts to contact a server before ceasing to direct traffic to it. The Server availability check interval option default value is 20 seconds. The Server check retries option default value is 3 times.
    • Servers Persistency: Defines the amount of time that a client, once directed to a particular server, continues to be directed to it. The Persistent server timeout option default value is 1800 seconds.
    • Servers Load Balancing: Manages how often the load measuring agents (if employed) report their load status to ConnectControl and the port from which they communicate with ConnectControl. The Load agents port option default value is 18212. The Load measurement interval default value is 20 seconds.
 
©2013 Check Point Software Technologies Ltd. All rights reserved.