ConnectControl is a Check Point solution for balancing the traffic that passes through Check Point Security Gateway or Cluster towards servers behind the Check Point Security Gateway or Cluster. ConnectControl does not consume more memory or CPU processing power on Security Gateway or Cluster Members.
Load-balanced servers are represented by one virtual IP address. Define a Logical server, a network object that represents a group of physical servers. The Logical server takes service requests for the load-balanced application and directs the requests to the applicable physical server.
When a client requests access to an application that is load balanced by ConnectControl, the request goes through the Security Gateway.
Item | Description
---|---
1 | Client request - A client starts a connection with the logical IP address of the application server (the address assigned to the Logical server).
2 | Internet - The service request goes through the Internet.
3 | Security Gateway - The service request arrives at the destination public IP address of the Logical Server, which is on the Security Gateway. The request is matched to the Logical Server rule in the Rule Base. The gateway directs the request to the internal IP address of the Logical Server group.
4 | Logical Server - ConnectControl determines which server in the Logical Server group is best for the request, based on the selected load-balancing method.
Note - Make sure that the rules that allow traffic for services to ConnectControl Logical Servers and server groups are placed before the Access Control Policy rules that allow traffic for those services.
To define a Logical Server:
Make sure the IP address is a public IP address. All traffic to be load-balanced must be directed through the cluster.
In cluster setups, if the assigned IP address is on the same subnet as a cluster virtual IP address, you also need to configure a Manual ARP proxy entry for this IP address in the $FWDIR/conf/local.arp file, as described in sk30197.
When you create the Logical server object, configure the server type as HTTP or Other. This distinction is important: ConnectControl handles the connection to the client differently for each server type.
The HTTP server type uses HTTP redirection. This type supports offsite HTTP servers and form-based applications, but only works with the HTTP protocol. An HTTP Logical server makes sure that all HTTP-connection sessions are directed to one server, which is a requirement for many Web applications. ConnectControl finds the correct physical server, behind the firewall or offsite, based on the selected load-balancing method. The session connections continue to go to that one server.
The Other server type uses NAT (address translation) to send traffic to the grouped servers. This Logical server supports all protocols (including HTTP) and gives the most effective load balancing. It requires the servers to be NATed by the gateway. ConnectControl mediates each service request, selects the server that gets that request, and uses NAT to change the destination IP address of the incoming packet. If a return connection is opened, it is automatically established between the server and the client: the server's source address in the packet is translated to the IP address of the Logical server, so on the packet's return the firewall translates the packet's original address to the IP address of the Logical server.
Persistent server mode maintains a client's connection to the server that ConnectControl first selected.
Item | Description
---|---
1 | Multiple client requests for HTTP and FTP.
2 | Internet
3 | Security Gateway - The service requests arrive at the destination public IP address of the Logical Server, which is on the Security Gateway. The gateway directs the requests to the internal IP address of the Logical Server group.
4 | Logical Server group with two servers, each with FTP and HTTP services. ConnectControl balances the load between the servers.
If you enable Persistent server mode, you can set a timeout for a client to use one server. If a server becomes unavailable, ConnectControl directs new connections to a new, available server. This bypasses the persistency and optimizes load balancing.
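The redirect-versus-NAT dispatch of the two server types and the persistency timeout with failover described above, as an added Python model that is not Check Point code; the Server and LogicalServer classes, the round-robin method and the sample addresses are assumptions for illustration.

```python
import time

class Server:
    """A physical server in a Logical Server group (assumed model)."""
    def __init__(self, ip, available=True):
        self.ip, self.available = ip, available

class LogicalServer:
    """One virtual IP fronting a group. 'HTTP' answers with a redirect to the
    chosen server; 'Other' rewrites the destination IP (NAT), as the text says."""
    def __init__(self, vip, servers, server_type="Other", persistent=True, timeout=1800):
        self.vip, self.servers, self.server_type = vip, servers, server_type
        self.persistent, self.timeout = persistent, timeout
        self._rr = 0          # round-robin cursor (assumed balancing method)
        self._sticky = {}     # client ip -> (server, time of last request)

    def _pick(self):
        # Balance only over servers that are currently available.
        avail = [s for s in self.servers if s.available]
        if not avail:
            raise RuntimeError("no available server in group")
        srv = avail[self._rr % len(avail)]
        self._rr += 1
        return srv

    def select(self, client_ip, now=None):
        """Persistent mode: keep the first-selected server until the timeout
        expires or that server becomes unavailable, then balance again."""
        now = time.time() if now is None else now
        if self.persistent:
            entry = self._sticky.get(client_ip)
            if entry and entry[0].available and now - entry[1] <= self.timeout:
                self._sticky[client_ip] = (entry[0], now)
                return entry[0]
        srv = self._pick()
        if self.persistent:
            self._sticky[client_ip] = (srv, now)
        return srv

    def handle(self, client_ip, dst_ip, now=None):
        """What the gateway does with a request from client_ip to dst_ip."""
        if dst_ip != self.vip:
            return ("pass", dst_ip)      # not for the Logical Server: normal rule base
        srv = self.select(client_ip, now)
        if self.server_type == "HTTP":
            return ("redirect", f"http://{srv.ip}/")
        return ("nat", srv.ip)

if __name__ == "__main__":
    group = [Server("10.0.0.11"), Server("10.0.0.12")]   # constructed sample addresses
    ls = LogicalServer("203.0.113.10", group, "Other", timeout=100)
    print(ls.handle("198.51.100.5", "203.0.113.10", now=0))   # nat to 10.0.0.11
    group[0].available = False
    print(ls.handle("198.51.100.5", "203.0.113.10", now=10))  # fails over to 10.0.0.12
```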
To set persistent server mode timeout:
ConnectControl distributes network traffic to load-balanced servers according to predefined balancing methods:
Important - This method is not supported for Logical Servers.
For more information, see sk31162.
You can configure how ConnectControl finds available servers.
To set server availability configurations:
This procedure explains the steps to set up ConnectControl in your environment.
To configure ConnectControl:
Define the objects for the servers that will be load-balanced, and group them in a group object (for example, HTTP_Server_Group). We recommend adding no more than 29 Logical Servers to a group.
Make sure the IP address you assign is a public IP address. All traffic to be load-balanced is directed through the cluster.
| Source | Destination | Services & Applications | Action |
|---|---|---|---|
| | Logical Server object | Load-balanced Services | |
| Source | Destination | Services & Applications | Action |
|---|---|---|---|
| | | | |