ConnectControl - Server Load Balancing

ConnectControl is a Check Point solution for balancing the traffic that passes through Check Point Security Gateway or Cluster towards servers behind the Check Point Security Gateway or Cluster. ConnectControl does not consume more memory or CPU processing power on Security Gateway or Cluster Members.

ConnectControl Packet Flow

Load-balanced servers are represented by one virtual IP address. Define a Logical server, a network object that represents a group of physical servers. The Logical server takes service requests for the load-balanced application and directs the requests to the applicable physical server.

When a client requests access to an application that is load balanced by ConnectControl, the request goes through the Security Gateway.

Item	Description
1	Client request - A client starts a connection with the logical IP address of the application server (the address assigned to the Logical server).
2	Internet - The service request goes through the Internet.
3	Security Gateway - The service request arrives at the destination public IP address of the Logical Server, which is on the Security Gateway. The request is matched to the Logical Server rule in the Rule Base. The gateway directs the request to the internal IP address of the Logical Server group.
4	Logical Server - ConnectControl determines which server in the Logical Server group is best for the request, based on the selected load-balancing method.

Note - Make sure that rules that allow traffic for services to ConnectControl Logical Servers and that server groups are before Access Control Policy rules that allow traffic for those services.

Defining a Logical Server

To define a Logical Server:

1. In the SmartConsole, click Objects menu > Object Explorer (or press Ctrl+E).
2. From the toolbar, click New > Network Object > More > Logical Server.
3. In the New Logical Server window, enter a name for the ConnectControl Logical server.
4. Enter a virtual IP address.

   Make sure the IP address is a public IP address. All traffic to be load-balanced, must be directed through the cluster.

   In cluster setups, if the assigned IP address is on the same subnet as a cluster virtual IP address, you also need to configure a Manual ARP proxy entry for this IP address.

   1. Click Menu menu > Global properties > NAT - Network Address Translation.
   2. Select Merge manual proxy ARP configuration.
   3. Click OK.
   4. Configure the $FWDIR/conf/local.arp file as described in sk30197.
   5. Install the Access Control Policy on this cluster object.
5. Select the Server type.
6. Select the Server group (the members of the group must be hosts, gateways, or OSE devices).
7. Select Use persistent server mode and select the mode that fits your environment.
8. Select a Balance method that fits your environment.
9. Click OK.
10. Install the Access Control Policy on this cluster object.

Logical Server Types

When you create the Logical server object, configure the server type as HTTP or Other. This distinction is important. ConnectControl handles the connection to the client differently for each server type.

The HTTP server type uses HTTP redirection. This type supports offsite HTTP servers and form-based applications, but only works with the HTTP protocol. An HTTP Logical server makes sure that all HTTP-connection sessions are directed to one server, which is a requirement for many Web applications. ConnectControl finds the correct physical server, behind the firewall or offsite, based on the selected load-balancing method. The session connections continue to go to that one server.

The Other server type uses NAT (address translation) to send traffic to the grouped servers. This Logical server supports all protocols (including HTTP) and gives the most effectively balanced load. It requires servers to be NATed by the gateway. ConnectControl mediates each service request and then selects the server to get that request. It uses NAT to change the destination IP address of the incoming packet. If a return connection is opened, the connection is automatically established between the server and the client. The server's source address in the packet is translated to the IP address of the Logical server. On the packet's return, the firewall translates the packet's original address to the IP address of the Logical server.

Persistent Server Mode

Persistent server mode maintains a client's connection to the server that ConnectControl first selected.

• Persistency by server is useful for HTTP applications, such as forms, in a load-balanced environment with multiple Web servers. ConnectControl directs an HTTP client to one server for all requests. This allows clients to fill forms without the data loss that occurs if different servers take the requests.
• Persistency by service is useful if you are load balancing multiple services in your server group. For example, in a redundant environment of two servers, each running HTTP and FTP, ConnectControl directs traffic from one client to the server of the correct service. This prevents heavy load on one server, which can happen with Persistency by server.

  Item	Description
  1	Multiple client requests for HTTP and FTP.
  2	Internet
  3	Security Gateway - The service requests arrive at the destination public IP address of the Logical Server, which is on the Security Gateway. The gateway directs the requests to the internal IP address of the Logical Server group.
  4	Logical Server group with two servers, each with FTP and HTTP services. ConnectControl balances the load between the servers.

Persistent Server Timeout

If you enable Persistent server mode, you can set a timeout for a client to use one server. If a server becomes unavailable, ConnectControl directs new connections to a new, available server. This bypasses the persistency and optimizes load balancing.

To set persistent server mode timeout:

1. Open Global Properties.
2. Click ConnectControl.
3. In Persistent server timeout, enter the timeout in seconds.

Load-Balancing Methods

ConnectControl distributes network traffic to load-balanced servers according to predefined balancing methods:

• Domain: Directs service requests based on domain name.

  Important - This method is not supported for Logical Servers.

• Random: Directs service requests to servers at random. The random method is a good choice when all the load-balanced servers have similar RAM and CPU and are located on the same segment.
• Round Robin: Directs service requests to the next server in the sequence. The round robin method is a good choice when all the load balanced servers have similar RAM and CPU and are on the same segment.
• Round Trip: Directs incoming requests to the server with the fastest response time. ConnectControl calculates the fastest server from average round-trip time to respond to ICMP echo requests. The round trip method is a good choice if there are large variations in the traffic load on your network or when load balancing over WAN connections.

  Important - This method is not supported for Logical Servers.

For more information, see sk31162.

Server Availability

You can configure how ConnectControl finds available servers.

To set server availability configurations:

1. Open Global Properties.
2. Click ConnectControl.
3. In Server availability check interval, enter the number of seconds between pings from the gateway to the servers.
4. In Server check retries, enter the number of attempts to contact a nonresponsive server after ConnectControl stops directing connections to it.

End to End ConnectControl

This procedure explains the steps to set up ConnectControl in your environment.

To configure ConnectControl:

1. In the SmartConsole, click Objects menu > Object Explorer (or press Ctrl+E).
2. In the Object Explorer, from the toolbar, click New > Host.

   Define the objects for the servers that will be load-balanced.

3. In the Object Explorer, from the toolbar, click New > Network Group.
   1. Name the group (for example, HTTP_Server_Group).
   2. Add the server objects to the group.

   We recommend adding no more than 29 Logical Servers to a group.

4. In the Object Explorer, from the toolbar, click New > Network Object > More > Logical Server.
5. Define the Logical server.

   Make sure the IP address you assign is a public IP address. All traffic to be load-balanced, is directed through the cluster.

6. Select the Server type:
   1. Select the server group that you defined earlier.
   2. Select Use persistent Server Mode and select the mode that fits your environment.
   3. Select a Balance Method that fits your environment.
7. Add the Load Balancing rule to the Access Control Policy Rule Base:

   Source	Destination	Services & Applications	Action
   *Any	Logical Server object	Load-balanced Services	Accept or User Auth or Client Auth

8. For applications that use HTTP redirection, add a rule to allow the server group to communicate directly with the clients:

   Source	Destination	Services & Applications	Action
   *Any	HTTP_Server_Group	http	accept

9. Click Menu > Global properties > ConnectControl.
10. Configure the Server Persistency and Server Availability settings that fit your environment.
11. Click OK.
12. Install the Access Control Policy on this cluster object.