
ConnectControl - Server Load Balancing

ConnectControl is a Check Point solution for balancing the traffic that passes through Check Point Security Gateway or Cluster towards servers behind the Check Point Security Gateway or Cluster. ConnectControl does not consume more memory or CPU processing power on Security Gateway or Cluster Members.

ConnectControl Packet Flow

Load-balanced servers are represented by one virtual IP address. Define a Logical server, a network object that represents a group of physical servers. The Logical server takes service requests for the load-balanced application and directs the requests to the applicable physical server.

ConnectControl

When a client requests access to an application that is load balanced by ConnectControl, the request goes through the Security Gateway.

  1. Client request - A client starts a connection with the logical IP address of the application server (the address assigned to the Logical server).
  2. Internet - The service request goes through the Internet.
  3. Security Gateway - The service request arrives at the destination public IP address of the Logical Server, which is on the Security Gateway. The request is matched to the Logical Server rule in the Rule Base. The gateway directs the request to the internal IP address of the Logical Server group.
  4. Logical Server - ConnectControl determines which server in the Logical Server group is best for the request, based on the selected load-balancing method.

Note - Make sure that the rules that allow traffic for services to ConnectControl Logical Servers and their server groups are placed before the Access Control Policy rules that allow traffic for those services.

Defining a Logical Server

To define a Logical Server:

  1. In the SmartConsole, click Objects menu > Object Explorer (or press Ctrl+E).
  2. From the toolbar, click New > Network Object > More > Logical Server.
  3. In the New Logical Server window, enter a name for the ConnectControl Logical server.
  4. Enter a virtual IP address.

    Make sure the IP address is a public IP address. All traffic to be load-balanced must be directed through the cluster.

    In cluster setups, if the assigned IP address is on the same subnet as a cluster virtual IP address, you also need to configure a Manual ARP proxy entry for this IP address.

    1. Click Menu > Global properties > NAT - Network Address Translation.
    2. Select Merge manual proxy ARP configuration.
    3. Click OK.
    4. Configure the $FWDIR/conf/local.arp file as described in sk30197.
    5. Install the Access Control Policy on this cluster object.
  5. Select the Server type.
  6. Select the Server group (the members of the group must be hosts, gateways, or OSE devices).
  7. Select Use persistent server mode and select the mode that fits your environment.
  8. Select a Balance method that fits your environment.
  9. Click OK.
  10. Install the Access Control Policy on this cluster object.

Logical Server Types

When you create the Logical server object, configure the server type as HTTP or Other. This distinction is important. ConnectControl handles the connection to the client differently for each server type.

The HTTP server type uses HTTP redirection. This type supports offsite HTTP servers and form-based applications, but only works with the HTTP protocol. An HTTP Logical server makes sure that all HTTP-connection sessions are directed to one server, which is a requirement for many Web applications. ConnectControl finds the correct physical server, behind the firewall or offsite, based on the selected load-balancing method. The session connections continue to go to that one server.

The Other server type uses NAT (address translation) to send traffic to the grouped servers. This Logical server supports all protocols (including HTTP) and gives the most effective load balancing. It requires the servers to be NATed by the gateway. ConnectControl mediates each service request and then selects the server that receives it, using NAT to change the destination IP address of the incoming packet. If a return connection is opened, the connection is automatically established between the server and the client. On the return path, the firewall translates the server's source address in the packet to the IP address of the Logical server, so the client only ever sees the Logical server address.

Persistent Server Mode

Persistent server mode maintains a client's connection to the server that ConnectControl first selected.

Persistent Server Timeout

If you enable Persistent server mode, you can set a timeout for a client to use one server. If a server becomes unavailable, ConnectControl directs new connections to a new, available server. This bypasses the persistency and optimizes load balancing.

To set persistent server mode timeout:

  1. Open Global Properties.
  2. Click ConnectControl.
  3. In Persistent server timeout, enter the timeout in seconds.

Load-Balancing Methods

ConnectControl distributes network traffic to load-balanced servers according to predefined balancing methods. For more information, see sk31162.

Server Availability

You can configure how ConnectControl finds available servers.

To set server availability configurations:

  1. Open Global Properties.
  2. Click ConnectControl.
  3. In Server availability check interval, enter the number of seconds between pings from the gateway to the servers.
  4. In Server check retries, enter the number of attempts to contact a nonresponsive server after ConnectControl stops directing connections to it.
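The behaviours described in the Logical Server Types, Persistent Server Mode and Server Availability sections can be put together in a small simulation: one virtual IP in front of a server group, NAT ("Other" type) or HTTP redirection ("HTTP" type) to the chosen physical server, a persistency table with a timeout that is bypassed when the chosen server goes away, and availability probes with a retry budget. The following Python model is an added example and is not Check Point code; the round-robin selection, the class and attribute names, and the exact retry semantics are assumptions, and all addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class PhysicalServer:
    ip: str
    available: bool = True      # currently receiving new connections
    failed_checks: int = 0      # consecutive failed availability probes
    probing: bool = True        # False once the retry budget is exhausted


@dataclass
class LogicalServer:
    vip: str                        # virtual (public) IP the clients connect to
    group: List[PhysicalServer]     # the server group behind the Logical Server
    server_type: str = "Other"      # "Other" = NAT, "HTTP" = HTTP redirection
    persistent: bool = True         # persistent server mode
    persist_timeout: int = 1800     # persistent server timeout, seconds
    check_retries: int = 3          # attempts after a server stops responding
    _rr: int = 0
    _sticky: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def _select(self, client_ip: str, now: float) -> Optional[PhysicalServer]:
        live = [s for s in self.group if s.available]
        if not live:
            return None
        if self.persistent and client_ip in self._sticky:
            ip, stamp = self._sticky[client_ip]
            sticky = next((s for s in live if s.ip == ip), None)
            # Persistency holds only while the timeout has not elapsed and the
            # previously chosen server is still available; otherwise bypass it.
            if sticky is not None and now - stamp < self.persist_timeout:
                return sticky
        chosen = live[self._rr % len(live)]   # round robin (assumed method)
        self._rr += 1
        if self.persistent:
            self._sticky[client_ip] = (chosen.ip, now)
        return chosen

    def handle(self, pkt: Packet, now: float):
        """Process a client packet that arrived at the gateway."""
        if pkt.dst != self.vip:
            return ("pass", pkt)            # not addressed to this Logical Server
        srv = self._select(pkt.src, now)
        if srv is None:
            return ("drop", None)           # no server in the group is available
        if self.server_type == "HTTP":
            # HTTP type: the client is redirected and keeps talking to that server.
            return ("redirect", f"http://{srv.ip}:{pkt.dport}/")
        # Other type: rewrite the destination so the gateway NATs the flow.
        return ("nat", Packet(pkt.src, srv.ip, pkt.dport))

    def translate_reply(self, reply: Packet) -> Packet:
        """Return traffic: the physical server's source address becomes the VIP."""
        if any(reply.src == s.ip for s in self.group):
            return Packet(self.vip, reply.dst, reply.dport)
        return reply

    def availability_check(self, probe: Callable[[str], bool]) -> None:
        """One round of probes (run once per 'check interval').

        A server that fails a probe stops receiving new connections at once and
        is probed up to check_retries more times; a success puts it back in
        rotation, otherwise probing stops (model assumption)."""
        for s in self.group:
            if not s.probing:
                continue
            if probe(s.ip):
                s.available, s.failed_checks = True, 0
            else:
                s.available = False
                s.failed_checks += 1
                if s.failed_checks > self.check_retries:
                    s.probing = False


def demo() -> dict:
    """Constructed scenario: two servers behind a NAT-type Logical Server."""
    group = [PhysicalServer("10.1.1.11"), PhysicalServer("10.1.1.12")]
    ls = LogicalServer(vip="203.0.113.10", group=group, persist_timeout=60)
    c1, c2, vip = "198.51.100.5", "198.51.100.6", ls.vip
    out = {}
    out["first"] = ls.handle(Packet(c1, vip, 443), now=0)          # -> 10.1.1.11
    out["sticky"] = ls.handle(Packet(c1, vip, 443), now=30)        # same server
    out["other_client"] = ls.handle(Packet(c2, vip, 443), now=31)  # -> 10.1.1.12
    ls.availability_check(lambda ip: ip != "10.1.1.11")            # .11 stops answering
    out["failover"] = ls.handle(Packet(c1, vip, 443), now=40)      # persistency bypassed
    out["reply"] = ls.translate_reply(Packet("10.1.1.12", c1, 443))
    http = LogicalServer(vip="203.0.113.20", group=[PhysicalServer("10.1.1.21")],
                         server_type="HTTP")
    out["redirect"] = http.handle(Packet(c2, "203.0.113.20", 80), now=0)
    return out


def retry_demo() -> Tuple[bool, int]:
    """A server that never answers: probing stops after the retry budget."""
    srv = PhysicalServer("10.1.1.31")
    ls = LogicalServer(vip="203.0.113.30", group=[srv], check_retries=3)
    for _ in range(6):
        ls.availability_check(lambda ip: False)
    return srv.probing, srv.failed_checks
```

The `failover` step is the point of the Persistent Server Timeout section: the client had been pinned to 10.1.1.11, but once that server fails its availability probe the persistency entry is ignored and the next connection is balanced onto 10.1.1.12; the reply path shows why the Other type needs the servers NATed, since the client must see the VIP, not the physical server, as the source.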

End to End ConnectControl

This procedure explains the steps to set up ConnectControl in your environment.

To configure ConnectControl:

  1. In the SmartConsole, click Objects menu > Object Explorer (or press Ctrl+E).
  2. In the Object Explorer, from the toolbar, click New > Host.

    Define the objects for the servers that will be load-balanced.

  3. In the Object Explorer, from the toolbar, click New > Network Group.
    1. Name the group (for example, HTTP_Server_Group).
    2. Add the server objects to the group.

    We recommend adding no more than 29 Logical Servers to a group.

  4. In the Object Explorer, from the toolbar, click New > Network Object > More > Logical Server.
  5. Define the Logical server.

    Make sure the IP address you assign is a public IP address. All traffic to be load-balanced is directed through the cluster.

  6. Select the Server type:
    1. Select the server group that you defined earlier.
    2. Select Use persistent Server Mode and select the mode that fits your environment.
    3. Select a Balance Method that fits your environment.
  7. Add the Load Balancing rule to the Access Control Policy Rule Base:

    Source: *Any
    Destination: Logical Server object
    Services & Applications: Load-balanced Services
    Action: Accept, User Auth, or Client Auth

  8. For applications that use HTTP redirection, add a rule to allow the server group to communicate directly with the clients:

    Source: *Any
    Destination: HTTP_Server_Group
    Services & Applications: http
    Action: accept

  9. Click Menu > Global properties > ConnectControl.
  10. Configure the Server Persistency and Server Availability settings that fit your environment.
  11. Click OK.
  12. Install the Access Control Policy on this cluster object.