ConnectControl - Server Load Balancing

Important - Scalable Platforms (Maestro and Chassis) do not support this feature (Known Limitation MBS-14173).

ConnectControl is a Check Point solution for balancing the traffic that passes through Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. or ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. towards servers behind the Check Point Security Gateway or Cluster.

ConnectControl does not consume more memory or CPU processing power on Security Gateway or Cluster Members.

ConnectControl Packet Flow

Load-balanced servers are represented by one Virtual IP address.

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., you define a Logical Server object that represents a group of physical servers.

The Logical Server takes service requests for the load-balanced application and directs the requests to the applicable physical server.

When a client requests access to an application that is load balanced by ConnectControl, the request goes through the Security Gateway or Cluster.

Item

Description

1

Client request - A client starts a connection with the logical IP address of the application server (the address assigned to the Logical server).

2

Internet - The service request goes through the Internet.

3

Security Gateway - The service request arrives at the destination public IP address of the Logical Server, which is on the Security Gateway. The request is matched to the Logical Server ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. in the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase.. The Security Gateway directs the request to the internal IP address of the Logical Server group.

4

Logical Server - ConnectControl determines which server in the Logical Server group is best for the request, based on the selected load-balancing method.

Note - Make sure that rules that allow traffic for services to ConnectControl Logical Servers and that server groups are before Access Control Policy rules that allow traffic for those services.

Configuring ConnectControl

This procedure explains the steps to set up ConnectControl in your environment.

  1. In the SmartConsole, click Objects menu > Object Explorer (or press Ctrl+E).

  2. Define a Host object for each of the servers that will be load-balanced.

    In the Object Explorer, from the toolbar, click New > Host.

  3. Define a Network Group object to contain all Host objects for each of the servers that will be load-balanced.

    In the Object Explorer, from the toolbar, click New > Network Group.

    1. Name the group (for example, HTTP_Server_Group).

    2. Add the Host objects for each of the servers.

    Best Practice - We recommend adding no more than 29 objects.

  4. Define the Logical Server object.

    1. In the Object Explorer, from the toolbar, click New > Network Object > More > Logical Server.

    2. In the New Logical Server window, enter a name for the ConnectControl Logical Server.

    3. Enter a Virtual IP address.

      Make sure the IP address is a public IP address.

      All traffic to be load-balanced, must be directed through the cluster.

      If the assigned IP address is on the same subnet as a Cluster Virtual IP address, you also need to configure a Manual ARP proxy entry for this IP address.

      1. Click Menu >Global properties > NAT - Network Address Translation.

      2. Select Merge manual proxy ARP configuration.

      3. Click OK.

      4. Configure the $FWDIR/conf/local.arp file as described in sk30197.

      5. Install the Access Control Policy on this cluster object.

    4. Select the Server type.

      When you create the Logical server object, configure the server type as HTTP or Other. This distinction is important. ConnectControl handles the connection to the client differently for each server type.

      • The HTTP server type uses HTTP redirection.

        This type supports offsite HTTP servers and form-based applications, but only works with the HTTP protocol. An HTTP Logical server makes sure that all HTTP-connection sessions are directed to one server, which is a requirement for many Web applications. ConnectControl finds the correct physical server, behind the Security Gateway or offsite, based on the selected load-balancing method. The session connections continue to go to that one server.

      • The Other server type uses NAT (address translation) to send traffic to the grouped servers.

        This Logical server supports all protocols (including HTTP) and gives the most effectively balanced load. It requires servers to be NATed by the Security Gateway. ConnectControl mediates each service request and then selects the server to get that request. It uses NAT to change the destination IP address of the incoming packet. If a return connection is opened, the connection is automatically established between the server and the client. The server's source address in the packet is translated to the IP address of the Logical server. On the packet's return, the Security Gateway translates the packet's original address to the IP address of the Logical server.

    5. Select the Server group.

      Select the Server Group object that you defined earlier (or define a new Server Group object).

      The members of the group must be hosts, Security Gateways, or OSE devices.

    6. Select Use persistent server mode that fits your environment.

      This setting maintains a client's connection to the server that ConnectControl first selected.

      • Persistency by server is useful for HTTP applications, such as forms, in a load-balanced environment with multiple Web servers. ConnectControl directs an HTTP client to one server for all requests. This allows clients to fill forms without the data loss that occurs if different servers take the requests.

      • Persistency by service is useful if you are load balancing multiple services in your server group. For example, in a redundant environment of two servers, each running HTTP and FTP, ConnectControl directs traffic from one client to the server of the correct service. This prevents heavy load on one server, which can happen with Persistency by server.

      Item

      Description

      1

      Multiple client requests for HTTP and FTP.

      2

      Internet.

      3

      Security Gateway.

      The service requests arrive at the destination public IP address of the Logical Server, which is on the Security Gateway.

      The Security Gateway directs the requests to the internal IP address of the Logical Server group.

      4

      Logical Server group with two servers, each with FTP and HTTP services.

      ConnectControl balances the load between the servers.

    7. Select a Balance method that fits your environment.

      ConnectControl distributes network traffic to load-balanced servers according to one of these predefined balancing methods:

      Method

      Description

      Random

      The Security Gateway directs service requests to servers at random.

      This method is a good choice when all the load-balanced servers have similar RAM and CPU and are located on the same segment.

      Server load

      The Security Gateway determines which server is best equipped to handle the new connection.

      Round Robin

      The Security Gateway directs service requests to the next server in the sequence.

      This method is a good choice when all the load balanced servers have similar RAM and CPU and are on the same segment.

      Round Trip

      Not supported.

      Domain

      Not supported.

    8. Click OK.

  5. Close the Object Explorer window.

  6. From the left navigation panel, click Security Policies and click Access Control.

  7. Add the Load Balancing rule to the Access Control Policy Rule Base:

    Source

    Destination

    Services & Applications

    Action

    *Any

    Logical Server object

    Load-balanced Services

    Accept
    or
    User Auth
    or
    Client Auth

  8. For applications that use HTTP redirection, add a rule to allow the Network Group object (that contains load-balanced server objects) to communicate directly with the clients:

    Source

    Destination

    Services & Applications

    Action

    *Any

    Network Group object

    http

    Accept

  9. Configure global settings for ConnectControl.

    1. At the top, click Menu > Global properties.

    2. From the left tree, click ConnectControl.

    3. Configure the settings that fit your environment:

      • Server Availability

        This configures how ConnectControl finds available servers.

        • The Server availability check interval control the number of seconds between pings from the Security Gateway or Cluster to the load-balanced servers.

        • The Server check retries controls the number of attempts to contact a non-responsive server after ConnectControl stops directing connections to it.

      • Server Persistency

        If you enabled Persistency by server, you can set a timeout for a client to use one server. If a server becomes unavailable, ConnectControl directs new connections to a new, available server. This bypasses the persistency and optimizes load balancing.

      • Server Load Balancing

        Not supported.

    4. Click OK.

  10. Install the Access Control Policy on this Security Gateway or Cluster object.