ConnectControl - Server Load Balancing

Important - Scalable Platforms (Maestro and Chassis) do not support this feature (Known Limitation MBS-14173).

ConnectControl is a Check Point solution for balancing the traffic that passes through a Check Point Security Gateway or Cluster towards servers behind that Security Gateway or Cluster.

ConnectControl does not consume additional memory or CPU processing power on the Security Gateway or Cluster Members.
ConnectControl Packet Flow

Load-balanced servers are represented by one Virtual IP address.

In SmartConsole, you define a Logical Server object that represents a group of physical servers. The Logical Server accepts service requests for the load-balanced application and directs them to the applicable physical server.

When a client requests access to an application that is load-balanced by ConnectControl, the request goes through the Security Gateway or Cluster:

Item | Description
---|---
1 | Client request - A client starts a connection with the logical IP address of the application server (the address assigned to the Logical Server).
2 | Internet - The service request goes through the Internet.
3 | Security Gateway - The service request arrives at the destination public IP address of the Logical Server, which is on the Security Gateway. The request is matched to the Logical Server rule in the Rule Base. The Security Gateway directs the request to the internal IP address of the Logical Server group.
4 | Logical Server - ConnectControl determines which server in the Logical Server group is best for the request, based on the selected load-balancing method.

Note - Make sure that the rules that allow traffic for services to ConnectControl Logical Servers and server groups are placed before the Access Control Policy rules that allow traffic for those services.
Configuring ConnectControl

This procedure explains the steps to set up ConnectControl in your environment.

- In SmartConsole, click Objects menu > Object Explorer (or press Ctrl+E).
- Define a Host object for each of the servers that will be load-balanced.
  In the Object Explorer, from the toolbar, click New > Host.
- Define a Network Group object that contains the Host objects of all the servers that will be load-balanced.
  - In the Object Explorer, from the toolbar, click New > Network Group.
  - Name the group (for example, HTTP_Server_Group).
  - Add the Host objects for each of the servers.
    Best Practice - We recommend adding no more than 29 objects.
- Define the Logical Server object.
  - In the Object Explorer, from the toolbar, click New > Network Object > More > Logical Server.
  - In the New Logical Server window, enter a name for the ConnectControl Logical Server.
  - Enter a Virtual IP address.
    Make sure the IP address is a public IP address.
    All traffic to be load-balanced must be directed through the cluster.
    Note for a cluster environment - If the assigned IP address is on the same subnet as a Cluster Virtual IP address, you also need to configure a Manual ARP proxy entry for this IP address:
    - Click the menu icon > Global properties > NAT - Network Address Translation.
    - Select Merge manual proxy ARP configuration.
    - Click OK.
    - Configure the $FWDIR/conf/local.arp file as described in sk30197.
    - Install the Access Control Policy on this cluster object.
- Select the Server type.
  Logical Server Types - When you create the Logical Server object, configure the server type as HTTP or Other. This distinction is important, because ConnectControl handles the connection to the client differently for each server type.
  - The HTTP server type uses HTTP redirection.
    This type supports offsite HTTP servers and form-based applications, but only works with the HTTP protocol. An HTTP Logical Server makes sure that all HTTP sessions of a client are directed to one server, which is a requirement for many Web applications. ConnectControl finds the correct physical server, behind the Security Gateway or offsite, based on the selected load-balancing method. The session connections continue to go to that one server.
  - The Other server type uses NAT (address translation) to send traffic to the grouped servers.
    This Logical Server type supports all protocols (including HTTP) and gives the most effectively balanced load. It requires the servers to be NATed by the Security Gateway. ConnectControl mediates each service request and selects the server that receives it, using NAT to change the destination IP address of the incoming packet. If a return connection is opened, the connection is automatically established between the server and the client. On the packet's return, the Security Gateway translates the server's source address in the packet to the IP address of the Logical Server.
- Select the Server group.
  Select the Server Group object that you defined earlier (or define a new Server Group object).
  The members of the group must be hosts, Security Gateways, or OSE devices.
- Select the Use persistent server mode that fits your environment.
  Persistency - This setting maintains a client's connection to the server that ConnectControl first selected.
  - Persistency by server is useful for HTTP applications, such as forms, in a load-balanced environment with multiple Web servers. ConnectControl directs an HTTP client to one server for all requests. This allows clients to fill in forms without the data loss that occurs if different servers take the requests.
  - Persistency by service is useful if you are load balancing multiple services in your server group. For example, in a redundant environment of two servers, each running HTTP and FTP, ConnectControl directs traffic from one client to the server of the correct service. This prevents the heavy load on one server that can happen with Persistency by server.

  Item | Description
  ---|---
  1 | Multiple client requests for HTTP and FTP.
  2 | Internet.
  3 | Security Gateway. The service requests arrive at the destination public IP address of the Logical Server, which is on the Security Gateway. The Security Gateway directs the requests to the internal IP address of the Logical Server group.
  4 | Logical Server group with two servers, each with FTP and HTTP services. ConnectControl balances the load between the servers.
- Select the Balance method that fits your environment.
  Load Balancing Methods - ConnectControl distributes network traffic to the load-balanced servers according to one of the predefined balancing methods.
- Click OK.
- Close the Object Explorer window.
- From the left navigation panel, click Security Policies > Access Control.
- Add the Load Balancing rule to the Access Control Policy Rule Base.
- For applications that use HTTP redirection, add a rule that allows the Network Group object (that contains the load-balanced server objects) to communicate directly with the clients.
- Configure the global settings for ConnectControl.
  - At the top, click the menu icon > Global properties.
  - From the left tree, click ConnectControl.
  - Configure the settings that fit your environment:
    - Server Availability - configures how ConnectControl finds available servers.
      - Server availability check interval controls the number of seconds between pings from the Security Gateway or Cluster to the load-balanced servers.
      - Server check retries controls the number of attempts to contact a non-responsive server after ConnectControl stops directing connections to it.
    - Server Persistency - If you enabled Persistency by server, you can set a timeout for how long a client keeps using one server. If a server becomes unavailable, ConnectControl directs new connections to another available server. This bypasses the persistency and optimizes load balancing.
    - Server Load Balancing - Not supported.
  - Click OK.
- Install the Access Control Policy on this Security Gateway or Cluster object.
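The two persistency modes (by server and by service) and the global Server Persistency behaviour (timeout, and bypassing persistency when the sticky server is unavailable), as an added Python model written for this page; it is not Check Point code, since ConnectControl runs on the gateway and is configured only through SmartConsole. The two-server group, the round-robin selection used as the balancing method and the 1800-second default timeout are constructed assumptions.

```python
from itertools import cycle

# Constructed sample Logical Server group (not from the page): two servers,
# each running HTTP and FTP, as in the persistency-by-service illustration.
SERVERS = {"srv-a": {"http", "ftp"}, "srv-b": {"http", "ftp"}}


class ConnectControlModel:
    """Simplified model of an 'Other' (NAT) Logical Server: choose a server
    per request, honour persistency, and bypass it when the sticky server is
    unavailable, lacks the service, or the persistency timeout has elapsed."""

    def __init__(self, servers, mode, timeout=1800):
        assert mode in ("server", "service")
        self.servers = servers
        self.mode = mode                   # persistency by server or by service
        self.timeout = timeout             # seconds a client stays on one server
        self.available = set(servers)      # maintained by availability checks
        self.sticky = {}                   # persistency key -> (server, last_used)
        self._rr = cycle(sorted(servers))  # assumed balancing method: round robin

    def _key(self, client, service):
        # By server: one server for all of a client's requests.
        # By service: one server per (client, service) pair.
        return client if self.mode == "server" else (client, service)

    def mark_unavailable(self, server):
        self.available.discard(server)     # availability check failed

    def mark_available(self, server):
        self.available.add(server)         # server answers pings again

    def select(self, client, service, now=0):
        """Return the server that receives this request, or None if no
        available server in the group offers the service."""
        key = self._key(client, service)
        chosen, last_used = self.sticky.get(key, (None, now))
        usable = (chosen in self.available
                  and service in self.servers[chosen]
                  and now - last_used <= self.timeout)
        if not usable:
            eligible = [s for s in self.servers
                        if s in self.available and service in self.servers[s]]
            if not eligible:
                return None
            # Persistency bypassed: pick the next eligible server round robin.
            chosen = next(s for s in self._rr if s in eligible)
        self.sticky[key] = (chosen, now)
        return chosen
```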