REVIEW                                                         Load Balancing

Load Balancers from KEMP

Beam Balance

Jörg Riether

Availability and load distribution play an important role with regard to data flows in the Internet and distributed applications. The load balancers from KEMP show the extent to which these can be realized using easy-to-operate appliances.

Professional hardware-based load balancers are now a „must“ in large hosted Web environments. Appliances of this kind are also often used whenever it is necessary to cope with the extremely high-volume DNS or SMTP data traffic which can occur with providers or in large companies.

Even within the networks of medium-sized companies, however, a type of load distribution with a range of functions which goes beyond the simple DNS round robin or the load distribution mechanisms of operating systems is required. This is because the integrated load balancing methods can cause problems, as Exchange MVP Frank Carius describes on his Exchange FAQ page [c].

Avoiding the single point of failure

If you want high availability in addition to load distribution, you will soon realize that one device alone is not enough. There is too great a danger that the load balancer of all things will pack up on you and inadvertently become the single point of failure (SPOF). The answer is either to resort to a high-availability (HA) product or at least to purchase a device which can subsequently be expanded to form a high-availability system. At the same time, it is important for the load balancer used to include mechanisms which are able to monitor the published servers. These methods should go far beyond simple ICMP tests and should ideally reach up to the application layer (OSI layer 7). This is because there is a distinct possibility that a web application has just stopped working while the server continues to answer via ICMP.

Reprint iX 3/2012                                                                                                             1
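The difference between an ICMP or TCP reachability test and an application-layer check is easy to see in code. The following added example (not from the review or from KEMP) starts two constructed local HTTP backends, one healthy and one whose application answers 503, plus a port nobody listens on, and probes each with a TCP connect and with an HTTP status check; the /health path and the expected status 200 are assumptions.

```python
"""Application-layer health check versus mere reachability.

Added example, not part of the original review or of KEMP's firmware. It
shows why a Layer 7 probe (an HTTP request that must return a given status)
catches a dead application that a ping or a TCP connect would still report
as healthy. Two constructed local backends stand in for published servers:
one answers 200, the other accepts connections but returns 503.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def _make_handler(status):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"ok" if status == 200 else b"no"
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_backend(status):
    """Start a constructed backend on 127.0.0.1 with an ephemeral port."""
    srv = HTTPServer(("127.0.0.1", 0), _make_handler(status))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _free_port():
    """Pick a port that nothing listens on (the 'server down' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tcp_reachable(host, port, timeout=1.0):
    """Layer 4 view: does the server accept a TCP connection at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_healthy(host, port, path="/health", expect=200, timeout=1.0):
    """Layer 7 view: the application itself must answer with the expected status."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        return resp.status == expect
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def probe_all(backends):
    """Return {name: (tcp_reachable, http_healthy)} for each (name, host, port)."""
    return {name: (tcp_reachable(h, p), http_healthy(h, p)) for name, h, p in backends}


def demo():
    good, good_port = start_backend(200)
    broken, broken_port = start_backend(503)
    dead_port = _free_port()
    try:
        return probe_all([("good", "127.0.0.1", good_port),
                          ("broken-app", "127.0.0.1", broken_port),
                          ("down", "127.0.0.1", dead_port)])
    finally:
        good.shutdown()
        broken.shutdown()


if __name__ == "__main__":
    for name, (reach, healthy) in demo().items():
        print(f"{name:11s} tcp_reachable={reach!s:5s} http_healthy={healthy}")
```

The "broken-app" backend is the case the review warns about: the connect test passes, only the HTTP check notices that the application is gone.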

Initial setup: the two green squares at the top next to the time indicate that both units function in an HA network (Fig. 1).

This is why a good load balancer should be able to understand and read protocols like HTTP(S), SMTP, RDP or DNS. Also, a device of this kind has to have technologies at its disposal which guarantee that a client is able to communicate with the same publicly accessible server again and again. The latter can be extremely important in commercial web systems, terminal server farms or Exchange networks in particular, in order to ensure that the user finds the environment he exited beforehand – this is known as affinity, session persistence or stickiness.

Configurable via the web interface

LoadMaster is the name of a series of professional load balancers manufactured by the KEMP company, which offers them in various hardware versions and as virtual appliances. An LM-2200 in the HA version was provided for testing.

The unit is easy to take into operation – a monitor and a USB keyboard can be directly connected to it. Once you have specified the IP address of the unit as well as a virtual, higher-level HA IP address and then chosen a password, the load distributor can be accessed for further configuration via its web interface over HTTPS.

It is even easier still to set up the second unit for the HA network – all you need is the IP configuration matching the master and a password. After that the unit fetches the configuration from there. The „second“ unit then works as a hot standby. If the master fails or a restart is carried out, the hot standby unit immediately assumes the role of the master and publishes the common virtual IP address. Once the previous master is accessible again, it serves as the hot standby.

The KEMP systems include several load distribution methods. If the connected servers have approximately comparable system resources and an equivalent connection, the „round robin“ method is a good choice. Here all incoming requests are sent to a virtual IP address previously established on the LoadMaster. The latter then distributes the requests evenly over all servers located behind it. No special weighting takes place.

In contrast, if you don't want to do without a round robin algorithm but still want to carry out weighting, you can use the „weighted round robin“. Here you can give any published server a weighting which is subsequently complied with in distribution. For example, if you've got two web servers, one of which is designed to be about twice as strong as the other, you can assign twice as high a weight to the stronger one. The round robin then only distributes every third request to the weaker server.

Both round robin techniques have a tiny catch, however: they do not take sessions kept up for longer periods into account. The „least connection“ method can be put to use at this point. This explicitly monitors the actual number of connections and tries to distribute them evenly between the published servers. If the strength of the servers differs greatly, as in the previous example, a weighted variant is available here too – KEMP calls it „weighted least connection“.

Agents adapt

One special method uses a technique which the manufacturer terms „agent-based adaptive balancing“. At regular intervals, LoadMaster fetches ASCII files from the published servers, which have entered their own up-to-date load data there beforehand. This allows the LoadMaster to make realistic, sensible decisions with regard to load distribution. For Windows systems, KEMP provides a special client on its homepage and supplies an example of code for Linux systems in section „P“ of the documentation.
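The scheduling methods described in this review, as an added simulation that is not code from the review or from KEMP: round robin, weighted round robin, (weighted) least connection, and the fixed weighted failover variant the review also describes, run over constructed servers with made-up names, weights and fallback URL.

```python
"""Load distribution methods from the review as a constructed simulation:
round robin, weighted round robin, (weighted) least connection and fixed
weighted with failover. Added example, not KEMP's code; server names,
weights and the fallback URL are made up."""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    weight: int = 1        # relative strength used by the weighted methods
    healthy: bool = True   # outcome of the health check
    active: int = 0        # connections currently open on this server


def _healthy(servers):
    return [s for s in servers if s.healthy]


class RoundRobin:
    """Every request goes to the next healthy server in turn; no weighting."""
    def __init__(self, servers):
        self.servers, self.i = servers, 0

    def pick(self):
        healthy = _healthy(self.servers)
        if not healthy:
            return None
        s = healthy[self.i % len(healthy)]
        self.i += 1
        return s


class WeightedRoundRobin(RoundRobin):
    """Round robin over a slot list that repeats each server `weight` times:
    with weights 2:1 the weaker server sees every third request."""
    def pick(self):
        slots = [s for s in _healthy(self.servers) for _ in range(s.weight)]
        if not slots:
            return None
        s = slots[self.i % len(slots)]
        self.i += 1
        return s


class LeastConnection:
    """Fewest open connections wins; weighted: fewest per unit of weight."""
    def __init__(self, servers, weighted=False):
        self.servers, self.weighted = servers, weighted

    def pick(self):
        healthy = _healthy(self.servers)
        if not healthy:
            return None
        if self.weighted:
            return min(healthy, key=lambda s: s.active / s.weight)
        return min(healthy, key=lambda s: s.active)


class FixedWeighted:
    """Availability only: always the healthy server with the highest weight;
    None means every server failed and the caller diverts to fallback_url."""
    def __init__(self, servers, fallback_url):
        self.servers, self.fallback_url = servers, fallback_url

    def pick(self):
        healthy = _healthy(self.servers)
        return max(healthy, key=lambda s: s.weight) if healthy else None


def simulate(scheduler, requests, hold=()):
    """Dispatch `requests` requests and return the chosen server names.
    Request numbers in `hold` keep their connection open (long sessions),
    which only the least connection method notices."""
    names = []
    for n in range(requests):
        s = scheduler.pick()
        names.append(s.name if s else None)
        if s is not None and n in hold:
            s.active += 1
    return names


def demo():
    results = {}
    strong, weak = Server("web1", weight=2), Server("web2", weight=1)
    results["round_robin"] = simulate(RoundRobin([strong, weak]), 6)
    results["weighted_round_robin"] = simulate(WeightedRoundRobin([strong, weak]), 6)
    # three long-lived sessions: the later requests land on the emptier server
    results["least_connection"] = simulate(
        LeastConnection([Server("web1"), Server("web2")]), 5, hold={0, 1, 2})
    a, b = Server("A", weight=10), Server("B", weight=5)
    fixed = FixedWeighted([a, b], "https://maintenance.example/")
    first = simulate(fixed, 2)
    a.healthy = False                       # A fails: B takes over
    results["fixed_weighted"] = first + simulate(fixed, 2)
    b.healthy = False                       # everything failed: divert
    results["all_failed"] = fixed.pick() or fixed.fallback_url
    return results


if __name__ == "__main__":
    for method, sequence in demo().items():
        print(f"{method:21s} {sequence}")
```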
x-TRACT

- Load balancers like the units from KEMP can increase performance and reduce costs, especially in the case of large server farms.
- Virtual machines for devices of this kind are not a secret any more.
- The volume of functions designed for configuring the network and the identities has increased, in particular as a result of cloud computing.

There may well be scenarios in which the focus is on availability only. „Fixed weighted“ is available for this purpose. Here, as with the other load distribution methods, the administrator is able to publish multiple servers under a virtual IP address. The difference is that each is given a fixed weighting. For example, if two servers have been published and server A has a higher weighting than server B, all queries go to A only. The LM only hands the queries on to the server with the lower weighting if A fails. If all servers in the surrounding area fail, the unit allows the queries to be diverted to an alternative URL.

It has to stay close by

The affinity is just as important as the actual load distribution in present-day load balancers. Just imagine a relatively large web shop system consisting of numerous servers which cannot synchronize their shopping baskets, accounting data and in particular authentications without a time delay. In a large number of cases, it is vital that user A stays at server A after logging in there and does not automatically land on a different server after a certain time.

KEMP's LoadMaster series can handle Layer 4 as well as Layer 7 affinity. In the first case, however, you are very restricted when the aim is to establish an efficient affinity. Only the source IP address of the clients making the query is then available to remember the path embarked upon previously. Also, there are two stumbling blocks behind all this: all systems which make access via a NAT gateway are seen under the same IP address by the load balancer. On the other hand, it can be that the IP address of a client changes.

Seeking for clues

The methods available on Layer 7 level seem more promising – KEMP for example calls them Super HTTP in the HTTP/S field. This means that the system tries to generate an unambiguous fingerprint of the client making the query. For this purpose it uses the User-Agent field as well as trying to use the Authorization header of the client if there is one. The load balancer remembers the combination and hands on new queries coming from the client to the same published server.

In addition, the unit has a whole range of other methods at its disposal. For example, you can instruct it to remember the URL or the host header opened and then hand any identical calls on like the first. Also, the LoadMaster can examine the query string of a URL to find the query item. It then hands on queries with the identical query item to the same server as before. Finally, the „selected header“ method allows the manual specification of a header name whose value is used for the affinity by the unit. And then there is „content switching“. This allows the person in charge of the system to carry out a URL-based split between entire backend groups.

This is the time when a few old hands in the field of load balancers will start to ask about the cookie affinities – if they haven't already done so. Indeed, this feature was missing from the current GUI although it was still included in the first versions of the 5.1 firmware. When asked, KEMP explained that it could be activated at no additional cost, so it is now apparently concealed in the firmware. Perhaps the manufacturer is trying to find out if the users of today still want to use cookies to ensure the affinity – whether this makes sense or not is a moot point.

The developers have also implemented a port following: for example, if a customer makes a purchase in a web shop and then goes to the checkout, the system hopefully redirects him to an SSL page immediately and not later. For each port following, the LoadMaster remembers the redirection and uses SSL to send the customer on to precisely the server on which he made his choice beforehand.

The last examples and methods work if the load balancer is in a position to read any HTTP traffic which may occur. But what happens if someone asks for SSL encryption? Of course, it would be no problem at all to just hand the encrypted data stream on without touching it – but then the Layer 7 tests and methods would be all for nothing. The systems from KEMP offer several ways out here. It is possible to terminate SSL connections at the load balancer, which reads the decrypted data and then hands it on newly encrypted. The affinity algorithms of the firmware can then take effect and do their job as desired.

Rating
+ numerous enterprise features
+ prompt support by the manufacturer
+ trivial operation and monitoring
- cookie affinity on request only

Exemplary: publication of an Exchange 2010 CAS array consisting of two servers (Fig. 2).

Golden yellow: the colour of the LM2200 is more conspicuous than the interfaces. Thanks to USB and VGA, the appliance is easy to configure (Fig. 3).

Secure Socket Layer ideas

If you want to take load away from published servers at the same time, it seems natural to terminate the SSL at the load balancer and hand it on to the internal servers in unencrypted form via port 80. SSL calculations of any kind are thus completely eliminated on the published servers. In order to implement the methods, the LoadMaster requires the necessary certificates, and these can be imported via the GUI. In parallel, you can cause certificates signed by the LM itself to be issued. In a publicly accessible Web environment, however, certificates of this kind should be out of the question.

With the exception of the LM-2200, all larger siblings from KEMP have an SSL hardware accelerator which can carry out all calculations necessary for this. The load on the main system, which provides the actual load balancing, remains completely unaffected by this. According to KEMP, all other functions of the system can run on unimpaired, even at a theoretical maximum load of the SSL accelerator.

Publication of servers

It is extremely easy to publish back-end servers of any kind. First you create a virtual server via the GUI, give it an IP address in addition to a port or wildcard and then define TCP or UDP as the protocol. Once you have configured load balancing and affinity parameters, you can set up the backend servers to be published and in particular select the type of forwarding. This is quite complex – after all, it is not possible to control everything via a simple destination NAT.

In normal cases, the load balancer accepts a query from a client and hands it on to the target server via destination NAT, so the address of the sender remains unchanged. This gives rise to difficulties, however, for the answer from the server now has to go back through the load balancer in order to cancel the NAT again.

The problem becomes much clearer if you look at the process from the other side: if the published backend server sends the response via its gateway without including the load balancer, it is delivered to the client, but he has to reject it as the address of the sender is that of the real published server and not that of the load balancer.

A common approach to solving this problem is to enter the load balancer at the target server as the default gateway. However, this soon comes up against its limits when clients reside in the same subnetwork as the published server system. This is because the backend server involved then does not use the LoadMaster as a gateway. It would be ideal to push the backend servers or the clients into a different subnetwork. Perhaps you don't want to do this or are not able to in your environment, so you will need to use a few tricks in special cases of this kind.

Box of tricks

First there is the so-called non-transparent load balancing which KEMP's LoadMaster is able to provide for Layer 7 publications. It additionally activates a source NAT. From the viewpoint of the target system, therefore, the query comes from the LM and not from the actual client, so the response automatically goes back to the KEMP system.

However, there are special backend systems which get confused when tricks of this kind are used. In many cases, you want to be able to see the real browser IP in the log of your Web server. You can do this by using a simple trick: the load balancer inserts an additional HTTP header and you configure the Web server to include the header in its log. Unfortunately, there are even more complex situations: an Exchange CAS array for example cannot use SNAT to transparently authenticate an internal client via NTLM (NT LAN Manager), so it has to ask you to enter the login information again, and that should be avoided at all costs. This is why transparent methods are always the first choice in cases such as these, in order that the backend server really assumes that the query is coming directly from the client and not from the LM, for example.

If you don't want to make any changes to your network structure and you don't want to move certain systems to a different subnetwork, you can use a method which KEMP describes as „direct server return“ (DSR) – this is generally known under the term „flat-based server load balancing“. The published backend server is given a separate network interface with the same IP as the LoadMaster. The latter does not carry out NAT on IP level any more – it hands the entire query on to the desired backend server instead. However, it modifies the MAC address of the Ethernet frames in such a way that it replaces the MAC address of the LM by that of the target server (MAC Address Translation, MAT).

Address Resolution Protocol magic

From this point on, all those in charge of IT have good reason to be alarmed, for the target server has to have the same IP address as the load balancer – two identical IP addresses in the same network. How do you get the target server to accept queries sent to this IP address, but on no account respond to any ARP queries which may be sent to it? The secret is to use a loopback adapter which you have to install on the target server and which then responds to the IP address of the load balancer. At the same time, the loopback adapter is not permitted to give out any ARP responses. In the LoadMaster documentation, the authors have described the method in detail for Windows as well as Linux systems.

There is one side-effect with DSR: it relieves the load on the load balancer considerably, for all responses coming from the server return directly to the client. With this method, therefore, the load distributor must not be configured as the standard gateway of the server, and the network administrator does not need to change his established network in any way, even if it has active routes. For this to work, however, DSR is only possible for Layer 4 publications, and the possibilities of Layer 7 load balancing are not available.

Some more specialities

For checking services on the published servers, the system from KEMP can handle the SMTP, DNS, HTTP/S, IMAP, POP3, NNTP, Telnet and RDP protocols. In the case of publications via HTTP/S, caching and compression can also be activated on request.

Even in the case of numerous services which are published in a completely transparent way, such as SMTP clusters, you could be excused for wanting a limitation of the accesses at the load balancer itself, for example in order to implement an upstream relay protection. Also, perhaps you do not want to (or are not able to) publish certain services transparently. Since Firmware Version 6, the KEMP load balancers can handle configurable black lists and white lists for each system published, and this makes it easier to get round obstacles of this kind.

The LM-2200 has four Gigabit network interfaces. These can be selected optionally and individually: as a dedicated HA link and as a simple failover trunk or LACP network. VLAN trunking is also possible. In addition, you can link an interface to a certain published server, allowing complex network topologies to be realized. Firmware 6 brought the support for IPv6 into the portfolio – only DSR is not available via IPv6.

All systems from KEMP have an integrated intrusion detection based on SNORT which you can optionally activate for published servers via HTTP(S). SNORT rule sets can be imported manually, and for each virtual service you can also choose between a DROP action or a REJECT action in the case of a hit. This can be indicated in the system log, and you can ask to be informed of it by e-mail. The system administrator can send any e-mail messages, differentiated throughout the whole system for different warning levels, to one defined group of recipients per warning level.

The Firmware 6.0.23 newly published in January had a small bug: it was not possible to edit published multi-port servers afterwards. A message from the customer to the manufacturer was answered less than two hours later by the remark that this is indeed a bug and that a patch would very probably be developed on the same day. The patch arrived in the course of the day and eliminated the error.

Specifications and Prices

LoadMaster LM2200
Equipment: redundant appliance with four GBE ports and connections for 2 x USB, VGA and Ethernet (service); SD; 180 W power supply with on/off switch; 1U; firmware for dynamic load distribution
Manufacturer: KEMP
Price: 1890 Euro each

Mousy grey: in the 1U housing, one PCIe slot is still free under the sheet metal on the inside (Fig. 4).

Conclusion

The KEMP LoadMaster is worth looking into, even just for its numerous features, some of which are often only to be found in the high-end range. It is also quite good value for money. Web interface operation is trivial and reacts promptly. Good support by the manufacturer and a much-frequented and well-maintained forum round off the positive overall picture. It is to be hoped that the cookie affinity is officially included again in future. (rh)
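The affinity methods from „Seeking for clues“ (source IP, Super HTTP, URL, host header, query item, selected header) and the header trick from „Box of tricks“, as one added worked example that is not code from the review or from KEMP. It models how a balancer derives the value it remembers per method, why Layer 4 affinity collides for users behind one NAT gateway, and how a web server should recover the real client address from the inserted header only when the request came in through the balancer; the header name X-Forwarded-For, the balancer's SNAT address 10.0.0.5 and the two requests are constructed assumptions.

```python
"""Affinity keys per method and trusted recovery of the client address.

Added example, not KEMP's code. Header name X-Forwarded-For, the SNAT
address 10.0.0.5 and the sample requests are constructed assumptions.
"""
import hashlib
from urllib.parse import parse_qs, urlsplit


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: returns (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def affinity_key(mode, src_ip, target, headers, param=None, header=None):
    """The value the balancer remembers for the chosen affinity method."""
    if mode == "source-ip":          # Layer 4: everyone behind one NAT collides
        return src_ip
    if mode == "super-http":         # fingerprint from User-Agent and Authorization
        return headers.get("user-agent", "") + "|" + headers.get("authorization", "")
    if mode == "url":
        return target
    if mode == "host":
        return headers.get("host", "")
    if mode == "query-item":         # e.g. a session id carried in the query string
        return parse_qs(urlsplit(target).query).get(param, [""])[0]
    if mode == "selected-header":    # administrator names the header to use
        return headers.get(header.lower(), "")
    raise ValueError(f"unknown affinity method {mode!r}")


def pick_server(key, servers):
    """Stable mapping of an affinity key to one published server."""
    if not key:
        return None
    digest = hashlib.sha256(key.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def real_client_ip(peer_ip, headers, trusted_proxy):
    """On the web server behind SNAT: believe the forwarded address only when
    the TCP peer really is the balancer; a client reaching the server directly
    could otherwise write any address into the header."""
    forwarded = headers.get("x-forwarded-for", "")
    if peer_ip == trusted_proxy and forwarded:
        return forwarded.split(",")[0].strip()
    return peer_ip


# Constructed requests: two users behind the same NAT gateway (203.0.113.9)
REQ_ALICE = (b"GET /cart?sid=a1b2 HTTP/1.1\r\nHost: shop.example\r\n"
             b"User-Agent: Browser/1.0\r\nAuthorization: Basic YWxpY2U6eA==\r\n\r\n")
REQ_BOB = (b"GET /cart?sid=c3d4 HTTP/1.1\r\nHost: shop.example\r\n"
           b"User-Agent: Browser/2.0\r\n\r\n")
NAT_IP = "203.0.113.9"
BALANCER_SNAT = "10.0.0.5"           # assumed SNAT address of the balancer
SERVERS = ["web1", "web2", "web3"]


def demo():
    out = {}
    for who, raw in (("alice", REQ_ALICE), ("bob", REQ_BOB)):
        _method, target, hdrs = parse_request(raw)
        keys = {
            "source-ip": affinity_key("source-ip", NAT_IP, target, hdrs),
            "super-http": affinity_key("super-http", NAT_IP, target, hdrs),
            "query-item": affinity_key("query-item", NAT_IP, target, hdrs, param="sid"),
        }
        keys["server"] = pick_server(keys["super-http"], SERVERS)
        out[who] = keys
    forwarded = {"x-forwarded-for": NAT_IP}
    out["via_balancer"] = real_client_ip(BALANCER_SNAT, forwarded, BALANCER_SNAT)
    out["direct_spoof"] = real_client_ip("198.51.100.7", forwarded, BALANCER_SNAT)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both users share the source-ip key, so Layer 4 affinity would pin them to one server, while their Super HTTP and query-item keys differ; the last two results show the forwarded address being honoured from the balancer and ignored from a direct connection.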
Online resources

[a] Documentation
[b] Forum
[c] Frank Carius
[d] Trial Versions for vSphere and Hyper-V
[e] Prices and Models

All links: x

JÖRG RIETHER specializes in the fields of IT security, high availability and virtualization. He works as departmental manager for IT at Vitos Haina gGmbH.
