Manual Chapter: Implementing Paired Tunneling

When you have two BIG-IP systems that are separated by a wide area network (WAN), you can optimize the data transfer between the two systems. You accomplish this by creating a special optimization pathway, or tunnel, between the two systems. When either system sends data to the other using this tunnel, the data is compressed in a way that optimizes compression quality and speed.
You can also configure the two systems to encrypt and decrypt the traffic that passes through the tunnel, to ensure a secure connection for the traffic when it crosses the WAN.
In a paired tunneling configuration, two BIG-IP systems running Local Traffic Manager are located on either side of a wide area network (WAN) and have established a tunnel between them, for the purpose of optimizing data transfer across the WAN. Figure 28.1 shows this configuration.
The client-side system is the system closest to the client node that initiates a request over the WAN for data that resides on a server node. The server-side system is the system closest to the server node that services the request.
In a paired tunneling configuration, the BIG-IP systems compress data and headers pertaining to any TCP-related protocol, such as FTP, Telnet, HTTP, and so on. A paired tunneling configuration can also compress dynamically-generated data.
The method of compression that the BIG-IP systems actually use depends on some combination of user configuration and performance optimization. The compression methods available for the BIG-IP systems in a paired tunneling configuration are:
deflate
This is a higher-quality compression algorithm that is typically slower than the lzo algorithm, unless the system is also using hardware acceleration. The deflate algorithm is ideal for achieving better compression through slower links (for example, a T1 or DS3 link).
lzo
This is a fast, medium-quality compression algorithm with low latency. The Lempel-Ziv-Oberhumer (lzo) algorithm is ideal for interactive protocols (such as Telnet) or high-bandwidth protocols that compress easily (such as data replication).
adaptive
This is a compression method that chooses the best algorithm (deflate, lzo, or off) as traffic conditions change. The adaptive method is both the recommended and the default compression method.
off
When the compression method is set to off, no compression occurs for traffic passing between the two BIG-IP systems. This option is ideal for protocols that cannot be compressed, such as streaming media (already compressed), or encrypted protocols.
The compression methods that you configure on the two BIG-IP systems must match, unless one of them is set to adaptive compression. For example:
If you configure one system to use the deflate method and the other to use the lzo method, any connections currently passing through the tunnel are reset, and no further traffic is allowed.
If you configure one system to use deflate and the other to use adaptive compression, the data is compressed using the deflate method.
If you configure both systems to use the adaptive method (the default setting), the systems use deflate, lzo, or off, depending on traffic conditions. This is the recommended configuration.
Warning: You should ensure that the data that a BIG-IP system sends through the iSession tunnel is not already compressed or encrypted through some other mechanism. Data targeted for the tunnel that has been already optimized cannot be optimized any further and could produce adverse effects.
All local traffic management objects that you create, such as pools, profiles, and virtual servers, are created in the current administrative partition. Therefore, you should ensure that the current administrative partition on each system is set appropriately.
Paired tunneling configurations fully support route domains. That is, any virtual servers and pool members that you create as part of a paired tunneling configuration can reside in a non-default route domain.
For more information on these topics, see the TMOS™ Management Guide for BIG-IP® Systems.
The configuration procedure for the client-side BIG-IP system requires you to perform the following tasks, in the order shown:
Create an endpoint pool with one member, whose IP address is the same address that you intend to assign to the virtual server on the server-side BIG-IP system. (For information on creating the virtual server on the server-side system, see Configuring the server-side system.)
The first task in configuring the client-side system is to create an endpoint pool on the client-side system (for example, clientside_endpoint_pool). This pool acts as an endpoint of the tunnel between the two systems. The pool has one pool member, which is the server-side virtual server (IP address and service).
1. On the Main tab of the navigation menu, expand Local Traffic, and click Pools.
This displays the list of pools on the system.
2. In the upper-right corner, click Create.
The New Pool screen displays.
Note: If the Create button is unavailable, you do not have permission to create a pool. You must have the appropriate user role assigned to your user account.
3. In the Name box, type a name for the pool, such as clientside_endpoint_pool.
4. For the New Members setting:
a) Click New Address.
b) In the Address box, type the virtual address assigned to the virtual server on the server-side BIG-IP system.
c) In the Service Port box, specify a service.
d) Click Add.
This adds the specified IP address and service to the pool as a pool member.
5. Click Finished.
The next task is to create a custom iSession profile on the client-side system. The iSession profile specifies the type of compression that you want the BIG-IP system to use, and specifies the endpoint pool that you created in the previous section.
1. On the Main tab of the navigation menu, expand Local Traffic, and click Profiles.
This displays the list of HTTP profiles on the system.
3. In the upper-right corner, click Create.
The New iSession Profile screen displays.
Note: If the Create button is unavailable, you do not have permission to create a profile. You must have the appropriate user role assigned to your user account.
4. In the Name box, type a name for the profile, such as clientside_isession_profile.
5. Verify that the Mode setting is set to Enabled.
6. From the Compression list, select the compression algorithm that you want the system to use.
Note: The compression algorithm you select must match the type you select on the server-side system, unless one of the systems is set to adaptive. The default value is adaptive.
7. Verify that the Port Transparency and Reuse Connection settings are set to Enabled.
8. Verify that the Target Virtual setting is set to None.
9. From the Endpoint Pool list, select the endpoint pool that you created earlier on this client-side system. In our example, this pool name is clientside_endpoint_pool.
10. Click Finished.
The final task in setting up the client-side BIG-IP system is to create a virtual server. The purpose of this virtual server is to capture client traffic that is destined for a specific server node or subnet that resides on the other side of the wide-area network (WAN). The virtual server then forwards that traffic through the iSession tunnel for optimization.
Figure 28.2 shows a sample client-side virtual address configuration, based on the destination IP address of the packet.
If the virtual address you specify is an address representing a subnet, the BIG-IP systems in the paired tunneling configuration optimize traffic for the entire subnet on which the destination server resides.
The default TCP optimization profiles
By configuring the virtual server to reference two default TCP optimization profiles, you ensure optimal system performance when processing both local and wide-area TCP traffic.
The default Server SSL profile
The BIG-IP system provides a default profile named serverssl, which enables server-side SSL processing. The serverssl profile ensures that traffic sent from the client-side BIG-IP system to the server-side BIG-IP system is encrypted.
The custom iSession profile
This profile, which you created in the previous step, specifies the endpoint pool that you previously created, which in turn references the server-side virtual server address.
Note: As an option, you can use the RAM Cache feature. The result is that the client-side BIG-IP system can process some client requests without needing to connect to a backend server on the other side of the WAN.
1. On the Main tab of the navigation menu, expand Local Traffic, and click Virtual Servers.
This displays the list of virtual servers on the system.
2. In the upper-right corner, click Create.
The New Virtual Server screen displays.
Note: If the Create button is unavailable, you do not have permission to create a virtual server. You must have the appropriate user role assigned to your user account.
3. In the Name box, type a name for the virtual server, such as clientside_virtual_server.
4. For the Destination setting:
a) Click Host or Network, depending on whether the address you specify represents a specific server node or a subnet, respectively.
b) In the Address box, type a destination IP address.
This address should be either the destination IP address of the specific server node to which the client node is sending the request, or an address that matches the subnet on which the server node resides.
c) If you clicked Network in step 4a, then in the Mask box, type the subnet mask.
5. From the Service Port list, select a service, such as HTTP or *All Ports.
This causes the virtual server to listen for traffic on the specified port or ports. If you select a specific service port (such as HTTP), the virtual server ignores all other traffic types.
6. From the Configuration list, select Advanced.
7. Verify that the Type value is Standard.
8. From the Protocol Profile (Client) list, select tcp-lan-optimized.
9. From the Protocol Profile (Server) list, select tcp-wan-optimized.
10. From the SSL Profile (Client) list, retain the default value of None.
11. From the SSL Profile (Server) list, select serverssl.
This causes the BIG-IP system to initiate an SSL connection to send the traffic through the tunnel.
12. From the VLAN Traffic list, select All VLANS.
13. For the iSession Profile setting:
a) From the list on the left, select the name of the custom iSession profile you created previously on this system. In our example, this is clientside_isession_profile.
b) From the Context list, select Server.
Selecting Server specifies that the local endpoint of the tunnel is located on the server side of the virtual server you are creating.
14. Click Finished.
To configure the server-side BIG-IP system for paired tunneling, you simply need to create a virtual server. The purpose of this virtual server is strictly to forward traffic to the local-area network (LAN) behind the server-side BIG-IP system, rather than to load balance connections to a pool of servers.
The IP address that you assign to the virtual server can be any address to which the client-side virtual server can route. In a typical configuration, this address resides on the same subnet as the actual destination server node. Note that the address you assign to this server-side virtual server is also specified as the single member of the endpoint pool that you configured on the client-side BIG-IP system.
Figure 28.3 shows a sample server-side virtual address configuration, based on the client-side virtual address configuration.
The default TCP optimization profiles
By configuring the virtual server to reference two default TCP optimization profiles, you ensure optimal system performance when processing both local and wide-area TCP traffic.
The default Client SSL profile
The BIG-IP system provides a default profile named clientssl, which enables client-side SSL processing. The clientssl profile ensures that traffic sent from the client-side BIG-IP system to the server-side BIG-IP system is authenticated and decrypted.
The default iSession profile
Assigning this profile to the virtual server implements the server-side endpoint for the paired tunneling configuration.
1. On the Main tab of the navigation menu, expand Local Traffic, and click Virtual Servers.
This displays the list of virtual servers on the system.
2. In the upper-right corner, click Create.
The New Virtual Server screen displays.
Note: If the Create button is unavailable, you do not have permission to create a virtual server. You must have the appropriate user role assigned to your user account.
3. In the Name box, type a name for the virtual server, such as serverside_forwarding_virtual_server.
4. For the Destination setting:
a) Click Host.
b) In the Address box, type an IP address.
Important: This IP address should match the pool member address you specified when creating the endpoint pool on the client-side BIG-IP system.
5. From the Service Port list, select *All Ports.
For more information, see Specifying service ports.
6. From the Configuration list, select Advanced.
7. Verify that the Type value is Standard.
8. From the Protocol Profile (Client) list, select tcp-wan-optimized.
This setting is optional.
9. From the Protocol Profile (Server) list, select tcp-lan-optimized.
10. From the SSL Profile (Client) list, select clientssl.
This causes the BIG-IP system to terminate the SSL connection for traffic coming from the tunnel.
11. Verify that the SSL Profile (Server) setting is set to None.
12. From the VLAN Traffic list, select All VLANS.
13. For the iSession Profile setting:
b) From the Context list, select Client.
Selecting Client specifies that the local endpoint of the tunnel is located on the client side of the virtual server you are creating.
14. Click Finished.
When you configure the server-side virtual server, F5 recommends that you set the Service Port setting to *All Ports. In this case, the actual service ports on which the server-side virtual server listens vary, depending on how you have configured port transparency on the client-side BIG-IP system. Port transparency is a feature that you configure within the client-side iSession profile.
Table 28.1 shows how the Port Transparency setting on the client-side system affects server-side virtual server behavior.
Table 28.1 Effect of the client-side Port Transparency setting on server-side virtual server

If client-side port transparency is set to... | Then the server-side virtual server listens on...
Enabled (the default setting) | The same service port that is configured on the client-side virtual server. If the client-side service port is set to HTTP, then the server-side virtual server listens on port 80.
Disabled | If the client-side service port is set to HTTP, then the server-side virtual server listens on port 3701.
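The rules spread across this chapter (the compression-matching rule, the mirrored SSL, TCP-profile and iSession context settings on the two virtual servers, the endpoint pool member that must equal the server-side virtual address, and the Table 28.1 port behavior) are easy to get wrong when the two systems are configured by hand, and a mismatch shows up only as reset connections across the WAN. The following Python script is an added example, not F5 code and not part of this chapter: it models the settings as plain dictionaries (a constructed, simplified representation, not BIG-IP's configuration schema or any F5 API) and reports inconsistencies before the pair carries traffic. It assumes that the fixed port 3701 that Table 28.1 gives for the HTTP case applies to any client-side service when port transparency is disabled.

```python
"""Consistency checks for a BIG-IP paired tunneling (iSession) configuration.
Added example, not F5 code: the dictionaries are a constructed, simplified model
of the settings this chapter walks through, not BIG-IP's configuration schema."""
import copy

COMPRESSION_METHODS = {"deflate", "lzo", "adaptive", "off"}
# Table 28.1 gives port 3701 for the HTTP case with port transparency disabled;
# this example assumes the same fixed port for any client-side service.
ISESSION_PORT_WITHOUT_TRANSPARENCY = 3701


def effective_compression(client_method, server_method):
    """Method the tunnel will use, or None when the two settings conflict
    (connections through the tunnel are reset and no further traffic passes)."""
    for method in (client_method, server_method):
        if method not in COMPRESSION_METHODS:
            raise ValueError(f"unknown compression method: {method!r}")
    if client_method == server_method:
        return client_method  # adaptive/adaptive: chosen per traffic conditions
    if client_method == "adaptive":
        return server_method
    if server_method == "adaptive":
        return client_method
    return None  # e.g. deflate on one side and lzo on the other


def serverside_listen_port(client_service_port, port_transparency_enabled):
    """Port the server-side virtual server must accept (Table 28.1)."""
    return client_service_port if port_transparency_enabled else ISESSION_PORT_WITHOUT_TRANSPARENCY


def check_pair(client_side, server_side):
    """Return a list of problems; an empty list means the pair is consistent."""
    pool, prof, cvs = (client_side[k] for k in ("endpoint_pool", "isession_profile", "virtual"))
    sprof, svs = server_side["isession_profile"], server_side["virtual"]
    problems = []
    # The endpoint pool's single member is the server-side virtual address.
    if pool["member"]["address"] != svs["destination"]:
        problems.append(f"endpoint pool member {pool['member']['address']} != "
                        f"server-side virtual address {svs['destination']}")
    # Compression must match unless one side is adaptive.
    if effective_compression(prof["compression"], sprof["compression"]) is None:
        problems.append(f"compression mismatch: {prof['compression']} vs {sprof['compression']}")
    # SSL: the client side encrypts with serverssl, the server side terminates with clientssl.
    if (cvs["ssl_profile_client"], cvs["ssl_profile_server"]) != (None, "serverssl"):
        problems.append("client-side virtual needs SSL Profile (Client)=None, (Server)=serverssl")
    if (svs["ssl_profile_client"], svs["ssl_profile_server"]) != ("clientssl", None):
        problems.append("server-side virtual needs SSL Profile (Client)=clientssl, (Server)=None")
    # The local tunnel endpoint is on the server side of the client-side virtual
    # server and on the client side of the server-side virtual server.
    if (cvs["isession_context"], svs["isession_context"]) != ("server", "client"):
        problems.append("iSession context must be Server on the client side, Client on the server side")
    # TCP profiles: LAN-optimized toward the local nodes, WAN-optimized across the tunnel.
    if (cvs["protocol_profile_client"], cvs["protocol_profile_server"]) != ("tcp-lan-optimized", "tcp-wan-optimized"):
        problems.append("client-side virtual needs tcp-lan-optimized (Client) / tcp-wan-optimized (Server)")
    if (svs["protocol_profile_client"], svs["protocol_profile_server"]) != ("tcp-wan-optimized", "tcp-lan-optimized"):
        problems.append("server-side virtual needs tcp-wan-optimized (Client) / tcp-lan-optimized (Server)")
    # The server-side virtual must accept the port the tunnel will actually use.
    needed = serverside_listen_port(cvs["service_port"], prof["port_transparency"])
    if svs["service_port"] not in ("*", needed):
        problems.append(f"server-side virtual listens on {svs['service_port']}, tunnel uses {needed}")
    return problems


def with_override(config, section, key, value):
    """Deep copy of one side's configuration with a single setting changed."""
    changed = copy.deepcopy(config)
    changed[section][key] = value
    return changed


# Constructed sample following the chapter's procedure; addresses are from the
# RFC 5737 documentation range and object names are the chapter's examples.
CLIENT_SIDE = {
    "endpoint_pool": {"name": "clientside_endpoint_pool", "member": {"address": "198.51.100.5"}},
    "isession_profile": {"name": "clientside_isession_profile", "compression": "adaptive",
                         "port_transparency": True, "endpoint_pool": "clientside_endpoint_pool"},
    "virtual": {"name": "clientside_virtual_server", "destination": "198.51.100.0",
                "mask": "255.255.255.0", "service_port": 80,
                "protocol_profile_client": "tcp-lan-optimized", "protocol_profile_server": "tcp-wan-optimized",
                "ssl_profile_client": None, "ssl_profile_server": "serverssl", "isession_context": "server"},
}
SERVER_SIDE = {
    "isession_profile": {"name": "isession", "compression": "adaptive"},
    "virtual": {"name": "serverside_forwarding_virtual_server", "destination": "198.51.100.5",
                "service_port": "*",
                "protocol_profile_client": "tcp-wan-optimized", "protocol_profile_server": "tcp-lan-optimized",
                "ssl_profile_client": "clientssl", "ssl_profile_server": None, "isession_context": "client"},
}

if __name__ == "__main__":
    print("as documented:", check_pair(CLIENT_SIDE, SERVER_SIDE) or "consistent")
    print("deflate vs lzo:", check_pair(with_override(CLIENT_SIDE, "isession_profile", "compression", "deflate"),
                                        with_override(SERVER_SIDE, "isession_profile", "compression", "lzo")))
    print("transparency off, port pinned:", check_pair(
        with_override(CLIENT_SIDE, "isession_profile", "port_transparency", False),
        with_override(SERVER_SIDE, "virtual", "service_port", 80)))
```

The third case in the script is the one Table 28.1 warns about: pinning the server-side virtual server to port 80 works only while client-side port transparency stays enabled; once it is disabled, the tunnel arrives on 3701 and the pinned virtual server no longer matches, which is why the chapter recommends *All Ports on the server side.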
Once you have created a paired tunneling configuration, and the two BIG-IP systems are processing traffic across the WAN, you can view data compression statistics on the client-side system.
To view these statistics, you can use the bigpipe utility on the client-side system, as follows: