Configuring Upstream Groups - AudioCodes Mediant 4000 SBC User Manual

CHAPTER 16 Services
Parameter
'Upstream TLS Context'
upstream-tls-
context
[TcpUdpServer_
UpstreamTLSContext]
'Upstream Verify
Certificate'
upstream-verify-
cert
[TcpUdpServer_
UpstreamVerifyCertificate]

Configuring Upstream Groups

The Upstream Groups table lets you configure up to 10 Upstream Groups. Once configured, you
can configure Upstream Hosts for the Upstream Group (see
page 274).
An Upstream Group is a set of one or more hosts (Upstream Host) that can serve a particular set of
data. The HTTP Proxy distributes the requests among the members (hosts) of the Upstream Group
according to the specified load balancing mode.
The Upstream Group may be made up of one or more primary hosts and zero or more backup hosts.
HTTP requests for the Upstream Group are distributed among all the primary hosts. Backup hosts
do not receive requests unless all the primary hosts are down.
The following procedure describes how to configure Upstream Groups through the Web interface.
You can also configure it through ini file [UpstreamGroup] or CLI (configure network >
http-proxy > upstream-group).
➢
To configure an Upstream Group:
1. Open the Upstream Groups table (Setup menu > IP Network tab > HTTP Proxy folder >
Upstream Groups).
Assigns a TLS Context for the TLS connection with the HTTP
location. To configure TLS Contexts, see
Certificate Contexts on page 124.
Note:
■ The parameter is applicable only if the 'Upstream Side SSL'
parameter is configured to Enable (see above).
■ The NGINX directives for this parameter are "proxy_ssl_
certificate", "proxy_ssl_certificate_key", "proxy_ssl_
ciphers", "proxy_ssl_protocols", and "proxy_ssl_password_
file".
Enables TLS certificate verification of the Upstream Host on
outgoing connection requests to the Upstream Group, when the
connection is SSL.
■ [0] No = (Default) No certificate verification is done.
■ [1] Yes = The device verifies the authentication of the
certificate received from the host. The device authenticates
the certificate against the trusted root certificate store
associated with the assigned TLS Context (see 'Upstream
TLS Context' parameter above) and if ok, allows
communication with the host. If authentication fails, the
device denies communication (i.e., handshake fails). The
device can also authenticate the certificate by querying with
an Online Certificate Status Protocol (OCSP) server whether
the certificate has been revoked. This is also configured for
the associated TLS Context.
Note:
■ The parameter is applicable only if the 'Upstream Side SSL'
parameter is configured to Enable (see above).
■ The NGINX directive for this parameter is "proxy_ssl_
verify".
- 272 -
Mediant 4000 SBC | User's Manual
Description
Configuring TLS
Configuring Upstream Hosts on