Providing Ftp Services On A Virtual Cluster; Ftp Cluster Configuration - Coyote Point Systems E350GX Installation And Administration Manual


Chapter 6: Administering Virtual Clusters
noteworthy, however, that even when moving bulk data at 600Mbit/s, Xcel removes the entire load of HTTPS/SSL
processing from the servers in the cluster.
One final issue to be aware of is that Xcel supports only 3DES and RC4 encryption; it does not support AES. It also
does not support SSL or TLS cipher suites that use ephemeral or anonymous Diffie-Hellman exchange (cipher suites
whose names contain "EDH", "DHE", or "ADH").
The default configuration for HTTPS clusters created with Xcel enabled will not use the modes described above. If,
however, one modifies the cluster's cipher suite string to use them, it is possible that they may be negotiated
with clients. This will not lead to incorrect operation of the system, but encryption for these cipher suites will occur
in software instead of taking advantage of the improved performance provided by the Xcel hardware.

Providing FTP Services on a Virtual Cluster

The FTP protocol dates from the 1970s, and was designed to be used in an environment where:
- the network topology is simple
- the FTP server and client communicate directly with one another
- the addresses used by the client and server for active FTP data connections can be negotiated over the FTP
  control connection
- the FTP server is able to make connections back to the FTP client
These operational characteristics of FTP require special configuration for load balancers (as well as firewalls and
NAT devices) that pass traffic between FTP servers and FTP clients:
- NAT devices and routers (including load balancers like Equalizer) on the client and server sides must be
  configured to monitor FTP transactions and provide appropriate address translation and packet rewriting.
- Firewalls on the client and server sides must be configured to let traffic on the ports used for FTP through
  the firewall.
Consult the documentation for the firewalls and NAT devices used at your site to determine how to set up those
devices appropriately for FTP transfers. See the next section for how to configure an Equalizer cluster for
responding to FTP requests from clients.

FTP Cluster Configuration

When configuring an FTP cluster on Equalizer, the following guidelines must be followed:
1. The protocol for the cluster must be Layer 4 TCP.
2. The start port parameter for the cluster must be set to port 21. (Note that port 20 is also used, but you do not
   specify it when adding the cluster.)
3. The spoof flag must be enabled for the cluster.
4. If your servers are on a network the outside world cannot reach, consider enabling Equalizer's passive FTP
   translation global flag. This option causes the Equalizer to rewrite outgoing FTP PASV control messages from
   the servers so they contain the IP address of the virtual cluster rather than that of the server. Note that if you
   select this option, clients will only be able to connect to the cluster in passive (PASV) mode.
Also observe the following notes and limitations:
- Port redirection cannot be used with an FTP cluster; that is, the port range defined for the cluster and the
  port ranges defined for the servers in the cluster must be identical.
- Defining a port range that includes but does not start at port 21 does not define an FTP cluster. The port
  range must begin at port 21. In other words, specifying a start_port of 19 and an end_port of 50 does not
  define an FTP cluster; Equalizer will assume that services other than FTP will be running on these ports.

Equalizer Installation and Administration Guide
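The PASV rewriting that passive FTP translation performs, modeled as an added Python example (not Equalizer's code or configuration): translate_pasv replaces the server address in a 227 reply with the cluster address, and leaks_server_address is a check to run on a reply captured at a client. The function names and sample addresses are constructed for illustration, and leaving the advertised data port unchanged is an assumption.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)<text>", CRLF kept in group 3.
PASV_RE = re.compile(r"^(227 [^(]*)\((\d{1,3}(?:,\d{1,3}){5})\)(.*)$", re.DOTALL)


def parse_pasv(line):
    """Return (IPv4Address, port) advertised in a 227 reply, or None for any other line."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(2).split(",")]
    if max(nums) > 255:
        return None  # malformed octet: not a valid PASV reply
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def translate_pasv(line, cluster_ip):
    """Rewrite the address in a 227 reply to the virtual cluster IP.

    Assumption of this example: the advertised data port is passed through unchanged.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return line  # every other control message passes through untouched
    _, port = parsed
    m = PASV_RE.match(line)
    host = str(ipaddress.IPv4Address(cluster_ip)).replace(".", ",")
    return f"{m.group(1)}({host},{port >> 8},{port & 0xFF}){m.group(3)}"


def leaks_server_address(line, cluster_ip):
    """True if a 227 reply seen by a client advertises an address other than the cluster IP."""
    parsed = parse_pasv(line)
    return parsed is not None and parsed[0] != ipaddress.IPv4Address(cluster_ip)


# Constructed sample: a server at 10.0.0.12 behind a virtual cluster at 192.0.2.10.
SERVER_REPLY = "227 Entering Passive Mode (10,0,0,12,195,80).\r\n"
CLUSTER_IP = "192.0.2.10"

if __name__ == "__main__":
    print(repr(translate_pasv(SERVER_REPLY, CLUSTER_IP)))
    print(leaks_server_address(SERVER_REPLY, CLUSTER_IP))
```

A client that receives the untranslated reply is told to open its data connection to 10.0.0.12, an address it cannot reach when the servers sit on a private network.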
