This tutorial shows how to configure a cluster with two DualShield servers. This cluster is load-balanced by Kemp LoadMaster.
Import SSL Cert
If you are securing your DualShield Servers va SSL then you will need to import your SSL certificates to the LoadMaster
Log into Kemp LoadMaster console and Navigate to "Certificate & Security> SSL Certificates" :
Click "Import Certificate" button on top right.
Here you can import your private/public key, or upload a PFX file.
Once you Save the Certificate file, please select it from the drop down and then click on Use Certificate.
For my test I am just using the inbuilt Self Signed.
Create Virtual Services with TLS Termination
A DualShield server hosts a number of services. Each services works on a specific port. Below is a list of DualShield services and their port numbers:
Service Name | Port | Short Name |
---|---|---|
Administration | 8070 | |
Authentication | 8071 | |
Provision | 8072 | DPS |
Management Console | 8073 | DMC |
SSO Service | 8074 | SSO |
SSO Management | 8075 | |
Self-Service Console | 8076 | DSS |
For my example I am going to create a Virtual Service for Ports 8073 and 8074.Tha Management Console and Single Sign on Ports, respectively.
Navigate to "Virtual Services > View/Modify Services".
Click "Add New" from either in the main menu or within View/Modify Services screen
Now specify the Virtual IP address you wish to use, The Port number (In my example I shall use Port 8073) and the Protocal will be TCP
Click on Add This Virtual Service on the bottom right.
This will take you to the Layer 7 properties screen...
Please select the options as follows
Basic Properties set the Service type to HTTP-HTTPS/2-HTTPS (see picture above)
Standard Options set Mode in Persitance Options to Source IP (See picture below)
SSL Properties , enable SSL Accelration and check Reencrypt.
In the Certificates section Highlight the certificate you imported earlier and move it accross to the right hand box, then click Set Certificates.
Advanced Properties in the section Add HTTP Headers select X-Forwarded-For (No Via) From the drop down
Real Servers. Click on teh Add New Button
Type the IPv4 Address of the Primary DualShield Server
The Port should have autocompleted with the port number you specified when creating the virtual service (see above) If it doesn't please add the port number you are referring to.
Click the Add This Real Server button on the right hand side.
Click OK on the confirmation message at that appears at the top. Repeat the process to Add the IP address of the Secodary DualShield Server.
The configured Real Servers will appear on the bottom left hand side.
Once completed click on Back button. The list of real IP's will appear as below.
Click Virtual Services->View/Modifies Services in the main menu again and Add New.
Repeat the steps above, again to add another Virtual Service tied to another Port.
In my example I have only added Services for ports 8073 and 8074.
C
Now, we have create a service group called "DualShield_DSS" for the DualShield Self-Service Console. This group includes 2 real servers: "DualShield-Server_1" and "DualShield-Server_2"
Repeat the same steps above to create service groups for other DualShield services, such as: SSO, DMC, DPS, etc
Create Virtual Servers
Now that we have created all service groups, we will create load balancing virtual servers.
Navigate to "Load Balancing > Virtual Serves", click "Add".
Enter "Name", "IP Address" and "Port" for the virtual server.
Click "OK" to save it.
Now, we need to bind the newly created virtual server to a service group. In this example, we'll bind this virtual server to the DSS service group:
Click "Load Balancing Virtual Service Group Binding"
Click "Add Binding"
Select the "Service Group Name"
Click "Bind", and "Done".
Now, a virtual server has been successfully create for the DualShield SSO.
Repeat the same steps to create virtual servers for other DualShield services, e.g. DMC, DPS, DSS etc.
Create Persistency Group
The last item we need to create is a Persistency Group.
Navigate to "Load Balancing > Persistency Group", click "Add".
Enter "Name", enable "Use vServer Persistence" and add all the virtual servers we have created.