Ipanema System User Manual 8.1

Ipanema System
User Manual
8.1
Issue: October 2014
Headquarters, France
Ipanema Technologies, 28 rue de la Redoute, 92260 Fontenay-aux-Roses
email: info@ipanematech.com
tel: +33 (0)1 55 52 15 00
Technical support
email: support@ipanematech.com
tel: +33 (0)1 55 52 15 22
Belgium
Ipanema Technologies, Av. du Bourg. Etienne Demunter 3, 1090 Bruxelles
tel: +32 498 17 95 09
Germany
Ipanema Technologies GmbH, Gustav-Stresemann-Ring 1, 65189 Wiesbaden
tel: +49 611 97774 285
Italy
Ipanema Technologies, Piazzale Biancamano 8, 20121 Milano
tel: +39 02 6203 2185
Singapore
Ipanema Technologies APAC, 105 Cecil Street, Level 11 The Octagon, Singapore 069534
tel: +65 68201235
Spain
Ipanema Technologies, Av. de Europa 19, Parque Empresarial La Moraleja, Alcobendas, 28108 Madrid
tel: +34 91 793 21 30
Switzerland
Ipanema Technologies, Zollikerstrasse 153, CH-8008 Zurich
tel: +41 (0)43 488 45 06
The Netherlands
Ipanema Technologies, Vaartserijnstraat 16, 3523 Utrecht
tel: +31 30 890 6680
United Kingdom
Ipanema Technologies Ltd, The Podium, One Eversholt Street London NW1 2DN
tel: +44 (0)207 554 0822
USA
Ipanema Technologies Corp., 200 Fifth Avenue, Waltham, MA 02451
tel: +1 781 890 8008
Technical support
email: support@ipanematech.com
tel: +1 617 862 0033
toll free number: 888 485 4884
The information contained in this document is subject to change without notice.

The information and specifications contained in this document are not contractual. The information
contained in this document is sincerely considered by Ipanema Technologies to be accurate and
reliable, but implies no warranty, either explicit or implicit. Users are responsible for their personal use
of the information and specifications. Ipanema Technologies shall not be liable for any errors which may
appear in this document.
Reproduction in any form whatsoever, without the written authorization of Ipanema Technologies, is
strictly forbidden.
Ipanema, the Ipanema logo, Ipanema System, SALSA, ip|uniboss, ip|boss, ip|dashboard,
ip|reporter, ip|engine, nano|engine, virtual|engine, tele|engine, IMA, ip|agent, ip|sync, ip|true,
ip|fast, ip|coop, ip|xcomp, ip|xtcp, ip|xapp, DWS, ip|export and smart|plan are trademarks of
Ipanema Technologies.
Any trademarks and trade names which may be used in this document refer to the entities which own
these trademarks and these trade names, or to their products.
Ipanema Technologies renounces all proprietary interest in trademarks and trade names other than its
own.
Copyright 2001/2014, Ipanema Technologies
All rights reserved
Contents
CONTENTS
INTRODUCTION ......................................................................... ..........
1. REVISIONS ......................................................................... ..........
2. LIST OF ASSOCIATED DOCUMENTS ............................... ..........
3. DOCUMENT ORGANIZATION ........................................... ..........
4. TERMS USED ..................................................................... ..........
1
1
4
4
5
CHAPTER 1 IPANEMA SYSTEM ............................................ ..........

1. OVERVIEW ......................................................................... ..........
1. 1. Autonomic Networking System ................................... ..........
1. 2. Ipanema features ........................................................ ..........
1. 3. Ipanema appliances, VMs and software agents ......... ..........
1. 4. Features availability .................................................... ..........
1. 5. Functional architecture ................................................ ..........
2. GENERAL PRINCIPLES ..................................................... ..........
2. 1. System deployment .................................................... ..........
2. 2. Communication between system elements ................ ..........
2. 3. Security ....................................................................... ..........
3. FEATURES DESCRIPTION ................................................ ..........
3. 1. Application Visibility (ip|true) ....................................... ..........
3. 2. Application Control (ip|fast) ......................................... ..........
3. 3. WAN Optimization (ip|xcomp, ip|xtcp, ip|xapp) ........... ..........
3. 4. Dynamic WAN Selection (smart|path) ......................... ..........
3. 5. Network Rightsizing (smart|plan) ................................ ..........
3. 6. Tele-managed sites ..................................................... ..........
1-1
1-1
1-1
1-3
1-8
1-9
1-10
1-12
1-12
1-14
1-17
1-18
1-18
1-23
1-25
1-27
1-28
1-29
CHAPTER 2 UNIFIED ACCESS TO THE IPANEMA SYSTEM

(SALSA CLIENT) ................................................................... ..........
1. SALSA WEB PORTAL ......................................................... ..........
2. UNIFIED USER MANAGEMENT ........................................ ..........
3. SALSA URLs ....................................................................... ..........
4. LDAP AUTHENTICATION ................................................... ..........
5. VISTAPORTAL AND VPSE CONSIDERATIONS ................ ..........
5. 1. VistaPortal considerations ........................................... ..........
5. 2. VistaPortal SE considerations ..................................... ..........
2-1
2-1
2-3
2-4
2-4
2-5
2-5
2-5
CHAPTER 3 MANAGING DOMAINS, USERS AND LICENSES

(IP|UNIBOSS) ........................................................................ ..........
1. DOMAINS OVERVIEW ....................................................... ..........
2. ip|uniboss CLIENT .............................................................. ..........
2. 1. Connection to ip|uniboss ............................................. ..........
2. 2. ip|uniboss main window .............................................. ..........
3. IMPORTING A LICENSE .................................................... ..........
4. SYSTEM PROVISIONING .................................................. ..........
4. 1. Declare ip|boss servers ............................................... ..........
4. 2. Domains ...................................................................... ..........
4. 3. Radius ......................................................................... ..........
5. REPORTING PROVISIONING ............................................ ..........
5. 1. ip|reporter web portals (VF0 and VF4) ........................ ..........
5. 2. VistaMart (VF4 only) ................................................... ..........
5. 3. Server Group (VF4 only) ............................................. ..........
5. 4. IV Server ..................................................................... ..........
6. MANAGING USERS ........................................................... ..........
6. 1. System administration: Users ..................................... ..........
6. 2. System administration: User Groups .......................... ..........
6. 3. User credentials supplied in the URL .......................... ..........
6. 4. User name as an HTTP header .................................. ..........
3-1
3-1
3-2
3-2
3-3
3-8
3-9
3-9
3-11
3-19
3-21
3-22
3-24
3-26
3-27
3-29
3-30
3-35
3-38
3-39
October 2014
Ipanema Technologies
Contents
6. 5. External LDAP authentication ..................................... ..........

6. 6. External SAML authentication ..................................... ..........
7. SUPERVISION .................................................................... ..........
7. 1. Inventory ..................................................................... ..........
7. 2. Logs ............................................................................ ..........
7. 3. Issues .......................................................................... ..........
3-40
3-42
3-44
3-44
3-47
3-48
CHAPTER 4 CONFIGURING SERVICES (IP|BOSS) ............. ..........

1. CONFIGURATION OVERVIEW .......................................... ..........
2. ip|boss WEB CLIENT .......................................................... ..........
2. 1. Connection to ip|boss .................................................. ..........
2. 2. ip|boss main window ................................................... ..........
2. 3. ip|boss tool bar ............................................................ ..........
2. 4. ip|boss status zone ..................................................... ..........
2. 5. ip|boss table view ........................................................ ..........
2. 6. ip|boss creation form ................................................... ..........
3. ip|boss CLI CLIENT ............................................................. ..........
3. 1. CLI architecture ........................................................... ..........
3. 2. CLI language ............................................................... ..........
3. 3. Tabular input and output ............................................. ..........
4. OPERATING PROCEDURE ............................................... ..........
5. CREATE, OPEN, SAVE, UNDO A CONFIGURATION ........ ..........
5. 1. Create a new configuration ......................................... ..........
5. 2. Open a configuration ................................................... ..........
5. 3. Save a configuration ................................................... ..........
5. 4. Undo a configuration modification ............................... ..........
6. EXPORTING AND IMPORTING OBJECTS ........................ ..........
6. 1. Exporting objects ........................................................ ..........
6. 2. Importing objects ......................................................... ..........
7. SYSTEM PROVISIONING .................................................. ..........
7. 1. Configuring Coloring ................................................... ..........
7. 2. Configuring WAN Accesses ........................................ ..........
7. 3. Configuring ip|engines and tele|engines ..................... ..........
7. 4. Configuring Topology subnets ..................................... ..........
7. 5. Configuring ip|sync (time synchronization) ................. ..........
7. 6. Scripts ......................................................................... ..........
7. 7. Tools ............................................................................ ..........
7. 8. Configuring DWS (Tools / Advanced conf.) ................. ..........
8. APPLICATION PROVISIONING ......................................... ..........
8. 1. Configuring User subnets ........................................... ..........
8. 2. Configuring Types of service (TOS) ............................ ..........
8. 3. Configuring Applications ............................................. ..........
8. 4. Configuring QoS Profiles ............................................ ..........
8. 5. Configuring Application Groups (AGs) ........................ ..........
8. 6. Configuring LTL (Local Traffic Limiting) ....................... ..........
9. REPORTING ....................................................................... ..........
9. 1. Configuring MetaViews ............................................... ..........
9. 2. Configuring Reports .................................................... ..........
9. 3. Configuring Alarming .................................................. ..........
10. SUPERVISION OPTIONS ................................................. ..........
10. 1. Configuring Fault Management ................................. ..........
11. SYSTEM ADMINISTRATION ............................................ ..........
11. 1. Configuring Automatic reporting ................................ ..........
11. 2. Configuring Security .................................................. ..........
4-1
4-1
4-2
4-2
4-3
4-4
4-7
4-11
4-16
4-17
4-17
4-17
4-18
4-19
4-28
4-28
4-28
4-28
4-29
4-30
4-30
4-31
4-33
4-33
4-36
4-40
4-52
4-54
4-56
4-56
4-57
4-59
4-59
4-60
4-61
4-74
4-77
4-84
4-86
4-86
4-93
4-93
4-99
4-99
4-104
4-104
4-104
CHAPTER 5 IPANEMA SYSTEM SUPERVISION (IP|BOSS) . ..........

1. ip|boss MAIN WINDOW ...................................................... ..........
2. SUPERVISION .................................................................... ..........
2. 1. ip|engine status (monitoring ip|engines activity) ......... ..........
2. 2. Status Maps (monitoring ip|engines activity) ............... ..........
2. 3. Scripts ......................................................................... ..........
2. 4. Security (monitoring security certificate) ..................... ..........
5-1
5-1
5-2
5-2
5-12
5-14
5-16
October 2014
ii
Ipanema System
iii
3. SYSTEM PROVISIONING: TOOLS .................................... ..........

3. 1. Rebooting .................................................................... ..........
3. 2. ip|engine software upgrade ......................................... ..........
4. ip|boss LOGS ...................................................................... ..........
5. CONFIGURATION HISTORY .............................................. ..........
5-17
5-17
5-18
5-21
5-22
CHAPTER 6 USING IPANEMA SERVICES (IP|BOSS) .......... ..........

1. STARTING AND STOPPING A SESSION .......................... ..........
1. 1. Starting a session ....................................................... ..........
1. 2. Stopping a session ...................................................... ..........
2. DYNAMICALLY MODIFYING A SESSION ........................ ..........
2. 1. Update procedure ....................................................... ..........
2. 2. Transition .................................................................... ..........
3. SERVICE ACTIVATION ....................................................... ..........
3. 1. ip|true (measurement) ................................................. ..........
3. 2. ip|fast (Application Control) ......................................... ..........
3. 3. ip|coop (tele-cooperation) ........................................... ..........
3. 4. ip|xcomp (redundancy elimination) ............................. ..........
3. 5. ip|xtcp (TCP acceleration) ........................................... ..........
3. 6. ip|xapp (CIFS acceleration) ......................................... ..........
3. 7. smart|plan ................................................................... ..........
3. 8. IMA .............................................................................. ..........
4. HELP ................................................................................... ..........
6-1
6-1
6-1
6-2
6-3
6-5
6-5
6-6
6-6
6-8
6-10
6-12
6-14
6-16
6-17
6-18
6-19
CHAPTER 7 MONITORING (IP|DASHBOARD) ...................... ..........

1. CONNECTION .................................................................... ..........
2. GRAPHICAL USER INTERFACE ....................................... ..........
2. 1. ip|dashboard window, menus and views ..................... ..........
2. 2. Frames and timing ...................................................... ..........
2. 3. Reading ip|dashboard contents .................................. ..........
2. 4. Access to the reports .................................................. ..........
3. DOMAIN VIEW .................................................................... ..........
3. 1. Quality Summary ........................................................ ..........
3. 2. Activity Summary ........................................................ ..........
4. SITES VIEW ........................................................................ ..........
4. 1. Overview ..................................................................... ..........
4. 2. Sites ............................................................................ ..........
4. 3. Searching for Sites / Filtering the Sites ....................... ..........
4. 4. Downloading the data ................................................. ..........
5. FLOWS VIEW ..................................................................... ..........
5. 1. Overview ..................................................................... ..........
5. 2. Application flows ......................................................... ..........
5. 3. Real Time Graphs ....................................................... ..........
5. 4. Discovery .................................................................... ..........
6. SINGLE SITE VIEW ............................................................ ..........
6. 1. Quality Summary ........................................................ ..........
6. 2. Activity Summary ........................................................ ..........
6. 3. Throughput Summary per NAP ................................... ..........
6. 4. Application flows ......................................................... ..........
6. 5. Discovery .................................................................... ..........
7-1
7-1
7-3
7-3
7-5
7-7
7-9
7-10
7-10
7-12
7-13
7-13
7-14
7-15
7-15
7-16
7-16
7-17
7-35
7-39
7-40
7-40
7-41
7-42
7-43
7-45
CHAPTER 8 OPTIMIZING SSL (IP|DASHBOARD) ................ ..........

1. OVERVIEW ......................................................................... ..........
1. 1. Deployment ................................................................. ..........
1. 2. Applications ................................................................. ..........
1. 3. Principles .................................................................... ..........
2. CONFIGURATION .............................................................. ..........
2. 1. Configure domain-wise trusted proxy CA credentials . ..........
2. 2. Select SSL proxy enabled sites .................................. ..........
2. 3. Select optimization enabled SSL servers ................... ..........
8-1
8-1
8-1
8-1
8-2
8-3
8-3
8-5
8-7
October 2014
Contents
2. 4. Customize the SSL Proxy Certificate Trust Store ....... ..........

3. SECURITY AND LEGALS ................................................... ..........
3. 1. Security ....................................................................... ..........
3. 2. Legals ......................................................................... ..........
8-8
8-9
8-9
8-9
CHAPTER 9 REPORTING (IP|REPORTER) ........................... ..........

1. MIB ACCESS ...................................................................... ..........
1. 1. MIB .............................................................................. ..........
1. 2. SNMP .......................................................................... ..........
2. ip|reporter ............................................................................ ..........
2. 1. Ipanema Architecture .................................................. ..........
2. 2. Ipanemas ip|reporter architecture .............................. ..........
2. 3. Terms .......................................................................... ..........
2. 4. Starting the system ..................................................... ..........
2. 5. Reports Management ................................................. ..........
3. HOW TO READ THE REPORTS ........................................ ..........
3. 1. IVreport (VF0) ............................................................. ..........
3. 2. Web client (VF0) ......................................................... ..........
3. 3. Web client (VF4) ......................................................... ..........
3. 4. Dynamic reading of the reports ................................... ..........
3. 5. Definitions ................................................................... ..........
4. IPANEMA SYSTEM VISTAVIEWS ...................................... ..........
5. SLM (SERVICE LEVEL MONITORING) REPORTS ........... ..........
5. 1. is - slm - service level evolution .................................. ..........
5. 2. is - slm - site summary ................................................ ..........
5. 3. is - slm - application group summary .......................... ..........
5. 4. is - slm - application group summary per direction ...... ..........
5. 5. is - slm - application synthesis .................................... ..........
5. 6. is - slm - site synthesis ................................................ ..........
6. SLA (SERVICE LEVEL AGREEMENT) REPORTS ............ ..........
6. 1. is - sla - domain overview - graph ............................... ..........
6. 2. is - sla - domain overview - table ................................ ..........
6. 3. is - sla - domain - aqs summary .................................. ..........
6. 4. is - sla - domain - ag aqs summary ............................. ..........
6. 5. is - sla - domain - site aqs summary ........................... ..........
6. 6. is - sla - domain - mos summary ................................. ..........
6. 7. is - sla - site summary ................................................. ..........
6. 8. is - sla - site aqs summary .......................................... ..........
6. 9. is - sla - site mos summary ......................................... ..........
6. 10. is - sla - site exploitation ............................................ ..........
6. 11. is - sla - site customer ............................................... ..........
7. CAM (CLOUD APPLICATION MONITORING) REPORTS . ..........
7. 1. is - cam - clients overview ........................................... ..........
7. 2. is - cam - time evolution .............................................. ..........
8. AM (APPLICATION MONITORING) REPORTS ................. ..........
8. 1. is - am - site summary - tcp ......................................... ..........
8. 2. is - am - application group summary - tcp ................... ..........
8. 3. is - am - application group summary - per dir. - tcp ..... ..........
8. 4. is - am - application summary - tcp ............................. ..........
8. 5. is - am - application summary - per direction - tcp ...... ..........
8. 6. is - am - time evolution - tcp ........................................ ..........
9. PM (PERFORMANCE MONITORING) REPORTS ............. ..........
9. 1. is - pm - site summary ................................................. ..........
9. 2. is - pm - application group summary ........................... ..........
9. 3. is - pm - application group summary per direction ...... ..........
9. 4. is - pm - application summary ..................................... ..........
9. 5. is - pm - application summary per direction ................ ..........
9. 6. is - pm - traffic topology ............................................... ..........
9. 7. is - pm - time evolution ................................................ ..........
9. 8. is - pm - detailed per application, per app. group ........ ..........
9. 9. is - pm - top host application on volume ..................... ..........
9-1
9-1
9-1
9-1
9-2
9-2
9-3
9-5
9-7
9-17
9-25
9-25
9-26
9-28
9-33
9-34
9-36
9-43
9-43
9-45
9-47
9-49
9-51
9-55
9-58
9-58
9-60
9-62
9-63
9-63
9-64
9-66
9-67
9-67
9-68
9-70
9-72
9-72
9-76
9-78
9-78
9-80
9-82
9-84
9-86
9-88
9-90
9-90
9-92
9-94
9-96
9-98
9-100
9-103
9-105
9-107
October 2014
iv
Ipanema System
10. PM COMPRESSION REPORTS ....................................... ..........

10. 1. is - pm - compression evolution ................................ ..........
10. 2. is - pm - application group compression synthesis ... ..........
10. 3. is - pm - application compression synthesis .............. ..........
11. SSL OPTIMIZATION REPORT .......................................... ..........
11. 1. is - ssl optimization - time evolution ........................... ..........
12. ACC (ACCELERATION) REPORT .................................... ..........
12. 1. is - acc - acceleration evolution ................................. ..........
13. CIFS REPORT .................................................................. ..........
13. 1. is - cifs - time evolution ............................................. ..........
14. SAM (SERVICES ACTIVITY MONITORING) REPORTS . ..........
14. 1. is - sam - site summary ............................................. ..........
14. 2. is - sam - time evolution ............................................ ..........
15. VOIP REPORTS ............................................................... ..........
15. 1. is - voip - synthesis ................................................... ..........
15. 2. is - voip - time evolution ............................................ ..........
16. SA (SITE ANALYSIS) REPORTS ...................................... ..........
16. 1. is - sa - site summary ingress ................................... ..........
16. 2. is - sa - site summary egress .................................... ..........
16. 3. is - sa - site throughput ............................................. ..........
17. FI (FAULT ISOLATION) REPORTS ................................... ..........
17. 1. is - fi - availability - evolution ..................................... ..........
17. 2. is - fi - availability - overview ..................................... ..........
18. SP (SMART PLANNING) REPORTS ................................ ..........
18. 1. is - sp - profile ........................................................... ..........
18. 2. is - sp - synthesis ...................................................... ..........
19. EXPORTING THE REPORTS DATA WITH ip|export ....... ..........
19. 1. ip|export output files and directory ............................ ..........
19. 2. ip|export log file ......................................................... ..........
19. 3. ip|export command usage ......................................... ..........
19. 4. ip|export output file formats ....................................... ..........
9-109
9-109
9-111
9-114
9-117
9-117
9-119
9-119
9-121
9-121
9-123
9-123
9-125
9-128
9-129
9-131
9-133
9-133
9-135
9-137
9-139
9-139
9-142
9-144
9-144
9-146
9-148
9-148
9-149
9-149
9-150
CHAPTER 10 SOFTWARE LICENSE AGREEMENT ............... ..........

1. IPANEMA SOFTWARE LICENSE AGREEMENT ............... ..........
1. 1. Grant Right of Use ................................................... ..........
1. 2. Intellectual Property .................................................... ..........
1. 3. Term and Termination ................................................. ..........
1. 4. Warranty ...................................................................... ..........
1. 5. Liability ........................................................................ ..........
1. 6. Miscellaneous ............................................................. ..........
2. LICENCE DUTILISATION DU LOGICIEL IPANEMA
(FRENCH) ........................................................................... ..........
2. 1. Etendue des Droits Concds .................................... ..........
2. 2. Proprit Intellectuelle ................................................ ..........
2. 3. Dure .......................................................................... ..........
2. 4. Garantie ...................................................................... ..........
2. 5. Responsabilit ............................................................ ..........
2. 6. Dispositions Gnrales ............................................... ..........
10-1
10-1
10-1
10-1
10-2
10-2
10-2
10-3
CHAPTER 11 TECHNICAL SUPPORT
..................................... ..........
10-3
10-3
10-4
10-4
10-4
10-4
10-5
11-
October 2014
INTRODUCTION
1. REVISIONS
Index
Date of issue
Chapter/
section
concerned
Subject
Jan. 2001
All
Original
April 2001
All
in accordance with the V2.4 software version
Sep. 2001
All
Jan. 2002
All
in accordance with the V2.5.11 software version
March 2002
All
Aug. 2002
All
Oct. 2002
All
Jan. 2003
Chapters 2,
3, 4 and 8
Feb. 2003
Chapter 2
ip|reporter settings
April 2003
Chapter 2
About window
Oct. 2003
All
July 2004
All
April 2005
All
Nov. 2005
All
Nov. 2005
Chapter 2
ip|boss Solaris installation
April 2006
All
Aug. 2006
All
Oct. 2006
Chapter 2
Domain creation, ip|reporter Solaris installation,

ip|reporter web 2.2
Nov. 2006
Chapter 3
Alarming function
Feb. 2007
All
manual organization; ip|reporters portmapper port;

ip|reporter multi network interfaces server; Apache
web server configuration for ip|reporter web edition;
BW tracking principles; configuring ip|engines;
ip|engine alarms description; removal of a report
Nov. 2007
All
Jan. 2008
Chapters 2
and 7
ip|reporter web (no license key; user rights

definition); 7.3.2. How to read the reports; periodicity
of some reports (minor corrections)
April 2008
All
in accordance with the v5.0.0r8 software version
July 2008
Chapters 2
and 3
Solaris installation removed from this manual;

radius configuration
October 2014
Ipanema System
Oct. 2008
All
in accordance with the v5.0.0r12 software version
Dec. 2008
All
in accordance with the v5.1 software version
Jan. 2009
AA
Chapter 2
2.5.4. Install/Uninstall ip|reporter on Windows, 2.6.1.

Install ip|reporter web on Windows
March 2009
AB
All
May 2009
AC
All
Minor corrections: 1. 2. 3. 5, 3. 6. 1 and 7.1.2:

SNMP port; 2.5.6.1: InfoVista license key; 2.6.1.8:
Customizing VistaPortal SE; 4.5.3: ip|boss Java
client menu bar; 6.5.3: Helpdesk maps colors
New: 2.3.3 install ip|boss using the CLI; 3.9:
note on Inventory printing; 4.9.7. Tools; 4.9.8.
smart|path advanced parameters; 4.10.5.4: User
class sensitivity; 4.11.3.1: Alarm severity; 6.5.1: Link
supervision
June 2009
AD
Chapters 2, 9
2.1 JDK is not required any longer;

9.1 Technical Support contact information
Nov. 2009
AE
Chapters 2,
4, 7
2.8.2 software upgrade (FTP)

4.9.3 and 4.10.5.4 RAM-based and Disk-based
compression are replaced by Zero Delay and
Standard Redundancy Elimination (ZRE, SRE)
4.10.3.2 applications list
7. several report updates in version 5.2 had not
been reflected in the manual
Nov. 2009
AF
Chapters 2,
4, 6, 7
2.2.3 and 2.3.3 minor corrections

4.9 Export / Import objects
4.10.8 and 4.11.5.4 new smart|path parameter in
v5.2.2
6.5.2 freeze the view in the real time flows list
7.6.3, 7.6.4 and 7.6.5 three new SLA reports
March 2010
AG
All
May 2010
AH
Chapter 1
A bug in the documentation system, which replaced

chapter 1 by chapter 10, has been fixed.
Aug. 2010
AI
Chapters 1,
2, 4, 5 and 8
1.2.3.2 minor correction

2.7 and 8.16 (mainly) ip|export has been completely
redesigned
Dec. 2010
AJ
Chapter 8
8.8.11.1 minor correction
Aug. 2011
AK
All
Virtual ip|engines are now called tele|engines.

The optimization feature is now called QoS &
control.
2.5 reports_desc.impsys and VistaViews are now
automatically installed with ipreporter_setup.exe;
Solaris 9 is not supported any longer; Windows
2008 is supported
Chapter 2
Nov. 2011
AL
All

installation is now described in a separate manual
Dec. 2011
AM
All
Chapter 1 - Ipanema System was missing in rev. AL
March 2012
AN
All
in accordance with the v7.0.2 software version

major changes: User Classes are renamed
Application Groups; report pm top host application
on volume is restored
July 2012
AO
All
Sep. 2012
AP
All
suppression of the Undo button
October 2014
Dec. 2012
AQ
All
1.1.2
4.2.3
4.8.3
8.13
in accordance with the v7.1.4 software version

SALSA architecture updated
the Undo button has been put back in
applications list updated; description of the common
name (https attribute) improved
SEM reports are renamed SAM
Jan. 2013
AR
3.4.2.1
4.6.1
4.8.3.3
4.8.4
8.4
A Timezone is added to the Domain configuration

Export function updated
RTP/RTCP plugin configuration updated
Implicit max bandwidth = 500 x objective
minor corrections (reports availability on
tele-managed sites with IMA)
March 2013
AS
3.4.2.1, 7.2.1
Chapter 7
Chapter 8
More details on the time zone

More details on the throughput displayed in
ip|dashboard
SLA, CIFS and PM-compression reports updated
April 2013
AT
3.6.1
4.7.2
4.9.3.1
-
More details on User rights on the reports

Definition of the WAN access Network Report key
for DWS
More details on the syntax of the alarm rules in
ip|bosss Alarming function
June 2013
AU
4.8.3.2
List of recognized applications updated
July 2013
AV
all
In accordance with the v8.0 RC software version
Aug. 2013
AW
Chapter 1
The Introduction has been completely revised.
Sept. 2013
AX
Chapter 7
In accordance with the v8.0 GA software version
Oct. 2013
AY
5.2.1.2
ip|engine supervision details: minor correction xxx

Ipanema Software License Agreement
Oct. 2013
AZ
10
New Ipanema Software License Agreement
March 2014
BA
All
4.7.3
QoS & control is renamed Application Control.

New names for the WAN access attributes and
new fields for the multipath mode in the ip|engine
configuration window.
April 2014
BB
9.11
SSL optimization report added
June 2014
BC
All
In accordance with v8.1 RC software version
July 2014
BD
All
9.18
Minor correction on the Sites terminology

SP reports: monitored resources
Oct. 2014
BE
October 2014
In accordance with v8.1 GA software version
Ipanema System
2. LIST OF ASSOCIATED DOCUMENTS

The system installation on Windows is described in a separate document:
Ipanema System Installation Manual
For each range of ip|engine (nano, 10, 100 and 1000), there are two manuals:
Directives and Regulations Manual

ip|engine Directives, Regulations and Certificates.
Read the safety instructions before connecting an ip|engine to the sypply.
Configuration manual
Technical characteristics and ip|engines installation, configuration and set-up procedures;
troubleshooting. This manual is intended for ip|engines integrators, administrators and users.
3. DOCUMENT ORGANIZATION
This document contains 10 chapters:
Chapter 1 - Ipanema System: system overview.

Chapter 2 - Unified access to the Ipanema System (SALSA client): how to access a Domain
with the various components of the system.
Chapter 3 - Managing Domains, Users and Licenses (ip|uniboss): Domains and Users
creation and modification procedures, Licenses management.
Chapter 4 - Configuring Services (ip|boss): the different set-up and configuration procedures.
Chapter 5 - Ipanema System Supervision (ip|boss): system supervision procedures.
Chapter 6 - Using Ipanema Services (ip|boss): system exploitation procedures.
Chapter 7 - Monitoring (ip|dashboard): application monitoring.
Chapter 8 - Optimizing SSL (ip|dashboard): optimization service to the SSL encrypted flows.
Chapter 9 - Reporting (ip|reporter): description of the Ipanema reporting.
Chapter 10 - Software license agreement.
Chapter 11 - Technical support: description of the Ipanema Support.
October 2014
4. TERMS USED
AG:
Application Group.
Aggregated flow:
an aggregated flow groups together IP micro-flows sharing

given common characteristics. It is specified by a source
subnet, a destination subnet and, where appropriate, a
protocol, an application and a client/server direction and a TOS.
ANS:
Autonomic Networking System.
Applications Dictionary:
the Applications Dictionary contains a list of the applications

recognized by the system. The applications are identified by
protocol, a TCP or UDP port number, a type of Codec, a URL
for HTTP, a published application for Citrix...
Applications Group:
Group of Applications with a certain Criticality level and

a certain QoS Profile; contains key parameters for AQS
measurement and Application Control.
Application Quality Score:
Ipanema notation for the traffic Quality. From 0 (very bad) to

10 (very good). The notation is calculated according to the
expected behavior.
AQS:
Application Quality Score (see description above).
ASL:
Application Service Level.
BDP:
Bandwidth Delay Product.
Byte counting:
the system indicates the number of bytes in the IP packet,

including IP headers.
CIFS:
Common Internet File System, aka SMB (Server Message

Block).
CLI:
Command Line Interface.
Congestion:
state of a network resource in which the traffic incident on the

resource exceeds its output capacity over an interval of time.
CoS:
Class of Service.
CPE:
Customers Premises Equipment (network access equipment

located on the customers site. In the case of an IP network this
is usually an access router).
Delay variation:
Standard deviation of the delay on a given period.
DPI:
Deep Packet Inspection, the application recognition mechanism

used by Ipanema, based on the layer 7 syntax.
DSCP:
DiffServ Code Point.
DstPort:
Destination Port.
Datagram:
block of data transmitted on the packet switched network.
D/J/L:
Delay/Jitter/Loss.
Domain:
a Domain is composed of a set of ip|engines making and

exchanging observations and making measurements based on
these. ip|engines are configured and operated via the ip|boss
central software. All elements in a Domain must be connected
in the IP sense (each element must have an IP address that
can be routed on the network).
DWS:
Dynamic WAN Selection (feature provided by the smart|path

service).
October 2014
Ipanema System
Elementary observation:
measure of time, length, etc., performed by the ip|engine on

each measured packet.
Equipped site:
site with an ip|engine, a nano|engine or a virtual|engine.
Flow:
in the Ipanema system, we call a flow all the sessions of a

given application, from a given source to a given destination.
Fragmentation:
the process of division of a datagram into several fragments (IP

packets), to facilitate traffic flow on low-speed links for example.
GLASS:
GlobaL Autonomic Support System: ip|engine metrics aimed

at accelerating technical escalations.
GPS:
Global Positioning System (a positioning and synchronization

system based on a satellite constellation (~ 24) in medium
altitude orbit, covering practically the entire surface of the earth
and is highly accurate. It used to be used in early versions of
the Ipanema system).
Goodput:
Number of received bits per second above layer 4 (i.e., TCP

or UDP payload).
GUI:
Graphic User Interface.
HSRP:
Hot Standby Router Protocol (Cisco).
ICMP:
Internet Control Message Protocol.
IMA:
Ipanema Mobile Agent.
IP:
Internet Protocol.
IP micro-flow:
an IP micro-flow is specified by all packets identified by the

same IP source and destination address, the same protocol
and, where appropriate, the same TCP/UDP ports.
ip|agent:
Ipanema software running on Ipanema appliances (ip|engines

and nano|engines) and virtual appliances (virtual|engines);
by extension, we call ip|agent the software running on
Ipanema Mobile Agents (IMAs), although the latter do not run
all ip|agent services.
ip|agent services are ip|true, ip|fast, ip|xcomp, ip|xtcp,
ip|xapp, smart|path and smart|plan.
ip|boss:
component of the SALSA suite used to configure the Domains.
ip|coop:
tele|engines cooperative control (part of ip|fast).
ip|dashboard:
component of the SALSA suite allowing to monitor the traffic

(in reality the server is part of ip|boss server).
ip|engine:
Ipanema appliance that performs measurement, control,

compression, acceleration, etc., to provide Visibility, Application
Control and WAN Optimization.
ip|fast:
ip|agent providing Application Control.
ip|reporter:
component of the SALSA suite that generates the reports; it is

powered by InfoVista.
ip|true:
ip|agents measurement service, behind the Application

Visibility feature.
ip|uniboss:
component of the SALSA suite used to manage the Domains,

Users and Licenses.
ip|xapp:
ip|agent providing CIFS acceleration (part of the WAN

optimization feature).
ip|xcomp:
ip|agent providing Compression (SRE and ZRE part of the

WAN optimization feature).
October 2014
ip|xtcp:
ip|agent providing TCP acceleration (part of the WAN

optimization feature).
IPDR:
IP Data Records.
ISU:
Ipanema Software Unit.
ITP:
Ipanema Time Protocol.
Jitter:
standard deviation of the delay on a given period.
JRE:
Java Runtime Environment.
LAN:
Local Area Network (the same geographical site may have

several LANs interconnected by a router).
LAN-to-LAN:
used for the measurement from the LAN port of the source
ip|engine to the LAN port of the destination ip|engine;
applies to the throughput, Delay, Jitter and packet Loss. Also
abbreviated LAN (e.g. LAN-to-LAN Delay = LAN Delay).
LDAP:
Lightweight Directory Access Protocol, used for authentication

and authorization in SALSA.
LTL:
Local Traffic Limiting.
Measurement interface:
interface on the ip|engine giving access to the point of

measure.
Measurement ticket:
the measurement ticket groups together the elementary

observations made on an IP packet by an ip|engine.
MetaView:
Object we report on (Domain, Site, group of Sites, Application

Group, etc.), created in ip|boss. The reports aggregate data
on MetaViews, in ip|reporter.
MOS:
Mean Opinion Score (standard Measure of the Quality of a

Voice Call (notation between 0 (very bad) to 5 (very good),
normalized by the ITU-T (G.107)).
MRE:
Multi Redundancy Elimination (= SRE + ZRE; synonymous

with Compression).
nano|engine:
Ultra compact Ipanema appliance that performs measurement

and control, to provide Visibility and Application Control in small
Branch offices (no WAN Optimization, unlike ip|engines).
NAP:
Network Access Point.
OWD:
One Way Delay.
Packets:
series of binary elements organized in a predefined format

and transferred as a whole.
Packet counting:
the system indicates the number of datagrams observed.

It is insensitive to fragmentation by routers, whether this
fragmentation occurred in the Domain of Measure (between
ip|engines) or outside the Domain (before the first ip|engine).
Packet loss:
the system indicates the number of datagrams lost. It is

therefore insensitive to fragmentation by routers, whether this
fragmentation occurred in the Domain of Measure (between
ip|engines) or outside the Domain (before the first ip|engine).
PBR:
Policy Base Routing.
Physical site:
(Obsolete) old name for an Equipped site.
Point of measure:
place of traffic acquisition where measures are made.
QoE:
Quality of Experience (measured by the AQS).
October 2014
Ipanema System
QoS:
Quality of Service.
QoS Profile:
Set of parameters in ip|boss, which applies to an Application

Group. The parameters are: the traffic type (real time,
transactional or background), the bandwidth objective and
the maximum bandwidth (per session), followed by 6 quality
metrics (delay, jitter, loss, RTT, SRT and TCP retransmission)
with two thresholds each (objective maximum).
RADIUS:
Remote Authentication Dial-In User Service.
Router:
interconnection gateway between two IP networks.
Routing:
operation of determining the route to be taken through a

network by a data packet.
RTT:
Round Trip Time.
SALSA:
Scalable Application Level Service Architecture.
SAML:
Security Assertion Markup Language.
Sensitivity:
Application Group parameter, used for DWS.
SLA:
Service Level Agreement.
smart|path
ip|agent providing Dynamic WAN Selection.
smart|plan
ip|agents Network Rightsizing service
SNMP:
Simple Network Management Protocol.
SrcPort:
Source port.
SRE:
Standard Redundancy Elimination (AKA Disk-based

compression).
SRT:
Server Response Time.
SSL:
Secure Socket Layer.
TCP:
Transmission Control Protocol.
tele|engine:
Allows traffic on unequipped Sites to be measured and

controlled by the ip|engines of the remote Sites, thus providing
Application Visibility and Control without any appliance on
the local Site (branch office). tele|engines are configured in
ip|boss as physicalip|engines, checking a specific box. A
Site with a tele|engine is called a tele-managed Site.
Tele-managed Site:
Site with a tele|engine.
Ticket Record:
groups measurement tickets together for transmission between

ip|engines.
TOS:
Type Of Service.
TOS Dictionary:
the TOS Dictionary contains a list of TOS recognized by the

system. The TOS are identified by the field Type Of Service
in IP packet.
Traffic profile:
a description of the temporal properties of a traffic stream such

as rate and burst size.
Transfer delay:
the transfer delay of a packet between ip|engines is measured

when the last bit of the packet passes the measure points.
In the event of fragmentation of the datagram into several IP
packets, the measure is made when the last bit of the last
fragment passes.
Throughput:
Number of bits per second at the IP level.
October 2014
UC:
Unified Communications.
UDP:
User Data Protocol.
VF0 / VF4:
Vista Foundation 0 / 4 (InfoVista platforms provided with

ip|reporter).
Virtual ip|engine:
(Obsolete) old name for a tele|engine (< SALSA v6).
Virtual site:
(Obsolete) old name for a tele-managed Site.
virtual|engine:
Software image of an ip|engine, to be deployed on VMware

ESXi.
VoIP:
Voice over IP.
VPN:
Virtual Private Network.
VRF:
Virtual Routing and Forwarding.
WAN:
Wide Area Network (long distance network that allows data

exchange between remote sites).
WAN-to-WAN:
used for the measurement from the WAN port of the source
ip|engine to the WAN port of the destination ip|engine.
Applies to the throughput, Delay, Jitter and packet Loss. Also
abbreviated WAN (e.g. WAN-to-WAN Delay = WAN Delay).
LAN-to-LAN Delay = Delay generated by the source ip|engine,
if any + WAN-to-WAN Delay + Delay generated by the
destination ip|engine, so the LAN-to-LAN Delay includes (and
is higher than or equal to) the WAN-to-WAN Delay.
WFQ:
Weighted Fairness Queuing.
Wizard:
Way to create combinations of MetaViews and reports in

ip|boss Reports menu.
ZRE:
Zero delay Redundancy Elimination (AKA RAM-based

compression).
October 2014
CHAPTER 1. IPANEMA SYSTEM

Document organization
1. 1. OVERVIEW
1. 1. 1. Autonomic Networking System
Ipanemas self-learning and self-optimizing Autonomic Networking System (ANS) tightly
integrates all the features to guarantee the best application performance: Application Visibility,
Application Control, WAN Optimization, Dynamic WAN Selection and Network Rightsizing.
Easy to use and highly scalable, ANS addresses mid-size and thousands-sites companies. It also
addresses Service Providers with thousands of customers.
Based on the SALSA central management platform and on a family of appliances and software
agents, ANS fits from the smallest Branch Office to the largest Datacenter.
SALSAs centrally managed cooperative architecture
October 2014
1-1
Ipanema System
Ipanemas ANS is:
Autonomic:
It guarantees applications performances through global and distributed coordination
between Ipanema appliances and software agents,
it dynamically adapts to traffic and network changes thanks to a Sense and Respond"
mechanism (Sense: Real-time view of the network performances and users demand;
Respond: Dynamic and distributed computation with second-by-second optimal policies
enforcement),
full control is provided, in most cases (depending on the network architecture), with as
few as 10-20% of the sites equipped with physical appliances.
All-in-one:
All features are tightly coupled,
it optimizes all application flows: data transfers (FTP, CIFS...), interactive flows (ERPs,
Citrix...), real-time flows (VoIP, Videoconference...), etc.
Service Framework:
A unified management GUI is provided for all features,
the multi-tenant SALSA platform scales up to 10Ms users and 100Ks sites,
objective-based control enables Application SLAs and global WAN Governance.
1-2
October 2014
Ipanema System
1. 1. 2. Ipanema features
This section quickly describes Ipanema features (for more details see 1.3. Features description).
Application Visibility
Goal: understand application usage and performance over the entire network.
How: providing clear application performance KPIs (Application Quality Score or AQS and
MOS), high level consolidated reports, and very detailed information at the flow level.
October 2014
1-3
Ipanema System
Application Control
Goal: guarantee users experience by controlling each application flow in real-time, depending
on the network resources.
How: dynamically enforcing Application SLAs for each user thanks to a global and dynamic
approach, where the whole traffic matrix is taken into account in real time. Application Control
manages the application flows in the most efficient way, even in full-mesh and very large
networks.
Application Control
1-4
October 2014
Ipanema System
WAN Optimization
Goal: accelerate delay sensitive applications and reduce bandwidth consumption.

How: eliminating redundancy in the application flows (both at the packet level and data stream
level), and accelerating TCP segments, CIFS application, SSL flows, etc.
WAN Optimization
These features are tightly coupled to address all situations.
Tightly coupled features
October 2014
1-5
Ipanema System
Network Rightsizing:
Goal: align network sizing to budget and business requirements.

How: combining Application Visibility and Application Control data to determine sizing
options and their consequences; the results are displayed in easy-to-use reports.
Network Rightsizing
1-6
October 2014
Ipanema System
Dynamic WAN Selection:
Goal: guarantee application performance across hybrid [MPLS + Internet] networks, improve
business communication continuity, exploit large network capacity at low cost, benefit from
Internet immediacy and ubiquity, turn back-up lines into business lines, eliminate complex policy
based routing and unify the management of hybrid networks.
How: automatically and dynamically selecting the best path for each application flow across the
various networks.
DWS
October 2014
1-7
Ipanema System
1. 1. 3. Ipanema appliances, VMs and software agents

Ipanema features are performed by Ipanema appliances, virtual machines and software agents,
generally located at the interface between the enterprise network (LAN) and the access router to
the operator network (WAN).
There are two families of appliances: ip|engines and nano|engines, and two families of software
agents: virtual|engines and Ipanema Mobile Agents (IMAs).
Application Visibility and Application Control features are also available on sites that are
not equipped (no ip|engine, no nano|engine and no virtual|engine on the site), declaring
tele|engines on these sites.
ip|engines: hardware devices; various models are available, with different capacities
nano|engines: hardware ultra compact devices, for small Branch Offices

tele|engines: logical service delivered through the remote collaborating ip|agents
virtual|engines: virtual machines in .vmdk format
IMAs: software agents for Windows desktops

ip|agent is the software running on ip|engines, nano|engines and virtual|engines. IMAs run
some of ip|agents services (but we also call them ip|agents, by extension).
To provide the features described above, ip|agents run the following services:
for Application Visibility:

ip|true: measurement,
ip|sync: time synchronization,
for Application Control:

ip|fast: the Application Control service,
ip|coop: tele|engines cooperative control,
for WAN Optimization:

ip|xtcp: TCP acceleration,
ip|xcomp: compression (SRE and ZRE) + TCP acceleration,
ip|xapp: CIFS acceleration,
for Network Rightsizing:

smart|plan
for Dynamic WAN Selection:

smart|path.
1-8
October 2014
Ipanema System
1. 1. 4. Features availability
The table below summarizes the features provided by the different Ipanema appliances and virtual
machines, and on tele-managed sites:
ip|e
ax
ip|e
non-ax
nano|e
virtual|e
tele|e
ip|true
yes
yes
yes
yes, performed by
the remote ip|agents;
no D/J/L info
ip|fast
yes
yes
yes
yes, performed by the

remote ip|agents
no, except on hosts

running IMAs
yes
no, except on hosts

running IMAs
ip|xcomp
SRE
yes
no
ip|xcomp
ZRE
yes**
no
yes
no
ip|xtcp
yes**
no*
no*
no*
ip|xapp
yes***
no, except on hosts

running IMAs
yes***
no, except on hosts

running IMAs
smart|path
yes
yes
no
no
smart|plan
yes
yes
yes
no
Features availability
* ip|xtcp is a single-box sender-side technology, so traffic to a site with a nano|engine,
a virtual|engine or a tele|engine can be accelerated.
** except for ip|e 40so.
*** ip|xapp is a single-box client-side technology, so the ip|engine or virtual|engine
must be installed in the Branch Office (where the clients are). If it is not (sites with a
nano|engine or a tele|engine), the feature can still be delivered, thanks to IMA.
October 2014
1-9
Ipanema System
1. 1. 5. Functional architecture
SALSA (Scalable Application Level Service Architecture) is the Central Management Software; it
is composed of:
ip|uniboss software (one server): it ensures the creation and management of the Domains,
Unified User Management and Licenses management.
ip|boss software (one or several servers, depending on the number of Domains and their sizes;
it can be installed on the same server as ip|uniboss): it ensures system administration, system
configuration (system provisioning, application provisioning and reports provisioning), service
activation, real time monitoring (ip|dashboard), supervision, collect of the Correlation Records
generated by ip|agents every minute (according to the parameters), interface with ip|reporter
to create or delete reports (the main reports are automatically created).
ip|reporter software (one or several servers, depending on the number of Domains, the volume
of traffic and the number of reports; on very small networks less than 10 sites it can be
installed on the same server as ip|boss/ip|uniboss): it ensures the reporting function, polling
ip|boss to collect the raw data that it then consolidates it in many different dimensions, with
about 40 pre-defined report templates.
ip|reporter is powered by InfoVista and embeds an InfoVista run time licence; this run time
provides all user functions in local, remote or client/server mode or with an HTML interface with
VistaPortalSE.
InfoVista can be provided with two different VistaFoundation platforms: VF0
(provided to most Ipanema customers) and VF4 (provided for MSPs/NSPs or
customers with very large networks only). Only VF0 platform is described in this
document. For VF4 information, please refer to the relevant Technical notes.
ip|export, an optional module of ip|reporter, allows automatic and dynamic export of any data
from any reports in text, CSV or Excel formats. It is designed for seamless inter-operability
between network measurement systems and Business Support Services.
SALSA architecture
1-10
October 2014
Ipanema System
A SALSA unified portal gives access to ip|uniboss, ip|boss, ip|dashboard and ip|reporter web.
A Domain selector (drop-down list) allows selecting the Domain to be configured (with ip|boss) or
monitored (with ip|dashboard) prior to connecting.
SALSA unified portal

It can be accessed with a web browser at https://<ip|uniboss IP address>/salsa/.
October 2014
1-11
Ipanema System
1. 2. GENERAL PRINCIPLES
1. 2. 1. System deployment
A Domain is made up of a set of Ipanema appliances and virtual machines positioned at the
measurement or control points of a network, in the same LANs as the CPE routers.
Their ip|agent software measure, control, compress and accelerate the network traffic on the entire
network.
One Domain has to be created by logical entity, using ip|uniboss software. Once created, it is
managed by a dedicated ip|boss instance.
System deployment
ip|agents belonging to the same Domain cooperate (distributed intelligence), but do not interact
with other ip|agents belonging to other Domains.
To measure, control and accelerate flows on a site with no ip|agent (no appliance nor virtual
machine), the user can declare a tele|engine on that site (in the same way as they would declare
a real ip|engine, in ip|boss). To make this possible, ip|agents must be present at the other ends
of the flows (measurement, control and acceleration will be performed by the remote ip|agents
indeed reason why such a site is also called a tele-managed site).
1-12
October 2014
Ipanema System
ip|agents cooperation in a Domain (with tele-managed sites)

The system performs measurement, control, redundancy elimination and acceleration on the basis
of the observed traffic in the users private IP addressing plan.
Each ip|agent recognizes the local network (LAN) traffic transmitted to and received from the
long-distance network (WAN).
LANs have an IP address range expressed in the form a.b.c.d and a prefix, the length of which is
expressed by /p.
For correct system operation:
each ip|engine, nano|engine, and virtual|engine must have a fixed IP address,

the server running ip|boss must be accessible by all ip|engines, nano|engines and
virtual|engines (it is not necessary for IMAs). It must therefore have an IP address, but the
latter is not necessarily a fixed address, in theory (except if ip|reporter server is installed on
another station, which should be the case in most cases). The server is not necessarily on the
customer part of the network.
October 2014
1-13
Ipanema System
1. 2. 2. Communication between system elements

A Technical note, TN-0300164-02_Flow_matrix_SALSA_v<X>, shows all ports used
between all components of the Ipanema system.
1. 2. 2. 1. Communication between ip|agents

ip|agents exchange measurement and control information, among others.
To accomplish this, each ip|agent hosts a specific server reachable by all other ip|agents on
predetermined TCP and UDP ports.
An ip|agent also hosts a specific client that transmits measurement and control signals and
compressed data to the remote ip|agent servers. The source ports are dynamically selected by
the transmitting ip|agents.
Service
L4
Port
ip|true
TCP
19999
ip|fast
UDP
19999
ip|agent capacity advertising
TCP
19996
ip|xcomp SRE
ip|xcomp ZRE dictionary and control
TCP
19988
ip|xcomp ZRE compression tunnel
UDP
19988
ip|xcomp ZRE keep alive
UDP
19987
ip|xtcp
ip|xapp
ip|sync (ITP)
UDP
19995
Clustering
UDP
19997
Ports used between ip|agents
1-14
October 2014
Ipanema System
1. 2. 2. 2. Communication between ip|boss and ip|agents

There are three types of communication channels between ip|agents and ip|boss:
configuration and supervision,

polling of the measurement records (Correlation Records),
polling of the real-time graphs data.
Service
L4
Port
Usage
HTTPS
TCP
443
Configuration, supervision, collect of the Correlation

Records.
FTP
TCP
2021
Download ip|agent software (the FTP server is not

necessarily on ip|boss).
SSH
TCP
22
Remote connection on Ipanema appliances and virtual

machines (enabled by default). (The remote access is
not necessarily granted from ip|boss.)
Telnet
TCP
23
Remote connection on Ipanema appliances and virtual

machines (disabled by default). (The remote access is
not necessarily granted from ip|boss.)
Real-time
graphs
TCP
1999019993
Additional polling to provide a real-time view in

ip|dahsboard.
Ports used between ip|agents
Configuration and supervision channel
Each ip|engine, nano|engine and virtual|engine hosts an HTTPS server accessible by ip|boss
for configuration and supervision. This server is reached on TCP/443 destination port (default value;
another value can be configured on request).
If remote connections (SSH and/or Telnet) are to be established from ip|boss (not mandatory, but
very helpful), then ports 22 (SSH) and/or 23 (Telnet) are also used. (By default, SSH is enabled on
all ip|agents, and Telnet is disabled.)
If ip|boss is used as an FTP server to download ip|agent software, then ports TCP/20 and 21 are
also used (they are not otherwise; the FTP server can be on other devices, such as an external
server or even an ip|engine, for instance).
Periodic measurement collection channel
The HTTPS server embedded in ip|agents is also used by ip|boss to retrieve the measures (pull)
(same port and remark as above).
Real-time measurement polling channel
Real-time measures are sent by the ip|agents on a unidirectional TCP connection to a predefined
destination port (in the 1999019993 range by default; other ranges can be configured).
The TCP source port is dynamically selected (a fixed port can be configured) by the transmitting
ip|agent.
October 2014
1-15
Ipanema System
1. 2. 2. 3. Communication between ip|boss client and ip|boss server

Communications between ip|boss web client and ip|boss server use HTTPS (port TCP/443).
1. 2. 2. 4. Communication between ip|boss and ip|reporter

Two kinds of communication channels exist between ip|boss and ip|reporter:
1-16
configuration and supervision channel:

ip|boss supervises and configures the reporting system via the InfoVista interfaces. The used
TCP ports are dynamic by default, but they can be fixed by configuration. This channel allows
the reports creation and deletion according to the configuration and ip|reporters supervision
status.
collect channel (SNMP):
ip|boss houses an SNMP agent used by ip|reporter (InfoVista) in order to collect the
measurement data (pull mode). This SNMP agent is reachable via a UDP port configured for
each Domain in ip|uniboss.
October 2014
Ipanema System
1. 2. 3. Security
The Ipanema System provides robust security features (SSL, SSH, tools for key generation
and distribution, etc.) to protect the system against break-in and hostility threats. Authentication
mechanisms to access the different system elements, and between them, protect the system
against unauthorized accesses. Communication encryption between the system elements
protects the system against sniffing of configuration information or measurement results
exchanged between them.
1. 2. 3. 1. Appliances Access Control (Console and SSH)

Many security features regarding the access to Ipanema appliances, through the console or through
the network, are implemented. They are listed below (however access to a particular appliance is
limited to a very small number of cases):
console access is secured with full password management;

remote access is secured with the use of the SSH protocol (Telnet is also available, but for
security reasons it is disabled by default);
commands limitation: when remotely accessing an Ipanema appliance (or virtual machine), the
set of available user commands is carefully restricted to the minimum (device basic configuration
and troubleshooting, namely).
1. 2. 3. 2. Secured ip|boss ip|agents communications

SSL protocol is used to download the configuration file from ip|boss to all ip|agents, to monitor all
appliances and to collect the measurement data. Both authentication and encryption are used.
The Ipanema System allows three security levels:
First level (default mode):

The customer uses the default factory certificate. Communications are secured. Nevertheless,
as the certificate is not unique to the customer, the security level is not at its maximum.
Second level:
The customer defines their own certificate. This can be achieved either in ip|boss or using a
certificate generator. Certificate installation on ip|agents is managed from ip|boss and does
not require local access to the Ipanema appliances or virtual machines.
Communications are secured. Unauthorized people will not be able to enter the system nor to
read or interpret configuration or measurement data.
Third level:
The customer defines their own certificate and an SSL passphrase. This requires not only an
ip|boss certificate installation, but also to have local access to all ip|agents in order to setup
the passphrase configuration.
Communications are secured. Combination of certificate and local passphrase provides the
highest level of security.
Important reminder 80% of the security breaches are internal to companies.
October 2014
1-17
Ipanema System
1. 3. FEATURES DESCRIPTION
1. 3. 1. Application Visibility (ip|true)
The primary goal of Application Visibility is to understand application usage and performance
over the entire network.
To reach that goal, applications are classified in Application Groups (AGs), and each AG
has specific QoS performance objectives (nominal bandwidth per session and two thresholds
objective and maximum for one-way-delay, jitter, packets loss, RTT, SRT and TCP
retransmission ratio), thus allowing to check whether performance objectives are met or not, and
to calculate an Application Quality Score (AQS) accordingly.
Ipanema Application Visibility is:
comprehensive (see the list of metrics below),

highly accurate, relying on time synchronization from the network (thanks to ITP, Ipanema Time
Protocol),
very precise and non-intrusive: measurements are made on the actual data packets and not on
test packets nor simulated flows,
exhaustive: all IP packets are measured,
independent from the operator network access and core technology (measurements are made
at the IP layer),
confidential: the contents of user packets are not, at any time, stored, saved or even transmitted
between the different system components.
ip|true provides the following metrics:
the number of packets and bytes transmitted and received,

the number of sessions,
the following one-way metrics:
Delay,
Jitter,
packet Loss,
all three (called D/J/L) both:
ingress (from the LAN to the WAN) and
egress (from the WAN to the LAN),
and both:
between the LAN interfaces of the appliances (LAN-to-LAN metrics, simply called LAN)
and
between their WAN interfaces (WAN-to-WAN metrics, simply called WAN):
the following TCP metrics:

RTT (Round Trip Time),
SRT (Server Response Time),
TCP retransmission ratio,
1-18
October 2014
Ipanema System
the following composite metrics:

Voices MOS (Mean Opinion Score),
all flows AQS (Application Quality Score).
AQS
Individual measurements are aggregated and analyzed according to multiple criteria (source and
destination sites, source and destination subnets, Application Groups, applications, etc.). The
results are presented in the form of detailed flows lists, real-time graphs, charts, etc., and archived
with periodic aggregation (in hourly, daily, weekly and monthly reports). They are made available
for subsequent processing or reference, and can be used to generate alarms, analyze long-term
trends, forecast future traffic increase to estimate optimum network sizing, etc.
Users can specify their own aggregation criteria, thus taking into account their enterprise
organization (e.g. the different countries, departments, services, etc.).
The following system elements are involved:
ip|agents (ip|true): elementary observations, correlation, traffic classification,

ip|boss: configuration, polling of the Correlation Records (HTTPS), MIB update,
ip|reporter: polling of ip|boss MIB (SNMP), reports publishing and reports database
management.
1. 3. 1. 1. ip|agents elementary observations, correlation and classification

Each IP packet observed by an ip|agent undergoes a series of operations:
filtering of IP v4 packets,
classification and filtering of packets according to their types:
local traffic on the LAN,

ingress traffic (LAN to WAN traffic),
egress traffic (WAN to LAN traffic),
transit traffic.
correlation, to calculate the one-way metrics (Delay, Jitter and packet Loss), when both the
source and the destination of the flow are equipped with Ipanema appliances or virtual machines
(this condition is necessary); this operation is achieved in four steps:
1. when the packet is sent and crosses the upstream ip|agent, the latter calculates a
signature (hash) and stores it locally,
2. when the packet is received and crosses the downstream ip|agent, the latter
calculates a signature (the same one),
3. once a second, the downstream ip|agent sends its signatures back to the upstream
one, in a compact Ticket Record.
Ticket Records have an average length of 300 bytes and the overload they generate
is approximately 2% of the measured traffic (<< 2% on large sites, due to statistical
reasons the more the traffic, the less the overload).
4. the upstream ip|agent correlates the signatures it has calculated with the signatures it
has received from the downstream ip|agent (the two ip|agents must be synchronized),
October 2014
1-19
Ipanema System
Thanks to this correlation mechanism, the upstream ip|agent knows how many packets have
been received and when they were received, thus allowing it to calculate the flows D/J/L.
Correlation mechanism
traffic classification according to the multiple criteria:

by application: applications are recognized thanks to a syntax engine allowing layer 7
attributes to be taken into account, thus allowing to identify the vast majority of the user
applications,
by source and destination sites,
by source and destination subnets (according to the User subnets directory),
by TOS value (the "TOS" field of the IP header identifies the Type of Service; they can
be configured in the TOS dictionary),
etc. (the classification level can be determined by configuration),
Then ip|agents output measurement tickets (Correlation Records), when polled by ip|boss
Collector, every minute (or every 5 minutes on very large networks; this parameter Collect
is set at the Domain level in ip|uniboss).
(ip|boss will store the information in a MIB, depending on the created MetaViews (see the reports
configuration in ip|boss) and in ip|dashboards database, and ip|reporter will poll ip|bosss MIB
using SNMP to aggregate the information and generate the reports; see below.)
1-20
October 2014
Ipanema System
1. 3. 1. 2. Considerations on fragmentation
Transmitting large packets on the network can degrade the quality of service for applications,
particularly if access speed is low. IP protocol allows datagrams to be fragmented into several
packets (fragments). Fragmentation can be performed at different points, but is generally
performed:
by the access router (CPE) connected to a low-speed interface,

by an access or transit router in certain cases of congestion.
Fragments are not reassembled on the network or in the router, but by the end station.
To keep measures consistent without making assumptions on whether and where fragmentation
occurred (before or after the first ip|agent), the Ipanema system performs measurements on the
datagrams. This choice allows the classification mechanisms to operate correctly, even though port
numbers of the TCP/UDP protocol are present only in the first fragment of a datagram.
This choice is also consistent with applications behaviors. Indeed, the user application must wait
for the datagram to be reassembled before it is able to use the data it contains. It is therefore the
reception of the last fragment that is important.
A datagram is considered to be lost as soon as one or more of its fragments is lost. In this case,
the datagram is not delivered to the transport layer by the destination terminal.
1. 3. 1. 3. Time synchronization
ip|engines, nano|engines and virtual|engines synchronization on the Domain is used for
correlation (see above), hence for Delay/Jitter/Loss measurement (and measurement only:
control, redundancy elimination, etc., do not require synchronization).
There are two synchronization layers:
Time servers
they can be either ip|engines, virtual|engines, ip|boss or External NTP servers,

one is enough,
if several are used, they MUST deliver a consistent time between each other,
if an ip|engine is a Time Server, it will use its local ITP configuration.
Synchronization servers
they must be ip|engines or virtual|engines of the Domain,
they will not use their local reference, except in case of Time servers failure,
they share their clocks with their peers (all other synchronization servers).
The Synchronization servers take their timing from the Time server and issue it to the rest of the
Domains appliances and virtual machines.
Synchronization two-layer model
October 2014
1-21
Ipanema System
This two-layer model allows GPS-less yet precise synchronization across the whole Domain, out
of Domain synchronization and short term no time function (a Domain can be disconnected from
its Time server, thus improving resiliency).
1. 3. 1. 4. ip|boss: monitoring and SNMP Agent

ip|boss monitoring function and ip|dashboard client provide a real-time view of the performance
and activity of the observed traffic in the form of graphs.
Measures collected in the Correlation Records are stored in ip|dashboards database, thus
allowing real time monitoring of the traffic, and in ip|boss MIB, where they can be polled by
ip|reporter (or other devices), thus allowing any view (local, global, etc.), aggregating the data
according to multiple criteria (by sites, by countries, by applications, etc.).
1-22
October 2014
Ipanema System
1. 3. 2. Application Control (ip|fast)

End-to-end QoS depends on both network infrastructures (transmission lines, access lines, traffic
engineering policies) and user traffic.
Network bottlenecks result in congestions and, at times, limit optimum bandwidth to well below its
rated value. Transmitting more traffic will only result in increased transfer time and losses, thereby
degrading QoS and application "goodput".
The goal of the Application Control feature is to anticipate and avoid congestions, and to
guarantee the users experience by adjusting each application flow in real-time.
To reach that goal, Application Groups attributes include:
the business criticality of the application flow (top, high, medium or low),
the bandwidth objective (bandwidth requirements of the application flow, necessary and
sufficient to provide it with good quality),
the traffic type (real time, transactional or background),
compression and acceleration capabilities,
thus allowing to the controlling agent (ip|fast) to protect the business critical flows dynamically and
efficiently, also taking into account the demand in real time (measured by ip|true).
There is no need to set low-level, network or device-specific policy rules.
The utilization of these parameters by ip|fast can be summarized as follows:
business criticality: the higher the criticality of the flow, the more ip|fast will protect it;
bandwidth objective: bandwidth that ip|fast will try to provide to the application flow, even
when the available bandwidth is scarce; the higher the criticality of the flow, the more likely its
bandwidth objective will be met at all times;
traffic type: ip|fast will manage the priorities between the different queues depending on the
sensitivities of the flows to avoid Delay and Jitter on the sensitive ones, knowing that:
real time flows are sensitive to Delay and Jitter; examples: VoIP and Video conference,
transactional flows are sensitive to Delay (but not to Jitter); examples: Telnet, Citrix,
background flows are not sensitive at all; examples: file transfer, e-mail.
compression and acceleration capabilities: to know whether the flow can be compressed (with
ip|xcomp, see below) and/or accelerated (with ip|xtcp, see below).
Congestion anticipation and avoidance is performed by comparing the available bandwidth (or
network capacity) and the bandwidth used by all flows currently running (network usage).
The comparison is performed on the access links, ingress and egress, and possibly end-to-end
(namely if the available bandwidth between any pair of sites is not fix and guaranteed).
If the network usage reaches about 95% of the network capacity, then ip|fast triggers and starts
controlling the bandwidth allocation.
The network usage is known very precisely, thanks to ip|true who measures each and every
packet crossing the Ipanema appliance or virtual machine.
The network capacity is:
either fix (and defined in ip|boss, in the WAN access parameter),
or (if it varies) automatically and dynamically estimated by the Tracking function.
The Tracking function itself is activated in the WAN access window, where a maximum
and a minimum bandwidths can be defined:
if the minimum is set at a lower value than the maximum (min < max), then
the Tracking function will estimate the instantaneous bandwidth, at any moment,
between these two thresholds;
if the minimum is set at the same value as the maximum (min = max), then
the Tracking function is disabled, and the available bandwidth is considered as
constant.
It is also the Tracking function that anticipates and avoids end-to-end congestions.
October 2014
1-23
Ipanema System
ip|fast principles
ip|fast is completely transparent to the network (the CPE only performs IP routing
functions for network access) except when the Coloring function is used, in which
case the ToS field can be marked (see below).
ip|fast and CoS
If an operator offers different Classes of Service, assigning a CoS to the traffic becomes difficult. To
adapt to this constraint and allow full compatibility between Ipanemas traffic protection and the
operators policy, the Ipanema System can automatically color (or mark) the packets according
to the traffic Criticality and Type, using the ToS/DSCP field. The mode is Color-Blind (all packets
are treated as if they were uncolored: they are marked according to the selected coloring rule
regardless their initial color, if any).
Topology: how to control flows end-to-end, even in a full-mesh environment
From a topological point of view, as several access points may send data to the same destination
(and an access point may send data to several others), it can result in One-to-N or N-to-One type
congestions.
To solve the issue, ip|fast dynamically shares the global network available bandwidth to all active
sources, taking into account the traffic demand, network bottlenecks and N-to-N congestions.
This is made possible thanks to the permanent communication between ip|agents.
Summary
ip|fast can be summarized as follows:
it globally and dynamically controls bandwidth allocation between all access points,
it adapts QoS policies to current network performance and real user demand,
it selects, for each traffic flow, the right Class of Service in terms of performance,
based on:
1-24
the traffic requirements (criticality, bandwidth objectives),

the bandwidth demand,
the network performance.
October 2014
Ipanema System
1. 3. 3. WAN Optimization (ip|xcomp, ip|xtcp, ip|xapp)

End-to-end quality of application flows vastly depends on the capacity of the links, and on
the end-to-end delays. WAN Optimization, that leverages the Application Control feature,
helps improving quality by accelerating delay sensitive applications and by reducing bandwidth
consumption.
To reach that goal, three services are used:
ip|xtcp: one-side TCP acceleration,

ip|xcomp: compression (or redundancy elimination) and TCP acceleration,
ip|xapp: CIFS acceleration.
1. 3. 3. 1. ip|xtcp
TCP was not designed for networks with a large BDP (Bandwidth-Delay Product, i.e. large RTT
and/or high available bandwidth) or with a significant Bit Error Rate:
the slow-start mechanism increases the latency of short transfers,

due to the BDP limitation, the TCP sessions cannot fully utilize the available bandwidth, and
error recovery is slow.
TCP acceleration (ip|xtcp service) overcomes these two limitations, using an ip|agent on the
sender side (single-side technology). To achieve that goal, it is tightly coupled with ip|fast:
ip|fast knows the available bandwidth precisely, so we do not need the (old) TCP mechanism
to discover it,
thanks to ip|fast, ip|xtcp is able to provide the flows with just the right amount of acceleration
(accelerating flows too much could create congestion!), still guarantying critical applications
protection.
It uses two mechanisms, independent from each other:
speed-up the slow start (fast start),

overcome the BDP limitation (over-bdp).
The key idea is, for each connection, to proactively enslave the TCP source rate to the ip|fast
computed rate for this connection.
1. 3. 3. 2. ip|xcomp
For many reasons, it can be difficult to increase the bandwidth of a link (cost, operator delay, etc.).
ip|xcomp overcomes this problem, by increasing the volume of traffic that can be sent on the
network. To achieve that goal, two different mechanisms are used:
SRE (Standard Redundancy Elimination):

Transparent mechanism that uses a TCP proxy and stores the redundant patterns, at the stream
level, on the ip|engines, virtual|engines or device hosting IMAs hard disks, and exchanges
small signatures instead, thus reducing bandwidth consumption.
SRE is particularly efficient to compress big flows such as large file transfers, for instance.
ZRE (Zero-delay Redundancy Elimination):
Mechanism that compresses the data, at the IP packet level, without buffering them (hence
its name, zero delay) and encapsulates the compressed data in UDP tunnels before sending
them (tunnels are automatically created).
ZRE is particularly efficient with delay-sensitive flows, and with flows that do not have large
redundant patterns (typically transactional applications).
The best mechanism is automatically selected for each flow, but it can also be forced by
configuration (in ip|boss), site by site and Application Group by Application Group.
ip|xcomp SRE also accelerates TCP, by using window scaling (RFC 1323) between the two
proxies.
ip|xcomp and ip|xtcp are mutually exclusive: when both are available, it is ip|xcomp that prevails
(ip|xcomp SRE also accelerates TCP anyway).
October 2014
1-25
Ipanema System
1. 3. 3. 3. ip|xapp
The ip|xapp service allows accelerating CIFS traffic.
CIFS stands for Common Internet File System, also known as SMB (Server Message Block). It is
a proprietary Network protocol, the most common use of which is sharing files on a LAN, but also,
due to Data Server Consolidation, over the WAN.
ip|xapp accelerates CIFS version (or Dialect) NT LM 0.12 (SMB1).
Deployment
CIFS Acceleration is a Client-side technology. So the typical deployment case uses ip|engines
installed near the CIFS clients, or IMAs on the hosts running them, therefore mainly in Branch
Offices.
CIFS acceleration and Redundancy elimination
ip|xapp and ip|xcomp are compatible. It is possible to compress accelerated CIFS traffic, both
with ZRE and SRE, in one, the other or both directions, depending on the Application Group CIFS
is matching, and on the local and remote sites compression/decompression capacities.
1-26
October 2014
Ipanema System
1. 3. 4. Dynamic WAN Selection (smart|path)

The goal of Dynamic WAN Selection (DWS) is to combine multiple physical networks (hybrid
networks, e.g. MPLS and Internet) into one unified logical network, maximizing both Quality of
Experience & business continuity.
To achieve that goal, smart|path:
automatically and dynamically selects the best traffic path, according to Application Groups and
WAN accesses configuration,
the Ipanema appliance handles the dynamic traffic conditioning according to the destination of
the flows.
This maximizes application performance, security and network usage based on:
network quality and availability,

application Performance SLAs,
sensitivity level of the information.
It maximizes combined networks efficiency:
network capacity,
network availability,
network performance.
Typical deployment cases:
single router with multiple interfaces,

several routers with one interface (for example HSRP clustering).
These cases can be combined in a same site or in a same network.
October 2014
1-27
Ipanema System
1. 3. 5. Network Rightsizing (smart|plan)

The bandwidth usage at a site does not reflect the actual users needs. Moreover, TCP uses as
much bandwidth as it can (TCP elasticity), and TCP does not make any difference between a non
critical FTP transfer and an ERP critical flow, for instance: although less critical, FTP will use more
bandwidth than the ERP.
As a consequence, usage based provisioning is always over-estimated:
usage based provisioning = over-provisioning
There is also a drawback in increasing the bandwidth at a site (apart from the cost): the more
available bandwidth, the less its usage matches the business needs of the company:
more bandwidth attracts useless traffic!
The Network Rightsizing feature, provided by an optional module of ip|reporter, allows aligning
network sizing to budget and business requirements, thus allowing companies to size their
networks at the best rather than over-provisioning them:
by taking the actual needs of the flows into account,

by eliminating security margins (tempest of the century syndrome),
by being insensitive to the topology.
It is based on the smart|plan service, that leverages ip|fast and provides ip|reporter with further
metrics, allowing it to produce very high added value yet easy-to-use reports, enabling a complete
analysis of the relationship between bandwidth (resource) and delivered service level (results) for
each network access.
Using this information, it is possible to immediately decide if the access link is under-provisioned
or over-provisioned in regard of the expected service level per applications business criticality.
The data generated by the smart|plan service is available throughout the Ipanema System
components. ip|boss makes them available through the SNMP interface, ip|reporter uses them
to generate the appropriate easy-to-use reports and ip|export can export them in text or Excel
format for post-processing.
Network Rightsizing report

To enable this feature on a site:
there must be an Ipanema appliance or virtual machine on the site,

ip|fast must be enabled,
the smart|plan option must be enabled.
Thanks to the smart planning feature, the Ipanema system allows the best usage of the network
capacity according to the performance objectives, by enabling the user to select the best
cost/performance compromise based on application service levels.
1-28
October 2014
Ipanema System
1. 3. 6. Tele-managed sites
tele|engines were introduced for easier customer acceptance, in case of hub-and-spoke traffic
matrix, where they allow Application Visibility and Application Control features on sites that
are not equipped (no ip|engine, no nano|engine and no virtual|engine on the site).
To make this possible, ip|agents must be present at the other ends of the flows (measurement,
control and acceleration will be performed by the remote ip|agents indeed reason why such
sites are called a tele-managed site).
Unlike a physically existing ip|agent, yet, a tele|engine does not measure one-way-delays,
jitter and loss rates, nor does it accelerate the traffic (but traffic to a tele-managed site can
be accelerated); other metrics such as throughput, number of sessions, RTT, SRT and TCP
retransmissions can be computed remotely, so they are available on tele-managed sites.
tele|engines are configured through ip|boss just the same way as existing physical appliances
(ip|engine menu). Then Application Control can classify and control the traffic from or toward
these sites, according to the rules defined in the Application Groups. Traffic conditioning functions
are automatically instantiated upon traffic recognition.
Typical deployment cases:
ip|engines, nano|engines or virtual|engines on central sites and sites with meshed traffic,
tele|engines for small Branch Offices and simple traffic pattern.
With ip|coop option, a group of remote ip|agents cooperate (RCG: Remote Coordination Group)
for each tele|engine, to do what a local ip|agent would have done, namely:
measure the traffic (ip|true),

detect congestions and control the flows (ip|fast).
The RCG is made of up to 8 ip|agents (on the 8 most active remote sites for each tele-managed
site) and is automatically and dynamically configured by ip|boss.
Thus, the contribution of each tele|engine can be precisely estimated so that congestion to and
from the remote site can be managed (as through a proxy).
tele|engines have some limitations, yet:
no Delay/Jitter/Loss measurement,
neither measurement nor control of shadow traffic (traffic between tele-managed sites),
end-to-end bandwidth Tracking is less efficient and less reactive,
no limitation of egress UDP traffic.
When ip|coop option is enabled, the number of tele|engines is controlled by ip|boss and defined
in the license file delivered to the customer. Without this option, the number is unlimited.
October 2014
1-29
CHAPTER 2. UNIFIED ACCESS TO THE

IPANEMA SYSTEM (SALSA CLIENT)
2. 1. SALSA WEB PORTAL

The SALSA Web Portal offers a single access point to all SALSA components: ip|uniboss,
ip|boss, ip|dashboard and ip|reporter, with a single URL entry point and a unique username
and password.
The URL to access SALSA Web Portal is
https://<ipanema_server>/salsa/
where ipanema_server is the server where ip|uniboss was installed. The User is prompted for
a login and password:
SALSA Web Portal login window

Default login and password are: administrator / admin.
October 2014
2-1
Ipanema System
Once logged in, the User accesses the SALSA portal:
SALSA portal
This page can contain (depending on the Users access rights):
2-2
the Domain selector: drop-down list allowing to choose the Domain to be configured (with
ip|boss) or monitored (with ip|dashboard) this selection is useless for ip|uniboss (as it
manages all Domains) and ip|reporter (as it allows browsing in all Domains depending on
the User rights with a folders structure playing the role of a Domain selector),
the welcome message for the selected Domain (it can be configured in ip|uniboss),
an ip|uniboss button, to open ip|uniboss client,
an ip|boss button, to open ip|boss client and configure the Domain selected in the Domain
selector,
an ip|dashboard button, to open ip|dashboard client and monitor the Domain selected in the
Domain selector,
an ip|reporter button, to open ip|reporter client and visualize the reports.
October 2014
Unified access to the Ipanema System (SALSA client)
2. 2. UNIFIED USER MANAGEMENT

Users can be:
either internal: authentication and authorization are performed by ip|uniboss internal LDAP,
or external: authentication is performed by an external LDAP or using the SAML service;
authorization is performed by ip|uniboss LDAP.
Users are configured using ip|uniboss GUI (see 3.6. MANAGING USERS).
When a User connects to the SALSA Web Portal:
1. The portal requests an authentication to the web browser,

2. The portal checks given username/password against the internal LDAP directory,
3. If the User is external, then their username/password are passed onto the external LDAP for
authentication,
4. Once the User is authenticated, either internally or externally, the portal retrieves their ACLs
from ip|uniboss LDAP and caches them in memory, as well as HTTP Authentication headers,
before redirecting the request to the appropriate web application given the current portal URL
request.
SALSA unified User management with the internal LDAP
Authentication can also be automatic (SSO), supplying the Users credentials in the
URL or passing the User name as an HTTP header, without authentication in that
case only permissions are checked, using the User name and group supplied in the
request headers. Refer to 3.6. MANAGING USERS to see how to configure SALSA
Apache server as required.
October 2014
2-3
Ipanema System
2. 3. SALSA URLS
All components of the Ipanema system (ip|uniboss, ip|boss, ip|dashboard and ip|reporter web)
can be accessed via SALSA unified client at this URL:
https://<ipanema_server>/salsa
It automatically redirects the User to the welcome page that contains the Domain selector
capability:
https://<ipanema_server>/salsa/salsa_portal/.
These components can also be accessed individually and directly at the following URLs (these
URLs are secured through LDAP-based authentication, therefore only unified users have access
to them; they are entry points for all SALSA components using SSO):
https://<ipanema_server>/salsa/...
ipuniboss_portal/: ip|uniboss portal,

<domain_name>/: selected Domain with ip|boss portal,
gui/<domain_name>/: selected Domain with ip|dashboard,
ipreporter_portal/<domain_name>/: selected Domains reports with ip|reporter
portal.
ip|uniboss and ip|boss CLI clients are available at the following URLs:
https://<ipanema_server>/ipuniboss_cli/: access to ip|uniboss CLI client,

https://<ipanema_server>/ipboss_cli/: access to ip|boss CLI client.
If authentication is external, whatever the method (LDAP or SAML) it is always possible to use
an internal URL to perform authentication using SALSA users only. Internal authentication is not
impacted by the different external services. To use it, simply replace salsa by internal in
SALSA URLs (https://<ipanema_server>/salsa/...):
https://<ipanema_server>/internal/...
2. 4. LDAP AUTHENTICATION
LDAP authentication is performed in the Apache httpd server using mod_authnz_ldap. The
configuration for the module is located in production/ip_boss/izpack/httpd_ldap.conf.
Upon successful authentication, HTTP headers are added to the request that is forwarded to the
Tomcat server through an AJP connection (the configuration of the mod_proxy_ajp module is
located here ). These headers (x-6307-is-*) contain the profile of the authenticated user: name,
accessible domains, and access rights to ip|boss, ip|uniboss, and ip|reporter web.
When forwarding to external users URLs, the front end portal is expected to fill the x-6307-is
headers to provide information about the user it has authenticated.
2-4
October 2014
Unified access to the Ipanema System (SALSA client)
2. 5. VISTAPORTAL AND VPSE CONSIDERATIONS

2. 5. 1. VistaPortal considerations
VistaPortal cannot deal with HTTP headers for authorizations. It uses ip|uniboss LDAP servers to
retrieve user permissions.
We have added a Tomcat valve that parses Ipanema HTTP headers coming from ip|uniboss
Apache server and puts them back in ip|uniboss LDAP server in order to always provide
authorizations to VistaPortal through our LDAP.
Then VistaPortal reads and maps the user permissions into properties that are used to filter Objects
like Domains, MetaViews, reports, and so on.
There is nothing particular to do for the valve installation; ip|reporter web installer is taking care
of installing and configuring the ipanema valve in the VistaPortal tomcat, the only parameters to
provide are ip|uniboss LDAP connection parameters during ip|reporter web installation.
The code of the Tomcat valve is located under ip_reporter/uum in the ip_reporter_web project
(VF_4 feature branch).
2. 5. 2. VistaPortal SE considerations
VistaPortalSE cannot deal with HTTP headers for authorizations. It uses internal files to manage
users (portalsesetup.xml, security.properties).
We have added a Tomcat valve that parses Ipanema HTTP headers coming from ip|uniboss
Apache server and maintains internal files model consistent with the Ipanema user permissions
and authorizations.
VistaPortalSE user internal representation is made by associating Users and InfoVista instances;
by this way it lets a user access to reports the Domains of which are located in different InfoVista
instances.
There is nothing particular to do for the valve installation; ip|reporter web installer is taking care
of installing and configuring the Ipanema valve in the VistaPortalSE tomcat, the only parameters
to provide are ip|uniboss LDAP connection parameters during ip|reporter web installation.
October 2014
2-5
CHAPTER 3. MANAGING DOMAINS, USERS

AND LICENSES (IP|UNIBOSS)
3. 1. DOMAINS OVERVIEW
After ip|uniboss and ip|boss servers installation, you have to create a Domain to use the system.
A Domain is a coherent set of elements:
ip|boss,
ip|engines.
The Domains are hermetic, an ip|engine of a Domain cannot dialog with an ip|engine
of another Domain. An ip|boss server can manage several Domains; one instance per
Domain should be created.
The creation of a Domain is done only on the server.
To create a Domain launch ip|uniboss web client (a CLI client is also available).
October 2014
3-1
Ipanema System
3. 2. IP|UNIBOSS CLIENT
3. 2. 1. Connection to ip|uniboss
To connect to ip|uniboss server, click on ip|uniboss button in SALSA client:
SALSA client
The selected Domain has no impact, as ip|uniboss gives access to all Domains
(according to the User rights).
3-2
October 2014
Managing Domains, Users and Licenses (ip|uniboss)
3. 2. 2. ip|uniboss main window
ip|uniboss main window (in this view, Domains already exist)

The main window is divided into 5 parts:
A title bar, with Ipanema Technologies logo; closes all open windows when you click on it.
A tool bar, on the left: it is composed of icons which give access to the different screens of the
software.
A menu bar, on the top: it is composed of five menus, File, Edit, Display, Actions and ?.
A tab bar, below the menu bar: it shows all the open windows and allows to select any of them
without needing to reload it from the tool bar. The active windows tab is highlighted in blue.
ip|uniboss client with two windows open
The working table, that is subdivided into two parts:

A tool bar, composed of icons which allow to read, create, clone, modify and delete
objects (Domains, etc.).
The list of created objects (Domains, etc.).
The buttons of the main tool bar are the following:

Update: updates the configuration; flashes when an update is necessary.
October 2014
3-3
Ipanema System
ip|boss servers: opens the ip|boss servers window.
Radius: opens the Radius window.
Domains: comes back to the Domains window.
Users: opens the Users window,
User Groups: opens the User Groups window,
Inventory: shows the inventory.
Log: shows the logged events.
Issues: shows the issues, when applicable.
ip|reporter web portals: opens the ip|reporter web portals window.
VistaMart: opens the VistaMart window.
Server Group: opens the Server Group window.
IV Server: opens the IV Server window..
About: shows information about ip|uniboss version and license information, and allows to
import a license.
Quit: quits ip|uniboss client.
3-4
October 2014
The buttons of the working tables are the following:

(consult): to consult an object (without modification capability),
(new): to create a new object,
(clone): to create an object from another one,
(modify): to modify one or more objects,
(delete): to delete one or more objects.
(search): to search object matching various criteria (see Edit > Search menu below),
(new filter): to filter the data (see View > Filter menu below),
(modify filter): to modify filters (see View > Filter menu below),
(sort by): to sort the data (see View > Sort menu below),
(choose columns): to choose the columns to display,
(save preferences): to save the view matching the filters, etc.; give the preferences a name
(Preference name) and select whether you want these to be your default view (checking the
Default preference box), the default view for mobiles (checking the Default preference for mobile
box), whether you want them to be accessible to other users (checking the Shared preference box)
and whether you want them to apply to this view only (checking the on this view radio button) or to
all views of the same type (checking the on views of the same type radio button); then a drop-down
list appears on the right (if no preference had been previously saved):
,
allowing selecting these preferences, other saved preferences, or displaying everything with no
filter (selecting All),
(delete preferences): to delete previously saved preferences.
The menus are the following:

File
New: to create a new object,

Quit: to quit ip|uniboss.
Window
Close All: to close all open tabs,

<Function>: to select the tab corresponding to the selected function.
Edit: you can select an object by clicking on its line. To select other objects, you have to click on
their lines while pressing the Ctrl key. The Edit/Select all allows to select all the objects on the list.
The Edit/Unselect all allows to unselect all the selected objects. In the status bar, the number of
selected objects and the total number of objects is shown.
Search: to search for objects; opens a dialog box which allows to find all the objects with an
attribute containing the specified text. The navigation between the found objects is made with
the menus Edit > Next and Edit > Previous.,
October 2014
3-5
Ipanema System
Next: to jump to the next found object,

Previous: to jump to the previous found object,
Select all: to select all the objects,
Unselect all: to unselect all the objects.
View
Sort: to sort objects; by clicking on the header of a column, you sort the list according to this
column (by clicking again on the column, you change the order ascending-descending). By
clicking on several columns while pressing the Ctrl key, you make a sort on multi-columns.
These functions are also available with the menu Display/Sort.
Group by: to group objects by various criteria,
Filter: you can create some filters on the list which display only the filtered objects according to
the criteria. A simple filter works with only one field whereas an extended filter is a combination
of simple filters. When a filter is active, the number of displayed objects and the total number of
objects is written on the status bar.
New filter: to create a new simple filter,
Modify filter: to modify an existing filter,
Active filter: to activate or deactivate the selected filter.
Choose columns: to choose the columns to display,

Preferences:
Save: to save the active filter (and column display),
Delete: to delete a filter (and column display).
Actions: allows to make all the actions achieved through the corresponding buttons:
Consult,
Clone,
Modify,
Delete.
About: shows the software version and license information (the same as the About button).
In some tables (Domains, ip|boss servers, etc.), an LED on the left gives the objects operational
states; for the Domains, it can be:
green (Started),
grey (n/a: disabled),
amber (Starting),
red (the number of ISUs exceeds the total ISU credit),
small and dark (when the Domain has just been created, before an Update has been applied).
It can be displayed by moving the mouse upon it:
3-6
October 2014
Domains operational state
October 2014
3-7
Ipanema System
3. 3. IMPORTING A LICENSE
To create Domains, the license file license.ipmsys must be installed.
To get your license file, please contact the Ipanema Support service at the e-mail address
support@ipanematech.com or license@ipanematech.com.
In the Toolbar, select
About:
It shows the software version and license information (maximum number of Domains, total ISU
credits (Ipanema Software Units), maximum number of ip|engines and tele|engines, authorized
features, etc.):
About menu
The total number of ISUs (Ipanema Software Units) can be allocated in a flexible way accross
different Domains; refer to the Create a Domain section below.
To import a license, click on the Import button, browse your folders and select the proper license
file (license.ipmsys).
(The license file is copied:
In the directory uni_boss\conf:

if ip|uniboss and ip|boss are installed on separate servers: on ip|uniboss server, in
the directory ~\salsa\uniboss\server\domains\uni_boss\conf.
if both ip|uniboss and ip|boss are installed on the same server: on ip|uniboss / ip|boss
server, in the directory ~\salsa\ipboss\server\domains\uni_boss\conf.
3-8
In each Domains directory (if Domains were already existing, for example when upgrading
from a version to a new one): ~\salsa\ipboss\server\domains\<Domain>\conf (on
ip|boss server).)
October 2014
3. 4. SYSTEM PROVISIONING
The procedures in this section and in the following ones are all based on ip|uniboss web client.
3. 4. 1. Declare ip|boss servers

Before you can create a Domain, you first need to declare an ip|boss server.
Open the ip|boss servers table

The ip|boss servers table can be displayed by clicking on
Toolbar:
ip|boss servers in ip|uniboss
ip|boss servers table
Declare an ip|boss server

To declare a new ip|boss server, click on the New icon
in the ip|boss servers window. Only
the host name (or the IP address) needs to be entered, all other information (ip|boss version,
OS version and JRE version) will be polled from the server:
ip|boss server declaration window

You need to click on Validate or Apply:
The Ok button creates the object and closes the window.
The Apply button create the object and keeps the window open. This is useful when
you want to create several objects.
The Cancel button closes the window without creating an object. Use Cancel after an
Apply.
October 2014
3-9
Ipanema System
In the servers table, the LED on the left shows the compatibility status of the server; it can be:
green (Compatible) if the server is reachable and compatible with ip|boss; ip|boss
version, OS version and JRE version are polled and displayed:
Compatible ip|boss server
grey (Unreachable) if the server is not reachable,
small and dark (when the server has just been created, before an Update has
been applied: an Update
into account).
3-10
is mandatory for the changes to be saved and taken
October 2014
3. 4. 2. Domains
The Domains window is opened when you start ip|uniboss client.
If other windows have been opened and if the Domains window is not the active one, click on
the Domains tab.
If the Domains window has been closed, in the Toolbar, select
Domains.
3. 4. 2. 1. Create a Domain
Operating procedure table: service ip|reporter
An ip|boss server must be created first. Refer to the previous section.

A running license is required. Otherwise an error window is displayed when
committing a new Domain.
ip|uniboss Domains window
In the Domains window, click on the New button
A creation window opens where you can indicate your Domains characteristics:
October 2014
3-11
Ipanema System
Domain creation window, General tab
The fields with a legend in bold characters are mandatory.
3-12
October 2014
The General tab of the Domain creation window contains the following fields:
Name: to specify the name of the Domain (characters string),

Description: to give additional information, if needed,
Welcome message: to display a text below the selected Domain in SALSAs Domain selector,
ip|boss server
ip|boss server: to choose the server that will manage the Domain (from a drop-down list).
In display mode, ip|boss version, OS version, JRE version and the Compatibility
status are polled from the server and displayed:
Domain ISU
Allocated ISU: to specify the number of Ipanema Software Units that are needed on that
Domain. Each function requires a certain number of ISUs, that can be purchased from Ipanema
(a new license file is then provided; refer to the Import a license section above). The number
of consumed ISUs and available ISUs for each Domain is displayed in the Domains windows.
In display mode, the Credit ISUs (as a percentage of the total number of ISUs
accross all Domains), the Consumed ISUs (according to the activated services
and WAN accesses bandwidths) and the number of Available ISUs (= Allocated
Consumed) are computed and displayed:
Administrative state: to Enable or Disable the whole Domain

When a Domain is disabled, ip|boss services are stopped for this Domain. As a
consequence, there is no collect of the Correlation records and no data collection
in ip|dashboard or in the reports. ip|engines keep on running, yet (so there is no
impact on Application Control, redundancy elimination, acceleration, etc.)
Timezone: to choose the time zone for the Domain:

ip|reporters timing will be based on this value;
in ip|dashboard, it is possible to choose between this value (thus allowing the User
to align the timing in ip|dashboards graphs with that of ip|reporters reports) and the
local time zone (thus allowing the User to display the graphs with their local time).
Access port: port used by the client for that Domain (0 by default 0 stands for a dynamic
port).
Reversor enabled:: to enable the reversor for that Domain.
October 2014
3-13
Ipanema System
SNMP Parameters
This frame allows configuring the SNMP agent of ip|boss:
SNMP Port: to specify the port number of the SNMP agent,

Each Domain (on the same server) must use its own SNMP port, different from the
SNMP port of the other Domains.
SNMP IP Address: to specify the SNMP agent (ip|boss) to be polled by the SNMP Manager
(ip|reporter). By default, it is the same as ip|boss servers. You can specify a different one
in case of multiple interfaces on ip|boss, or a servers cluster (declare the clusters virtual IP
address).
Community name: to specify the community name (public by default).
ip|reporter parameters
This frame allows configuring ip|reporter in order to create/delete reports in InfoVista Server:
Mode: the version of InfoVistas VistaFoundation platform must be specified here: it can be VF0
or VF4, according to the version that was installed. If you dont have any ip|reporter server,
select Disabled.
The next field depends on the selected VistaFoundation platform:
If you are using VF0: IV Server allows to select an InfoVista from the drop-down list.
If the InfoVista server you want to use has not been created yet, you can create it from
this window, by clicking on the New button next to the selection box. Alternatively, you
can use the IV Server function in the Reporting provisioning menu (described below).
If you are using VF4: Group allows to select a servers Group from the drop-down list.
If the servers Group you want to use has not been created yet, you can create it from this
window, by clicking on the New button next to the selection box. Alternatively, you can
use the Server Group function in the Reporting provisioning menu (described below).
Logo URL: to customize the logo in the reports (one logo per Domain). The size of the logo
should not exceed 150 x 80 pixels; most common formats are supported (gif, jpg and png). This
logo will be visible only through a web access.
Tuning
This frame allows configuring the maximum number of Application Groups and User subnets,
the HTTP timeout and the data collection periods between ip|boss and ip|engines and between
ip|reporter and ip|boss, and used as the reporting polling period:
Maximum number of Application Groups: the administrator can limit the number of
Application Groups; -1 (default value) allows an infinite number,
Maximum number of User subnets: the administrator can limit the number of User subnets;
-1 (default value) allows an infinite number,
HTTP timeout: the timeout (in seconds) used on HTTP (or HTTPS) request; the time entered
must be consistent with the network (more than the max. RTT for the most distant ip|engine),
Supervision: the polling period of ip|engine updated status (default values should be used):
1 mn: ip|boss collects the supervision status every minute (default value),
5 mn: ip|boss collects the supervision status every 5 minutes,
15 mn: ip|boss collects the supervision status every 15 minutes.
Collect: the elementary period of the Correlation Records generation (packets collected during
the specified time) and collect period for ip|boss (default values should be used):
1 mn: ip|engines make a CR and are polled every minute (default value),
5 mn: ip|engines make a CR and are polled every 5 minutes,
15 mn: ip|engines make a CR and are polled every 15 minutes.
3-14
October 2014
This parameter is used for ip|dashboards real time flows updates and corresponds
to ip|boss alarms Trigger occurrences.
Short reporting: update period for clients of collector service (SNMP agent) for short period
reports (default values should be used):
1 mn: the SNMP data are updated by ip|boss every minute (default value),
5 mn: the SNMP data are updated by ip|boss every 5 minutes,
15 mn: the SNMP data are updated by ip|boss every quarter .
This parameter is used for some reports in Ipanema Libraries like Time Evolution,
Detailed per Application, Detailed per Application Group, ....
Long reporting: update period for clients of collector service (SNMP agent) for long period
reports (default values should be used):
5 mn: the SNMP data are updated by ip|boss every 5 minutes,
15 mn: the SNMP data are updated by ip|boss every quarter (default value).
This parameter is used for some reports in Ipanema Libraries such as dashboard,
Site Talker/Listener, Subnet Talker/Listener....
User management
The seventh and last frame allows enabling Remote Authentication Dial-In User Service accounting
for the Domain:
Radius Accounting: to enable (when the check box is enabled) or disable (when the check
box is disabled) RADIUS accounting.
To see the RADIUS parameters, please refer to the Create Radius servers section below.
October 2014
3-15
Ipanema System
The Storage tab allows setting the data lifetime in ip|dashboard: up to 3 days of per-minute data
(i.e. the last 72 hours, or 4320 minutes of measured traffic) can be stored in the database and
displayed.
Domain creation window, Storage tab
Per minute data lifetime (in hours, between 3 no history beyond the last 3 hours and 72):
number of hours of per minute data in all evolution quadrants, when the selected time span is
the minute (then they display 3 hours of per minute information),
Example: Throughput Evolution quadrant, with time span: min
Per minute application flows lifetime (in hours, between 0 no history and 72): number
of hours of per minute data in the flows lists, when the selected time span is the minute (then
they display values averaged over a minute),
Per hour data lifetime (in days, between 0 no hourly aggregation and 3): number of days
of aggregated data in all evolution quadrants, when the selected time span is the hour (then
they display 3 days of hourly aggregated information),
Example: Throughput Evolution quadrant, with time span: hour
3-16
Per hour application flows lifetime (in days, between 0 no hourly aggregation and 3):
number of days of per minute data in the flows lists, when the selected time span is the hour
(then they display values averaged over an hour),
October 2014
Disk size limit (in Bytes, KB, MB, GB, TB); syntax: the desired value followed by the prefix
multiplier (B, K, M, G or T) with no space (e.g. 500G): provided storage lifetimes are configured,
an additional Disk size limit can be set as a safety net. History does not go beyond the first of
the two limits being met (e.g., if the disk used meets the Disk size limit after 2 days, the new
data will replace the 2day old data, thus keeping 2 days of information only, even though the
Per hour lifetimes have been set to 3 days).
Whatever the configuration, data collection will stop if more than 90% of the physical
hard disk capacity is used.
Technical Notes can help you size the server resources (CPU, RAM, HD) depending
on various factors, such as the number of Domains, the number of Sites, data
lifetime, etc.
Default parameters
When migrating a Domain from SALSA v7 to SALSA v8, the default values are: 3, 0, 0, 0, which
is completely equivalent to what we had in SALSA v7 (no history and the time span could not
be set it was a minute as there was no hourly aggregation).
When creating a new Domain, the default values are: 3, 3, 3, 3 (3 hours of history in the flows
lists, hourly aggregation during 3 days).
When done, you need to click on Validate or Apply:
The Ok button creates the Domain and closes the window.

The Apply button creates the Domain and keeps the window open. This is useful when you
want to create several Domains.
The Cancel button closes the window without creating any Domain. Use Cancel after an Apply.
An Update is mandatory for the changes to be saved and taken into account: click on
the Update button
The Domains parameters can be read in the Domains window and in the Inventory window.
October 2014
3-17
Ipanema System
After a Domain creation (HMS in the example below) the following directory tree is created on
ip|boss server (by default in ~\salsa\ipboss\server\domains\):
3. 4. 2. 2. Move a Domain
Refer to the document DomainMove.pdf provided on the DVD-ROM, in the \doc directory.
3-18
October 2014
3. 4. 3. Radius
The Radius feature allows the user to:
Define several Radius servers,

Distinguish accounting servers from authentication servers,
Select the server selection algorithm.
The Radius configuration is common to all Domains. For each Domain, the Radius management
can be activated or not (refer to the Create a Domain section above).
If the Radius management is not activated, or if all declared Radius servers are unreachable, we
automatically fall back to the embedded ip|boss users management mode.
The Radius window can be displayed by clicking on
Radius in ip|uniboss Toolbar:
Radius window
This window contains two tabs: Configuration and Accounting servers.
Configuration
This tab allows to configure the RADIUS accounting parameters:
Retry: number of times the server will attempt to contact the Radius servers before falling down
to the embedded ip|boss users management mode; default value is 3;
Timeout: time interval in seconds to wait for the Radius server to respond before a timeout;
default value is 10 seconds;
Dead time: duration between two accesses to an unreachable Radius server (a server is
considered unreachable when the configured number of retries has been reached without
receiving a response within the specified timeout); value 0 means that a server is never
removed from the list of available servers; default value is 10 minutes;
Selection algorithm: allows to choose between a serial and a round-robin algorithm to select
the server, when there are several ones:
serial: the available servers are used one after the other, using the configured timeout
and retry. The order is based on the priority attribute: the lower priority value is taken
first.
round robin: the available servers are used randomly, using the configured timeout
and a retry set to 1. When all servers have been tried, a second loop is done, and so
on depending on the retry value. The order is based on the priority attribute: the lower
priority value is taken first.
Accounting servers
This tab allows to create, modify or delete Accounting servers.
October 2014
3-19
Ipanema System
Click on the New icon
in the Accounting tab to create a new Accounting server.
Accounting server creation window

The Accounting server creation window contains 5 fields:
3-20
Priority: value between 0 and 32767 used to define different priority levels between the different
servers, when there are several ones; the higher the value, the lower the priority; default value
is 10,
Name: name you want to give the server (50 characters max); names must be unique across
the servers dictionary,
Host name: IP address or host name of the server (50 characters max),
Port: port on which the server is listening to accounting requests (generally UDP/1646),
Shared secret: shared secret for Radius authentication; it must consist of 15 or fewer printable,
non space, ASCII characters; it should have the same qualifications as a well-chosen password.
October 2014
3. 5. REPORTING PROVISIONING
The Reporting provisioning menu contains four functions: ip|reporter web portals, VistaMart,
Server Group and IV Server.
It allows to configure the ip|reporter components, which differ according to InfoVista platform being
used (VistaFoundation 0 or VistaFoundation 4):
ip|reporters architecture with InfoVistas VF0
ip|reporters architecture with InfoVistas VF4
October 2014
3-21
Ipanema System
3. 5. 1. ip|reporter web portals (VF0 and VF4)

The ip|reporter web portals window can be displayed by clicking on
in ip|uniboss Toolbar:
ip|reporter web portals
ip|reporter web portals window

This window shows all created ip|reporter web portals in a table with 5 columns:
3-22
Host name (mandatory parameter),

Description: a short description can be written for each ip|reporter web portal (not
mandatory),
Mode: it can be either VF0 or VF4, according to the version of InfoVista platform being installed
(mandatory parameter),
Base URL: the URL extension to be used to reach the portal; default values are PortalSE with
VF0 and VPortal with VF4 (mandatory parameter),
HTTP Port: port being used, if defined (not mandatory).
October 2014
to create a new ip|reporter web portal.
ip|reporter web portal creation window

The 5 parameters in this window are described above.
October 2014
3-23
Ipanema System
3. 5. 2. VistaMart (VF4 only)

The VistaMart window can be displayed by clicking on
VistaMart in ip|uniboss Toolbar:
VistaMart window
This window shows all created VistaMart servers in a table with 7 columns:
A status LED, which can be:
green (Operational state = reachable),
red (Operational state = unreachable),
3-24
grey (when a new VistaMart server has been created but before the configuration
has been updated),
Host name,
Version: VistaMart version (this piece of information is polled from the server),
Description: description for the VistaMart server,
Port: port being used to access the VistaMart server,
Login: login to the VistaMart server,
ip|reporter web portal: ip|reporter web portal that runs the VistaPortal attached to the
VistaMart server.
October 2014
to create a new VistaMart server.
VistaMart creation window

The VistaMart creation window contains 7 fields:
Host name,
Description: a short description can be written for each VistaMart server,
Port: port being used to access the VistaMart server; default value is 11080,
Login: login to the VistaMart server; default login is vmar_operator,
Password and Confirm password: the password, if any, must be typed in twice,
ip|reporter web portal: the ip|reporter web portal that runs the VistaPortal attached to the
VistaMart server can be selected from a drop-down list. A new ip|reporter web portal can be
created using the New button next to the selection box. It opens the same creation window as
described in the previous section.
October 2014
3-25
Ipanema System
3. 5. 3. Server Group (VF4 only)

In InfoVista, a server belongs to a Group, and an Ipanema Domain is allocated to a Group. A Group
can be made of several servers, according to required capacity.
The Server Group window can be displayed by clicking on
Toolbar:
Server Group in ip|uniboss
Server Group window

This window shows all created Groups in a table with three columns:
Name: name of the Group (mandatory parameter),

VistaMart: VistaMart server that manages this Group (mandatory parameter),
Description: short description for that Group (not mandatory).
to create a new Group.
Group creation window

The three parameters in this window are described above.
3-26
October 2014
3. 5. 4. IV Server
The IV Server window can be displayed by clicking on
IV Server in ip|uniboss Toolbar:
IV Server window
This window shows all created IV Servers in a table with 12 columns:
Host name: IV Server host name,

Server Group (VF4 only): Group the IV Server belongs to,
Description: short description for the IV Server,
Viewer username (VF4 only): identifier used by VistaPortal SE to get connected to IV Server
(viewer by default),
Viewer password (VF4 only): password for the Viewer username on the IV Server (no password
by default for the viewer login),
Username: login to the IV Server (administrator by default),
Password: password for the Username on the IV Server (no password by default for the
administrator login),
ip|reporter web portal (VF0 only): ip|reporter web portal (VistaPortal SE server) connected
to IV Server.
Port mapper: port used by the services based on Remote Procedure Call (RPC) which do not
listen for requests on a well-known port, but rather pick an arbitrary port when initialized; they
then register this port with a Portmapper service running on the same machine. Default value
for IV Server is 1275.
Manager: TCP port configured in the IV Server for the manager service (0 for a dynamic port),
Collector: TCP port configured in the IV Server for the collector service (0 for a dynamic port),
Browser: TCP port configured in the IV Server for the browser service (0 for a dynamic port).
the 3 previous fields are optional (used in firewall environment).
to create a new IV Server.
This window contains two tabs, Basic and Advanced.
Basic contains the following parameters: Host name (mandatory), Server Group (VF4
only, mandatory), Description (not mandatory), Username (default value: administrator;
mandatory), Password (there is no password by default for the administrator login; not
mandatory) and ip|reporter web portal (VF0 only, not mandatory)
October 2014
3-27
Ipanema System
Advanced contains the following parameters: Viewer username (VF4 only, default value:
viewer; mandatory), Viewer password (VF4 only, not mandatory), Port mapper (default
value: 1275; mandatory), Manager (not mandatory), Collector (not mandatory), Browser (not
mandatory)
All these parameters are described above. There is one more field, at the top of the creation window,
to select the VistaFoundation version:
Mode: select either VF0 or VF4 with the radio buttons, according to InfoVistas platform version
being installed.
IV Server creation window (two tabs), with VF0 selected
IV Server creation window (two tabs), with VF4 selected
3-28
October 2014
3. 6. MANAGING USERS
UNIFIED USER MANAGEMENT
SALSA can be configured to enable different types of user accesses to its resources:
Internal or external:
internal:
authentication and authorization are performed by ip|unibosss internal LDAP; Users
only have to be declared in ip|uniboss (see 3.6.1.);
external:
authentication is performed by an external LDAP (see 3.6.5.) or using the SAML
service (see 3.6.6.);
authorization is performed by ip|unibosss LDAP, at the Users (see 3.6.1.)
and/or at the User Groups (see 3.6.2.) levels; when defined at both levels,
authorizations are merged.
If authentication is external, whatever the method (LDAP or SAML) it is
always possible to use an internal URL to perform authentication using
SALSA users only. Internal authentication is not impacted by the different
external services. To use it, simply replace salsa in SALSA portal URL
(https://<salsa_server>/salsa/salsa_portal/) by internal
(https://<salsa_server>/internal/salsa_portal/) this also applies
to all URLs used in the SALSA suite.
Manual or automatic:
manual:
users supply their credentials on logging in SALSA portal (no configuration is required
in SALSA this is the default);
automatic:
the users credentials can be supplied in the URL (see 3.6.3.) or the user name can
be passed as an HTTP header, without authentication only permissions are checked
using the user name and the group supplied in the request headers (see 3.6.4.).
The sections below describe how to configure SALSA to enable these different accesses to its
resources:
3.6.1.
3.6.2.
3.6.3.
3.6.4.
3.6.5.
3.6.6.
System administration: Users (ip|uniboss)

System administration: User Groups (ip|uniboss)
User credentials supplied in the URL
User name as an HTTP header
External LDAP authentication
External SAML authentication
October 2014
3-29
Ipanema System
3. 6. 1. System administration: Users

User access types to SALSA resources
To create internal Users, select System administration in the Toolbar, then
window is displayed:
Users. The Users
External Users can belong to User Groups (see the next section), in which case they
do not have to be created as (individual) Users with the procedure described here. If
they are defined at both levels, their authorizations are merged.
Users window
This window shows a table with the following columns:
Name: User name,

Groups: User Groups the User belong to,
Locale: shows the Users preferred language.
Tag: free field.
ip|uniboss rights: shows the Users rights on ip|uniboss (three levels: no access (blank), read
only or read/write),
Domains: shows the Domains the User can access (*: the User can access all Domains),
ip|boss access: shows whether the User has access to ip|boss or not (*),
ip|dashboard access: shows whether the User has access to ip|dashboard or not (*),
Discovery: shows whether the User can use the Discovery function or not (*),
Application Flows: shows whether the User has access to the Real-time Flows or not (*),
Real-time Graph: shows whether the User has access to the Real-time Graphs or not (*),
SSL Configuration: shows whether the User can configure SSL optimization (*),
iPhone access: shows whether the User has access to the Ipanema system via the ad hoc
iPhone software application or not (*),
ip|reporter access: shows whether the User has access to the reports or not (*),
(*): Access is granted when these columns display access, it is denied when they are blank.
3-30
October 2014
to create a new User:
User creation window
October 2014
3-31
Ipanema System
This window contains the following fields:
Name: User name,

Password and Confirm password: the password for the User must be typed in twice,
Groups: allows specifying which User Groups the User belongs to. Including Users in Groups
allows to authenticate them with external LDAPs (see the User Groups section below). When
a User belongs to several Groups, their rights are merged, with the higher rights of all Groups
(e.g. if a User belongs to a Group with read only rights on ip|boss for a Domain, and to another
Group with read and write rights on ip|boss for the same Domain, then they will get read and
write rights).
The left frame shows the User Groups the User does not belong to (all exiting groups
before any selection has been made),
the right frame shows the User Groups the User does belong to.
One can include the User in one or more User Groups by moving the Groups from one frame
to the other using the different arrows:
to move all Groups to the right frame
to move the Groups selected in the left frame to the right
(i.e. include the User in these Groups)
to move the Groups selected in the right frame to the left
(i.e. to exclude the User from these Groups)
to move all Groups to the left frame
(the User will not belong to any Group; they will not be authenticated
by any external LDAP, but by the embedded one only)
Locale: in the current version you can only select English,

Tag: free field.
The next 6 frames are totally identical to the 6 frames in the User Group creation window
(described in the next section), except that they allow defining the rights of individual
Users, instead of User Groups.
ip|uniboss
ip|uniboss rights: allows to give read only or read/write access to ip|uniboss (no access at
all by default).
domains
This frame allows restricting the User access on certain Domains only when they use ip|boss,
ip|dashboard or ip|reporter (this frame does not affect ip|uniboss, as ip|uniboss is the piece of
software that allows creating Domains so it shows them all):
All domains: if the box is checked , then the User is granted an access to all Domains; if not,
they are only granted an access to the Domains selected below,
Domains: allows specifying which Domains the User can access (greyed if the previous check
box has been selected).
The left frame shows the Domains the User can not access (all existing Domains before
any selection has been made),
the right frame shows the Domains the User can access.
One can grant the User access to one or more Domains by moving them from one frame to the
other:
Click All Domains above the left frame
3-32
October 2014
All Domains
to move all Domains to the right frame (the User will have access
to all Domains)
to move the Domains selected in the left frame to the right
(i.e. to grant the access to these Domains)
to move all Domains to the right frame
(it is equivalent to selecting the All domains box, but for the already
existing Domains only)
to move the Domains selected in the right frame to the left
(i.e. to deny the access to these Domains)
to move all Domains to the left frame
(the User will not have access to any Domain!)
ip|boss
ip|boss access: checking this box grants access to ip|boss; then the access levels must be
specified for each menu (below);
System administration, Service activation, Supervision, Reporting, Application
provisioning and System provisioning: if access is granted to ip|boss (above), one must
select the access level for each of the six ip|boss menus from the corresponding drop-down
list (read only or read/write; blank by default i.e. no access);
ip|dashboard
ip|dashboard access: checking this box grants access to ip|dashboards basic functions, i.e.
all views and functions except the Discovery, Real-time Flows, Real-time Graphs and SSL
configuration; access to these views and functions can be set independently, thanks to the
following check boxes:
Discovery, Application Flows and Real-time Graph: checking these boxes grants access to
the corresponding function and views;
SSL Configuration: checking this box allows the User to enter the SSL certificate necessary
to accelerate SSL traffic;
iPhone
iPhone access: checking this box grants access to the simplified dashboard thanks to the ad
hoc iPhone application.
ip|reporter
ip|reporter access: checking this box grants access to the reports; access rights can be defined
precisely thanks to the following filters (note that they are case sensitive):
MetaView: one can grant the User an access to the reports on certain MetaViews only.
Syntax in VF0:
* alone: any text string (default value)

.: any character
.* before or after a text: any text string before or after that text
|: OR logical operator
Examples:
Site: reports on all Sites (but on Sites only)
Domain|Site: Domain and Sites reports
Application Group.*Internet: reports on AGs containing Internet
October 2014
3-33
Ipanema System
Syntax in VF4:
*: any text string
Period: access to the reports can be per periods (hour, day, week, month).
*: grant an access to all four periods (default value)

hour, day, week, month: grant an access to the corresponding period
|: OR logical operator (VF0 only)
Example (in VF0): week|month grants an access to the weekly and monthly reports.
Report: one can give the User an access to certain reports only.
*: grant an access to all reports (default value)
|: OR logical operator (VF0 only)
Example (in VF0): slm|sla grants an access to the SLM and SLA reports only.
Note: combining the three previous filters allows defining the access rights very precisely. For
instance, one can grant an access to one report only. E.g., to grant access to SLM - Application
Synthesis monthly report, on Site HQ (mind the case sensitivity!):
MetaView: Site.*HQ
Period: month
Report: slm - application synthesis
Navigation mode (VF0 only): one can choose between three values:
All: the User can navigate in the Sites reports using either the Sites MetaViews folders
or the two Navigation hierarchical levels (called Folder and Subfolder in ip|engines
window),
No navigation: the User can navigate in the Sites reports using the Sites MetaViews
folders only (they cannot select Navigation and navigate using the two Navigation
hierarchical levels),
No Folder: the User can navigate in the Sites reports using the two Navigation
hierarchical levels only (they cannot select Folder and navigate using the MetaViews
folders, so they cannot access reports other than Sites reports the only ones that
are accessible through the Navigation menu).
Folder (VF0 only) and Subfolder (VF0 only): for Users who navigate using the Navigation
menu, one can specify which Folders and Subfolders (as defined in ip|engines creation window,
e.g.: Continents and Countries) they can access (the default is *, i.e. any string of characters).
Scope: one can give the User an access to
the public reports only (by selecting public),
or to the private reports only (by selecting private),
or to both the public and the private reports (by selecting All).
When a User is created, they have no access to any component, by default.
3-34
October 2014
3. 6. 2. System administration: User Groups

Users can be created in SALSAs internal LDAP (see the previous section), but it is also possible
to allow Users defined in an external LDAP to access SALSA by defining the User Groups they
belong to and the User rights for these groups (described here), and by enabling and configuring
the service. In this case, authentication is performed by an external LDAP (see 3.6.5.) or using the
SAML service (see 3.6.6.), and authorization is performed by SALSAs embedded LDAP.
External Users belonging to User Groups do not have to be created as (individual) Users
with the procedure described in the previous section. Yet, if they are defined at both
levels, their authorizations are merged.
User Groups. The User Groups window is displayed:
User Groups window

This window shows a table with 15 columns:
Name: User Group name,

Description,
All users: shows whether all Users belong to the Group or not,
Internal users: shows the internal Users (created in ip|unibosss embedded LDAP) belonging
to the Group,
External users: shows the external Users (created in external LDAPs) belonging to the Group,
ip|uniboss rights: shows the User Groups rights on ip|uniboss (three levels: no access
(blank), read only or read/write),
Domains: shows the Domains the Group can access (*: access to all Domains),
ip|boss access: shows whether the Group has an access to ip|boss or not (*),
ip|dashboard access: shows whether the Group has an access to ip|dashboard or not (*),
Discovery: shows whether the Group can use the Discovery function or not (*),
Application Flows: shows whether the Group has access to the Real-time Flows or not (*),
Real-time Graph: shows whether the Group has access to the Real-time Graphs or not (*),
SSL Configuration: shows whether the Group can configure SSL optimization (*),
iPhone access: shows whether the Group has an access to the Ipanema system via the ad
hoc iPhone software application or not (*),
ip|reporter access: shows whether the Group has an access to the reports or not (*),
(*): Access is granted when these columns display access, it is denied when they are blank.
October 2014
3-35
Ipanema System
to create a new User Group:
User Group creation window

This window contains the following fields:
Name: User Group name,

Description (optional field),
Users
All users: if this box is checked, all the Users will belong to that Group.
Internal users: allows specifying which internal Users (created in ip|unibosss embedded
LDAP) belong to that Group:
The left frame shows the internal Users who do not belong to that Group,
the right frame shows the internal Users who do belong to that Group.
One can include or more Users in the User Groups by moving the Users from one frame to the
other using the different arrows:
to move all internal users to the right frame
to move the internal users selected in the left frame to the right
(i.e. include them in the User Group)
to move the internal users selected in the right frame to the left
(i.e. to exclude them from the User Group)
to move all internal users to the left frame
(there will be no internal user in that Group)
External users: allows creating, modifying or deleting external Users (i.e. Users defined in
external LDAPs).
You can create an external user in the Group with the
opens, where you have to specify the User name:
3-36
New button. A pop-up window then
October 2014
New External User
The name you choose here must match the name of the User in the external LDAP:
on the User logging, if external, then their name will be passed onto the external
LDAP for authentication, prior to authorization according to their rights as defined in
ip|uniboss (either at the User level, or for the Groups they belong to).
External users can be modified or deleted with the ad hoc buttons (
Modify /
Delete).
These operations (creation, modification and deletion) only impact ip|uniboss

embedded LDAP (no User can be created in, modified or deleted from an external
LDAP via ip|uniboss menus).
The next 6 frames are totally identical to the 6 frames in the User creation window (described in the
previous section), except that they allow defining the rights of User Groups, instead of individual
Users. Please refer to 3.6.1. System administration: Users for detailed explanations.
ip|uniboss
domains
ip|boss
ip|dashboard
iPhone
ip|reporter
When a User Group is created, they have no access to any component, by default.
October 2014
3-37
Ipanema System
3. 6. 3. User credentials supplied in the URL

This service allows providing the credentials needed for authentication directly in the URL.
Authentication is automatic and SALSA login page is skipped.
Authentication is achieved using SALSA internal LDAP, and possibly an external LDAP, if
configured (see 3.6.5. External LDAP authentication). Authorizations for the user are computed
using information stored in the internal LDAP server.
This service is not compatible with the SAML service described in 3.6.6. External SAML
authentication.
3. 6. 3. 1. Enabling the service

The service is disabled by default. To enable it:
1. Edit the Apache configuration file apache/conf/extra/httpd-salsa-ipaas.conf;

2. Replace false by true in the SetEnvIf line:
SetEnvIf SERVER_PROTOCOL ".*" IPAAS_ENABLED=true;
3. Save the modifications and restart Apache.
3. 6. 3. 2. Using the service

To skip the login page, simply replace salsa by ipaas in the URL and provide the user credentials
using a dedicated query parameter: ip_auth.
The URL must be of the form: https://<salsa_server>/ipaas/.
ip_auth query parameter should be built as follows: ip_auth=<value> where
<value> is the concatenation of Basic%20 and base 64 encoding of the string
<user_name>:<plain_text_password>.
Base 64 encoding must be performed before calling the URL.
The resulting parameter string for a user administrator using password admin is:
ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==
The resulting URL for this user to access SALSA portal is:
https://<salsa_server>/ipaas/salsa_portal
/?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==
It is also possible to use this syntax with all components of the SALSA suite. For instance, to access
the reports of Domain ACME:
https://<salsa_server>/ipaas/ipreporter_portal/ACME
/?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==
3-38
October 2014
3. 6. 4. User name as an HTTP header

This service allows skipping the login page and authentication phase, but it requires using a proxy
in front of SALSA Apache server. The user name must be supplied as an HTTP header and it is
used to compute the authorizations.

1. Edit the Apache configuration file apache/conf/extra/httpd-salsa-ext.conf;

2. Replace Off by On in the SalsaExtAuthn line:
SalsaExtAuthn On;
3. Uncomment the SalsaExtAuthnAllow line and specify the host name or the IP address
of your proxy server; example with a proxy on 172.1.1.1:
SalsaExtAuthnAllow from 172.1.1.1;
For the directive SalsaExtAuthnAllow, you can use all instead of the address
to disable the check on the proxy or any mask of the Apache allow directive
http://httpd.apache.org/docs/2.4/en/mod/mod_access_compat.html#allow
but be very careful if you use all, as this can be a security hole (any host providing
a correct HTTP header will be a trusted one!)

Your proxy should provide one or two headers when transmitting the requests to the SALSA
Apache server:
Header
Value
Status
Description
REMOTE_USER
User name
mandatory
The external authenticated user
x-6307-is-user-profile
User group name
optional
If provided, should match a

SALSA group name
The permissions are computed using the SALSA groups defined in ip|uniboss (see 3.6.2. System
administration: User Groups) that meet one of the following conditions:
the External users list contains the user name (supplied by the REMOTE_USER header),
the name is equal to the user group name (supplied by the x-6307-is-user-profile header).
All authorizations given to these groups are merged to determine the user permissions.
October 2014
3-39
Ipanema System
3. 6. 5. External LDAP authentication

This service allows authentication using an external LDAP.
Credentials supplied in the login page
previous section) are checked during
SALSAs internal LDAP, if the user is
check is performed, using the external
or in the URL (if the service has been activated, see the
the authentication phase. The first check is done using
not found or the password doesnt match then a second
LDAP.

1. Edit the Apache configuration file

apache/conf/extra/httpd-salsa-externalLDAPAlias.conf:
2. Modify the LDAP URL in the AuthLDAPURL line; the syntax is explained here:
http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl;
3. Add the directives required to allow Apache communicating with your
LDAP
(AuthLDAPBindDN,
AuthLDAPBindPassword,
AuthLDAPCharsetConfig,
AuthLDAPCompareAsUser, AuthLDAPCompareDNOnServer, AuthLDAPDereferenceAliases,
AuthLDAPInitialBindAsUser,
AuthLDAPInitialBindPattern,
AuthLDAPSearchAsUser,
AuthLDAPUrl).
4. Save the modifications and close this configuration file.
5. Edit the Apache configuration file apache/conf/extra/httpd-salsa-authz.conf:
6. Add ldap-external at the end of the AuthFormProvider line;
7. Uncomment the SalsaAuthzExternalURL line and provide your LDAP URL (use the
same as provided in the httpd-salsa-externalLDAPAlias.conf file);
8. Uncomment other directives if needed to adapt the authorization module to your LDAP server.
In particular use the SalsaAuthzExternalGroupClass directive to specify the object class to
use to identify the groups in your LDAP and the SalsaAuthzExternalGroupAttribute directive
to specify attribute labels to use to identify the user members of groups;
Example with an active directory deployed on my-adserver with the base directory for the search
DC=mycompany,DC=local:
AuthLDAPURL "ldap://my-adserver/dc=mycompany,dc=local?sAMAccountName?
sub?(objectClass=user)" NONE
apache/conf/extra/httpd-salsa-externalLDAPAlias.conf file
AuthFormProvider ldap-internal ldap-external
SalsaAuthzExternalURL "ldap://my-adserver/dc=mycompany,dc=local?
sAMAccountName?sub?(objectClass=user)" NONE
SalsaAuthzExternalGroupClass group
SalsaAuthzExternalGroupAttribute member
apache/conf/extra/httpd-salsa-authz.conf file
if you use an active directory, you can speed up the authorization phase by
using the matching rule LDAP_MATCHING_RULE_IN_CHAIN to retrieve
groups of groups. In this case you must have the following lines in your
apache/conf/extra/httpd-salsa-authz.conf file:
SalsaAuthzExternalMaxSubGroupDepth 1
SalsaAuthzExternalGroupAttribute member:1.2.840.113556.1.4.1941:
3-40
October 2014

Use the login page or provide the credentials in the URL (if the service has been activated, see the
previous section).
During the authentication phase, credentials are checked using SALSAs internal LDAP; if the user
is not found or the password doesnt match then the credentials are checked a second time, using
the external LDAP.
If the second check (external LDAP) is successful then user groups are retrieved in the external
LDAP. This list of groups is completed with the SALSA groups defined in ip|uniboss (see 3.6.2.
System administration: User Groups) where the External users list contains the user name.
All authorizations given to these groups are merged to determine the user permissions.
October 2014
3-41
Ipanema System
3. 6. 6. External SAML authentication

This service allows authentication using an SAML server (Shibboleth Identity Provider or Microsoft
ADFS).
This service is not compatible with the user credentials supplied in the URL as described
in 3.6.3. User credentials supplied in the URL.

Three steps are necessary to enable SAML authentication:
1. Provide the identity provider (IdP) metadata to the service provider (SP),
2. Activate the SAML module in SALSA Apache server,
3. Provide the service provider (SP) metadata to the identity provider (IdP).
More information on SAML, SP and IdP can be found here:
https://wiki.shibboleth.net/confluence/display/SHIB2
/UnderstandingShibboleth
On Windows, Shibboleth SP is not installed, so you have to install it (it is supplied on SALSA
installation DVD-ROM). During installation, check "Run as 32-Bit". The installer registers a new
service called Shibboleth 2 Daemon (Default).
(On Linux, Shibboleth SP is installed with the SALSA web server package (by default in
/opt/salsa/shibboleth-sp) but it is not started, so you have to start it.)
Step 1: provide the identity provider (IdP) metadata to the service provider (SP)
One way to configure the Shibboleth SP is described here, but you can find all information at
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
To begin, you must save the metadata of the IdP on the disk where the SP has been installed. If
you use Shibboleth IdP, metadata are available at this URL:
https://IdPHostname:IdPPort/idp/profile/Metadata/SAML
1. Edit shibboleth-sp\etc\shibboleth\shibboleth2.xml;
2. Remove the <InProcess> XML tag;
3. Change the entityID attribute located in the <ApplicationDefaults> XML tag to one
that is appropriate for your service. An https:// URL is recommended, ideally containing a logical
DNS hostname associated with your service that will not change over time as physical servers
do.
4. In the <Sessions> XML tag, change the handlerSSL attribute value to true;
5. In the same tag, change the cookieProps attribute value to ; path=/; secure;
6. Replace the <SSO> XML tag with <SSO entityID="IdP entityID">SAML2</SSO>,
where "IdP entityID" is the entityID available in the IdP metadata file;
7. After the <Errors> tag, add a <MetadataProvider> tag to reference the IdP metadata
file:
<MetadataProvider type="XML"
file="D:/absolute/path/idp-metadata.xml"/>;
8. Save changes to the XML and restart the Shibboleth 2 Daemon service.
Step 2: activate the SAML module in SALSA Apache server
3-42
1. In SALSA installation directory, edit the following configuration file:

apache\conf\extra\httpd-salsa-shibboleth.conf;
2. Uncomment the LoadModule line and save the file;
3. Update the Shibboleth SP path (Windows only).
4. Restart the SALSA Apache service.
October 2014
Step 3: provide the service provider (SP) metadata to the identity provider (IdP)
1. Save the SP metadata file available at the following URL and copy it on the computer where
the IdP is installed:
https://<salsa_server>/Shibboleth.sso/Metadata;
2. Configure the IdP to reference this file;
Steps 3. and 4. are only to be taken if you use Shibboleth IdP.
3. Copy the SP metadata file (salsasp-metadata.xml) in:
C:\Program Files (x86)\Internet2\Shib2IdP\metadata\.
4.
Edit
C:\Program Files (x86)\Internet2\Shib2IdP\conf\relyingparty.xml to add the following information in <metadata:MetadataProvider
id="ShibbolethMetadata" ...>:
<metadata:MetadataProvider id="salsa-SPMD"
xsi:type="metadata:ResourceBackedMetadataProvider">
<metadata:MetadataResource xsi:type="resource:FilesystemResource"
file="C:/Program Files (x86)/Internet2/Shib2Idp/metadata
/salsasp-metadata.xml"/>
</metadata:MetadataProvider>
5. Restart the IdP service ("Apache Tomcat").

You can now use the IdP login page to access all SALSA resources.
During the authentication phase, the credentials are checked using the SAML server; there is no
fallback on SALSA internal LDAP.
You can continue to access SALSA resources even if the SAML server is down or if you forgot
to add at least one SAML user in a SALSA group (in the External user list) by using the
internal path. All you have to do is to replace salsa in the URL by internal (example:
https://salsa_server/internal/ipuniboss_portal/; see the note at the beginning of
section 3.6.).
By default SAML attributes are not retrieved so we dont have the user group list. To determine user
permissions we retrieve the list of SALSA groups defined in ip|uniboss where the External users
list contains the user name. All authorizations given to these groups are merged to determine the
user permissions.
If the IdP server exposes user groups then you can configure the Shibboleth SP to use them:
You need to know the OID of the attribute exposed by the IdP server that contains the list of
user groups (replace ATTRIBUTE_OID in the next step by this OID);
Edit shibboleth-sp\etc\shibboleth\attribute-map.xml and add the following
information in the <Attributes> XML tag:
<Attribute name="urn:oid:ATTRIBUTE_OID" id="memberOf">
<AttributeDecoder xsi:type="StringAttributeDecoder"
caseSensitive="false"/>
</Attribute>
Restart the Shibboleth SP service ("Shibboleth 2 Daemon").
This list of groups exposed by the IdP server is completed with the SALSA groups defined in
ip|uniboss where the External users list contains the user name. All authorizations given to these
groups are merged to determine the user permissions.
October 2014
3-43
Ipanema System
3. 7. SUPERVISION
The Supervision menu contains three functions: Inventory, Log and Issues.
3. 7. 1. Inventory
Inventory:
The Inventory window is displayed.
Inventory window
This window is made of two frames:
Domain inventory,
Topology inventory. This frame is contextual: if no Domain is selected in the previous frame,
it displays all Domains topologies; if one (or several) Domain(s) is (are) selected, it displays its
(their) topology(ies) only.
The
Print button prints all the columns of the selected Domain(s),
whereas the Action / Print menu prints the selected columns of all the Domains.
3-44
October 2014
3. 7. 1. 1. Domain inventory
This frame contains the following information:
Name: Name of the Domain

Enabled: Yes / No
ip|boss server: IP address of ip|boss server
Access port: port used by the client on that Domain (0 = dynamic)
SNMP agent (refer to the section Create a Domain above):
Port
Address
C.N.: Community Name
ip|reporter (refer to the section Create a Domain above):
Periods (refer to the section Create a Domain above):
Server
Manager port
Collector port
Browser port
Portmapper port
Supervision
Collect
Reporting short
Reporting long
User management (refer to the section Create a Domain above):

Radius: Yes / No
Domain services: shows if the following services are started (Yes) or not (No):
Number of: shows the number of the following objects, with their totals on the last line:
ip|true
ip|fast
ip|coop
ip|xcomp
ip|xtcp
ip|xapp
smart|plan
ip|reporter
ip|export
smart|path
ip|engines
tele|engines
Automatic MetaViews
On demand MetaViews
Automatic reports
On demand reports
Application Groups
Topology subnets
User subnets
Applications
Storage: shows the Domains storage configuration (please refer to the Storage tab of the
Domains configuration window):
October 2014
Disk size limit

Per minute data lifetime
Per minute rtf lifetime
Per hour data lifetime
Per hour rtf lifetime
3-45
Ipanema System
Per day data lifetime (unused in the current version will always show 0)
Per day rtf lifetime (unused in the current version will always show 0)
Reversor:
Enabled: Yes / No
3. 7. 1. 2. Topology inventory
This frame contains:
Domain name
ip|boss server
Appliance (software version, model and IP addresses are polled from the ip|engine; if it has
not been reachable, the field is blank):
WAN Access:
Total
Total
Total
Total
max ingress bandwidth

min ingress bandwidth
max egress bandwidth
min egress bandwidth
Domain: shows if the following services are started (Yes) or not (No) at the Domain level (in
ip|bosss Service Activation menu for most of them):
3-46
Name
Main public IP address
Main private IP address
Auxiliary public IP address
Auxiliary private IP address
LAN MAC address
Type: ip|engine or tele|engine
Enabled: Enabled (Yes) or disabled (No)
Software version
Hardware
Custom tag
ip|true: Yes / No
ip|fast: Yes / No
ip|xcomp compress: Yes / No
ip|xcomp uncompress: Yes / No
ip|xtcp: Yes / No
ip|xapp: Yes / No
smart|plan: Yes / No
smart|path: Yes / No
ip|true
ip|fast
ip|coop
ip|xcomp
ip|xtcp
ip|xapp
smart|plan
ip|reporter
ip|export
October 2014
3. 7. 2. Logs
Log:
ip|uniboss Log window is displayed:
ip|uniboss Log window

This window contains:
the list of system events (on ip|uniboss server) with a time stamping,
the list of connections/disconnections to/from ip|uniboss with a time stamping.
The events are sorted by antichronological order, by default (the latest event is the first in the list,
at the top of the first page), but you can sort them by chronological order by clicking on the column
header (Messages).
If the list is displayed on several pages, you can select which page you want to see by clicking on
the page number at the bottom of the window.
You can also use the following arrows to navigate:
: displays the previous page of logged events,
: displays the next page of logged events.
You can also click on a page number to jump to that page (the current page number is displayed
on the left, and underlined in the list of pages).
A field allows you to specify how many objects (events) per page you want to display (40 by default);
click on the Refresh button next to this field to apply a change:
October 2014
3-47
Ipanema System
3. 7. 3. Issues
display):
Issues, when applicable (the icon is greyed when there is no issue to
The Issues window is displayed:
ip|uniboss Log window

It contains a list of issues that may require a users action:
Possible issues for the Domains:
non
non
non
non
non
created Domains,
deleted Domains,
started Domains,
configured Domains,
reachable Domains.
Possible issues for ip|boss servers:

non configured servers,
non compatible servers,
non reachable servers.
As long as there is an issue, the Issues icon

issue to display, the icon is greyed.
3-48
in ip|uniboss tool bar blinks. When there is no
October 2014
CHAPTER 4. CONFIGURING SERVICES

(IP|BOSS)
4. 1. CONFIGURATION OVERVIEW
Once your Domain has been created (refer to the previous Chapter) and before starting
a measurement, Application Control or optimization session, you have to parameter your
configuration (one configuration per Domain).
This configuration uses:
general settings for all functions (measurement, Application Control, redundancy elimination,
acceleration and smart plan) ensuring:
configuration of the Domains ip|engines and tele|engines,
configuration of the topology subnets associated with the ip|engines and tele|engines,
selection of applications, TOS and User subnets assigned to the session, according
to the specific features of the traffic to be measured, controlled, compressed or
accelerated,
specific settings that depend on customers requests, for measurement, Application Control,
redundancy elimination and acceleration features:
WAN accesses characteristics settings,

Quality of Service (QoS profiles) settings,
Coloring settings,
Application Groups settings,
MetaViews settings.
These data are grouped in a configuration file in the directory

~\salsa\ipboss\server\domains\<Domain_name>\config
named:
__active__.ipmconf
Two clients are available:
a Web client through a Web browser,

a CLI client (Command Line Interface).
October 2014
4-1
Ipanema System
4. 2. IP|BOSS WEB CLIENT

4. 2. 1. Connection to ip|boss
To connect to ip|boss server from SALSA client, first select the Domain you want to configure from
the drop-down list, then click ip|boss button:
SALSA client
4-2
October 2014
Configuring services (ip|boss)
4. 2. 2. ip|boss main window

ip|boss graphical user interface is presented hereafter. It gives access to all features of the system.
ip|boss main window

ip|boss main window is divided into four parts:
A title bar with the logo of Ipanema Technologies; it closes all opened windows when you
click on it.
A tool bar, on the left: it is composed of menus and icons which give access to the different
functions of the software. It depends on the profile of the connected user.
A status bar, at the bottom: it gives the status and statistics on the system.
A working space (that displays the main image on login).
October 2014
4-3
Ipanema System
4. 2. 3. ip|boss tool bar

The content of the Tool bar depends on the profile of the connected User.
Toolbar
The buttons give a direct access to all functions of the system:
Global functions
Save/Update: saves/updates the configuration; flashes when an update is necessary,
Service activation: allows to activate all services:
global Start /Stop of ip|true (measurement) on the ip|engines,

global Start/Stop of ip|fast ( Application Control) on the ip|engines,
global Start/Stop of ip|xcomp (redundancy elimination) on the ip|engines,
global Start/Stop of ip|coop (tele-cooperation),
global Start/Stop of ip|xtcp (TCP acceleration),
global Start/Stop of ip|xapp (CIFS acceleration),
global Start/Stop of smart|plan (Smart planning reports),
global Start/Stop of IMA (Ipanema Mobile Agent).
Refresh: refreshes the view,
Undo: allows to undo last modifications,
Help: gives access to the online help,
ip|reporter: opens ip|reporter web portal to give access to the reports,
4-4
October 2014
About: shows ip|boss version and license information,

Quit: quits ip|boss client.
Automatic reporting: gives access to the Automatic reporting function,

Security: gives access to the security configuration.
ip|engines: configures the ip|engines,

Topology subnets: configures the topology subnets addresses,
WAN access: configures the WAN accesses,
Coloring: configures the coloring rules,
ip|sync: configures the time and synchronization servers,
Scripts: launch scripts,
Tools: starts the ip|engines management features:
software upgrade
reboot
security status
advanced configuration
User subnets: configures the User subnets addresses,

Applications: configures the applications,
TOS: configures the ToS values,
Application Groups: configures the Application Groups,
QoS Profiles: configures the QoS Profiles,
LTL: configures the limiting rules (LTL),
October 2014
4-5
Ipanema System
ip|engine status: shows the status of the ip|engines,

Status map: shows the status map of the ip|engines within a map,
Log: displays the log window,
Options: gives access to the different options (mail, SNMP trap) of the system,
Configuration history: gives access to the Configuration history.
MetaView: configures the MetaViews,

reports: configures the reports of ip|reporter,
Alarming: configures alarms.
4-6
October 2014
4. 2. 4. ip|boss status zone

Status on session start
The status zone gives instantaneous information on the state of the system.
It is one source of supervision information: in case of errors, the dedicated indicators are lighted
in red or amber. More details can be obtained by clicking on the LEDs.
Status zone
The status zone is made of four frames, showing the Domain name, LEDs and bargraphs.
Domain: <Domain_name>
Total throughput (Mbps)
gauge displaying the current total throughput measured by all

enabled ip|true agents of the Domain (left figure) over peak
throughput measured since the session start-up (right figure).
Active flows
gauge displaying the current active flows (one flow = all sessions
of a given application, from a given source to a given destination)
measured by all enabled ip|true agents of the Domain (left) over
the peak flows measured since the session start-up (right).
No Topology alarm
green if there is no Topology alarm (normal state),

red otherwise (please refer to the Supervision section).
ip|boss
This frame shows the state of the system with three colored LEDs:
Connection LED: shows the status of the connection between the client and the ip|boss server:
green
red
the server is unreachable; it can be due to a network connectivity issue

between ip|boss server and ip|boss client, or ip|boss server may be down
License LED: shows the license status:
green
red
the server is reachable
the license is respected

the license is not respected (the number of consumed ISUs exceeds the
total ISU credit)
Discovery LED: indicates when Discovery is in process:
grey
amber
October 2014
no Discovery agent is running

Discovery agents are running on one or more ip|engines
4-7
Ipanema System
ip|reporter
This frame shows the state of ip|reporter with two colored LEDs:
Server LED: shows the state of the ip|reporter server (InfoVista):
green
the InfoVistas services (manager, collector and browser) are operational
yellow
one of the InfoVistas services (manager or browser) is down

check the .../InfoVista/Essentials/log/manager.log log file
red
all InfoVistas services are down (or the server is unreachable)

check the .../InfoVista/Essentials/log/manager.log and collector.log log files
grey
ip|reporter is disabled in the Domains configuration,

or the ip|es on the Domain have not been enabled yet
Database LED: shows the state of the InfoVista Database:
green
yellow
grey
red
the InfoVistas database is operational

synchronization of InfoVistas database is running (temporary state)
error happened during last synchronization of InfoVistas database
no access to the reports description (in the reports_desc.ipmsys file in
~/salsa/ipboss/server/conf on ip|boss server),
or the reports description does not match the installed library (VistaViews
loaded from ip|reporter DVD-ROMs ivl directory)
ip|engine
This frame shows the status and activity of all ip|engines:
Reachable LED and bargraph: display the reachability status of all ip|engines:
green
red
grey
all ip|engines are reachable

some ip|es are unreachable; it can be due to a network connectivity issue
between ip|boss and ip|es (firewall, WAN link breakdown,ip|e off or failure)
the service is stopped, or the status is not available
displays the number of ip|es currently reachable (left) upon the total number
of ip|es activated (right).
Overload LED and bargraph: display the overload status of all ip|engines:
green
red
no ip|engine is overloaded
some ip|es are overloaded (the WAN throughput exceeds the capacity
of the hardware)
displays the number of ip|es currently overloaded (left) upon the total
number of ip|es reachable (right).
4-8
October 2014
Synchronized LED and bargraph: display the synchronization status of all ip|engines:
green
yellow
red
grey
service start-up and the server is OK (*); all ip|es are synchronized
the server is OK (*) but one or several ip|es are not synchronized
(synchronization in progress, temporary synchronization loss)
the server is down (*) and no ip|e is synchronized
service is switched off or the status is not available
displays the number of ip|es currently synchronized (left) upon the total
number of ip|es reachable (right).
(*) ITP case.
Measuring LED and bargraph: display the ip|true status of all ip|engines:
green
service start-up and all ip|true agents are operational
yellow
one or several ip|true agents are not operational (not configured yet,
configuration refused or failure)
red
none of the ip|true agents are operational (not configured yet, configuration
refused or failure)
grey

displays the number of ip|es currently measuring (ip|true agent running)
(left) upon the total number of ip|es activated (right).
Optimizing LED and bargraph: display the ip|fast status of all ip|engines:
green
service start-up and all enabled ip|fast agents are operational
yellow
one or several enabled ip|fast agents are not operational (not configured
yet, configuration refused or failure)
red
none of the enabled ip|fast agents are operational (not configured yet,
grey

displays the number of ip|es currently controlling the traffic (ip|fast agent
running) (left) upon the total number of measuring ip|es having ip|fast
activated (right).
October 2014
4-9
Ipanema System
Limiting LED and bargraph: indicates when a Local Traffic Limiting rule is active on an
ip|engine:
yellow
grey
a Local Traffic Limiting rule is active on one or several ip|es

no Local Traffic Limiting rule is active or the status is not available
displays the number of ip|es currently limiting the traffic (Local Traffic
Limiting rule active) (left) upon the total number of ip|es controlling the
traffic (right).
ip|xcomp LED and bargraph: display the ip|xcomp status of all ip|engines:
green
service start-up and all enabled (de)compressing agents are operational
yellow
one or several enabled (de)compressing agents are not operational (not

configured yet, configuration refused or failure)
red
none of the enabled (de)compressing agents are operational (not

configured yet, configuration refused or failure)
grey

displays the number of ip|es currently (de)compressing (ip|xcomp agent
running) (left) upon the total number of ip|es having ip|xcomp activated
(right).
ip|xtcp LED and bargraph: display the ip|xtcp status of all ip|engines:
green
service start-up and all enabled ip|xtcp agents are operational
yellow
one or several enabled ip|xtcp agents are not operational (not configured
red
none of the enabled ip|xtcp agents are operational (not configured yet,
grey

displays the number of ip|es currently accelerating TCP traffic (ip|xtcp
agent running) (left) upon the total number of ip|es having ip|xtcp activated
(right).
ip|xapp LED and bargraph: display the ip|xapp status of all ip|engines:
green
service start-up and all enabled ip|xapp agents are operational
yellow
one or several enabled ip|xapp agents are not operational (not configured
red
none of the enabled ip|xapp agents are operational (not configured yet,
grey

displays the number of ip|es currently accelerating CIFS traffic (ip|xapp
agent running) (left) upon the total number of ip|es having ip|xapp activated
(right).
4-10
October 2014
4. 2. 5. ip|boss table view
Typical window with a table view

A table view shows a list of objects. All the table views give:
A menu bar:
A tool bar with two parts:
A list of objects.
,
Selection: you can select an object in the list by clicking on its line. To select other objects, you
have to click on their lines while pressing the Alt key. To select an interval of objects, you select
the first then the last by clicking while pressing the Shift key. The Edit menu (see below) allows to
select/unselect all the objects on the list. In the status bar, the number of selected objects and the
total number of objects is shown.
Sort: you can sort the list according to one column by clicking on this columns header (by clicking
on the header a second time, you change the order ascending-descending). By clicking on several
columns while pressing the Ctrl key, you make a sort on multi-columns. These functions are also
available through the Display/Sort menu (see below).
October 2014
4-11
Ipanema System
The menu bar contains six menus:

The File menu allows to:
New: create an object,

Export: export the list of objects,
Import: import a list of objects (Import); this function is not available for all objects,
Quit: exit ip|boss.
The Window menu allows to:
Close All: close all open windows (tabs) within ip|boss,

<window name>: select another open window (the active window is marked with a tip).
The Edit menu allows to:
Search: open a contextual dialog box which allows finding all the objects with an attribute
containing the specified text. The first matching object is highlighted in the table below.
Navigation between the found objects is made with the Next / Previous buttons.
Search contextual dialog box
4-12
October 2014
Next: go to the next found object,

Previous: go to the previous found object,
Select all: select all objects,
Unselect all: unselect all objects.
The View menu allows to:
Sort: by clicking on the header of a column, you sort the list according to this column (by clicking
again on the column, you change the order ascending-descending). By clicking on several
columns while pressing the Ctrl key, you make a sort on multi-columns. These functions are
also available with the menu View > Sort > Sort by.
Sort the data (by any field or combination of multiple fields; other features in the Sort menu are
Invert sort (global), Sort by status (global) and Invert sort by status (global)),
Sort dialog box
The Invert Sort (global) sub-menu allows inverting the sorting criteria.
The Sort by Status (global) and Invert Sort by Status (global) sub-menus allow sorting by
Status.
Group by: allows grouping the data by any criteria.
Filter: create filters on the list which display only the filtered objects according to the selected
criteria.
October 2014
4-13
Ipanema System
A radio button allows selecting the Filter type:

A Simple Filter works with only one field,
An Extended Filter is a combination of simple filters (using AND, OR, NOT logical
operators):
Extended filter
Select the filter criteria that you need and use the Add, Ok, Apply and Close buttons to perform
the corresponding actions.
The Modify filter and Active filter sub-menus allow modifying filters and activating/deactivating
them. When a filter is active, a tip is displayed before theActive filter sub-menu, and the
number of displayed objects and the total number of objects is written on the status bar. You
can activate/deactivate a filter by double-clicking on the icon of the status bar:
Active filter icon
Choose columns: choose the columns to display.

Preferences: save or delete the display mode (filters and selected columns). When you save
the preferences, give them a name (Preference name, e.g. my preferred view) and select
whether you want these to be your default view (checking the Default preference box), the
default view for mobiles (checking the Default preference for mobile box), whether you want
them to be accessible to other users (checking the Shared preference box) and whether you
want them to apply to this view only (checking the on this view radio button) or to all views of
the same type (checking the on views of the same type radio button); then a drop-down list
appears on the right (if no preference had been previously saved):
,
allowing selecting these preferences, other saved preferences, or displaying everything with no
filter (selecting All).
The Actions menu allows to Consult, Clone, Modify, Delete and Change the administrative state
of objects. The list of actions is the same as you get through the context menu of the list.
The ? menu gives access to the About menu.
4-14
October 2014
The tool bar contains the same icons for most windows:
(Consult): to consult an object (without modification capability),
(New): to create a new object,
(Clone): to create an object from another one,
(Modify): to modify one or more objects,
(Delete): to delete one or more objects,
(Change administrative state): to change the administrative state of one or more objects.
(Export): to export in a text file the content of a list.
(Import): to import the content of a list from a text file.
(Help): to go to the help page.
(search): to search objects matching various criteria (see Edit > Search menu above),
(new filter): to filter the data (see View > Filter menu above),
(modify filter): to modify filters (see View > Filter menu above),
(sort by): to sort the data (see View > Sort menu above),
(choose columns): to choose the columns to display,
(save preferences): to save the view matching the filters, etc. (see View > Preferences menu
above),
(delete preferences): to delete previously saved preferences.
October 2014
4-15
Ipanema System
4. 2. 6. ip|boss creation form
Typical creation form
4-16
): when you move the mouse on the icon, a message is displayed. In

Some fields have tips (
case of error, the field is displayed in red.
Some fields are related to other objects (example: WAN access).
The Ok button creates the object and closes the window.
The Apply button creates the object and keeps the window opened. This is useful when you
want to create several objects.
The Cancel button closes the window without creating any object.
October 2014
4. 3. IP|BOSS CLI CLIENT

For detailed information concerning ip|boss and ip|uniboss Command Line Interface
clients, please refer to the CLI Reference Manual.
4. 3. 1. CLI architecture
ip|boss and ip|uniboss have a specific GUI client each, that uses CORBA over SSL to
communicate with a dedicated client request handler (called the Leonardi connector because
of the underlying technology).
Quite similarly, there is a CLI client for ip|boss and a CLI client for ip|uniboss. They communicate
exclusively with their respective CLI connector using CORBA over SSL. The best image to illustrate
what the CLI clients and CLI connectors are is to compare the CLI clients to Telnet clients and the
CLI connectors to remote shell services.
The CLI client/server protocol relies on three verbs:
Login
Logout
Execute
The client and the server exchange version information prior to the login request. This allows either
side to adapt to an older peer.
In its current version, the ip|boss CLI connector forwards login and logout requests to the targeted
Domains Leonardi connector, besides establishing its own session information and setting up
a session specific command parser that will process execute requests. If no specific Domain is
targeted, the ip|boss CLI connector will use the naming service to get a list of all running Domains
and will connect to the first available Domain (in alphabetical order) the provided credentials are
valid for.
The ip|uniboss CLI connector will forward the login and logout requests to the ip|uniboss Leonardi
connector.
Once the session is established, the CLI client acts a transparent upstream pipe between the client
systems keyboard or input file and the CLI connector and a transparent downstream pipe between
the CLI connector and the client systems display or output file.
4. 3. 2. CLI language
The ip|boss Leonardi connector essentially maps a Domains configuration to a set of object
classes and objects within each class. The ip|uniboss Leonardi connector does the same at a
higher level, where Domains are objects in a class. (This is very much akin to tables and rows we
are used to in DBMSes such as Oracle for example.)
The CLI language builds on this paradigm. The language basics are the same for ip|boss CLI and
ip|uniboss CLI. The difference currently only lies in the underlying schema - names of tables and
columns.
A CLI script is a (possibly empty) list of statements. A statement is always terminated by a ";"
(semicolon) character. The semicolon is not a statement separator but a statement terminator. The
difference is important, particularly for parser robustness sake. Having the semicolon act as a
statement terminator and not anything else makes error recovery much easier: eat and discard
input until you see the next semicolon and try to parse more statements from there.
CLI statements currently fall into 2 categories:
Data Manipulation Language (DML)

Session Control Language (SCL)
CLI DML is very much akin to SQL DML.
October 2014
4-17
Ipanema System
With DML you can perform essentially 4 operations on objects:
Create ( or insert),
Modify ( or update),
Delete,
List ( or select).
But there are not only similarities, there are differences too. CLI DML statements act on one table
or object class at a time, there is no such thing as a join. Future releases of CLI will make it easy
to clone objects, just overriding a few columns with specific values. That is not easy in SQL.
CLI offers fine grained control over error handling and logging because it is mainly targeted at
procedure automation versus ad hoc queries.
For the same reason, CLI not only produces tabular output but can also use tabular input in
statements
4. 3. 3. Tabular input and output

CLI can be used for procedure automation in environments where the ipanema solution fits into a
bigger, centrally managed solution. This means that the primary databases are not inside ip|boss,
but somewhere outside, no matter the format.
As a consequence, it is important to make it easy to resynchronize the ipanema solution with
external databases. Hence the choice of a bulk operation centric approach.
With tabular input and output we simply mean that CLI produces output and accepts input such as:
name|public_ip_address|virtual
Out of domain|240.0.0.0|1
ipe_0001|10.1.1.1|0
ipe_0002|10.1.2.1|0
ipe_0003|10.1.3.1|0
ipe_0004|10.1.4.1|0
ipe_0005|10.1.5.1|0
That is easy to obtain from Excel and easy to feed into Excel, or any database (the | (pipe)
character can be changed to something else via a command line option, including the semicolon).
The CLI language has been designed with bulk operations in mind. Below is an example of a valid
statement that creates 5 ip|engines at a time:
CREATE ip_engine FROM STREAM
name|public_ip_address|virtual
ipe_0001|10.1.1.1|0
ipe_0002|10.1.2.1|0
ipe_0003|10.1.3.1|0
ipe_0004|10.1.4.1|0
ipe_0005|10.1.5.1|0
;
4-18
October 2014
4. 4. OPERATING PROCEDURE
The operating procedure consists of the following phases:
choosing a Domain,
creating a configuration or using an archived configuration, that is, specifying all ip|engines
and Domain settings (topology subnets, applications, Application Groups, Qos Profiles,
MetaViews....),
running a measurement, control, redundancy elimination or cooperative session, applied to the
Domain,
analyzing the results in real-time,
reporting configuration of measurement and Application Control (optional).
Table: operating procedure

The tables below show operations in their chronological order for a Domain.
October 2014
4-19
Ipanema System
Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
Making configuration settings

Create a new configuration
Manual procedure
Start with an existing configuration
Manual procedure
Define automatic reporting

Automatic reporting
Configure operator coloring

characteristics
Coloring
Configure the WAN accesses
WAN access
Declare ip|engines of the

Domain
ip|engines
Declare the topology subnets associated with each

ip|engine
Topology Subnets
Define User subnets

User Subnets
Add, modify or remove TOS
in the dictionary
TOS
Add, modify or remove applications in the dictionary
Applications
Define QoS profiles

QoS profiles
Define Application Groups
Application Group
Define MetaViews
MetaView
Define reports
Reports
Define Alarming
Alarming
Save the configuration
Automatic procedure
(1) M = Mandatory, O = Optional, X = Applied
4-20
October 2014
Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
ip|true service: measurement

X
Start a session
Service activation, ip|engines: on

Enable ip|true, for all ip|engines

X
Analyze real-time flows

ip|dashboard
Modify the topology subnets
associated with each ip|engine
X
Topology Subnets
X
Modify aggregation rules:

TOS
TOS
Applications
Applications
User Subnets
User Subnets
Modify QoS profiles and Application Groups
X
QoS profiles
Application Group
Modify automatic reporting

Automatic reporting
X
Modify MetaView settings

MetaView
Modify reports
Reports
Modify Alarming settings

Alarming
Modify the session dynamically
Update
Disable ip|true, for all ip|engines
Service activation, ip|engines: off
Stop a session
October 2014
4-21
Ipanema System
Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
ip|fast service: Application Control

Enable ip|fast for all
ip|engines
Service activation, ip|fast: on
Disable ip|fast for all

ip|engines
Service activation, ip|fast: off
X
X
Start a session

Analyze real-time controlled
flows
Optimize flow management
by adjusting settings:
ip|engines, QoS profiles,
User subnets and AGs
X
ip|dashboard
X
ip|engines
X
QoS profiles
Application Group
User Subnets
X
Modify aggregation rules:

TOS
TOS
Applications
Applications
Modify coloring policies
characteristics
Modify the attached WAN
access
X
Coloring
X
WAN access
X
Create, modify, delete LTLs

LTL
Modify the session
dynamically
X
Update
X
Stop the session

4-22
October 2014
Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
ip|coop service: tele-cooperation

Enable ip|coop for all
ip|engines
Service activation, ip|coop: on
Disable ip|coop for all

ip|engines
Service activation, ip|coop: off
X
X
Start a session

X
Analyze real-time flows for

tele|engines
Modify the session
dynamically
ip|dashboard
X
Update
X
Stop the session

Service activation, ip|engine: off
Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
ip|xcomp service: redundancy elimination

Enable ip|xcomp for all
ip|engines
Service activation, ip|xomp: on
Disable ip|xcomp for all

ip|engines
Service activation, ip|xcomp: off
X
X
Start a session

Analyze real-time
compressed flows
X
ip|dashboard
Management by adjusting
redundancy elimination
settings: Application Group
Application Group
redundancy elimination
direction settings:
ip|engines
ip|engines
Modify the session

dynamically
X
Update
X
Stop the session

October 2014
4-23
Ipanema System
Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
ip|xtcp service: TCP acceleration

Enable ip|xtcp for all
ip|engines
Service activation, ip|xtcp: on
Disable ip|xtcp for all

ip|engines
Service activation, ip|xtcp: off
X
X
Start a session

Analyze real-time
accelerated flows
X
ip|dashboard
acceleration settings:
Application Group
Application Group
ip|engines
ip|engines
Modify the session

dynamically
X
Update
X
Stop the session

Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
ip|xapp service: CIFS acceleration

Enable ip|xapp for all
ip|engines
Service activation, ip|xapp: on
Disable ip|xapp for all

ip|engines
Service activation, ip|xapp: off
X
X
Start a session

Analyze real-time
accelerated flows
ip|engines
Modify the session
dynamically
X
ip|dashboard
ip|engines
X
Update
X
Stop the session

4-24
October 2014
Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
DWS
Start a session
Dynamic WAN Selection
settings: Application Group
Application Group
settings: WAN access
WAN access
settings: ip|engines
ip|engines
advanced parameters:
Tools
Tools
Modify the session

dynamically
X
Update
X
Stop the session

Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
smart|plan service
Enable smart|plan for all
ip|engines
Service activation, smart|plan: on
Disable smart|plan for all

ip|engines
Service activation, smart|plan: off
X
X
Start a session

ip|engines
Modify the session
dynamically
ip|engines
X
Update
X
Stop the session

October 2014
4-25
Ipanema System
Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
IMA service
Enable IMA for all ip|engines
Service activation, IMA: on
Disable IMA for all ip|engines
Service activation, IMA: off
X
X
Start a session

acceleration settings: ip|engines
ip|engines
X
Update
X
Stop the session

Operations to be
performed
Commands
ip|
true
ip|
fast
(1)
ip|sync service: Synchronization

Synchronization
ip| fast
(1)
ip|sync
Update
Operations to be
performed
Commands
ip|
true
Reporting
Define InfoVista server settings
Domain creation
Define automatic reporting

Automatic reporting
Define MetaView settings
MetaView
Define reports
Reports
4-26
October 2014
Operations to be
performed
Commands
ip|
true
ip| fast
(1)
ip|boss: management
Supervision management
settings (e-mail, SNMP trap)
Options
Log window
Log
Configuration history
Configuration history
Security configuration
Security
Certificate generation tab enerate the
keys and the certificates
Configuration tab hoose the encryption
algorithm
ip|engine status
ip|engine status
ip|engine status map
Security status
Tools, Status tab: displays the
security status of ip|engines
Discovering of applications,
subnets.....
ip|dashboard
Send results of script to
Ipanema support
Tools, Script tab
Upgrade ip|engines software
Tools, Software Upgrade tab
Reboot ip|engines
Tools, Reboot tab
Quit the application
File/Exit
October 2014
4-27
Ipanema System
4. 5. CREATE, OPEN, SAVE, UNDO A CONFIGURATION

The name of the configuration file is fix. This file is in the directory
~\salsa\ipboss\server\domains\<Domain_name>\config and its name
is __active__.ipmconf (double underscore before and after). It contains all the
configuration parameters of the Domain. During the start and the update, this file is
sent to the ip|engines.
4. 5. 1. Create a new configuration

Operating procedure table
To create a new configuration file from the default parameters, you must:
Stop the current configuration with the ip|boss client (GUI)

Quit the ip|boss client (GUI)
Stop ip|boss services in Windows control panel
In the directory ~\salsa\ipboss\server\domains\<Domain_name>\config, copy the
file __new__.ipmconf then name it __active__.ipmconf
Start ip|boss services in Windows control panel
Start the ip|boss client (GUI) and create your configuration for the Domain
4. 5. 2. Open a configuration
To work with an existing configuration file, you must:
Stop the current configuration with the ip|boss client

Quit the ip|boss client
Stop ip|boss services in Windows control panel
Copy your file <my_domain>.ipmconf and rename it __active__.ipmconf in the directory
~\ipboss\server\domains\<Domain_name>\config
Start ip|boss services in Windows control panel
Start the ip|boss client then start the session
4. 5. 3. Save a configuration
The configuration file of the Domain (__active__.ipmconf) is automatically applied and saved
on the following actions:
ip|engines activation (Service activation, ip|engines: on),
Update/Save
In case of necessity (for backup), you should make the backup of this file from your
server to the media of your choice (do not backup the file while an update is pending
on the ip|engines).
Important reminder it is advisable to backup your configuration file in a different directory than
that used for installation in order to avoid deleting files during subsequent install.
4-28
October 2014
4. 5. 4. Undo a configuration modification

The 50 last configuration modifications can be undone by clicking on
By choosing a configuration in the Undo table and clicking on

to the selected one is restored.
Undo in the Toolbar.

, the configuration previous
Undo table
If a modification has been carried out by another user in the interval, undo will not
operate.
October 2014
4-29
Ipanema System
4. 6. EXPORTING AND IMPORTING OBJECTS

4. 6. 1. Exporting objects
Most objects (Sites, Topology subnets, Application Groups, etc.) can be exported (they can also
be exported using ip|boss CLI client).
Not all of them can be imported via ip|boss web client. They can, however, using the
CLI client.
In the window containing the objects you want to export, click on the Export icon
File menu, then Export. The following window opens:
or select the
Export window
Select the attributes you want to export by pushing them to the right with the double
right-pointing arrow (objects will be exported with all their attributes) or with the single arrow to
the right (objects will be exported with the selected attributes only). One attribute at least must
be selected (otherwise, there would be no data to be exported, at all; in that case, all of them
are exported, as if the double arrow had been clicked).
if some objects were selected before using the Export function, an Export selection check
box allows exporting selection only, If no object was selected or if the Export selection box is
not checked, all objects are exported.
Click OK. A dialog box appears, allowing you to either open the result file (_exportXXX.res)
or save it.
The first line of the result file (wrapped in the example below) is the description of the fields present,
and the subsequent lines are the exported objects with the selected attributes:
@ipboss_name|ipboss_topology_subnet_network_prefix|ipboss_topology_subnet
_prefix_length|ipboss_topology_subnet_site|ipboss_administrative_state|
Lan_Augsburg|10.49.4.0|24|Site\Augsburg|0
Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0
4-30
October 2014
4. 6. 2. Importing objects
The following objects can be created by importing them from a configuration file: Coloring rules,
WAN accesses, ip|engines and Topology subnets.
All objects can be imported using the CLI client.
An existing configuration file in raw format (.res) can be imported. The first line must be the
description of the fields (it is present if the file was made with an export, see the previous section),
and all the subsequent lines are the objects to be imported (some may be already existing).
In the example below, we will import the previously exported file, where we manually added a new
object on the last line:
@ipboss_name|ipboss_topology_subnet_network_prefix|ipboss_topology_subnet
_prefix_length|ipboss_topology_subnet_site|ipboss_administrative_state|
Lan_Augsburg|10.49.4.0|24|Site\Augsburg|0
Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0
Lan_Montelimar|10.33.3.0|24|Site\Montelimar|0
In the ip|engines window, click on the Import icon

or select the File menu, then Import:
In the Import window, select the attributes to be imported and browse to the file where they
should be saved, then click Ok.
Import window
In the Import window that opens, you can choose which objects to display:
created (objects of the imported file not found in the actual configuration),
modified (objects different in the imported file and in the actual configuration),
deleted (objects of the actual configuration not found in the imported file),
unchanged (objects identical in the imported file and in the actual configuration).
(Only the created and modified objects are displayed by default.)

Click on Import all, or select the objects to import then click on Import selection.
October 2014
4-31
Ipanema System
Import window
The symbols before the objects indicate if they already exist (red cross) or if they are new
(new icon), etc. Hovering the mouse on these symbols allows reading their exact statuses in a
pop-up; clicking them adds or removes the object from the import file, depending on the case
(as indicated in the pop-ups text message).
A message tells you how many objects could be successfully imported; click on Ok.
Click on Ok in the Import window to commit the changes.

A message tells you how many objects could be successfully committed, and the imported
objects are added to the existing ones. Click on Ok.
If objects could not be created (already existing IP address for an ip|engine, for
example), an error message warns you.
4-32
October 2014
4. 7. SYSTEM PROVISIONING
4. 7. 1. Configuring Coloring
Operating procedure table: settings, ip|fast service
The Coloring Policy is used with Application Control. It is the capability to modify the TOS or DiffServ
field in the IP header with a new value according to the type and criticality of the packet.
The mode used is Color-Blind (in this mode, all packets are treated as if they were uncolored:
they are marked according to the selected coloring rule, regardless of their initial color).
ip|fast must be enabled.
In the System provisioning Toolbar, select
Coloring:
The Coloring window is displayed.
Coloring window
By clicking on the New button
, the creation window of a new coloring rule is displayed.
Coloring rule creation window (unspecified by default)
October 2014
4-33
Ipanema System
Coloring directory with TOS and DiffServ selections

This window defines the coloring policies to apply at the access to WAN (you can create as many
Colorings as you want). The coloring parameters specify the type of service, the TOS or DSCP
values function of the traffic type and criticality level. It comprises:
input fields:
Name: to identify the coloring policy (string of characters). By default , the name none is
defined associated with an unspecified service type. The name is used to identify the
Coloring policy,
Service type: to select the type of coloring policy to set-up. The service is selected from
a drop-down list. The values offered are:
TOS: the TOS field of the frame is set to the value specified by the Code point
setting. It then contains the value of the IP PRECEDENCE and the TOS specified
for the Class of Service,
DiffServ: "Differentiated Service" type service. The TOS field of the frame is
set at the value specified by the PHB Group (DSCP) setting, in accordance
with RFC 2474 (definition of the Differentiated Services Fields (DS Field) in the
IPv4 and IPv6 headers), RFC 2597 (Assured Forwarding PHB group), RFC 2598
(Express Forwarding PHB group)
unspecified: not specified,
a Coloring zone: to define or modify the coloring for type of Traffic and Criticality level:
PHB Group (DSCP): when DiffServ is the Service Type selected, the value for each
peer (type of Traffic and criticality level) is selected with drop-down list,
Precedence/TOS (b0b7): when ToS is the Service Type selected,
4-34
a display zone in the form of a table corresponding to the data previously entered.
October 2014
Type of traffic & Criticality level

Type of traffic
Real time
Service type
PHB
group
DSCP
value
TOS value
Top
Express
Forwarding
EF
101110
EF
101110
Medium
EF
101110
Low
EF
101110
AF11
001010
AF12
001100
Medium
AF21
010010
Low
AF22
010100
BE
000000
High
BE
000000
Medium
BE
000000
Low
BE
000000
Top
High
Background
ToS default
setting
Criticality
level
High
Transactional
DiffServ default setting
Top
Assured
Forwarding
Best Effort
Configuration: DiffServ and TOS default setting

By default, the coloring is named none and the Service Type is unspecified.
The entered values should correspond with the Class of Service of the Operator.
Coloring rules can also be created by importing them from a configuration file. Refer to
section Importing objects.
October 2014
4-35
Ipanema System
4. 7. 2. Configuring WAN Accesses

Operating procedure table: settings, ip|fast, DWS.
The WAN access describes the WAN line(s) connected to the CPE on the WAN side of an
ip|engine.
WAN access:
The WAN access window is displayed:
WAN access window
, the creation window of a new WAN access is displayed:
WAN access creation window
4-36
October 2014
This window contains the following input fields:
Name: character string used to identify the WAN access.

The same WAN access can be used on many different Sites. It is therefore advisable
to mention the type of link in its name (e.g.: MPLS..., ADSL...) and not the name
of a Site where it is used.
Ingress (LAN to WAN) max Bandwidth: maximum ingress throughput allocated at the WAN
interface of the CPE (in kbps),
Ingress (LAN to WAN) min Bandwidth: minimum ingress throughput that the tracking function
(see below) can track down (in kbps); if no value is entered, it is automatically set to half of the
max value,
Egress (WAN to LAN) max Bandwidth: maximum egress throughput allocated at the WAN
interface of the CPE (in kbps),
Egress (WAN to LAN) min Bandwidth: minimum egress throughput that the tracking function
(see below) can track down (in kbps); if no value is entered, it is automatically set to half of the
max value,
Coloring: selection, from a drop-down list, of the Coloring policy created in the Coloring
directory, to be applied. If there is no specific coloring (LS, Best effort), select "none". The
default is none.
Trust level: Routine or Business: in case of Dynamic WAN Selection (DWS), defines which type
of traffic is allowed to go through the Network Access Point (Routine and Business sensitivity
levels are also defined for each Application Group, where they are used in the path decision to
route traffic to a NAP with at least the same Trust Level).
Network Report key: this field allows ip|engines to be network aware in case of DWS: all WAN
accesses with the same Network Report key are attached to the same network, thus allowing
ip|engines to know which networks they have in common with the remote Sites (equipped or
tele-managed).
A WAN access which does not have the same Network Report key as the remote Site where
traffic is to be sent to (in the diagram below, the WAN access to Network 2 on ip|engine A, which
has to send traffic to B) will be classified as impossible, so the connectivity to this remote Site
via this WAN access will not even be tested (thus both simplifying the configuration and avoiding
errors for instance if a probing packet is forwarded to another WAN access).
Network Report key usage

In this diagram, ip|engine A can test connectivity and send traffic to B via Network 1 (where its
WAN access has Network Report key Net1), as B also has Network Report key Net1.
But A cannot send traffic to B via Network 2 (where its WAN access has Network Report key
Net2), because B does not have a Network Report key called Net2.
This field is optional, but its usage is highly recommended in case of DWS. If no Network Report
key is defined, the WAN accesses of the local Site will all be tested (with probing packets if
the remote Site is equipped, based on the received traffic if the remote Site is tele-managed),
regardless the existence of a link to the same network on the remote SIte.
The WAN access is a key parameter for Application Control, so it should be set very
carefully.
October 2014
4-37
Ipanema System
Bandwidth tracking
Congestion detection is key to know when and where to manage flows. Network available capacity
may also vary in time (DSL link, Frame Relay access, secondary link with a bandwidth different
from that of the primary link, etc.). The purpose of Bandwidth Tracking is to automatically and
dynamically estimate the available network capacity:
Bandwidth Tracking
Bandwidth tracking principles:
One independent BW tracker per potential congestion point.

Fast increase (real time), slow decrease (20 seconds steps; for example, it takes approximately
5 minutes to detect an HSRP switch from a 2 Mbps line to a 1 Mbps backup line).
Inputs:
Always: Usage profile (throughput) at potential congestion points.
When available: end-to-end QoS (delay, jitter, loss).
Output:
Available bandwidth for each potential congestion point.
ip|engines manage three potential congestion points between any pair of sites:
4-38
October 2014
Potential congestion points between any pair of sites

Bandwidth tracking activation:
By setting a minimum bandwidth lower than the maximum bandwidth, the tracking function will
automatically and dynamically estimate the actual value of the bandwidth between those two
values:
Bandwidth tracking activated (between 1000 and 2000 kbps)
A minimum of 0 is not recommended.
By setting a minimum bandwidth equal to the maximum bw, the tracking function will not execute:
Bandwidth tracking deactivated (constant bandwidth of 2000 kbps)
WAN accesses can also be created by importing them from a configuration file. Refer
to section Importing objects.
October 2014
4-39
Ipanema System
4. 7. 3. Configuring ip|engines and tele|engines

Operating procedure table, ip|fast, ip|xcomp, ip|xtcp, ip|xapp, IMA, smart|plan, DWS.
In this section, the term ip|engines also embraces tele|engines (unless otherwise
specified).
Indeed, a tele|engine (that is: there is no ip|engine installed on site) is created via the
ip|engine creation window, by simply checking the tele|engine box.
displayed:
ip|engines. The ip|engines list window is
ip|engines list window
ip|engines can be created as described below, or by importing them from a

configuration file. Refer to section Importing objects.
The number of ip|engines and tele|engines that can be created is limited by the
license. This number is displayed in the About window.

, the creation window of a new ip|engine is displayed. It contains
two tabs, General and Advanced:
4-40
October 2014
ip|engine creation window
October 2014
4-41
Ipanema System
The General tab contains five frames:

Site
Site name: character string used to identify the site the ip|engine belongs to (50 alphanumeric
characters max); if it is left blank, it is automatically filled in with the name of the ip|engine
(see below). Several ip|engines can belong to the same site (in case of clusters) so the Site
name does not have to be unique ; in this case, creating a report for the Site will automatically
create reports at the Site level (aggregating all the data from all ip|engines belonging to that
site) and on each individual ip|engine.
Local Internet Access: check the box if the Site provides an access to the Internet (avoids
having to use Out of Domain or to declare the 30 subnets of the Internet address space),
Reporting Hierarchy Folders and Tags
Folder: allows defining a first hierarchical level in the sites reports and in ip|dashboards flows
map,
Subfolder: allows defining a second hierarchical level in the sites reports and in ip|dashboards
flows map.
These two fields allow navigating in the reports (in ip|reporter) in two different ways:
The first browsing method does not use these two fields: by selecting Folders in
the drop-down list in ip|reporters main window, you can access the reports with the
following file system tree (4 hierarchical levels):
<Domain> / <type of MetaView> / <MetaView> / <time level, public/private>
As a consequence, in <Domain> / Sites, all sites are displayed together (sorted by
alphabetical order), without the possibility to sort them by geographical location for
instance:
ip|reporters Folders file system tree

The second browsing method allows to navigate in the sites reports with two additional
hierarchical levels, defined by these two fields: by selecting Navigation in the
drop-down list in ip|reporters main window, you can access the sites reports with the
following file system tree (two additional hierarchical levels):
<Domain> / Navigation / <Folder> / <Subfolder> / <MetaView> / <time level,
public/private>
(The <type of MetaView> level disappears, as this method is valid to access the
Sites reports only.)
thus allowing to easily find any site according to a two-layer classification (in the example
below, by continent first as defined in the field Folder and by country as defined
in the field Subfolder).
4-42
October 2014
The ip|engines created without filling those fields are grouped under the Unknown /
Unknown folder and subfolder names.
This method is very helpful on large networks, with hundreds or thousands of sites.
ip|reporters Navigation file system tree
Tags: free text field (250 characters max.)
ip|engine
Name: character string used to identify the ip|engine (50 alphanumeric characters max).
Several ip|engines can have the same Site name (in case of clusters of ip|engines on that
Site; see above). If it is left blank, it is automatically filled in with the IP address of the ip|engine.
Main public IP address: IP address of the ip|engine visible by ip|boss server for management
purposes (configuration, collection of the correlation records, supervision),
Main private IP address (if only the Main public address is declared, then the Main private
address is automatically allocated the same value): IP address of the ip|engine as it has been
locally configured (with the ipconfig command).
- In most cases (VPN, flat addressing, ...) only the Main public address is needed.
- In case of NAT, the two addresses must be different.
According to the MGT port being used or not, the Main addresses can be allocated to either the
LAN-to-WAN bridge (if the MGT port is not used in band management), or to the MGT port, if
used (out of band management):
October 2014
4-43
Ipanema System
In band mgt: Main IP address allocated to the LAN-to-WAN bridge
Out of band mgt: Main IP address allocated to the MGT port
IP addresses are not mandatory for a tele|engine.
4-44
Auxiliary public IP address (mandatory when the MGT port is used; must not be declared
otherwise): IP address of the ip|engine visible by other ip|engines for measurement (ip|true),
Application Control (ip|fast), redundancy elimination (ip|xcomp, signalling + tunnel), TCP
acceleration (ip|xtcp), CIFS acceleration (ip|xapp) and synchronization (ip|sync) purposes;
it allows for out of band management (using the Main address) but in band inter-ip|engines
messages (using the Auxiliary address),
October 2014
Auxiliary private IP address (option if only the Aux. public address is declared, then the
Aux. private address is automatically allocated the same value): IP address of the ip|engine as
it has been locally configured (with the ipconfig command) for the LAN-to-WAN bridge.
The Auxiliary addresses are allocated to the LAN-to-WAN bridge, when the MGT port is used (in
this case, the Main addresses are allocated to the MGT port). Refer to the second diagram above.
If no Auxiliary address is declared, the inter-ip|engines messages use the Main
address.
- In most cases (VPN, flat addressing, ...) only the Auxiliary public address is needed.
- In case of NAT, the two addresses must be different.
Report key: this field is optional. A report key field is used for SNMP and ip|reporter and
allows to define regrouping of ip|engines. An ip|engine belongs to only one regrouping.
For example, this field can be used to gather ip|engines according to:
a geographical criteria (all ip|engines in Europe, North America, Asia, Africa...).
the type of access line (all ip|engines with an access line at 64 kbps, 128 kbps, ....)
Auto-reporting: to allow (yes) or not (no) the reports created with the Automatic reporting
function to be added for this ip|engine. Refer to the Automatic reporting section.
tele|engine: check the box if there is no ip|engine on the Site (tele-managed site). A
tele|engine is characterized by an alias and an IP address; if no IP address is defined ip|boss
randomizes a virtual IP address with a 240.x.x.x prefix.
October 2014
4-45
Ipanema System
Network Access Point Configuration

This frame allows configuring the WAN access(es) on the Network Access Point(s); it contains the
Path Selection radio buttons and various input fields that depend on the selected Path Selection
method.
Path Selection allows enabling DWS (by selecting TOS or CPE; DWS must be allowed in the
license) or the multipath feature (by selecting L1 Transparent or L2 Transparent). To enable
these features, ip|fast must be checked in the Services frame (otherwise Path Selection can only
be Disabled). The green corners indicate the fields to be filled, depending on the methods.
Path Selection: Disabled (default value): disables DWS and the multipath features:
Path Selection: Disabled

It is typically the case of an ip|engine with 1 LAN connection, 1 WAN connection and 1 NAP
only (most basic configuration), or of an ip|engine with 2 LAN connections, 2 WAN connections
and 1 NAP:
Single LAN, Single WAN, Single NAP
Multi LAN, Multi WAN, Single NAP

It is the only option when ip|fast is not checked in the Services frame. So it also applies to an
ip|engine with 2 LAN connections, 2 WAN connections and 2 NAPs, but which is only measuring
the traffic (it will not measure the traffic NAP by NAP individually, but globally on the two NAPs):
Multi LAN, Multi WAN, Multi NAP measured as a Single one

Only one WAN access has to be configured (WAN access 1), corresponding to NAP 1 or to the
sum NAP 1 + NAP 2 in the diagrams above, and it has no attribute:
WAN access 1: name of the NAPs WAN access (mandatory).
4-46
October 2014
Make sure the throughput of the selected WAN access corresponds to the
actual throughput of the physical line, at layer 3. Should it not be the case,
congestions may not be detected, so ip|fast may not avoid them and may
not protect critical applications as expected.
Path Selection: TOS (ip|fast must be checked in the Services frame to allow selecting it):
allows configuring two or three WAN accesses for DWS, with their corresponding TOS values;
TOS values are chosen from a drop down list (xxxx01xx, xxxx10xx or xxxx11xx); the CPE router
has to be configured with the corresponding PBR rules, to route the packets accordingly:
Path Selection: TOS

It should be selected when DWS is used on a site with a layer 3 device between the ip|engine
and the two or three WAN routers (DWS TOS):
Single LAN, Single WAN, Multi NAP, DWS TOS
October 2014
4-47
Ipanema System
Path Selection: CPE (ip|fast must be checked in the Services frame to allow selecting it): allows
configuring two or three WAN accesses for DWS, with the IP addresses of the corresponding
CPE routers:
Path Selection: CPE

The ip|engine will send the traffic to the selected CPE routers in Ethernet frames changing the
routers MAC addresses depending on the selection. For this reason, there must be no layer
3 device between the ip|engine and the CPE routers (there can be either a layer 2 device, or
a direct connection; DWS then rewrites the MAC address of the CPE router, hence the other
name often given to that method, DWS MAC). This method is easier than DWS as there is no
need to configure PBR rules on any router.
Deployment cases:
Single LAN, Single WAN, Multi NAP, DWS MAC
Single LAN, Multi WAN, Multi NAP, DWS MAC
Multi LAN, Multi WAN, Multi NAP, DWS MAC
4-48
October 2014
Path Selection: L1 Transparent (ip|fast must be checked in the Services frame to allow
selecting it): allows configuring two WAN accesses, managed independently, without path
selection (neither dynamic no DWS nor static) no attribute (TOS or CPE) is required:
Path Selection: L1 Transparent

It should be selected when the ip|engine has two LAN connections and two WAN connections,
and is required to manage the two paths [LAN 1 WAN 1] and [LAN 2 WAN 2] independently
(hence the name: layer 1 transparent). No path selection is made by the ip|engine, at all (of
course DWS is not used):
Multi LAN, Multi WAN, Multi NAP, no path selection
Path Selection: L2 Transparent (ip|fast must be checked in the Services frame to allow
selecting it): allows configuring two or three WAN accesses with router-based path selection
(no DWS), with the IP addresses of the corresponding CPE routers:
Path Selection: L2 Transparent

It should be selected on sites with several WAN accesses, with no layer 3 device between
the ip|engine and the two or three WAN routers (there can be either a layer 2 device, or a
direct connection), and when the customer does not want to use DWS. Then the ip|engine
can manage the links individually, selecting the ones to use based on the LAN devices
default gateways (that they learn thanks to their MAC addresses hence the name: layer 2
transparent), without requiring an additional switch:
Multi LAN, Multi WAN, Multi NAP, path selection, no DWS
Single LAN, Multi WAN, Multi NAP, path selection, no DWS
October 2014
4-49
Ipanema System
Multi LAN, Multi WAN, Multi NAP, path selection, no DWS
The bandwidth is an important factor for Application Control: make sure all WAN
accesses are correctly configured.
Services
This frame allows defining the ip|engines capabilities. It contains the following check boxes:
Checking these boxes does not activate the corresponding services: it configures the
ip|engines to run them when they are activated in the Service activation window.
Administrative State: measurement service (ip|true) selection:

enable: ip|engine activated,
disable: ip|engine deactivated.
ip|fast: Application Control service selection, if checked;

Checking ip|fast on a tele|engine enables ip|coop for this tele-managed site.
To enable all the following services, ip|fast must be enabled (all of them leverage
ip|fast).
ip|xcomp compress: compression service selection, if checked (**);

ip|xcomp decompress: decompression service selection, if checked (**);
ip|xtcp: TCP acceleration service selection, if checked (*);
ip|xapp: CIFS acceleration service selection, if checked (**);
IMA: Ipanema Mobile Agent selection, if checked;
IMA service must be activated on both the IMA server side (i.e., on the ip|engine acting as an
IMA server) and the IMA client side (i.e., on the tele|engine or nano|engine or, possibly,
ip|engine configured on the site with IMA clients);
smart|plan: Smart Planning service selection, if checked (*);
* These services are not available for tele|engines.

** These services are available on tele-managed sites on PCs or laptops running IMA.
4-50
October 2014
Advanced tab
This tab contains two frames:
ip|engine creation window, Advanced tab
Redundancy Elimination Method
Zero Delay: ZRE is enabled.

Standard: SRE is enabled.
By default, both methods of redundancy elimination are enabled (when ip|xcomp is checked in
the Services frame in the General tab).
We do not recommend to change the default settings without advice from the Ipanema
Support.
Custom
Custom tag: free text field.
October 2014
4-51
Ipanema System
4. 7. 4. Configuring Topology subnets

Operating procedure table: settings, ip|true service
Topology subnets describe the network topology and are used by ip|engines, nano|engines and
virtual|engines to classify, measure and control the traffic.
They correspond to the IP subnets of all sites, equipped (sites with ip|engines, nano|engines or
virtual|engines) and tele-managed (sites with tele|engines).
Topology subnets on equipped sites are automatically discovered by the system, so they do not
have to be configured. Yet, they can be configured, if needed.
If Topology subnets that have been automatically discovered are also
configured, it is the configuration that prevails.
If the discovered Topology subnets and the configured Topology subnets do
not match, an alarm is raised (see 5.2.1.2. Single ip|engine status).
Topology subnets that are discovered are not displayed in the Topology
subnets window.
SA Site throughput report and the Discovery feature help check the
Topology subnets on equipped sites.
Topology subnets on tele-managed sites must be configured.

All Topology subnets must be configured. For instance, if 10.1.1.0/24 and
10.1.2.0/24 are present on site A (but 10.1.3.0/24 is on another site, B), then you
must configure two Topology Subnets on site A, one for 10.1.1.0/24 and one for
10.1.2.0/24 (but do not configure one global Topology Subnet instead (10.1.0.0/16),
as it would also include 10.1.3.0/24, which is in site B).
Topology Subnets:
The Topology Subnets list window is displayed.
Topology Subnets list window
4-52
October 2014
, the creation window of a new Topology subnet is displayed.
Configuring Topology subnets

It contains the following input fields:
Name: string of characters used to identify the Topology subnet (50 non extended ASCII
characters maximum),
Network prefix: Topology subnet prefix,
Prefix length: length of the prefix of the Topology subnet (value between 0 and 32),
Associated site: site this subnet belongs to, to be selected from a drop-down list.
Administrative State:
enable: Topology subnet taken into account,
disable: Topology subnet not taken into account.
Topology subnets can also be created by importing them from a configuration file. Refer
to section 4.6.2. Importing objects.
October 2014
4-53
Ipanema System
4. 7. 5. Configuring ip|sync (time synchronization)

Operating procedure table: ip|sync service
ip|sync is used for the time synchronization of the ip|engines through the network, and time
synchronization is used for delays measurements. An ip|engine is synchronized when the offset
with its source is less than 10 ms (by default; this value can be changed).
Time synchronization uses three levels:
A Time server, which can be an external clock reference (NTP) or an ip|engine of the Domain,
is used as the main synchronization source,
Synchronization servers, which are ip|engines of the Domain (use several for redundancy
reasons), get their synchronization from the Time server and propagate it to all the other
ip|engines of the Domain,
All other ip|engines of the Domain get their synchronization from the Synchronization servers
(without any out of Domain connection).
This architecture allows GPS-less Domains, out of Domain synchronization and short term no
time function (a Domain can be disconnected from its Time server, the Synchronization servers
will remain synchronized to each other, thus making higher resiliency).
Time servers
can be either ip|engines, ip|boss or External NTP servers,

must be delivering a consistent time between each other,
if an ip|engine is a Time Server, it will use its local ITP configuration.
if a Time server is an external NTP server, the ITP port must be tuned to 123 (Sentry
Tuning section in the __active__.ipmconf ip|boss configuration file).
Synchronization servers
must be Domain ip|engines,

will not use their local reference,
share their clocks with their peers (all other synchronization servers).
An ip|engine can be declared as both a time server and a synchronization server.
4-54
October 2014
Configuration
ip|sync:
The Time and Synchronization servers window is displayed.
Time and Synchronization servers window

Time server directory
Server: allows entering the IP address of an NTP server (several ones can be declared, but it
is not recommended); enter an address then click the + sign.
ip|engine: allows selecting an ip|engine as a time server (select one only).
Declare a Server or an ip|engine.
Select one or the other, do not select an NTP server and an ip|engine.
Synchronization server directory
ip|engine: allows selecting ip|engines as ITP servers (choose three or four, for redundancy
reasons).
the right frame displays the selected ITP servers for the Domain.
October 2014
4-55
Ipanema System
4. 7. 6. Scripts
Scripts are described in the SUPERVISION section: 5.2.3. Scripts.
4. 7. 7. Tools
The System provisioning toolbar provides a
Tools menu, with four functions:
Tools
They are described in the following sections:
4-56
Software upgrade: 5.3.2. ip|engine software upgrade.

Reboot: 5.3.1. Rebooting.
Security status: 5.2.4. Security.
Advanced configuration: 4.7.8. Configuring DWS.
October 2014
4. 7. 8. Configuring DWS (Tools / Advanced conf.)

Operating procedure table: DWS
DWS fully supports asymmetric routing. Path selection is based packet per packet, so a single
session can use several Ingress WAN accesses and several Egress WAN accesses. Yet, there
can be constrains (e.g. stateful firewalls) to:
always use the same Ingress WAN access,

always use the same Egress WAN access as Ingress WAN access (remote sites).
Tools, then the Advanced configuration tab.

DWS advanced configuration window is displayed:
DWS advanced configuration window

It contains three parameters:
These three parameters can be overwritten for each Application Group, thanks to the
Application Group configuration windows Advanced tab (refer to 4.10.5.4. Application
Groups advanced tab).
Sensitivity policiy: matching Application Groups sensitivities with WAN accesses Trust Levels
depends on a policy which can be changed here.
Sensitivity policies allows to choose between three policies:
- Preferred
(default):
A Business AG will be sent on a Business NAP,

a Routine AG will be sent on a Routine NAP
preferably, ...
... except when connectivity is down or when
Qos/BW criteria cannot be met.
There is a decision threshold based on QoS/BW
evaluation.
- Strict:

a Routine AG will be sent on a Routine NAP
(always).
If it is not possible, then no decision is made (the
traffic is bridged as is).
There is no possible backup.
- Backup:

a Routine AG will be sent on a Routine NAP, ...
... except when connectivity is down, in which case a
NAP with a different Trust level can be used.
October 2014
4-57
Ipanema System
- no:
both half-connections are independent (from DWS

perspective) and can use different NAPs.
(this value is called Free in the Application Group
Return path parameter)
- yes
(default):
always use the same Egress NAP as Ingress:

Ingress half-connection (SYN+ACK) will use the
observed NAP for the peer Egress half-connection
(SYN).
(this value is called As received in the Application
Group Return path parameter)
4-58
Return path:
NAP selection policy:
- Per Packet:
decision is made packet per packet (different packets

from a single session can use different paths).
note: this is not recommended on heterogeneous
networks
- Per Session
(default):
always use the same Ingress NAP (all following

packets of the same session will re-use the initially
chosen NAP)
October 2014
4. 8. APPLICATION PROVISIONING
4. 8. 1. Configuring User subnets
Operating procedure table: settings, ip|true service, ip|fast service
User Subnets can be used for Application Visibility and for Application Control, so as to identify
specific hosts, servers or subnets on which measurement, control or reporting is required. They can
be used as filters, once created, in the applications, Application Groups and MetaViews definitions.
User subnets are not mandatory. Create them only in case of specific subnets or hosts.
In the Application provisioning Toolbar, select
User subnets:
The User subnets list window is displayed (it is empty by default).

, the creation window of a new User subnet is displayed.
Configuring User subnets

It contains the following input fields and check boxes:
Name: string of characters used to identify the user subnet,

Network prefix: user subnet prefix,
Prefix length: length of the prefix of the user subnet,
Enable: user subnet taken into account,
Disable: user subnet not taken into account,
October 2014
4-59
Ipanema System
4. 8. 2. Configuring Types of service (TOS)

Operating procedure table: settings, ip|true service, ip|fast service
TOSs can be added to, removed from or modified in this dictionary. This dictionary is useful only
when the packets are colored by the source (IP-Phone for instance).
This dictionary can be used for measurement (ip|true) and Application Control (ip|fast).
TOS:
The Types Of Service window is displayed (it is empty by default).

, the creation window of a new TOS is displayed.
Configuring TOS
TOS that are not explicitly named in the dictionary are implicitly grouped into the Other category.
The TOS window contains the following input fields and click boxes:
Name: to identify a specific TOS value (string of characters),

Mode: to select TOS field mode of use:
TOS: specifies the Type of Service,
DSCP: specifies the "Code point" for a DiffServ type of service,
According to the selected mode (TOS or DSCP):

TOS/CP: 8 bits field, value: 0, 1, X (dont care),
DSCP: 6 bits field, value: 0, 1, X (dont care).
4-60
October 2014
4. 8. 3. Configuring Applications
Operating procedure table: settings, ip|true service , ip|fast service
A default applications dictionary is available for each configuration. Applications can be added to,
removed from or modified in this dictionary.
This dictionary is used by the ip|true and ip|fast functions.
Applications:
The applications window is displayed.
Applications window
The recognized protocols are displayed on the left, grouped by types,

The Applications dictionary is displayed on the right.
The Applications dictionary specifies the applications that are recognized.
4. 8. 3. 1. Application recognition
The Ipanema System recognizes application flows using the opening negotiations of the
client/server session conversation (SYN, SYN-ACK, ACK, i.e. layers 3 and 4 information), then it
checks the syntax of the application (layer 7 information) thanks to a syntax engine to uniquely
identify it without any possible error, regardless the ports being used; this also allows to classify
particular applications (such as Codecs, published application names, peer-to-peer applications,
URLs or URIs, etc.)
October 2014
4-61
Ipanema System
The ip|engines syntax engine uses DPI (deep packet inspection) to detect application signatures
data patterns that uniquely identify a particular application. (Mechanisms such as this are also
commonly used for virus recognition.) We are inspecting the start of the conversation (and only the
start) to detect these patterns to classify the applications.
It is also possible to declare applications on the ports being used (you have defined an application
as traffic on a specific port/server); in this case, it is the port number that prevails to regnosize the
application.
When an ip|engine has not observed this start of the conversation, or if the application cannot
be recognized thanks to its syntax or declared port number, it falls back to RFC1700 ("well known
ports" definition).
So the order of recognition of applications is as follows:
1) Declared Port (you have defined an application as traffic on a specific port/server)

2) Syntax engine (the Ipanema System uses its inbuilt application detection capabilities)
3) Well known port (RFC 1700)
Applications that are not recognized or enabled in the dictionary are implicitly grouped on their
lower layer protocol (e.g. TCP or UDP).
4. 8. 3. 2. Recognized applications, by alphabetical order

A
4-62
Adobe Connect
- (Unified Communications)
AIM Express
AIM Transfer
- (transferring and sharing)
Altiris
AOL Instant Messenger
Applejuice
- (peer-to-peer)
Ares
- (peer-to-peer)
Audiogalaxy
- (deprecated)
AVG
- (anti-virus)
AVG Updates_
- (specific TCP port number, in Transport Layer Protocols)
Avira
- (anti-virus)
BBC iPlayer
- (streaming)
BGP
Border Gateway Protocol (routing)
Bitdefender
- (anti-virus)
BitTorrent
- (peer-to-peer)
Cisco Unified
MeetingPlace
Cisco Unified
MeetingPlace_
Citrix
and Citrix published applications (thin client)
COTP
Connection Oriented Transfer Protocol (ISO) (Network

Services)
CUPS
Common Unix Printer System (transferring and sharing)
Dailymotion
HTTP web site (Cloud Protocols)
October 2014
DCERPC
Distributed Computing Environment Remote Procedure Call

(transferring and sharing)
DHCP
Dynamic Host Configuration Protocol (Network Services)
Diameter
- (AAA)
DICT
Dictionary Server Protocol (deprecated)
DIMP
Dynamic Internet Messaging Program (Mail Services)
DirectConnect
- (peer-to-peer)
DNS
Domain Name Service (Network Services)
DRDA
Distributed Relational Database Architecture
Edonkey
- (peer-to-peer)
EIGRP
Enhanced Interior Gateway Routing Protocol (Network

Services)
End Point Mapper
- (Application Services)
EtherIP
- (tunneling)
Exchange
= MAPI (mail services)
Facebook
Filetopia
- (peer-to-peer)
Flash
- (streaming)
Foxy
- (peer-to-peer)
FTP
File Transfer Protocol (transferring and sharing)
FTPS
Secure FTP (transferring and sharing)
F-Secure
- (anti-virus)
F-Secure Online
Backup_
G.711a
audio/PCMA; RTP/RTCP attribute (Unified Communications)
G.711u
audio/PCMU; RTP/RTCP attribute (Unified Communications)
G.723
audio/G723; RTP/RTCP attribute (Unified Communications)
G.729
audio/G729; RTP/RTCP attribute (Unified Communications)
GIOP
General Inter-ORB Protocol (Corba) (middleware)
GIOPS
Secure GIOP (middleware)
Gizmo
GNUnet
- (peer-to-peer)
Gnutella
- (peer-to-peer)
GoBoogy
- (peer-to-peer)
Google Apps
HTTPS web site (Cloud Protocols)
GooglePlus
GoToMeeting
GoToMeeting_
GRE
Generic Routing Encapsulation (tunneling)
October 2014
4-63
Ipanema System
J
K
4-64
GTP
GPRS Tunneling Protocol
H.225
H.245
HSRP
(Cisco) Hot Standby Router Protocol (Network Services)
HTTP
HyperText Transfer Protocol (Cloud protocols)
HTTP tunnel
- (tunnelling)
HTTPS
Secure HTTP (Cloud protocols)
IAX
iCall
IBM-DB2
- (database)
IBM Informix
- (database)
IBM Lotus Sametime
Icecast
- (streaming)
ICMP
Internet Control Message Protocol (Network Services)
ICQ
I seek you (deprecated)
Identification protocol
- (AAA)
IGMP
Internet Group Management Protocol (Network Services)
IMAP
Internet Message Access Protocol v4 (Mail services)
IMAPS
Secure IMAP (Mail services)
iMesh
- (peer-to-peer)
IPComp
IP Payload Compression Protocol (Transport Layer)
IPP
Internet Printing Protocol (transferring and sharing)
IPSec
IP Secure (tunneling)
IRC
Internet Relay Chat (Unified Communications)
IRCS
Secure IRC (Unified Communications)
ISAKMP
Internet Security Association and Key Management Protocol

(AAA)
Jabber
JetDirect
Kaspersky
- (anti-virus)
Kazaa
- (peer-to-peer)
Kerberos
- (AAA)
KuGou
- (peer-to-peer)
L2TP
Level 2 Tunneling Protocol (tunneling)
LDAP
Lightweight Directory Access Protocol (AAA)
LDAPS
Secure LDAP (AAA)
Linkedin
Load Balancing
- (deprecated)
October 2014
Lotus Notes
- (Mail services)
LPR
Line Printer Daemon (transferring and sharing)
Mainframe CFT
Manolito
- (peer-to-peer)
MAPI
MS Exchange Mail API (Mail services)
McAfee
- (anti-virus)
MCS
Multipoint Communication Service (deprecated)
MGCP
Media Gateway Control Protocol (Unified Communications)
Microsoft ActiveSync
Microsoft Office Groove
- (Application Services)
MMS
Microsoft Multimedia Streaming (Unified Communications)
MobiLink
- (database)
Mount
MPEG-TS
MS Communicator
MS SQL
= TDS (database)
MS Exchange
= MAPI (Mail services)
MSN
MSN Messenger (Unified Communications)
Mute
- (peer-to-peer)
MySQL
- (database)
Napster
- (deprecated)
NARP
NBMA Address Resolution Protocol (Network Services)
Netbios
- (Network Services)
Netflow
NFS
Network File System (transferring and sharing)
NLockMgr
Network Lock Manager (transferring and sharing)
NNTP
Network News Transport Protocol (Unified Communications)
NNTPS
Secure NNTP (Unified Communications)
NOD32
- (anti-virus)
Norton
- (anti-virus)
NSPI
Name Service Provider Interface (Application Services)
NTP
Network Time Protocol (Network Services)
OCSP
Online Certificate Status Protocol (AAA)
OpenFT
- (deprecated)
openVPN
- (tunnelling)
Oracle - SQL Net
Transparent Network Service (database)
OSPF
Open Short Path First (routing)
ooVoo
October 2014
4-65
Ipanema System
Q
R
4-66
PalTalk
Panda
- (anti-virus)
Pando
- (peer-to-peer)
PC Anywhere
- (thin client)
PIM
Protocol Independent Multicast (routing)
Pinterest
POP3
Post Office Protocol v3 (Mail services)
POP3S
Secure POP3 (Mail services)
Portmap
Port Mapper (Application Services)
Postgres
- (database)
PPP
Point-to-Point Protocol (tunneling)
PPTP
Point-to-Point Tunneling Protocol (tunneling)
Printer_ipp
= IPP (transferring and sharing)
Q.931
Quake
(game, deprecated)
RADIUS
Remote Authentication Dial-In User Service (AAA)
Radmin
- (Thin Client)
RDP
Remote Desktop Protocol (Windows Terminal Server) (thin

client)
RDT
Real Data Transfer (Unified Communications)
Remote Shell
- (thin client)
RFB
Remote Frame Buffer (VNC) (thin client)
RIP v1, v2, ng
Routing Information Protocol
RLogin
Remote Login (thin client)
RLP
Resource Location Protocol (Network Services)
RPC
Remote Procedure Call (middleware)
RQuota
RSH
= Remote Shell (thin client)
RStat
RSS
Rich Site Summary, often dubbed Really Simple Syndication

(Cloud Protocols)
RSVP
ReSerVation Protocol (Network Services)
RSync
Remote synchronous (transferring and sharing)
RTMP
Real-Time Messaging Protocol (Unified Communications)
RTP/RTCP
Real Time (Control) Protocol (Unified Communications)
RTSP
Real Time Streaming Protocol (Unified Communications)
RUsers
Salesforce
SAP
SAP AGs Enterprise Resource Planning (ERP) software
October 2014
SCTP
Stream Control Transmission Protocol (Transport layer

protocols)
SharePoint
Sharepoint 2010_
SHOUTcast
Siebel
- (Enterprise Applications)
Silverlight
- (streaming)
SIP
Session Initiation Protocol (Unified Communications)
Skinny Client Control

Protocol
Skype
SLP
Service Location Protocol; = SrvLoc (Application Services)
SMB
Server Message Block (Windows File Server) (transferring

and sharing)
SMTP
Simple Mail Transfer Protocol (Mail services)
SMTPS
Secure SMTP (Mail services)
SNMP
Simple Network Management Protocol (Network Services)
SOAP
Simple Object Access Protocol (middleware)
Socks
Sockets (tunneling)
SopCast
- (peer-to-peer)
Soulseek
- (peer-to-peer)
SrvLoc
Service Location Protocol (Application Services)
SSDP
Simple Service Discovery Protocol (Application Services)
SSH
Secure Shell (thin client)
SSL
Secure Socket Layer (Transport Layer)
STUN
Simple Traversal of UDP through NATs (tunnelling)
Sybase
- (database)
Sync
Syslog
T38
TCP
Transmission Control Protocol (Transport Layer)
TDS
Tabular Data Stream, or MS SQL (database)
Telnet
- (thin client)
TelnetS
Secure Telnet (thin client)
TFTP
Trivial File Transfer Protocol (transferring and sharing)
TIBCO-RV
TIBCO Rebdez-Vous protocol (Middleware)
TNVIP
- (thin client)
TrendMicro
- (anti-virus)
TrendMicro Updates_
October 2014
4-67
Ipanema System
Twitter
UCP
Universal Computer Protocol (Unified Communications)
UDP
User Datagram Protocol (Transport Layer)
URL
Uniform Resource Locator, as an HTTP attribute
uTP
see Torrent
VMWare
- (thin client)
VNC
= RFB (thin client)
Voddler
- (streaming)
VRRP
Virtual Router Redundancy Protocol (Network Services)
Webex
Webex_
WINMX
- (peer-to-peer)
WINS
X.11
(XWindows) (thin client)
XML-RPC
Remote Procedure Call using eXtensible Markup Language

(Cloud Protocols)
XoT
X.25 over TCP (tunneling)
Yahoo Messenger
YouTube
YPPasswd
Yellow Pages Password (AAA)
YPServ
Yellow Pages Server (AAA)
YPUpdate
Yellow Pages Update (transferring and sharing)
Torrent
- (peer-to-peer)
Recognized applications, by alphabetical order
4-68
October 2014
4. 8. 3. 3. Recognized applications, by type

Anti-Virus
AVG, Avira, Bitdefender, F-Secure, Kaspersky, McAfee, NOD32,

Norton, Panda, TrendMicro
Application Services
End Point Mapper, Microsoft Office Groove, NSPI, Port Mapper,

SrvLoc, SSDP
Authentication
Authorization
Accounting
Diameter, Identification Protocol, ISAKMP, Kerberos, LDAP, LDAPS,

OCSP, RADIUS, YPPasswd, YPServ
Cloud Protocols
HTTP (with specific recognition for Dailymotion, Facebook and

YouTube), HTTPS (with specific recognition for Google Apps,
GooglePlus, Linkedin, Pinterest, Salesforce and Twitter), RSS,
XML-RPC
Database
DRDA, IBM-DB2, IBM Informix, MobiLink, MySQL, Oracle, Postgres,

Sybase, TDS (= MS SQL)
Deprecated
Audiogalaxy, DICT, ICQ, Load Balancing, MCS, Napster, OpenFT,

Quake
Enterprise Apps
SAP, Siebel
Mail Services
DIMP, IMAP, IMAPS, Lotus Notes, MAPI (MS Exchange), POP3,

POP3S, SMTP, SMTPS
Middleware
GIOP, GIOPS, RPC, SOAP, TIBCO-RV
Network Services
COTP, DHCP, DNS, EIGRP, HSRP, ICMP, IGMP, NARP, Netbios,

Netflow, NTP, RLP, RSVP, SNMP, Syslog, T38, VRRP
Peer to Peer
Applejuice, Ares, BitTorrent, DirectConnect, Edonkey, Filetopia,

Foxy, GNUnet, Gnutella, GoBoogy, iMesh, Kazaa, KuGou, Manolito
(MP2P), Mute, Pando, SopCast, Soulseek, WINMX, Torrent (uTP)
Routing Protocols
BGP, OSPF, PIM, RIP v1, RIP v2, RIPng
Streaming
BBC iPlayer, Flash, Icecast, Silverlight, Voddler
Thin Client
Citrix (possibility to recognize Citrix published applications), PC

Anywhere, Radmin, RDP, Remote Shell, RFB (VNC), Rlogin, SSH,
Telnet, TelnetS, TNVIP, VMWare, X.11
Transferring and
Sharing
AIM Transfer, Altiris, CUPS, DCERPC, FTP, FTPS, IPP, JetDirect,

LPR, Mainframe CFT, Microsoft ActiveSync, Mount, NFS, NLockMgr,
RQuota, RStat, RSync, RUsers, SharePoint, SMB, Sync, TFTP,
WINS, YPUpdate
Transport Layer
Protocols
IPComp, SCTP, SSL, TCP (with specific recognition for AVG Antivirus
Updates, Cisco Unified MeetingPlace, F-Secure Online Backup,
GoToMeeting, Sharepoint 2010, TrendMicro Antivirus Updates and
Webex), UDP
Tunneling
EtherIP, GRE, GTP, HTTP tunnel, IPSec, L2TP, openVPN, PPP,

PPTP, Socks, STUN, XoT
Unified Communications
Adobe Connect, AIM Express, AOL Instant Messenger, Cisco Unified

MeetingPlace, Gizmo, GoToMeeting, H.225, H.245, IAX, IBM Lotus
Sametime, iCall, IRC, IRCS, Jabber, MGCP, MMS, MPEG-TS, MS
Communicator, MSN Messenger, NNTP, NNTPS, ooVoo, PalTalk,
Q.931, RDT, RTMP, RTP/RTCP (G.711a, G.711u, G.723, G.729),
RTSP, SHOUTcast, SIP, Skinny Client Control Protocol, Skype, UCP,
Webex, Yahoo Messenger. Dynamic Codecs (Audio and Video, such
as H.264, Speex, etc., by inspection of SIP signalling)
Recognized applications, by type
October 2014
4-69
Ipanema System
4. 8. 3. 4. Creating new applications

The system recognizes about 200 protocols (HTTP, ICMP, FTP, RTP/RTCP, H.225, SAP, Citrix,
Skype, VMware....; refer to the comprehensive list in the tables above).
New applications can be created, described by a protocol plus an attribute, possibly on certain
subnets or hosts specifically:
Applications that are not recognized by ip|engines, and not explicitly named and
enabled in ip|boss Applications dictionary are implicitly grouped on the lower layer
protocol (e.g. TCP or UDP).
, the creation window of a new application is displayed:
Creation of a standard application

The Application window contains the following input fields:
Name: character string used to identify the application,

Enable: application taken into account,
Disable: application not taken into account,
Protocol: protocol is to choose from a drop list,

Attribute: depends on the protocol; this field is enabled or not and allows the access to a list
or free fields,
for TCP or UDP: Port(s): port numbers as they appear in the Server port fields of
TCP/UDP headers (either source or destination). This field can contain several ports,
separated by a ;, or a range of ports, separated by a -.
4-70
October 2014
for HTTP: URL (www.ipanematech.com for example)

Do not start the URL by http://.
You can put a URL like *.ipanematech.* (see below).
Syntax:
?
a unique character
any character string (included empty)
shortest word (non empty, separated by spaces)
longest word (non empty, separated by spaces)
separator in a list
Examples:
www.google.fr
any URL of the site
www.google.*
all google incarnations (.fr, .com, .de .... )
www.google.*/*.gif
all .gif documents in any page of any google
*/*.gif
all .gif documents in any page of any server
Specific cases:
host/*
"any" URI
host/
empty URI
*/full/uri
"any" HOST
/full/uri
empty HOST
for HTTPS: Common Name (usually the FQDN (Fully Qualified Domain Name) of the
web site; it is displayed in the Certificate):
Example of HTTPS Certificate, with *.ipanematech.com as a CN
October 2014
4-71
Ipanema System
for Citrix: Application(s): name of published applications (Word, Excel for example)
when the applications are not multiplexed in the same TCP session.
for RTP/RTCP: Predefined codecs: name of an audio or video codec, to be selected
from a drop-down list with predefined codecs:
Predefined codecs
Codec: name of an audio or video codec, to be written with the following syntax:
audio/<audio codec name> or video/<video codec name> (for instance, to create
the speex codec, enter audio/speex).
To be able to recognize the dynamic codecs (as per RTP), SIP signalling
needs to be decoded, so SIP application recognition must be enabled.
For other protocols, no information is necessary. so there is no attribute.
User Subnets filter: this optional parameter can be used to identify an application by the IP
address of a server or client, or list of servers or clients (ex: SAP). It is possible to choose the
server or client from a drop-down list of the User subnets, or directly:
User Subnets List: choose the subnet or host in the list of User subnets to be associated
with the application by selecting them and pushing them to the right frame with the single
right arrow (selected User subnets only) or double right arrow (all User subnets),
Prefix/Length: set the subnet with the following notation X.X.X.X/Y where X.X.X.X is
the IP address and Y the length integer between 0 and 32; a list of IP addresses can be
configured (; separator).
C/S Side: specify if the application must be recognized on the server side or on the client
side (it is recognized on the Server side by default).
4-72
October 2014
4. 8. 3. 5. Order of recognition
When describing different applications using the same protocol (e.g. for HTTP: Intranet (=
intranet.company.com), Internet corporate (= *.company.com) and Internet (= the rest of http)),
place the more specific applications first (the Intranet, then Internet corporate in the example)
and the generic one after (the Internet), so that the specific ones can be recognized as such.
This ordering is achieved by selecting an application and by moving it up with the left blue arrow
(move up) if it is more specific than the one above it, or moving it down with the right blue
arrow (move down) if it is more generic than the one below it, and by repeating this for as many
applications as necessary until they are all sorted from the most specific one (at the top) to the
most generic one (at the bottom).
Moving applications to place the more specific ones above the more generic ones
October 2014
4-73
Ipanema System
4. 8. 4. Configuring QoS Profiles

Operating procedure table: settings, ip|true service , ip|fast service
This dictionary is used for measurement (ip|true) and for Application Control (ip|fast).
QoS profiles:
The QoS Profiles list window is displayed.
QoS Profiles list window

The settings made in this window enable to define the QoS objectives. A QoS objective associated
with an Application Group is used by the system to measure (ip|true) and control (ip|fast) the traffic
according to the application requirements.
4-74
October 2014
By clicking on the New icon
, the creation window of a new QoS Profile is displayed.
QoS Profiles window

This window contains the following input fields:
Name: to identify the QoS profile (character string),

Type: to characterize application flow type:
real-time: real-time flow (VoIP, video) sensible to delay, jitter and loss,
transactional: transactional flow (SAP, Telnet), sensible to delay,
background: other than those listed above,
Session B/W (kbps): to specify the bandwidth per session; the value is used by ip|fast,
Obj. (objective): nominal bandwidth per session (mandatory parameter).
The objective bandwidth per session is operational during congestion.
Max. (maximum): maximum bandwidth allowed per session (not mandatory).

If it is not defined, a value of 500 times the Objective is applied.
Most of the time, the limit remains the WAN access so the user can rarely
experience this parameter. It can only be observed when:
the customer declares a low objective (e.g. 20 kbps)
and the WAN access is large, with low activity (e.g. 100 Mbps available)
and there are only a few sessions (based on that QoS Profile) running at
that moment.
If it is defined, it always applies when ip|fast is enabled (i.e., even when there is
no congestion and when ip|fast does not control the bandwidth).
Delay (ms), Jitter (ms), Packet loss (%), SRT (server response time, ms), RTT (round trip
time, ms), TCP retrans. (%): to specify, for each flow, the Objective and Maximum values for
that QoS profile. These parameters are enabled or not by checking the boxes or not,
October 2014
4-75
Ipanema System
These information can be used by the Application Group reporting to control the QoS associated
with each Application Group.
all values <
< at least 1 value <
Obj.
Max.
< at least 1 value
acceptable
Correct
unacceptable
Interpretation of Obj. and Max. criteria for Delay, Jitter, Loss, SRT, RTT and TCP retrans.
Name
Type
Session
BW (kbps)
Delay
(ms)
Default
Bg
30-600
200-1000
File transfer
Bg
50-1000
Business
Tr
Thin client
Jitter
(ms)
Packet
Loss
(%)
RTT (ms)
TCP
retrans.
(%)
1-10
400-2000
1-10
500-1000
1-10
1000-2000
1-10
50-500
200-500
1-5
400-1000
1-5
Tr
40-400
100-500
1-5
200-1000
1-5
Mail
Bg
50-1000
500-2000
1-10
1000-4000
1-10
Net services
Bg
20-200
100-500
1-10
200-1000
1-10
Web
Tr
40-400
200-1000
1-10
400-2000
1-10
Voice
RT
90-120
100-200
Video stream.
RT
150-200
200-1000
400-2000
1-5
50-100
SRT
(ms)
0.2-1
1-5
Ex. of QoS Profiles (Bg: background, Tr: transactional, RT: real-time; in each column: obj.-max.)
4-76
October 2014
4. 8. 5. Configuring Application Groups (AGs)

Operating procedure table: , ip|true, ip|fast, ip|xcomp, ip|xtcp, DWS
Users specify high-level business objectives through Application Groups. The Customer traffic is
classified using a mix of the users applications and organization data. The Application Group
attributes include:
business criticality,
QoS performance objectives (nominal bandwidth per application session, delay, jitter, packet
loss, SRT, RTT and TCP retransmission),
the enabling of compression.
The users objectives are the only input to the system. There is no need to set low-level, network
and device specific policy rules.
The Ipanema System performs:
the configuration of high-level QoS objectives (ip|boss),

the specific reporting to AG (ip|engine, ip|reporter),
the control of the application flows in accordance with the AGs (ip|fast).
the compression of the flows in accordance with the AGs (ip|xcomp).
the TCP acceleration of the flows in accordance with the AGs (ip|xtcp).
the Dynamic WAN Selection for the flows in accordance with the AGs (DWS).
Application Groups are independent of ip|true, ip|fast, ip|xcomp, ip|xtcp, DWS and smart|plan
services.
Application Groups are given in a tree structure, each AG is characterized by:
a name,
filters to define the rules of traffic classification corresponding to the AG,
a criticality level to define the level of criticality associated to the application(s) in this AG,
a QoS profile that enables QoS objectives for the application(s) in this AG,
the capability to be compressed.
tjhe capability to be accelerated.
The position of the Application Groups in the tree structure is important, it determines
the classification of the packets. The classification is performed by running the structure
tree downwards. The packet is classified with the first applicable classification met.
Other, included the whole classifications, is at the end of the tree.
The configuration of the Application Groups is necessary for the good behavior of the Application
Control agent, ip|fast.
October 2014
4-77
Ipanema System
Application Groups:
The Application Group window is displayed:
Application Group window

4-78
An Application Groups zone which shows the tree of AGs,

A Properties zone which shows the configuration of the selected AG,
A table zone which summarizes all the AGs.
October 2014
, the creation window of an AG is displayed:
New Application Group window

A zone displaying the characteristics of the selected Application Group:
Name of the AG,

Business criticality: top, high, medium or low,
Compress: the compression capability for the flows belonging to the AG,
Accelerate: the TCP acceleration capability for the flows belonging to the AG,
QoS profile: the QoS profile that will apply to this AG (the QoS profile contains the Type
of traffic, the Bandwidth objective and maximum values, the D/J/L, RTT, SRT and TCP
retransmit objective and maximum values),
Sensitivity, Routine or Business: when the sites are connected through various
networks (e.g. MPLS and Internet), or use various Networks Access Points to the same
network, the Sensitivity is used in the path decision to route traffic to a NAP with at
least the same Trust Level (defined on the WAN accesses). The DWS option must be
activated in the license.
A zone with four tabs, to define filtering rules for traffic classification in the corresponding AG:
October 2014
Dictionary filters,
Subnet filters,
ip|engine filters,
Advanced.
4-79
Ipanema System
In this zone, the selection frames depend on the selected tab (see below).
the left frame shows a list of elements of the Dictionaries (Applications, ToS values),
Subnets (source and destination) or ip|engines (ingress and egress) as described in
the system and managed by ip|boss
the right frame shows the selected filters for the AG.
Select elements (you can select several ones simultaneously, using the SHIFT or CTRL keys)
and move them from one frame to the other thanks to the simple arrows, or move all elements
at a time using the double arrows.
A logical Or is applied for the different elements inside a filter (for example filter
Applications: HTTP or HTTPS).
A logical And is applied for the different types of filters (for example Applications:
HTTP or HTTPS and subnet-src=LAN-192).
4. 8. 5. 1. Dictionary filters tab
Dictionary filters tab

This tab contains two filters:
Application,
TOS.
This is the main tab to use. The others are optional, and lead to the creation of local
rules, so use them with care.
4-80
October 2014
4. 8. 5. 2. Subnet filters tab
Subnet filters tab

Sources: User subnets directory to be used as sources,

Destinations: User subnets directory to be used as destinations.
By selecting Subnets with this tab, you create local rules that will apply only to
those Subnets! Do this only if really needed. Otherwise, use global parameters only
(Dictionary filters).
4. 8. 5. 3. ip|engine filters tab
ip|engine filters tab

Ingress: ip|engines and tele|engines to be used as sources,

Egress: ip|engines and tele|engines to be used as destinations.
By selecting ip|engines with this tab, you create local rules that will apply only to
those ip|engines! Do this only if really needed. Otherwise, use global parameters only
(Dictionary filters).
October 2014
4-81
Ipanema System
4. 8. 5. 4. Advanced tab
Advanced tab
This tab contains two additional frames:
Redundancy Elimination Method
Zero Delay: ZRE is enabled.

Standard: SRE is enabled.
The two options appear only if Compress is checked.

By default:
If the type of traffic
in the selected QoS
profile is:
... then, by default:
Real time
both methods are disabled (real time traffic is not compressible,

usually),
Transactional
only the Zero Delay method is enabled (the Standard method can
create a small latency usually less than 5 ms),
Background
both methods are enabled.
We do not recommend to change the default settings without advice from the Ipanema
Support.
smart|path
This frame contains three parameters, that can be used to overwrite the global values set in the
System provisioning > Tools > Advanced configuration menu.
Please refer to 4.9.7. Configuring DWS (Tools / Advanced conf.) for a comprehensive
description of each parameter.
Sensitivity policy can take four values:

Default: the global Sensitivity policy parameter (in System provisioning > Tools >
Advanced configuration) will apply,
Preferred, Strict or Backup: overwrite the global value for the selected AG.
4-82
October 2014
Return path can take three values:

Default: the global Return path parameter (in System provisioning > Tools > Advanced
configuration) will apply, with the following correspondence:
As received for yes,
Free for no.
As received: overwrites the global Return path parameter (corresponds to yes) for
the selected AG,
Free: overwrites the global Return path parameter (corresponds to no) for the
selected AG.
NAP selection policy can take three values:

Default: the global Sticky choice parameter (in System provisioning > Tools > Advanced
configuration) will apply,
Per session: overwrites the global Sticky choice parameter with the Per session value
for the selected AG,
Per packet: overwrites the global Slave return parameter with the Per packet value
for the selected AG.
October 2014
4-83
Ipanema System
4. 8. 6. Configuring LTL (Local Traffic Limiting)

Operating procedure table: ip|fast service
The LTLs (Local Traffic Limiting) allow traffic limiting rules to be configured for each site, when
this is necessary. These rules take the enterprise organization, user subnets and the applications
implemented between these different entities into account. They are used by ip|fast (Application
Control).
These rules are defined for outgoing (LTL Ingress) or incoming (LTL Egress) traffic on the selected
site.
LTLs are used to:
limit the bandwidth used by the different networks of the departments, services (user subnets)
or applications according to specific criteria taking the following constraints into account:
source subnet,
remote subnet,
applications,
TOS/CP values.
Traffic Limiting is given in a tree structure, each LTL is characterized by:
a name,
filters to define the rules to classify the traffic corresponding to the LTL,
a limit on the bandwidth that can be used by the class.
The LTL rules are enabled only if ip|fast is activated on the ip|engine.
LTL.
The Local Traffic Limiting Tree window is displayed.
Local Traffic Limiting Tree window

This window contains an LTL tree structure per ip|engine.
4-84
October 2014
To create a new policy, select the ip|engine, the direction (ingress or egress), then by clicking on
the New icon
, the creation window of a new LTL is displayed:
Local Traffic Limiting window

This window contains the following input boxes:
Name: Name of the LTL policy,
Local Traffic Limiting
Maximum bandwidth (kbps): to specify the limit bandwidth for a LTL,

If the value 0 is specified, in this case all the traffic is dropped.
Limited: to enable or disable the limiting rule,
Filters
Filters allow specifying filtering rules for traffic that are associated with an LTL:
Source user subnet: to filter traffic according to source User subnet. It is selected from a
drop-down list corresponding to the "User subnets" directory,
Destination user subnet: to filter traffic according to destination User subnet. It is selected
from a drop-down list corresponding to the "User subnets" directory,
Application: to filter traffic according to application(s). It is selected from a drop-down list
corresponding to the "Applications" dictionary,
TOS/CP: to filter traffic according to the value of the TOS field. This value specified in the
"TOS/CP" dictionary, is selected from a drop-down list.
October 2014
4-85
Ipanema System
4. 9. REPORTING
The Reporting menu gives access to three functions: MetaView, reports and Alarming.
4. 9. 1. Configuring MetaViews
Operating procedure table: settings, service ip|true, service ip|reporter
The MetaViews are objects used to show the data according to your criteria (topology,
applications...) in order to be used by external reporting tools (including ip|reporter) and to
trigger logs, traps or e-mails when certain thresholds are surpassed (Alarming). The MIB will be
populated according the settings of the MetaViews.
MetaViews show information about the traffic or availability according to the following criteria:
In the Configuration tab:
a (list of) source site(s),

a (list of) source site(s) and a (list of) destination site(s),
a (list of) source ip|engine report key(s),
a (list of) source ip|engine report key(s) and a (list of) destination ip|e report key(s),
a (list of) source Network Access Point(s),
a (list of) source NAP(s) and a (list of) destination NAP(s),
a (list of) source WAN access report key(s),
a (list of) source WAN access report key(s) and a (list of) destination WAN access report
key(s),
In the User subnets tab:

a (list of) source user subnet(s),
a (list of) source user subnet(s) and a (list of) destination user subnet(s),
In the Traffic classification tab:

a (list of) application(s),
a (list of) Application Group(s),
a (list of) criticality(ies),
and any complex definition with the previous parameters, using several fields and, possibly,
several tabs.
For example, a MetaView can aggregate the data on the Domain (no filter), but another MetaView
could detail the behavior between 2 subnets and a particular application.
ip|reporter uses the MetaViews for the reports creation and data collection.
Two modes of MetaView creation are available:
unitary mode: allows to create MetaViews one by one with your own naming rules. This mode
can be used in order to create a troubleshooting MetaView with complex filters (for example a
destination site, a source site and a specific application),
wizard mode: allows to create a big number of MetaViews with automatic naming rules and
simple filter (for example: one MetaView for each user subnet of the Domain).
MetaViews for the Domain, for the Equipped sites, for the tele-managed sites and for the
Application Groups are automatically created by the system (as soon a new Domain,
a new Equipped site, a new tele-managed site or a new Application Group is created,
respectively).
The MetaView name is used by ip|reporter to name the instances of the reports.
4-86
October 2014
In the Reporting Toolbar, select
MetaView.
The MetaView window is displayed.
MetaView list window

This window contains the MetaView list created and the parameters for each one.
October 2014
4-87
Ipanema System
4. 9. 1. 1. MetaView creation in unitary mode

, the creation window is displayed
MetaView creation window
4-88
October 2014
The Name of the MetaView, used by ip|reporter to name the instances of the reports,
The Description: optional text field,
The Type: as this function is used to create a MetaView on demand, the field always displays
on demand.
A zone with three tabs:
Configuration,
User Subnets,
Traffic classification.
Each tab contains two frames:
the left frame shows a list of elements (Sites, ip|engines, Keys, User subnets, Applications,
AGs, etc.), as described in the system and managed by ip|boss,
the right frame shows the selected elements for the MetaView.
A logical Or is applied for the different elements inside a filter.
A logical And is applied for the different types of filters.
Select the elements you want to move and use the simple arrows to move them from one frame to
the other, or use the double arrows to move them all at a time.
"Configuration" Tab
This tab (screenshot above) comprises the filters which define the rules of traffic topologies
corresponding to the MetaView (from Site A to Site B, etc.). It contains the following areas:
Site A: displays the Sites list as described in the configuration,

Reminder: MetaViews for the Sites are automatically created by the system.
Site B: displays the Sites list as described in the directory,

Selecting Sites A1 and A2 in Site A and Sites B1 and B2 in Site B will show
the traffic between Sites [A1 or A2] and [B1 or B2]. This principle also applies to all
objects below.
ip|engine A: displays the ip|engines and tele|engines list as described in the configuration,
Reminder: MetaViews for the ip|engines are automatically created by the system.
ip|engine B: displays the ip|engines and tele|engines list as described in the directory,
Engine Report Key A: displays the ip|engine report key list as described in the configuration,
Engine Report Key B: displays the ip|engine report key list as described in the configuration,
WAN Access Id A: displays the Network Access Points list as described in the configuration,
WAN Access Id B: displays the Network Access Points list as described in the configuration,
WAN Access Report Key A: displays the WAN Access report key list as described in the
configuration,
WAN Access Report Key B: displays the WAN Access report key list as described in the
configuration,
October 2014
4-89
Ipanema System
"User Subnets" Tab
User Subnets Tab

This tab comprises the filters which define the rules of traffic topologies corresponding to the
MetaView (From User Subnet A to User Subnet B). It contains the following areas:
User Subnet A: displays the User subnets list as described in the configuration,
User Subnet B: displays the User subnets list as described in the configuration.
This list is available only if at least one subnet in User Subnet A is selected.
Traffic classification" Tab
Traffic classification Tab

This tab comprises the filters which define the rules of traffic classification corresponding to the
MetaView. It contains the following areas:
Application: displays the applications list as described in the configuration,

Application Group: displays the AGs list as described in the configuration,
Reminder: MetaViews for the Application Groups are automatically created by the
system.
4-90
Criticality: displays the criticality list as described in the configuration (from Top to Low).
October 2014
4. 9. 1. 2. MetaView creation in wizard mode

By clicking on the Wizard icon
, the multiple creation window of MetaViews is displayed.
Wizard MetaView window

A zone with three tabs:

Configuration,
User Subnets,
Traffic Classification.
Each tab contains two frames:
the left frame shows a list of elements (ip|engines, Keys, User Subnets, Application Groups,
etc.) as described in the system and managed by ip|boss,
the right frame shows the selected elements for the MetaViews.
Select the elements you want to move and use the simple arrows to move them from one frame to
the other, or use the double arrows to move them all at a time.
By selecting several elements in each list, the system will create the MetaViews
according to combinative selected criteria.
The wizard mode automatically manages the naming rules, depending on the selected elements.
October 2014
4-91
Ipanema System
"Configuration" Tab (see screenshot above)

This tab (screenshot above) comprises the filters which define the rules of traffic topologies
corresponding to the MetaViews (From/to Site A, from/to Key ). It contains the following areas:
Site: displays the Sites list as described in the configuration,

Reminder: MetaViews for the Sites are automatically created by the system.
ip|engine: displays the ip|engines and tele|engines list as described in the configuration,
Reminder: these MetaViews are automatically created by the system.
Key: displays the ip|engines report keys list as described in the configuration,
WAN Access id: displays the Network Access Points as described in the configuration,
Network report key: displays the WAN access report keys as described in the configuration.
"User subnets" Tab
User Subnets Tab

This tab comprises the filters which define the rules of traffic topologies corresponding to the
MetaView (From/to User Subnets). It contains the following area:
User Subnets: displays the User subnets list as described in the configuration.
"Traffic classification" Tab
Traffic classification Tab

This tab comprises the filters which define the rules of traffic classification corresponding to the
MetaViews. It contains the following areas:
4-92
Application: displays the applications list as described in the configuration,

Application Group: displays the Application Groups list as described in the configuration,
Reminder: Application Groups MetaViews are automatically created by the system.
Criticality: displays the criticality list as described in the configuration (from Top to Low).
October 2014
4. 9. 2. Configuring Reports
Refer to 9.2.5. Reports Management.
4. 9. 3. Configuring Alarming
Operating procedure table: settings, service ip|true
The Alarming feature uses the MetaViews for the alarms creation.
Alarming.
The Alarming window is displayed:
Alarming window
This window contains three frames:
Rule <Domain name>: the list of created rules on the Domain,

Alarm: the list of created alarms based on those rules,
Help: available metrics: the metrics and operators to be used in the rules.
An alarm is the instantiation of a rule (when does the alarm trigger/rearm?) on a MetaView (on what
objects - sites, Application Groups, etc. - does the rule apply?).
Creating an alarm is achieved in three steps:
creating a rule,
associating a rule to a MetaView,
activating logs and/or mails and/or traps on alarming events.
October 2014
4-93
Ipanema System
4. 9. 3. 1. Rule creation
in the Rule frame, the AlarmRule creation window is displayed:
AlarmRule creation window

This window contains an input zone with the following fields:
Name: name of the rule; it must be unique.

A Trigger frame, to define the rule that will trigger the alarm:
Trigger threshold: the threshold that will trigger the alarm,
Trigger occurrences: the number of consecutive collects (by default, 1 collect = 1
minute; refer to the section Create a Domain) that are necessary for this threshold to be
reached before triggering the alarm.
A Rearm frame, to define the rule that will rearm the alarm:
Rearm threshold: the threshold that will rearm the alarm,
Ream occurrences: the number of consecutive collects (by default, 1 collect = 1 minute)
that are necessary for this threshold to be reached before rearming the alarm.
Actions: 3 check boxes to activate (when the boxes are checked):

a Log
and/or a Mail
and/or a Trap
when an alarm triggers or rearms.

Severity: to choose the severity of the alarm:
Clear: establishment of a normal status,

Information: informational messages,
Warning: possible error or incident; e.g. good (but not excellent) quality (AQS < 9),
Minor: low-priority error or incident; e.g. average quality (AQS < 8.4),
Major: high-priority error or incident; e.g. poor quality (AQS < 7),
Critical: very high-priority error or incident; e.g. unacceptable quality (AQS < 5).
Description: text description of the alarm.
When a rule is created, an Identifier is automatically attributed to it by the system, that can be seen
in the Alarming window (Ident).
4-94
October 2014
Rules syntax
The description of a threshold must respect the following grammar:
exp ::= prefixexp
exp ::= number
exp ::= exp binop exp
exp ::= unop exp
prefixexp ::= var | ( exp )
Numbers can be integers or decimals. Examples: 0; 3; 3.14156; 10

Variables (var) represent the metrics. Naming rule: [<lan|wan>]_<ingress|egress>_metric.
Throughput (kbps). 6 metrics:
<lan|wan>_<ingress|egress>_throughput
lan_<ingress|egress>_goodput
Bandwidth (kbps). 2 metrics:
ingress_wan_access_ingress
egress_wan_access_egress
Number of sessions (per second). 2 metrics:
lan_<ingress|egress>_sessions
Delay (ms). 12 metrics:
<lan|wan>_<ingress|egress>_min_delay
<lan|wan>_<ingress|egress>_avg_delay
<lan|wan>_<ingress|egress>_max_delay
Jitter (ms). 4 metrics:
<lan|wan>_<ingress|egress>_jitter
Loss rate (%). 4 metrics:
<lan|wan>_<ingress|egress>_packet_loss
RTT (ms). 6 metrics:
<ingress|egress>_tcp_rtt_min
<ingress|egress>_tcp_rtt_avg
<ingress|egress>_tcp_rtt_max
SRT (ms). 6 metrics:
<ingress|egress>_tcp_srt_min
<ingress|egress>_tcp_srt_avg
<ingress|egress>_tcp_srt_max
TCP retransmission (%). 2 metrics:
<ingress|egress>_tcp_retransmit
Quality (AQS: 010, MOS: 15). 4 metrics:
<ingress|egress>_aqs
mos_<ingress|egress>
Available metrics (48)

Examples:
lan_ingress_packet_loss > 5: the LAN ingress loss rate is higher than 5%
wan_egress_throughput > 100: the WAN egress throughput is higher than 100 kbps
wan_ingress_throughput > 0.8 * ingress_wan_access_ingress: the ingress WAN
access is used at more than 80% of its capacity.
Binary and unary operators (binop and unop) consist of arithmetical, relational and logical
operators.
Arithmetical operators
+
addition
multiplication
modulo
subtraction
division
negation (unary)
Relational operators
==
equal to
<
less than
<=
less than or equal to
~=
different from
>
greater than
>=
greater than or equal to
Logical operators
and
or
not (unary)
Operators
October 2014
4-95
Ipanema System
Priorities between operators are (from low priority to high priority):
1.
2.
3.
4.
5.
6.
or
and
< > <= >= ~= ==
+*/%
not - (unary)
A rule is validated when committed; a mistake will trigger an Error message window.
4-96
October 2014
4. 9. 3. 2. Alarm creation in unitary mode

By clicking New
in the Alarm frame, the single Alarm creation window is displayed:
Single Alarm creation window

Rule: drop-down list, to choose the rule to apply.

MetaView: drop-down list, to choose the MetaView on which the rule will apply.
Administrative state: to enable or disable the selected rule on the selected MetaView.
4. 9. 3. 3. Alarm creation in wizard mode

This creation mode allows to create a package of alarms for several MetaViews. This mode could
be used in the initial creation step (instead of the unitary mode).
By clicking on the Wizard
displayed:
in the Alarm frame, the multiple creation window of Alarms is
Alarm creation Wizard window

a zone with multiple selection for the Alarm rules,

a zone with multiple selection for the MetaViews.
The first area (on the left) shows the list of elements (Alarm rules and MetaViews), the second
area (on the right) shows the selected elements.
Use the + and - signs to move the selected elements from the left to the right and from the right
to the left, respectively (or click Select All or Unselect All to move them all at a time).
October 2014
4-97
Ipanema System
By selecting several elements in each list, the system will create the Alarms according to
combinative selected criteria.
4. 9. 3. 4. Enabling logs/mails/traps
So that alarming events can be logged and/or sent by e-mail and/or trapped, according to the
selected Actions, Log and/or Mail and/or Trap must be enabled in the Options window (see
OPTIONS - FAULT MANAGEMENT below).
4. 9. 3. 5. Operation
Using the alarms triggered by ip|boss is achieved with external tools, according to the selected
Actions:
text editor or script for the logs,

e-mail client for the mails,
SNMP manager for the traps.
When an alarm is triggered or rearmed, the following information is available (in a log, an e-mail or
a trap):
the name of the Domain,

the rule identifiers (Ident and Name),
the MetaView (Ident and Name),
the ip|engine (Name and public IP address),
the rule with the value of the metrics; for example, if the rule wan_egress_throughput > 1000
triggered an alarm because its value is 2000, it is displayed like this: wan_egress_throughput
[2000] > 1000.
Alarms are sent by pair: trigger when the first threshold is reached, rearm when the second is.
In the logs and trap, one line is generated per alarm.

For the mail, only one mail is sent, containing all the alarms.
SNMP trap: example
4-98
October 2014
4. 10. SUPERVISION OPTIONS

4. 10. 1. Configuring Fault Management
In the Supervision Toolbar, select
Options.
The Options window is displayed:
Options window
This window contains three tabs:
Activation: specify how to manage the Supervision events and the Traffic alarming events.
Mail (e-mail): Supervision and/or Traffic alarming events can be mailed to a list of recipients
configured in ip|boss; it uses its own mailing command.
Trap (SNMP Trap): Fault management traps generated by ip|boss on Supervision and/or Traffic
alarming events are sent to configured SNMP managers.
It gives access to the fault management parameters.
October 2014
4-99
Ipanema System
You can manage the Supervision events. They consist of an alarm (log, mail or trap) in case of
system events like:
LicenseExpiration
ip|boss license expiration will occur
Start
ip|boss has been started
Stop
ip|boss has been stopped
Update
ip|boss has been updated
Upgrade
an ip|engine has received upgrade order
Reboot
an ip|engine has been rebooted
BeginOfDownStatus
an ip|engine is down
EndOfDownStatus
an ip|engine is up after a previous down status
BeginOfSynchronizationLoss
an ip|engine has lost its synchronization
EndOfSynchronizationLoss
an ip|engine is up after a previous synchronization loss
CertificateExpiration
ip|boss X509 certificate expiration will occur
RestartByRecover
ip|boss has been restarted by recover mode
IpReporterManagerIsDown
ip|reporter Manager service is down
IpReporterCollectorIsDown
ip|reporter Collector service is down
IpReporterBrowserIsDown
ip|reporter Browser service is down
IpReporterManagerIsUp
ip|reporter Manager service is up
IpReporterCollectorIsUp
ip|reporter Collector service is up
IpReporterBrowserIsDown
ip|reporter Browser service is down
IpReporterBrowserIsUp
ip|reporter Browser service is up
BeginOfNotReachableStatus
an ip|engine is physically down (network link is down)
EndOfNotReachableStatus
an ip|engine is physically up after a previous physical down status
MetaViewColors
the MetaView is green
BeginOfCompressDownStatus
an ip|engine has compression down
EndOfCompressDownStatus
an ip|engine has compression up
BeginOfUncompressDownStatus
an ip|engine has uncompression down
EndOfUncompressDownStatus
an ip|engine has uncompression up
BeginOfLanLinkDownStatus
an ip|engine has LAN interface down
EndOfLanLinkDownStatus
an ip|engine has LAN interface up
BeginOfWanLinkDownStatus
an ip|engine has WAN interface down
EndOfWanLinkDownStatus
an ip|engine has WAN interface up
Events (ip|engines are identified with Alias, IP Address and Domain name)
You can manage the Traffic alarming events. They consist of an alarm (log, mail or trap) in case
of an alarm triggered or rearmed (see CONFIGURING ALARMING above).
4-100
October 2014
The Options window contains three tabs:
4. 10. 1. 1. "Activation" tab
Activation tab
The tab contains three frames:
Log
Supervision events (see above):

Enable: to log the Supervision events in ip|boss log file,
Disable: not to log the Supervision events.
Traffic alarming events (see above):

Enable: to log the Alarming events in ip|boss log file,
Disable: not to log the Alarming events.
Mail
Supervision events:
Enable: to send e-mails on Supervision events,
Disable: not to send e-mails on Supervision events.
Traffic alarming events:

Enable: to send e-mails on Alarming events,
Disable: not to send e-mails on Alarming events.
Trap
Supervision events:
Enable: to trap the Supervision events,
Disable: not to trap the Supervision events.
October 2014
4-101
Ipanema System
Traffic alarming events:

Enable: to trap the Alarming events,
Disable: not to trap the Alarming events.
4. 10. 1. 2. "Mail" tab
Mail tab
This tab contains three fields:
Sender address: to define the sender e-mail address; must be enquired,

Outgoing mail server (SMTP): to define the outgoing mail server,
Recipients: to see the list of destinations (use the New button
to add some entries).
E-Mail: e-mail address of the destination.

An alarm message gives the following data:
Subject: ip|boss, the Origin (see table above) and the alarm type,
Alarm timestamp (time when alarm was detected),
description: optional comments on the alarm.
The Origin and Type fields are included in the subject of the mail. The Description field is included
into the body of the mail. The Field format is <Domain><Type><Origin><Events>.
Mail examples:
Object: HMS: ip|boss - OSS - Cold Start
Date: 26/03/02 13:42:42 Paris, Madrid
From: ipboss@ipanematech.com
To: support@ipanematech.com
ip|boss System has been started by DOC on 26/03/2002 at 13:43:47.
Conf file is: C:\program files\server\domains\HMS\config\__active__.ipmconf.
Object: HMS: ip|boss - OSS - Stop
To: support@ipanematech.com
ip|boss System and ip|engine have been stopped by DOC on 26/03/2002 at 13:45:11.
Object: HMS: ip|boss - ip|engine - End of ip|fast down status
To: support@Ipanematech.com
ip|fast is up on following ip|e on 26/03/2002 at 14:07:43: HQ (192.169.0.100)
4-102
October 2014
4. 10. 1. 3. "Trap" tab
Trap tab
This tab contains the following field:
Hostname: hostname or IP address of the SNMP manager (use the New button
entries).
October 2014
to add
4-103
Ipanema System
4. 11. SYSTEM ADMINISTRATION

4. 11. 1. Configuring Automatic reporting
Refer to 9.2.5. Reports Management.
4. 11. 2. Configuring Security

Ipanema System security features are based on SSL and SSH protocols, plus tools for key
generation and distribution. ip|boss to ip|engines communications are secured.
SSL protocol is used for downloading the configuration file from ip|boss to ip|engines,
monitoring of ip|engines by ip|boss and collecting the measurement data from ip|engines. Both
authentication and encryption are used. The HTTPS protocol is used for the exchanges.
Ipanema System allows for three different security levels to be implemented.
4. 11. 2. 1. First level (default mode)

The customer uses the default factory certificate (Qosmart). Communications are secured.
Nevertheless, as the certificate is not unique to the customer, the security level is not at its
maximum.
To start Ipanema System, just make the configuration and start the session.
4. 11. 2. 2. Second level

The customer defines his own certificate. This is done centrally from ip|boss or from a customers
certificate generator. Certificate installation on ip|engines is handled from ip|boss and does not
require a local access to the ip|engines.
Communications are secured. Unauthorized people will not be able to enter the system nor to read
and interpret configuration or measurement data.
Procedure
1. In the Toolbar, select

Security and go the Certificate generation tab.
2. Define the key/certificate name and its characteristics in the Certificate generation window.
The Validity Period parameter is displayed in the About window.
3. Select the tab Configuration.
4. Define the encryption (algorithm) in Configuration window. Click on OK.
5. The key/certificate file are recorded in the directory ~/ipboss/server/ domains/
<Domain_Name>/Security. It is recommended to make a backup on an external media.
6. The second level of security is taken into account. Several minutes are necessary to activate
it on the ip|engines.
7. The customer can see the ip|engines status by selecting Tools in the Toolbar tab Security
status .
4. 11. 2. 3. Third level

The customer defines his own certificate AND a passphrase. This requires not only an ip|boss
certificate installation, but also to have local access to all ip|engines in order to setup the
passphrase configuration.
Communications are secured. Combination of certificate and local passphrase provides for highest
level of security, provided that passphrase is properly managed.
Procedure
4-104
1. The procedure (steps 1 to 5) is similar to the procedure of the second level, except that the
customer selects and defines a passphrase in Security/Certificate Generation window.
October 2014
2. Configure the associated ip|engines. THE SAME PASSPHRASE MUST BE USED for the
ip|boss and the ip|engine to allow the SSL connections between ip|boss and ip|engine. This
passphrase should be configured on all ip|engines of the Domain.
3. Before using this command, check the system Administrator to obtain the same
passphrase as ip|boss.
Command usage:
sslpassphrase
usage: sslpassphrase set
sslpassphrase reset
Copyright (c) Ipanema Technologies 2000-2005
Set the passphrase:
sslpassphrase set
Enter old SSL passphrase:
Enter new SSL passphrase: *******************
Confirm new SSL passphrase: ******************
Passphrase has been changed
Do you want to restart HTTP Server with new passphrase now [y/n]?
y
4. 11. 2. 4. Configuring ip|boss-ip|engines security

Operating procedure table: Management
In the System administration Toolbar, select
Security.
The security of ip|boss-ip|engines communication is managed by ip|boss and is defined by:
the keys and certificates generation,

the algorithm (security level according to the laws) selection,
To secure these communications, the user:
step 1) defines the certificate name. Under this name, 4 files are generated:
the private key: <alias>.isk (Ipanema Server Key) in the Security directory
(~/ipboss/server/domains/<Domain Name>/Security). If a passphrase was provided,
the key has been encoded with the passphrase in the file,
The same passphrase should be also entered on all ip|engines of the
Domain.
the certificate: <alias>_isc.crt (Ipanema Server Certificate) in the Security directory

(~/ipboss/server/domains/<Domain Name>/Security) corresponding with the created
key,
the private key: <alias>.ick (Ipanema Client Key) in the Security directory
(~/ipboss/server/domains/<Domain Name>/Security),
the certificate signed by the key: <alias>_icc.crt (Ipanema Client Certificate) in the
Security directory (~/ipboss/server/domains/<Domain Name>/Security) corresponding
to the created key,
step 2) defines the algorithm (encoding mode or not) used for communication encryption
between ip|boss and ip|engines,
ip|boss adds the ip|engine certificate in the authorized certification list.
October 2014
4-105
Ipanema System
4. 11. 2. 4. 1. "Security certificates generation" tab

Security and go to the Security certificate generation tab.
The Security certificate generation is displayed.
Security certificate generation window

Certificate group box with the Name: name (without extension) of the key/certificate,
Key group box with:
the field Size: choice of the key size: 512, 1024 (by default), 2048,
the field Passphrase: to enter the passphrase (optional; check the box to enter it). The
selection displays the Security Generation dialog box.
If used, the same passphrase must be used for ip|boss and all the
ip|engines of the Domain.
4-106
October 2014
Identification group box with:
Country name (2 letter code)

State or province name (full name)
Locality name (eg. city)
Organization name (eg. company)
Organization unit name (eg. section)
Common name (eg. YOUR name)
Email address
Validity period (in month): choice of the validity period of the security certificate: 6, 12,
18 (by default), 24, always (until 2037)
All the fields should be fulfilled.
and command buttons:

Ok: to generate the private and public keys (Server and Client) with the associated
certificates Server and Client), recorded in files stored in the Security directory,
Close: to cancel any changes made,
Help.
4. 11. 2. 4. 2. "Configuration" tab

Security and go to the Configuration tab.
The Configuration window is displayed.
Configuration window
The configuration specifies to ip|boss which certificate of the Security directory to use and which
algorithm to associate in SSLv3 with RSA authentication. This window defines the encryption
applied to the communications.
The window contains:
Certificate group box with the Name: name (without extension) of the key/certificate to choose
in the drop-down list. With this name, ip|boss finds the .isk, .isc, .isk and .icc files.
Algorithm group box: click in the corresponding case (Selection) to select the encryption
algorithms to be applied between ip|boss and the ip|engines.
The algorithms are listed in security level order, NULL SHA is selected by default.
October 2014
4-107
CHAPTER 5. IPANEMA SYSTEM

SUPERVISION (IP|BOSS)
This chapter gives access to the system software application procedures: starting/closing
applications, ip|engines and security supervision, upgrading the software version, rebooting
ip|engines and launching scripts.
5. 1. IP|BOSS MAIN WINDOW

The Ipanema System supervision is accessible from ip|boss main window, through the status
zone and the Supervision menu, which gives access to more detailed information.
ip|boss main window (web client)

In case of an error, the concerned indicator light in the status zone at the bottom of the window is
displayed in amber or red. Please refer to 4.2.4. ip|boss status zone for a detailed desciption of
the indicators.
October 2014
5-1
Ipanema System
5. 2. SUPERVISION
5. 2. 1. ip|engine status (monitoring ip|engines activity)
ip|engine Status.
The ip|engine Status window is displayed.
ip|engine Status window
5. 2. 1. 1. ip|engine status window

The ip|engine Status window gives the following information on each ip|engine:
(Other columns can be added; please refer to the next section, ip|engine supervision details, to
see all existing fields.)
ip|engine: name of the ip|engine,

Status: administrative status of each ip|engine:
up: the ip|engine is operational,
down: the ip|engine is not operational:
down - unreachable: the system cannot see the ip|engine, it is periodically
interrogated,
down - not configured: the ip|engine can be seen, but it has not been
configured. Periodic attempts of reconfiguration are made,
down - not started: the ip|engine can be seen but has not started correctly. It
is periodically restarted,
Synchronized: time synchronization status:

yes: the ip|engine is synchronized,
no: the ip|engine is not synchronized,
Discovery: discovery status:

up: the discovery agent is running on the ip|engine,
nothing: no discovery agent is not running,
5-2
October 2014
Ipanema System supervision (ip|boss)
Application Control: Application Control status:

up: the Application Control service is operational for the ip|engine,
down: the Application Control service is not operational,
nothing: the Application Control service is not available,
Compression: compression status:

up: the compression service is operational for the ip|engine,
down: the compression service is not operational,
nothing: the compression service is not available for the ip|engine,
Decompression: decompression status:

up: the decompression service is operational for the ip|engine,
down: the decompression service is not operational,
nothing: the decompression service is not available for the ip|engine,
TCP acceleration: TCP acceleration status:

up: the TCP acceleration service is operational for the ip|engine,
down: the TCP acceleration service is not operational,
nothing: the TCP acceleration service is not available for the ip|engine,
Protocols acceleration: CIFS acceleration status:

up: the CIFS acceleration service is operational for the ip|engine,
down: the CIFS acceleration service is not operational,
nothing: the CIFS acceleration service is not available for the ip|engine,
Mobile Agents: IMA status:

up: the IMA service is operational for the ip|engine,
down: the IMA service is not operational,
nothing: the IMA service is not available for the ip|engine,
Interface(s) with error(s) detected: indicates whether errors were detected on the various
interfaces of the ip|engine; more details can be obtained for a given ip|engine, interface by
interface, in the single ip|engine status window (described below):
yes: errors were detected on some interfaces,
no: no error was detected, on any interface,
Overload: overload status:

yes: the ip|engine is overloaded, the WAN traffic exceeds the ip|engine specifications
(see the ip|engine characteristics),
no: the ip|engine is not overloaded,
CPU (%): ip|engine load average during the last collect period,
Topology warnings: number of warnings related to the topology; a warning is raised each time
an abnormal event is detected between any two sites during the last polling period, regardless
the number of impacted hosts; the 20 first concerned hosts are displayed in the message; refer
to the Single ip|engine status windows third tab (described below) for more details.
Its possible to modify the columns displayed by the menu View/Choose columns.
October 2014
5-3
Ipanema System
5. 2. 1. 2. Single ip|engine status

By selecting an ip|engines line in the ip|engine status window (see the note below) and clicking
the Consult icon, or by double clicking on a line, the selected ip|engines Status window is
displayed.
To select an ip|engines line, click on the line, but not on the ip|engines name this
would open the corresponding ip|engines configuration window.
This window is made of four tabs and provides the following information for the selected ip|engine:
General tab:
Single ip|engine status window, first tab
ip|engine: name of the ip|engine,

Status: administrative status of the ip|engine :
up: the ip|engine is operational,
down: the ip|engine is not operational:
down - unreachable: the system cannot see the ip|engine, it is periodically
interrogated,
down - not configured: the ip|engine can be seen, but it has not been configured.
Periodic attempts of reconfiguration are made,
down - not started: the ip|engine can be seen but has not started correctly. It is
periodically restarted,
Overload: overload status:

yes: the ip|engine is overloaded, the WAN traffic exceeds the ip|engine specifications
(see the ip|engine characteristics),
no: the ip|engine is not overloaded (normal state),
5-4
CPU (%): ip|engine load average during the last collect period,
Version: ip|agent software version and type release of the ip|engine,
Serial Number: ip|engines Serial Number,
Overload (diagnostics): it should normally read Normal; otherwise the ip|engine is overloaded.
October 2014
Services tab: this tab contains 7 frames:
Single ip|engine status window, second tab
October 2014
5-5
Ipanema System
Synchronization
Synchronized:
yes: the ip|engine is synchronized (normal state),
no: the ip|engine is not synchronized,
Source: synchronization source:

network: time synchronization is acquired via the network, thanks to ITP (Ipanema Time
Protocol),
Server:
name or IP address of the synchronization server,
n/a: not available,
Offset (ms): estimated synchronization offset from ITP server (time difference between
synchronizing and synchronized units); by default, an ip|engine is synchronized when the
offset is less than 10 ms,
Delay (ms): average round trip delay between the ip|engine and its ITP server,
Frequency (ppm): local oscillator free running frequency difference with the synchronization
source,
Synchronization (diagnostics): there is no diagnostic message by ip|sync to date.
Discovery: discovery status:

nothing: no discovery agent is running on the ip|engine,
yes: a discovery agent is running on the ip|engine,
Measure (diagnostics): last diagnostic message by ip|true (Alarm in the real-time flows list is
at yes is any):
nothing: no diagnostic message by ip|true (normal state),

OutOfTicket: there are no more up tickets,
OutOfBuffer: the driver is overloaded,
WanOverload: the packets received by the ip|engine on its WAN interface are more
than it is capable of handling,
TooManyFlow: the maximum number of sessions has been reached (depends on the
ip|engine range),
PktOverload: Ethernet RX overrun,
CPUOverload: CPU overrun,
LanIntfDown: the LAN interface of the ip|engine is down,
WanIntfDown: the WAN interface of the ip|engine is down
OutOfAppCnx: the maximum number of sessions of the application recognition syntax
engine has been reached.
Discovery (diagnostics): there is no diagnostic message for the Discovery function to date.
ip|fast
Application Control: ip|fast status:

nothing: ip|fast is not available,
up: ip|fast is operational for the ip|engine,
down: ip|fast is not operational,
Application Control (diagnostics): last diagnostic message by ip|fast (Alarm in the real-time
flows list is at yes, if any):
nothing: no diagnostic message by ip|fast (normal state),
ip|fast unreachable from ip|true: ip|fast is not working (transitory state),
ip|engine set in parallel mode: ip|fast was started on an ip|engine set in parallel mode,
5-6
October 2014
current state is xxxx (where xxxx can be Initial, Configuring, Configured, Stopping,
Resetting or Unknown): ip|fast has not been started while it should have been; ip|true
tries to start it until it succeeds (transitory state).
ip|xcomp
Compression: ip|xcomp compression status:

nothing: ip|xcomp compression service is not available,
up: the compression service is operational for the ip|engine,
down: the compression service is not operational,
Decompression: ip|xcomp decompression status:

nothing: ip|xcomp decompression service is not available,
up: the decompression service is operational for the ip|engine,
down: the decompression service is not operational,
Compression (diagnostics): state and size of the hard disk drive,

Decompression (diagnostics): there is no diagnostic message by ip|xcomp decompress to
date,
ip|xtcp
TCP acceleration: ip|xtcp status:

nothing: ip|xtcp is not available,
up: ip|xtcp is operational for the ip|engine,
down: ip|xtcp is not operational,
TCP acceleration (diagnostics): diagnostic messages by ip|xtcp,
ip|xapp
Protocols acceleration: ip|xapp status:

nothing: ip|xapp is not available,
up: ip|xapp is operational for the ip|engine,
down: ip|xapp is not operational,
Protocols acceleration (diagnostics): diagnostic messages by ip|xapp,
Ipanema Mobile Agent
Mobile Agent: IMA status:

nothing: IMA is not available,
up: IMA is operational for the ip|engine,
down: IMA is not operational,
Detected IMA Clients: number of IMA clients detected by the ip|engine,

Active IMA Clients: number of active IMA clients on the ip|engine,
IMA Server Tokens Used: number of tokens used on the ip|engine (that acts as IMA server),
IMA Server Tokens Allocated: number of tokens allocated on the ip|engine (that acts as IMA
server).
October 2014
5-7
Ipanema System
Alarms tab:
Single ip|engine status window, third tab

Topology subnets on equipped sites are automatically discovered by the system (hosts are
claimed by the first ip|engine that sees the ACK or the SYN+ACK packets of TCP sessions),
but they can also be configured. If the discovered Topology subnets and the configured ones
do not match, then a mismatch alarm is raised. An alarm is also raised when the discovered
Topology subnets change as compared to the previously discovered ones (migration alarm).
In either case, an alarm is raised when a potentially abnormal event is detected between a
pair of sites during the last polling period, regardless the number of impacted hosts; the 20 first
concerned hosts are displayed.
(The role of Topology Subnet and how to configure them is described in section 4.7.4.)
Type: mismatch or migration (see above).

Description: there are 5 messages for mismatch alarms and 3 messages for migration alarms;
[MIS] stands for IPBOSS_TOPO_SUPERVISION_EVENT_CLS_MISMATCH,
[MIG] stands for IPBOSS_TOPO_SUPERVISION_EVENT_CLS_MIGRATION;
all messages are ended by _DESCRIPTION (not displayed below):
[MIS]_WRONG_TAG: hosts configured on an equipped site claimed by another
equipped site.
[MIS]_UNEXPECTED_TAG: hosts configured on a tele-managed site claimed by an
equipped site.
[MIS]_WRONG_UNKNOWN_TAG: hosts configured on an equipped site claimed by an
unknown site*.
[MIS]_UNEXPECTED_UNKNOWN_TAG: hosts configured on a tele-managed site
claimed by an unknown site.
[MISMATCH]_MISSING_TAG: hosts configured on an equipped site not properly
claimed.
[MIG]: hosts previously discovered by an equipped site claimed by another equipped
site.
[MIG]_UNKNOWN_TAG: hosts previously discovered by an equipped site claimed by
an unknown site*.
[MIG]_MISSING_TAG: hosts previously discovered by an equipped site not properly
claimed.
* A site is unknown typically when the ip|engine that claimed the hosts belongs to another
Domain, which happens when the traffic crosses several Domains (so it can be normal).
Expected site:
for a mismatch alarm: configured site;
for a migration alarm: site previously discovered.
Discovered site:
for a mismatch alarm: discovered site;
for a migration alarm: latest discovered site.
5-8
Hosts: list of 20 first hosts concerned by the alarm.
October 2014
All alarms above have two main root causes:
either the situation is normal (e.g. traffic crossing several Domains, see above); configuring the
Topology subnets manually can clear the alarm in most cases,
or there is an error in the configuration: check the concerned hosts, check the topology and fix
the configuration.
Interfaces tab:
Single ip|engine status window, third tab
Deployment mode:
Unknown: the deployment mode is not provided by the ip|engine, which is the case
when its software version is earlier than v8,
Parallel: the ip|engine is installed in parallel mode,
Dual parallel: the ip|engine is installed in parallel mode on two ports,
Serial: the ip|engine is installed in serial mode,
Multi-wan: the ip|engine is directly connected to several WAN routers (but it only has
one LAN connection),
Multi-path: the ip|engine has several LAN connections (it is possibly directly connected
to several WAN routers too),
Redirection GRE: virtual|engine redirecting the traffic via a GRE tunnel,
Redirection L2: virtual|engine redirecting the traffic via a Layer 2 connection.
Bypass function ability:

Unknown: the bypass function ability is not provided by the ip|engine, which is the case
when its software version is earlier than v8,
Enabled: the ip|engine shall bypass the traffic in case of failure (e.g. power failure),
Disabled: the ip|engine is configured not to bypass the traffic in case of failure (for
instance on a site with two links and HSRP, so as to stop the traffic on a link with an
ip|engine in failure in bypass mode the traffic would still go through the same link,
but without Visibility, Control, Optimization etc., whereas by disabling this feature and
stopping the traffic, HSRP shall reroute it to the second link, where it shall be measured,
controlled, optimized, etc., by the second ip|engine),
Unsupported: the bypass function is not supported by the ip|engine (it depends on its
hardware).
Copy Lan to Wan function:

Unknown: the Lan to Wan function state is not provided by the ip|engine, which is the
case when its software version is earlier than v8,
Enabled: the ip|engine is configured to copy the state of its LAN port to its corresponding
WAN port,
Disabled: the ip|engine shall not copy the state of its LAN port to its corresponding WAN
port,
Unsupported: the Copy Lan to Wan function is not supported by the ip|engine (it
depends on its hardware).
October 2014
5-9
Ipanema System
Interfaces Status list table, with the following fields:

Name: name of the interface (lan0, wan0, etc.); the name is displayed in red in case of
errors on the interface,
Type:
--: the type of interface is not provided by the ip|engine, which is the case when
its software version is earlier than v8,
Lan: LAN interface,
Wan: WAN interface, or EXT interface used as a WAN interface,
Management: MGT interface,
Asymmetric routing: interface used to connect to the other ip|engine of a cluster
with asymmetric routing (ASR function),
not used: interface not currently used; other fields describing the interfaces state
are greyed out.
Settings: Ethernet configuration of the interface:
auto, 10HD, 10FD, 100HD, 100FD or 1000FD,
Status:
up: Ethernet interface is in link Up state,
down: Ethernet interface is in link Down state; it is a normal state for an unused
interface (see Type above); if the interface is used, it is an alarm (displayed in
red in that case),
Current Mode: current mode of the Ethernet interface (it should be compatible with the
Settings field):
10HD, 10FD, 100HD, 100FD or 1000FD,
Received packets: number of packets received on the interface,

Received bytes: number of bytes received on the interface,
Sent packets: number of packets sent on the interface,
Sent bytes: number of bytes sent on the interface,
Collisions: number of collisions on the interface (in amber if different from 0),
Errors: number of frame errors on the interface (in red if different from 0).
The counters show the delta between two polls (every minute by default), and not
cumulative values.
if the ip|engine is connected in parallel mode, only the LAN counters are significant.
5-10
October 2014
5. 2. 1. 3. Downloading monitoring data (GLASS)

The
icon in the ip|engine status windows allows downloading monitoring data called GLASS
(GlobaL Autonomic Support System) and aimed at accelerating technical escalations.
Downloading monitoring data
Select one or several ip|engines,
Click
,
Choose to open or save the zip file containing the monitoring data we recommend you to
save it,
Send the zip file to Ipanema Support.
The zip file is called <ipengine_name>.zip (in case a single ip|engine was selected) or
ipe_monitoring.zip (in case several ip|engines were selected) and it contains the following
folders:
config: contains the configuration made in ip|boss and sent to the ip|engines of the Domain;
<ipengine_name> (one folder per ip|engine): contains CSV files with the GLASS metrics.
October 2014
5-11
Ipanema System
5. 2. 2. Status Maps (monitoring ip|engines activity)

Supervision maps.
The ip|engine Supervision Maps window is displayed.
ip|engine Supervision Maps window

The supervision maps show in a glance the behavior of all ip|engines. These graphical views use
squares with a size depending on the ip|engine model (depending on their hardware capabilities),
and a color depending on the supervision status.
At each collect from the ip|engines, the map is refreshed.
the map itself, with a square for each ip|engine, the size depends on the ip|engine hardware
model, and a color in order to give a quick synthetic view of the supervision status:
Red: when Status is down (ip|engine not reachable), or when one of the following
functions: Measurement, Application Control, Compression, Decompression,
Acceleration is down, not started, not configured or not updated (after three trials
of update),
Yellow: when not Synchronized, and/or Overloaded and/or Updating (update of
configuration running),
Green: all status are OK (Status, Measurement (always); Application Control,
Compression, Decompression and Acceleration, if enabled; Synchronization (always)).
: to consult the global supervision status,
: to export in a text file the list of supervision status,
: to consult the detailed supervision status (refer to the supervision details above),
5-12
and
: unused,
: to show the help.
October 2014
By moving the mouse on a square, a contextual text shows the supervision status (see screenshot
above):
ip|engine: host name,

Model: ip|engine range,
Status: reachability of ip|engine,
Measure: status of ip|true function,
Application Control: status of ip|fast function,
Compression: status of ip|xcomp function for compression,
Decompression: status of ip|xcomp function for decompression,
TCP acceleration: status of ip|xtcp function,
Protocols acceleration: status of ip|xapp function,
Mobile Agents: status of IMA function,
Discovery: status of discovery function,
Synchronization: status of ip|sync function.
Overload: status of ip|engine usage, if overload the ip|engine WAN throughput exceeds the
specification of the hardware.
October 2014
5-13
Ipanema System
5. 2. 3. Scripts
This function is to be used with the Ipanema Technologies Support.
In the System provisioning toolbar, select
Scripts.
Scripts window
The window comprises the following input fields:
ip|engine: list of all ip|engines of the Domain,

Script: list of the available scripts. These scripts are in the directory ~/ipboss/server/scripts
Commands buttons:
(Select all): selects all the ip|engines,

(Launch): to launch the script on all the selected ip|engines. A confirmation window
is displayed: click OK. Depending on the number of selected ip|engines, a message can
appear: This can take a long time... .
(Refresh): refreshes the view.
(Help): opens a contextual Help window.
The Execution script result frame displays the scripts being launched, and allows downloading
and deleting them:
Result table fields:

Date: when the scripts were launched,
Script: name of the scripts that were launched,
ip|engine(s): ip|engines that ran the script.
5-14
October 2014
Commands buttons:
(Select all): selects all the scripts results,
(Delete): delete the selected scripts results (the data will be deleted from the
server),.
(Download script result): allows downloading a zip file with the selected scripts
results and other information (see below),
The zip file that can be downloaded is called ExecutionScriptResult.zip and has the following
structure:
root: one<yymmdd-hhmm> folder by selected script result, where yymmdd-hhmm are the date
and time when the scripts were launched.
The root folder has three subfolders, containing five files:
ipboss:
__active__.ipmconf: ip|bosss current configuration
ip_boss_00<X>.log: ip|bosss log file
ipengines:
<alias> <ip|es IP address>.ipmres: script result in itself
script:
<script name>.ipmscp: launched script (encrypted file)
ipengine.txt: list of dumped ip|engines (alias+@ip)
The user can send this zip file (by E-mail or FTP) to Ipanema Technologies support
(support@ipanematech.com).
All this information can also be found on ip|boss server (until it is deleted) here:
~/salsa/ipboss/server/domains/<domain_name>/temp/Ipanema-dump/<yymmdd-hhmm>.
Different script files are available. The main ones are :
default.ipmscp: dumps all information in the ip|engine, reserved for the support,
flows.ipmscp: dumps all flows in the ip|engine,
ipconfig.ipmscp: dumps information about the IP and Ethernet settings of the ip|engine,
check iptrue.ipmscp: dumps information about ip|true, reserved for the support,
check ipfast.ipmscp: dumps information about ip|fast, reserved for the support,
check ipxcomp.ipmscp: dumps information about ip|xcomp, reserved for the support,
check itp.ipmscp: dumps information about ip|sync synchronization, reserved for the support,
restart iptrue.ipmscp: restarts ip|true agent, reserved for the support,
restart ipfast.ipmscp: restarts ip|fast agent, reserved for the support,
restart ipxcomp.ipmscp: restarts ip|xcomp agent, reserved for the support,
restart itp.ipmscp: restarts ip|sync agent, reserved for the support,
process.ipmscp: dumps information about the process running, reserved for the support.
October 2014
5-15
Ipanema System
5. 2. 4. Security (monitoring security certificate)

Tools and go to the Security status tab.
The Security status is displayed:
Security status window

The name of the certificate used by ip|boss is displayed in the blue bar.
to check the name of the
Select ip|engines in the list below and click on the Status button
certificate that they use. (You can select all ip|engines simultaneously with the Select all button
).
The certificates used by ip|boss and by the ip|engines should be the same.
(The certificate is created in ip|boss with the System administration > Security menu.)
5-16
October 2014
5. 3. SYSTEM PROVISIONING: TOOLS

5. 3. 1. Rebooting
Tools and go to the Reboot tab.
The Reboot window is displayed:
Reboot window
the list of ip|engines,

the following command buttons:
(Select all): selects all the ip|engines,
(Reboot): all the selected ip|engines receive a reboot order.
(Help): opens a contextual Help window.
October 2014
5-17
Ipanema System
5. 3. 2. ip|engine software upgrade

ip|engines software (ip|agent) can be upgraded from the system manager ip|boss, or directly
from the ip|engines themselves. In the first case, an FTP server reachable by both ip|boss and
the ip|engines is mandatory; in the second case (direct upgrade from the ip|engines), the FTP
server only needs to be reachable by the ip|engines to be upgraded.
In ip|boss System provisioning toolbar, select
Tools and go to the Software upgrade tab.
The Software upgrade window is displayed:
Software upgrade window

the list of ip|engines to be upgraded (left frame),

the list of ip|agent software versions (right frame).
The procedure is as follows:
1. At opening, the list of ip|engines in the configuration is displayed in the left frame. The
Version column is not filled in. Select some ip|engines (or all with the Select all button
and click on the Status button
selected ip|engines.
The statuses can be:
to see the actual software versions and statuses of the
upgraded: the ip|engine has the software release which is described in the field version,
download scheduled: the ip|engine will be upgraded, the scheduled Begin hour is
not passed,
install scheduled: the ip|engine is upgrading, the scheduled End hour is not passed,
error occurred: possible reason of failure:
No Space left for file: no more space on ip|engine to download the file,
Cant connect to server (check address/routes): FTP server is unreachable,
Access to server denied (check login/password): login/pw problem on FTP
server,
File not found: xxxxxxx: the file is not in the right directory on FTP server or the
directory is wrong,
Error while downloading: the connection between FTP server and the ip|engine
is broken,
No disk space left for file: no more space to uncompress the software package.
5-18
October 2014
2. In the right frame, clisk on the Get catalog button

FTP server that contains the catalog:
. A new window opens, to specify the
It contains the following fields:

FTP server (ip|boss access): IP address of the FTP server reachable by ip|boss
(ip|boss reads the ip|agent versions present on the FTP server),
FTP server (ip|engine access): IP address of the FTP server reachable by ip|engines
(ip|engines will download the new ip|agent version from that FTP server); it can be
different from the previous address in case of NATting ,
Directory: the FTP server directory containing the ip|agent software files,
Login: user name to use to get the files,
Password: password of the user,
The list of ip|agent software versions on the FTP server is displayed.
This table is made of two columns:
ip|agent version: list of the available software versions,
Current version compatibility: shows the compatibility with the running version of
ip|boss (compatible or not compatible).
3. Select the ip|engines to be upgraded in the left frame and the ip|agent software version in
the right frame, and click on the Upgrade button
A message confirms that the selected ip|engines have received the upgrade order.
allows to cancel the upgrade request. Cancelling an upgrade is possible
A Cancel button
before or during the FTP download of the new version of ip|agent, but before the ip|engine
has started swapping.
October 2014
5-19
Ipanema System
4. A scheduling window opens, that allows scheduling the upgrade (during the night for
example), or launch it immediately by clicking on Ok without specifying any date or time:
This window is made of the following fields:

Start time: enter the start date and time for upgrade (this must be a future date, not the
current date). The Start time corresponds to the date when the downloading ip|engine
from the FTP server will be started. The chronological sequence of downloads is
managed automatically by the system,
End time: enter the end date and time of the upgrade (this must be a future date, not
the current date). The End time corresponds to the date when ip|engines downloading
will end and reboot for the new version to be applied,
Mode:
Differential: download only files necessary to upgrade the current version to the
new version,
Total: download all files.
Click on Ok when done. The restart of ip|engines after upgrade is automatically performed at
the date/time specified by the "End time" field.
If the Start time and End time fields are empty, the upgrade starts immediately on the selected
ip|engines.
5. Check that the upgrade has been completed correctly by selecting the concerned ip|engines
and by clicking on the Status button
5-20
October 2014
5. 4. IP|BOSS LOGS
Log.
The Log window is displayed.
Log window
the list of Supervision events (on ip|engines, ip|boss server and ip|reporter server) with a
time stamping, in Syslog format,
the list of Traffic alarming events (on MetaViews) with a time stamping (only if it has been
activated in Options / Activation).
October 2014
5-21
Ipanema System
5. 5. CONFIGURATION HISTORY
Configuration history.
The Configuration history window is displayed. It contains the list of all configurations saved
with, for each one, the modification date, the name of the User who made the modifications and
the modified section(s) in the configuration file.
To read a configuration in the right pane, click its name:
Configuration history window

To compare two configurations (make a diff), select them (click the first one, then click the second
one with the Control key pressed) and click the Diff icon
lines:
. The right pane displays the modified
Comparison between two configurations
5-22
The top frame shows the modifications, with the Previous line and the Modified line (in the
example above, the Previous line is empty because an object was created),
the bottom frame shows them in the two configuration files they belong to; two blue arrows allow
jumping from one modification to the next one (down arrow) or to the previous one (up arrow).
October 2014
CHAPTER 6. USING IPANEMA SERVICES

(IP|BOSS)
To run a measurement or Application Control session, you must start ip|boss.
For more information, refer to table "Operating procedure".
A session can be started or stopped whatever the service used - ip|true (measurement), ip|fast
(Application Control), ip|coop (tele-cooperation), ip|xcomp (redundancy elimination), ip|xtcp
(TCP acceleration), ip|xapp (CIFS acceleration) and smart|plan (smart planning reports).
6. 1. STARTING AND STOPPING A SESSION

6. 1. 1. Starting a session
Operating procedure table: ip|true, ip|fast, ip|coop, ip|xcomp, ip|xtcp, ip|xapp, DWS,
smart|plan, IMA.
From the Toolbar, select
Service activation.
In the Service activation window that opens, select ip|engines: on:
The start of a session of measurement, control, compression or acceleration begins by a check of

the configuration. In case of error, ip|boss shows a warning.
Check that the indicator lights in the Main window turn green (after a few seconds), refer to ip|boss
status zone description for information on the meaning of indicator lights that remain amber or red.
When a session starts, ip|true (measurement) is automatically activated on the
ip|engines of the Domain.
October 2014
6-1
Ipanema System
in case of failure of ip|boss or of the server, at the next start of ip|boss, the session
will be on the same state (automatic restart if it was started, or stop if it was stopped).
6. 1. 2. Stopping a session
Operating procedure table: ip|true, ip|fast, ip|coop, ip|xcomp , ip|xtcp, ip|xapp, DWS,
smart|plan, IMA.
A session can be stopped on the ip|engines by the Toolbar,
Service activation.
In the Service activation windows that opens, select ip|engines: off:
Stopping a session will stop all functions of the system (ip|true (measurement), ip|fast,
ip|xcomp, ip|coop, ip|xtcp, ip|xapp, DWS, smart|plan).
Check that the indicator lights on the status zone turn to black.
6-2
October 2014
Using Ipanema services (ip|boss)
6. 2. DYNAMICALLY MODIFYING A SESSION

The user can dynamically modify some current session settings without stopping the system.
The table below lists the ip|boss system components and services that are accessible with the
current configuration running, where:
A: means that the modifications made by a user of the service are automatically applied,
U: means that the user has to use Update to apply the modifications made.
Table Dynamically modifying a session: ip|true service, ip|fast service, ip|xcomp service,
ip|coop service, ip|xtcp service, ip|xapp service.
Components
Dynamic
Services
Other
Manager
System
System
Administration
System
provisioning
October 2014
Login
Login/User Settings
Update
Help
User
Automatic reporting
Security/Generation
Security/Configuration
ip|engines
Topology Subnets
WAN access
Coloring
ip|sync
Tools/Software
upgrade
Tools/Reboot
Tools/Script
Tools/Security status
Not available with the system

shut down
None cannot be suppressed
6-3
Ipanema System
Components
Service activation
Supervision
Application
provisioning
Reporting
Dynamic
Services
Other
Enable ip|engines
start the session
Disable ip|engines
stop the session
Enable ip|fast
Disable ip|fast
Enable ip|xcomp
Disable ip|xcomp
Enable ip|coop
Disable ip|coop
Enable ip|xtcp
Disable ip|xtcp
Enable ip|xapp
Disable ip|xapp
ip|engines status
Supervision map
Log
Options/Activation
Options/Mail
Options/Trap
User subnets
Applications
TOS
Application Group
other cannot be suppressed
QoS profile
Default cannot be suppressed
Local Traffic Limiting
MetaView
ip|reporter
Alarming
Whether for a Start or an Update, the configuration is checked to inform the user that resources
(Domains and services) are referenced even though they are not configured in the directories or
dictionaries. As long as the check is not OK, no Start or Update operation can be performed on
ip|engines. The check operation accepts configurations with empty dictionaries or directories.
6-4
October 2014
6. 2. 1. Update procedure
Operating procedure table: ip|true, ip|fast, ip|coop, ip|xcomp, ip|xtcp, ip|xapp , DWS,
smart|plan, IMA, ip|sync.
Update.
The Update option performs the following steps:
checks the configuration,

archives the old configuration (__active__.ipmconf.bak) with its date and time and user
in the file name (__active__.<YYYYMMDDhhmmss>.<User>.undo.ipmconf; the 50 most
recent archives are kept),
saves the current configuration (__active__.ipmconf) as the old configuration
(__active__.ipmconf.bak),
saves the new configuration as the current configuration (__active__.ipmconf),
releases the locked resources (during an edit of it),
applies the new configuration to each ip|engine with an immediate application request.
applies the new configuration to ip|reporter (if some reporting modifications were made).
If some ip|engines do not apply the new configuration, ip|boss automatically reconfigures these
ip|engines. The status indicator is yellow and shows either:
not configured: some ip|engines refuse the new configuration,

not updated: some ip|engines have received the new configuration, but refused it.
ip|boss systematically sends a complete configuration file to the ip|engines of the Domain.
6. 2. 2. Transition
In the ip|engines reconfiguration phase, some ip|engines must measure, control and compress
on the basis of different configurations. In addition, as an SNMP agent must take the new
configuration into account (after Update), it may receive measurement results for the previous
configuration. Different problems can arise:
an application dictionary entry is suppressed,

a TOS dictionary entry is suppressed,
an ip|engine directory entry is suppressed,
a subnet directory entry is suppressed.
For suppressed dictionary entries, reports on the previous configuration (i.e. with old aggregate
application or TOS values) are automatically classified in other by ip|boss. There is no retroactive
effect on measurement data that may have been saved in ip|reporter.
For suppressed subnet directory entries, reports on the previous configuration (i.e. with old subnet
values) are automatically rejected by ip|boss.
For suppressed ip|engine directory entries, reports on the previous configuration (i.e. with old
ip|engine values) are automatically rejected by ip|boss.
For suppressed ip|engine directory entries, the ip|engines that have disappeared are stopped.
However, the stop signal may not reach the ip|engines concerned after 10 attempts spaced out
over the recovery interval configured in the system, the stop operation is abandoned by the
manager and the user is informed.
October 2014
6-5
Ipanema System
6. 3. SERVICE ACTIVATION
6. 3. 1. ip|true (measurement)
Operating procedure table: ip|engines Enabled, ip|engines Disabled
Stopping ip|true will stop all other functions of the system (ip|fast, ip|xcomp, ip|coop,
ip|xtcp, ip|xapp, DWS, smart|plan). Refer to the section Stopping a session.
The measurement mechanisms are designed to measure precisely all flows crossing the
ip|engines and to provide comprehensive metrics (volume and quality).
ip|true is enabled, if:
Administrative stare: enable is checked in the ip|engines creation window (Services frame):
ip|engine creation window, Services frame

(The display window shows a green tip in front of the line:)
ip|engines display window
6-6
ip|engines are enabled in the Service activation window

session):
(refer to the section Starting a
October 2014
Service activation window

Modifying quality (AQS) measurement settings
Depending on the results obtained, you can modify some settings. To access the options, refer to
the table Dynamically modifying a session. The settings you may need to modify are:
Applications
User Subnets
QoS profiles
MetaViews
Application Groups
Reports
TOS
October 2014
6-7
Ipanema System
6. 3. 2. ip|fast (Application Control)

Operating procedure table: Application Control Enabled, Application Control Disabled
The Application Control mechanisms are designed to find the best compromises to reach QoS
objectives and take express customer requirements into account:
QoS objectives are expressed in terms of "physical" constraints (delay, jitter, loss rate, etc.),
customer policies are expressed in terms of classes, defining relative traffic criticality.
ip|fast is enabled, if:
ip|fast is enabled in the license file,

ip|fast is checked in the ip|engines creation window ( Services frame):
(The ip|engines display window shows yes in the optimization column.)

the Application Groups have been configured,
not mandatory, the Coloring offered by the operator has been configured (only for a network
with Classes of Service),
ip|engines have been started (Service activation window, ip|engines: on),
Application Control is activated in the Service activation window:
ip|fast: on:

At this stage, Application Control is performed according to the specified QoS objectives.
6-8
October 2014
Modifying Application Control settings

Depending on the results obtained, you can modify some settings. To access the dictionaries, see
the table Dynamically modifying a session. The settings you may need to modify are:
Applications
User Subnets
QoS profiles
LTL
Application Groups
Coloring
TOS
WAN access
October 2014
6-9
Ipanema System
6. 3. 3. ip|coop (tele-cooperation)
Operating procedure table: tele-cooperation Enabled, tele-cooperation Disabled
The tele-cooperation mechanisms are designed to control the traffic on tele-managed sites as
efficiently as possible. To achieve this, a remote coordination group (RCG), that contains the main
sources of traffic to that site, is automatically and dynamically configured by ip|boss; the RCG can
contain up to 8 ip|engines. Each tele|engine has its own RCG.
ip|coop is enabled, if:
ip|coop is enabled in the license file,

ip|fast is checked in the ip|engines creation window ( Services frame):

(The ip|engines display window shows yes in the optimization column.)
If ip|fast is not checked for a tele|engine, the traffic on that site will be controlled
anyway (as long as ip|fast is enabled globally), as it is the remote ip|engines which
actually do it, but without ip|coop (that is, without the remote ip|engines cooperating
to control the site with the tele|engines).

Application Control has been started (Service activation window, ip|fast: on),
ip|coop is activated in the Service activation window:
ip|coop: on.
6-10
October 2014
If ip|coop is not enabled, tele|engines will still measure and control the traffic, with the
following restrictions:
measurement: the traffic will be measured and reported exactly the same,
control: the traffic will be controlled with no Remote Coordination Group, each
ip|engine managing the flows to and from the unequipped sites (tele|engines) on
its own, without coordination with the other ip|engines communicating with this site.
Modifying tele-cooperation settings

There are no settings that are specific to ip|coop (table Modifying a session dynamically).
October 2014
6-11
Ipanema System
6. 3. 4. ip|xcomp (redundancy elimination)

Operating procedure table: compression Enabled, compression Disabled
The redundancy elimination mechanisms are designed to use as much bandwidth as possible, but
still taking the Application Control parameters into account.
ip|xcomp is enabled, if:
ip|xcomp is enabled in the license file,

ip|xcomp compress and/or ip|xcomp decompress is/are checked in the ip|engines window
(Services frame ip|fast must be checked first):
(The ip|engines display window shows yes in the compress and/or decompress columns.)
the Application Groups have been configured (Compress must be checked),
Application Group creation window

compression is activated in the
6-12
Service activation window: ip|xcomp: on:
October 2014

At this stage, compression is performed according to the Application Group set up.
Modifying redundancy elimination settings
Depending on the results obtained, you can modify some settings. To access the dictionaries, see
the table Modifying a session dynamically. The settings you may need to modify are:
ip|engines
October 2014
Application Groups
6-13
Ipanema System
6. 3. 5. ip|xtcp (TCP acceleration)

Operating procedure table: TCP acceleration Enabled, TCP acceleration Disabled
The TCP acceleration mechanisms are designed to accelerate the traffic between sites with a high
RTT and/or a high available bandwidth.
ip|xtcp is enabled, if:
ip|xtcp is enabled in the license file,

ip|xtcp is checked in the ip|engines creation window (Services frame ip|fast must be
checked first):
the Application Groups have been configured (Accelerate must be checked):
Application Group creation window

TCP acceleration is activated in the Service activation window:
6-14
ip|xtcp: on:
October 2014

Modifying acceleration settings
Depending on the results obtained, you can modify some settings. To access to the dictionaries,
see the table Modifying a session dynamically. The setting you may need to modify is:
ip|engines
October 2014
Application Groups
6-15
Ipanema System
6. 3. 6. ip|xapp (CIFS acceleration)

Operating procedure table: CIFS acceleration Enabled, CIFS acceleration Disabled
The CIFS acceleration mechanisms are designed to accelerate CIFS traffic between sites with a
high RTT and/or a high available bandwidth.
ip|xapp is enabled, if:
ip|xapp is enabled in the license file,

ip|xapp is checked in the ip|engines creation window (Services frame ip|fast must be
checked first):

CIFS acceleration is activated in the Service activation window:
ip|xapp: on:

Modifying acceleration settings
Depending on the results obtained, you can modify some settings. To access to the dictionaries,
see the table Modifying a session dynamically. The setting you may need to modify is:
ip|engines
6-16
October 2014
6. 3. 7. smart|plan
Operating procedure table: Smart Planning Enabled, Smart Planning Disabled
Ipanema Technologies Smart planning reports provide easy-to-use data for Capacity Planning
optimization. smart|plan generates very high added value data enabling a complete analysis
for each network access of the relationship between Traffic (resource) and delivered service
level (results). Using this automatically generated data, it is immediately possible to identify if the
access link is under-provisioned or over-provisioned in regard of the expected service level per
applications business criticality.
smart|plan is enabled, if:
smart|plan is enabled in the license file,

smart|plan is checked in the ip|engines creation window (Services frame ip|fast must be
checked first):

smart|plan is activated in the Service activation window:
smart|plan: on:
October 2014
6-17
Ipanema System
6. 3. 8. IMA
Operating procedure table: IMA Enabled, IMA Disabled
Ipanema Mobile Agent is a SoftWOC (Software WAN Optimization Controller), more precisely a
software agent for Windows desktops and laptops, which provides SRE compression and CIFS
acceleration services to nomad users and small offices on non-equipped (or tele-managed) sites
and sites equipped with a nano|engine.
It works in server-client mode, where an ip|engine (ip|e 140ax or above) plays the role of IMA
server and IMA software installed on the users desktop or laptop is an IMA client.
IMAs detection, configuration and activation are fully automatic.
IMA service is enabled, if:
IMA is enabled in the license file,

IMA is checked on the IMA server (ip|engine creation window ip|fast must be checked
first) and on the tele|engine or nano|engine (or, possibly, ip|engine) configured on the site
with IMA clients.
If the IP address of the users desktop or laptop running anIMA client does not belong to any
allocated Topology subnet, it is Out of Domain; for this user to benefit from IMA service, IMA
must be enabled on Out of Domain tele|engine.
IMA checkbox in the ip|engine / tele|engine creation window

IMA is activated in the Service activation window:
IMA: on:
6-18
October 2014
6. 4. HELP
Help:
The Help window is displayed.
Help window
This window contains the documentation of Ipanema System.
October 2014
6-19
CHAPTER 7. MONITORING
(IP|DASHBOARD)
This chapter describes ip|dashboard capabilities.
7. 1. CONNECTION
To connect to ip|dashboard from the SALSA client, first select the Domain you want to monitor,
then click on the ip|dashboard button:
SALSA client
October 2014
7-1
Ipanema System
ip|dashboard main window then opens:
ip|dashboard main window
7-2
October 2014
Monitoring (ip|dashboard)
7. 2. GRAPHICAL USER INTERFACE

7. 2. 1. ip|dashboard window, menus and views
ip|dashboard window is made of three parts:
1. the top bar,

2. the menu and view bar, and
3. the main space:
ip|dashboard main window

ip|dashboard version is displayed at the bottom of the window.
7. 2. 1. 1. The top bar

The top bar shows:
the Ipanema logo,

a Quick search text box, which allows searching for the Sites containing the typed string;
for instance, typing ara in our example displays Caracas, Maracaibo, Paracatu and Santa
Barbara:
Quick search
the User who is logged in (Connected as),

the Domain where the User is connected to (Domain),
a Quit button,
a Local Time drop-down list, which allows the User to display the data with:
either the Local time zone
or the Domain time zone (as configured in ip|uniboss), thus allowing them to align the
timing in ip|dashboards graphs with that of ip|reporters reports.
October 2014
7-3
Ipanema System
7. 2. 1. 2. The menu and view bar

The menu and view bar shows:
two main menus:

Dashboard: to monitor the network flows (explained here),
Configuration: to configure SSL optimization (explained in Chapter 8),
and, when Dashboard is selected, several views (the active view is displayed with a blue title):
<Domain_name>: allows displaying Domain-level information;

Sites (<number>): shows the list of Sites with their links usage and quality;
Flows (<number>): shows the list of flows at the Domain level;
<Site_name> (only displayed when the User clicks on a Site name or bar in one of the
previous views): allows seeing more details for the selected Site; several Site views can
be open simultaneously no one is open when the User first connects. A Site view can
be closed by clicking on the white cross next to its name: .
7. 2. 1. 3. The main space

The main space shows the different views:
<Domain_name>, with two frames:
<Domain> - Quality Summary
<Domain> - Activity Summary
Sites (<number>), with two frames (<number> is the number of Sites currently configured):
Overview
Sites
Flows (<number>), with two frames (<number> is the number of Flows measured during the
last polling period):
Overview
Application flows
<Site_name>, with up to five frames, depending on the User rights:
<Site> - Quality Summary
<Site> - Activity Summary
<Site> - Throughput Summary per NAP
<Site> - Application flows
<Site> - Discovery
You can open them by clicking on their names in the view bar. A Site view has to be opened first
by clicking on the Site name or bar in the Domain or Sites views.
7-4
October 2014
7. 2. 2. Frames and timing

The frames in the different views can be expanded or collapsed by clicking on their headers (grey
bars).
Example of a Site view with one frame expanded and all other frames collapsed
The first frame header of each view (at the top of the main space, just below the menu and view
bar) contains, after the name of the frame:
first frame header, below the menu and view bar
a tooltip
(Domain and individual Site views): shows additional information:
Site tooltip
October 2014
7-5
Ipanema System
a date and time area

: allows searching historical data (up to the
last 4320 minutes of data), by clicking on this area and scrolling in the past in the pop-up calendar
that opens;
a drop-down list (previous screenshot): allows choosing the time span:
min: evolution quadrants display 3 hours of per minute* information, and the user can
scroll in the past; the flows list displays values averaged over a minute*,
All views (unless freezed) are automatically refreshed every minute*.
* The period can also be 5 or 15 minutes, if the Collect period has been set to
5 or 15 minutes respectively (see the Domains parameters in ip|uniboss).
hour: evolution quadrants display up to 3 days of hourly aggregated information; the
flows list displays values averaged over an hour;
All views (unless freezed) are automatically refreshed every hour.
Example: Throughput Evolution quadrant, with time span: hour
The lifetime of the data and the ability to aggregate hourly data depend on the
storage parameters in ip|uniboss Domain window.
a button to set the date and time to Now and unfreeze the view (the view is frozen when a date
and time have been selected; the button is greyed when clicked);
a
or
button, in the Domain and Site views, allowing an easy and
contextual access to the reports (see Access to the reports below).
button, providing a contextual access to this very manual.

The first frame header is always visible (when scrolling down a view that is higher than
the window height, the first frame header moves up with the rest of the view until it hits
the top of the windows, then it stays there):
First frame header
7-6
October 2014
7. 2. 3. Reading ip|dashboard contents

ip|dashboard displays bar graphs, historical graphs, pie charts, cord diagrams and tables.
The exact values of the various curves, fields, etc., can be read precisely:
Bar graphs and pie charts
You can read the exact values on a bar graph or on a pie chart, by rolling over them with your
mouse. A small pop-up then appears with the name on the field and its value:
Reading graphs and pies exact values
You can access a Site view by clicking on its bar in a bar graph.
You can access the Flows view filtered out to match an Application Group by clicking this AG
in a bar graph or in a pie chart. For instance, clicking on VideoStreaming in the Application
Groups by AQS graph in the Domain view shows the flows belonging to the VideoStreaming
AG:
Filtering the flows list by clicking on a graph (1)
Filtering the flows list by clicking on a graph (2)
October 2014
7-7
Ipanema System
Historical graphs
You can read the exact values on historical graphs by rolling over them with your mouse. A
vertical bar then appears on the graph, with a pop-up indicating the exact time and the exact
values of each curve at this time; the same vertical bar and pop-up also appear in the other
historical graphs of the view, thus allowing a synchronized navigation and reading of all graphs:
Reading various historical graphs exact values at the same time
You can change the time (of the entire page) by clicking anywhere in these graphs; the time
then changes to the clicked moment.
You can highlight any curve by rolling over its legend, and you can hide or show it by clicking
its legend. In the example below, we just show the Top and High traffic, highlighting the High
curve.
Playing with the legend
7-8
You can export any graph, both in PNG and CSV formats, by right-clicking it.
October 2014
7. 2. 4. Access to the reports

From the Domain and Site views, one can access the corresponding reports thanks to the reports
buttons
or
at the right of the first frame header at the top.
To access the reports, click on the icon to display the reports list; for example:
October 2014
7-9
Ipanema System
7. 3. DOMAIN VIEW
Dashboard views
The Domain view shows two frames:
<Domain> - Quality Summary
<Domain> - Activity Summary
7. 3. 1. Quality Summary
This frame shows four graphs with the following information:
Domain - Quality Summary
AQS Evolution
Historical graph showing the evolution of the AQS for all flows, and for the Top, High, Medium and
Low flows, on the whole Domain. The covered period and the granularity of the data depend on
the time span (see Frames and timing above): it can be three hours of per-minute information, if
the time span is the minute (then the user can scroll the past hours with the horizontal scroll bar at
the bottom of the graph), or it can be the last three days of hourly averaged information, if the time
span is the hour.
Site Overview
Pie chart showing the number of Sites (and the percentage of the total that they represent):
7-10
with an AQS higher or equal to 9 (in green),

with an AQS between 6 and 9 (in yellow),
with an AQS lower than 6 (in red),
where the AQS could not be computed (none, in grey).
October 2014
Application Groups by AQS
Bar graph showing the Top 10 Application Groups (i.e. the 10 AGs with the best quality) sorted
by decreasing quality (the best AG of the Domain is displayed in the first bar on the left), with
their AQS values displayed both as a number (between 0 and 10 with two decimals) and as a
colored bar (the height of the bar indicates the value on the vertical axis and the color can take
any hue between green (AQS = 10) and red (AQS = 0)).
By clicking on Worst 10 at the top of the bar graph, the 10 worst Application Groups are
displayed, sorted by increasing quality (the worst AG of the Domain is displayed in the first bar
on the left), with their AQS values.
Sites by AQS
This bar graph shows the Top 10 Sites (i.e. the 10 Sites with the best quality) sorted by
decreasing quality (the best Site of the Domain is displayed in the first bar on the left), with
their AQS values displayed both as a number (between 0 and 10 with two decimals) and as a
colored bar (the height of the bar indicates the value on the vertical axis and the color can take
any hue between green (AQS = 10) and red (AQS = 0)).
By clicking on Worst 10 at the top of the bar graph, the 10 worst Sites are displayed, sorted
by increasing quality (the worst Site of the Domain is displayed in the first bar on the left), with
their AQS values.
By clicking on a bar, a new window opens and shows detailed information for the selected Site.
October 2014
7-11
Ipanema System
7. 3. 2. Activity Summary
This frame shows two graphs with the following information:
Domain - Activity Summary
Throughput Evolution
Historical graph showing the evolution of the WAN throughput for the Top, High, Medium and Low
flows (or any combination of these, according to the selection in the legend by default, it shows
all of them, i.e. the total WAN throughput), on the whole Domain. The covered period and the
granularity of the data depend on the time span (see Frames and timing above): it can be three
hours of per-minute information, if the time span is the minute (then the user can scroll the past
hours with the horizontal scroll bar at the bottom of the graph), or it can be the last three days of
hourly averaged information, if the time span is the hour.
Top by volume
Pie chart showing the names and volumes of the top 10:
7-12
Application Groups in volume (by clicking Top 10 Application Groups at the top of the graph;
this is the default view),
Sites in volume of outgoing traffic (by clicking Top 10 Sites (LAN => WAN)),
Sites in volume of incoming traffic (by clicking Top 10 Sites (WAN => LAN)).
October 2014
7. 4. SITES VIEW
Dashboard views
The Sites view gives access to the following information:
In the view bar, the total number of Sites currently configured on the Domain is displayed into
parenthesis (in the screenshot below: 100).
Overview
Sites
7. 4. 1. Overview
Sites - Overview
AQS Evolution
Low flows, on all the Sites of the Domain, i.e. for the whole Domain: it is identical to the AQS
Evolution graph described in the previous section (please refer to that section for more details).
flows on all the Sites of the Domain, i.e. for the whole Domain: it is identical to the Throughput
Evolution graph described in the previous section (please refer to that section for more details).
October 2014
7-13
Ipanema System
7. 4. 2. Sites
This frame shows, for all Sites of the Domain, the following information:
Sites - Sites
Site: name of the Site; by clicking on that name, a new window opens with more details on the
selected Site.
The Sites links usage and quality with, for each direction (LAN => WAN and WAN => LAN), the
following fields:
link size: WAN access throughput, as declared in ip|boss (max BW),
link usage: usage of the link, displayed both as a percentage of the link size and as a
bar, the size of which is proportional to the usage,
AQS: quality of the link, displayed both as an AQS value (between 0 and 10) and as a
color (between green (AQS = 10) and red (AQS = 0)).
The Sites Application Groups volume and quality, sorted by Criticality levels (Top, High,
Medium, Low), with each square color representing the quality of the corresponding Application
Group (in the same column) for the corresponding link (on the same line); it can take any hue
between green (AQS = 10) and red (AQS = 0).
you can read the exact values by hovering your mouse on the squares;
clicking on a square opens a new window for the corresponding Site, where it filters the
flows in the Sites Real Time Flows list (see below) according to the selected Application
Group: thanks to this features, you can immediately access the details of any Application
Group for any Site.
This view is automatically refreshed every minute (or every 5 or 15 minutes, according to the collect
period see the Domains parameters in ip|uniboss).
7-14
October 2014
7. 4. 3. Searching for Sites / Filtering the Sites

At the top of the frame, one can use the text field to filter the Sites with their tags (corresponding to
the fields Folder, Subfolder or Tag in the ip|engines creation window), or use the button next
to this text field to open a map where the sites can be filtered by clicking their tags:
Filtering the Sites thanks to their tags

In this map, the size of the names is a representation of the size of the Sites, and their colors
represent their quality the exact AQS can be displayed by hovering the mouse on the names.
If several names are selected, they will all be displayed and applied in the filter. They can be cleared
by clicking the Clear button, applied by clicking the OK button or cancelled by clicking the Cancel
button.
7. 4. 4. Downloading the data

It is possible to download a zipped CSV file containing all the sites information displayed in this
frame, or to open it, with the Download button:
Downloading the data
October 2014
7-15
Ipanema System
7. 5. FLOWS VIEW
Dashboard views Application flows in the Site view
Operating procedure table: ip|true service, ip|fast service, ip|xcomp service, ip|coop service,
ip|xtcp service, ip|xapp service.
The Flows view shows two frames:
Overview
Application flows
In the view bar, the total number of flows currently running on the Domain is displayed into
parenthesis (in the screenshot below: 3366).
In the Ipanema system, we call a flow all the sessions of a given application, from a
given source to a given destination.
7. 5. 1. Overview
Flows - Overview
AQS Evolution
Low flows, on all the flows of the Domain, i.e. for the whole Domain: it is identical to the AQS
Evolution graph described in the Domain view section above (please refer to that section for more
details).
flows for all the flows of the Domain, i.e. for the whole Domain: it is identical to the Throughput
Evolution graph described in the Domain view section above (please refer to that section for more
details).
7-16
October 2014
7. 5. 2. Application flows
The top of the view contains four filters (see 7.5.2.1) and the rest of the view shows:
either the detailed flows list (by default; see 7.5.2.2)

or a flows map (chord diagram; see 7.5.2.3).
One can toggle between the two views with the
button.
In either case, the information displayed matches the selected filters (all flows on the Domain if no
filter was selected).
Flows - Application flows
7. 5. 2. 1. Filters
It is possible to filter the flows by AQS, moving the two cursors of the AQS filter at the top of the
frame (e.g. to see the bad flows only (AQS <5), as in the example below):
AQS filter
As in the Sites view described above, a text field allows filtering the flows with the Sites tags
(corresponding to the fields Folder, Subfolder or Tag in the ip|engines creation window), a
button opens a map where the flows can be filtered by clicking these tags, and a
button allows downloading or opening a zipped CSV file containing all the flows information
displayed in this frame.
October 2014
7-17
Ipanema System
Below that, the
Application flows frame has four filters:
Local Sites,
Remote Sites,
Application Groups,
Applications
with, for each of them:
their names (first column),

their LAN-to-LAN throughput (LAN column)
and their WAN-to-WAN throughput (WAN column).
Flow filters
Applying a filter
The flows in the chord diagram and in the detailed flows list can be filtered out by clicking on any
filter or any combination of filters.
One can select several filters in a column by maintaining the CTRL key pressed during the selection.
To select all filters between line A and line Z, select line A, press the SHIFT key and select line Z
while maintaining the SHIFT key pressed.
Several filters from several columns can be applied simultaneously.
To remove the filters, click the first line (ALL; this is the default view).
Interactions between filters
When a filter is applied, the two others are automatically updated accordingly. For instance, if FTP
is selected in the Application Groups filter, the Applications filter table will only show the applications
belonging to that Group (ALL shows the total throughput for that Group too), and the throughputs
displayed in the Remote Sites filter correspond to the throughput for that Group only.
Sorting the data in the filters
It is possible to sort the data in these filters by clicking on the column headers: click once to sort
the data incrementally (an up arrow
data decrementally (
then appears next to the header), click twice to sort the
).
(ALL shows all flows with the total values, and it always appears at the top of the filter tables,
whatever the sorting criteria.)
7-18
October 2014
Example where only MailCollaborative between Roma and Paris are shown in the flows list
October 2014
7-19
Ipanema System
7. 5. 2. 2. Detailed flows list

The Detailed flows list shows a table with each active flow displayed on a separate line. A flow
becomes active and is displayed in the window as soon as a packet belonging to it is detected
during the session.
One can toggle between this view and the flows map with the
/
are different representations of the same data, with the same filters applied.
button. Both views
Flows - Application flows

The table contains the following columns:
The same metrics are displayed in the reports, with the same definitions. Yet, in the
reports, other metrics are also calculated and other symbols are also used: you can
find their definitions in 9.3.5 Definitions.
Topology
Local Site
name of the selected ip|engine
Local User
Subnet
name of the User subnet on the local Site (this field is empty if the local IP
address does not belong to any User subnet defined on the Site)
Local User
Subnet
name of the User subnet on the local Site (this field is empty if the local IP
address does not belong to any User subnet defined on the Site)
direction of the flow:
outgoing (the local Site is the source)
incoming (the local Site is the destination)
7-20
Remote Site
name of the remote ip|engine (where the flow is going to or coming from)
Remote User
Subnet
name of the remote User subnet
October 2014
AQS
Application Quality Score of the flow: score between 0 (extremely bad quality) and 10 (excellent
quality), displayed with two decimals.
The color of the field also represents the quality, with the following meaning:
Excellent, Very good, etc., are only a typical
interpretation of the AQS with typical parameters
it may vary according to the users sensibility and
according to the QoS profile parameters.
When the AQS is not good, the parameters (delay, jitter, loss, etc.) that triggered an average
or a bad quality are also highlighted with the same color, so that one can easily find which
parameters objectives were not met (yellow) or which parameters maximum values were
exceeded (red).
100 is a reserved value used when the AQS cannot be computed.
The quality of a flow cannot be computed when ALL three following conditions are met:
it is a real time flow (the bandwidth is not a criteria) or the bandwidth objective of the flow is
not met (the quality is measured thanks to the other parameters),
the flow is not qualified (D/J/L cannot be measured),
the flow runs over UDP (RTT, TCP retransmission and SRT cannot be measured either) or
those parameters are not activated in the QoS profile.
Classification
Application
Group
name of the Application Group where the flow is classified
Application
name of the application
Criticality
criticality level of the flow (Top, High, Medium or Low)
Sens.
sensitivity of the Application Group (Routine or Business this is a DWS

parameter)
LAN
Thr. (kbps)
October 2014
Thr.: LAN-to-LAN throughput (number of bits per second sent at the IP layer)
Good: LAN-to-LAN goodput (number of useful bits received at the application
layer i.e. payload of the TCP and UDP packets received on the downstream
side; retransmitted, out of sequence and lost packets are not counted).
Throughput vs Goodput, example:
7-21
Ipanema System
Sess.
number of sessions, represented by the averaged activity for the duration of

the Correlation Record (by default: T = 1 minute).
For example, 1 session running during T plus 1 session running during half this
period of time will give 1 + 0.5 = 1.5 session.
A session is identified by the following parameters:
for TCP or UDP: source address, destination address, protocol (TCP or

UDP), source port and destination port.
for others protocols over IP (for example ICMP): source address, destination
address, protocol.
Loss (%)
LAN-to-LAN loss rate (measured between the LAN port of the source ip|engine
and the LAN port of the destination ip|engine)
Delay (ms)
LAN-to-LAN one-way-delay (in ms) measured between the LAN port of the
source ip|engine and the LAN port of the destination ip|engine
Min: minimum LAN-to-LAN one-way-delay
Avg: average LAN-to-LAN one-way-delay
Max: maximum LAN-to-LAN one-way-delay
Jitter (ms)
LAN-to-LAN jitter (delay variation measured between the LAN port of the
source ip|engine and the LAN port of the destination ip|engine)
WAN
Thr. (kbps)
WAN-to-WAN throughput (number of bits per second sent at the IP layer)
Loss (%)
WAN-to-WAN loss rate (measured between the WAN port of the source
ip|engine and the WAN port of the destination ip|engine)
Delay (ms)
WAN-to-WAN one-way-delay (in ms) measured between the WAN port of the
source ip|engine and the WAN port of the destination ip|engine
Min: minimum WAN-to-WAN one-way-delay
Avg: average WAN-to-WAN one-way-delay
Max: maximum WAN-to-WAN one-way-delay
Jitter (ms)
WAN-to-WAN jitter (delay variation measured between the WAN port of the
source ip|engine and the WAN port of the destination ip|engine)
Comp
Ratio
7-22
compression ratio for the flow (when applicable)
October 2014
TCP
SRT (ms)
The Server Response Time measures the delay (in ms) between the last
packet sent by the client during a request (PSH) and the emission of the
acknowledgement to the first packet received from the server (ACK).
When an ip|engine is installed on the client side, it measures this response
time and reports it to ip|boss; otherwise, it is the ip|engine installed on the
server side which does it (and the measurement is made between the reception
of the PSH and the reception of the ACK).
If the same ip|engine does not see the two ways of the TCP connection
(in case of a cluster with asymmetric routing), the SRT will not be measured
unless the two ip|engines of the cluster are connected together and the ASR
feature is configured.
Min: shortest Server Response Time

Avg: average Server Response Time
Max: longest Server Response Time
RTT (ms)
The Round Trip Time measures the time of establishment of a TCP connection
(3way handshake: SYN, SYN+ACK, ACK), that is: the delay (in ms) between
the emission of the SYN and the emission of the ACK.
When an ip|engine is installed on the client side, it measures this RTT and
reports it to ip|boss; otherwise, it is the ip|engine installed on the server side
which does it (and the measurement is made between the reception of the
SYN and the reception of the ACK).
If the same ip|engine does not see the two ways of the TCP connection
(in case of a cluster with asymmetric routing), the RTT will not be measured
unless the two ip|engines of the cluster are connected together and the ASR
feature is configured.
Min: shortest Round Trip Time

Avg: average Round Trip Time
Max: longest Round Trip Time
Ret. (%)
percentage of TCP retransmissions

Flags
Comp.
compression status: Yes if the flow is compressed, No otherwise
Accu.
accuracy of the current measurement: High is the flow is qualified, Low

otherwise
Al.
this field indicates, when at yes, the presence of an alarm on the ip|engine.
Check its status for further information. In case of alarm, the correlation records
are ignored.
October 2014
7-23
Ipanema System
TOS / DSCP
name of the TOS / DSCP value used to recognize the application, when applicable
This table is refreshed about every minute (according to the ip|engine collect period option).
The same metrics are used in the reports, with the same definitions. Yet, in the
reports, other metrics and symbols are also used: you can find their definitions in 8.3.5
Definitions.
7-24
October 2014
7. 5. 2. 3. Flows map
The flows map is a dynamic and interactive chord diagram of the flows.
/
One can toggle between this view and the Detailed flows list with the
views are different representations of the same data, with the same filters applied.
button. Both
Flows map
It displays the flows matrix with a hierarchical structure:
1. Folders (e.g. continents*),
2. Subfolders (e.g. countries*),
3. Sites (e.g. called by the name of the cities),
4. NAPs (in case the Site has several NAPs, when the DWS feature is used).
* Folders and Subfolders are defined in the ip|engines creation window. For instance (as in the
example above), they can be used to sort the Sites continent by continent (Folders = continents),
then country by country (Subfolders = countries).
October 2014
7-25
Ipanema System
It is possible to zoom in and zoom out these four levels:
zoom in by clicking on the arcs or on their names (in the example below: Europe > France >
Paris); the cursor shows a down arrow:
displayed when one zooms in;
; the zoom level is represented by external arcs,
zoom out by clicking on the external arcs; the cursor shows an up arrow:
Zooming in the flows map

Hovering the mouse on any arc (without clicking down) shows the flows between that arc and the
others only (instead of the whole matrix between all pairs of arcs) (see below).
The colors of the flows and their extremities indicate the quality (between green (AQS = 10) and
red (AQS = 0)). The color is strong for the flows, pale for the extremities. The exact AQS of both
the flows and their extremities can be displayed by hovering the mouse on these objects.
There is a maximum number of flows that can be displayed simultaneously (a diagram
showing thousands of flows would be unreadable anyway, so it would be completely
helpless). If this maximum number is exceeded, the map is replaced by a message
telling you that there are too many groups to display, and that you should refine your
filter: use the filters to concentrate on the flows you want to see.
Flows map with too much zoom and too many chords displayed
When the map is opened, it shows the Folders level (e.g. the flows between continents). Out of
Domain is displayed on its own, indicated by an arrow.
7-26
October 2014
Hovering the mouse on an extremity hide the traffic between the other extremities and displays this
extremitys details (volume and quality) in a pop-up. Here for instance, we show the traffic between
Asia and the rest of the world:
Flows map, showing the traffic flows of one extremity
October 2014
7-27
Ipanema System
Clicking on an extremity or on its name (e.g. Asia) allows zooming in this extremity (e.g. continent),
breaking it up into the next level (here: countries). So here for instance, we are zooming into Asia to
see the traffic between each Asian country and the rest of the world (still displayed as continents):
Flows map, zooming from a continent (folder) into its countries (subfolders)
7-28
October 2014
It is possible to zoom in again, from a country (subfolder) to its Sites...
Flows map, zooming from country (subfolder) to its Sites

... and from a Site to its NAPs (when there are several NAPs on the Site).
Use the Reset button to reset the view.
October 2014
7-29
Ipanema System
The three switches at the top left of the diagram allow changing some display settings: LAN=>WAN
/ WAN=> LAN, Per link usage / Per throughput and Traffic only / All groups.
By default, the three switches are in the LAN=>WAN, Per link usage and Traffic only positions:
Flows map, with the three switches in their default positions
The [LAN=>WAN / WAN=> LAN] switch allows changing the direction of the flows displayed.
[Per link usage / Per throughput] allows showing traffic chords with a size proportional to:
the links (Per link usage); arc = available bandwidth; chords = traffic; in the example
above, we can see that in South America, about a third of the bandwidth is used (we
can read the exact percentage by hovering the mouse on the arcs);
the throughput (Per throughput); arc = sum of the chords = total traffic: the traffic is
displayed independently of the available bandwidth.
Flows map, displaying the link usage (Per link usage)
7-30
[Traffic only / All groups] allows displaying extremities with traffic matching the filters only (Traffic
only) or all the groups where traffic is also present (but without matching the selected filters).
October 2014
The three switches can be combined to display the desired information. Here for instance, we want
to see the traffic from Las Vegas to Sao Paulo (LAN=>WAN), as a proportion of the links on these
Sites (Per link usage), showing the other links as well (All groups), so that we can see what the
traffic from Las Vegas to Sao Paulo represents on the whole Domain (i.e. also displaying the other
Sites of the Domain):
Flows map, displaying the link usage between two Sites, on the whole Domain
October 2014
7-31
Ipanema System
By removing the Remote Sites filter, we can now see, on the same diagram, the traffic from Las
Vegas to all remote sites (with the one between Las Vegas and Sao Paulo highlighted):
Flows map, displaying the link usage between a Site and all the remote ones, on the whole
Domain
At any level of the map, clicking on a chord opens the flows list, automatically filtered out to display
the flows corresponding to the selected chord.
7-32
October 2014
Exporting the maps

Right-clicking the map, a contextual menu allows exporting it, either as a graph (PNG format) or
as raw data (CSV format):
Exporting the application flows map

The frame that opens has two tabs:
Chart, allowing to download the map as a PNG image:
Downloading a maps image

Three check boxes allow displaying or hiding the Borders, the Date and Time and the Title.
October 2014
7-33
Ipanema System
Data, allowing to download the map as CSV data:
Downloading the maps data
In either case, use the

button to download the data. Depending on the Operating
System being used, a menu appears, allowing to either save the data on disk or to open the data
with the ad hoc software program.
7-34
October 2014
7. 5. 3. Real Time Graphs

From any flow in the Detailed flows list described above, one can open a Real Time Graph, which
is a 12minute window showing the evolution of the above metrics with additional polling every 10
seconds. Up to four graphs can be open on a Domain, simultaneously.
To access the Real Time Graphs, right click on a flow and select Start Real Time Graph:
Flows contextual menu
Pop-up windows must not be blocked in your web browser.
Real Time Graph

A Real Time Graph is empty when it starts. You can see some data after 10 to 20 seconds.
October 2014
7-35
Ipanema System
The graph window contains four tabs, and each tab is made of 4 graphs, displayed simultaneously:
Tab
Graphs
What is shown
OVERVIEW
Avg. Delay (ms)
LAN-TO-LAN (in blue) and WAN-TO-WAN (in

orange) average delays
Packet loss (%)

orange) packet losses
Avg. sessions
Average number of sessions
Throughput (kbps)

orange) Throughputs
Delay (ms)
LAN-TO-LAN maximum (in red), average (in blue)

and minimum (in green) delays
Packet loss (%)
LAN-TO-LAN packet loss
Jitter (ms)
LAN-TO-LAN jitter
Throughput (kbps)
LAN-TO-LAN layer 3 (in blue) and layer 4 (in green)

throughputs
Delay (ms)
WAN-TO-WAN maximum (in red), average (in blue)

and minimum (in green) delays
Packet loss (%)
WAN-TO-WAN packet loss
Jitter (ms)
WAN-TO-WAN jitter
Throughput (kbps)
WAN-TO-WAN layer 3 throughput
SRT (ms)
Maximum (in red), average (in blue) and minimum

(in green) Server Response Time
RTT (ms)
Maximum (in red), average (in blue) and minimum

(in green) Round Trip Time
Retransmission (%)
TCP retransmissions
Throughput (kbps)
Layer 3 (in blue) and layer 4 (in green) TCP

throughputs
LAN
WAN
TCP
In case of control and/or compression, the differences between LAN and WAN values
can be very different.
If the upstream or downstream ip|engine is not synchronized, or if the flow is between
and equipped site and a tele-managed site, then the delay, jitter and packet loss are not
measured.
7-36
October 2014
Exporting the graphs

Right-clicking any graph, a contextual menu allows exporting it, either as a graph (PNG format) or
as raw data (CSV format):
Exporting the Real Time Graphs

The frame that opens has two tabs:
Chart, allowing to download the graph as a PNG image:
Downloading a graphs image

Three check boxes allow displaying or hiding the Borders, the Date and Time and the Title.
October 2014
7-37
Ipanema System
Data, allowing to download the graph as CSV data:
Downloading the graphs data
In either case, use the

button to download the data. Depending on the Operating
System being used, a menu appears, allowing to either save the data on disk or to open the data
with the ad hoc software program.
7-38
October 2014
7. 5. 4. Discovery
From any flow in the flows list described above (7.5.1), one can open a Discovery agent, which
polls additional information on the selected ip|engine.
To access the Discovery function, right click on a flow and select Start Discovery:
Flows contextual menu

It open a Single Site view for the selected Local Site, with the Discovery frame open with the
corresponding filters automatically set. Please refer to the next section for its description.
October 2014
7-39
Ipanema System
7. 6. SINGLE SITE VIEW

Dashboard views
A Site view can be opened for any Site by clicking on its name or bar in the previous views (Domain
or Sites). It gives access to the following frames:
<Site> - Quality Summary
<Site> - Activity Summary
<Site> - Throughput Summary per NAP
<Site> - Application flows
<Site> - Discovery
7. 6. 1. Quality Summary
Site - Quality Summary
AQS Evolution
Low flows, on the selected Site. It is similar to the AQS Evolution graph described in the Domain
view section above, but at the Site level (please refer to that section for more details).
Application Groups by AQS
7-40
This bar graph shows the Top 10 Application Groups (i.e. the 10 Application Groups with the
best quality) sorted by decreasing quality (the best Application Group of the Site is displayed in
the first bar on the left), with their AQS values displayed both as a number (between 0 and 10
with two decimals) and as a colored bar (the height of the bar indicates the value on the vertical
axis and its color can take any hue between green (AQS = 10) and red (AQS = 0)).
By clicking on Worst 10 at the top of the bar graph, the 10 worst Application Groups are
displayed, sorted by increasing quality (the worst Application Group of the Site is displayed in
the first bar on the left), with their AQS values.
October 2014
7. 6. 2. Activity Summary
This frame shows four graphs with the following information:
Site - Activity Summary
Top Application Groups by volume

This pie chart shows the following information, with their names and volumes:
top 10 AGs in volume of outgoing traffic (by clicking Top 10 Application Groups (LAN =>
WAN) at the top of the graph),
top 10 AGs in volume of incoming traffic (by clicking Top 10 Application Groups (WAN =>
LAN) at the top of the graph),
Clicking on an Application Group in the chart automatically filters the traffic for that Application
Group in the Real Time Flows frame below (see below).
Top Remote Sites by volume
This pie chart shows the following information, with their names and volumes:
top 10 Remote Sites in volume of traffic sent to these Sites (by clicking Top 10 Remote Sites
(LAN => WAN) at the top of the graph),
top 10 Remote Sites in volume of traffic received from these Sites (by clicking Top 10 Remote
Sites (WAN => LAN) at the top of the graph),
LAN => WAN Throughput Evolution Per Criticality
This historical graph shows the evolution of the WAN throughput of the outgoing traffic, by criticality
level (Top/High/Medium/Low).
WAN => LAN Throughput Evolution Per Criticality
This historical graph shows the evolution of the WAN throughput of the incoming traffic, by criticality
level (Top/High/Medium/Low).
October 2014
7-41
Ipanema System
7. 6. 3. Throughput Summary per NAP

Site - Throughput Summary per NAP
<Site_name>-<NAP_number> - LAN => WAN Throughput Evolution

This historical graph shows:
the ingress bandwidth of the Site (B/w, dotted black line), corresponding to the Ingress max.
B/W in the WAN access configuration window,
the evolution of the ingress LAN-to-LAN throughput (measured on the LAN interface of the
ip|engine, LAN, in blue and in the background),
the evolution of the ingress WAN-to-WAN throughput (measured on the WAN interface of the
ip|engine, WAN, in orange and in the foreground),
As the WAN-to-WAN throughput is displayed in front of the LAN-to-LAN throughput,

when both are equal (i.e., when the traffic is not compressed), only the WAN-to-WAN
throughput (orange area) is visible. It can be hidden by clicking WAN in the legend,
thus revealing the LAN-to-LAN throughput (blue area) behind it (LAN-to-LAN
throughput can also be hidden, by clicking LAN in the legend).
When the LAN-to-LAN throughput is higher than the WAN-to-WAN throughput (i.e.,
when the traffic is compressed), the blue area above the orange area corresponds
to the bandwidth saved thanks to compression (difference between LAN-to-LAN
throughput and WAN-to-WAN throughput).
<Site_name>-<NAP_number> - WAN => LAN Throughput Evolution

This historical graph shows:
the egress bandwidth of the Site (B/w, dotted black line), corresponding to the Egress max.
B/W in the WAN access configuration window,
the evolution of the egress LAN-to-LAN throughput (measured on the LAN interface of the
ip|engine, LAN, in blue and in the background),
the evolution of the egress WAN-to-WAN throughput (measured on the WAN interface of the
ip|engine, WAN, in orange and in the foreground),
Same remarks as above.
The two same graphs are displayed for each NAP.
7-42
October 2014
7. 6. 4. Application flows
This frame shows the same information as described above (7.5 Flows view), but for the selected
Site as the Local Site (so the Local Sites filter is not necessary here, reason why there are three
filter frames instead of four). Please refer to that section.
It may not be visible for some Users, depending on their rights (as defined in
ip|uniboss).
Site - Application flows, Detail
October 2014
7-43
Ipanema System
Site - Application flows, Map
7-44
October 2014
7. 6. 5. Discovery
This frame allows polling more information from an ip|engine.
It may not be visible for some Users, depending on their rights (as defined in
ip|uniboss).
Site - Discovery
The Discovery function consists in creating a Discovery agent for the selected ip|engine (one
agent maximum per ip|engine) to collect additional data (as compared to the data already collected
and displayed in the Real Time Flows list see above).
To use the Discovery function:
1.
2.
3.
2.
Set the ad hoc filters (see 7.6.5.1),

Start the Discovery agent (see 7.6.5.2),
Check the results (see 7.6.5.3),
Stop the Discovery agent (see 7.6.5.2).
7. 6. 5. 1. Filters
The flows can be filtered according to multiple criteria, using the 5 drop-down lists and 2 check
boxes surrounding the network diagram:
Template: three templates can be used to filter:

Out of local subnets: (= out of local config) packets crossing the ip|engine, but where
neither the source IP address nor the destination IP address belong to one of its Topology
subnets (this traffic is called in Transit); these flows are not measured individually by the
ip|engine; instead, only their global volume is measured and reported (i.e., these flows
are not present in the Real Time Flows list nor in any report, except in the Site Analysis
reports, which show the volume of Transit traffic).
Unrecognized Application: packets belonging to applications which are not recognized
by the ip|engines syntax engine, which were not declared in ip|boss and which do not
use well-know ports,
Out of Domain: sent packets with a destination IP address which does not belong to a
declared Topology subnet, or received packets with a source IP address which does not
belong to a declared Topology subnet (in either case, these packets will match Out of
Domain Topology subnet which is in the system by default, so it does not have to be
declared , 0.0.0.0/0).
October 2014
7-45
Ipanema System
Local User Subnet: to filter the data using a User subnet declared in ip|boss for the local Site,
An Out of Local Config. check box allows, if checked, to display the traffic which does
not belong to the local configuration only (see Out of local subnets above)
Remote User Subnet: to filter the data using a User subnet declared in ip|boss for a remote
Site,
Remote Site: to filter the data using a User subnet declared in ip|boss for a remote Site,
Application: to filter the data according to one application,
An Out of config check box, allows, if checked, to discover the port number used by
the unrecognized applications (see above).
7. 6. 5. 2. Start/stop a Discovery agent

A Discovery agent can be started or stopped with the
<Site> - Discovery frame header:
and
buttons at the right of the
Start/Stop Discovery agents
If the Start button is greyed

and the Stop button is visible
, it means that a
Discovery agent is running on the ip|engine. Discovery agents consume resources,
and they are not meant to run permanently. So when you have found what you were
looking for thanks to a Discovery agent, do not forget to stop it.
The indicator LED Discovery in ip|boss main window turns amber when a Discovery
agent is running.
7. 6. 5. 3. Result table
According to the configuration rules this Discovery agent will collect the following data and send
them to ip|boss:
Local IP
local IP address
Remote IP
remote IP address
Application
name of the application, displayed as follows:
when the application is recognized: A (b), where A is the name

declared in ip|boss and b is the application recognized by the syntax
engine:
for a standard application (e.g. FTP) it reads: FTP (ftp),
for an application with a specific declaration in ip|boss (e.g.
Ping_X is declared as follows: protocol: ICMP; User subnet: X),
it reads: Ping_X (icmp)
for an application which is not recognized by the ip|engine
syntax engine, but which is declared in ip|boss, it reads:
<Application_name> (unknown)
7-46
when the application is not recognized (it is not recognized by the

ip|engine and it has not been declared in ip|boss), it displays the layer
4 protocol and the port number.
LAN => WAN Packets
number of ingress packets
LAN => WAN Bytes
number of ingress bytes
LAN => WAN Sessions
number of ingress sessions
October 2014
WAN => LAN Packets
number of egress packets
WAN => LAN Bytes
number of egress bytes
WAN => LAN Sessions
number of egress sessions
percentage of traffic that each line represents over the total, in terms
of LAN=>WAN Packets, LAN=>WAN Bytes, LAN=>WAN Sessions,
WAN=>LAN Packets, WAN=>LAN Bytes or WAN=>LAN Sessions,
according to the Sort by choice
Discovery result table
The counters are cleared at each start of a Discovery agent.
The result can be downloaded in CSV format by clicking on the

the <Site> - Discovery frame header.
button at the right of
Display settings
The results can be displayed in different ways, thanks to 6 drop-down lists below the network
diagram:
Local IP:
Detail: the local IP addresses are displayed (so different local IP addresses will always
be displayed on different lines),
Group: the local IP addresses are not displayed (and all flows with the same remote IP
address and same application will be merged on one line, even if they have different
local IP addresses).
Remote IP:
Detail: the remote IP addresses are displayed (so different remote IP addresses will
always be displayed on different lines),
Group: the remote IP addresses are not displayed (and all flows with the same local IP
address and same application will be merged on one line, even if they have different
remote IP addresses).
Application:
Detail: the application names are displayed (so different applications will always be
displayed on different lines),
Group: the application names are not displayed (and all flows with the same local IP
address and same remote IP address will be merged on one line, even if different
applications are running between these two addresses).
Top:
20: shows the 20 most significant results (in Packets, Bytes or Sessions, according to
the field used to sort the data),
50: shows the 50 most significant results,
100: shows the 100 most significant results.
Sort by: it is possible to sort the data according to the number of:
LAN => WAN

LAN => WAN
LAN => WAN
WAN => LAN
WAN => LAN
WAN => LAN
Bytes,
Packets,
Sessions,
Bytes,
Packets,
Sessions.
It is also possible to sort the data by clicking on the column headers.
October 2014
7-47
Ipanema System
Period:
10 s: the results are refreshed every 10 seconds,
1 mn: the results are refreshed every minute,
5 mn: the results are refreshed every 5 minutes.
7-48
October 2014
CHAPTER 8. OPTIMIZING SSL

(IP|DASHBOARD)
This chapter describes the SSL optimization feature.
8. 1. OVERVIEW
The SSL Optimization feature is actually an enabler for applying any Ipanema optimization service
to the SSL encrypted flows (the main optimization service being ip|xcomp SRE).
8. 1. 1. Deployment
SSL Optimization can apply wherever there are SRE-capable appliances (i.e. ip|engines ax
models) deployed on the flows path, on both sides of the WAN (branch-side and datacenter-side).
8. 1. 2. Applications
SSL Optimization applies on any application over SSL. This includes (but is not limited to):
443 HTTPS (HTTP over SSL),

636 LDAPS (LDAP over SSL),
992 TelnetS (Telnet over SSL),
993 IMAPS (IMAP over SSL),
994 IRCS (IRC over SSL),
995 POP3S (POP3 over SSL),
5061 SIPS (SIP over SSL).
SSL Optimization does not apply on applications that are not over SSL (whatever is over IPSec,
encrypted MAPI, encrypted SMBv2, SSH ).
October 2014
8-1
Ipanema System
8. 1. 3. Principles
The datacenter-side ip|engine acts as an SSL proxy and intercepts the SSL handshake between
the client and the server.
SSL proxy
The SSL proxy re-signs server certificates on the fly, using a proxy CA certificate that is provided
by the end-user company IT. Therefore, it is not the original certificate that the client application
(e.g. HTTPS browser) presents, rather a clone of this certificate, issued by the SSL proxy and
signed with the proxy CA certificate.
SSL certificate
Once the security parameters are negotiated on both sides of the proxy connection (client-to-proxy
and proxy-to-server), the session keys are sent over a secure encrypted tunnel to the branch-side
ip|engine.
Exchanging the session key

Then both ip|engines can decrypt and re-encrypt the flows, hence enabling any optimization
service to work on the decrypted traffic.
Optimizing SSL encrypted flows
8-2
October 2014
Optimizing SSL (ip|dashboard)
8. 2. CONFIGURATION
Enabling SSL optimization requires a simple fourstep configuration process in ip|dashboard SSL
configuration page:
ip|dashboard SSL configuration page
1. Configure domain-wise trusted proxy CA credentials (see 8.2.1.);

2. Select SSL proxy enabled sites (see 8.2.2.);
3. Select optimization enabled SSL servers (see 8.2.3.);
4. (optional) Customize the SSL Proxy Certificate Trust Store (see 8.2.4.).
8. 2. 1. Configure domain-wise trusted proxy CA credentials

To configure domain-wise trusted proxy CA credentials (certificate and private key), open the
Certificate Authority frame (by clicking on the frame header; for more information on
ip|dashboard GUI, please refer to section 7.2.):
Certificate Authority frame
October 2014
8-3
Ipanema System
From there you can:
either import a Certificate existing in your IT environment, by clicking the Import button:
Import a Certificate
If the Proxy CA Private key you import is encrypted with a passphrase, this
passphrase must also be provided to the ip|engines belonging to SSL proxy
enabled Sites. Please refer to the ip|engines installation manuals.
or generate a Certificate, by clicking the Generate button (then you should export it to your IT
trust-store, using the Export button):
Generate a Certificate
The following fields can be specified (bold characters: mandatory; standard characters:
optional):
Common name (CN),
Passphrase (has to be entered twice, if used): to be used if you want the Proxy CA
Private key to be encrypted with a passphrase, to raise the security level of SSL
Optimization (see 8.3. SECURITY AND LEGALS).
In that case, the passphrase must also be provided to the ip|engines
belonging to SSL proxy enabled Sites. Please refer to the ip|engines
installation manuals.
Expiration date,
Organizational Unit (OU),
Organization (O),
Country (C),
State (ST),
Locality (L).
In either case, the proxy CA certificates must be in your workstations trust-store.
8-4
October 2014
8. 2. 2. Select SSL proxy enabled sites

The
SSL Proxy and SSL Server frame allows selecting the SSL proxy enabled sites and
SSL servers.
The left part of the frame allows selecting the SSL proxies:
SSL proxy
Click Add,
Select the Sites you want to enable and push them to the right with the single arrow pointing
to the right (second icon; the double arrow first icon can be used to select all Sites in a
single click),
Select Activated in the SSL Optimization drop-down list;
Click Ok.
Then the selected Sites appear with a green LED in the Status column.
All ip|engines that belong to these Sites (and only those) will be able to proxy SSL flows.
All sites where your enabled SSL servers are hosted should be on that list.
In case you want to optimize traffic to the cloud, the site where your gateway is hosted should be
in there, too.
It is also possible to select Sites you do not want to be SSL proxies, by doing the same
as above, but selecting Desactivated in the SSL Optimization drop-down list. These
Sites appear with a grey LED in the Status column.
October 2014
8-5
Ipanema System
You can select the declared Sites (activated or deactivated) by clicking the checkboxes before their
names, or by using the selection menu:
Selection menu
The following operations can be performed for the selected Sites:
their statuses can be displayed with the Show status button:
SSL status
8-6
they can be activated with the Activate button,

they can be deactivated with the Deactivate button,
they can be removed with the Remove button.
October 2014
8. 2. 3. Select optimization enabled SSL servers

The right part of the SSL Proxy and SSL Server frame allows providing the list of SSL optimization
enabled servers:
SSL server
Click Add,
Enter:
either the SSL servers IP v4 address, followed by the port number if needed (example:
1.1.1.1:123),
or the SSL servers common name (example: *.ipanematech.*),
Select Activated in the SSL Optimization drop-down list;

Click Ok.
All flows to these servers can be deciphered and optimized by the ip|engine before being
re-ciphered and forwarded.
It is also possible to select SSL servers you do not want to decipher nor optimize,
by doing the same as above, but selecting Desactivated in the SSL Optimization
drop-down list.
October 2014
8-7
Ipanema System
8. 2. 4. Customize the SSL Proxy Certificate Trust Store

The
SSL Proxy Certificate Trust Store frame allows customizing the SSL Proxy Certificate
Trust Store.
It is configured with a set of standard institutional certificates by default . You can add your own
corporate CA certificates, and/or remove all those you do not need.
SSL Proxy Certificate Trust Store

This frame contains three windows, accessible with three tabs:
8-8
Current Domain Custom Trust Store, where you can import Trusted Certificates, activate
them, deactivate them and remove them,
Default Trust Store, that shows the list of standard institutional certificates; they can be
activated or deactivated;
Current Domain Trust Store Summary, that displays a summary of the current Domain Trust
Store.
October 2014
8. 3. SECURITY AND LEGALS

8. 3. 1. Security
To enable the SSL proxy, it is required to provide it with the proxy CA certificate and the associated
private key. Such security elements practically enable the SSL proxy to transparently inspect and
decrypt any SSL flow on the network. Therefore, it is required that the system enforces drastic
protection of these security elements.
Proxy CA Certificate, Private key and passphrase

The Proxy CA certificate and private key are stored on ip|boss server and distributed by ip|boss
to all authorized ip|engines; to prevent any third party actor (carrier, provider) from using these
files (hence being able to proxy and inspect SSL encrypted flows in the Domain), the user can
encrypt the private key with a secret passphrase that only the customer knows (see 8.2.1.).
This optional Proxy CA private key passphrase, if used, must be entered in all ip|engines that are
required to act as SSL proxies (datacenter-side sites). It must and can only be entered by a specific
user, which is the end-users IT. Please refer to the ip|engines installation manuals.
8. 3. 2. Legals
Ipanemas SSL proxy cryptographic functions rely on the standard open-source OpenSSL toolkit.
The OpenSSL cryptographic libraries are used unmodified in order to take full advantage of the
standard. OpenSSL toolkit has been approved by the US Department of Commerce for export as
a mass-market encryption product with >64 bit encryption. It is on the end-users responsibility to
ensure that using this library is also permitted without restriction in their local country.
It is also on the end-users ITs responsibility to make sure that the SSL flows inspection is used
respectfully of the current local legal policies and the company collaborators privacy.
October 2014
8-9
CHAPTER 9. REPORTING (IP|REPORTER)

This chapter describes capabilities for communication with external systems via an SNMP agent.
This function allows measures to be archived on an external system, whether they are optimized
or not.
The data available via the MIB depend on the MetaViews configured in the system.
9. 1. MIB ACCESS
9. 1. 1. MIB
The description file is available in the directory of ip|boss:
~/salsa/ipboss/server/interface/ipanema-technologies.mib
~/salsa/ipboss/server/interface/ipanema-technologies-notifications.mib
9. 1. 2. SNMP
Measures can be used via a MIB access thanks to an SNMP agent included in the ip|boss software.
The UDP port used by this agent must be configured, Domain per Domain (a different port must
be declared for each Domain), in ip|uniboss.
Access to the agent is read-only with SNMPv2c protocol. The Community name is public (default
value, can be configured by user).
The SNMP agent instantiates the system and SNMP groups as well as a private MIB.
The SNMP agent is updated every Short reporting period (as defined in the Domain configuration
see chapter 3).
October 2014
9-1
Ipanema System
9. 2. IP|REPORTER
This section describes the reporting system, ip|reporter, made by Ipanema Technologies.
9. 2. 1. Ipanema Architecture
The Ipanema solution architecture is composed of the following system elements:
ip|boss is the centralized management software for the Ipanema performance management
system which runs on a standard Solaris or Windows platform. Through the ip|boss, business
objectives are communicated to ip|engines and measurement data are collected.
ip|engines are software/hardware appliances that automatically measure and control

network and application performance. Using the business objectives defined by the company,
ip|engines work together as a real-time system to measure network performance and
utilization, and to manage application service levels.
ip|reporter is a full-service report generating utility. It provides a global view of service levels
for each application, as well as detailed, metrics based reports for problem diagnostics.
The ip|reporter is a reporting tool powered by InfoVista and based on OEM agreement.
InfoVista can operate with real-time data or deferred-time data. Real time, such as SNMP data,
is retrieved from the ip|boss at regular intervals by polling the resource and requesting it for
specific information about the behavior of the resource. These data give up to date information
about IS behavior.
Deferred-time data is external to the SNMP world. It has its source in existing log files (a web
site log file, for example) or databases. It is batch-loaded onto the InfoVista server as some time
after it was generated. InfoVista uses these data to calculate Indicators in the same way as it
handles real time data. And, in fact, when the data is displayed on a report, the origin of the
resource data is totally transparent to the user.
9-2
SNMP (System MIB) Collect of measurement. Interfaced with SNMP agent of ip|boss.
October 2014
Reporting (ip|reporter)
9. 2. 2. Ipanemas ip|reporter architecture

Ipanema Technologies ip|reporter is the easy to use report generating component of Ipanemas
service level management system. Using information gathered from ip|engines performance
measurement and control appliances, and aggregated by the ip|boss management software,
ip|reporter generates sophisticated reports showing network performance and utilization. These
reports summarize real-time as well as historic data that an enterprise can use to appropriately
size a network, thus reducing WAN operating costs significantly, while improving or maintaining
application performance levels. ip|reporter includes embedded report generation software which
handles all user interface functions.
Ipanemas ip|reporter is powered by InfoVista. ip|reporter can be purchased without InfoVista
software, if an enterprise already owns the software package. ip|reporter should run on a dedicated
server.
According to InfoVistas platform being used, Vista-Foundation 0 (VF0) or Vista-Foundation 4 (VF4),
there are two different possible architectures.
ip|reporter architecture with InfoVistas VF0 platform

ip|reporter runs in client/server mode. The server processes (InfoVista) collect data from
ip|boss SNMP agent. The rich client (IVreport) is the GUI (graphical user interface) that allows
to show the reports.
The reports can also be visualized through a web client, using VistaPortal SEs web server (refer
to section ip|reporter web edition).
October 2014
9-3
Ipanema System

The VistaFoundation 4 is an ensemble of InfoVista products working in conjunction with each
other in a N-tier architecture:

Administration: VistaCockpit provides a centralized view of the distributed system and
thus helps to maintain a coherent configuration over the life time of the project. From the
Cockpit console, an administrator can configure components in a homogeneous fashion,
debug the system, and automate the administrators tasks (such as debugging data,
InfoVista Server backup, etc.)
Consolidation: this layer consists of just one product, VistaMart, which models the
service, provisions InfoVista Servers accordingly (load balancing between the servers),
and stores the collected data that subsequently go to the presentation layer in an Oracle
database; this is where the configuration and the dashboard data are stored. VistaMart
controls groups of InfoVista servers, which can spread over different systems.
Data collection: InfoVista servers use SNMP to obtain the data from ip|boss SNMP
agent, store the collected data in ObjectStore databases and and push them to
VistaMart using HTTP. This is where the real time reports are stored.
Presentation: the collected data are presented to Users in VistaPortal in pages that
form together a management dashboard. Alerts show up directly in VistaPortal, and you
can obtain real-time data by drilling-down from higher-level summary reports.
All components connecting to InfoVista servers (i.e. VistaMart and VistaPortal) must use the
Port Mapper (default port 1275). See the InfoVista Server Administration Guide for complete
connection details.
9-4
October 2014
9. 2. 3. Terms
9. 2. 3. 1. The Instance
Each monitored resource in the network is represented by an Instance object (equivalent to a
MetaView in ip|boss) . An Instance can represent any logical or physical element in the network
such as an ip|engine source, an ip|engine destination, a subnet source, a subnet destination, an
application, a Key A, a Key B, an Application Group, a criticality.
The Instance consists of values and identify and characterize the resource (for example, the alias
for an application). These characteristics are called Property and the values assigned to them are
called Property Values.
The data is displayed on a Graph. The Instance is mapped to the Graph via a report.
9. 2. 3. 2. The Vista
You create each Instance object from a template object called the Vista. The Vista indicates which
Properties each Instance should have. You can create any number of Instances from the same
Vista. In this way, you define each type of equipment only once and when you create Instances of
this equipment, you simply supply the values of the Properties.
InfoVista is installed with a number of standard, pre-configured Vistas which allow you to get up
and running immediately.
For example:
the Vista IpNode has the Property ip (IP Address).
the Vista SNMP node has the Properties snmprd (SNMP community read) and snmpwr (SNMP
community write).
Rules can be defined to create relationships between Vistas. They are not immediately
visible in the object model but they are exploited by several Vistas you use. For example,
one of the standard Rules states that All Routers are SNMP nodes. The result is that
the Vista Router automatically inherits all the Properties of the Vista SNMP node as
well as its own intrinsic Properties.
9. 2. 3. 3. The Indicator
An Indicator is a measurement. It tells us something about the operation of a resource. Examples
are data traffic or quality of service. InfoVista calculates the values of Indicators from the source
data, which it collects from the monitored resource.
Standard, pre-configured Indicators exist for the most common situations that you encounter (and
for some of the more difficult ones, too).
9. 2. 3. 4. The Report
An InfoVista report shows one or more Graphs and possibly some decorative text or bitmaps. Each
Graph shows the values of a set of Indicators for a set of Instances (the monitored resources).
9. 2. 3. 5. The Report Template

Each Report is derived from a template object called the Report Template. The Report Template
represents a typical report layout. It does not contain data, it just shows the Graphs that are used
and the visual layout of the report.
The same template can be used by any number of Reports. You can therefore define a typical
report template once, and each time you create a report from this template, your work is reduced
to specifying which Instances the report will monitor.
InfoVista is installed with a number of standard, pre-configured Report Templates.
October 2014
9-5
Ipanema System
Typical Report Template names:
Short/Long reporting: SNMP agent polling period.

Display Rate: The time interval between two consecutive values of an Indicator. Each Report
Template may be provided with several different display rates (select from the list: hourly, daily,
weekly and monthly).
Time Span: The time period over which the Graph must display data. The Time Span value is
not subject to any limitations, though typically it is set to a simple multiple of the display rate.
For example, if the display rate is 1 day and the time span is set to 1 week, the graph is scaled
to display 7 consecutive Indicator values.
Life Time: The Life Time is one of the factors used by the system to calculate and reserve the
necessary buffer space for storing the Indicator values. When the data becomes older than this
Life Time it is considered to be obsolete and is gradually purged from the system.
Hourly: Specifies that the display period is one hour.
Ingress: name of the ip|engine upstream of the flow (from LAN to WAN).
Egress: name of the ip|engine downstream of the flow (from WAN to LAN).
9. 2. 3. 6. The Report Folders

A Report Folder is a list of Reports. The Reports in a folder may be derived from different Report
Templates. The folder provides a way of grouping the Reports together:
either to simplify readability in the object tree
or to provide common access rights to a number of Reports.
You can also create sub-folders, if necessary, to organize your working environment.
9. 2. 3. 7. Libraries
A Library (supplied by InfoVista or third parties, or created by you) is used to group together objects
such as Vistas, Indicators, etc. in order to obtain logical units.
9-6
October 2014
9. 2. 4. Starting the system

9. 2. 4. 1. Starting the server application
Normally, the InfoVista server is started automatically, after installation, and each system reboot.
A message such as:
Manager/Collector server not found
Manager service
Collector service
or
Client-Server communication failure
Browser service
Which may be displayed after trying to connect to a server, means that the InfoVista
server has not started correctly. If you have a problem, refer to chapter 1 section
Troubleshooting.
October 2014
9-7
Ipanema System
9. 2. 4. 2. Starting IVreport rich client application (VF0)
Windows
In the Windows Task bar, click on Start/Programs/InfoVista/IVreport.
Starting IVreport
Unix
The InfoVista software is installed in:

/opt/InfoVista/Essentials/bin (Solaris)
(The path should be included in the PATH variable)
To start the client, execute:
./ivreport &
9-8
October 2014
After startup, the Connection dialog box is displayed. Enter the parameters requested and click on
OK.
Startup window
InfoVista Server Connection
Server name: Name of the system running the InfoVista server or IP address. If the server is on
the same machine as the client application, leave this field blank or put the loop back address
(127.0.0.1).
Several instances of InfoVista can be installed on the same server. In this case the
syntax is the following: <instance_name>@x.x.x.x (where x.x.x.x is the IP address
of InfoVista server).
In a firewall environment, the endpoints for Manager, Collector and
Browser services can be fix. In this case the syntax is the following:
x.x.x.x:ManagerPort:CollectorPort:BrowserPort (where x.x.x.x is the IP address of
InfoVista server). The endpoints ports can be setup using ip|reporter rich client
(IVreport):
October 2014
9-9
Ipanema System
InfoVista Endpoint Setup
9-10
User name: Enter administrator.

Password: The default value is blank. To reconnect to the same server or to another server,
select the command File/Connect to Server in the InfoVista Main window.
October 2014
9. 2. 4. 3. IVreport main window (VF0)

After connection, the InfoVista Main window is displayed. The left-hand panel displays the objects
of the InfoVista model in the form of a tree structure.
InfoVista Main window

The root of the tree (at the top) is the InfoVista server system. If the name of the server is local,
this means that the server is on the same system as the client application.
or a
Nodes in the tree are indicated by a

expanded. It may contain subfolders. A
.A
indicates that the branch has not been
indicates that the node is already expanded.
Click a
Click a
Click a branch or object name to select the item.
Double-click the name of an object to open the Property sheet or List view window of the object
(shortcut for Edit/Open).
October 2014
node to expand the branch.

node to collapse the branch.
9-11
Ipanema System
The right-hand pane of the window displays the list of sub-objects of the object that is currently
selected in the object tree.
Click the square symbol
in front of an object to display the next level of sub-object.
Double-click an object name to open the Property sheet of the object (shortcut for Edit/Open).
The tool bar contains buttons which provide shortcuts for the more frequently used menu
commands.
Create a new object of the selected type (shortcut for Edit/Add).
Copy the selected object to the clipboard (shortcut for Edit/Copy).
Paste an object from the clipboard (shortcut for Edit/Paste)
Delete the selected object (shortcut for Edit/ Delete).
Open the Property sheet of the selected object (shortcut for Edit/Open).
Find objects by name or description (shortcut for Edit/Find).
Schedule report-related actions (shortcut for Reports/Schedule)
Create a new report with the Instant Report wizard (shortcut for
Reports/Instant Report).
Filter reports based on specified criteria (shortcut for Reports/Filter).
9-12
October 2014
9. 2. 4. 4. IVreports Report Viewer (VF0)

Use the viewer to view or print a Report. This paragraph describes the manipulation of the Report
viewer.
Report viewer
Report/Periodical Refresh/Stop
Report/Periodical Refresh/Start
The report template is configured to update the data display in function of the display rate value.
While the report is running, inhibit Periodical Refresh (click the

and wait a few minutes. Note
that the data in the reports stops being updated and the Report Reference Time, displayed at the
top right of the viewer also becomes fixed. The reference time indicates the timestamp of the last
data sample displayed in the Report (in other words, the timestamp of the last update of data).
After a few minutes, enable Periodical Refresh again (click the button). You will see the data
updated immediately, one new point on the Traffic graph for every period you wait. You also see
the reference time updated to display the current time again.
Graph/Refresh/Data if a graph is selected.
File/Print While a Report is open, you can print it with this command. The report is printed
on your systems default printer.
Edit/Copy
Graph/Properties if a graph is selected
Toggle Information Mode (not in a menu) When depressed, displays a tool tip over graphic
objects, indicating the Metric name, Vista name and acquisition rates, time span and the objects
Description attribute.
October 2014
9-13
Ipanema System
Reference Time slider
Use the reference Time slider to adjust the reference time of the report:
either drag the slider
or click on the arrow buttons
or click on the time or date, edit with the keyboard and press Enter to validate
click on the latest button

to set the reference time to the current date and time (equivalent
to dragging the slider all the way to the right)
For more information, please refer to the InfoVista Reference Manual.
9-14
October 2014
9. 2. 4. 5. ip|reporter web client (VF0 and VF4)

To access ip|reporter web, click the ip|reporter button in SALSA web client:
SALSA web client
The Domain selected in theSALSA web client has no impact, as once in ip|reporter,
you will be able to select the reports on any Domain you have an access to (according
to you User rights).
If you are connected on a Domain with ip|boss (and if you accesses it via SALSA), you can open
ip|reporter web by selecting the
ip|reporter web button in ip|boss toolbar.
Different accesses can be defined with different user rights (unlike for the users of IVreport (VF0),
who always have access to all the reports managed by the server). Refer to the Technical note
TN-0200011-04__how_to_configure_report_access_with_VPSE2.pdf.
Two different windows can be displayed, according to the VistaFoundation being installed, VF0 or
VF4:
October 2014
9-15
Ipanema System
ip|reporter web client with VF0
9-16
October 2014
9. 2. 5. Reports Management
Operating procedure table: settings (automatic reporting), settings (define reports), service ip|true
(automatic reporting), service ip|true (modify reports), service reporting (automatic reporting),
service reporting (define reports)
The reports are managed in the ip|boss interface, thanks to the Reports and Automatic reporting
tools.
ip|boss manages the Instances creation and deletion in InfoVista according to the configuration
parameters.
ip|boss is the reference for the reports and Instances for infovista. If some reports described in
ip|boss configuration file are not present in InfoVista database, then ip|boss creates the missing
reports. On the opposite, if some reports exist (for the Domain) in InfoVista database and not in
ip|boss configuration, then ip|boss deletes them.
ip|reporter uses the MetaViews for the reports creation and filling.
Three modes of reports creation are available:
Reports, unitary mode: one report is created on one MetaView. This mode is to use to add a
specific report on a specific MetaView, or to create some reports that cannot be created in the
Wizard mode.
Reports, Wizard mode: several reports can be created on several MetaViews in one operation.
For example: two given reports on all User subnets.
Automatic reporting: reports are automatically created for the Domain, for all Equipped sites, for
all tele-managed sites or for all Application Groups, and will be added automatically when new
Domains, new Equipped sites, new tele-managed sites or new Application Groups are created.
October 2014
9-17
Ipanema System
9. 2. 5. 1. Automatic reporting
This tool allows creating reports for the Domain, for all Equipped sites, for all tele-managed sites
and for all Application Groups.
The selected reports are automatically added for existing Equipped sites*, tele-managed sites* and
Application Groups, and will be automatically added when new Equipped sites*, new tele-managed
sites* or new Application Groups are created.
* For the sites (equipped or tele-managed), the selected reports are created only if
Auto-reporting is at yes in the ip|engine parameters.
In the System administration Toolbar, select
Automatic reporting.
The Automatic reporting window is displayed.
Automatic reporting window

This window contains four tabs:
9-18
Domain,
Equipped sites,
Tele-managed sites,
Application Groups.
October 2014

within any tab, the automatic report creation window is displayed
(Domain, Equipped sites, tele-managed sites or Application Groups automatic reports creation
window, according to the selected tab):
Domain automatic reports creation window

This window contains an input zone with the following field:
Report template: drop-down list of available report templates, to choose the reports attached
to the selected tab.
four click boxes allow to define which time aggregation can be created for the report:
Hour,
Day,
Week,
Month.
a check box that allows defining the level of confidentiality for the report:
Public (unchecked by default):
when checked, the reports are stored in the hour / day / week / month
folders in IVreport, and an access to the reports can be given to all users using
the web client;
otherwise, the reports are stored in the hour private / day private
/ week private / month private folders in IVreport, and the
access to the reports can be restricted, for the users using the
web client, to authorized users only (refer to the Technical note
TN-0200011-04__how_to_configure_report_access_with_VPSE2.pdf).
October 2014
9-19
Ipanema System
9. 2. 5. 2. Reports creation in unitary mode

Reports. The Reports window is displayed:
Reports window
This window contains the list of reports created on each instance with the specific parameters.
, the report creation window is displayed.
reports creation window

MetaView: drop-down list of MetaViews, to choose the MetaView on which the reports will be
created.
Report template: drop-down list of available report templates, to choose the reports attached
to the selected MetaView.
4 check boxes allow to define which time aggregation can be created for the report:Hour, Day,
Week and Month
a check box that allows to define the level of confidentiality for the report:
Public (unclicked by default):
when clicked, the reports are stored in the hour / day / week / month folders
in IVreport, and an access to the reports can be given to all users using the web
client;
9-20
October 2014
9. 2. 5. 3. Reports creation in wizard mode

This creation mode allows to create a big number of reports. It allows to create a package of reports
for several MetaViews. This mode could be used in the initial creation step.
Reports.
The Reports window is displayed:
Reports window
By clicking on the Wizard icon
, the multiple creation window of Reports is displayed.
Reports Wizard window
October 2014
9-21
Ipanema System
a zone with multiple selection for the MetaViews,

a zone with multiple selection for the Report template . The list is modified according to the
type of MetaView selected.
4 check boxes, that allow to define which time aggregation can be created for the report:
Hour,
Day,
Week,
Month.
a check box that allows to define the level of confidentiality for the report:
Public (unchecked by default):
when checked, the reports are stored in the hour / day / week / month
folders in IVreport, and an access to the reports can be given to all users using
the web client;
The left frame shows the list of elements (MetaViews and Report templates) as described in the
system and managed by ip|boss; the right frame shows the selected elements.
Select the elements you want to move (you can select several ones using the SHIFT or CTRL
keys), then use the simple arrows to move them from one frame to the other, or use the double
arrows to move them all at a time.
By selecting several elements in each list, the system will create the reports according to
combinative selected criteria.
9. 2. 5. 4. Reports Deletion
To delete some reports in the InfoVista database, just suppress the reports in the list accessible by
Reports. After the validation of the deletion and update of the configuration, the reports are
definitively deleted, the reports and their data cannot be accessed anymore.
It is possible to suppress several reports by selection with the keyboard.
Another way to remove the reports is by clicking on the icon
reports is displayed.
, the multiple deletion window of
If the reports were created with the Automatic reporting function

, they will be
automatically re-created after deletion, so they must be deleted with this funciton (be
aware that suppressing a report with this function will impact all the concerned objects
ip|engines or Application Groups).
9-22
October 2014
9. 2. 5. 5. Update in InfoVista
After creation or deletion of reports, click on the flashing Update button
in order to update
the InfoVista Database with ip|boss configuration. After you have confirmed you want to update
the configuration in ip|reporter, this step is identified by the ip|reporter Database LED (in ip|boss
status zone) in amber during the synchronization (this can last several minutes, or several hours if
you created a large number of reports at a time).
Warning before configuration update
ip|reporter Database LED during database update
9. 2. 5. 6. Force synchronize
If InfoVista suffers a Database synchronization problem, it is possible to force the synchronization
using Reports menu Actions / Force synchronize.
This function should not be used under normal circumstances. Use it only in case
of synchronization problem. A synchronization problem can be checked in the
logs, and thanks to the Database LED above (grey: an error happened during last
synchronization; red: error in the reports description; amber is a normal color during
synchronization, but it should be a temporary state: if the LED remains amber for an
abnormaly long time, this can also be due to a synchronization problem).
Reports Force synchronize menu

As this can last several minutes, or several hours if you created a large number of reports, a warning
message is displayed. Click Yes to confirm you want to force synchronization, No if you want to
abort:
Warning before forced synchronization
October 2014
9-23
Ipanema System
9. 2. 5. 7. Default reports
The following reports are created (with the Automatic reporting function) by default (S stands for
Equipped site, T stands for tele-managed site):
Report
Domain
SLM - Site Synthesis
SLM - Application Synthesis
AG
X
X
X
SLM - Site Summary (per dir.)

SLM - AG Summary
PM - Site Summary
PM - AG Summary (per dir.)
PM - Detailed per AG
PM - Detailed per Application
PM - Detailed per App. - Top
PM - Time Evolution
AM - Site Summary - TCP

AM - Time evolution - TCP
SA - Site Throughput
SA - Site Summary (ingress/egress)
FI - Availability Overview
FI - Availability Evolution
Default reports
9-24
October 2014
9. 3. HOW TO READ THE REPORTS

Reports can be read either using IVreport (InfoVista rich client, VF0) or InfoVista web client (VF0
and VF4).
9. 3. 1. IVreport (VF0)
To open a report using IVreport, launch IVreport (default login / password are administrator /
(no password)), open the Reports tab, open the following folders: Report folders / <Domain>
/ <MetaView> / <Level of aggregation, level of confidentiality>, then double-click on the reports
name.
If the Public click box was clicked on the reports creation, it can be found in the hour / day
/ week / month folders;
otherwise, it can be found in the hour private / day private / week private / month private
folders.
Reports directory structure in IVreport
October 2014
9-25
Ipanema System
9. 3. 2. Web client (VF0)

Using the web client, the directory structure is similar, but users may not have an access to all
reports (for example, the access may be limited to the Public reports only), according to their rights
(refer to the Technical note TN-0200011-04__how_to_configure_report_access_with_VPSE2.pdf).
ip|reporter web client

There are two ways to navigate in the reports:
by selecting Folders in the drop-down list in ip|reporters main window, you can access the
reports with the following file system tree (4 hierarchical levels):
<Domain> / <type of MetaView> / <MetaView> / <time level, public/private>
ip|reporters Folders file system tree
9-26
October 2014
The second browsing method allows to navigate in the sites reports with two additional
hierarchical levels, defined by the ip|engines Navigation fields Folder name for level 1 and
Folder name for level 2: by selecting Navigation in the drop-down list in ip|reporters main
window, you can access the sites reports with the following file system tree (6 hierarchical
levels):
<Domain> / Navigation / <Folder name for level 1> / <Folder name for level 2> /
<MetaView> / <time level, public/private>
(the <type of MetaView> level disappears, as this method is valid to access the sites reports
only).
This method is very helpful on larges networks, with hundreds or thousands of sites.
In the example below, Folder name for level 1 was used to group sites per continents, and
Folder name for level 2 was used to group sites per countries. The ip|engines created without
filling those fields are grouped under the Unknown folder name:
ip|reporters Navigation file system tree
October 2014
9-27
Ipanema System
9. 3. 3. Web client (VF4)

The web client, with VistaFoundation 4, shows two levels of reports:
all the reports available with VF0 are also available (they are called real time reports hereafter),
and there are new high level reports displayed in the main web page (they are called Service
Level Overview reports).

The window contains five frames:
Time Navigator,
Navigation,
Service Level Overview,
and two frames in Reports.
The Time Navigator frame shows the date and time, and allows to browse the selected reports in
the past.
9-28
October 2014
To access a report, first select the MetaView or group of MetaViews in the Navigation frame (click
on the
before a branch to expand the navigation tree,
to collapse a branch):
Selecting MetaViews in the Navigation frame
October 2014
9-29
Ipanema System
The Service Level Overview report corresponding to the selected MetaView(s) is displayed in the
Service Level Overview frame:
Selecting the periodicity in the Navigation frame
For a Site or a list of Sites, this report shows, for each site:
the name of the MetaView (<Domain name> x Site:<name of the Site>),
the AQS per criticality level (Top, High, Medium and Low) with color bars; the colors
indicate the AQS (from red = 0 to green = 10), and one can read the exact value of the
AQS by moving the mouse over the bars,
the ingress (LAN => WAN) and egress (WAN => LAN) WAN accesses utilization (in
percentage of the WAN accesses throughputs) and the WAN accesses throughputs (as
defined in ip|boss); the utilization bars are blue between 0 and 70% of utilization, yellow
between 70 and 90% of utilization, and red above 90% of utilization; the percentage of
utilization can be read by moving the mouse over the bars,
For an Application Group or a list of Application Groups, this report shows, for each Application
Group:
the name of the MetaView (<Domain name> x Application Group:<name of the
Application Group>),
the AQS of the Application Groups with color bars; the colors indicate the AQS (from red
= 0 to green = 10), and one can read the exact value of the AQS by moving the mouse
over the bars,
the ingress (LAN => WAN) and egress (WAN => LAN) throughputs, both on the LAN
interfaces of the ip|engines and on their WAN interfaces,
the number of sessions.
9-30
October 2014
A second type of Service Level Overview reports is available by selecting the Evolution tab, at
the top of the window:
Evolution tab
It shows four frames:
the
the
the
the
volume per Criticality level,

AQS per Criticality level,
ingress (LAN => WAN) throughput,
egress (WAN => LAN) throughput.
for the selected MetaViews.

Select the Overview tab to come back to the previous view (Service Level Overview frame).
October 2014
9-31
Ipanema System
To access the real time reports, once the MetaViews have been selected in the Navigation frame,
select the periodicity in the Reports frame:
Selecting the periodicity in the Reports frame

The names of the available reports for the selected MetaViews and periodicity are diplayed in a
second frame in Reports, called Name:

To open the real time reports displayed in this frame, double click on their names or right click and
select Instant report:

The real time reports open in a new window. They are explained in the following sections.
9-32
October 2014
9. 3. 4. Dynamic reading of the reports

The reports show graphs and tables:
Report example
The graphs show the history of the values.

Click on the graphs (IVreport) or move your mouse on them (web client) to read detailed values
in a popup.
The values in the tables are measured over the last display period.
Click successively on any column header to sort the table by increasing or decreasing values.
On the client you can use the time slider (IVreport) or specify the date and time (both clients) to see
the previous values of each indicator. This presents you with a historical view of each resource
for any moment during the lifetime of the report.
October 2014
9-33
Ipanema System
9. 3. 5. Definitions
Here is a definition of the symbols and specific metrics that are used in the reports (for the definitions
of the standard metrics, such as AQS, Delay, Jitter, packet Loss, RTT, SRT, TCP retransmission,
etc.), please refer to 7.5.2.2 Detailed flows list):
=>
Represents the LAN => WAN - or ingress - direction,
<=
Represents the WAN => LAN - or egress - direction.
Session
A session is identified:
For TCP or UDP by the following parameters: source IP address,

destination IP address, protocol (TCP or UDP), source port and
destination port.
For other protocols over IP (for example: ICMP) by the following
parameters: source IP address, destination IP address, protocol.
Qualified
(sessions,
throughput,
goodput)
Traffic between synchronized ip|engines; delay, jitter and packet loss

are measured.
Non qualified
or Unqualified
(throughput,
goodput, sessions)
Traffic between non synchronized ip|engines, or (more frequently)

between an ip|engine and atele|engine; delay, jitter and packet loss
cannot be measured.
MOS
(1 to 5)
9-34
October 2014
Overactivity
(%)
Percentage of time when the Right Size (computed by Smart planning) is

higher than the WAN access for Top and High traffic.
Evolution
(Volume, Quality,
Activity)
(++/+/0/-/- -)
Evolution, according to the following symbols, as compared to the

average value over the 3 last periods (3 hours, 3 days, 3 weeks or 3
months, according to the time scale of the report):
++: the metric has increased a lot (by more than +20%),
+: the metric has slightly increased (between +5 and +20%),
o: the metric is stable (between 5% and +5%),
- : the metric has slightly decreased (between 5 and 20%),
- -: the metric has decreased a lot (by more than 20%).
Default reports
Color Management
October 2014
9-35
Ipanema System
9. 4. IPANEMA SYSTEM VISTAVIEWS

The following sections (8.5, etc.) correspond to each VistaView, and each section is further divided
into sub-sections (8.5.1, etc.) that correspond to each report template.
A report sub-section includes an overview of the report features, a graphical representation of the
report, a detailed description of the report, and finally a suggested way of using the report.
Ipanema VistaViews
Some of these VistaViews are available only if you have purchased the corresponding
options and if they are enabled in the license file.
VistaViews are used to collect all information by querying ip|boss SNMP agent. They work in pairs:
9-36
<Report family> (e.g.: VoIP): contain the metrics and Indicators for this family;
<Report family - en> (e.g.: VoIP - en): Report Templates used to display these metrics.
October 2014
The statistics generated by the different functions are available throughout the whole Ipanema
System:
ip|boss aggregates the data gathered from ip|engines measurement, Application Control,
redundancy elimination and acceleration functions, and makes them available through the
SNMP interface.
ip|dashboard uses uses them to generate the appropriate helpdesk tables and graphs, that
provide real-time analysis for each Site and each network access.
ip|reporter uses them to generate the appropriate easy-to-use reports, that provide historical
analysis for each Site, each network access and each Application Group.
All reports can be created with ip|boss using the single or the wizard mode (unless otherwise
specified).
The reports on the Domain, on Equipped or tele-managed sites (i.e.: equipped or tele-managed
Sites), and on Application Groups can also be created with the Automatic reporting tool.
The available periodicity levels for the reports are the following (unless otherwise specified):
Hourly,
Daily,
Weekly,
Monthly.
The Ipanema System library contains the following report templates, with the following
abbreviations being used:
in What is measured: App: Application; Crit: Criticality; D/J/L: Delay/Jitter/Loss; Ses: number
of sessions; Thput: Throughput; Gput: Goodput; (un)qual: (un)qualified; AG: Application Group;
Vol: volume; evol: evolution
in Filters:
D: Domain;
S: Equipped site;
T: tele-managed site;
K: report Keys;
S: User Subnets;
G: Application Groups;
A: Applications;
C: Criticality
Legend in the Filters:

X: the report is available for MetaViews that contain this object.
Example: is - slm - site summary is available on the Domain.
L: the report is available for MetaViews that contain a list of this object.
Ex.: is - slm - site synthesis is not available on a single Equipped site, but it is if the
MetaView contains a list of Equipped sites.
o: the report is available for MetaViews that contain this object, but only if the MetaView
also contains objects with an X.
Ex.: is - slm - application group summary per direction is not available on an Application
Group, but it is if the MetaView is a combination of an Equipped site AND an Application
Group.
October 2014
9-37
Ipanema System
SLM (Service Level Monitoring)

Report template
(is - slm -)
What is measured
service level
evolution
AQS, qual. and unqual. ses., Thput, Gput
site summary
AQS, D/J/L, RTT, SRT, TCP retrans.,

ses., Thput.
ag summary
AQS, D/J/L, RTT, SRT, TCP retrans.,

ses., Thput.
ag summary per
direction
Filters
D S
app. synthesis
Vol. & AQS evol. per crit., Ingress &

Egress Thput, vol. & vol. evol. per AG,
AQS & AQS evol. per AG, vol. per app.
(top 10), site activity, global evol.
site synthesis
Vol. & AQS evol. per crit., Total Thput,

vol. & vol. evol. per site, AQS & AQS
evol. per site.
G A
G A
SLA (Service Level Agreement)
9-38
Report template
(is - sla -)
What is measured
Filters
domain overview graph
AQS per AG, AQS per site, over activity

per site
domain overview table
Vol., AQS, MOS, over activity per AG,

per site
domain - aqs
summary
AQS, over activity per AG, per site
domain - ag aqs
summary
AQS, over activity per AG
domain - site aqs

summary
AQS, over activity per site
domain - mos
summary
MOS, over activity per AG, per site
site summary
AQS, MOS, over activity per AG
site aqs summary
AQS, over activity per AG
site mos summary
MOS, over activity per AG
site exploitation
AQS, MOS, vol., ses., over activity
site customer
AQS, MOS, vol., ses., over activity
D S
October 2014
CAM (Cloud Application Monitoring)

Report template
(is - cam -)
What is measured
clients overview
time evolution
Filters
D S
G A
Users, Transactions, Transac. Time,

Server delay, Transac./s, Transac. size,
Transac. efficiency
Users, Transaction Time, ses./s,

Transac./s, Transac. efficiency
D S
G A
AM (Application Monitoring)
Report template
(is - am -)
What is measured
site summary - tcp
SRT, RTT, Packet retrans., Thput, ses.
ag summary - tcp
Filters
ag summary - per
direction - tcp
application
summary - tcp
app. summary - per

dir. - tcp
time evolution - tcp
October 2014
9-39
Ipanema System
PM (Performance Monitoring)
Report template
(is - pm -)
What is measured
site summary
ag summary
ag sum. per dir
Filters
D S
G A
WAN-WAN & LAN-LAN Delay, Loss,

Thput; ses.
D/J/L; RTT/SRT/TCP retrans.; total

Thput, sessions, packet size
app. summary
app. sum. per dir
D S
G A
traffic topology
Total & qual. traffic, Traffic profile

(kbps/%time), packet%/delay, Thput per
site, ingress & egress
time evolution
D/J/L, Thput, ses.
detailed per ag
Throughput
detailed per app. top

detailed per app.
top host app on
vol.
Host (IP address), app., vol., ses.

This report does not appear
in the hour, day, week and
month folders, but in the
default folder.
PM (Performance Monitoring) Compression

Report template
(is - pm -)
What is measured
compression
evolution
Total LAN Thput. (without compr.), total

WAN Thput (with compr.), compressed
Thput, saved Thput.
compression
synthesis - ag
For each AG and each way: compressed,

saved, total LAN, total compressible and
total compressed volumes; compr. factor
and ratio
compression
synthesis application
Filters
ip|reporters wizard mode is not available for these reports.
9-40
October 2014
SSL Optimization
Report template
(is - ssl
optimization -)
What is measured
time evolution
SSL LAN Thput. (without compr.),

SSL WAN Thput (with compr.), SSL
Optimization Eligible sessions, SSL
Optimized sessions.
Filters
D S
X
G A
ACC (TCP acceleration)

Report template
(is - acc -)
What is measured
acceleration
evolution
Compr., TCP & Acceleration factors, nb

of new & current sessions
Filters
D S
G A
D S
G A
D S
G A
G A
CIFS (CIFS acceleration)

Report template
(is - cifs -)
What is measured
time evolution
Thput, CIFS verbosity, Acceleration

factor, nb of active sessions
Filters
X
SAM (Services Activity Monitoring)

Report template
(is - sam -)
What is measured
Filters
site summary
ingress & egress Application Control

Activity, Duration, Evolution, Compr.
ratio, saved bw; CIFS avg and max
active ses.
time evolution
ingress & egress Application Control

Activity and Duration, Compr. ratio and
saved bw, CIFS active ses. and acc.
factor
Report template
(is - VoIP -)
What is measured
Filters
T
synthesis
MOS distribution
time evolution
MOS, D/J/L, sessions
VoIP
October 2014
D S
9-41
Ipanema System
SA (Site Analysis)
Report template
(is - sa -)
What is measured
Filters
site summary
ingress
Thput: To physical ip|e, No correlation, To

virtual ip|e (= tele|e), To Out of Domain,
Transit, Other, Locally rerouted, Non
IPv4 WAN, Ignored LAN
site summary
egress
Thput: From physical ip|e, No correlation,

From virtual ip|e (= tele|e), From Out of
Domain, Transit, Other, Locally rerouted,
Non IPv4 WAN, Ignored LAN
site throughput
Thput: IPv4, Apple Talk, IPX, SNA, IPv6,

Ignored LAN. IPv4 Thr.: To/From physical
ip|e, No correlation, To/From virtual
ip|e (= tele|e), To/From Out of Domain,
Transit, Other, Locally rerouted
D S
G A
G A
G A
FI (Fault Isolation)
Report template
(is - fi -)
What is measured
availability evolution
Status down, Status up, synchro. loss,

highest CPU load, WAN overload
Filters
D S
availability overview
K
X
With ip|reporter, FI reports can only be created using the unitary mode.
SP (Smart planning)
Report template
(is - sp -)
What is measured
profile
Throughput, Right Size
synthesis
Current, trend 3 months, trend 1 year
Filters
D S
X
X
This report is only available on

a daily basis.
9-42
October 2014
9. 5. SLM (SERVICE LEVEL MONITORING) REPORTS

9. 5. 1. is - slm - service level evolution
Service Level Monitoring Table
Service Level Monitoring - service level evolution
October 2014
9-43
Ipanema System
What can it do?

Monitored resource
This template is available for the following MetaViews:

A Domain .
A Site or a list of sites.
A Key or a list of keys.
A Subnet or a list of subnets,
An Application or a list of applications,
An Application Group or a list of AGs,
A Criticality or a list of criticality levels.
AQS, number of sessions (qualified and unqualified), throughput
(qualified and unqualified), goodput (qualified and unqualified).
From data collected every Short reporting period.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs present the following information:

AQS graph
This graph represents the evolution of the AQS over the period of time.
Sessions graph
This graph represents the evolution of the number of sessions over the period of time:
number of qualified sessions,

number of unqualified sessions (the top of the curve (that sits above the Qualified sessions)
indicates the total sessions (qualified + unqualified)).
Throughput graph
This graph represents the evolution of the Throughput over the period of time:
9-44
Throughput: the surface indicates the non qualified throughput only, whereas the top of the curve
(that sits above the Qualified throughput) indicates the total throughput (qualified + unqualified)
Qualified throughput
Goodput: the surface indicates the non qualified goodput only, whereas the top of the curve
(that sits above the Qualified goodput) indicates the total goodput (qualified + unqualified)
Qualified goodput
October 2014
9. 5. 2. is - slm - site summary

Service Level Monitoring - site summary

What can it do?
Monitored resource

A Domain ,
A Site or a list of sites,
A Key or a list of keys,
An Application Group or a list of AGs,
AQS, delay, jitter, packet loss, RTT, SRT, TCP retrans., sessions,
throughput.
From data collected every Long reporting period.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
October 2014
Executive officers
9-45
Ipanema System
The table
The table presents the following information (note: for color and symbol explanation see the Color
Management picture in Definitions):
Site
Name of the Site (ip|engine).
Average AQS
Weighted average (in volume) of the ingress AQS and egress AQS of
the site.
In the following columns,
=> represents the LAN => WAN - or ingress - direction,

<= represents the WAN => LAN - or egress - direction.
AQS
Application Quality Score of the site for one direction.
D/J/L
Symbolic representation of the quality of Delay, Jitter and packet Loss of

the measured applications:
+: the measured metric is good (i.e., it meets its objective),

0: the measured metric is average (i.e., it is between its objective and
maximum),
: the measured metric is bad (i.e., it exceeds its maximum).
(The metrics objective and maximum values are defined in the QoS
profiles associated to the Application Groups containing the measured
applications.)
RTT/SRT/Retrans
Symbolic representation of the quality of RTT, SRT and TCP

retransmission of the measured applications:

maximum),
applications.)
9-46
Average sessions
Average number of sessions per second.
Average
throughput
(kbps)
Average number of kbits per second at IP level (on ip|engines and/or

tele|engines).
October 2014
9. 5. 3. is - slm - application group summary

Service Level Monitoring - application group summary

What can it do?
Monitored resource

A Domain .
An Application Group or a list of Application Groups,
throughput.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The table
The table present the following information (note: for color and symbol explanation see the Color
Application
Group
Name of the Application Group.
Criticality
Criticality level of the Application Group.
AQS
Application Quality Score of the Application Group.
October 2014
9-47
Ipanema System
D/J/L


maximum),
applications.)
RTT/SRT/Retrans


maximum),
applications.)
9-48
Average sessions
Average number of sessions per second for ingress and egress directions.
Average
throughput
(kbps)
Average number of kbits per second at IP level for ingress and egress
directions.
October 2014
9. 5. 4. is - slm - application group summary per direction

Service Level Monitoring - application group summary per direction

What can it do?
Monitored resource
A Domain.
Per Application or a list of applications.
Per Application Group or a list of Application Groups.
Per Criticality or a list of criticality levels.


What is measured
How it is measured
A Subnet or a list of subnets.

throughput (kbps).
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
October 2014
Executive officers
9-49
Ipanema System
The table
The table presents the following information (note: for color and symbol explanation see the Color
Application
Group
Criticality
Criticality level of the Application Group.
Average AQS
Weighted average (in volume) of the ingress AQS and egress AQS.

AQS
Application Quality Score of the Application Group for one direction.
D/J/L


maximum),
applications.)
RTT/SRT/Retrans


maximum),
applications.)
9-50
Average sessions
Average number of sessions per second for ingress and egress directions.
Average
throughput
(kbps)
Average number of kbits per second at IP level for ingress and egress
directions.
October 2014
9. 5. 5. is - slm - application synthesis

Service Level Monitoring - application synthesis
October 2014
9-51
Ipanema System
What can it do?

Monitored resource

A Domain.
An Application or a list of applications.
An Application Group or a list of Application Groups.
Volume evolution per criticality, Quality evolution, Ingress
throughput, Egress throughput, Volume per Application Group
(percentage MB, evolution), Quality per Application Group (AQS,
evolution), Volume per application (Top 10), site activity, global
evolution.
What is measured
How it is measured
Volume evolution and Quality evolution graphs

Type of report
Hourly
Daily
Weekly
Monthly
Display rate
1 hour
1 day
1 week
1 month
Time Span
24 hours
1 week
5 weeks
12 months
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
LAN->WAN throughput and WAN->LAN throughput graphs

Type of report
Hourly
Daily
Weekly
Monthly
Display rate
15 minutes
15 minutes
1 hour
4 hours
Time Span
2 hours
2 days
2 weeks
2 months
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
Application Group Volume, application volume Top 10, site activity and global evolution
Tables
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
1 hour
1 day
1 week
1 month
Time Span
1 hours
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
The graphs present the following informations:
Volume Evolution (GB) graph
This graph shows the volume evolution on the last 24 hours, 7 days, 5 weeks or 12 months
according to the periodicity level by criticality.
9-52
October 2014
Quality Evolution (%) graph

This graph represents quality evolution on the last 24 hours, 7 days, 5 weeks or 12 months
according to the periodicity level in percentage of volume with different colors:
%
%
%
%
green volume
yellow volume
red volume
grey volume when quality cannot be computed
LAN => WAN throughput (kbps) graph

This graph shows the ingress throughput evolution on the last 2 hours, 2 days, 2 weeks or 2 months
according to the periodicity level, for the following indicators: average throughput and maximum
throughput.
Average (Throughput)
Number of Kbits per second at layer 3 level during a display rate.
Max (Peak throughput)
The peak throughput curve displays the maximum encountered value during a display rate.
WAN => LAN throughput (kbps) graph

This graph shows the egress throughput evolution on the last 2 hours, 2 days, 2 weeks or 2 months
according to the periodicity level, for the following indicators: average throughput and maximum
throughput.
Number of kbits per second at layer 3 level during a display rate.
The peak throughput curve displays the maximum encountered value during a display rate.
For LAN => WAN throughput (kbps) and WAN => LAN throughput (kbps), the
average and maximum throughputs are calculated on the following periods:
Average (throughput)
Periodicity
Maximum (Peak throughput)
Hour
15 minutes
15 minutes
Day
15 minutes
15 minutes
Week
1 hour
15 minutes
Month
4 hours
15 minutes
The tables
The tables present the following information:
Application Group table
Application
Group
Criticality
Criticality level according to the Application Group name.
Volume (%)
Percentage of total volume used by the Application Group.
Volume (MB)
Volume used by the Application Group in Mega bytes.
Volume Evolution
(++/+/0/-/- -)
Volume evolution for the 3 last periodicity levels.
AQS (0 to 10)
Application Quality Score.
Quality Evolution
(++/+/0/-/- -)
Quality evolution for the 3 last periodicity levels.
October 2014
9-53
Ipanema System
Application TOP 10 table

Application
Name of the Application.
Application
Group
Application Group name corresponding to the application classification.
Volume (%)
Percentage of total volume used by the Application.
Site Activity table
9-54
Site activity
This indicator displays the percentage of time when traffic was measured.
Evolution
(++/+/0/-/- -)
Availability evolution for the 3 last periodicity levels.
October 2014
9. 5. 6. is - slm - site synthesis

Service Level Monitoring- site synthesis

What can it do?
Monitored resource

A Domain.
A list of Sites.
A list of Keys.
A list of Subnets.
Volume evolution per criticality, Quality evolution, Total throughput,
Volume per site (percentage, MB, evolution), Quality per site (AQS,
evolution)
What is measured
How it is measured
October 2014
9-55
Ipanema System
Volume evolution and Quality evolution graphs

Type of report
Hourly
Daily
Weekly
Monthly
Display rate
1 hour
1 day
1 week
1 month
Time Span
24 hours
1 week
5 weeks
12 months
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
Throughput graph
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
15 minutes
15 minutes
1 hour
4 hours
Time Span
2 hours
2 days
2 weeks
2 months
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
Site table
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
1 hour
1 day
1 week
1 month
Time Span
1 hours
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
The graphs present the following informations:
Volume Evolution (GB) graph
This graph shows the volume evolution on the last 24 hours, 7 days, 5 weeks or 12 months
according to the periodicity level by criticality.
Quality Evolution (%) graph
This graph represents quality evolution on the last 24 hours, 7 days, 5 weeks or 12 months
according to the periodicity level in percentage of volume with different colors:
%
%
%
%
green volume
yellow volume
red volume
grey volume when quality cannot be computed
Throughput (kbps) graph

This graph shows the total throughput evolution (ingress + egress) on the last 2 hours, 2 days, 2
weeks or 2 months according to the periodicity level, for the following indicators: average throughput
and maximum throughput.
9-56
Number of kbits per second at layer 3 level during a display period.
The peak throughput curve displays the maximum encountered value during a display period.
October 2014
For the Throughput (kbps), average and maximum throughput are calculated on the
following periods:
Periodicity
Average (throughput)
Maximum (Peak throughput)
Hour
15 minutes
15 minutes
Day
15 minutes
15 minutes
Week
1 hour
15 minutes
Month
4 hours
15 minutes
The table
The Site table presents the following information:
Site
Volume (%)
Percentage of total volume used by the site.
Volume (MB)
Volume used by the site in Mega bytes.
Volume Evolution
(++/+/0/-/- -)
Volume evolution for the 3 last periodicity levels.
AQS (0 to 10)
Application Quality Score of the sites.
Quality Evolution
(++/+/0/-/- -)
Quality evolution for the 3 last periodicity levels.
October 2014
9-57
Ipanema System
9. 6. SLA (SERVICE LEVEL AGREEMENT) REPORTS

9. 6. 1. is - sla - domain overview - graph
Service Level Agreement Table
Service Level Agreement - Domain

What can it do?
Monitored resource

A Domain .
AQS per critical Application Group (Top and High), AQS per site for
critical Application Groups, Over activity per site (%).
What is measured
How it is measured
9-58
October 2014
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Used to display in a graph an overall view of the service level agreement supplied by the network.
Presents the following information:
Application Group graph
This graph represents the AQS during no over activity, per critical Application Group (Top and
High).
Site graph
This graph represents the AQS during no over activity of the 10 worst Sites, for the critical
Application Groups (Top and High).
Over activity per site (%) graph
This graph represents the percentage of time when the Right Size (computed by Smart planning)
is higher than the WAN access for Top and High traffic.
October 2014
9-59
Ipanema System
9. 6. 2. is - sla - domain overview - table

Service Level Agreement - Domain - overview

What can it do?
Monitored resource

A Domain .
Volume, AQS, MOS, Over activity per critical Application Group
(Top and High), per site for critical Application Groups.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The tables
9-60
Application
Group
Criticality
Criticality of the Application Group (Top and High only).
Volume (%)
Percentage of volume represented by the Application Group.
AQS
Application Quality Score during no over-activity.
MOS
Mean Opinion Score during no over-activity.
Overactivity (%)

October 2014
Site
Name of the Site.
Volume (%)
Percentage of volume represented by the Site for the critical Application

Groups (Top and High).
AQS
MOS
Overactivity (%)

October 2014
9-61
Ipanema System
9. 6. 3. is - sla - domain - aqs summary

Service Level Agreement - Domain - AQS summary

What can it do?
Monitored resource

A Domain .
AQS, Over activity per critical Application Group (Top and High),
per site for critical Application Groups.
What is measured
How it is measured
9-62
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
October 2014
The tables
Application
Group
Criticality
Overactivity (%)

AQS > 5.0 (%)
Percentage of time when qualified AQS > 5.0 during no over-activity.
AQS > 7.0 (%)
AQS > 8.0 (%)
AQS > 9.0 (%)
AQS > 9.5 (%)
AQS > 9.8 (%)
AQS > 9.9 (%)
AQS = 10 (%)
Percentage of time when qualified AQS = 10 during no over-activity.
Site
Name of the Site.
Overactivity (%)

AQS > 5.0 (%)
AQS > 7.0 (%)
AQS > 8.0 (%)
AQS > 9.0 (%)
AQS > 9.5 (%)
AQS > 9.8 (%)
AQS > 9.9 (%)
AQS = 10 (%)
9. 6. 4. is - sla - domain - ag aqs summary

The report is a part of is - sla - domain - aqs summary described above: it shows its first table
(Application Group).
9. 6. 5. is - sla - domain - site aqs summary

The report is a part of is - sla - domain - aqs summary described above: it shows its second table
(Site).
October 2014
9-63
Ipanema System
9. 6. 6. is - sla - domain - mos summary

Service Level Agreement - Domain - MOS summary

What can it do?
Monitored resource

A Domain .
MOS, Over activity per critical Application Group (Top and High),
per site for critical Application Groups.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The tables
9-64
Application
Group
Criticality
Overactivity (%)

MOS > 2.6 (%)
Percentage of time when MOS > 2.6 during no over-activity.
MOS > 3.1 (%)
MOS > 3.6 (%)
MOS > 4.0 (%)
October 2014
MOS > 4.3 (%)
MOS > 4.4 (%)
Site
Name of the Site.
Overactivity (%)

MOS > 2.6 (%)
MOS > 3.1 (%)
MOS > 3.6 (%)
MOS > 4.0 (%)
MOS > 4.3 (%)
MOS > 4.4 (%)
October 2014
9-65
Ipanema System
9. 6. 7. is - sla - site summary

Service Level Agreement - Site summary

What can it do?
Monitored resource

An Equipped site .
AQS, MOS, Over activity per critical Application Group (Top and
High).
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The tables
9-66
% of time with qualified AQS > value
Application
Group
Criticality
Overactivity (%)

October 2014
AQS > 5.0 (%)
AQS > 7.0 (%)
AQS > 8.0 (%)
AQS > 9.0 (%)
AQS > 9.5 (%)
AQS > 9.8 (%)
AQS > 9.9 (%)
AQS = 10 (%)
% of time with qualified MOS > value
Application
Group
Criticality
Overactivity (%)

MOS > 2.6 (%)
MOS > 3.1 (%)
MOS > 3.6 (%)
MOS > 4.0 (%)
MOS > 4.3 (%)
MOS > 4.4 (%)
9. 6. 8. is - sla - site aqs summary

The report is a part of is - sla - site summary described above: it shows its first table (% of time
with qualified AQS > value).
9. 6. 9. is - sla - site mos summary

The report is a part of is - sla - site summary described above: it shows its second table (% of
time with qualified MOS > value).
October 2014
9-67
Ipanema System
9. 6. 10. is - sla - site exploitation

Service Level Agreement - site exploitation
9-68
October 2014
What can it do?

Monitored resource
What is measured

AQS, MOS, Volume, Sessions density, Over activity.
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
AQS graph
This graph represents the Application Quality Score during no over activity, per critical Application
Group (Top and High).
MOS graph
This graph represents the Mean Opinion Score during no over-activity, per Application Group.
Volume (MBytes) graph
This graph represents the volume of data (MBytes) exchanged by each critical Application Group
(Top and High) and for all non critical ones (Medium and Low).
Session density graph
This graph represents the number of sessions for each critical Application Group (Top and High)
and for all non critical ones (Medium and Low).
Overactivity (%) graph
October 2014
9-69
Ipanema System
9. 6. 11. is - sla - site customer

Service Level Agreement - site customer
9-70
October 2014
What can it do?

Monitored resource
What is measured

AQS, MOS, Volume, Sessions, Over activity
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
AQS graph
This graph represents the Application Quality Score during no over activity, per critical Application
Group (Top and High).
MOS graph
This graph represents the Mean Opinion Score during no over-activity, per Application Group.
Volume (MBytes) graph
This graph represents the volume of data (MBytes) exchanged by each critical Application Group
(Top and High) and for all non critical ones (Low and Medium).
Session density graph
This graph represents the number of sessions for each critical Application Group (Top and High)
and for all non critical ones (Low and Medium).
Overactivity (%) graph
The table
The table presents the following information:
Application
Group
Criticality
AQS
MOS
Overactivity (%)

Volume (%)
Percentage of volume represented by the Application Group.
October 2014
9-71
Ipanema System
9. 7. CAM (CLOUD APPLICATION MONITORING) REPORTS

9. 7. 1. is - cam - clients overview
Cloud Application Monitoring Table
Cloud Application Monitoring - Clients Overview
9-72
October 2014
What can it do?

Monitored resource
A Domain.
This template really makes sense for Applications and
Application Groups.
What is measured
How it is measured
Number of Users (1 User = 1 IP address), Number of Transactions

(1 Transaction = 1 PUSH packet sent by a client), Transaction Time,
Server delay, Number of Transactions per second, Transaction
size, Transaction efficiency.
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The pie chart

The pie chart is used to display the number of Users per Site.
The horizontal bar graphs
The horizontal bar graphs are used to display the Transaction times per Sites breakdown into three
metrics:
Request time,
Response time (should be renamed Server delay in the next software release),
Transaction time (should be renamed Response time in the next software release).
These three metrics are illustrated below (with their new names):
October 2014
9-73
Ipanema System
The Transaction efficiency (in kbps) is defined as the Transaction size (in KB) divided by
Transaction time (in ms) (multiplied by 8,192 to get the result in kbps).
Note that for the same Transaction, the 3 steps Request / Server delay / Response can
vary a lot, according to whether a proxy is used or not (and to its position, when used):
This does not matter, from the Users perspective (the response time that they get is
the same in either case and so is the Transaction efficiency).
Another consequence of proxies can be a difference in the number of Users: as 1 User
= 1 IP address (= 1 device in fact), if theres a proxy on the LAN side of the ip|engine,
the latter will only see 1 User (In a VPN, the ip|engine generally sits behind the
proxy).
9-74
October 2014
The vertical table

The vertical table is used to display the following indicators concerning the Domain traffic:
Users
Number of Users (1 User = 1 IP address).
Max Users
Maximum number of Users measured during the period.
New sessions/s
Number of new TCP sessions established per second.
Transactions/s
Number of transactions per second (one TCP session can be made up of

multiple transactions).
Response time
(ms)
Server delay (this metric should be renamed Server delay in the next
software release).
Transaction time
(ms)
Transaction time (refer to the schemes above).
Transaction size
(KB)
Average number of kilo bytes per transaction.
Transaction
efficiency (kbps)
Transaction size (in KB) divided by Transaction time (in ms) multiplied
by 8,192 (to get the result in kbps).
The vertical bar graphs

The vertical bar graph is used to display the Response time (to be renamed Server delay in the
next software release) breakdown per range of delays.
The horizontal table
The horizontal table is used to display the following indicators concerning the Sites traffic (same
information as in the vertical table above, but Site by Site):
Site
Name of the Site.
Users
Number of Users (1 User = 1 IP address).
Max Users
Maximum number of Users measured during the period.
New sessions/s
Number of new TCP sessions established per second.
Transactions/s
Number of transactions per second (one TCP session can be made up of

multiple transactions).
Response time
(ms)
Server delay (this metric should be renamed Server delay in the next
software release).
Transaction time
(ms)
Transaction time (refer to the schemes above).
Transaction size
(KB)
Average number of kilo bytes per transaction.
Transaction
efficiency (kbps)
Transaction size (in KB) divided by Transaction time (in ms) multiplied
by 8,192 (to get the result in kbps).
October 2014
9-75
Ipanema System
9. 7. 2. is - cam - time evolution

Cloud Application Monitoring Table
Cloud Application Monitoring - Time evolution
9-76
October 2014
What can it do?

Monitored resource
A Domain.
This template really makes sense for Applications and
Application Groups.
What is measured
How it is measured
Number of Users (1 User = 1 IP address), Transaction Time,

Number of Sessions and Number of Transactions (1 Transaction =
1 PUSH packet sent by a client), Transaction efficiency.
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Users graph
This graph represents the number of Users.
Transaction Time (ms) graph
This graph represents the average Transaction Time (in ms) with its breakdown:
Request time (in ms),

Response time (in ms; should be renamed Server delay in the next software release),
Transaction time (in ms; should be renamed Response time in the next software release).
Sessions and Transactions graph

This graph represents the number of Sessions and the number of Transactions per second (1
Transaction = 1 PUSH packet sent by a client).
Transaction efficiency (in kbps) graph
This graph represents Transaction efficiency (in kbps) Transaction efficiency = Transaction size
(in KB) divided by Transaction time (in ms) multiplied by 8,192 (to get the result in kbps).
October 2014
9-77
Ipanema System
9. 8. AM (APPLICATION MONITORING) REPORTS

9. 8. 1. is - am - site summary - tcp
Application Monitoring Table
Application Monitoring - Site Summary - TCP

What can it do?
Monitored resource

A Domain.
Packet retransmission, SRT, RTT, Non TCP sessions, TCP
sessions, Goodput, Non TCP Throughput, TCP Throughput.
What is measured
How it is measured
9-78
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
October 2014
The table
The table is used to display the following indicators concerning the Site traffic:
Site
Name of the Site.


Packet retrans.
Percentage of retransmitted TCP segments.
SRT
Server response time (in ms).
RTT
Round trip time (in ms).
Non-TCP sess.
Number of non-TCP sessions per second.
TCP sess.
Number of TCP sessions per second.
Goodput
Number of kbits per second at layer 4 level.
Non-TCP Thput
Number of non-TCP segments kilobits per second, measured at IP layer.
TCP Thput
Number of TCP segments kilobits per second, measured at IP layer.
October 2014
9-79
Ipanema System
9. 8. 2. is - am - application group summary - tcp

Application monitoring Table
Application Monitoring - application group summary - TCP

What can it do?
Monitored resource

A Domain.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
Application Groups table

Used to display in a table the following indicators concerning the Application Group traffic.
Application
Group

9-80

Packet retrans.
SRT
RTT
Non-TCP sess.
October 2014
TCP sess.
Goodput
Number of kbits per second at layer 4.
Non-TCP Thput
TCP Thput
October 2014
9-81
Ipanema System
9. 8. 3. is - am - application group summary - per dir. - tcp

Application Monitoring - application group Summary - per direction - TCP

What can it do?
Monitored resource

What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
Application Groups table

Application
Group

9-82

Packet retrans.
SRT
RTT
Non-TCP sess.
Number of non TCP sessions per second.
TCP sess.
Goodput
October 2014
Non-TCP Thput
TCP Thput
October 2014
9-83
Ipanema System
9. 8. 4. is - am - application summary - tcp

Application Monitoring - Application Summary - TCP

What can it do?
Monitored resource

A Domain.
What is measured
How it is measured
9-84
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
October 2014
Application table
Used to display in a table the following indicators concerning the Application traffic.
Application


Packet retrans.
SRT
RTT
Non-TCP sess.
TCP sess.
Goodput
Non-TCP Thput
TCP Thput
October 2014
9-85
Ipanema System
9. 8. 5. is - am - application summary - per direction - tcp

Application Monitoring - Application Summary - per direction - TCP

What can it do?
Monitored resource

What is measured
How it is measured
9-86
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
October 2014
Application table
Used to display in a table the following indicators concerning the Application traffic.
Application


Packet retrans.
SRT
RTT
Non-TCP sess.
TCP sess.
Goodput
Non-TCP Thput
TCP Thput
October 2014
9-87
Ipanema System
9. 8. 6. is - am - time evolution - tcp

Application Monitoring - time evolution - tcp
9-88
October 2014
What can it do?

Monitored resource

A Domain.
SRT, RTT, packet retransmission, Throughput (TCP and non TCP),
Goodput (TCP), sessions.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
SRT (ms) graph
This graph represents the average Server response time (in ms).
RTT (ms) graph
This graph represents the average Round trip time (in ms).
Packet retransmission graph
This graph represents the percentage of retransmitted TCP segments.
Throughput graph
This graph represents:
TCP: the number of TCP segments per second (in kbps, measured at IP level) (dark blue).
non TCP: the number of non TCP segments per second (in kbps) measured at IP level) (light
blue).
Goodput: the number of kbits per second at layer 4 level (green).
Peak: the maximum encountered value during a display period (red).
Sessions graph
TCP: the number of TCP sessions per second (dark green).

non TCP: the number of non TCP sessions per second (light green).
October 2014
9-89
Ipanema System
9. 9. PM (PERFORMANCE MONITORING) REPORTS

9. 9. 1. is - pm - site summary
Performance Monitoring Table
Performance Monitoring - site summary

What can it do?
Monitored resource

A Domain.
LAN-to-LAN and WAN-to-WAN average delay, packet loss and
throughput, total sessions.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
Site table
Used to display in a table the following indicators concerning the Site traffic.
9-90
October 2014
Site
Name of the Site.


LAN average
delay (ms)
LAN-to-LAN average delay of packets (in ms).
WAN average
delay (ms)
WAN-to-WAN average delay of packets (in ms).
LAN packet loss

(%)
Percentage of IP packets lost between the LAN interfaces of the

ip|engines.
WAN packet loss

(%)
Percentage of IP packets lost between the WAN interfaces of the

ip|engines.
LAN total
throughput
(kbps)
Number of kbits per second at the IP level measured on the LAN interface
of the ip|engine.
WAN total
throughput
(kbps)
Number of kbits per second at the IP level measured on the WAN

interface of the ip|engine.
Total sessions
Total number of sessions (on ip|engines and/or tele|engines).
October 2014
9-91
Ipanema System
9. 9. 2. is - pm - application group summary

Performance Monitoring - application group summary

What can it do?
Monitored resource

A Domain.
Total sessions, total throughput, packet size, delay, jitter, packet
loss, packet retransmission, SRT, RTT
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers

9-92
Application
Group
Total sessions
Total number of sessions (on ip|engines and/or tele|engines) for ingress

and egress directions.
Total throughput
(kbps)
Total number of kbits per second at IP level (on ip|engines and/or

tele|engines) for ingress and egress directions.
Packet size
(bytes)
Average packet size in bytes (on ip|engines and/or tele|engines) for

ingress and egress directions.
October 2014
Delay (ms)
Average delay of packets (in ms) for ingress and egress directions.
Jitter (ms)
Delay variation (in ms) for ingress and egress directions.
Packet loss (%)
Percentage of lost IP packets for ingress and egress directions.
Packet retrans.
(%)
Percentage of retransmitted TCP segments for ingress and egress

directions.
SRT (ms)
Average Server Response Time (in ms).
RTT (ms)
Average Round Trip Time (in ms).
October 2014
9-93
Ipanema System
9. 9. 3. is - pm - application group summary per direction

Performance Monitoring - application group summary per direction

What can it do?
Monitored resource
A Domain.


What is measured
How it is measured
9-94

Delay, jitter, packet loss, qualified packet size, qualified sessions,
total throughput, total packet size, total sessions, qualified
throughput
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
October 2014

Application
Group


Delay (ms)
Average delay of packets (in ms).
Jitter (ms)
Delay variation (in ms).
Packet loss (%)
Percentage of lost IP packets.
Packet retrans.
(%)
SRT (ms)
RTT (ms)
Packet size
(bytes)
Average packet size in bytes (on ip|engines and/or tele|engines).
Total sess.
Total Thput
(kbps)
(Total throughput) Total number of kbits per second at IP level (on

ip|engines and/or tele|engines).
October 2014
9-95
Ipanema System
9. 9. 4. is - pm - application summary
Performance Monitoring - Application summary

What can it do?
Monitored resource

A Domain.
Total sessions, total throughput, packet size, delay, jitter, packet
loss, packet retransmission; SRT, RTT
What is measured
How it is measured
9-96
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
October 2014

Used to display in a table the following indicators concerning the Application Group traffic:
Application
Total sessions
Total number of sessions (on ip|engines and/or tele|engines) for ingress

and egress directions.
Total throughput
(kbps)

tele|engines) for ingress and egress directions.
Packet size
(bytes)
Average packet size in bytes (on ip|engines and/or tele|engines) for

ingress and egress directions.
Delay (ms)
Average delay of packets (in ms) for ingress and egress directions.
Jitter (ms)
Delay variation (in ms) for ingress and egress directions.
Packet loss (%)
Percentage of lost IP packet for ingress and egress directions.
Packet retrans.
(%)
Percentage of retransmitted TCP segments for ingress and egress

directions.
SRT (ms)
RTT (ms)
October 2014
9-97
Ipanema System
9. 9. 5. is - pm - application summary per direction

Performance Monitoring - application summary per direction

What can it do?
Monitored resource
A Domain.


What is measured
How it is measured
9-98

Delay, jitter, packet loss, packet retransmission, SRT, RTT, packet
size, total sessions, total throughput
October 2014
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers

Application
Criticality
Criticality level according to the Application Group name associated to

the application.

Delay (ms)
Average delay of packets (in ms).
Jitter (ms)
Delay variation (in ms).
Packet loss (%)
Percentage of lost IP packets.
Packet retrans.
(%)
SRT (ms)
RTT (ms)
Packet size
(bytes)
Average packet size in bytes (on ip|engines and/or tele|engines).
Total sessions
Total throughput
(kbps)

tele|engines).
October 2014
9-99
Ipanema System
9. 9. 6. is - pm - traffic topology
Performance Monitoring - traffic topology
9-100
October 2014
What can it do?

Monitored resource

A Domain.
Total traffic, qualified traffic, Traffic profile (kbps/%time),
packet%/delay threshold, sites and their ingress and egress
throughputs.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The Tables
Total traffic table
Used to display in a table the following indicators concerning the ip|engine traffic or the Domain
traffic:
Packet size
Average packet size (in bytes).
Sessions
Number of sessions during a display period.
Throughput
Average throughput during a display period (kbps).
Volume
Total number of bytes (in MBytes).
Qualified traffic table

Average delay
Average delay of total packets between ip|engines (in ms).
Jitter
Average delay variation (in ms).
Packet loss
Percentage of lost IP packets during a display period.
Packets size
Average packet size (in bytes).
Sessions
Number of qualified sessions during a display period.
Throughput
Number of qualified bits per second at IP level (kbps).
Volume
Total of number of qualified bytes during a display period (in MB).
The graphs
Traffic profile (kbps / % time) graph
October 2014
9-101
Ipanema System
Maximum bandwidth reached during the Time percentage:

10
Bandwidth reached during 90% of time during the display period.
30
50
67
80
90
95
98
99
100
Peak rate reached during the display period.

This representation is very useful to get a view of the bandwidth usage.
Case 1: If all values are about the same at 100 kbps this means that during time
throughput is constant and always very close to 100 kbps. If the line is a leased line
of 512 kbps, then this line is over dimensioned and can be reduced at least down to
256 kbps.
Case 2: On the other hand, let us suppose that values are almost all equal to zero
except the 100 value which is very close to 450 kbps: that means the line is used 1%
of the time. We should check the reason of this peak usage.
This representation is useful because it is still meaningful when observed over a long
period of time. A time evolution representation could have masked the bursty behavior
of the line in case 2.
Packet % / Delay threshold (ms) graph

This graph shows the packet delay distribution:
<10
Percentage of packets that had a latency (delay) under 10 ms.
<20
Percentage of packets that had a latency (delay) between 10 and 20 ms.
<50
<100
<200
<500
<1000
<2000
Sites table
9-102
Site
List of sites communicating with the resource monitored

in this report.
Throughput ratio LAN=>WAN (%)
The Throughput ratio from this site to the resource

monitored in this report, in percentage.
Throughput ratio WAN=>LAN (%)
The Throughput ratio from the resource monitored in

this report to this site, in percentage.
October 2014
9. 9. 7. is - pm - time evolution
Performance Monitoring - time evolution
October 2014
9-103
Ipanema System
What can it do?

Monitored resource
What is measured
A Domain.
Delay, jitter, packet loss, throughput, number of sessions.
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Delay (ms), Jitter (ms) graph
LAN average delay: the average LAN-to-LAN delay of total packets (in ms) (Blue).
WAN average delay: the average WAN-to-WAN delay of total packets (in ms) (Orange).
LAN jitter: the average LAN-to-LAN delay variation (in ms) (Light blue).
WAN Jitter: the average WAN-to-WAN delay variation (in ms) (Purple).
Packet loss (%) graph

LAN packet loss : the percentage of lost IP packets between the LAN interfaces of the
ip|engines (Red).
WAN packet loss : the percentage of lost IP packets between the WAN interfaces of the
ip|engines (Pink).
Peak Throughput graph

LAN peak throughput: the maximum encountered LAN-to-LAN throughput during a display
period (Blue).
WAN peak throughput: the maximum encountered WAN-to-WAN throughput during a display
period (Orange).
LAN Throughput graph

Throughput: the number of kbits per second at layer 3 level (light blue).
Goodput: the number of kbits per second above layer 4 level (light green).
Qualified throughput: the number of qualified kbits per second at layer 3 level (dark Blue).
Qualified goodput: the number of qualified kbits per second above layer 4 level (dark green).
Sessions graph: this graph represents the number of sessions per second.
9-104
October 2014
9. 9. 8. is - pm - detailed per application, per app. group

A group of reports is used to display the throughput of the flows grouped by application and
Application Group.
The following reports are included in this group:
is - pm - detailed per application group

Layer 3 throughput distribution for flows by Application Group in ingress and egress directions.
is - pm - detailed per application - top
Layer 3 throughput distribution for flows by type of application in ingress and egress directions.
is - pm - detailed per application
Layer 3 throughput distribution for flows by type of application in ingress and egress directions.
Performance Monitoring-detailed per application
October 2014
9-105
Ipanema System
What can they do?

Monitored resource
These templates are available for the following MetaViews:
What is measured
A Domain.
Throughput.
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graph
The Throughput graph represents the layer 3 throughput distribution for the flows per application
or Application Group in kbps.
9-106
October 2014
9. 9. 9. is - pm - top host application on volume

Performance Monitoring - Top host application on volume

What can it do?
Monitored resource
A Site.
What is measured
Host, application, volume, sessions.
How it is measured
From data collected every minute.
This report does not appear in the hour, day, week and month folders, but in the default
folder. Hour, Day, Week, Month must NOT be selected when creating it with ip|reporter.
Type of report
Default
Display Rate
1 minute
Time Span
1 minute
Life Time
1 week
Audience
Network analysts
Reports creation
The user specifies the filters to create a MetaView then instantiates a report template on the
MetaView. There are the following filters:
A Site.
This report consumes a lot of CPU on the server, and should not be instantiated on
more than 10 sites. As a consequence, it should not be Instantiated by default, but only
when really needed.
Create it with ip|reporter only (do not use the Automatic reporting tool).
The table
Talkers: List of hosts on the site sending data to the other sites (upstream from the
flow).
Listeners: List of hosts on the site receiving data from the other sites (downstream from
the flow).
October 2014
9-107
Ipanema System
a session is identified:
For TCP or UDP by the following parameters: source address, destination address,
protocol TCP or UDP, source port and destination port.
For other protocols over IP (for example: ICMP) by the following parameters: source
address, destination address, protocol.
The number of sessions represents the average session activity for the duration of
Correlation Record (by default: T = 1 minute). For example, 2 sessions running during
T plus 3 sessions running during half this period of time will give 3.5 sessions (2 x 1 +
3 x 0.5).
These values are measured over the last display rate. Click successively on any column header to
sort the table by increasing or decreasing values. On the report you can use the time slider to see
the previous values of each indicator. Using the slider presents you with a historical view of each
resource for any moment during the lifetime of the report.
Top host application on volume table
Used to display in a table the following indicators concerning the Top Host application sorted by
maximum volume used.
The Top Host application is limited to 10 hosts for each way.
9-108
Host Talkers
IP address of the talker host on the Site (ip|engine).
Application
Talkers
Application name used by the talker host.
Volume (KB)
Talkers
Volume of traffic sent by the talkers host in KBytes.
Sessions Talkers
Number of sessions per second generated by the talker host.
Host Listeners
IP address of the listener host on the Site (ip|engine).
Application
Listeners
Application name used by the listener host.
Volume (KB)
Listeners
Volume of traffic received by the listener host in KBytes.
Sessions
Listeners
Number of sessions per second generated by the listener host.
October 2014
9. 10. PM COMPRESSION REPORTS

9. 10. 1. is - pm - compression evolution
Compression Table
Compression Evolution
October 2014
9-109
Ipanema System
What can it do?

Monitored resource

A Domain.
Total LAN throughput (without compression), total WAN throughput
(with compression), compressed throughput, saved bandwidth.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Ingress Throughput (compress) graph:
Total LAN (blue curve): total throughput (in kbps) before compression, on the LAN interface of
the ip|engine.
Total WAN (red curve): total throughput (in kbps) after compression, on the WAN interface of
the ip|engine for all flows (compressed and non-compressed flows).
Compressed WAN (orange surface): throughput of the compressed flows (flows classified in
Application Groups enabled for compression and going to decompressing ip|engines) on the
WAN interface of the ip|engine.
Compressible LAN (blue surface): throughput of the compressible flows on the LAN interface
of the ip|engine, which are not sent to the WAN that is, bandwidth saved on the compressed
flows.
Egress Throughput (decompress) graph
9-110
Total LAN (blue curve): total throughput (in kbps) after decompression, on the LAN interface of
the ip|engine.
Total WAN (red curve): total throughput (in kbps) before decompression, on the WAN interface
of the ip|engine for all flows (compressed and non-compressed flows).
Compressed WAN (orange surface): throughput of the decompressed flows (flows classified
in Application Groups enabled for compression and coming from compressing ip|engines).
Compressible LAN (blue surface): throughput of the compressible flows on the LAN interface
of the ip|engine, which were not sent across the WAN that is, bandwidth saved on the
decompressed flows.
October 2014
9. 10. 2. is - pm - application group compression synthesis

Compression Table
Application Group compression synthesis
October 2014
9-111
Ipanema System
What can it do?

Monitored resource

A Domain.
Volume per Application Group (compressed, saved), LAN input,
Comp. input, Comp. output, Comp. factor, Comp. ratio.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Ingress Volume (compress) graph:
Compressed WAN (orange surface; in MB): for each Application Group, the total compressed
volume (flows classified in Application Groups enabled for compression and going to
decompressing ip|engines) in MB for the ingress way.
Compressible LAN (blue surface; in MB): for each Application Group, throughput of the
compressible flows on the LAN interface of the ip|engine, which are not sent to the WAN
that is, bandwidth saved on the compressed flows in MB for ingress way.
Egress Volume (decompress) graph:
9-112
Compressed WAN (orange surface; in MB): for each Application Group, the total
decompressed volume (flows classified in Application Groups enabled for compression and
coming from compressing ip|engines) in MB for the egress way.
Compressible LAN (blue surface; in MB): for each Application Group, throughput of the
compressible flows on the LAN interface of the ip|engine, which were not sent across the
WAN that is, bandwidth saved on the decompressed flows in MB for egress way.
October 2014
The tables
Ingress Volume (compress) and Egress Volume (decompress) by Application Group table
Used to display for each Application Group, for all traffic in ingress and egress directions, the
volume (in MB) before and after compression, and the compression ratio.
In each column of the table,

LAN Volume (MB)
For each Application Group, the total volume of flows in MB (compressed

and non-compressed flows); this volume is measured on the LAN
interface of the ip|engine.
Comp. input (MB)
For each Application Group, the total compressible volume (flows

classified in Application Groups enabled for compression and going to
decompressing ip|engines (/ coming from compressing ip|engines) in
MB before compression (/ after decompression)); this volume is measured
on the LAN interface of the ip|engine.
Comp. output
(MB)
For each Application Group, the total (de)compressed volume (flows

classified in Application Groups enabled for compression and going to
decompressing ip|engines (/ coming from compressing ip|engines) in
MB before compression (/ after decompression)); this volume is measured
on the WAN interface of the ip|engine.
Comp. factor
For each Application Group, the compression factor is calculated by the

formula: Comp. input / Comp. output; it should always be 1.
Comp. ratio (%)
For each Application Group, the compression ratio represents the

percentage of compression and is calculated by the formula: (Comp. input
Comp. output) / Comp. input x 100; it should always be [0100[%.
Totals table
Used to display the total of volume for all traffic in the ingress and egress directions, the volume
(in MB) before and after compression, and the compression ratio. For the parameters see the
explanation in the table above.
October 2014
9-113
Ipanema System
9. 10. 3. is - pm - application compression synthesis

Compression Table
Application compression synthesis
9-114
October 2014
What can it do?

Monitored resource

A Domain.
Volume per application (compressed, saved), LAN input, Comp.
input, Comp. output, Comp. factor, Comp. ratio.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Ingress Volume (compress) graph:
Compressed WAN (orange surface; in MB): for each Application, the total compressed volume
(flows classified in Application Groups enabled for compression and going to decompressing
ip|engines) in MB for the ingress way.
Compressible LAN (blue surface; in MB): for each Application, throughput of the compressible
flows on the LAN interface of the ip|engine, which are not sent to the WAN that is, bandwidth
saved on the compressed flows in MB for ingress way.
Egress Volume (decompress) graph
Compressed WAN (orange surface; in MB): for each Application, the total decompressed
volume (flows classified in Application Groups enabled for compression and coming from
compressing ip|engines) in MB for the egress way.
Compressible LAN (blue surface; in MB): for each Application, throughput of the compressible
flows on the LAN interface of the ip|engine, which were not sent across the WAN that is,
bandwidth saved on the decompressed flows in MB for egress way.
October 2014
9-115
Ipanema System
The tables
Ingress Volume (compress) and Egress Volume (decompress) by Application table
Used to display for each Application, for all traffic in ingress and egress directions, the volume (in
MB) before and after compression, and the compression ratio.
In each column of the table,

LAN Volume (MB)
For each Application, the total volume of flows in MB (compressed and

non-compressed flows); this volume is measured on the LAN interface
of the ip|engine.
Comp. input (MB)
For each Application, the total compressible volume (flows classified in

Application Groups enabled for compression and going to decompressing
ip|engines (/ coming from compressing ip|engines) in MB before
compression (/ after decompression)); this volume is measured on the
LAN interface of the ip|engine.
Comp. output
(MB)
For each Application, the total (de)compressed volume (flows classified in

Application Groups enabled for compression and going to decompressing
ip|engines (/ coming from compressing ip|engines) in MB before
compression (/ after decompression)); this volume is measured on the
WAN interface of the ip|engine.
Comp. factor
For each Application, the compression factor is calculated by the formula:

Comp. input / Comp. output; it should always be 1.
Comp. ratio (%)
For each Application, the compression ratio represents the percentage of

compression and is calculated by the formula: (Comp. input Comp.
output) / Comp. input x 100; it should always be [0100[%.
Totals table
Used to display the total of volume for all traffic in the ingress and egress directions, the volume
(in MB) before and after compression, and the compression ratio. For the parameters see the
explanation in the table above.
9-116
October 2014
9. 11. SSL OPTIMIZATION REPORT

9. 11. 1. is - ssl optimization - time evolution
SSL Optimization Table
Time Evolution
What can it do?
Monitored resource

A Domain.
An Equipped site or a list of Equipped sites.
SSL LAN Thput. (without compression), SSL WAN Thput (with
compression), SSL Optimization Eligible sessions, SSL Optimized
sessions.
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
October 2014
9-117
Ipanema System
Life Time
24 hours
7 days
Audience
Network analysts
5 weeks
12 months
Executive officers
The graphs
Compress graph:
Compressible SSL LAN (kbps) (blue area): SSL throughput before compression, measured
Compressed SSL WAN (kbps) (orange area): SSL throughput after compression, measured
SSL Optimization Eligible (sessions) (green curve): number of eligible sessions for SSL
optimization.
SSL Optimized (sessions) (brown curve): number of SSL optimized sessions.
Decompress graph:
9-118
Compressible SSL LAN (kbps) (blue area): SSL throughput before decompression, measured
Compressed SSL WAN (kbps) (orange area): SSL throughput after decompression, measured
SSL Optimization Eligible (sessions) (green curve): number of eligible sessions for SSL
optimization.
SSL Optimized (sessions) (brown curve): number of SSL optimized sessions.
October 2014
9. 12. ACC (ACCELERATION) REPORT

9. 12. 1. is - acc - acceleration evolution
Acceleration Table
Acceleration Evolution
What can it do?
Monitored resource

A Domain.
MRE factor, Acceleration factors, number of new sessions, number
of active sessions
What is measured
How it is measured
October 2014
9-119
Ipanema System
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Acceleration Factors graphs:
MRE factor(Multiple Redundancy Elimination): compressible volume (measured on the LAN

interface of the ip|engine, before compression) / compressed volume (measured on the WAN
interface of the ip|engine, after compression).
Acceleration factor: the response time that would have been measured without TCP
acceleration (computed with the following hypotheses: TCP window size equal to 64 Kbytes
and MSS equal to 1400 bytes) / Response time of the accelerated sessions.
Accelerated session:
9-120
Number of new sessions: number of new sessions.

Number of active sessions: number of active sessions.
October 2014
9. 13. CIFS REPORT

9. 13. 1. is - cifs - time evolution
CIFS acceleration Table
CIFS - Time evolution
October 2014
9-121
Ipanema System
What can it do?

Monitored resource

A Domain.
CIFS throughput, CIFS verbosity, Acceleration factor, number of
active sessions
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Throughputs graph:
locally served from the cache (blue surface, in kbps): volume of CIFS data locally served from
the ip|engines cache per time unit that is, bandwidth saved thanks to CIFS acceleration.
from server across the WAN (orange surface): CIFS data actually sent across the WAN.
Requests graphs:
from client (blue curve): number of SMB messages sent by clients.

to server (red curve): number of SMB messages sent to servers (SMB messages sent by clients
but not sent to servers are those responded locally by the ip|engine; the ratio between the two
is used to calculate the acceleration factor).
Acceleration factor graph: number of SMB messages sent by clients divided by the number of
SMB messages sent to servers.
Active Sessions graph: number of CIFS active and accelerated sessions.
9-122
October 2014
9. 14. SAM (SERVICES ACTIVITY MONITORING) REPORTS

9. 14. 1. is - sam - site summary
Services Activity Monitoring Table
Services Activity Monitoring - Site summary

What can it do?
Monitored resource
A Domain.
This template cannot be created with the Automatic
reporting function for tele-managed Sites.
What is measured
How it is measured
LAN => WAN and WAN => LAN Application Control Activity,
Duration and Evolution, Compression ratio and Saved bandwidth;
CIFS average and maximum active sessions
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
October 2014
Executive officers
9-123
Ipanema System
Site table
Used to display in a table the following indicators concerning the Sites traffic.
Site
TRAFFIC CONTROL
LAN => WAN
Activity (%)
Percentage of time when the Application Control feature had to kick in to

avoid congestion and protect the critical traffic emitted on all NAPs of the
Site, in the LAN => WAN direction.
LAN => WAN

Duration (sec)
Number of seconds when the Application Control feature had to kick in to

Site, in the LAN => WAN direction.
LAN => WAN

Evolution
(++/+/o/-/--)
Evolution of the Application Control Activity in the LAN => WAN direction.
WAN => LAN

Activity (%)
Percentage of time when the Application Control feature had to kick in to

Site, in the WAN => LAN direction.
WAN => LAN

Duration (sec)
Number of seconds when the Application Control feature had to kick in to

Site, in the WAN => LAN direction.
WAN => LAN

Evolution
(++/+/o/-/--)
Evolution of the Application Control Activity in the WAN => LAN direction.
If there are several NAPs on a Site, the metrics are aggregated for all of them. So, for
instance, on a Site with two NAPs, one permanently congested in the LAN => WAN
direction (3600 seconds per hour) and the second one never congested (0 second),
the LAN => WAN Duration will be 3600 seconds (in an hourly report), but the LAN
=> WAN Activity will be 50% only.
COMPRESSION
LAN => WAN
Comp. ratio (%)
Compression ratio for the emitted traffic (in the LAN => WAN direction).
LAN => WAN

Saved bandwidth
(kbps)
LAN => WAN Bandwidth saved thanks to Compression (= LAN-to-LAN

ingress throughput WAN-to-WAN ingress throughput).
WAN => LAN

Decomp. ratio (%)
Decompression ratio for the received traffic (in the WAN => LAN direction).
WAN => LAN

Saved bandwidth
(kbps)
WAN => LAN Bandwidth saved thanks to Decompression (= LAN-to-LAN

egress throughput WAN-to-WAN egress throughput).
ACCELERATION
9-124
CIFS Active
Sessions
(Average)
Average number of CIFS accelerated sessions.
CIFS Active
Sessions (Max)
Maximum number of CIFS accelerated sessions.
October 2014
9. 14. 2. is - sam - time evolution

Services Activity Monitoring Table
Services Activity Monitoring - Time evolution
October 2014
9-125
Ipanema System
What can it do?

Monitored resource

A Domain.
LAN => WAN and WAN => LAN Application Control Activity and
Duration, Compression ratio and Saved bandwidth, CIFS Active
Sessions and Acceleration factor
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Application Control Service graphs:
LAN => WAN Consolidated Congestion Control Activity (%): percentage of time when the
Application Control feature had to kick in to avoid congestion and protect the critical traffic
emitted on all NAPs of the Site, in the LAN => WAN direction.
WAN => LAN Consolidated Congestion Control Activity (%): percentage of time when the
Application Control feature had to kick in to avoid congestion and protect the critical traffic
emitted on all NAPs of the Site, in the WAN => LAN direction.
LAN => WAN Consolidated Congestion Control Duration (sec): number of seconds when
the Application Control feature had to kick in to avoid congestion and protect the critical traffic
emitted on all NAPs of the Site, in the LAN => WAN direction.
WAN => LAN Consolidated Congestion Control Duration (sec): number of seconds when
the Application Control feature had to kick in to avoid congestion and protect the critical traffic
emitted on all NAPs of the Site, in the WAN => LAN direction.
If there are several NAPs on a Site, the metrics are aggregated for all of them. So, for
instance, on a Site with two NAPs, one permanently congested in the LAN => WAN
direction (60 seconds per minute) and the second one never congested (0 second), the
LAN => WAN Duration will be 60 seconds during a given minute (in an hourly report),
but the LAN => WAN Activity will be 50% only.
ip|fast end-to-end activity is not considered.
Compression Service graphs:
Consolidated Compression Ratio (%): compression ratio for the emitted traffic.
Consolidated Decompression Ratio (%): decompression ratio for the received traffic.
LAN => WAN Consolidated Saved Bandwidth (kbps): bandwidth saved thanks to
compression, ingress (= ingress LAN-to-LAN throughput ingress WAN-to-WAN throughput).
WAN => LAN Consolidated Saved Bandwidth (kbps): bandwidth saved thanks to
compression, egress (= egress LAN-to-LAN throughput egress WAN-to-WAN throughput).
CIFS Acceleration Service graphs:
9-126
Consolidated CIFS Active Sessions: number of CIFS active and accelerated sessions.
October 2014
Consolidated CIFS Acceleration factor: CIFS acceleration factor (= number of SMB

messages sent by clients divided by the number of SMB messages sent to servers).
October 2014
9-127
Ipanema System
9. 15. VOIP REPORTS

Ipanema Technologies VoIP reports provide easy-to-use data for Voice over IP. Using information
gathered from ip|engines performance measurement function, then aggregated by the ip|boss
central management software, VoIP reports generate for Voice over IP per Codec specific metrics
like the MOS (Mean Opinion Score).
MOS definition
The data generated by the VoIP module is available throughout the whole Ipanema System.
ip|boss makes them available through the SNMP interface, ip|reporter uses them to generate
the appropriate easy to use reports.
9-128
October 2014
9. 15. 1. is - voip - synthesis

VoIP Table
VoIP Synthesis
What can it do?
Monitored resource
What is measured
A Domain .
MOS distribution ingress and egress direction per Codec
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
MOS distribution graph
MOS range reached in percentage of Time.
October 2014
9-129
Ipanema System
[1,3]
MOS between 1 and 3 in percentage of time during the display period.
[3,3.5]
MOS between 3 and 3.5 in percentage of time during the display period.
[3.5,4]
MOS between 3.5 and 4 in percentage of time during the display period.
[4,4.5]
MOS between 4 and 4.5 in percentage of time during the display period.
[4.5,5]
MOS between 4.5 and 5 in percentage of time during the display period.
This representation is very useful to get a view of Voice over IP quality.
MOS example
9-130
October 2014
9. 15. 2. is - voip - time evolution

VoIP Table
VoIP Time Evolution
October 2014
9-131
Ipanema System
What can it do?

Monitored resource

A Domain.
MOS, delay, jitter, packet loss, sessions for ingress and egress
direction
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
MOS graph:
Maximum MOS: the maximum MOS (Red) per Codec.

Average MOS: the average MOS (Blue) per Codec.
Minimum MOS: the minimum MOS (Green) per Codec.
Jitter: the average delay variation (in ms) (Yellow).
Delay (ms), Jitter (ms) graph:
Delay (ms): the average delay (in ms) (Blue) per Codec.
Jitter: the average delay variation (in ms) (Yellow) per Codec.
Packet loss (%) graph

This graph represents the percentage of lost IP packets between ip|engines per Codec.
Sessions graph:
9-132
Sessions: the number of sessions per second in direction of tele|engines (light blue).
Qualified sessions: the number of qualified sessions per second (between ip|engines) (dark
Blue).
Peak sessions: the peak sessions curve displays maximum encountered value during a display
rate.
October 2014
9. 16. SA (SITE ANALYSIS) REPORTS

This chapter is divided into sections that correspond to each report template. A report description
includes an overview of the report features, a graphical representation of the report, a detailed
description of the report, and finally a suggested way of using the report.
9. 16. 1. is - sa - site summary ingress

Site Analysis Table
Site Analysis - site summary ingress

What can it do?
Monitored resource
What is measured
A Domain.
A list of Sites.
A Key or a list of Keys.
Throughput to (physical) ip|engines, no correlation, to (virtual)
tele|engines, to Out of Domain, transit, other, locally rerouted, Non
IPv4 WAN, ignored LAN
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The table
Used to display for ip|engines (in the Domain, list of sites, list of keys) the information concerning
the following indicators:
Site
Name of the Site.
To physical ipe
(kbps)
Ingress throughput in kbps to equipped sites.
No correlation
(kbps)
Ingress throughput in kbps with No correlation, if the throughput is a

major part of the total traffic it may be a configuration error in the subnet,
or some flows are not seen end to end between ip|engines.
To Virtual ipe
(kbps)
Ingress throughput in kbps to tele-managed sites.
To out of Domain
(kbps)
Ingress throughput in kbps to subnet 0.0.0.0/0 (Out Of Domain subnet).
October 2014
9-133
Ipanema System
9-134
Transit (kbps)
Ingress throughput in kbps for transit flows.
Other (kbps)
Ingress throughput in kbps for Other traffic; in fact Other traffic contains
Multicast traffic, Broadcast traffic, local traffic.
Locally rerouted
(kbps)
Ingress throughput in kbps for rerouted traffic.
Non ipv4 WAN

(kbps)
Ingress throughput in kbps for non IPv4 traffic (Apple Talk, IPX, SNA,
IPv6).
Ignored LAN
(kbps)
Ingress throughput in kbps for Ignored LAN traffic (BPDU, Spanning

tree, loopback, ARP frames...).
October 2014
9. 16. 2. is - sa - site summary egress

Site Analysis Table
Site Analysis - site summary egress

What can it do?
Monitored resource
What is measured
A Domain.
A list of Sites.
Throughput from (physical) ip|engines, no correlation, from (virtual)
tele|engines, from Out of Domain, transit, other, locally rerouted,
Non IPv4 WAN, ignored LAN
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The table
Used to display for ip|engines (in the Domain, list of sites, list of keys) the information concerning
the following indicators:
Site
To physical ipe
(kbps)
Egress throughput in kbps to equipped sites.
No correlation
(kbps)
Egress throughput in kbps with No correlation; if the throughput is a

major part of the total traffic may be a configuration error in the subnet, or
some flows are not seen end to end between ip|engines.
To Virtual ipe
(kbps)
Egress throughput in kbps to tele-managed sites.
To out of Domain
(kbps)
Egress throughput in kbps to subnet 0.0.0.0/0 (Out Of Domain subnet).
Transit (kbps)
Egress throughput in kbps for transit flows.
Other (kbps)
Egress throughput in kbps for Other traffic; in fact Other traffic contains
Multicast traffic, Broadcast traffic, local traffic.
Locally rerouted
(kbps)
Egress throughput in kbps for rerouted traffic.
October 2014
9-135
Ipanema System
9-136
Non ipv4 WAN

(kbps)
Egress throughput in kbps for non IPv4 traffic (Apple Talk, IPX, SNA,
IPv6).
Ignored LAN
(kbps)
Egress throughput in kbps for Ignored LAN traffic (BPDU, Spanning

tree, loopback, ARP frames...).
October 2014
9. 16. 3. is - sa - site throughput

Site Analysis Table
Site Analysis - site throughput

What can it do?
Monitored resource
What is measured
How it is measured
This template is available for the following MetaView:

An Equipped site.
Ethernet throughput: IPv4, Apple Talk, IPX, SNA, IPv6, ignored
LAN.
IPv4 throughput: to/from (physical) ip|engines, no correlation,
to/from (virtual) tele|engines, to/from Out of Domain, transit, other,
locally rerouted, Non IPv4 WAN
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
October 2014
Executive officers
9-137
Ipanema System
The graphs
Used to display for each ip|engine the information concerning the following indicators:
Ethernet-Throughput (kbps) graphs:
IPv4 (kbps): Ingress or egress throughput in kbps for IPv4 traffic.

Apple Talk (kbps): Ingress or egress throughput in kbps for Apple Talk traffic..
IPX (kbps): Ingress or egress throughput in kbps for IPX traffic.
SNA (kbps): Ingress or egress throughput in kbps for SNA traffic.
IPV6 (kbps): Ingress or egress throughput in kbps for IPv6 traffic.
Ignored LAN (kbps): Ingress or egress throughput in kbps for Ignored LAN traffic (BPDU,
Spanning tree, loopback, ARP frames...).
IPv4 -Throughput (kbps) graphs:
9-138
To physical ipe (kbps): Ingress or egress throughput in kbps to equipped sites.

No correlation (kbps): Ingress or egress throughput in kbps with No correlation, if the
throughput is a major part of the total traffic may be a configuration error in the subnet, or some
flows are not seen end to end between ip|engines.
To Virtual ipe (kbps): Ingress or egress throughput in kbps to tele-managed sites.
To out of Domain (kbps): Ingress or egress throughput in kbps to subnet 0.0.0.0/0 (Out Of
Domain subnet).
Transit (kbps): Ingress or egress throughput in kbps for transit flows.
Other (kbps): Ingress or egress throughput in kbps for Other traffic, in fact Other traffic
contains Multicast traffic, Broadcast traffic, local traffic.
Locally rerouted (kbps): Ingress or egress throughput in kbps for rerouted traffic.
October 2014
9. 17. FI (FAULT ISOLATION) REPORTS

9. 17. 1. is - fi - availability - evolution
Fault Isolation Table
Fault Isolation - availability - evolution
October 2014
9-139
Ipanema System
What can it do?

Monitored resource

A Domain.
Status down, Status up, synchronization loss, highest CPU load,
WAN overload (%).
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
Short reporting
5 minutes
1 hour
4 hours
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The graphs
Used to display for ip|engines the information concerning the following indicators:
Status Down graph
This graph represents the Unavailability status of the ip|engine seen by the management system:
100%: All ip|engines detected as unavailable.

xx %: the percentage of ip|engines detected as unavailable.
0%: No ip|engine detected as unavailable.
Status Up graph
This graph represents the Availability status of the ip|engine seen by the management system:
100%: All ip|engines detected as available.

xx %: the percentage of ip|engines detected as available.
0%: No ip|engine detected as unavailable.
Synchronization loss graph

This graph represents the Synchronization loss status of the ip|engine:
100%: All ip|engines not synchronized.

xx %: percentage of ip|engines detected as not synchronized.
0%: All ip|engines synchronized.
Highest CPU load graph

This graph represents the highest CPU load of all ip|engines in percent if the reports is instantiated
on a list of ip|engines, or CPU load of the selected ip|engine in percent if the report is instantiated
on a single ip|engine.
WAN Overload graph
This graph represents the Overload status of the ip|engine (the WAN throughput exceeds the
capacity of the ip|engine):
9-140
100%: All ip|engines overloaded.

xx %: percentage of ip|engines detected as overload.
0%: no overloaded ip|engine.
October 2014
The availability and/or unavailability is linked to the managers ability to reach an

ip|engine in the Domain.
October 2014
9-141
Ipanema System
9. 17. 2. is - fi - availability - overview

Fault Isolation Table
Fault Isolation - Availability - Overview

What can it do?
Monitored resource
This template is available for the following MetaView:

A Domain .
Site, Status down (%), Status up (%), synchronized (%), highest
CPU load, WAN overload (%).
What is measured
How it is measured
Type of report
Hourly
Daily
Weekly
Monthly
Display Rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
The table
Used to display for each ip|engine the information concerning the following indicators:
Site
Down Status (%)
Unavailability status of the ip|engine seen by the management system.
Up Status (%)
Availability status of the ip|engine seen by the management system.
9-142
100%: the ip|engine is detected as unavailable during a whole display

period.
xx %: the percentage of time during which the ip|engine is detected as
unavailable during a display period.
0%: the ip|engine is not detected as unavailable during a display
period.
100%: the ip|engine is detected as available during a whole display

period.
available during a display period.
0%: the ip|engine is not detected as available during a display period.
October 2014
Synchronization
loss (%)
Synchronization status of the ip|engine.
100%: the ip|engine is not synchronized during a display period.

not synchronized during a display period.
0%: the ip|engine is synchronized during a whole display period.
Highest CPU load
Highest CPU load of ip|engines in percent if the reports is instantiated on

a list of ip|engines, or CPU load of an ip|engine in percent if the report is
instantiated on a single ip|engine, during a display period.
WAN Overload
(%)
Overload status of the ip|engine (the WAN throughput exceeds the

capacity of the ip|engine)
100%: the ip|engine is overloaded during a whole display period.

overload during a display period.
0%: the ip|engine not overloaded during a display period.
The availability and/or unavailability is linked to the managers ability to reach an

ip|engine in the Domain.
October 2014
9-143
Ipanema System
9. 18. SP (SMART PLANNING) REPORTS

9. 18. 1. is - sp - profile
Smart planning Table
Smart planning Profile

What can it do?
Monitored resource
What is measured
An Equipped site with a single appliance,

plus, if the site has several WAN accesses: each WAN access;
Throughput (kbps), Right Size (kbps)
How it is measured
9-144
Type of report
Hourly
Daily
Weekly
Monthly
Display rate
1 hour
1 day
1 week
1 month
Time Span
1 hour
1 day
1 week
1 month
Life Time
24 hours
7 days
5 weeks
12 months
Audience
Network analysts
Executive officers
October 2014
The graphs
Used to display, for each site (ip|engine) in the Domain, for all traffic in the ingress and egress
direction, the throughput (in kbps) and right size (in kbps), by criticality level (top, high, medium
and low) per percentage of time.
The bargraph top shows the bandwidth for top critical flows.
The bargraph high shows the bandwidth for top and high critical flows.
The bargraph medium shows the bandwidth for top, high and medium critical flows.
The bargraph low shows the bandwidth for top, high, medium and low critical flows.
On a flow per flow basis, smart|plan takes into account the traffic demand (the per-session
objective bandwidth, as set in corresponding Application Group), the actual network usage
(from measurement function) and the existence, or not, of local or distant congestions (from the
Application Control function). Flows elasticity is also estimated and taken into account.
Then smart|plan aggregates this data according to access and criticality, and produces the
following information:
the actual traffic usage (what has been exchanged on the network) per percentage of time;
the right size value (estimated access size to match objectives, including correction for
end-to-end congestions and flows elasticity) per percentage of time.
smart|plan generates two metrics:
The actual usage Throughput (in kbps) is carried out by the measurement module of the
Ipanema System. The original data produced is processed to be aggregated by criticality level
and by access.
The access right size Right Size (in kbps) presents for the site per criticality refined estimate
of the necessary access bandwidth to match the service level according to the percentage of
time, taking into account the flow matrix, end-to-end congestions as well as characteristics of
the flows. Depending on actual traffic nature and congestion status, it can be equal to or smaller
than the traffic demand.
October 2014
9-145
Ipanema System
9. 18. 2. is - sp - synthesis
Smart planning Table
Smart planning Synthesis
9-146
October 2014
What can it do?

Monitored resource

A Domain.
A list of sites equipped with a single appliance.
Throughput (kbps), Estimated bandwidth for the next 3 months
(kbps), Estimated bandwidth for the next year (kbps)
What is measured
How it is measured
Type of report
Daily
Display rate
1 day
Time Span
1 day
Life Time
1 day
Audience
Executive officers
The tables
A table is provided per each level of criticality you want to take into account (top; top and high; top,
high and medium; top, high, medium and low that is, all the traffic).
Used to display for each site (ip|engine) in the Domain, per selected level of criticality for all traffic
in the ingress and egress directions, the throughput (in kbps), and the trends for the next 3 months
and for the next year per percentile of time. For sites with multiple WAN accesses, it displays the
information both at the WAN access level (for each individual WAN link) and at the site level (all
WAN links, consolidated).
For each criticality level, two tables are provided:
The bandwidth and its trends for the next 3 months and next year,
The right size and its trends for the next 3 months and next year,
On a flow per flow basis, smart|plan takes into account the traffic demand (the per-session
bandwidth objective, as set in corresponding Application Group), the actual network usage
(measured by ip|true) and the presence of local or remote congestions (controlled by ip|fast).
Flows elasticity is also estimated and taken into account.
Then smart|plan aggregates these data according to access and criticality, and produces the
following information:
actual usage Throughput (in kbps): what has been exchanged on the network as a
percentage of time, aggregated by criticality level, by WAN access and by site;
estimated Throughput (in kbps): estimated WAN access size necessary to match objectives,
including correction for congestions and flows elasticity, for the next 3 months (according to the
network activity of the past 3 months) and for the next year (according to the network activity of
the past year), as a percentage of time.
October 2014
9-147
Ipanema System
9. 19. EXPORTING THE REPORTS DATA WITH IP|EXPORT

Installation: please refer to the System installation manual.
The goal of ip|export is to automate scheduled data exports from InfoVista Server Database.
The process exports values from specified sets of existing indicators and instances and produces
outputs files on a given regular period.
All expected parameters by the process are given in input as an XML configuration file, which
contains a list of tasks. Each task describes an export action with filter expressions on Domain,
MediaView, Indicator names and many other parameters such as the type of output files, field
separator, schedule period, etc. (Please refer to ip|export configuration below.)
Reports displaying the requested indicators must by running at all time to allow ip|export to export
them.
9. 19. 1. ip|export output files and directory

All output files are stored in the directory indicated in ip|export XML configuration files <export>
block. If "sliptbydomain=true" then output files are classified under subdirectories that correspond
to their domain names.
All files are stored in this directory, so there are three things the user should do:
create the given output directory (ip|export process will not create it automatically),
make sure that the disk space is always enough to store the new output files,
clean or move old output files (ip|export process will not clean them automatically).
Output files are named with the following naming convention:
<taskname>_<epochtime>.<ext>" if "splitbyparams=false", or
<taskname>_<params>_<epochtime>.<ext>" if "splitbyparams=true".
where:
9-148
taskname:
name of the task as described in the XML configuration file
params:
if "splitbyparams=true", then one file per detected parameter is generated.

If more than one parameter is returned, they are concatenated with the
underscore "_" character. If no parameter is returned then the filename is
identical to the first expression. (optional)
epochtime:
GMT(UTC) date and time of the beginning of the analyzed period in number
of seconds since January 1st 1970.
ext:
file extension depending on the output file format as described in the XML
configuration file (txt, csv, xls or xml).
October 2014
9. 19. 2. ip|export log file

ip|export produces a historical log of all actions, warnings or failures that occur. This log file is
named "ipm_export.log", located in the temporary directory (Windows: %TEMP%, Solaris: $TMP).
The format of the log file is as fiollows:
DateTime | Type | Description
where:
DateTime:
GMT(UTC) date and time with the following format: %Y/%m/%d-%H:%M:%S
Type:
Message type; it can take one of the following values:
Description:
INFO: for an informative message

WARN: for a warning message
ERROR: for an error message
FATAL: for an unexpected error causing program to stop
DEBUG: for debug message if debugging has been activated
A description (characters string)
9. 19. 3. ip|export command usage

The ipm_export command syntax is as follows:
ipm_export [-config file <filename>] [-verbose]
ipm_export -help|?
ipm_export -version
where:
-configfile:
set the configuration file; by default it is looking for "ipm_export.xml
-verbose:
enable the verbose mode (disabled by default)
-version:
display current version number
-help|?:
print this help usage
October 2014
9-149
Ipanema System
9. 19. 4. ip|export output file formats

The possible output formats are text (.txt), csv, Excel (.xls) and eXtended Markup Language (.xml),
as described in the XML configuration file, for each task.
For text files, the field separator can be set in the XML configuration file; by default the pipe (|) is
used.
For all output formats, the columns order is always as follows:
datetime:
date and time with the specified given format; if no format is provided then it
uses the raw Epoch time (number of seconds since January 1st 1970)
domain:
name of the domain (if "splitbydomain=true" then this column does not appear)
(optional)
metaview:
name of the MetaView.
indicator
name of the Indicator; if a rename entry is found for the indicator then the
new indicator name is used
params:
parameters separated with comma (if "splitbyparams=true" then this column

does not appear) (optional)
value:
value computed by the InfoVista Server
Examples
Example of text file
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L3 - L4 - qualified||1340

2010/05/04 15:00:00|default|Site: Paris|ingress throughput L3 - L4 - unqualified||0
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L4 - qualified||26660
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L4 - unqualified||0
....
Example of csv file
2010/05/04 15:00:00;default;Site: Paris;ingress throughput L3 - L4 - qualified;;1340

2010/05/04 15:00:00;default;Site: Paris;ingress throughput L3 - L4 - unqualified;;0
2010/05/04 15:00:00;default;Site: Paris;ingress throughput L4 - qualified;;26660
2010/05/04 15:00:00;default;Site: Paris;ingress throughput L4 - unqualified;;0
...
9-150
October 2014
Example of xml file
<?xml version="1.0"?>
<data>
<slot>
<datetime>2010/05/04 15:00:00</datetime>
<domain>default</domain>
<metaview>Site: Paris</metaview>
<indicator> ingress throughput L3 - L4 <params></params>
value>1340</value>
</slot>
<slot>
value>0</value>
</slot>
<slot>
value>26660</value>
</slot>
<slot>
value>0</value>
</slot>
...
</data>
qualified </indicator>
unqualified</indicator>
Example of xls file

A
E F
2010/05/04 default
15:00:00
Site: Paris
ingress throughput L3 - L4 - qualified
1340
2010/05/04 default
15:00:00
Site: Paris
ingress throughput L3 - L4 - unqualified
2010/05/04 default
15:00:00
Site: Paris
ingress throughput L4 - qualified
26660
2010/05/04 default
15:00:00
Site: Paris
ingress throughput L4 - unqualified
2010/05/04 default
14:59:00
Site: Paris
ingress throughput L3 - L4 - qualified
1340
2010/05/04 default
14:59:00
Site: Paris
ingress throughput L3 - L4 - unqualified
2010/05/04 default
14:59:00
Site: Paris
ingress throughput L4 - qualified
26660
...
...
...
... ...
October 2014
...
9-151
CHAPTER 10. SOFTWARE LICENSE

AGREEMENT
10. 1. IPANEMA SOFTWARE LICENSE AGREEMENT

Important - Please read carefully this license agreement (the License) before continuing. By
installing and using the Software (as defined below), you accept all the terms and conditions of
this License.
To use the Ipanema software modules (the Software) part of the Ipanemas Autonomic
Networking System (Ipanema System), the End User must be granted a License directly by
Ipanema Technologies SA (Ipanema) or through a duly authorized partner (the Partner). This
License is defined by the following terms:
10. 1. 1. Grant Right of Use

1. Ipanema grants to the End User (the Licensee) a non-exclusive and non-transferable right of
use of the Software under the following terms and provided the payment of the fees.
2. The right of use is restricted to the use of the Software for the exclusive purpose of installation
and operation of the Ipanema System in accordance with the recommendations and instructions of
Ipanema, issued in any form including the Ipanema technical documentation (the Documentation).
3. According to Software modules, the right of use is associated either with either a specific Ipanema
System configuration or by a certain number of ISUs (Ipanema Software Units) as described
in the commercial proposal or the contract. The right to use Software modules bound to ISUs
within an Ipanema System can be transferred by the End User to other such modules in the same
Ipanema System as long as the corresponding total number of ISUs is not exceeded. Any other
modification of the configuration will modify the already granted right to use and must be described
in a subsequent commercial proposal or contract.
4. The Licensee is not allowed hereunder to copy, modify, disassemble, decompile, decode,
translate, analyze, and perform reverse engineering. The End User is not authorized to sell,
lease, sublicense or distribute the Software in any form whatsoever. End User has no right to
use the Software for performing comparisons or other "benchmarking" activities and to publish
corresponding results without written authorization of Ipanema.
Ipanema expressly reserves the right to intervene in the Software to enable it to be used for its
intended purpose and in particular to correct the errors, and that under conditions of support service
offered independently hereof.
The Licensee may make one copy of the Software for back-up or archival purposes. This copy may
be used only in case of failure of the copy of the Software provided to Licensee.
10. 1. 2. Intellectual Property

1. Ipanema owns and shall retain all rights in particular the intellectual property rights, title
and interest in and to the Software and the Documentation, including any copies, customized
versions, corrections, bug fixes, updates, enhancements, new versions, or other modifications
to the Software. Except for the license rights granted herein, no intellectual property rights are
transferred.
2. Some components of the Software may be covered under one or more of the open source
licenses below. The Ipanema warranty for these modules apply as they are used embedded in
October 2014
10-1
Ipanema System
the Ipanema System. For licenses that require it, machine readable copies of modifications made
by Ipanema are available upon request. List of open source software used in the Software and
related copyright or license is available on the License Information page at the following address:
https://support.ipanematech.com/.
10. 1. 3. Term and Termination

1. The License is effective on the shipment date of the Software license key for the duration of the
intellectual property rights protection granted by French law, subject to the payment of the Initial
Software License Fee and of Software support fees.
2. Should the End User fail to comply with any of the terms and conditions of this License, Ipanema
or its Reseller shall be entitled to terminate the License. Such termination shall be effective fifteen
(15) days after formal demand requiring correction of the breach shall have been sent by registered
post with return receipt requested without the breach having been so corrected.
In the event of termination of this license, the End User shall:
Cease immediately all use of the Software;

De-install the Software within eight calendar days;
Pay to Ipanema or its Reseller all sums remaining due as at the date of termination.
10. 1. 4. Warranty
1. Ipanema warrants that the Software performs substantially according to its documentation for a
period of thirty (30) days date of shipment of the Software license key.
If the Software does not function as warranted during the Warranty Period, the End-User remedy
shall be, at Ipanemas option, to correct the Ipanema Software or to replace it free of charge with
a corrected version.
The warranty shall not apply to any non-conformity that is caused by: (a) the End Users misuse
or improper use of the Software, including, without limitation, the use or operation of the Software
with an application or in an environment other than that specified by Ipanema, or introduction of
data into any data structures or tables used by the Software by any means other than use of the
Software; (b) any third party software or hardware; (c) any modifications or additions to the Software
performed by parties other than Ipanema; or (d) the End Users failure to implement all problem
corrections and new releases.
2. EXCEPT FOR THE WARRANTIES SET FORTH IN SECTION 1. ABOVE, NEITHER IPANEMA
NEITHER ANY PERSON ON IPANEMAS BEHALF HAS MADE OR MAKES ANY OTHER
WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED
ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
SATISFACTORY QUALITY, NON-INTERRUPTION OF USE OR FREE OF BUGS, ERRORS OR
OTHER DEFECTS, TITLE, AND OF NON-INFRINGEMENT.
10. 1. 5. Liability
1. The Licensee is responsible for selecting the Software, for the use that is made and the results
that will be obtained. It assumes all liabilities relating to the qualification and competence of its staff.
The Licensee and End User must take all precautions to prevent the loss or destruction of its data,
including, but not limited, backups and regular audits. Licensee shall comply with all export laws
and regulations in particular but not limited to French and United States export restrictions.
2. IN NO EVENT SHALL IPANEMA, ITS AFFILIATES OR PARTNERS (OR THEIR
REPRESENTATIVES) BE LIABLE FOR CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL
DAMAGES, LOST PROFITS, LOSS OF DATA OR CLIENTS ARISING OUT OF OR RELATING
TO ANY BREACH OF THIS LICENSE OR THE USE OF IPANEMA SYSTEM, EVEN IF SUCH
DAMAGES WERE FORESEEABLE. IN NO EVENT SHALL IPANEMA, ITS AFFILIATES OR
PARTNERS (OR THEIR REPRESENTATIVES) AGGREGATE LIABILITY ARISING OUT OF
OR RELATING TO ANY BREACH OF THIS LICENSE, TORT (INCLUDING NEGLIGENCE OR
OTHERWISE, EXCEED (i) 250.000 OR (ii) THE AMOUNT PAID TO IPANEMA PURSUANT
TO THIS LICENSE IN THE TWELVE MONTH PERIOD PRECEDING THE EVENT GIVING RISE
TO THE CLAIM, WHICHEVER IS LESS.
10-2
October 2014
Software License Agreement
10. 1. 6. Miscellaneous
1. This License may be amended only by written agreement of the parties.
2. If any provision hereof is held invalid, the remainder shall continue in full force and effect.
3. A failure or delay in exercising any right, power or privilege in respect of this License will not be
presumed to operate as a waiver, and a single or partial exercise of any right, power or privilege will
not be presumed to preclude any subsequent or further exercise, of that right, power or privilege
or the exercise of any other right, power or privilege.
4. Parties expressly agree that this License is governed by French law and any proceedings arising
out of or in connection with this license shall be submitted to the court of Paris, France.
10. 2. LICENCE DUTILISATION DU LOGICIEL IPANEMA

(FRENCH)
Avertissement : Lisez attentivement ce contrat de Licence avant de poursuivre. En installant et
utilisant le logiciel tel que dfini ci-aprs, vous acceptez les conditions et dispositions de cette
License.
Pour avoir le droit dutiliser tout ou partie des modules logiciels Ipanema (le Logiciel ) composant
l Autonomic Networking System dIpanema, ( Systme Ipanema ), lUtilisateur Final doit
obtenir une licence dutilisation (la Licence) soit directement auprs dIpanema Technologies (
Ipanema ) soit auprs dun revendeur agr par Ipanema (le Revendeur ).
10. 2. 1. Etendue des Droits Concds

1. Par le prsent contrat de Licence, Ipanema concde lUtilisateur Final (le Licenci) le droit
dusage non exclusif et non cessible du Logiciel, dans les conditions ci-aprs dveloppes en
contrepartie du paiement du prix.
2. Le droit dusage concd lUtilisateur Final pour le Logiciel est restreint lutilisation du Logiciel
Ipanema dans le but exclusif de faire fonctionner le Systme Ipanema suivant les recommandations
et instructions dIpanema, mises sous quelque forme que ce soit, y compris le manuel dutilisation
(la Documentation ).
3. La proposition commerciale ou le contrat prcise lassociation du droit dusage de certains
modules du Logiciel la configuration spcifique du Systme Ipanema, et celui des autres
modules du Logiciel un certain nombre dISUs ( Ipanema Software Units ). Le droit dutiliser
les modules du Logiciel associs des ISUs au sein dun mme Systme Ipanema peut tre
modifi par lutilisateur final au profit dautres modules du Logiciel galement associs des ISUs
au sein du mme Systme Ipanema, pourvu que le nombre total dISUs dans le Systme Ipanema
ne soit pas dpass. Toute autre modification de configuration doit entraner la modification du
droit dutilisation dj concd tel que dcrit dans la proposition commerciale ou le contrat.
4. En dehors des droits concds ci-dessus et sans prjudice de ceux-ci, le Licenci nest pas
autoris au titre des prsentes copier, modifier, dsassembler, d-compiler, dcoder, le traduire,
lanalyser, procder lingnierie inverse vis--vis du Logiciel moins dy avoir t expressment
autoris par une disposition lgale dordre public. LUtilisateur Final nest pas autoris vendre,
louer, sous-licencier ou distribuer le Logiciel sous quelque forme que ce soit. LUtilisateur Final na
pas le droit dutiliser le Logiciel dans le but de mener des comparaisons ou dautres activits de
benchmarking ni den publier les rsultats sans un accord formel pralable dIpanema.
Ipanema se rserve expressment le droit exclusif dintervenir sur le Logiciel pour lui permettre
dtre utilis conformment sa destination et notamment pour en corriger les erreurs, et ce dans
des conditions de la prestation de maintenance offerte indpendamment des prsentes.
Le Licenci est autoris effectuer une unique copie du Logiciel usage de sauvegarde. Cette
copie ne pourra tre utilise quen cas de dfaillance de lexemplaire du Logiciel remis au Licenci.
October 2014
10-3
Ipanema System
10. 2. 2. Proprit Intellectuelle

1. Tous les droits de proprit industrielle et intellectuelle relatifs au Logiciel (incluant les copies,
adaptations, modifications, amliorations et toute future version), la Documentation demeurent la
proprit entire et exclusive dIpanema.
2. Le droit dusage de certains composants du Systme Ipanema est accord par une ou plusieurs
des licences Open Sources suivantes. La garantie Ipanema sapplique pour ces modules
dans le cadre de leur utilisation au sein du Systme Ipanema. Pour les licences qui le stipulent,
Ipanema fournira sur simple demande les modifications qui ont pu tre ralises. Liste des
logiciels open source utiliss ainsi que les licences y affrentes est disponible ladresse suivante
https://support.ipanematech.com/.
10. 2. 3. Dure
1. La Licence prend effet compter de mise disposition de la cl de licence Logiciel et ce pour la
dure de protection lgale des droits dauteur pour les logiciels. Elle est soumise au paiement de
la redevance initiale du Logiciel et de la maintenance du Logiciel pendant toute la dure deffet.
2. En cas de manquement de lUtilisateur Final aux obligations mentionnes dans la Licence,
Ipanema ou le Revendeur pourra rsilier la Licence. Cette rsiliation sera effective quinze (15) jours
aprs envoi avec Accus Rception dune demande de correction du manquement aux obligations
reste sans effet.
En cas de rsiliation de la licence, lutilisateur final devra :
Cesser immdiatement dutiliser le Logiciel,

Dsinstaller le Logiciel dans les huit jours calendaires,
Payer Ipanema ou son Revendeur toute somme restant due la date de rsiliation.
10. 2. 4. Garantie
1. Ipanema garantit que le Logiciel se comporte conformment la Documentation pendant une
priode de trente (30) jours suivant la mise disposition de la cl de licence Logiciel.
Dans le cas o le Logiciel ne se comporterait pas selon la Documentation, la garantie correspond
uniquement, au choix dIpanema, la correction des problmes rencontrs ou lenvoi dune
version corrige du Logiciel.
Cette garantie ne sapplique pas aux problmes causs par : a) la mauvaise utilisation du Logiciel,
incluant entre autre lutilisation du Logiciel avec une application ou dans un environnement autre
que celui spcifi par Ipanema ou lintroduction de donnes dans les tables utilises par le Logiciel
par un autre moyen que le Logiciel ; b) tout autre logiciel ou matriel externe Ipanema ; c) toute
modification ou addition au Logiciel non effectue par Ipanema; d) la non installation par lUtilisateur
Final dune solution de contournement ou dune version corrige.
2. LA GARANTIE ENONCEE CI-DESSUS EST LA SEULE GARANTIE A LAQUELLE LE
LICENCIE ET LUTILISATEUR FINAL PEUVENT PRETENDRE. AUCUNE GARANTIE
DEVICTION, AUCUNE GARANTIE RELATIVE A LADEQUATION DU LOGICIEL A UN BESION
SPECIFIQUE, DE NON CONTREFACON DE DROITS DE PROPRIETE INTELLECTUELLE,
DABSENCE DANOMALIES OU DERREUR, OU DE FONCTIONNEMENT ININTERROMPU
NEST ACCORDE.
10. 2. 5. Responsabilit
1. Le Licenci est responsable du choix du Logiciel, de lutilisation qui en est faite et des rsultats
qui en seront obtenus. Il assume toutes les responsabilits en ce qui concernent la qualification et
la comptence de son personnel. LUtilisateur Final doit prendre toutes les prcautions pour viter
la perte ou la destruction de ses donnes, incluant notamment des sauvegardes et vrifications
rgulires. Par ailleurs, il est de la responsabilit du Licenci de respecter les lois et rglements
en matire dexportation en vigueur notamment en France et aux Etats-Unis.
2. LES PARTIES CONVIENNENT EXPRESSEMENT QUE LA PERTE DE PROFIT, PERTE
DE CLIENTELE OU DECONOMIE ESCOMPTEES, PERTE DE COMMANDE, PERTE
10-4
October 2014
Software License Agreement
OU DETERIORATION DE DONNEES SUBIES PAR LUTILISATEUR FINAL SUITE A

LINSTALLATION OU LUTILISATION DUN SYSTEME IPANEMA CONSTITUE DES DOMMAGES
INDIRECTS DONT IPANEMA NE POURRA ETRE TENU RESPONSABLE. EN TOUT ETAT
DE CAUSE, LA RESPONSABILITE DIPANEMA POUR QUELQUE RAISON QUE CE SOIT ET
QUEL QUE SOIT SON FONDEMENT JURIDIQUE, SERA EXPRESSEMENT LIMITEE A LA
PLUS FAIBLE DES DEUX SOMMES SUIVANTES : (i) 250.000 EUR OU (ii) LE TOTAL DES
SOMMES PAYEES AU TITRE DE LA LICENCE DE LOGICIEL PAR LUTILISATEUR FINAL A
IPANEMA OU AU REVENDEUR DURANT LES 12 DERNIERS MOIS PRECEDANT LA DATE DE
LEVENEMENT CAUSE DU DOMMAGE.
10. 2. 6. Dispositions Gnrales

1. Les prsentes ne peuvent tre modifies que par voie davenant sign par les deux parties.
2. Si lune quelconque des stipulations du contrat est nulle au regard dune rgle de droit ou dune
loi en vigueur, elle sera rpute non crite, mais nentranera pas la nullit des prsentes.
3. Le fait pour lune des parties de ne pas se prvaloir ou de tarder se prvaloir de lapplication
dune clause du prsent contrat ne saurait tre interprt comme une renonciation ladite clause
ou comme une modification du prsent contrat.
4. De convention expresse entre les parties, la prsente Licence est soumise au droit franais.
Tous les litiges relatifs lexcution ou linterprtation de cette Licence seront soumis au tribunal
comptent de Paris, France.
October 2014
10-5
CHAPTER 11. TECHNICAL SUPPORT

Do not attempt to repair the equipment yourself. Do not remove ip|engine covers
and casings. This would void any warranty.
Please refer to the support and maintenance contract for specific information about these services.
Should you have any problem with your system, please contact your supplier for technical
assistance.
In any case, you can get support and information by logging on Ipanemas Support web site:
https://support.ipanematech.com/,
where you can access the Public Knowledge Database, find Technical notes and FAQs, be informed
of the latest developments and updates, download all the Ipanema software, create and track
tickets, and find other relevant information relating to the Ipanema System.
An account will be created on demand.
Other contact information:
E-mail: support@ipanematech.com
Phone: +(33)1 55 52 15 22
Fax: +(33)1 55 52 15 01
In the event of a technical problem, please supply as much information as possible, in particular:
your name, address, telephone number and the name of your company,
your Ipanema Technologies license number, see window about in ip|boss field reference,
the names, versions and serial numbers of the products you are using,
the version of ip|boss servers Operating System,
a description of the installed configuration and the configuration files,
a detailed description of the problem you have encountered.
October 2014
11-1

Ipanema System User Manual 8.1

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Ipanema System User Manual 8.1

Caricato da

Copyright:

Formati disponibili

Ipanema System

Issue: October 2014

The information contained in this document is subject to change without notice.

CHAPTER 1 IPANEMA SYSTEM ............................................ ..........

CHAPTER 2 UNIFIED ACCESS TO THE IPANEMA SYSTEM

CHAPTER 3 MANAGING DOMAINS, USERS AND LICENSES

6. 5. External LDAP authentication ..................................... ..........

CHAPTER 4 CONFIGURING SERVICES (IP|BOSS) ............. ..........

CHAPTER 5 IPANEMA SYSTEM SUPERVISION (IP|BOSS) . ..........

3. SYSTEM PROVISIONING: TOOLS .................................... ..........

CHAPTER 6 USING IPANEMA SERVICES (IP|BOSS) .......... ..........

CHAPTER 7 MONITORING (IP|DASHBOARD) ...................... ..........

CHAPTER 8 OPTIMIZING SSL (IP|DASHBOARD) ................ ..........

2. 4. Customize the SSL Proxy Certificate Trust Store ....... ..........

CHAPTER 9 REPORTING (IP|REPORTER) ........................... ..........

10. PM COMPRESSION REPORTS ....................................... ..........

CHAPTER 10 SOFTWARE LICENSE AGREEMENT ............... ..........

CHAPTER 11 TECHNICAL SUPPORT

in accordance with the V2.4 software version

in accordance with the V2.5 software version

in accordance with the V2.5.11 software version

in accordance with the V2.6.1 software version

in accordance with the V2.7.5 software version

in accordance with the V2.7.6 software version

in accordance with the V2.8 software version

in accordance with the V3.0 software version

in accordance with the V3.2 software version

in accordance with the V3.4 software version

in accordance with the V4.0 software version

ip|boss Solaris installation

in accordance with the V4.2 software version

in accordance with the V4.3 software version

Domain creation, ip|reporter Solaris installation,

manual organization; ip|reporters portmapper port;

in accordance with the V4.4 software version

ip|reporter web (no license key; user rights

in accordance with the v5.0.0r8 software version

Solaris installation removed from this manual;

in accordance with the v5.0.0r12 software version

in accordance with the v5.1 software version

2.5.4. Install/Uninstall ip|reporter on Windows, 2.6.1.

in accordance with the v5.2 software version

Minor corrections: 1. 2. 3. 5, 3. 6. 1 and 7.1.2:

2.1 JDK is not required any longer;

2.8.2 software upgrade (FTP)

2.2.3 and 2.3.3 minor corrections

in accordance with the v6.0 software version

A bug in the documentation system, which replaced

1.2.3.2 minor correction

8.8.11.1 minor correction

Virtual ip|engines are now called tele|engines.

in accordance with the v7.0 software version

Chapter 1 - Ipanema System was missing in rev. AL

in accordance with the v7.0.2 software version

in accordance with the v7.1 software version

suppression of the Undo button

in accordance with the v7.1.4 software version

A Timezone is added to the Domain configuration

More details on the time zone

More details on User rights on the reports

List of recognized applications updated

In accordance with the v8.0 RC software version

The Introduction has been completely revised.

In accordance with the v8.0 GA software version