
Application Delivery Controller (ADC) Implementation

Using AppDirector and AppWall


Solution Guide

February, 2009

North America
Radware Inc.
575 Corporate Dr., Lobby 1
Mahwah, NJ 07430
Tel: (888) 234-5763

International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666
www.radware.com
Application Delivery Controller (ADC) Implementation using AppDirector and
AppWall Solution Guide

Table of Contents
Introduction
General Configuration Steps
Tested Example Configurations
Example Configuration 1
  AppDirector Active
    Network Configuration
    Farm Configuration
    Servers Configuration
    Compression Configuration
    Cache Configuration
    SSL Policy Configuration
    Layer 4 Configuration
    Layer 7 Configuration
    AppDirector Health Monitoring
    VRRP Configuration
  AppDirector Backup
    Network Configuration
    Redundancy
    VRRP Configuration
  AppWall
    First Time Configuration
    Configure AppWall Cluster Manager
    Configure Cluster Tunnels
  Web Servers
Example Configuration 2
  AppDirector Active
    Network Configuration
    Farm Configuration
    Servers Configuration
    SSL Policy Configuration
    Compression Configuration
    Cache Configuration
    Layer 4 Configuration
    Layer 7 Configuration
    AppDirector Health Monitoring
    VRRP Configuration
  AppDirector Backup
    Network Configuration
    Redundancy
    VRRP Configuration
  AppWall
    First Time Configuration
    Configure AppWall Cluster Manager
    Configure Cluster Tunnels
  Web Servers
Technical Support

Introduction
As part of the Radware Application Delivery Controller (ADC) solution, AppGuard, in conjunction with
AppDirector, can perform traffic redirection and application acceleration with scalability and high availability, in
addition to Web Applications security. For more information on AppDirector, see the AppDirector User Guide.
For more information on AppWall, see the AppWall Management Application User Guide.

The combined solution can support various configurations, such as:


• Environments where both load balancing and SSL offloading are required. In such an environment,
AppDirector performs traffic redirection, SSL offloading, caching, and compression, after which
AppWall will inspect clear HTTP traffic.
• Environments where encryption must be maintained throughout the connection between the client
and the Web servers. In this environment, AppDirector performs traffic redirection, SSL offloading,
caching, and compression, and then sends traffic re-encrypted to AppWall. AppWall then decrypts the
traffic, inspects it, and opens a secure encrypted connection to the Web servers.

The basic solution architecture consists of an AppWall farm connecting to AppDirector as a proxy server farm.
AppDirector redirects the traffic to the destination Web Server farm via the AppWall farm, balancing the load
among the devices in the AppWall farm. After AppWall inspects the traffic, AppWall sends it back to
AppDirector to be distributed among the back-end Web servers. The following figure illustrates a generic
implementation of the solution.

FIGURE 1 – GENERIC IMPLEMENTATION OF THE APPDIRECTOR/APPWALL SOLUTION


General Configuration Steps

The following are the generic configuration steps required to implement any of the
examples included in this guide. The steps reference Figure 1 and are
discussed in more detail in Example Configuration 1 and Example Configuration 2.

1. Define a back-end Layer 4 policy on AppDirector, which redirects traffic to the destination Web
Servers farm. The policy should use an internal Virtual IP (VIP) (for example, 1.1.1.1, as shown in
Figure 1). Alternatively, if Layer 7 inspection is required, create a Layer 7 policy that redirects traffic to
the Web Servers farm, and have the Layer 4 policy redirect traffic to that Layer 7 policy.
2. Define Web servers on AppWall Gateway or Cluster Server (CS) using the AppWall Management
Application, with the VIP you created in the back-end Layer 4 policy (in Figure 1, 1.1.1.1). AppWall
uses this VIP to forward the inspected traffic via AppDirector to the Web Servers.
3. Create a tunnel on the AppWall Gateway or CS using the AppWall Management Application. In an
AppWall Cluster, each instance will have a different listening IP and forwarding IP (the IP that
replaces the client IP), but all the tunnels will have the same protected entity (that is, the Web server
you defined in step 2). As shown in the example in Figure 1, assume the tunnels have the listening
IPs of 3.3.3.1, 3.3.3.2 and 3.3.3.3.
4. Define an AppWall farm on AppDirector with the servers having the listening IPs of the AppWall
tunnels you defined (in the example, 3.3.3.1, 3.3.3.2, and 3.3.3.3).
5. Define a front-end Layer 4 policy on AppDirector, which includes the external VIP of the protected
Web service, redirecting traffic to the AppWall Gateways. In this Layer 4 policy there is no need to set
Layer 7 persistency because every AppWall Gateway can handle any HTTP request. Nevertheless, if
deploying backend SSL, SSL id persistency must be used in order for the same AppWall to decrypt
the same SSL session. Define additional Layer 4 policies for both HTTP and HTTPS traffic, where the
HTTPS policy also performs SSL decryption. If required, cache and compression can be added to the
Front-End Layer 4 policies.

Note: AppWall is always a non-transparent proxy, so whenever it is placed in the traffic path, the client IP
address changes. AppWall has an option to copy the client IP into the X-Forwarded-For HTTP header so that
the Web Servers will receive the client IP.
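
The following added example (not part of the Radware guide) shows how an application on the Web servers can recover the client address from X-Forwarded-For while accepting the header only from the proxy tier. It assumes the Web servers see connections arriving from the AppWall addresses of Example Configuration 1 (2.1.7.11 and 2.1.7.12); the function and variable names are hypothetical.

```python
import ipaddress

# Assumption: the Web servers see connections arriving from the AppWall
# forwarding addresses, taken here to be the AppWall interface IPs of
# Example Configuration 1. Replace with the forwarding IPs actually configured.
TRUSTED_PROXIES = frozenset(
    ipaddress.ip_address(ip) for ip in ("2.1.7.11", "2.1.7.12")
)


def client_ip(peer_ip, xff_header):
    """Return the address to use for logging and access decisions.

    peer_ip    -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # Only a trusted proxy may vouch for another address. A header sent on a
    # direct connection is ignored.
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    # Proxies append to the header, so read it right to left and stop at the
    # first hop that is not one of ours. Entries further left were supplied
    # by the client and are unverified.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(peer)  # malformed entry: fall back to the TCP peer
        if hop not in TRUSTED_PROXIES:
            return str(hop)
    return str(peer)


# Constructed sample requests: (TCP peer, X-Forwarded-For header).
SAMPLES = [
    ("2.1.7.11", "198.51.100.7"),            # normal request via AppWall-1
    ("2.1.7.12", "10.0.0.1, 198.51.100.7"),  # client pre-set its own entry
    ("203.0.113.50", "10.0.0.1"),            # direct connection with a header
    ("2.1.7.11", None),                      # header option disabled on AppWall
    ("2.1.7.11", "not-an-ip"),               # malformed header
]


def resolve_all(samples):
    """Resolve every (peer, header) pair in order."""
    return [client_ip(peer, header) for peer, header in samples]


if __name__ == "__main__":
    for (peer, header), resolved in zip(SAMPLES, resolve_all(SAMPLES)):
        print(f"peer={peer:<13} xff={header!r:<26} -> {resolved}")
```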

Tested Example Configurations

This solution guide includes two example configurations that were tested by Radware. When implementing
these example configurations, note the following:

- Health Monitoring uses HTTP and HTTPS protocol checks.
- Throughout this guide, reference is made to the “Radware” pre-configured certificate, but you can
import a certificate or create a new certificate in AppDirector. For more information on exporting,
importing, or creating a certificate, see the AppDirector User Guide.
- If you need to have persistency on the sessions pointing to the Web servers’ VIP (applicable for the
Back-End server’s Layer 4 policy only), you must add a Layer 7 policy or a Layer 7 persistency, or
both, to the AppDirector. For more information on configuring Layer 4 and Layer 7 policies, see the
AppDirector User Guide.
- If you use the AppWall BruteForce filter, Radware recommends using hashing as the dispatch
method because AppWall maintains a short history of user actions.
- While the example configurations guarantee high availability of all their component devices and
servers, they assume that at least one instance of each type of device must be up at any given time.
In the unusual case in which all of the AppWall devices are down, it is still possible to guarantee
service continuity by completely bypassing AppWall during the failure period. This mechanism, called
bypass, exists, but it is not included in the examples because it compromises security and it solves a
very rarely occurring problem. If you are interested in implementing bypass in your system, please
contact Radware Technical Support for details.
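
The hashing recommendation for the BruteForce filter can be illustrated with a small simulation. This is an added example, not Radware code: it assumes each AppWall node keeps its own per-client history, uses a constructed threshold of 5 failed logins, and stands in a SHA-256 hash of the client IP for AppDirector's hashing dispatch method.

```python
import hashlib
from collections import defaultdict

# AppWall listening IPs from Example Configuration 1.
NODES = ["2.1.7.11", "2.1.7.12"]
# Constructed value: failed logins from one client before a node flags it.
THRESHOLD = 5


class CyclicDispatcher:
    """Round-robin: each new request goes to the next node in the farm."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.next_index = 0

    def pick(self, client_ip):
        node = self.nodes[self.next_index % len(self.nodes)]
        self.next_index += 1
        return node


class HashDispatcher:
    """Assumed stand-in for a hashing dispatch method: the client IP alone
    selects the node, so one client always reaches the same AppWall."""

    def __init__(self, nodes):
        self.nodes = list(nodes)

    def pick(self, client_ip):
        digest = hashlib.sha256(client_ip.encode("ascii")).digest()
        return self.nodes[int.from_bytes(digest[:4], "big") % len(self.nodes)]


def simulate(dispatcher, events, threshold=THRESHOLD):
    """Replay (client_ip, login_failed) events through the farm.

    Each node keeps its own failure counter per client, modelling a filter
    whose history is local to the node (an assumption of this example).
    Returns (per-node counters, set of clients flagged by any node).
    """
    counters = {node: defaultdict(int) for node in dispatcher.nodes}
    flagged = set()
    for client_ip, login_failed in events:
        node = dispatcher.pick(client_ip)
        if not login_failed:
            continue
        counters[node][client_ip] += 1
        if counters[node][client_ip] >= threshold:
            flagged.add(client_ip)
    return counters, flagged


def highest_count(counters, client_ip):
    """Largest failure count any single node saw for client_ip."""
    return max(per_node[client_ip] for per_node in counters.values())


# Constructed sample: eight failed logins from one address, then normal traffic.
SAMPLE_EVENTS = [("198.51.100.7", True)] * 8 + [("192.0.2.10", False)] * 4

if __name__ == "__main__":
    for dispatcher in (CyclicDispatcher(NODES), HashDispatcher(NODES)):
        counters, flagged = simulate(dispatcher, SAMPLE_EVENTS)
        print(type(dispatcher).__name__,
              "max per-node failures:", highest_count(counters, "198.51.100.7"),
              "flagged:", sorted(flagged))
```

With cyclic dispatch the eight failures are split four and four between the nodes and neither reaches the threshold; with hashing one node sees all eight.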

Example Configuration 1
This configuration is suitable for the following solutions:
- If you require AppDirector for SSL security offloading, traffic compression and cache acceleration to
free up the Web servers’ CPU, and AppWall for application inspection.
- If you do not require security, but need high availability, load balancing, and traffic acceleration
using traffic compression.

The following is a list of the software and hardware used in testing this configuration:
- AppDirector version 2.0 running on OnDemand Switch 2
- AppWall v.4.6.0 running on OnDemand Switch 1 XL
- Microsoft IIS 7.0 running on the Web Servers
- IE 7.0 running on the Web Client

The following figure illustrates the configuration that was tested.

FIGURE 2 – CONFIGURATION 1

The following are the settings for each of the following devices in this configuration:
AppDirector Active
AppDirector Backup
AppWall
Web Servers

AppDirector Active
The following are the settings for the Active AppDirector:
Network Configuration
Farm Configuration
Servers Configuration
Compression Configuration
Cache Configuration
SSL Policy Configuration
Layer 4 Configuration
Layer 7 Configuration
AppDirector Health Monitoring
VRRP Configuration

Network Configuration
1. Create IP 10.1.30.101/16 on port 1
2. Create 2.1.6.101/24 on port 2
3. Create 2.1.7.101/24 on port 3
4. Create default route to 10.1.0.1

Farm Configuration
1. Create Farm named “AppWall.Farm” in AppDirector -> Farms -> Farm Table with these
parameters:
- Farm Name – AppWall.Farm
- Session mode – Regular
- Dispatch Method - Cyclic
- Connectivity checks – No Checks
- Leave all other fields as default

2. Create Farm named “Web.Servers” in AppDirector -> Farms -> Farm Table with these
parameters:
- Farm Name – Web.Servers
- Session mode – Server per session
- Dispatch Method - Cyclic
- Connectivity checks – No Checks
- Leave all other fields as default

Servers Configuration
1. Create Server named “AppWall.1” and attach it to Farm “AppWall.Farm” in AppDirector
-> Servers -> Application Servers -> Table with these parameters:
- Farm Name – AppWall.1
- Server Address – 2.1.7.11
- Leave all other fields as default

2. Create Server named “AppWall.2” and attach it to Farm “AppWall.Farm” in AppDirector
-> Servers -> Application Servers -> Table with these parameters:
- Farm Name – AppWall.2
- Server Address – 2.1.7.12
- Leave all other fields as default

3. Create Server named “Web.Server.1” and attach it to Farm “Web.Servers” in
AppDirector -> Servers -> Application Servers -> Table with these parameters:
- Farm Name – Web.Server.1
- Server Address – 2.1.6.11
- Leave all other fields as default

4. Create Server named “Web.Server.2” and attach it to Farm “Web.Servers” in
AppDirector -> Servers -> Application Servers -> Table with these parameters:
- Farm Name – Web.Server.2
- Server Address – 2.1.6.12
- Leave all other fields as default

Compression Configuration
Create Compression policy named “HTTP.compression.policy” in AppDirector -> Servers ->
Layer4 Traffic configuration -> Compression Policy with these parameters:
- Policy Name – HTTP.compression.policy
- Algorithm – GZIP
- Compression level - 1
- Leave all other fields as default

Cache Configuration
Create Caching policy named “Cache.policy” in AppDirector -> Servers -> Layer4
Traffic configuration -> Caching Policy with these parameters:
- Admin Status – Enable
- Leave all other fields as default

SSL Policy Configuration


Create SSL policy in AppDirector -> L4 Traffic Redirection -> SSL Policy
- Policy name – HTTPS.pol
- Certificate – radware
- Listening Server Port – 80 (AppWall listens for clear-text traffic on the HTTP port)
- Leave all other fields as default

Note: Throughout this guide, reference is made to the “radware” pre-configured certificate,
but you can import a certificate or create a new certificate in AppDirector. For more
information on exporting, importing, or creating a certificate, see the AppDirector User Guide.

Layer 4 Configuration
1. Create L4 Policy for HTTPS Traffic named “AppWall.HTTPS.policy” in AppDirector ->
Servers -> Server Table with these parameters:
- Virtual IP – 10.1.30.200
- L4 Protocol – TCP
- L4 Port – 443
- L4 Policy Name – AppWall.HTTPS.policy
- Application - HTTPS
- Farm Name – AppWall.Farm
- SSL Policy – HTTPS.pol
- Caching Policy - Cache.policy
- Compression Policy - HTTP.compression.policy
- Leave all other fields as default

2. Create L4 Policy for HTTP Traffic named “AppWall.HTTP.policy” in AppDirector ->
Servers -> Server Table with these parameters:
- Virtual IP – 10.1.30.200
- L4 Protocol – TCP
- L4 Port – 80
- L4 Policy Name – AppWall.HTTP.policy
- Application - HTTP
- Farm Name – AppWall.Farm
- Caching Policy - Cache.policy
- Compression Policy - HTTP.compression.policy
- Leave all other fields as default

3. Create L4 Policy for Web Servers HTTP Traffic named “Web.Servers.HTTP.policy” in
AppDirector -> Servers -> Server Table with these parameters:
- Virtual IP – 2.1.7.200
- L4 Protocol – TCP
- L4 Port – 80
- L4 Policy Name – Web.Servers.HTTP.policy
- Application - HTTP
- Farm Name – Web.Servers
- Leave all other fields as default

Layer 7 Configuration
If you need to have persistency on the sessions pointing to the Web servers’ VIP (applicable for
the Back-End server’s Layer 4 policy only), you must add a Layer 7 policy or a Layer 7
persistency, or both, to the AppDirector. For more information on configuring Layer 4 and Layer 7
policies, see the AppDirector User Guide.

AppDirector Health Monitoring


1. Enable Health Monitoring in Health Monitoring -> Global Parameters

2. Create a Check for HTTP on server 2.1.7.11 in Health Monitoring -> Check Table
- Check name – AppWall.1.HTTP.Check
- Method – HTTP
- Dest IP – 2.1.7.11
- Dest Port – 80

3. Create a Check for HTTP on server 2.1.7.12 in Health Monitoring -> Check Table
- Check name – AppWall.2.HTTP.Check
- Method – HTTP
- Dest IP – 2.1.7.12
- Dest Port – 80

4. Create a Check for HTTP on server 2.1.6.11 in Health Monitoring -> Check Table
- Check name – Web.Server.1.HTTP.Check
- Method – HTTP
- Dest IP – 2.1.6.11
- Dest Port – 80

5. Create a Check for HTTP on server 2.1.6.12 in Health Monitoring -> Check Table
- Check name – Web.Server.2.HTTP.Check
- Method – HTTP
- Dest IP – 2.1.6.12
- Dest Port – 80

6. Bind the check AppWall.1.HTTP.Check to Server 2.1.7.11 in Health Monitoring -> Binding
Table
7. Bind the check AppWall.2.HTTP.Check to Server 2.1.7.12 in Health Monitoring -> Binding
Table
8. Bind the Web.Server.1.HTTP.Check to Server 2.1.6.11 in Health Monitoring -> Binding
Table
9. Bind the Web.Server.2.HTTP.Check to Server 2.1.6.12 in Health Monitoring -> Binding
Table

VRRP Configuration
1. Enable VRRP in AppDirector -> Redundancy -> Global Configuration
- IP Redundancy Admin Status – VRRP
- Interface Grouping – Enable
- ARP with interface grouping – Send
- Backup Fake ARP – Enable
- Backup Interface Grouping – Enable
- Leave all other fields as default

2. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router
Table
- IF Index – 1
- VR ID – 1
- Priority – 255 (Highest number is Active device)
- Primary IP – 10.1.30.101
- Leave all other options as default

3. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router
Table
- IF Index – 2
- VR ID – 2
- Priority – 255 (Highest number is Active device)
- Primary IP – 2.1.6.101
- Leave all other options as default

4. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router
Table
- IF Index – 3
- VR ID – 3
- Priority – 255 (Highest number is Active device)
- Primary IP – 2.1.7.101
- Leave all other options as default

5. Create Associated IP Addresses in AppDirector -> Redundancy -> VRRP -> Associated IP
Addresses
- IF Index – 1, VR ID – 1, Associated IP 10.1.30.101
- IF Index – 1, VR ID – 1, Associated IP 10.1.30.200
- IF Index – 2, VR ID – 2, Associated IP 2.1.6.101
- IF Index – 3, VR ID – 3, Associated IP 2.1.7.101
- IF Index – 3, VR ID – 3, Associated IP 2.1.7.200

AppDirector Backup

The following are the settings for the Backup AppDirector:


Network Configuration
Redundancy
VRRP Configuration

Network Configuration
1. Create IP 10.1.30.102/16 on port 1
2. Create 2.1.6.102/24 on port 2
3. Create 2.1.7.102/24 on port 3
4. Create default route to 10.1.0.1
5. Copy all configuration from the Active AppDirector device

Redundancy
If you have APSolute Insite installed, use the Insite wizard to copy and convert the Active
AppDirector configuration choosing the redundancy mode VRRP or Proprietary. For more
information on this wizard, see the AppDirector User Guide.

VRRP Configuration
1. Enable VRRP in AppDirector -> Redundancy -> Global Configuration
- IP Redundancy Admin Status – VRRP
- Interface Grouping – Enable
- ARP with interface grouping – Send
- Backup Fake ARP – Enable
- Backup Interface Grouping – Enable
- Leave all other fields as default

2. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual
Router Table
- IF Index – 1
- VR ID – 1
- Priority – 100 (Highest number is Active device)
- Primary IP – 10.1.30.102
- Leave all other options as default

3. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual
Router Table
- IF Index – 2
- VR ID – 2
- Priority – 100 (Highest number is Active device)
- Primary IP – 2.1.6.102
- Leave all other options as default

4. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual
Router Table
- IF Index – 3
- VR ID – 3
- Priority – 100 (Highest number is Active device)
- Primary IP – 2.1.7.102
- Leave all other options as default

5. Create Associated IP Addresses in AppDirector -> Redundancy -> VRRP ->
Associated IP Addresses
- IF Index – 1, VR ID – 1, Associated IP 10.1.30.101
- IF Index – 1, VR ID – 1, Associated IP 10.1.30.200
- IF Index – 2, VR ID – 2, Associated IP 2.1.6.101
- IF Index – 3, VR ID – 3, Associated IP 2.1.7.101
- IF Index – 3, VR ID – 3, Associated IP 2.1.7.200

AppWall
AppWall configuration consists of the following:
First Time Configuration
Configure AppWall Cluster Manager
Configure Cluster Tunnels

First Time Configuration


Use the AppWall Management Application CLI to perform first time configuration. For more information, see
the AppWall Management Application User Guide.

1. Using the CLI, configure AppWall-1 as follows:
- Create the Management IP on Interface MNG-1 192.168.1.10
- Create the IP on interface 1 – 2.1.7.11
- Create default Gateway to – 2.1.7.101

2. Using the CLI, configure AppWall-2 as follows:
- Create the Management IP on Interface MNG-1 192.168.1.11
- Create the IP on interface 1 – 2.1.7.12
- Create the default Gateway to – 2.1.7.101

Configure AppWall Cluster Manager

Note: If you are using a single AppWall in your configuration, skip this section and go to Configure Cluster
Tunnels. In this case, all references to the “cluster” can be replaced with the “AppWall Management
Application”.

1. Install the AppWall Cluster Manager on one of the AppWall devices for central control of all AppWall
devices in the cluster.

The AppWall Cluster Manager enables you to deploy AppWall devices in a cluster using a single
Security Console, which is connected to the AppWall Cluster Manager. It is possible to manage
relevant changes to a Security Policy across a number of AppWall devices.

2. From the AppWall Cluster Manager, check the Cluster Manager mode in System Configuration-
>Settings. If Cluster Manager is not selected, click Setup Cluster Manager, and then OK at the
prompt.

3. If you have not already done so, obtain a Cluster Manager license from Radware and install it using
the AppWall Management Application from Configuration -> AppWall Server -> Management ->
Licenses.

Configure Cluster Tunnels

After adding the AppWall nodes to the device, configure the tunnels; the cluster distributes
them to all nodes.

1. In the AppWall Management Application, in the Configuration view, open Server Group -> AppWall
Server -> Tunnels and right-click HTTP. Select Wizard.

2. Click Next in the welcome window.

3. Type Tunnel.1 in the Name field, and click Next.

4. In the Listening Address field, select 2.1.7.11.

5. To the right of the Protected Object field, click New.

6. In the dialog box, add the VIP IP pointing to the web servers that you configured on the AppDirector
as follows:
- Name – Web.Server.VIP
- Description - Web.Server.VIP
- IP – 2.1.7.200 (This is the IP configured on the AppDirector that is load balancing the
Web servers)
- Port – 80 (any port can be chosen if needed)
- Protocol - HTTP

7. Click OK, then click Next.

8. Click Next.

9. Click Finish.

10. Highlight Tunnel.1, which you just created, and select the TCP properties tab. Configure the Listening
Address and Forwarding Address as appropriate.

11. Do one of the following:
- If you do not have a Cluster license, skip to step 14.
- If you do have a Cluster license, highlight Configuration Manager, right-click, and select Add.

12. In the Configuration view, right-click the Server Group and add the second AppWall (AppWall-2)
using the Management IP address 192.168.1.11.

13. Click OK, then click Save on the bottom right-corner of the screen, then click Apply Changes.

14. Double-click the tunnel rule and change the Listening Address and Forwarding Address to the correct
IPs and port.

15. Click OK, then click Apply Changes.

Web Servers
Configure the Web Servers as follows:
1. For Web Server -1
- Create IP 2.1.6.11/24
- Create the default Gateway to 2.1.6.101
2. For Web Server -2
- Create IP 2.1.6.12/24
- Create the default Gateway to 2.1.6.101
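
The addresses in Example Configuration 1 only work if the AppDirector farms, Layer 4 policies, AppWall tunnels, health checks, and VRRP entries agree with each other as described in General Configuration Steps 1 to 5. The following added example (not Radware tooling) cross-checks them. The dictionary layout is a hypothetical model, not an export format of either product, and the second tunnel's listening IP is assumed to be the AppWall.2 farm address.

```python
import copy

# Hypothetical data model, not an AppDirector or AppWall export format.
# Values are transcribed from Example Configuration 1.
CONFIG_1 = {
    "farms": {
        "AppWall.Farm": {"servers": ["2.1.7.11", "2.1.7.12"], "ssl_id_tracking": False},
        "Web.Servers": {"servers": ["2.1.6.11", "2.1.6.12"], "ssl_id_tracking": False},
    },
    "l4_policies": {
        "AppWall.HTTPS.policy": {"vip": "10.1.30.200", "port": 443,
                                 "farm": "AppWall.Farm", "ssl_policy": "HTTPS.pol"},
        "AppWall.HTTP.policy": {"vip": "10.1.30.200", "port": 80, "farm": "AppWall.Farm"},
        "Web.Servers.HTTP.policy": {"vip": "2.1.7.200", "port": 80, "farm": "Web.Servers"},
    },
    "ssl_policies": {"HTTPS.pol": {"backend_ssl": False}},
    # One tunnel per AppWall node. The second listening IP is assumed to be the
    # AppWall.2 farm address; both protect the Web.Server.VIP object.
    "tunnels": [
        {"listen": "2.1.7.11", "protected": ("2.1.7.200", 80)},
        {"listen": "2.1.7.12", "protected": ("2.1.7.200", 80)},
    ],
    "health_checks": ["2.1.7.11", "2.1.7.12", "2.1.6.11", "2.1.6.12"],
    "vrrp_associated_ips": ["10.1.30.101", "10.1.30.200", "2.1.6.101",
                            "2.1.7.101", "2.1.7.200"],
}


def audit(cfg, appwall_farm="AppWall.Farm", web_farm="Web.Servers"):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    farms, policies = cfg["farms"], cfg["l4_policies"]
    listen_ips = {t["listen"] for t in cfg["tunnels"]}
    protected = {t["protected"] for t in cfg["tunnels"]}
    backend_vips = {(p["vip"], p["port"]) for p in policies.values()
                    if p["farm"] == web_farm}

    # Step 4: the AppWall farm members are exactly the tunnel listening IPs.
    for ip in sorted(set(farms[appwall_farm]["servers"]) ^ listen_ips):
        findings.append(f"farm/tunnel mismatch: {ip}")

    # Steps 1-3: each tunnel forwards to a back-end VIP on AppDirector.
    for t in cfg["tunnels"]:
        if t["protected"] not in backend_vips:
            ip, port = t["protected"]
            findings.append(f"tunnel {t['listen']} protects {ip}:{port}, not a back-end VIP")

    # A policy that reaches the Web farm on a VIP no tunnel forwards to is a
    # path that skips AppWall inspection.
    for name, p in sorted(policies.items()):
        if p["farm"] == web_farm and (p["vip"], p["port"]) not in protected:
            findings.append(f"{name} reaches {web_farm} without passing AppWall")

    # Step 5: back-end SSL needs SSL ID persistency on the farm it targets.
    for name, p in sorted(policies.items()):
        ssl = cfg["ssl_policies"].get(p.get("ssl_policy"), {})
        if ssl.get("backend_ssl") and not farms[p["farm"]]["ssl_id_tracking"]:
            findings.append(f"{name}: back-end SSL without SSL Id Tracking on {p['farm']}")

    # Health Monitoring and VRRP sections: every server has a check, and every
    # VIP fails over with the virtual router.
    for farm in farms.values():
        for ip in farm["servers"]:
            if ip not in cfg["health_checks"]:
                findings.append(f"no health check bound to {ip}")
    for vip in sorted({p["vip"] for p in policies.values()}):
        if vip not in cfg["vrrp_associated_ips"]:
            findings.append(f"VIP {vip} missing from VRRP associated IPs")
    return findings


if __name__ == "__main__":
    print("Example Configuration 1:", audit(CONFIG_1) or "consistent")
    # Constructed misconfiguration: a front-end policy pointed at the Web farm.
    drifted = copy.deepcopy(CONFIG_1)
    drifted["l4_policies"]["Direct.policy"] = {
        "vip": "10.1.30.201", "port": 80, "farm": "Web.Servers"}
    for finding in audit(drifted):
        print("finding:", finding)
```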

Example Configuration 2
In this scenario, traffic is secured by SSL throughout the entire traffic path of the configuration. This
configuration is intended for servers that are configured not to use HTTP. To lower the amount of
traffic going through AppWall and the Web servers, AppWall and the Web servers use a lower encryption
certificate. However, this lower encryption certificate is still sufficiently secure.
The following is a list of software and hardware used in testing this configuration:
- AppDirector version 2.0 running on OnDemand Switch 2
- AppWall v.4.6.0 running on OnDemand Switch 1 XL
- Microsoft IIS 7.0 running on the Web Servers
- IE 7.0 running on the Web Client

The following figure illustrates the configuration that was tested.

FIGURE 3 – CONFIGURATION 2

The following are the settings for each of the following devices in this configuration:
AppDirector Active
AppDirector Backup
AppWall
Web Servers

AppDirector Active
The following are the settings for the Active AppDirector:
Network Configuration
Farm Configuration
Servers Configuration
SSL Policy Configuration
Compression Configuration
Cache Configuration
Layer 4 Configuration
Layer 7 Configuration
AppDirector Health Monitoring
VRRP Configuration

Network Configuration
1. Create IP 10.1.30.101/16 on port 1
2. Create 2.1.6.101/24 on port 2
3. Create 2.1.7.101/24 on port 3
4. Create default route to 10.1.0.1

Farm Configuration
1. Create Farm named “AppWall.Farm” in AppDirector -> Farms -> Farm Table with these
parameters:
- Farm Name – AppWall.Farm
- Session mode – Regular
- Dispatch Method - Cyclic
- Connectivity checks – No Checks
- Leave all other fields as default

2. Create Farm named “Web.Servers” in AppDirector -> Farms -> Farm Table with
these parameters:
- Farm Name – Web.Servers
- Session mode – Server per session
- Dispatch Method - Cyclic
- Connectivity checks – No Checks
- Leave all other fields as default
3. Select the “AppWall.Farm” entry in AppDirector -> Farms -> Extended
Parameters and update the parameter:
- SSL Id Tracking – Enabled

4. Select the “Web.Servers” entry in AppDirector -> Farms -> Extended
Parameters and update the parameter:
- SSL Id Tracking – Enabled

Servers Configuration
1. Create Server named “AppWall.1” and attach it to Farm “AppWall.Farm” in AppDirector ->
Servers -> Application Servers -> Table with these parameters:
- Farm Name – AppWall.1
- Server Address – 2.1.7.11
- Leave all other fields as default

2. Create Server named “AppWall.2” and attach it to Farm “AppWall.Farm” in
AppDirector -> Servers -> Application Servers -> Table with these parameters:
- Farm Name – AppWall.2
- Server Address – 2.1.7.12
- Leave all other fields as default

3. Create Server named “Web.Server.1” and attach it to Farm “Web.Servers” in
AppDirector -> Servers -> Application Servers -> Table with these parameters:
- Farm Name – Web.Server.1
- Server Address – 2.1.6.11
- Leave all other fields as default

4. Create Server named “Web.Server.2” and attach it to Farm “Web.Servers” in
AppDirector -> Servers -> Application Servers -> Table with these parameters:
- Farm Name – Web.Server.2
- Server Address – 2.1.6.12
- Leave all other fields as default

SSL Policy Configuration


Create SSL policy in AppDirector -> L4 Traffic Redirection -> SSL Policy
- Policy name – HTTPS.pol
- Certificate – radware
- Listening Server Port – 80 (AppWall listens for clear-text traffic on the HTTP port)
- Backend SSL State – Enable
- Backend SSL Cipher - LOW
- Leave all other fields as default

Note: Throughout this guide, reference is made to the “radware” pre-configured certificate, but
you can import a certificate or create a new certificate in AppDirector. For more information on
exporting, importing, or creating a certificate, see the AppDirector User Guide.

Compression Configuration
Create Compression policy named “HTTP.compression.policy” in AppDirector -> Servers
-> Layer4 Traffic configuration -> Compression Policy with these parameters
- Policy Name – HTTP.compression.policy
- Algorithm – GZIP
- Compression level - 1
- Leave all other fields as default

Cache Configuration
Create Caching policy named “Cache.policy” in AppDirector -> Servers -> Layer4
Traffic configuration -> Caching Policy with these parameters:
- Admin Status – Enable
- Leave all other fields as default

Layer 4 Configuration
1. Create L4 Policy for HTTP Traffic named “AppWall.HTTP.policy” in AppDirector -> Servers ->
Server Table with these parameters:
- Virtual IP – 10.1.30.200
- L4 Protocol – TCP
- L4 Port – 80
- L4 Policy Name – AppWall.HTTP.policy
- Application - HTTP
- Farm Name – AppWall.Farm
- Caching Policy - Cache.policy
- Compression Policy - HTTP.compression.policy
- Leave all other fields as default

2. Create L4 Policy for Web Servers HTTP Traffic named “Web.Servers.HTTPS.policy” in
AppDirector -> Servers -> Server Table with these parameters:
- Virtual IP – 2.1.7.200
- L4 Protocol – TCP
- L4 Port – 443
- L4 Policy Name – Web.Servers.HTTPS.policy
- Application - HTTPS
- Farm Name – Web.Servers
- Leave all other fields as default

Layer 7 Configuration
If you need to have persistency on the sessions pointing to the Web servers’ VIP
(applicable for the Back-End server’s Layer 4 policy only), you must add a Layer 7 policy
or a Layer 7 persistency, or both, to the AppDirector. For more information on configuring
Layer 4 and Layer 7 policies, see the AppDirector User Guide.

AppDirector Health Monitoring


1. Enable Health Monitoring in Health Monitoring -> Global Parameters

2. Create a Check for HTTP on server 2.1.7.11 in Health Monitoring -> Check Table
- Check name – AppWall.1.HTTP.Check
- Method – HTTP
- Dest IP – 2.1.7.11
- Dest Port – 80

3. Create a Check for HTTP on server 2.1.7.12 in Health Monitoring -> Check Table
- Check name – AppWall.2.HTTP.Check
- Method – HTTP
- Dest IP – 2.1.7.12
- Dest Port – 80

4. Create a Check for HTTPS on server 2.1.7.11 in Health Monitoring -> Check Table
- Check name – AppWall.1.HTTPS.Check
- Method – HTTPS
- Dest IP – 2.1.7.11
- Dest Port – 443

5. Create a Check for HTTPS on server 2.1.7.12 in Health Monitoring -> Check Table
- Check name – AppWall.2.HTTPS.Check
- Method – HTTPS
- Dest IP – 2.1.7.12
- Dest Port – 443

6. Create a Check for HTTP on server 2.1.6.11 in Health Monitoring -> Check Table
- Check name – Web.Server.1.HTTP.Check
- Method – HTTP
- Dest IP – 2.1.6.11
- Dest Port – 80

7. Create a Check for HTTP on server 2.1.6.12 in Health Monitoring -> Check Table
- Check name – Web.Server.2.HTTP.Check
- Method – HTTP
- Dest IP – 2.1.6.12
- Dest Port – 80

8. Bind the check AppWall.1.HTTP.Check to Server 2.1.7.11 in Health Monitoring ->
Binding Table
9. Bind the check AppWall.2.HTTP.Check to Server 2.1.7.12 in Health Monitoring ->
Binding Table
10. Bind the check AppWall.1.HTTPS.Check to Server 2.1.7.11 in Health Monitoring ->
Binding Table
11. Bind the check AppWall.2.HTTPS.Check to Server 2.1.7.12 in Health Monitoring ->
Binding Table
12. Bind the Web.Server.1.HTTP.Check to Server 2.1.6.11 in Health Monitoring -> Binding
Table
13. Bind the Web.Server.2.HTTP.Check to Server 2.1.6.12 in Health Monitoring -> Binding
Table

VRRP Configuration
1. Enable VRRP in AppDirector -> Redundancy -> Global Configuration
- IP Redundancy Admin Status – VRRP
- Interface Grouping – Enable
- ARP with interface grouping – Send
- Backup Fake ARP – Enable
- Backup Interface Grouping – Enable
- Leave all other fields as default

2. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router Table
- IF Index – 1
- VR ID – 1
- Priority – 255 (Highest number is Active device)
- Primary IP – 10.1.30.101
- Leave all other options as default

3. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router Table
- IF Index – 2
- VR ID – 2
- Priority – 255 (Highest number is Active device)
- Primary IP – 2.1.6.101
- Leave all other options as default

4. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual Router Table
- IF Index – 3
- VR ID – 3
- Priority – 255 (Highest number is Active device)
- Primary IP – 2.1.7.101
- Leave all other options as default

5. Create Associated IP Addresses in AppDirector -> Redundancy -> VRRP ->
Associated IP Addresses
- IF Index – 1, VR ID – 1, Associated IP 10.1.30.101
- IF Index – 1, VR ID – 1, Associated IP 10.1.30.200
- IF Index – 2, VR ID – 2, Associated IP 2.1.6.101
- IF Index – 3, VR ID – 3, Associated IP 2.1.7.101
- IF Index – 3, VR ID – 3, Associated IP 2.1.7.200

AppDirector Backup
The following are the settings for the Backup AppDirector:
- Network Configuration
- Redundancy
- VRRP Configuration

Network Configuration
1. Create IP 10.1.30.102/16 on port 1
2. Create 2.1.6.102/24 on port 2
3. Create 2.1.7.102/24 on port 3
4. Create default route to 10.1.0.1
5. Copy all configuration from the Active AppDirector device

Redundancy
If you have APSolute Insite installed, use the Insite wizard to copy and convert the Active
AppDirector configuration choosing the redundancy mode VRRP or Proprietary. For more
information on this wizard, see the AppDirector User Guide.

VRRP Configuration
1. Enable VRRP in AppDirector -> Redundancy -> Global Configuration
- IP Redundancy Admin Status – VRRP
- Interface Grouping – Enable
- ARP with interface grouping – Send
- Backup Fake ARP – Enable
- Backup Interface Grouping – Enable


- Leave all other fields as default

2. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual
Router Table
- IF Index – 1
- VR ID – 1
- Priority – 100 (Highest number is Active device)
- Primary IP – 10.1.30.102
- Leave all other options as default

3. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual
Router Table
- IF Index – 2
- VR ID – 2
- Priority – 100 (Highest number is Active device)
- Primary IP – 2.1.6.102
- Leave all other options as default

4. Create Virtual Router interfaces in AppDirector -> Redundancy -> VRRP -> Virtual
Router Table
- IF Index – 3
- VR ID – 3
- Priority – 100 (Highest number is Active device)
- Primary IP – 2.1.7.102
- Leave all other options as default

5. Create Associated IP Addresses in AppDirector -> Redundancy -> VRRP ->
Associated IP Addresses
- IF Index – 1, VR ID – 1, Associated IP 10.1.30.101
- IF Index – 1, VR ID – 1, Associated IP 10.1.30.200
- IF Index – 2, VR ID – 2, Associated IP 2.1.6.101
- IF Index – 3, VR ID – 3, Associated IP 2.1.7.101
- IF Index – 3, VR ID – 3, Associated IP 2.1.7.200
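
The Active and Backup VRRP tables above only fail over cleanly if they agree with each other. The following check is an added example, not part of the Radware guide or any Radware tool: the function name, the data layout and the `MUST_FLOAT` list are assumptions, and the per-port subnets are derived from the Backup's Network Configuration and assumed to apply to both devices.

```python
import ipaddress

# Values transcribed from the guide's Active and Backup VRRP tables.
# Tuples: routers = (IF index, VR ID, priority, primary IP); associated = (IF, VR ID, IP).
ASSOCIATED = [(1, 1, "10.1.30.101"), (1, 1, "10.1.30.200"), (2, 2, "2.1.6.101"),
              (3, 3, "2.1.7.101"), (3, 3, "2.1.7.200")]
ACTIVE = {"routers": [(1, 1, 255, "10.1.30.101"), (2, 2, 255, "2.1.6.101"),
                      (3, 3, 255, "2.1.7.101")], "associated": list(ASSOCIATED)}
BACKUP = {"routers": [(1, 1, 100, "10.1.30.102"), (2, 2, 100, "2.1.6.102"),
                      (3, 3, 100, "2.1.7.102")], "associated": list(ASSOCIATED)}
# Assumption: per-port subnets derived from the Backup's Network Configuration
# (10.1.30.102/16, 2.1.6.102/24, 2.1.7.102/24) and shared by both devices.
SUBNETS = {1: "10.1.0.0/16", 2: "2.1.6.0/24", 3: "2.1.7.0/24"}
# Addresses that must survive a failover: the two L4 policy VIPs and the
# default gateways configured on the AppWall devices and the Web servers.
MUST_FLOAT = ["10.1.30.200", "2.1.7.200", "2.1.7.101", "2.1.6.101"]


def check_vrrp_pair(active, backup, must_float=MUST_FLOAT, subnets=SUBNETS):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    a_vr = {(i, v): (p, ip) for i, v, p, ip in active["routers"]}
    b_vr = {(i, v): (p, ip) for i, v, p, ip in backup["routers"]}
    if set(a_vr) != set(b_vr):
        findings.append(f"VR tables differ: {sorted(set(a_vr) ^ set(b_vr))}")
    for key in sorted(set(a_vr) & set(b_vr)):
        (a_prio, a_ip), (b_prio, b_ip) = a_vr[key], b_vr[key]
        if a_prio <= b_prio:
            findings.append(f"VR {key}: active priority {a_prio} not above backup {b_prio}")
        if a_ip == b_ip:
            findings.append(f"VR {key}: both devices use primary IP {a_ip}")
    if sorted(active["associated"]) != sorted(backup["associated"]):
        findings.append("associated IP tables differ between devices")
    for name, dev in (("active", active), ("backup", backup)):
        vr_keys = {(i, v) for i, v, _, _ in dev["routers"]}
        for i, v, ip in dev["associated"]:
            net = subnets.get(i)
            if (i, v) not in vr_keys:
                findings.append(f"{name}: {ip} bound to undefined VR {(i, v)}")
            elif net is None or ipaddress.ip_address(ip) not in ipaddress.ip_network(net):
                findings.append(f"{name}: {ip} is outside the subnet of IF {i}")
        floating = {ip for _, _, ip in dev["associated"]}
        for ip in must_float:
            if ip not in floating:
                findings.append(f"{name}: {ip} is not an associated IP and will not fail over")
    return findings
```

Calling `check_vrrp_pair(ACTIVE, BACKUP)` on the values as printed in this guide returns an empty list; a Backup table that omits a VIP or matches the Active priority produces one finding per problem.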

AppWall
AppWall configuration consists of the following:
- First Time Configuration
- Configure AppWall Cluster Manager
- Configure Cluster Tunnels

First Time Configuration


Use the AppWall Management Application CLI to perform first time configuration. For more information, see
the AppWall Management Application User Guide.

1. Using the CLI, configure AppWall-1 as follows:


- Create the Management IP on Interface MNG-1 192.168.1.10
- Create the IP on interface 1 – 2.1.7.11
- Create default Gateway to – 2.1.7.101

2. Using the CLI, configure AppWall-2 as follows:


- Create the Management IP on Interface MNG-1 192.168.1.11
- Create the IP on interface 1 – 2.1.7.12


- Create the default Gateway to – 2.1.7.101

Configure AppWall Cluster Manager

Note: If you are using a single AppWall in your configuration, skip this section and go to Configure AppWall
Cluster Manager. In this case, all references to the “cluster” can be replaced with the “AppWall Management
Application”.

1. Install the AppWall Cluster Manager on one of the AppWall devices for central control
of all AppWall devices in the cluster.

The AppWall Cluster Manager enables you to deploy AppWall devices in a cluster. Using a single
Security Console connected to the AppWall Cluster Manager, you can manage relevant changes
to a Security Policy across a number of AppWall devices.

2. From the AppWall Cluster Manager, check the Cluster Manager mode in System Configuration ->
Settings. If Cluster Manager is not selected, click Setup Cluster Manager, and then OK at the
prompt.

3. If you have not already done so, install the Cluster Manager license using the AppWall
Management Application from Configuration -> AppWall Server -> Management -> Licenses.

Configure Cluster Tunnels

After adding the AppWall nodes to the device, you now configure the tunnels and the cluster will distribute
them to all nodes.

1. In the AppWall Management Application, in the Configuration view, open Server Group -> AppWall
Server -> Management -> Certificates -> Personal – Server and click Create.

2. Enter the name www.radware.com and click OK.

3. Open Server Group -> AppWall Server -> Tunnels and right-click HTTPS. Select Wizard.

4. Click Next in the welcome window.

5. Type Tunnel.1 in the Name field, and click Next.

6. In the Listening Address field, select 2.1.7.11, and in the Listening TCP Port field, type 443. Click
Next.

7. Select SSL - SSL for the tunnel mode and click on the certificate that you want to use for this tunnel.
Click Next.

8. Select 2.1.7.11 for the Forwarding Address. To the right of the Protected Object field, click
New.

9. In the dialog box, add the VIP IP pointing to the Web servers that you configured on the AppDirector,
as follows:
- Name – Web.Server.VIP.HTTPS
- Description - Web.Server.VIP.HTTPS
- IP – 2.1.7.200 (This is the IP configured on the AppDirector for load balancing the Web servers)
- Port – 443 (any port can be chosen if needed)
- Protocol - HTTPS

10. Click OK, then click Next.

11. Click Next.

12. Click Finish.


13. Highlight Tunnel.1 and select the TCP properties tab. Configure the Listening Address and
Forwarding Address as appropriate, and click Apply Changes.

14. Do one of the following:


- If you do not have a Cluster license, skip to step 17.
- If you do have a Cluster license, highlight Configuration Manager, right-click, and select Add.

15. In the Configuration view, right-click the Server Group and add the second AppWall (AppWall-2)
using the Management IP address 192.168.1.11.

16. Click OK, then click Save in the bottom-right corner of the screen, then click Apply Changes.

17. Double-click on the tunnel rule and change the Listening Address and Forwarding Address to the
correct IPs and port.

18. Click OK, then click Apply Changes.

Web Servers
Configure the Web Servers as follows:
1. For Web Server -1
- Create IP 2.1.6.11/24
- Create the default Gateway to 2.1.6.101
- Import the AppWall Certificate to the Web server
2. For Web Server -2
- Create IP 2.1.6.12/24
- Create the default Gateway to 2.1.6.101
- Import the AppWall Certificate to the Web server

Technical Support
Radware offers technical support for all of its products through the Radware Certainty Support Program.
Please refer to your Certainty Support contract, or the Radware Certainty Support Guide available at:
http://www.radware.com/content/support/supportprogram/default.asp.

For more information, please contact your Radware Sales representative or:
U.S. and Americas: (866) 234-5763
International: +972(3) 766-8666

© 2009 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are
registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the
property of their respective owners. Printed in the U.S.A.
