Thursday, 14 May 2015

NSX Deepdive Part 10 - Advanced Load Balancing


1. Generate a Certificate
You generate a certificate request and instruct the VMware NSX Edge™ instance to create a self-signed certificate from that request.
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway entry to manage that object.
3. Click the Manage tab and click Settings.
4. In the settings category panel, select Certificates.
5. Select Generate CSR from the Actions drop-down menu to open the Generate CSR dialog
box, and perform the following actions.
a. Enter 172.16.10.1 in the Common Name text box.
b. Enter ABC Medical in the Organization Name text box.
c. Verify that RSA is the selected Message Algorithm.
d. Verify that 2048 is the selected Key Size.
e. Leave all other settings at their default values and click OK.
6. In the certificate list, select the newly generated signing request and select Self Sign Certificate
from the Actions drop-down menu.
7. When prompted, enter 365 in the Number of days text box, and click OK.




2. Modify the Existing Load Balancer
You update the application profile to include the self-signed certificate, and update the server pool to
use HTTP instead of HTTPS. For this lab, treat the Web server as not having its own certificate.
The self-signed certificate is used instead for communication between clients and the virtual
server. Communication between the virtual server and the member servers uses plain HTTP, so that leg is unencrypted on the transit network.
1. On the Manage tab, click the Load Balancer button.
2. In the load balancer category panel, select Application Profiles.
3. Select the single application profile listed and click the pencil icon.
4. In the Edit Profile dialog box, perform the following actions.
a. Deselect the Enable SSL Passthrough check box.
b. At the bottom of the dialog box, in the certificate list, click the Service Certificates >
172.16.10.1 button.
c. Leave all other settings at their default values and click OK.
5. In the load balancer category panel, select Pools.
6. Select the single pool that appears and click the pencil icon.
7. In the Edit Pool dialog box, perform the following actions for each member server listed.
a. Select the member server and click the pencil icon.
b. In the Edit Member dialog box, change both the Port and the Monitor Port to 80 and click
OK.
c. Ensure that both member servers are updated.
8. Click OK to close the Edit Pool dialog box.

3. Capture Network Traffic at Perimeter Gateway
You examine two different packet captures. A packet capture on the uplink interface is examined to
verify the SSL communication between clients and the virtual server. A packet capture on the transit
network is examined to verify round-robin operation.
1. Minimize the Firefox window.
2. In the PuTTY window, begin capturing SSL traffic on the uplink interface by running the
following command.
debug packet display interface vNic_0 port_443
3. Leave the packet capture running and position the window so that you remember that it contains
the uplink capture.
4. On the ControlCenter desktop, double-click the PuTTY shortcut.
5. In the PuTTY window, double-click the Edge Services GW saved session.
6. Log in as admin and enter the VMware1!VMware1! password.
7. In the new PuTTY window, begin capturing HTTP traffic on the web-tier-temp interface by
running the following command.
debug packet display interface vNic_2 port_80
The two packet captures show the load balancer virtual server receiving SSL traffic and
connecting to a pool member server using HTTP.
8. Leave both PuTTY windows open and position the windows so that the captures can be
compared.
9. On the ControlCenter desktop, double-click the Internet Explorer shortcut.
Ensure that you use Internet Explorer for the following tests.
10. In the Internet Explorer window, go to https://172.16.10.1.
11. When Internet Explorer reports a problem with the Web site’s security certificate, click the
Continue to this website (not recommended) link.
The Web site security message might appear after a minute. After you click the continue link,
the Web page might be displayed after a minute.
12. Minimize the Internet Explorer window.
13. Select the PuTTY window that contains the uplink interface capture.
14. In the PuTTY window, examine the captured packets and verify that the exchange is between a
combination of the following IP addresses.
• 192.168.110.10
This address is the IP address of the ControlCenter system.
• 172.16.10.1
This address is the virtual IP (vIP) address of the load balancer in the one-arm configuration.
15. Press Ctrl+C to stop the traffic capture.
16. Select the PuTTY window that contains the transit interface capture.
17. In the PuTTY window, examine the captured packets and verify that the exchange is between a
combination of the following IP addresses. Only one of the Web server IP addresses appears.
• 192.168.110.10
This address is the IP address of the ControlCenter system that is maintained in transparent
mode.
• 172.16.10.11 or 172.16.10.12
These addresses are the IP addresses of the Web servers on the Web logical switch network.
18. Restore the Internet Explorer window and click the page refresh icon.
19. Close the Internet Explorer window.
20. Select the PuTTY window that contains the transit interface capture.
21. In the PuTTY window, examine the reported network packets and verify that the exchange is
between a combination of the following IP addresses.
• 192.168.110.10
This address is the IP address of the ControlCenter system that is maintained in transparent
mode.
• 172.16.10.11 or 172.16.10.12
These addresses are the IP addresses of the Web servers on the Web logical switch network.
The address that appears in the capture should be the Web server not seen in the previous
transit network capture.
22. Press Ctrl+C to stop the traffic capture.
23. Close the PuTTY window used to capture traffic on the transit network and click OK when
prompted to confirm.
24. Keep the original PuTTY window open.
25. Restore the Firefox window.
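The checks in steps 14 through 21 (uplink capture shows only client and vIP on port 443; each transit capture shows the client, preserved by transparent mode, talking to exactly one pool member on port 80; two consecutive requests land on different members) can be automated against the saved PuTTY output. The following is an added example, not part of the original post and not VMware's own tooling. It assumes the edge's debug packet display prints tcpdump-style lines (the post does not reproduce the output), and the sample capture lines are constructed to match that assumed format using the lab's addresses.

```python
import re

# Addresses from the lab (ControlCenter client, one-arm vIP, web-tier pool members)
CLIENT = "192.168.110.10"
VIP = "172.16.10.1"
MEMBERS = {"172.16.10.11", "172.16.10.12"}

# Assumed line shape for "debug packet display" output (tcpdump-like):
#   <time> IP <src>.<sport> > <dst>.<dport>: ...
_PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_packets(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for every packet line; skip other lines."""
    flows = []
    for line in text.splitlines():
        m = _PKT.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def check_uplink(text):
    """Uplink (vNic_0) capture: every packet is client <-> vIP with 443 on the vIP side."""
    flows = parse_packets(text)
    if not flows:
        return False
    for src, sport, dst, dport in flows:
        server_side = (dst, dport) if dst == VIP else (src, sport)
        if {src, dst} != {CLIENT, VIP} or server_side != (VIP, 443):
            return False
    return True


def transit_member(text):
    """Transit (vNic_2) capture: client <-> exactly one pool member on port 80.

    Transparent mode keeps the client's real source IP, so the peer must be CLIENT.
    Returns the member IP that served the request, or None if the capture is inconsistent.
    """
    members_seen = set()
    for src, sport, dst, dport in parse_packets(text):
        if src in MEMBERS:
            member, mport, peer = src, sport, dst
        elif dst in MEMBERS:
            member, mport, peer = dst, dport, src
        else:
            return None          # a packet that involves neither member
        if peer != CLIENT or mport != 80:
            return None          # wrong client address or not plain HTTP
        members_seen.add(member)
    return members_seen.pop() if len(members_seen) == 1 else None


def round_robin_ok(first_capture, second_capture):
    """Two consecutive page loads should be served by different pool members."""
    a, b = transit_member(first_capture), transit_member(second_capture)
    return a is not None and b is not None and a != b


# Constructed sample captures (not real edge output) for the three checks above.
UPLINK = """\
10:15:02.101 IP 192.168.110.10.51234 > 172.16.10.1.443: Flags [S], seq 1, win 8192, length 0
10:15:02.102 IP 172.16.10.1.443 > 192.168.110.10.51234: Flags [S.], seq 2, ack 2, win 29200, length 0
10:15:02.103 IP 192.168.110.10.51234 > 172.16.10.1.443: Flags [P.], seq 1:518, ack 1, length 517
"""
TRANSIT_FIRST = """\
10:15:02.110 IP 192.168.110.10.51235 > 172.16.10.11.80: Flags [S], seq 1, win 29200, length 0
10:15:02.111 IP 172.16.10.11.80 > 192.168.110.10.51235: Flags [S.], seq 2, ack 2, win 29200, length 0
10:15:02.112 IP 192.168.110.10.51235 > 172.16.10.11.80: Flags [P.], seq 1:90, ack 1, length 89
"""
TRANSIT_SECOND = """\
10:15:09.210 IP 192.168.110.10.51236 > 172.16.10.12.80: Flags [S], seq 1, win 29200, length 0
10:15:09.211 IP 172.16.10.12.80 > 192.168.110.10.51236: Flags [S.], seq 2, ack 2, win 29200, length 0
"""

if __name__ == "__main__":
    print("uplink is client<->vIP on 443:", check_uplink(UPLINK))
    print("first request served by:", transit_member(TRANSIT_FIRST))
    print("second request served by:", transit_member(TRANSIT_SECOND))
    print("round-robin observed:", round_robin_ok(TRANSIT_FIRST, TRANSIT_SECOND))
```

To use it on the real captures, paste each PuTTY window's output into a file and pass its contents to check_uplink and transit_member; a None result from transit_member points at a member-port or transparent-mode misconfiguration, and a False from round_robin_ok means both refreshes hit the same server.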