Load Balancing Solutions

If multiple application servers exist within an environment, some form of load balancing or fail-over capability is usually required. FMOS does not provide these capabilities itself, but several options may be suitable.

  • Load Balancer Machine: Several third-party vendors offer load balancing solutions as physical or virtual appliances. For large sites, this is the recommended option.

  • Round-Robin DNS: DNS intrinsically provides simple load balancing, because the A records for a name are returned in rotating order and most clients use the first one. This option requires that the TLS certificate on every application server include the shared DNS name, since clients validate the name they resolved, not the individual server's name. It does not provide fail-over or high availability: a failed server stays in the rotation until its record is removed, and clients may keep trying it.

With either option, the public_hostname system configuration variable must be set on all application servers before any data collectors are added to the ecosystem. Its value is the name the data collectors will use to connect to the application server cluster, such as the FQDN of the load balancer or the round-robin DNS name.

Deploying Multiple Application Servers

For deployments using multiple application servers in a load balanced configuration, the following network requirements must be satisfied:

  • All application servers must be on the same subnet.
  • Multicast traffic must be allowed between all application servers.
  • The multicast group address is 224.2.2.3.

For deployments that split roles across different servers, each application server and its corresponding DB/ES/CA server must be on the same broadcast domain. Implementations outside this scenario are not supported.

Setting up a Load Balancer when not terminating SSL at the Load Balancer

Do I set the “public_hostname” property on both of the App Servers?

Yes. Before adding DCs, set public_hostname on every application server to the FQDN assigned to the load balancer.

Do I need to create a new certificate that includes the VIP of the load balancer (and public_hostname value) then import to both App Servers?

Yes. When not doing TLS termination at the load balancer, every AS appliance needs a server certificate that includes at least the name the DCs will use. It does not strictly have to be the same certificate on both appliances; each certificate just needs to include the "virtual" name (the load balancer's FQDN) as a subject alternative name, because the DCs validate that name against whichever appliance the load balancer hands them.

If I have to create a new certificate, does this need to include the AS actual FQDN as alt names?

Not necessarily, but the `fmos pki gen-csr` command adds the appliance's own FQDN automatically, so a CSR generated that way carries both names.

Using a F5 BIG-IP as a Load Balancer for Application Servers

These are the steps for setting up load balancing for your FireMon application servers with SSL termination done at the F5 BIG-IP. Many customizations are possible depending on your environment, so the instructions below are only guidelines.

  1. You will need three virtual servers created on the same IP address.

    • Ports 80 and 443 should be reachable by users.
    • Ports 443 and 55555 should be reachable by your FM Data Collectors.
  2. SSL certificate setup (CA-signed).

    1. Generate CSR from your F5 BIG-IP:

      • Click System > Certificate Management > Traffic Certificate Management > SSL Certificate list > Create.

      • In the Common Name box, type the name of your Virtual Server (example: firemon.example.com)

      • If you want to add Subject Alternative Names, you can specify them in the format DNS:firemonha.example.com, DNS:www.exchange.example.com, DNS:www.example.net.

      • Click Finished.
    2. Download the Request File.

    3. Click Finished (stay on this screen to import the certificate).

    4. Upload the Request File to your FireMon CA/DB server.

    5. Run the FMOS commands below:

      • fmos ca sign example.csr example.crt

      • fmos ca export-ca-cert --ca server server-chain.crt

    6. Upload example.crt and server-chain.crt to your F5.

      • Import the signed certificate (example.crt) by either pasting or uploading it into the certificate object created with the CSR in step 1, so that it is paired with the private key generated there.

      • Import server-chain (Import > Certificate > New).

      • Name this certificate so you can tell it's your FireMon CA certificate.

    7. Build an SSL profile with the example key, example cert, and server-chain.

      • Local Traffic > Profiles > SSL > Client > New.

      • Choose a name for this SSL profile.

      • Choose an appropriate parent profile for your organization.

      • Override Certificate Key Chain, Click Add.

      • Fill in your created certificate for certificate and key. Use the FireMon CA certificate for Chain.

      • Click Add.

      • Click Finished.

First pool settings:

  • Port 443, HTTPS monitor (GET /\r\n), Slow Ramp Time of 45 seconds.
  • Add all application servers into this pool

Second pool settings:

  • Port 55555, HTTPS monitor, Slow Ramp Time of 10 seconds.
  • This pool needs only a single application server as a member; any one of them will do.

First virtual server setup settings:

  • Port 443, HTTP profile, SSL profiles for Client and Server. You can use the default 'serverssl' profile for the server side; for the client SSL profile, use the profile set up above.
  • If your LTM is not the application servers' default gateway, enable Source Address Translation (for example, Auto Map) so that return traffic flows back through the LTM.
  • Use some form of session persistence. If using cookie persistence, set source_addr as the fallback persistence profile: the Data Collectors connect to the Application Servers without using cookies, so they would otherwise not be pinned to one server.
  • The default pool for this should be pointing to your pool with port 443.
  • Refer to F5 article K14754 for websocket support information.

Second virtual server setup settings:

  • Use all of the same settings as the 443 VS, except that this one listens on port 55555 for the FireMon Server Control Panel. This VS does not need session persistence, and users have no reason to access it.
  • The default pool for this should be pointing to your pool with port 55555.

Third virtual server setup settings:

  • This VS listens on port 80 only to redirect to port 443. It needs just port 80, an HTTP profile, and the iRule _sys_https_redirect assigned to it. It does not need a pool.
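The pool, profile and virtual server settings above, expressed as tmsh commands. This is an added example and not FireMon's or F5's own configuration; the VIP 192.0.2.10, the application server addresses 10.0.0.11 and 10.0.0.12, the object names, and the certificate names firemon.example.com and firemon-server-ca are assumptions (the .crt/.key suffixes are the object names BIG-IP assigns when a CSR is created and a certificate is imported).

```tmsh
# Added example, not FireMon's or F5's configuration. Assumed values:
#   VIP 192.0.2.10, application servers 10.0.0.11 and 10.0.0.12,
#   CSR/certificate object "firemon.example.com", CA chain imported as "firemon-server-ca".

# Health monitor for the 443 pool: the bare request from the text, inheriting
# the rest from the built-in https monitor.
create ltm monitor https fm_as_443_https defaults-from https send "GET /\r\n"

# Pool 1: every application server on 443, 45 second slow ramp.
create ltm pool fm_as_443 monitor fm_as_443_https slow-ramp-time 45 members add { 10.0.0.11:443 10.0.0.12:443 }

# Pool 2: Server Control Panel on 55555, a single application server is enough, 10 second slow ramp.
create ltm pool fm_as_55555 monitor https slow-ramp-time 10 members add { 10.0.0.11:55555 }

# Client SSL profile: certificate signed by the FireMon CA, the key generated
# with the CSR, and the exported server CA certificate as the chain.
create ltm profile client-ssl fm_clientssl defaults-from clientssl cert-key-chain add { fm { cert firemon.example.com.crt key firemon.example.com.key chain firemon-server-ca.crt } }

# VS 1: 443 for users and Data Collectors. Cookie persistence with a
# source_addr fallback (Data Collectors send no cookies); SNAT Auto Map on the
# assumption that the LTM is not the application servers' default gateway.
create ltm virtual fm_vs_443 destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp { } http { } fm_clientssl { context clientside } serverssl { context serverside } } pool fm_as_443 persist replace-all-with { cookie { default yes } } fallback-persistence source_addr source-address-translation { type automap }

# VS 2: 55555, same profiles, no persistence.
create ltm virtual fm_vs_55555 destination 192.0.2.10:55555 ip-protocol tcp profiles add { tcp { } http { } fm_clientssl { context clientside } serverssl { context serverside } } pool fm_as_55555 source-address-translation { type automap }

# VS 3: 80, redirect only, no pool.
create ltm virtual fm_vs_80 destination 192.0.2.10:80 ip-protocol tcp profiles add { tcp { } http { } } rules { _sys_https_redirect }

save sys config

# Check: every member of the 443 pool should report "available" before the
# public_hostname is handed to the Data Collectors.
show ltm pool fm_as_443 members
```

The monitor for pool 1 is a custom object so that the `GET /` send string is explicit; pool 2 uses the built-in https monitor unchanged. The WebSocket considerations in F5 article K14754 may require changes to the HTTP profile on fm_vs_443 that are not shown here.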

Not using SSL termination on your load balancer:

  • Set up the virtual servers as plain TCP, leave the Client and Server SSL profiles blank, and do not assign an HTTP profile. In this mode the BIG-IP never sees the HTTP layer, so cookie persistence is unavailable and each application server must present its own certificate containing the load balancer's name, as described under "Setting up a Load Balancer when not terminating SSL at the Load Balancer".
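The pass-through variant as tmsh commands, an added example rather than FireMon's or F5's own configuration. It assumes the pools fm_as_443 and fm_as_55555 from the terminating setup already exist, that the VIP is 192.0.2.10, and that every application server already holds a certificate whose subject alternative names include the public_hostname value. The choice of source_addr persistence is an assumption: the text only rules out the SSL and HTTP profiles, and without the HTTP layer cookie persistence is not possible.

```tmsh
# Added example, not FireMon's or F5's configuration. Assumes VIP 192.0.2.10
# and the pools fm_as_443 / fm_as_55555. These virtual servers take the place
# of the terminating ones on the same destination, so delete those first.

# VS 1: 443 passed through to the application servers. Only a tcp profile;
# no client-ssl, server-ssl or http profile. source_addr persistence is an
# assumption, used because cookies cannot be read on an opaque TLS stream.
create ltm virtual fm_vs_443_passthru destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp { } } pool fm_as_443 persist replace-all-with { source_addr } source-address-translation { type automap }

# VS 2: 55555 passed through, no persistence.
create ltm virtual fm_vs_55555_passthru destination 192.0.2.10:55555 ip-protocol tcp profiles add { tcp { } } pool fm_as_55555 source-address-translation { type automap }

# The port 80 redirect virtual server is unchanged from the terminating setup:
# it carries no TLS, so it keeps its http profile and the _sys_https_redirect iRule.

save sys config

# Check: confirm the passthrough listeners have no SSL or HTTP profiles attached.
list ltm virtual fm_vs_443_passthru profiles
list ltm virtual fm_vs_55555_passthru profiles
```

Because the Data Collectors now validate the certificate presented by whichever application server the pool picks, the `fmos pki gen-csr` step from the Q&A above, with the load balancer's FQDN included, must have been completed on every member before these listeners go live.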