Adding a HALB virtual server
To add a HALB virtual server:
- In the RAS console, navigate to Farm > <Site> > HALB.
- On the Virtual Servers tab in the right pane, click Tasks > Add. The HALB Configuration wizard opens.
- Make sure the Enable HALB option is selected.
- Type a name for this virtual server and an optional description.
- In the Public address field, type a public FQDN or IP address of this server. This is used by the Preferred routing functionality to redirect client connections. See Configuring preferred routing.
- In the Virtual IP section, specify the virtual IP address properties which will be used for incoming client connections by a HALB device that you will assign to this Virtual Server later.
- In the Settings section, select one or more of the following options. Note that at least one "LB" option must be selected. If you skip an option at this time, you can add it later in the virtual server properties dialog:
  - LB Gateway Payload: Enables load balancing of normal (unsecured) gateway connections.
  - LB SSL Payload: Enables load balancing of SSL connections.
  - Client Management: Enables management of Windows client devices connected through HALB.
- Click Next.
From this point forward, depending on the payloads that you selected in the previous step, a wizard page will open where you can configure the payload properties. These pages are described below.
LB Gateway payload
Configure load balancing for normal connections:
- Set the port number used by HALB devices to forward traffic to RAS Secure Gateways. The port is configured on a gateway. The default port is 80.
- In the Gateways list, select a RAS Secure Gateway to be load balanced. Please note that only one IP address per gateway can be used. If you have more than one entry for the same gateway with different IP addresses, you can select just one.
LB SSL payload
Configure load balancing for SSL connections:
- Set the port number used by HALB devices to forward SSL traffic to RAS Secure Gateways. The port is configured on a gateway. The default port is 443.
- Select the SSL mode from Passthrough or SSL Offloading. By default, SSL connections are tunneled directly to gateways (referred to as Passthrough) where the SSL decryption process is performed.
  The SSL Offloading mode requires an SSL certificate to be assigned to HALB. When you select it, click Configure and specify the following:
  - Accepted SSL Version: Select an SSL version.
  - Cipher Strength: Select the cipher strength of your choice. To specify a custom cipher, select Custom and then specify the cipher in the Cipher field.
  - The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
  - Certificates: Select the desired certificate. For information on how to create a new certificate and make it appear in this list, see the SSL Certificate Management chapter.
    The <All matching usage> option will use any certificate configured to be used by HALB. When you create a certificate, you specify the "Usage" property, where you can select "Gateway", "HALB", or both. If this property has the "HALB" option selected, the certificate can be used with HALB. Please note that if you select this option but no matching certificate exists, you will see a warning and will have to create a certificate first.
- Select a gateway to be load balanced. Note that only one IP address per gateway can be used.
Device Manager
To configure Windows client device management, select a gateway that will manage Windows client devices. Note that only one IP address per gateway can be used.
Devices
To assign HALB devices to the Virtual Server:
- Click Tasks > Add and select or specify a HALB device. If you haven't deployed any HALB devices (appliances) yet, you can still save the Virtual Server configuration and assign HALB devices to it later. At least two HALB devices are recommended per Virtual Server. For more info, see High Availability Load Balancing (HALB). HALB device priority is set by positioning a device in the list. The device at the top is the primary HALB device. Devices under it are secondary HALB devices. To promote a device to primary, simply move it to the top of the list.
- Finally, click Finish to save the Virtual Server settings and close the wizard.
The new virtual server will appear in the list in the RAS Console.
Modifying Virtual Server and configuring advanced options
To modify the Virtual Server settings, right-click it and choose Properties. The tabs in the Properties dialog have the same options as the wizard pages described above. The only exception is the Advanced tab, which is described below.
To view and configure advanced Virtual Server options, select the Advanced tab. The options that you see on this tab are applied to all HALB devices assigned to a Virtual Server. This list gives you simple access to the HALB device options without logging in to the virtual machine directly. Please note that changing any of these values may lead to undesired results. You should only change them according to specific network requirements.
The following advanced settings are available:
| Option | Default value | Description |
| --- | --- | --- |
| Enable RDP UDP tunneling | Enable | Enables RDP clients to transfer RDP over UDP traffic through HALB devices. |
| Minimum TCP connections | 2000 | Sets the maximum number of concurrent TCP connections. |
| Client inactivity timeout (s) | 150 | Maximum inactivity time on the client side in seconds. |
| Gateway connection timeout (s) | 30 | Maximum time to wait for a connection attempt to a gateway to succeed in seconds. |
| Client connection queue timeout (s) | 30 | When a device's Max TCP connections is reached, connections are left pending in a queue for the period of this timeout (seconds). |
| Gateway inactivity timeout (s) | 150 | Set the maximum inactivity time for gateways in seconds. |
| Amount of TCP connections per second | 1000 | Set a limit on the number of new connections accepted per second on a HALB device. |
| Gateway health check intervals (s) | 5 | Set the interval between two consecutive health checks in seconds. |
| VRRP virtual router ID | 15 | Used to differentiate multiple instances of VRRP running on the same network. |
| VRRP authentication password | - | Enable password authentication for the VRRP communication between HALB devices that is used for failover synchronization. |
| VRRP broadcast interval (m) | 1 | Minimum time interval in minutes for refreshing gratuitous ARPs while the device is in the active state. |
| VRRP health script check interval (s) | 2 | Set the interval between invocations of the script that ensures local HALB services are up and running (seconds). |
| VRRP health script check timeout (s) | 10 | Execution timeout for the script that ensures local HALB services are up and running (seconds). |
| VRRP advertisement interval (s) | 1 | The time interval between the advertisement packets that are sent between HALB devices in the same VRRP group (seconds). |
| Enable OS updates | Disable | Allow HALB devices to automatically update OS packages. |
| Keep existing load balancing settings | Disable | Keep the load balancing configuration currently present on the device and do not overwrite it with new settings. |
| Keep existing VRRP/keepalived | Disable | Keep the VRRP/keepalived configuration currently present on the device and do not overwrite it with new settings. |
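
The following is an added example, not part of the original documentation or of the product: a Python check that decodes captured VRRP advertisements (the payload of IP protocol 112 packets seen on the HALB network segment) and compares them with the VRRP virtual router ID, authentication and advertisement interval values described above. It assumes the HALB devices send VRRPv2 advertisements in the RFC 3768 layout; the addresses, the `build` helper and the sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Assumption: HALB devices send VRRPv2 (RFC 3768) advertisements.
AUTH_TYPES = {0: "none", 1: "simple-text", 2: "ip-ah"}  # RFC 3768 auth type codes

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_vrrp2(payload: bytes) -> dict:
    """Decode a VRRPv2 advertisement (the payload of IP protocol 112)."""
    if len(payload) < 16 or payload[0] != 0x21:  # version 2, type 1
        raise ValueError("not a VRRPv2 advertisement")
    _, vrid, prio, count, auth, adv, _ = struct.unpack("!BBBBBBH", payload[:8])
    end = 8 + 4 * count  # virtual IPs, then 8 bytes of authentication data
    if len(payload) < end + 8:
        raise ValueError("truncated advertisement")
    return {"vrid": vrid, "priority": prio, "advert_interval_s": adv,
            "auth": AUTH_TYPES.get(auth, f"unknown({auth})"),
            "vips": [str(IPv4Address(payload[i:i + 4])) for i in range(8, end, 4)],
            "checksum_ok": inet_checksum(payload[:end + 8]) == 0}

def audit(adverts, vrid, halb_devices, interval_s=1):
    """Compare captured advertisements for our VRID with the Advanced tab values."""
    findings = []
    for src, payload in adverts:
        a = parse_vrrp2(payload)
        if a["vrid"] != vrid:
            continue  # another VRRP group on the segment, not ours
        if src not in halb_devices:
            findings.append(f"{src}: VRID {vrid} is also advertised by a non-HALB host")
        if a["auth"] == "none":
            findings.append(f"{src}: advertisement carries no authentication")
        if a["advert_interval_s"] != interval_s or not a["checksum_ok"]:
            findings.append(f"{src}: interval or checksum differs from expected")
    return findings

def build(src, vrid, prio, vip, auth):
    """Construct a sample advertisement (test data, not captured traffic)."""
    body = IPv4Address(vip).packed + (b"EXAMPLE" if auth else b"").ljust(8, b"\0")
    hdr = struct.pack("!BBBBBB", 0x21, vrid, prio, 1, auth, 1)
    return src, hdr + struct.pack("!H", inet_checksum(hdr + b"\0\0" + body)) + body

SAMPLE = [build("192.0.2.11", 15, 150, "192.0.2.10", 1),   # primary HALB device
          build("192.0.2.77", 15, 100, "192.0.2.200", 0),  # unrelated router, same VRID
          build("192.0.2.90", 22, 100, "192.0.2.201", 0)]  # different VRID, ignored
print(audit(SAMPLE, vrid=15, halb_devices={"192.0.2.11", "192.0.2.12"}))
```

A finding for a non-HALB sender means another VRRP instance on the segment shares the configured virtual router ID, which is the collision the VRRP virtual router ID option exists to avoid.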