Backups, Backups, Backups!

Every system administrator, infrastructure manager and experienced user knows the importance of having current backups available… just in case! The security of knowing you have an up-to-date version of the configuration can be worth its weight in gold when it is needed – be it a machine failure, unexpected issues following a system change or even a full-blown disaster recovery scenario. When time is of the essence, a lot of stress can be removed by having your configuration available, and it will also reduce the downtime of your environment significantly.
So the decision on which method is best for you and your appliance… To be honest it’s very simple; a copy of the install image, SSL certificates and your support download archive* – Done!

The support download archive gathers all the relevant configuration and log files from the appliance before compressing them into an archive file format. If you use SSL offloading with Pound or Stunnel then it’s important to ensure you have copies of your SSL certificates. Also, if you have added any custom scripts or manual configurations to your appliance then you would need to make sure you have them available too (although this would not be critical to getting the appliance back online).

Continue reading

product roadmap (as always a work in progress)

Understandably we get quite a few requests for a product road map. We’ve had a chat about this internally and thought that it would be nice to have a permanent post on the blog that we change on the fly as customer requirements change.
Putting this on the blog enables our customers to express their arguments for and against new features etc. This entry should also give you a better idea of our priorities and how we develop the product:

Continue reading

Cluster recovery made easier

has always given high-availability the utmost priority in its product design. However, prior to v7.6, cluster recovery (i.e. re-synchronizing master & slave appliances after a cluster failure) without downtime was a slightly convoluted process that, while possible, was not simple. support staff often recommended a full heartbeat restart on both nodes as the simplest solution even though it involved a small amount of downtime. We’ve made a big effort to ensure that this process in v7.6 is as simple as possible in the rare event of a cluster hardware or software failure.

Continue reading

Some small changes to default settings make achieving high availability easier…..

has always been about high-availability; that is the fundamental reason for our product’s existence. Performance has always been a nice side effect, while maintainability of your application cluster is generally a key sub-set of the primary high-availability objective.

However, it’s time for a confession: the default settings for the appliances in a cluster configuration up until v7.5 have been set by default for both ease of use and certainty of a valid configuration. The default recommendation for setting up or disaster recovery on the high-availability of the cluster (Heartbeat) has been to force a full sync and therefore inflict a small amount of downtime in a maintenance window.



Whilst we’ve always had documentation showing how to handle cluster maintenance and configuration with zero downtime, it was definitely time for a change.

Continue reading

Loadbalancing an internal webserver behind two Microsoft TMG 2010 servers at layer4 using DR mode

We were looking at Microsoft’s new TMG server and loadbalancing, and after a search of the web found there was not really any guide on how to loadbalance incoming web connections via two TMG servers to an internal NAT’ed web server at layer4.
The TMG servers are effectively acting as WAFs (Web Application Firewalls) for the incoming traffic.
They require the traffic to be transparent (so they can inspect the client source IP address), so layer 4 DR mode is a logical choice.

The main problems were getting the required loopback adapter on the TMG servers to function correctly.

So this is how we got it to work.

Please note this is not a guide on how to loadbalance your firewalls for outbound connections where the TMG servers are acting as a reverse proxy / web filter aka. squid (although it would be very similar and that can be discussed in another blog).

The network we will build will look like the following, where we are loadbalancing the connections between the two TMG servers via a loadbalancer; this is then sent from the TMG server to the web server via a NAT rule.

Continue reading

Load balancing Microsoft Print Server

Microsoft print server provides a great way to share printers throughout your organisation, but when the print server service falls over, the phone quickly starts to ring. By adding a load balancer and a second print server configured with the same print queues, you’ll quickly have a load balanced and resilient printing infrastructure for your users.

Continue reading

NTLM Authenticating Proxy Check Script

We do quite a bit of work with web proxy vendors, loadbalancing multiple web filters/proxies with one of our appliances, and our customers have requested a way of health checking through the proxy when they have NTLM authentication enabled. Always happy to help where we can, I have created a script that will retrieve a web page via your proxy (logging in first of course). If it retrieves it successfully then the program exits with a code 0; if it fails it exits with a code 1. Simple!!

Continue reading

Load balancing Windows Terminal Server – HAProxy and RDP Cookies or Microsoft Connection Broker

When you have users depending on Windows Terminal Services for their main desktop, it’s a good idea to have more than one Terminal Server. RDP, however, is not an easy protocol to load balance; sessions are long-lived and need to be persistent to a particular server, and users may connect from different source addresses during one session.

The current development version of HAProxy has made an important step forward in making this possible. Thanks to work by Exceliance, it now supports RDP Cookies, offering a solution to the persistence problem.

Continue reading

Loadbalancing FAQ (Frequently Asked Questions)

This load balancing post is a little bit cheeky.. as it’s a bit of an experiment with catching Google’s eye on the net, the site does pretty well for the search term “Load Balancer”… but sucks big time for the second most popular term “Load Balancing”… Now I noticed that gets a first search page result with virtually zero relevant content so the domain name must help a lot!

Continue reading

Transparent proxy of SSL traffic using Pound to HAProxy backend patch and howto

OK so I’ve previously blogged about how to get TPROXY and HAProxy working nicely together. But what if you want to terminate SSL traffic on the load balancer in order to use HaProxy to insert cookies in the standard HTTP stream to the backend servers?

Many thanks to Krisztián Ivancsó  for working on the TPROXY patch for Pound for us, we can finally do this!

Continue reading

– Now in the Cloud

Over the last few months we’d experienced two fairly lengthy outages on our web server. It was a dedicated server with a UK host and we’re not exactly sure of the reason for the downtime – could have been network failure, could have been the server crashing. It had become pretty annoying for us, and we realised that for a company touting the use of load balancers for High Availability, it is important that our own website should be up! Also, as receives traffic from every corner of the globe, we wanted to see what we could do to reduce latency to the farther-flung continents.

Continue reading

guarantee 99.999% (5 nines) uptime to all of our customers.

Yeah right :-). Maybe after we sort out problems in our own back yard….

Our web server crashed again the other day (it last happened about 2 years ago). I was on holiday at the time and got an automated message saying “ is toast!”. I thought OK, that’s annoying but not the end of the world, but it was a Sunday afternoon and about an hour later I got a message from one of our support guys saying that they could not get through to the 24*7 support engineers to look into the server failure. That’s when I remembered that last time this happened I thought about setting up a mirror dedicated server to save downtime in the event of a re-build being required… oops, didn’t do that, did I?

Continue reading