
10 Feb

HAProxy – IIS and X-Forwarded-For Header

IIS and X-Forwarded-For Header

So, you are using IIS and you want to track your clients by IP address in your IIS logs. Unfortunately, out of the box this is not directly supported: behind a proxy or load balancer the web server only ever sees the balancer's address. The X-Forwarded-For (XFF) HTTP header is the industry-standard way for an HTTP proxy or load balancer to pass along the address of the client that connected to it. Keep in mind that XFF is just a request header: a client can send one itself, so its value is only trustworthy when the balancer overwrites it (or appends its own entry) and the log consumer takes the address the balancer added rather than whatever the client supplied. Depending on the version of IIS in use, there are several ways to record it.

A – IIS 7 and later:

Microsoft now provides a solution called IIS Advanced Logging. It is an installable IIS feature and can be downloaded here. Once installed on the IIS server, you will see an extra option called 'Advanced Logging' for the sites in IIS.

Once installed, follow the steps below to add the X-Forwarded-For log field to IIS:

1. From your Windows Server 2008 or Windows Server 2008 R2 device, open IIS Manager

2. From the Connections navigation pane, click the appropriate server, web site, or directory on which you are configuring Advanced Logging. The Home page appears in the main panel

3. From the Home page, under IIS, double-click Advanced Logging

4. From the Actions pane on the right, click Edit Logging Fields

5. From the Edit Logging Fields dialog box, click the Add Field button, and then complete the following:

- in the Field ID box, type X-Forwarded-For

- from the Category list, select Default

- from the Source Type list, select Request Header

- in the Source Name box, type X-Forwarded-For

- click the OK button in the Add Logging Field box, and then click the OK button in the Edit Logging Fields box

6. Click a Log Definition to select it. By default, there is only one: %COMPUTERNAME%-Server. The log definition you select must have a status of Enabled

7. From the Actions pane on the right, click Edit Log Definition

8. Click the Select Fields button, and then check the box for the X-Forwarded-For logging field

9. Click the OK button

10. From the Actions pane, click Apply

11. Click Return To Advanced Logging

12. In the Actions pane, click Enable Advanced Logging

Now the X-Forwarded-For value appears as its own field in the logs; the standard c-ip field still records the address of the load balancer.

B – IIS 6:

Unfortunately the Microsoft solution mentioned above is not available for IIS 6. Luckily there are a number of solutions that address this limitation, some commercial and others released as open source. One excellent example that we have tested with our products is F5's X-Forwarded-For ISAPI filter. It is available in both 32-bit and 64-bit versions.

1. Download the zipped archive from here and extract to an appropriate folder

2. Navigate to the relevant version (32 or 64 bit)

3. Copy F5XForwardedFor.dll to a suitable location on your server, e.g. C:\ISAPIfilters

4. Make sure you have ISAPI Filters enabled on your IIS server

5. Open IIS Manager, right-click the site and select Properties

6. Select the ISAPI Filters tab

7. Click 'Add', then in the popup enter a suitable name and select the DLL file stored in step 3

8. Restart your website

That's it. Because this filter overwrites the c-ip field with the header value, you should now see the IP address of the client PCs in your IIS logs rather than the IP of the load balancer.
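The filter above does a straight substitution of whatever it finds in the header, so everything hinges on the balancer being the last writer of that header. The following helper, an added example that is not part of the original post or of the F5 filter, shows the two checks a log consumer should make: resolve the client address by walking the XFF chain from the right past the proxies you operate (so a value the client forged on the left is ignored), and verify that a header is a single address before substituting it into c-ip. The trusted-proxy addresses in the demo are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): how a log consumer should read an
# X-Forwarded-For chain. Each proxy appends the address it saw, so the header
# reads "client, proxy1, proxy2, ...". Walking from the right and skipping the
# proxies we operate yields the real client; everything further left was
# supplied by the client itself and may be forged. The trusted addresses used
# in the demo at the bottom are assumptions, not values from the post.

# xff_client_ip "XFF-VALUE" "trusted-proxy-1 trusted-proxy-2 ...":
# prints the rightmost address not in the trusted list; returns 1 if every
# hop is one of our own proxies (header not usable).
xff_client_ip() {
    printf '%s\n' "$1" | awk -v trusted=" $2 " '
    {
        n = split($0, hop, ",")
        for (i = n; i >= 1; i--) {
            gsub(/^[ \t]+|[ \t]+$/, "", hop[i])        # trim blanks around each hop
            if (hop[i] == "") continue
            if (index(trusted, " " hop[i] " ") == 0) {  # first untrusted hop from the right
                print hop[i]
                exit 0
            }
        }
        exit 1
    }'
}

# is_single_ipv4 "XFF-VALUE": 0 when the header holds exactly one dotted quad,
# the only shape the ISAPI filter above substitutes into c-ip safely.
# (Loose check: octet ranges are not validated.)
is_single_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$'
}

# Demo with constructed header values; 10.0.1.1 plays the balancer.
if [ "${1:-}" = "demo" ]; then
    xff_client_ip '203.0.113.7, 10.0.1.1' '10.0.1.1'                 # 203.0.113.7
    xff_client_ip '198.51.100.9, 203.0.113.7, 10.0.1.1' '10.0.1.1'   # 203.0.113.7 (198.51.100.9 was client-supplied)
    is_single_ipv4 '198.51.100.9, 203.0.113.7' || echo "not a single address: refuse to substitute"
fi
```

Run it with `sh xff.sh demo`. On the HAProxy side the same problem is solved at the source: `option forwardfor` adds a header carrying the source address but does not remove one the client already sent, whereas `http-request set-header X-Forwarded-For %[src]` (available in 1.5) replaces the client's value outright, so a filter that only understands a single address sees exactly one.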

———————————————————————————————————————————–

IIS X-Forwarded-For ISAPI Filter

A recent customer issue came up where they were load balancing servers but were unable to get the true client address logged in their IIS logs. They had their servers fronted by a BIG-IP and when clients would make requests the address passed to the server was the internal address of the BIG-IP and not that of the client.

This is a common issue with proxies and fortunately there is a standard for forwarding client information. It is the HTTP X-Forwarded-For header which is handled by most proxies. So, I set out to find an existing ISAPI filter to replace the c-ip (client ip) log value in IIS with the contents of the X-Forwarded-For header (if it exists). I was amazed to find that I couldn’t find a single instance of any open source (or even commercial) filter that would do this.

So, I dug out Visual Studio and whipped up a filter that does just that. It's very basic and contains no user configuration, so all you need to do is plug it into your web application's list of ISAPI Filters within the IIS Administration and you're set to go.

We’ve released the source under the iControl End User License Agreement (available in any iControl SDK download). You can download it in the CodeShare section of DevCentral. If you find a way to optimize this filter, please let me know and I’ll update the sources here.

After 24 hours of posting, a customer already returned some performance testing on the filter indicating that it only affected the traffic by less than 1 percent. I'm sure there are ways to optimize the memory allocation in the filter to speed this up a bit more, but I'll leave that for the community to work on.

Oh, and it should be noted that the X-Forwarded-For header isn’t supported the same way across all proxy products so you’ll want to make sure you test this out before using it. It is expecting the header to only contain an IP Address as it does a straight substitution on the value in the c-ip section of the log entry.

Enjoy!

6 Feb

HAProxy – installation, configuration, upgrade...

Tests with HAProxy. Very good overall experience: excellent load balancing with lots of options.

For more information and details on HAProxy

Install the Linux distribution of your choice; in my case I went with Debian (Ubuntu ships it in its repositories).

Configure the network cards with static IPs, as many as the environment requires, by editing /etc/network/interfaces:

For example:

nano /etc/network/interfaces

allow-hotplug eth0
auto eth0
iface eth0 inet static
    address 10.0.0.1
    netmask 255.255.254.0
    gateway 10.0.1.254
    dns-nameservers 10.0.0.21 10.0.0.22

# Second address on the same interface (alias). Only one default gateway can
# exist, so gateway and dns-nameservers are set once, on eth0 above; repeating
# them here makes ifup fail with "RTNETLINK answers: File exists".
auto eth0:0
iface eth0:0 inet static
    address 10.0.1.1
    netmask 255.255.254.0
——————————————————————–

Update the system.

apt-get update

apt-get upgrade

apt-get dist-upgrade

INSTALL:

Here begins the installation of the HAProxy prerequisites (libssl-dev is what USE_OPENSSL=1 needs later):

apt-get install build-essential make libpcre3 libpcre3-dev

apt-get install build-essential libssl-dev libpopt-dev git libpcre3-dev

apt-get install linux-kernel-headers  (optional)

——————————————————————————————————————————————

Optional: if the distribution's libpcre was built without JIT, `haproxy -vv` prints one of the messages below. They come from the PCRE library HAProxy was linked against, not from the (2.6.xx at the time) kernel; building PCRE 8.32 from source with JIT enabled avoids them:

PCRE library supports JIT : no (USE_PCRE_JIT not set)

PCRE library supports JIT : no (libpcre build without JIT?)

------------------------------------------------------------------------------------------------------------------------

cd /usr/src/

wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.32.tar.gz

tar xzfv pcre-8.32.tar.gz

cd pcre-8.32

./configure --enable-jit --enable-utf && make

(No make install is needed: the HAProxy make lines below point PCRE_INC/PCRE_LIB at this build tree and link it statically.)

——————————————————————————————————————————————
Now download HAProxy (1.5-dev21 was a development snapshot when this was written; pick a current stable release for production):

cd /usr/src/

wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev21.tar.gz

tar xzfv haproxy-1.5-dev21.tar.gz

cd haproxy-1.5-dev21

COMPILE:

There are several possible combinations of build options; I use the last one (it was shown in bold in the original). TARGET=linux2628 selects the code paths for kernels 2.6.28 and newer, and USE_LIBCRYPT=1 is what allows userlist passwords to be stored as crypt(3) hashes instead of in clear text:

make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1

make TARGET=linux2628 CPU=native USE_STATIC_PCRE=1 USE_LINUX_TPROXY=1

make TARGET=linux2628 CPU=native USE_PCRE=1 USE_STATIC_PCRE=1 USE_LINUX_TPROXY=1 USE_POLL=default USE_OPENSSL=1 USE_ZLIB=1

make TARGET=custom CPU=native USE_PCRE=1 USE_LIBCRYPT=1 USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1

make TARGET=linux2628 CPU=native USE_LINUX_SPLICE=1 USE_LIBCRYPT=1 USE_POLL=default USE_PCRE=1

make TARGET=linux2628 CPU=native USE_PCRE=1 USE_LIBCRYPT=1 USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_ZLIB=1

make TARGET=linux2628 CPU=native USE_LINUX_SPLICE=1 USE_LIBCRYPT=1 USE_POLL=default USE_PCRE=1 USE_ZLIB=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1

make TARGET=linux2628 CPU=native USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1 PCRE_INC=/usr/src/pcre-8.32/ PCRE_LIB=/usr/src/pcre-8.32/.libs

make TARGET=linux2628 CPU=native USE_LINUX_SPLICE=1 USE_LIBCRYPT=1 USE_POLL=default USE_ZLIB=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1 PCRE_INC=/usr/src/pcre-8.32/ PCRE_LIB=/usr/src/pcre-8.32/.libs

make TARGET=linux2628 CPU=native ARCH=x86_64 USE_LINUX_SPLICE=1 USE_LIBCRYPT=1 USE_POLL=default USE_ZLIB=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1 PCRE_INC=/usr/src/pcre-8.32/ PCRE_LIB=/usr/src/pcre-8.32/.libs

make install

CREATE LINKS AND DIRECTORIES:

ln -s /usr/local/sbin/haproxy /usr/sbin/haproxy

mkdir /usr/share/haproxy

nano /etc/init.d/haproxy  (create the service start/stop script)

—————————————————————————

#!/bin/sh
### BEGIN INIT INFO
# Provides:          haproxy
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: fast and reliable load balancing reverse proxy
# Description:       This file should be used to start and stop haproxy.
### END INIT INFO

# Author: Arnaud Cornet <acornet@debian.org>

PATH=/sbin:/usr/sbin:/bin:/usr/bin
PIDFILE=/var/run/haproxy.pid
CONFIG=/etc/haproxy/haproxy.cfg
HAPROXY=/usr/sbin/haproxy
EXTRAOPTS=
ENABLED=0

test -x $HAPROXY || exit 0
test -f "$CONFIG" || exit 0

if [ -e /etc/default/haproxy ]; then
    . /etc/default/haproxy
fi

test "$ENABLED" != "0" || exit 0

[ -f /etc/default/rcS ] && . /etc/default/rcS
. /lib/lsb/init-functions

haproxy_start()
{
    start-stop-daemon --start --pidfile "$PIDFILE" \
        --exec $HAPROXY -- -f "$CONFIG" -D -p "$PIDFILE" \
        $EXTRAOPTS || return 2
    return 0
}

haproxy_stop()
{
    if [ ! -f $PIDFILE ] ; then
        # This is a success according to LSB
        return 0
    fi
    for pid in $(cat $PIDFILE) ; do
        /bin/kill $pid || return 4
    done
    rm -f $PIDFILE
    return 0
}

haproxy_reload()
{
    # -sf: the new process takes over the listeners and asks the old pids to
    # finish their current connections and exit
    $HAPROXY -f "$CONFIG" -p $PIDFILE -D $EXTRAOPTS -sf $(cat $PIDFILE) \
        || return 2
    return 0
}

haproxy_status()
{
    if [ ! -f $PIDFILE ] ; then
        # program not running
        return 3
    fi

    for pid in $(cat $PIDFILE) ; do
        if ! ps --no-headers p "$pid" | grep haproxy > /dev/null ; then
            # program running, bogus pidfile
            return 1
        fi
    done

    return 0
}

case "$1" in
start)
    log_daemon_msg "Starting haproxy" "haproxy"
    haproxy_start
    ret=$?
    case "$ret" in
    0)
        log_end_msg 0
        ;;
    1)
        log_end_msg 1
        echo "pid file '$PIDFILE' found, haproxy not started."
        ;;
    2)
        log_end_msg 1
        ;;
    esac
    exit $ret
    ;;
stop)
    log_daemon_msg "Stopping haproxy" "haproxy"
    haproxy_stop
    ret=$?
    case "$ret" in
    0|1)
        log_end_msg 0
        ;;
    2)
        log_end_msg 1
        ;;
    esac
    exit $ret
    ;;
reload|force-reload)
    log_daemon_msg "Reloading haproxy" "haproxy"
    haproxy_reload
    case "$?" in
    0|1)
        log_end_msg 0
        ;;
    2)
        log_end_msg 1
        ;;
    esac
    ;;
restart)
    log_daemon_msg "Restarting haproxy" "haproxy"
    haproxy_stop
    haproxy_start
    case "$?" in
    0)
        log_end_msg 0
        ;;
    1)
        log_end_msg 1
        ;;
    2)
        log_end_msg 1
        ;;
    esac
    ;;
status)
    haproxy_status
    ret=$?
    case "$ret" in
    0)
        echo "haproxy is running."
        ;;
    1)
        echo "haproxy dead, but $PIDFILE exists."
        ;;
    *)
        echo "haproxy not running."
        ;;
    esac
    exit $ret
    ;;
*)
    echo "Usage: /etc/init.d/haproxy {start|stop|reload|restart|status}"
    exit 2
    ;;
esac

—————————————————————————————

chmod +x /etc/init.d/haproxy

update-rc.d haproxy defaults

nano /etc/default/haproxy (create the defaults file that enables the service)

------------------------------------------------------------------------------------

# Set ENABLED to 1 if you want the init script to start haproxy.
ENABLED=1
# Add extra flags here.
#EXTRAOPTS="-de -m 16"

—————————————————————————————

groupadd haproxy
useradd -g haproxy haproxy

mkdir /etc/haproxy

mkdir /etc/haproxy/errors

cp /usr/src/haproxy-1.5-dev21/examples/errorfiles/* /etc/haproxy/errors

nano /etc/haproxy/haproxy.cfg

service haproxy restart

It should now be running.

——————————————————————————————————————————————

Next, organize the logs so that they are deleted after a while (28 days). The files are written by rsyslog, not by haproxy, so create /var/log/haproxy first and restart rsyslog after adding the rule.

nano /etc/rsyslog.d/haproxy.conf

if ($programname == 'haproxy' and $syslogseverity-text == 'info') then -/var/log/haproxy/haproxy-info.log
& ~
if ($programname == 'haproxy' and $syslogseverity-text == 'notice') then -/var/log/haproxy/haproxy-notice.log
& ~

nano /etc/logrotate.d/haproxy

/var/log/haproxy/*.log {
    daily
    missingok
    rotate 28
    compress
    delaycompress
    notifempty
    create 644 root adm
    sharedscripts
    postrotate
        # rsyslog holds the files open, so it is rsyslog (not haproxy) that must reopen them
        invoke-rc.d rsyslog rotate > /dev/null 2>&1 || true
    endscript
}

——————————————————————————————————————————————

To upgrade or change the HAProxy version:

cd /usr/src/haproxy-xxxxxx
make clean
make TARGET=linux2628 CPU=native ARCH=x86_64 USE_LINUX_SPLICE=1 USE_LIBCRYPT=1 USE_POLL=default USE_ZLIB=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1 PCRE_INC=/usr/src/pcre-8.32/ PCRE_LIB=/usr/src/pcre-8.32/.libs
sudo make install

The binary is now replaced. The running process still executes the old one until it is reloaded (see below).

——————————————————————————————————————————————

Restart the service with practically no downtime (on its own it is already very fast):

haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)

General form: haproxy -f <configfile> -sf <pids of the old process>. The new process binds the listeners and the old one finishes its current connections and exits.

——————————————————————————————————————————————

If we want several HAProxy nodes so that another takes control when the main one fails, we can use Keepalived. Its VRRP advertisements are plain multicast on the segment, so restrict IP protocol 112 to the two nodes at the firewall; otherwise any host on that network could announce itself and take over the virtual IP.

First, install it.

apt-get install -y keepalived

update-rc.d keepalived defaults

echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
sysctl -p

(ip_nonlocal_bind lets HAProxy bind to the virtual IP on the node that does not currently hold it.)

The configuration of the primary (master) would be (XXX.XXX.XXX.XXX = desired virtual IP):

Master

nano /etc/keepalived/keepalived.conf

———————————————————————————————–

vrrp_script chk_haproxy {
    script "killall -0 haproxy"   # verify that the haproxy process exists
    interval 2                    # check every 2 seconds
    weight 2                      # add 2 points of priority if OK
}

# With weight 2, a healthy master runs at 103 and a healthy backup at 102;
# if haproxy dies on the master it drops to 101 and the backup takes the VIP.
vrrp_instance VI_1 {
    interface eth0                # interface to monitor
    state MASTER
    virtual_router_id 51          # one ID for this virtual router, identical on both nodes
    priority 101                  # 101 on master, 100 on backup
    virtual_ipaddress {
        XXX.XXX.XXX.XXX           # the virtual IP
    }
    track_script {
        chk_haproxy
    }
}

The configuration of the backup (slave) would be (XXX.XXX.XXX.XXX = desired virtual IP):

Backup

nano /etc/keepalived/keepalived.conf

vrrp_script chk_haproxy {
    script "killall -0 haproxy"   # verify that the haproxy process exists
    interval 2                    # check every 2 seconds
    weight 2                      # add 2 points of priority if OK
}

vrrp_instance VI_1 {
    interface eth0                # interface to monitor
    state BACKUP                  # BACKUP here; MASTER only on the primary node
    virtual_router_id 51          # one ID for this virtual router, identical on both nodes
    priority 100                  # 101 on master, 100 on backup
    virtual_ipaddress {
        XXX.XXX.XXX.XXX           # the virtual IP
    }
    track_script {
        chk_haproxy
    }
}

————————————————————————————————–

/etc/init.d/keepalived start

ip a | grep -e inet.*eth0

cat /var/log/messages | grep VRRP_Instance

——————————————————————————————————————————————

To check that the HAProxy configuration is valid before putting it into production:

haproxy -f /etc/haproxy/haproxy.cfg -c
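The check above and the -sf reload shown earlier belong together: a reload with a broken file kills the balancer. The script below, an added example that is not from the original post, runs the check first and only then hands over with -sf. It defaults to the paths used in this post; HAPROXY, CONFIG and PIDFILE are overridable from the environment, an assumption made so the functions can be exercised with a stub binary.

```shell
#!/bin/sh
# Added example (not from the original post): validate the configuration before
# asking the running HAProxy to hand over its listeners with -sf. A broken file
# then leaves the old process serving instead of killing it. Paths default to
# the ones used in this post; HAPROXY/CONFIG/PIDFILE can be overridden from the
# environment (an assumption made here so the functions can be tested with a stub).
HAPROXY="${HAPROXY:-/usr/sbin/haproxy}"
CONFIG="${CONFIG:-/etc/haproxy/haproxy.cfg}"
PIDFILE="${PIDFILE:-/var/run/haproxy.pid}"

# haproxy_check: 0 only if the configuration parses cleanly (haproxy -c).
haproxy_check() {
    "$HAPROXY" -c -q -f "$CONFIG"
}

# haproxy_safe_reload: check first, then start a new daemon with -sf so the
# old process finishes its current connections and exits.
# Returns 0 on success, 1 when the check fails, 2 when the new process fails to start.
haproxy_safe_reload() {
    if ! haproxy_check; then
        echo "haproxy: configuration check failed, old process left running" >&2
        return 1
    fi
    old_pids=""
    if [ -f "$PIDFILE" ]; then
        old_pids=$(cat "$PIDFILE")
    fi
    if [ -n "$old_pids" ]; then
        "$HAPROXY" -f "$CONFIG" -p "$PIDFILE" -D -sf $old_pids || return 2
    else
        # nothing running yet: plain start
        "$HAPROXY" -f "$CONFIG" -p "$PIDFILE" -D || return 2
    fi
    return 0
}

# Run directly, e.g. after editing haproxy.cfg:  sh haproxy-reload.sh reload
if [ "${1:-}" = "reload" ]; then
    haproxy_safe_reload
fi
```

The same function can replace the bare -sf line in a deployment step; its exit code tells the caller whether the old process is still the one serving.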
——————————————————————————————————————————————

To see the installed HAProxy version and its build options:

haproxy -vv
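After the build steps earlier (the PCRE JIT warnings and the long make line), -vv is the place to confirm that the flags actually took effect. The following script, an added example that is not from the original post, parses that output and reports each expected feature. The strings it looks for are the ones HAProxy 1.5 prints; the sample output embedded in it is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the features the make
# line asked for actually ended up in the binary by parsing `haproxy -vv`.
# The strings below are the ones HAProxy 1.5 prints; adjust them for other versions.

# check_build: reads `haproxy -vv` output on stdin, prints ok/MISSING per feature
# and returns the number of missing features (0 = everything is there).
check_build() {
    out=$(cat)
    missing=0
    for want in \
        'Built with OpenSSL version' \
        'Built with zlib version' \
        'PCRE library supports JIT : yes' \
        'Built with transparent proxy support' \
        'Encrypted password support via crypt(3): yes'
    do
        # fixed-string match: the crypt(3) entry contains regex metacharacters
        if printf '%s\n' "$out" | grep -qF -- "$want"; then
            echo "ok       $want"
        else
            echo "MISSING  $want"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample of `haproxy -vv` output for a build with every feature,
# modelled on the 1.5 format (not captured from a real host).
SAMPLE_VV='HA-Proxy version 1.5-dev21

Build options :
  TARGET  = linux2628
  CPU     = native
  OPTIONS = USE_LINUX_SPLICE=1 USE_LIBCRYPT=1 USE_ZLIB=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND'

# Usage: "sh check-build.sh live" inspects the installed binary; with no
# argument it runs against the constructed sample above.
if [ "${1:-}" = "live" ]; then
    haproxy -vv | check_build
else
    printf '%s\n' "$SAMPLE_VV" | check_build
fi
```

A non-zero exit from `sh check-build.sh live` right after `make install` means the binary was built without something the configuration relies on (for example crypt(3) hashes for the stats userlist, or SSL) and the make line needs revisiting before the reload.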

——————————————————————————————————————————————

Example haproxy.cfg for version 1.4 (XXX.XXX.XXX.XXX = virtual IP):

---------------------------------------------- Start of haproxy.cfg 1.4.xx --------------------------------------------

global
daemon
# drop root after binding the ports: the haproxy user and group were created above for
# exactly this; without these two lines the daemon keeps running as root.
# (chroot /usr/share/haproxy is left out because /dev/log would then have to exist
# inside the chroot for the rsyslog setup above to keep working.)
user haproxy
group haproxy
log /dev/log local0 info
log /dev/log local0 notice
maxconn 1000
pidfile /var/run/haproxy.pid
stats socket /var/run/haproxy.stat mode 600 level admin

# Credentials for the stats page. "password" is a placeholder: change it, and prefer
# "password <crypt(3) hash>" (needs USE_LIBCRYPT=1 at build time) over insecure-password,
# which keeps the secret in clear text in this file.
userlist stats-auth
group admin             users Admin
user  Admin  insecure-password password
group readonly          users user
user  user        insecure-password password

defaults
backlog 10000
default-server inter 3s rise 2 fall 3
log global
option  contstats
option  dontlognull
option  redispatch
retries 3
timeout client 300s
timeout connect 30s
timeout http-keep-alive 5s
timeout http-request 15s
timeout queue 30s
timeout tarpit 1m
timeout server 300s

frontend ft_ftp_tcp
bind *:21 name ftp
mode tcp
maxconn 2000
default_backend bk_ftp_server_pool

frontend ft_sftp_tcp
bind XXX.XXX.XXX.XXX:22 name sftp
mode tcp
maxconn 2000
default_backend bk_sftp_server_pool

frontend ft_smtpsrv_tcp
bind XXX.XXX.XXX.XXX:25 name smtp
mode tcp
maxconn 2000
default_backend bk_smtpsrv_server_pool

frontend ft_web_http
bind *:80 name http
mode http
maxconn 10000
default_backend bk_web_server_pool

frontend ft_pop_tcp
bind *:110 name pop3
mode tcp
maxconn 2000
default_backend bk_pop_server_pool

frontend ft_imap_tcp
bind *:143 name imap
mode tcp
maxconn 2000
default_backend bk_imap_server_pool

frontend ft_exchange_tcp
bind *:443 name https
mode tcp
maxconn 10000
default_backend bk_exchange_server_pool

frontend ft_smtpcli_tcp
bind *:587 name smtpcli
bind *:5587 name smtpcli
mode tcp
maxconn 2000
default_backend bk_smtpcli_server_pool

frontend ft_ftps_tcp
bind *:990 name ftps
mode tcp
maxconn 2000
default_backend bk_ftps_server_pool

frontend ft_imaps_tcp
bind *:993 name imaps
mode tcp
maxconn 2000
default_backend bk_imaps_server_pool

frontend ft_pops_tcp
bind *:995 name pops
mode tcp
maxconn 2000
default_backend bk_pops_server_pool

frontend ft_eset_tcp
bind *:2221-2222 name esethttp
mode tcp
maxconn 2000
default_backend bk_eset_server_pool

frontend ft_antispam_tcp
bind *:8081 name antispam_http
bind *:8481 name antispam_https
mode tcp
maxconn 2000
default_backend bk_antispam_server_pool

frontend ft_weblog_tcp
bind *:9991 name weblog
mode tcp
maxconn 2000
default_backend bk_weblog_server_pool

backend bk_ftp_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server FTP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 21
server FTP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 21

backend bk_sftp_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server SFTP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 22
server SFTP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 22

backend bk_smtpsrv_server_pool
option tcplog
option abortonclose
option smtpchk HELO dominio.com
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server SMTP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 25
server SMTP_1.XX 10.0.1.1XX weight 1 maxconn 1000 check port 25 backup

backend bk_web_server_pool
mode http
option httpclose
option forwardfor
option httplog
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server WEB_1.XX 10.0.1.XX:80 weight 1 maxconn 5000 check port 82
server WEB_1.XX 10.0.1.XX:80 weight 1 maxconn 5000 check port 82

backend bk_pop_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server POP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 110
server POP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 110

backend bk_imap_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server IMAP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 143
server IMAP_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 143

backend bk_exchange_server_pool
option tcplog
option abortonclose
option ssl-hello-chk
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server HTTPS_1.XX 10.0.1.XX:443 weight 1 maxconn 5000 check port 443
server HTTPS_1.XX 10.0.1.XX:443 weight 1 maxconn 5000 check port 443

backend bk_smtpcli_server_pool
option tcplog
option abortonclose
option smtpchk HELO dominio.com
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server SMTPCLI_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 587
server SMTPCLI_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 587

backend bk_ftps_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server FTPS_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 990
server FTPS_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 990

backend bk_imaps_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server IMAPS_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 993
server IMAPS_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 993

backend bk_pops_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server POPS_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 995
server POPS_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 995

backend bk_eset_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server ESET_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 2221
server ESET_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 2221

backend bk_antispam_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server ANTISPAM_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 8481
server ANTISPAM_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 8481 backup

backend bk_weblog_server_pool
option tcplog
option abortonclose
stick-table type ip size 10240k expire 60m
stick on src
balance leastconn
server WEBLOG_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 9991
server WEBLOG_1.XX 10.0.1.XX weight 1 maxconn 1000 check port 9991

listen admin
# the stats page is reachable on every interface; in production bind it to the
# management address (or restrict it with an ACL on src) rather than *:8080
bind *:8080
mode http
acl AUTH       http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
http-check expect status 200
maxconn    10
option abortonclose
option forceclose
option httpclose
option http-server-close
stats admin if AUTH_ADMIN
stats enable
stats hide-version
stats http-request auth unless AUTH
stats refresh 30s
stats show-desc RBHAProxyD1
stats show-legends
stats uri /stats

---------------------------------------------- End of haproxy.cfg 1.4.xx ----------------------------------------------

Example haproxy.cfg for version 1.5 (XXX.XXX.XXX.XXX = virtual IP):

---------------------------------------------- Start of haproxy.cfg 1.5.xx ------------------------------------

global
daemon
# drop root after binding the ports: the haproxy user and group were created above for
# exactly this; without these two lines the daemon keeps running as root.
# (chroot /usr/share/haproxy is left out because /dev/log would then have to exist
# inside the chroot for the rsyslog setup above to keep working.)
user haproxy
group haproxy
log /dev/log local0 info
log /dev/log local0 notice
maxconn 1000
pidfile /var/run/haproxy.pid
stats socket /var/run/haproxy.stat mode 600 level admin

# Credentials for the stats page. "password" is a placeholder: change it, and prefer
# "password <crypt(3) hash>" (needs USE_LIBCRYPT=1 at build time) over insecure-password,
# which keeps the secret in clear text in this file.
userlist stats-auth
group admin             users Admin
user  Admin  insecure-password password
group readonly          users user
user  user        insecure-password password

defaults
backlog 10000
compression algo gzip
compression type text/html text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint
default-server inter 3s rise 2 fall 3
log /dev/log local0 info
log /dev/log local0 notice
maxconn 100
option  contstats
option  dontlognull
option    log-health-checks
option  redispatch
option    tcp-smart-accept
option    tcp-smart-connect
retries 3
timeout client 300s
timeout connect 30s
timeout http-keep-alive 30s
timeout http-request 60s
timeout queue 300s
timeout server 600s
timeout tarpit 300s

frontend f-ftp-in
bind *:21 name ftp
mode tcp
maxconn 100
stick-table type ip size 200 expire 30s store conn_cnt
tcp-request content reject if { src_updt_conn_cnt gt 3 }
default_backend b-ftp

frontend f-sftp-in
bind XXX.XXX.XXX.XXX:22 name sftp
mode tcp
maxconn 100
stick-table type ip size 200 expire 30s store conn_cnt
tcp-request content reject if { src_updt_conn_cnt gt 3 }
default_backend b-sftp

frontend f-smtpsrv-in
bind XXX.XXX.XXX.XXX:25 name smtp
mode tcp
maxconn 100
default_backend b-smtpsrv

frontend f-http-in
bind *:80 name http
mode http
maxconn 200
option forceclose
option forwardfor
option httpclose
option httplog
option http-server-close
default_backend b-http

frontend f-pop-in
bind *:110 name pop3
bind *:995 name pop3s
mode tcp
maxconn 100
default_backend b-pop

frontend f-imap-in
bind *:143 name imap
bind *:993 name imaps
mode tcp
maxconn 100
default_backend b-imap

frontend f-https-in
bind *:443 name https
mode tcp
acl aplicaciones req_ssl_sni -i aplicaciones.dominio.com
acl aplicaciones2 req_ssl_sni -i aplicaciones2.dominio.com
acl aplicaciones3 req_ssl_sni -i aplicaciones3.dominio.com
maxconn 200
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend b-aplicaciones if aplicaciones
use_backend b-aplicaciones2 if aplicaciones2
use_backend b-aplicaciones3 if aplicaciones3
default_backend b-https

frontend f-smtpcli-in
bind *:587 name smtpcli
bind *:5587 name smtpcli
mode tcp
maxconn 100
default_backend b-smtpcli

frontend f-ftps-in
bind *:990 name ftps
mode tcp
maxconn 100
stick-table type ip size 200 expire 30s store conn_cnt
tcp-request content reject if { src_updt_conn_cnt gt 3 }
default_backend b-ftps

frontend f-eset-in
bind *:2221-2222 name esethttp
mode tcp
maxconn 100
default_backend b-eset

frontend f-mysql-in
bind *:3306 name mysql
mode tcp
maxconn 200
default_backend b-mysql

frontend f-ums-in
bind *:8015 name ums_http
mode http
maxconn 100
option forceclose
option forwardfor
option httpclose
option httplog
option http-server-close
default_backend b-ums

frontend f-antispam-in
bind *:8081 name antispam_http
mode http
maxconn 100
option forceclose
option forwardfor
option httpclose
option httplog
option http-server-close
default_backend b-antispam

frontend f-weblog-in
bind *:9991 name weblog
mode http
maxconn 100
option forceclose
option forwardfor
option httpclose
option httplog
option http-server-close
default_backend b-weblog

backend b-ftp
mode tcp
balance leastconn
option abortonclose
option  persist
option  redispatch
option tcp-check
tcp-check expect string 220
option tcplog
stick-table type ip size 10240k expire 60m
stick on src
server FTP_1.XX 10.0.1.XX:21 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server FTP_1.XX 10.0.1.XX:21 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-sftp
mode tcp
balance leastconn
option abortonclose
option  persist
option  redispatch
option tcp-check
option tcplog
stick-table type ip size 10240k expire 60m
stick on src
server SFTP_1.XX 10.0.1.XX:22 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server SFTP_1.XX 10.0.1.XX:22 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-smtpsrv
mode tcp
balance leastconn
option abortonclose
option  persist
option  redispatch
option smtpchk HELO dominio.com
option tcplog
stick-table type ip size 10240k expire 60m
stick on src
server SMTP_1.XX 10.0.1.XX:25 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server SMTP_1.XX 10.0.1.XX:25 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions backup

backend b-http
mode http
http-check expect status 200
balance roundrobin
option abortonclose
option forceclose
option forwardfor
option httpchk
option httpclose
option httplog
option http-server-close
stick-table type ip size 10240k expire 60m
stick on src
server HTTP_1.XX 10.0.1.XX:80 weight 1 maxconn 200 check port 82 inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server HTTP_1.XX 10.0.1.XX:80 weight 1 maxconn 200 check port 82 inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-pop
mode tcp
balance leastconn
option abortonclose
option  persist
option  redispatch
option tcplog
option tcp-check
tcp-check expect string +OK
stick-table type ip size 10240k expire 60m
stick on src
server POP_1.XX 10.0.1.XX:110 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server POP_1.XX 10.0.1.XX:110 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-imap
mode tcp
balance leastconn
option abortonclose
option  persist
option  redispatch
option tcplog
option tcp-check
# IMAP greeting "* OK": the space must be escaped, so a regex match is used
tcp-check expect rstring ^\*\ OK
stick-table type ip size 10240k expire 60m
stick on src
server IMAP_1.XX 10.0.1.XX:143 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server IMAP_1.XX 10.0.1.XX:143 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-https
mode tcp
balance leastconn
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
option abortonclose
option  persist
option  redispatch
option ssl-hello-chk
option tcplog
stick-table type binary len 32 size 10240k expire 60m
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
tcp-request content accept if clienthello
tcp-request inspect-delay 5s
tcp-response content accept if serverhello
server HTTPS_1.XX 10.0.1.XX:443 weight 1 maxconn 200 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server HTTPS_1.XX 10.0.1.XX:443 weight 1 maxconn 200 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-aplicaciones
mode tcp
balance leastconn
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
option abortonclose
option ssl-hello-chk
option tcplog
stick-table type binary len 32 size 10240k expire 60m
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
tcp-request content accept if clienthello
tcp-request inspect-delay 5s
tcp-response content accept if serverhello
server HTTPS_0.XX 10.0.0.XX:443 weight 1 maxconn 200 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-aplicaciones2
mode tcp
balance leastconn
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
option abortonclose
option ssl-hello-chk
option tcplog
stick-table type binary len 32 size 10240k expire 60m
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
tcp-request content accept if clienthello
tcp-request inspect-delay 5s
tcp-response content accept if serverhello
server HTTPS_0.XX 10.0.0.XX:443 weight 1 maxconn 200 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-aplicaciones3
mode tcp
balance leastconn
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
option abortonclose
option ssl-hello-chk
option tcplog
stick-table type binary len 32 size 10240k expire 60m
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
tcp-request content accept if clienthello
tcp-request inspect-delay 5s
tcp-response content accept if serverhello
server HTTPS_0.XX 10.0.0.XX:443 weight 1 maxconn 200 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-smtpcli
mode tcp
balance leastconn
option abortonclose
option  persist
option  redispatch
option smtpchk HELO dominio.com
option tcplog
stick-table type ip size 10240k expire 60m
stick on src
server SMTPCLI_1.XX 10.0.1.XX:587 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server SMTPCLI_1.XX 10.0.1.XX:587 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-ftps
mode tcp
balance leastconn
option abortonclose
option  persist
option  redispatch
option tcp-check
option tcplog
stick-table type ip size 10240k expire 60m
stick on src
server FTPS_1.XX 10.0.1.XX:990 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server FTPS_1.XX 10.0.1.XX:990 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-eset
mode tcp
balance roundrobin
option abortonclose
option tcplog
stick-table type ip size 10240k expire 60m
stick on src
server ESET_1.XX 10.0.1.XX:2221 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server ESET_1.XX 10.0.1.XX:2221 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-mysql
mode tcp
balance roundrobin
option abortonclose
option mysql-check user haproxy
option persist
option redispatch
option tcplog
stick-table type ip size 10240k expire 60m
stick on src
server MYSQL_1.XX 10.0.1.XX:3306 weight 10 maxconn 200 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server MYSQL_1.XX 10.0.1.XX:3306 weight 1 maxconn 200 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server MYSQL_3.XX 10.0.3.XX:3306 weight 1 maxconn 200 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions backup

backend b-ums
mode http
balance roundrobin
http-check expect status 200
option abortonclose
option forceclose
option forwardfor
option httpchk
option httpclose
option httplog
option http-server-close
stick-table type ip size 10240k expire 60m
stick on src
server UMS_1.XX 10.0.1.XX:8015 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

backend b-antispam
mode http
balance leastconn
http-check expect status 200
option abortonclose
option forceclose
option forwardfor
option httpchk
option httpclose
option httplog
option http-server-close
stick-table type ip size 10240k expire 60m
stick on src
server ANTISPAM_1.XX 10.0.1.XX:8081 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server ANTISPAM_1.XX 10.0.1.XX:8081 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions backup

backend b-weblog
mode http
balance roundrobin
option abortonclose
option forceclose
option forwardfor
option httpchk
option httpclose
option httplog
option http-server-close
stick-table type ip size 10240k expire 60m
stick on src
server WEBLOG_1.XX 10.0.1.XX:9991 weight 10 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server WEBLOG_1.XX 10.0.1.XX:9991 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions
server WEBLOG_1.XX 10.0.1.XX:9991 weight 1 maxconn 100 check inter 3s rise 2 fall 3 on-marked-down shutdown-sessions

listen admin
bind *:8080
mode http
acl AUTH       http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
http-check expect status 200
maxconn    10
option abortonclose
option forceclose
option httpclose
option http-server-close
stats admin if AUTH_ADMIN
stats enable
stats hide-version
stats http-request auth unless AUTH
stats refresh 30s
stats show-desc RBHAProxyD1
stats show-legends
stats uri /stats

————————————– End of haproxy.cfg file (1.5.xx) ———————————
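The SSL-session-ID stickiness in the b-aplicaciones backends (`acl clienthello req_ssl_hello_type 1`, `stick on payload_lv(43,1) if clienthello`, `stick store-response payload_lv(43,1) if serverhello`) depends on a fixed byte layout of the TLS Hello messages. The following is an added example, not part of the haproxy.cfg above and not HAProxy code: it rebuilds, in Python, what those three fetches read from a buffered record, using constructed Hello messages that stop right after the session ID. Assumptions: TLS 1.2 layout, and that an empty session ID is treated as "no key" (HAProxy's exact handling of a zero-length sample is not taken from the page).

```python
"""
Added example (not part of the original haproxy.cfg): what the session-ID
stickiness lines read from the wire.

`req_ssl_hello_type 1` / `rep_ssl_hello_type 2` look at the handshake type
byte, and `payload_lv(43,1)` reads a 1-byte length at offset 43 followed by
that many bytes, which in a ClientHello/ServerHello is the session ID:

  offset  0      record type (0x16 = handshake)
  offset  1-2    record version
  offset  3-4    record length
  offset  5      handshake type (1 = ClientHello, 2 = ServerHello)
  offset  6-8    handshake length
  offset  9-10   hello version
  offset 11-42   32-byte random
  offset 43      session_id length      <- payload_lv(43,1)
  offset 44..    session_id

The Hello messages built here are constructed test input, truncated after the
session ID; nothing past that point matters for this fetch.
"""
import struct
from typing import Optional

HANDSHAKE = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2
TLS12 = (3, 3)


def build_hello(hs_type: int, session_id: bytes) -> bytes:
    """Construct a minimal Hello record (test input, not a complete TLS message)."""
    if len(session_id) > 32:
        raise ValueError("TLS session IDs are at most 32 bytes")
    random_bytes = bytes(range(32))  # fixed so the example is reproducible
    body = struct.pack("!BB", *TLS12) + random_bytes + bytes([len(session_id)]) + session_id
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!BBH", *TLS12, len(handshake)) + handshake


def ssl_hello_type(payload: bytes) -> Optional[int]:
    """req_ssl_hello_type / rep_ssl_hello_type: handshake type, or None if not a handshake record."""
    if len(payload) < 6 or payload[0] != HANDSHAKE:
        return None
    return payload[5]


def payload_lv(payload: bytes, offset: int, length_bytes: int) -> Optional[bytes]:
    """payload_lv(offset,len): read a big-endian length at `offset`, return the bytes after it.

    None means the buffer is too short; that is the situation HAProxy waits on
    (up to `tcp-request inspect-delay`) before accepting the connection anyway.
    """
    if len(payload) < offset + length_bytes:
        return None
    ln = int.from_bytes(payload[offset:offset + length_bytes], "big")
    start = offset + length_bytes
    if len(payload) < start + ln:
        return None
    return payload[start:start + ln]


def stick_key(payload: bytes) -> Optional[bytes]:
    """Key the backend's stick-table is fed with for one buffered Hello, or None."""
    if ssl_hello_type(payload) not in (CLIENT_HELLO, SERVER_HELLO):
        return None  # the acl guard: `if clienthello` / `if serverhello` did not match
    sid = payload_lv(payload, 43, 1)
    if not sid:
        return None  # empty session ID (fresh handshake): treated here as nothing to stick on
    return sid
```

Two things the walk-through makes visible: a client that starts a full handshake with an empty session ID gets no stick-table entry, so only resumed sessions are pinned; and a payload shorter than 44 + session-ID bytes yields no key, which is why `tcp-request inspect-delay` has to be long enough for the whole ClientHello to arrive.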

Some links with information about HAProxy:

Part 1: Installing and configuring the service

Part 2: Test rule file

How to Compile HAProxy From Source and Setup a Basic Configuration

HAProxy Quickstart w/ full example config file

Configure HAProxy with TPROXY kernel for full transparent proxy

Setting up HAProxy with Transparent Mode on Centos 6.x

Setting up HAproxy with TProxy

Install HAProxy and Keepalived (Virtual IP)

HAProxy for Alfresco

Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension

Maintain affinity based on SSL session ID

Configure HAProxy to Load Balance Sites With SSL

Using HAProxy to Build a More Featureful Elastic Load Balancer

HAProxy add test-check-expect to test various http-check methods

HAProxy – route by domain name

High Availability Web Services Using HAProxy

3
Feb

XBMCbuntu, upgrading XBMC via ppa (Frodo 12.2 to 12.3)

Upgrading XBMC via ppa in XBMCbuntu

see also: What might break when upgrading to v12

You don't necessarily have to wipe your current install to try a new version of XBMC, such as a nightly build or a beta; you can just fire up PuTTY, or a shell on Linux/OS X, and run:

sudo apt-get install python-software-properties pkg-config
sudo add-apt-repository -r ppa:whatever-ppa-you-have-now
sudo add-apt-repository ppa:whatever-ppa-here
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install xbmc xbmc-bin
See also: Connecting to XBMCbuntu via SSH

————————————————
Ubuntu

Simple Install Instructions
  • Before you run these commands, type “sudo echo” into the terminal and hit Enter.
  • Then copy the area below up to sudo add…
  • Go back to the terminal, hit the middle mouse button and, when it prompts, hit Enter.
  • Copy the part after sudo add… and paste it into the terminal.
  • If it asks whether you want to install, enter y and hit Enter.
sudo apt-get install python-software-properties pkg-config
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:team-xbmc/ppa
sudo apt-get update
sudo apt-get install xbmc

Repositories

Frodo is available for Ubuntu 11.10 (Oneiric Ocelot) through 13.04 (Raring Ringtail). You can install it from the team-xbmc PPA as follows, or replace the PPA with the one you want from the list above.

sudo apt-get install python-software-properties pkg-config
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:team-xbmc/ppa
sudo apt-get update
sudo apt-get install xbmc
5
Sep

How To Update Qnap Firmware

This document contains these sections:

I – Before Starting

II – How to Upgrade Firmware With Qnapfinder

III – How to Upgrade Firmware With Qnap Interface

IV – How to Upgrade Firmware With Putty

V – How to Upgrade Firmware With Qnap Live Update Feature

VI – Trouble With Downloading Qnap Firmware?

VII – Qnap Firmware Update Troubleshooting

VIII – I Have a Problem Installing Qnap Firmware / Qnap Firmware Shows as 1.0.0 (1119T) Firmware, How Can I Fix This?

I – Before Starting

For a firmware update you must have an initialized system. You can't update the firmware without any HDD installed, except on some models.

You can upgrade the firmware in 4 ways. In every case:

First download the Qnap firmware from http://www.qnap.com

After the download completes, unzip the image file to your desktop.

II – How to Upgrade Firmware With Qnapfinder

Open Qnapfinder and choose your Qnap. At the top of the menus, choose Tools -> Firmware Update. This is the best, easiest and safest way to update.

Update Firmware by Finder

The NAS firmware can be updated by the QNAP Finder. Select a NAS model and choose “Update Firmware” from the “Tools” menu.

Log in to the NAS as an administrator.

Browse and select the firmware for the NAS. Click “Start” to update the system.

Note: NAS servers of the same model on the same LAN can be updated by the Finder at the same time. Administrator access is required for the system update.

III – How to Upgrade Firmware With Qnap Interface

Log in to the Qnap, go to Administration page -> Firmware Update and point it at your Qnap image file.

Update Firmware by Web Administration Page

Note: If the system is running properly, you do not need to update the firmware.
Before updating the system firmware, make sure the product model and firmware version are correct. Follow the steps below to update firmware:
1. Download the release notes of the firmware from the QNAP website http://www.qnap.com. Read the release notes carefully to make sure it is required to update the firmware.
2. Download the NAS firmware and unzip the IMG file to the computer.
3. Before updating the system firmware, back up all the disk data on the NAS to avoid any potential data loss during the system update.
4. Click “Browse” to select the correct firmware image for the system update. Click “Update System” to update the firmware.
The system update may take tens of seconds to several minutes to complete depending on the network connection status. Please wait patiently. The NAS will inform you when the system update has completed.

IV – How to Upgrade Firmware With Putty

1 – Download the Qnap firmware and unzip it to the Public folder. Your unzipped image file should look like this: TS-809U_3.4.2_Build0331.img

2 – Log in to the Qnap via PuTTY and type these commands:

# mv /share/Public/TS-809U_3.4.2_Build0331.img /mnt/HDA_ROOT/update/

# ln -sf /mnt/HDA_ROOT/update /mnt/update

# /etc/init.d/update.sh /mnt/HDA_ROOT/update/TS-809U_3.4.2_Build0331.img

then reboot the device with this command:

# reboot

From : http://forum.qnap.com/viewtopic.php?p=236036
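The PuTTY method hands `update.sh` whatever file is in the update directory, with none of the checks the Finder or the web page perform, and the troubleshooting section below warns that TS-459 and TS-459U images are not interchangeable and that the "stuck at 20%" recovery needs a lower version. The following is an added example, not from the QNAP forum post or from QNAP's own tooling: a pre-flight check run on the PC before the image is copied to the NAS. It parses the filename convention the post uses (`TS-809U_3.4.2_Build0331.img`), requires an exact model match, flags downgrades unless explicitly allowed, and compares a SHA-256 digest. The digest value and the image bytes in the test are constructed; the assumption is that you have a checksum for the image from QNAP's download page to compare against (if not, drop that check rather than trust one you made up).

```python
"""
Added example, not from the QNAP post: pre-flight checks for a firmware
image before it is handed to /etc/init.d/update.sh.
"""
import hashlib
import re
from typing import List, NamedTuple, Optional

# Filename convention from the post: TS-809U_3.4.2_Build0331.img
IMG_RE = re.compile(
    r"^(?P<model>[A-Za-z0-9-]+)_(?P<version>\d+(?:\.\d+)*)_Build(?P<build>\d+)\.img$"
)


class Firmware(NamedTuple):
    model: str
    version: tuple   # (3, 4, 2): tuples compare numerically, "3.4.10" > "3.4.9"
    build: int


def parse_image_name(name: str) -> Optional[Firmware]:
    """Split the image filename into model, version tuple and build number."""
    m = IMG_RE.match(name)
    if not m:
        return None
    version = tuple(int(x) for x in m["version"].split("."))
    return Firmware(m["model"].upper(), version, int(m["build"]))


def model_matches(fw: Firmware, nas_model: str) -> bool:
    """Exact match only: TS-459 firmware must not be accepted for a TS-459U or vice versa."""
    return fw.model == nas_model.upper()


def is_downgrade(fw: Firmware, installed_version: str) -> bool:
    return fw.version < tuple(int(x) for x in installed_version.split("."))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    return sha256_hex(data) == expected_hex.strip().lower()


def preflight(name: str, data: bytes, nas_model: str, installed_version: str,
              expected_sha256: str, allow_downgrade: bool = False) -> List[str]:
    """Return the reasons not to flash this image; an empty list means go ahead."""
    fw = parse_image_name(name)
    if fw is None:
        return [f"unrecognised image name: {name}"]
    problems = []
    if not model_matches(fw, nas_model):
        problems.append(f"image is for {fw.model}, NAS is {nas_model.upper()}")
    if is_downgrade(fw, installed_version) and not allow_downgrade:
        # Downgrading is the recovery step for "stuck at 20%", so it is allowed
        # only when asked for explicitly.
        problems.append(f"image {'.'.join(map(str, fw.version))} is older than installed {installed_version}")
    if not sha256_matches(data, expected_sha256):
        problems.append("SHA-256 digest does not match the expected value")
    return problems
```

Only when `preflight()` returns an empty list should the image be moved into `/mnt/HDA_ROOT/update/` and `update.sh` run; the model check is the one that prevents the mismatch the troubleshooting section describes.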

V – How to Upgrade Firmware With Qnap Live Update Feature

Trust me and stay away from this option. But if you want to learn how:

Live Update

Select “Enable live update” to allow the NAS to automatically check if a new firmware version is available for download from the Internet. If a new firmware is found, you will be notified after logging in the NAS as an administrator.

Click “CHECK FOR UPDATE” to check if any firmware update is available.

Note that the NAS must be connected to the Internet for these features to work.


VI – Trouble With Downloading Qnap Firmware?

First, go to http://www.qnap.com, then Support -> Download

Choose your NAS device from Category, and your NAS model in the right dropdown menu. If your device model is not in that list, choose “Archive” from the left dropdown menu.

You can choose an older firmware if you want. Download from Europe:

After the download completes, you can install the firmware.

VII – Qnap Firmware Update Troubleshooting;

Qnap gives an error when I try to install firmware:

Make sure the device is initialized, then try to update the firmware.

Make sure you downloaded the right firmware. TS-459 and TS-459U firmware are not the same thing.

If you still have problems installing the firmware, please contact Qnap support.

Qnap firmware update stuck at 20%:

Download a lower firmware version from this link:

http://web.qnap.com/download.asp

Choose an older firmware by switching the right dropdown menu to “All”.

Restart the Qnap and try the firmware update again.

VIII – I Have a Problem Installing Qnap Firmware / Qnap Firmware Shows as 1.0.0 (1119T) Firmware, How Can I Fix This?

How to Fix;

1 – NAS Firmware Update When No HDD(s) Installed

From QNAPedia

NOTE:

  1. This procedure is used to update the flash / DOM (disk on module) firmware on the NAS.
  2. Make sure no HDD is installed before the update.
  3. A flash image is required for NAS models with 16MB flash or a 128MB DOM.
  4. For NAS models with a 512MB DOM, just use the firmware from the QNAP download site (http://www.qnap.com/download.asp).
  5. This update procedure is generally used when the NAS can be found by QNAP Finder but cannot be initialized with HDD(s).
  6. A QNAP NAS also stores firmware on the HDDs. If you have initialized the NAS with HDDs before, this update procedure will cause a firmware version mismatch between the NAS and the HDDs. You need to update the firmware again after booting up with the HDDs installed.

2 – Update Procedure:

  1. Power off the NAS
  2. Remove all the HDDs
  3. Power on the NAS
  4. After a short beep and a long beep (about two minutes after the first short beep), run the QNAP Finder (make sure the Finder is the latest version)
  5. QNAP Finder should find the NAS and its IP
  6. Select the NAS and click “Tools” -> “Update Firmware”
  7. Enter the default username and password (admin/admin)
  8. Select the image file on your PC for the NAS
  9. After the firmware update, the NAS will reboot
  10. Make sure the firmware has been updated
  11. Power off the NAS
  12. Plug all the HDDs back in
  13. After powering on, follow the messages in the Finder to initialize the NAS

From : http://wiki.qnap.com/w/index.php?title=NAS_Firmware_Update_When_No_HDD(s)_Installed

Obtained from this link

25
Jun

KMS installation

1. Introduction

The previous post discussed the options for activating Windows with MAK or KMS keys. This time I will give the step-by-step procedure for installing the service on a Windows Server 2008 R2 server (the recommended option).

One thing I want to point out is that this service is extremely lightweight, so under no circumstances does it require a dedicated server, unless the company's internal policies say so.

2. Installing the KMS service

2.1 Obtaining the KMS key

To obtain the KMS or MAK keys, go to https://www.microsoft.com/licensing/servicecenter/home.aspx and sign in with a Passport account registered to the corresponding licensing agreement. Once on the site, look for keys like the ones in the image:

With the Windows 7 key you can activate Windows 7 and Windows Vista; with the Windows Server 2008 R2 key you can activate Windows Server as well as Windows 7 and Vista. That is, the higher-tier KMS key covers the other products.

The installation process on a Windows Server 2008 R2 or Windows 7 host is as follows:

  1. Log on with administrator credentials to the server that will host the service
  2. Click Start -> All Programs -> Accessories
  3. Right-click Command Prompt and then click Run as administrator
  4. At the command prompt type cd C:\Windows\system32 and press Enter
  5. Run cscript.exe slmgr.vbs /ipk AAAAA-BBBBB-CCCCC-DDDDD-EEEEE, where AAAAA-BBBBB-CCCCC-DDDDD-EEEEE is the KMS key for Windows Server 2008 R2 or Windows 7 obtained from the licensing site. This shows a result like the one in the image. The KMS host itself then has to be activated once against Microsoft (cscript.exe slmgr.vbs /ato, or by phone) before it will serve clients.


2.2 Allowing the service through Windows Firewall

For the service to answer clients, it must be allowed through Windows Firewall.

To configure the KMS service in the firewall:

  1. Log on with administrator credentials to the CLSCLKMSPRD server
  2. Click Start -> Control Panel
  3. Click System and Security
  4. Click Windows Firewall
  5. Click Allow a program or feature through Windows Firewall
  6. Click Key Management Service and then check the Domain column
  7. Click OK

It should end up configured as shown in the figure.


2.3 Creating the DNS record

So that client machines can find the server that provides activation on the internal network, a DNS record of type SRV must be created. By default clients look up this record and request activation from the server it points to.

To create the DNS record:

  1. Log on to the DNS server with administrator credentials (usually it is the same server as the domain controller / Active Directory)
  2. Open the DNS console
  3. Expand Forward Lookup Zones
  4. Expand the DNS zone for the machines' domain, in this case Arauco.cl
  5. Right-click _tcp and click Other New Records
  6. In the list click Service Location (SRV) and then the Create Record button
  7. Fill in the following fields:
    1. Service = _VLMCS
    2. Protocol = _tcp
    3. Priority = 0
    4. Weight = 0
    5. Port Number = 1688
    6. Host offering this service = “the KMS server's FQDN, for example KMS01.Contoso.com”
    7. Click OK

2.4 Checking the KMS service

To check the state of the KMS service:

  1. Log on with administrator credentials to the KMS server
  2. Click Start -> Run..
  3. Type CMD.exe
  4. At the command prompt type cd C:\Windows\system32 and press Enter
  5. Run cscript.exe slmgr.vbs /dlv
  6. You should get a result like the one in the figure.

Where:

  1. Command to view the service state
  2. Number of rearms available to reset the activation state (only 3 by default)
  3. Number of machines that have requested activation. This count must reach 5 before Windows Server 2008 and later servers start activating, and 25 before Windows Vista or Windows 7 machines start activating.
  4. Number of requests received; this can be higher than the number of machines, since one machine can generate several requests until it is activated.

With the above the service is up and running, so the next step is to accumulate clients in order to start activating.


3. Activating clients

Keep in mind that the enterprise editions of Windows Vista, 7, 2008 and 2008 R2 and Office 2010 are KMS clients by default, so once the service is running, client machines activate automatically with no manual intervention. However, if a machine does need to be activated by hand, there are two ways to do it:

3.1 Using the GUI on the PC

  1. Log on to the client machine with administrator credentials
  2. Click Start
  3. Right-click Computer and then Properties
  4. Go to the Windows Activation section
  5. Click Activate Windows now

3.2 Using a script:

The script method is recommended for automated deployments or when troubleshooting machine activation.

To activate a machine using a script:

  1. Log on with administrator credentials to the client machine
  2. Click Start -> Run..
  3. Type CMD.exe
  4. At the command prompt type cd C:\Windows\system32 and press Enter
  5. Run cscript.exe slmgr.vbs /ato
  6. A message like the following should appear:

Visually, you can tell a machine is activated when a logo like this appears in its properties:


By now there will surely be people saying “but how?? isn't there a console??”, so in the next post I will describe installing the VAMT console and what it is used for.

Obtained from this link

25
Jun

Windows activation

Introduction

In many companies I have come across cases where the wrong activation keys are used, or where the meaning/use of the KMS or MAK key is not understood. These keys were born with Windows Vista, but due to the wide adoption of Windows 7 they are now much more common. In this series of posts I will describe the characteristics of each key, their implications and the procedure for installing a KMS server.

Windows activation using MAK or KMS keys is required for Windows Vista, 2008, 7 and 2008 R2 and everything after them. However, the activation process itself has been in use since good old Windows XP.

So, as my first post, I want to leave you some clarifying information about the differences and advantages of each method. Then, in the following sections, you will find information about implementing the KMS service.

First, some points need to be made clear:

  • Activating a product (Windows in this case) means validating it with the vendor.
  • Both the MAK key and the KMS key can be obtained from the customer's licensing site. That is, every customer that buys Microsoft products (in volume) has access to the eOpen licensing site (http://eopen.microsoft.com), from which products and their corresponding keys can be downloaded. To access that site you need a licensing agreement or to be the administrator of the customer's licensing site.
  • Licenses can be obtained through retail (e.g. a PC bought in a shop), OEM (a PC bought from the hardware manufacturer with the OS preinstalled) or Volume (the scheme used by companies with a large number of machines).
  • A machine has 30 days to activate, after which it enters “reduced” mode (black desktop background, etc.).

Activation by MAK (Multiple Activation Key)

This key is a 25-character string entered when running the activation wizard; an alternative (if you don't have the key) is to activate the product by phone, following the wizard's instructions. Activation by this method is done only once per Windows installation.

Although this is the “classic” way (historically we are used to typing in a key), there are cases where it is not recommended, for security and time-efficiency reasons. Every time a machine is activated with this method, a person (a technician) has to do the work. If we assume a technician takes on average 15 minutes for the process, a company with 1000 machines would spend 250 hours (32 working days) on this task alone (not counting machines that get reinstalled for some reason). Also, from a security standpoint, if a customer leaves the installation of its machines to third parties, it has to hand them the MAK keys and loses control over how many machines get installed with that key. This last point matters because MAK keys have a limited number of activations (e.g. 1000) and obtaining more has a cost.


Activation by KMS (Key Management Service)

KMS is a service installed on a server (recommended) on the internal network, or on a workstation. Its job is to activate Windows (or Office 2010) automatically, without entering the 25-character key. This method is meant for enterprise environments with at least 25 machines to activate (the minimum activation threshold). In addition, deploying this service avoids having every machine on the network connect to the Internet to activate.

To identify the KMS key, look on the licensing site for a key of the type “Windows 7 Enterprise KMS Key” or “Windows 2008 Standard KMS Key”. These keys must be obtained from the licensing site, since they are renewed together with the licensing agreement and can therefore change from one year to the next.

One important thing: the KMS key must only be used to install the service, and NOT to activate PCs or servers; in other words, when a machine asks for activation, DO NOT ENTER THE KMS KEY. This is a typical mistake, but one that is completely fixable without reinstalling the operating system.

In the next post I will give the basic steps for installing a KMS server.

Obtained from this link

19
Jun

Using BgInfo

BgInfo is the classic utility (from Sysinternals, of course) that can make life a little easier, especially in large environments where we don't know which server we are logged on to, or for demos and courses so that students can clearly see which server we are on. It is a fully configurable application that displays plenty of information about the machine it runs on. We can have it show on screen (combined with the desktop background) the machine name, its IP address, operating system, service pack level, boot time, CPU type, default gateway, network mask, DNS servers, DHCP server, free disk space, available hard drives, Internet Explorer version, the domain it belongs to, the domain controller that authenticated it, RAM, network card, network speed, machine type, current user, logon domain...

We can download it for free from its official site (http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx). Run it on a machine and there we have the options to configure it: we can select the fields we want displayed and change anything else we need, such as font size or language (manually)... clicking “Apply” applies that configuration on the machine we are running it on.

It would look something like this. We may not like it as it is; we can configure what we want shown and, of course, run it on all our servers or PCs through Active Directory Group Policy.

These are the parameters available for the bginfo.exe executable: we can set how long to wait before the background is applied (/timer), show it in a pop-up window with '/popup', '/taskbar' puts an icon in the taskbar, with '/all' it applies to all users logged on to the server, '/log' generates logs, '/silent' suppresses any errors, '/rtf' generates a file in that format with the info, and with '/nolicprompt' we avoid being asked about the license agreement.

So we open BgInfo, configure the template the way we want it, font type, blah blah... and save it with “File” > “Save As...”; in my case it will be something like:

—————————————

Machine name:

Boot time:

CPU:

Memory:

Hard disk:

IP address:

Network mask:

Default gateway:

DHCP server:

DNS server:

MAC address:

Free space:

Domain:

Operating system:

User:

—————————————–

Give it a .bgi name and click “Save”.

Now, with a simple script, we can run it on all the machines we want, for example:

\\SERVIDOR\BgInfo\Bginfo.exe \\SERVIDOR\BgInfo\bujarra.bgi /timer:0 /silent /nolicprompt

And this is how our background would look!

Obtained from this link

18
Jun

Using a Reverse Proxy to Automatically Force External Lync Meeting Guests to Use Silverlight Client

https://lync.contoso.com/meet/username/EJHFSN and you are not a part of the Contoso organization and you do not have federation set up or do not allow automatic discovery of federated partners, it will fail with a useless numeric error code that means absolutely nothing. Since the desktop client does not allow you to log on anonymously, it will never fall back to guest logon, even if the meeting organizer has it enabled for the meeting. TechNet to the rescue! All you have to do is append “sl=1” to the end of the query string of the URL, so that you visit https://lync.contoso.com/meet/username/EJHFSN?sl=1, and then it will force the Silverlight client, which will allow you to log on anonymously. In this scenario, Lync meetings then behave basically like WebEx or GoToMeeting, where external participants need a browser plugin to connect to the meeting. Perfect. That's exactly what I want. Again, one problem. Imagine trying to get your entire staff to always remember to append that to the meeting link when they set up external meetings. Despite best efforts, it's just not going to happen. Your CFO has better things to do and she will forget, because that is human nature. And, really, this is Microsoft's shortsightedness here. You can read my comment at the TechNet article linked above.

Thanks for the “?sl=1” trick. That did the trick for me. But explaining this to my users is going to be a pain. Imagine me in the CFO’s office after months of extolling the virtues of Lync and how we even got rid of our WebEx subscription because, heck, Lync does meetings too! But suddenly, a meeting participant is also using Lync at his company but we have no federated relationship with each other, so when we click on each other’s meeting links it just fails with a terrible numerical error. “I thought this thing could replace WebEx,” the CFO bellows, scowling at me in disdain. “Oh, it can,” I reply, “just make sure you modify every meeting invitation so that the URL has ?sl=1 at the end of it!” Yea, that will go over well.

Thankfully, there is a workaround. And due to the way Lync is designed, it's really not difficult to set up. When you set up your Lync websites, it creates an internal and an external site. The external site by default uses the non-standard ports 8080 and 4443. The Lync best practice is to use a reverse proxy or firewall port-forwarding rules to send traffic destined for the normal web ports to the Lync alternate ports. Your internal users, on the other hand, use ports 80 and 443 as normal, communicating directly with the Lync server.

Reverse proxies can also be set up to modify URLs before the connection is sent to the backend. This is known as URL rewriting. In this case, you want a URL rewrite rule that will modify connections to /meet/ such that ?sl=1 is always added to the end. I found from trial and error that you get the best results by only modifying the /meet/ part of the above URL (assuming you are using Simple URLs like that). So I set up my topology so that 8080 and 4443 were exposed directly to the outside, so I have the option to bypass the reverse proxy once the connection is established. This is transparent to the end user. We're not bypassing the firewall, just the reverse proxy's URL rewriting when it is not needed.

So the final topology looks like this. (The Lync Front End is either your Edge server or your single server, depending on the size of your deployment.)

[Lync topology diagram]

From outside my firewall, ports 80, 443, 8080, and 4443 are all open. If you connect to 80 or 443, you are sent to the reverse proxy. If you go to 8080 or 4443, you are sent directly to Lync. To prepare Lync for this configuration, I first edited the topology so that the published ports are assigned the same as the internal ones (8080 and 4443), as this will allow us to bypass the reverse proxy when it is not needed. Whenever you publish your topology, remember to rerun the Lync setup wizard.

The reverse proxy can be easily created using IIS. In fact, you can set it up on your Lync edge server if you want. It depends on your workload. For the purposes of this post, we'll assume you are setting it up on the same server. Note: Lync will stop any non-Lync website in IIS whenever you publish your topology and rerun setup, so be prepared for this!

In order to configure the reverse proxy, you need to install the Application Request Routing and URL Rewrite extensions for IIS. These should both already be installed if you are using your Lync server. Enable Application Request Routing. This is done at the server level. Click on your IIS server in IIS Manager, double-click Application Request Routing Cache, then click on Server Proxy Settings. Check Enable proxy and keep everything else at defaults.

Create a new website. Give it a folder path that is not shared with any other site (i.e., don't reuse C:\Inetpub\wwwroot). The bindings should be whatever the external IP address is mapped to through your firewall. Bind HTTP and HTTPS on the default ports. Make sure you use a different internal IP address than your Lync internal website so there isn't a collision. You don't want internal users going through the reverse proxy.

Go into the site's URL Rewrite section and create a dummy rule. We are going to overwrite this later, so it doesn't matter what it is. We just want to create a web.config that we can edit by hand.

Edit the web.config “rules” section for the reverse proxy site. Now here is where the fun begins. We are going to modify any request that goes to /meet/ so that it has sl=1 at the end. I created a rule for both HTTP and HTTPS since I am using the default Lync ports (non-standard web ports). There is also a condition that if the query string already contains sl=, it will not modify it. Underneath the /meet/ rewrites are the default rules that just pass the request through unmodified to the correct ports.

Obviously, URLs, regexes, ports, and so on will all need to be modified to match your environment.

<rules>
    <rule name="ReverseProxyInboundRule1" stopProcessing="true">
        <match url="^meet/(.*)" />
        <conditions>
            <add input="{QUERY_STRING}" pattern="(.*)sl=(.*)" negate="true" />
            <add input="{CACHE_URL}" pattern="^(https)://" />
        </conditions>
        <action type="Rewrite" url="{C:1}://lync.contoso.com:4443/{R:0}?sl=1&amp;{QUERY_STRING}" appendQueryString="false" logRewrittenUrl="true" />
    </rule>
    <rule name="ReverseProxyInboundRule2" stopProcessing="true">
        <match url="^meet/(.*)" />
        <conditions>
            <add input="{QUERY_STRING}" pattern="(.*)sl=(.*)" negate="true" />
            <add input="{CACHE_URL}" pattern="^(http)://" />
        </conditions>
        <action type="Rewrite" url="{C:1}://lync.contoso.com:8080/{R:0}?sl=1&amp;{QUERY_STRING}" appendQueryString="false" logRewrittenUrl="true" />
    </rule>
    <rule name="ReverseProxyInboundRule3" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
            <add input="{CACHE_URL}" pattern="^(https)://" />
        </conditions>
        <action type="Rewrite" url="{C:1}://lync.contoso.com:4443/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
    </rule>
    <rule name="ReverseProxyInboundRule4" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
            <add input="{CACHE_URL}" pattern="^(http)://" />
        </conditions>
        <action type="Rewrite" url="{C:1}://lync.contoso.com:8080/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
    </rule>
</rules>

If you attempt to connect to a meeting externally now, this is what happens.

  1. Browser initiates connection to https://lync.contoso.com/meet/username/EJHFSN.
  2. Reverse Proxy receives the request, adds sl=1 to the query string, and passes the request to the external Lync website at https://lync.contoso.com:4443/meet/username/EJHFSN?sl=1.
  3. The Lync server replies and tells the browser to load the Silverlight Lync client, which then connects directly to the Lync web services (bypassing the reverse proxy) at https://pool1.lync.contoso.com:4443/Reach/Client/WebPages/ReachClient.aspx.
  4. The external user can join as an anonymous guest, or log on with domain credentials from the meeting organizer's domain, if they have them. The desktop Lync client never launches!
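
As an added example (not part of the original post), the Python below models how URL Rewrite walks the four inbound rules above: first matching rule wins because every rule has stopProcessing="true", the negated condition skips requests that already carry sl=, and {C:1} comes from the last condition evaluated (the CACHE_URL scheme capture). It is a model, not IIS: CACHE_URL is assumed to be the request URL as given (IIS also includes the port, which the scheme-only patterns ignore), and the hostnames and ports are the ones from the config. It also goes a step beyond the text by showing that the condition pattern (.*)sl=(.*) is broader than intended and treats a query string such as xsl=1 as if sl= were already present.

```python
import re
from urllib.parse import urlsplit

# Constructed model of the four rules in the web.config above (added example,
# not the page's own code). Per rule: name, match pattern applied to the request
# path without its leading "/", conditions as (server variable, pattern, negate),
# the rewrite template (the "&" that web.config spells "&amp;") and appendQueryString.
RULES = [
    ("ReverseProxyInboundRule1", r"^meet/(.*)",
     [("QUERY_STRING", r"(.*)sl=(.*)", True), ("CACHE_URL", r"^(https)://", False)],
     "{C:1}://lync.contoso.com:4443/{R:0}?sl=1&{QUERY_STRING}", False),
    ("ReverseProxyInboundRule2", r"^meet/(.*)",
     [("QUERY_STRING", r"(.*)sl=(.*)", True), ("CACHE_URL", r"^(http)://", False)],
     "{C:1}://lync.contoso.com:8080/{R:0}?sl=1&{QUERY_STRING}", False),
    ("ReverseProxyInboundRule3", r"(.*)",
     [("CACHE_URL", r"^(https)://", False)],
     "{C:1}://lync.contoso.com:4443/{R:1}", True),
    ("ReverseProxyInboundRule4", r"(.*)",
     [("CACHE_URL", r"^(http)://", False)],
     "{C:1}://lync.contoso.com:8080/{R:1}", True),
]

_TOKEN = re.compile(r"\{([A-Z_]+)(?::(\d+))?\}")   # {R:n}, {C:n} or {SERVER_VARIABLE}


def server_variables(request_url):
    """The subset of IIS server variables the rules reference.
    Assumption: CACHE_URL is modelled as the request URL exactly as given."""
    parts = urlsplit(request_url)
    return {"CACHE_URL": request_url,
            "QUERY_STRING": parts.query,
            "PATH": parts.path.lstrip("/")}


def expand(template, r_match, c_match, variables):
    """Substitute back-references and server variables the way URL Rewrite does."""
    def sub(m):
        name, index = m.group(1), m.group(2)
        if index is not None and name == "R":
            return r_match.group(int(index))
        if index is not None and name == "C":
            return c_match.group(int(index)) if c_match else ""
        return variables.get(name, "")
    return _TOKEN.sub(sub, template)


def rewrite(request_url):
    """Return (rule name, rewritten URL) for the first rule whose match and
    conditions all succeed, or (None, request_url) when nothing matches."""
    variables = server_variables(request_url)
    for name, pattern, conditions, template, append_qs in RULES:
        r_match = re.search(pattern, variables["PATH"])
        if not r_match:
            continue
        c_match, ok = None, True
        for var, cond_pattern, negate in conditions:
            m = re.search(cond_pattern, variables[var])
            if bool(m) == negate:          # matched when it must not, or failed to match
                ok = False
                break
            c_match = m                    # {C:n} refers to the last condition (trackAllCaptures default)
        if not ok:
            continue
        url = expand(template, r_match, c_match, variables)
        if append_qs and variables["QUERY_STRING"]:
            url += ("&" if "?" in url else "?") + variables["QUERY_STRING"]
        return name, url
    return None, request_url


if __name__ == "__main__":
    for url in ("https://lync.contoso.com/meet/alice/EJHFSN",
                "https://lync.contoso.com/meet/alice/EJHFSN?sl=1",
                "https://lync.contoso.com/meet/alice/EJHFSN?xsl=1",
                "http://lync.contoso.com/dialin/"):
        print(url, "->", rewrite(url))
```

Running it shows two things worth knowing before you deploy: a /meet/ request without a query string is rewritten with a dangling "?sl=1&" (harmless, but visible in the logs because logRewrittenUrl is on), and a query string such as xsl=1 falls through to the pass-through rule because the condition pattern matches any occurrence of "sl=". Anchoring the condition to (^|&)sl= closes that gap.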

Hopefully in the future Microsoft will fix the desktop client so that it can log on anonymously to external meetings, and will also give us a checkbox in the Lync Server Control Panel that forces all external connections to the Silverlight client (for legacy organizations that might connect to ours).

Obtained from this link

 

18
Jun

Setting up a Reverse Proxy using IIS, URL Rewrite and ARR

Today there was a question in the IIS.net Forums asking how to expose two different Internet sites from another site, making them look as if they were subdirectories of the main site.

So, for example, the goal was to have a site www.site.com expose www.site.com/company1 and www.site.com/company2, and serve the content of "www.company1.com" for the first and "www.company2.com" for the second. Furthermore, we would like to have the responses cached on the server for performance reasons. The following image shows a simple diagram of this:

This sounds easy, since it's just about routing or proxying every single request to the correct servers, right? Wrong!!! If only it were that easy. It turns out the most challenging thing is that in this case we are modifying the structure of the underlying URLs and the original layout on the servers, which makes relative paths break; of course images, stylesheets (CSS), JavaScript and other resources are then not shown correctly.

To clarify, imagine that a user requests the page at http://www.site.com/company1/default.aspx with his browser, so, based on the specification above, the request is proxied/routed to http://www.company1.com/default.aspx on the server side. So far so good. However, imagine that the markup returned turns out to have an image tag like "<img src=/some-image.png />". The problem is that the browser will resolve that path using the base of the original request it made, http://www.site.com/company1/default.aspx, resulting in a request for the image at http://www.site.com/some-image.png instead of the right "company1" location, which would be http://www.site.com/company1/some-image.png.

Do you see it? Basically, any relative path (and for that matter any absolute path as well) needs to be translated to the new URL structure imposed by the original goal.

So how do we do it then?

Enter URL Rewrite 2.0 and Application Request Routing

URL Rewrite 2.0 includes the ability to rewrite the content of a response as it is served back to the client, which allows us to rewrite those links without touching the actual application.

Software Required:

  1. URL Rewrite 2.0
  2. Application Request Routing (ARR)

Steps

  1. The first thing you need to do is enable Proxy support in ARR.
    1. To do that just launch IIS Manager and click the server node in the tree view.
    2. Double click the “Application Request Routing Cache” icon
    3. Select the “Server Proxy Settings…” task in the Actions panel
    4. Make sure that the "Enable Proxy" checkbox is checked. This allows any request on the server that is rewritten to a host other than the local machine to be routed there automatically, without any further configuration.
  2. Configure URL Rewrite to route the right folders and their requests to the right site. Rather than bothering you with UI steps, I will show the configuration and then explain step by step what each piece does.
  3. Note that for this post I will only take care of Company1, but the same steps apply for Company2. To test this you can save the configuration file below as web.config in inetpub\wwwroot\ or in any other site root.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Route the requests for Company1" stopProcessing="true">
          <match url="^company1/(.*)" />
          <conditions>
            <add input="{CACHE_URL}" pattern="^(https?)://" />
          </conditions>
          <action type="Rewrite" url="{C:1}://www.company1.com/{R:1}" />
          <serverVariables>
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
        </rule>
      </rules>
      <outboundRules>
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://www.company1.com/(.*)" />
          <action type="Rewrite" value="/company1/{R:2}" />
        </rule>
        <rule name="RewriteRelativePaths" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^/(.*)" negate="false" />
          <action type="Rewrite" value="/company1/{R:1}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

Setup the Routing

<rule name="Route the requests for Company1" stopProcessing="true">
  <match url="^company1/(.*)" />
  <conditions>
    <add input="{CACHE_URL}" pattern="^(https?)://" />
  </conditions>
  <action type="Rewrite" url="{C:1}://www.company1.com/{R:1}" />
  <serverVariables>
    <set name="HTTP_ACCEPT_ENCODING" value="" />
  </serverVariables>
</rule>

The first rule is an inbound rewrite rule that captures all requests under the folder /company1/*, so if you are using the Default Web Site, anything going to http://localhost/company1/* is matched by this rule and rewritten to www.company1.com, preserving HTTP vs. HTTPS.

One thing to highlight, which took me a bit of time, is the "serverVariables" entry in that rule, which overwrites the Accept-Encoding header. The reason I do this is that if you do not remove that header, the response will most likely be compressed (gzip or deflate), and outbound rewriting is not supported in that case; you end up with an error message like:

HTTP Error 500.52 – URL Rewrite Module Error.
Outbound rewrite rules cannot be applied when the content of the HTTP response is encoded (“gzip”).

Also note that, for security reasons, you must explicitly allow this server variable before a rule is permitted to set it. See enabling server variables here.

 

Outbound Rewriting to fix the Links

The last two rules rewrite the links, scripts and other resources so that their URLs are translated to the right structure. The first one rewrites absolute URLs and the second one rewrites root-relative paths. Note that relative paths using ".." are not handled by these rules; you can easily extend the rule above, but I was too lazy to do that, and since I never use them when I create a site it works for me 🙂
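
To show what the two outbound rules do to a real response, and to cover the ".." case the post leaves out, here is an added Python model (it is not the page's code and not something URL Rewrite ships). The backend host www.company1.com and the public prefix /company1 are taken from the config above; the sample HTML is constructed for the example. Document-relative links are resolved against the backend path of the page the way a browser would on the real site, clamped at "/", and only then prefixed, so a "../" can never climb out of /company1 into www.site.com's own URL space. Links to other hosts are left alone, and the backend host is matched with escaped dots, which the page's pattern "www.company1.com" does not do.

```python
import posixpath
import re

# Added example, not the page's own code. Assumed names: the backend host and
# the prefix the proxied site is exposed under.
BACKEND_HOST = "www.company1.com"
PREFIX = "/company1"

# Tags from the rules' filterByTags list, and the attributes that carry URLs.
_ATTR_RE = re.compile(
    r'(<(?:a|area|base|form|frame|iframe|img|input|link|script)\b[^>]*?'
    r'\s(?:href|src|action)=")([^"]*)(")',
    re.IGNORECASE)
# Escaped dots: an unescaped "www.company1.com" would also match "wwwXcompany1Ycom".
_BACKEND_ABS_RE = re.compile(r"^https?://" + re.escape(BACKEND_HOST) + r"(/.*)?$",
                             re.IGNORECASE)
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def rewrite_url(value, request_path):
    """Map one attribute value from the backend's URL space into PREFIX.

    request_path is the path of the document on the backend (e.g. "/docs/index.html");
    it is only needed to resolve document-relative links."""
    m = _BACKEND_ABS_RE.match(value)
    if m:                                            # rule 1: absolute URL to the backend host
        return PREFIX + (m.group(1) or "/")
    if value.startswith("//"):                       # scheme-relative: rewrite only our own host
        host, _, rest = value[2:].partition("/")
        return PREFIX + "/" + rest if host.lower() == BACKEND_HOST else value
    if _SCHEME_RE.match(value):                      # other hosts, mailto:, javascript: stay as they are
        return value
    if value.startswith("/"):                        # rule 2: root-relative path
        return PREFIX + value
    if value == "" or value[0] in "#?":              # already relative to the (prefixed) page
        return value
    # Document-relative, possibly with "..": resolve it as the browser would have on
    # the real site (normpath clamps ".." at "/"), then prefix it.
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(request_path), value))
    return PREFIX + resolved


def rewrite_html(html, request_path):
    """Apply rewrite_url to every URL-bearing attribute of the covered tags."""
    return _ATTR_RE.sub(
        lambda m: m.group(1) + rewrite_url(m.group(2), request_path) + m.group(3), html)


# Constructed sample response, as www.company1.com might return it for /page.html.
SAMPLE_HTML = (
    '<html><head><link rel="stylesheet" href="/css/site.css">'
    '<script src="http://www.company1.com/js/app.js"></script></head>'
    '<body><img src="../img/logo.png">'
    '<a href="https://www.company1.com/about">About</a>'
    '<a href="http://www.company2.com/">Partner</a>'
    '<form action="//www.company1.com/search"></form></body></html>'
)

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_HTML, "/page.html"))
```

The model only sees double-quoted attributes in text/html, which is also the limit of the outbound rules above (note the ResponseIsHtml1 precondition): URLs inside CSS, JavaScript or JSON responses are untouched by both.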

Setting up Caching for ARR

A huge added value of using ARR is that with a couple of clicks we can enable disk caching, so that responses are cached locally on www.site.com and not every single request pays the price of a round trip to the backend servers. Check that the backend sends correct Cache-Control headers before enabling it: anything user-specific that ends up in the cache is served to the next client who asks for the same URL.

  1. To do that just launch IIS Manager and click the server node in the tree view.
  2. Double click the “Application Request Routing Cache” icon
  3. Select the “Add Drive…” task in the Actions panel.
  4. Specify a directory where you want to keep your cache. Note that this can be any folder on your system.
  5. Make sure that “Enable Disk Cache” checkbox is marked in the Server Proxy Settings mentioned above.

As easy as that: now you will see caching working, and your site acts as a container for other servers on the Internet. Pretty cool, huh? 🙂

So in this post we saw how, with literally a few lines of XML, URL Rewrite and ARR, we were able to set up a proxy/routing scenario with the ability to rewrite links, and with caching support on top.

Obtained from this link

18
Jun

iSCSI Best Practices (Microsoft, EMC, VMware) – Summarized

This document summarizes the best practices of iSCSI usage as described in the following guides from MS, EMC, and VMware.

MS & iSCSI –

Exchange:

–         Microsoft Exchange Server can store its program files, mailboxes, public folders, logs and other data on iSCSI disk volumes in both cluster and non-cluster configurations.

–         Keep the Exchange disks in a separate pool on the array.

 

SQL Server – Microsoft SQL Server can store its program files, logs and other data on iSCSI disk volumes in both cluster and non-cluster configurations.

 

NOTE: iSCSI initiator does not support Dynamic disk volumes and NIC teaming.

 

iSNS – Microsoft iSNS Server is a Microsoft Windows service that processes iSNS registrations, de-registrations, and queries via TCP/IP from iSNS clients, and also maintains a database of these registrations. iSNS servers can be clustered.

 

iSCSI Boot:

–         Windows can be booted from an iSCSI disk; however, the iSCSI boot initiator disables all kernel-mode code paging. Additionally, the pagefile must not be located on an iSCSI disk.

–         Windows Server 2003 can be booted from a SAN using either an FC HBA or an iSCSI HBA

iSCSI Best Practices:

–         Deploy on fast networks – at least a GigE or better network

–         Ensure physical security

–         Use strong passwords for all accounts

–         Use CHAP authentication, because it ensures each host has its own password; mutual CHAP authentication is even better. Use one-way or mutual CHAP.

–         Use iSNS for discovery

–         Segregate iSCSI SANs from LAN traffic

–         Use IPsec

–         Use Access Control  or LUN masking
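
The CHAP recommendation above is easier to reason about with the exchange written out. The Python below is an added example, not taken from any of the summarized guides: it models the iSCSI login authentication stage with CHAP_A=5 (MD5) and shows both sides' key=value messages for one-way and mutual CHAP. The IQNs, secrets and 16-byte challenge size are assumptions for illustration; MIN_SECRET_BYTES = 12 is the floor this example enforces (the Microsoft initiator requires 12 to 16 bytes), since a short secret can be brute-forced offline from a single captured exchange. The target also rejects an initiator that reuses the target's own challenge in the reverse direction, the reflection check RFC 3720 asks targets to make.

```python
import hashlib
import hmac
import os

# Added example, not from the page. Assumed policy: secrets shorter than 12 bytes are refused.
MIN_SECRET_BYTES = 12


def secret_is_acceptable(secret):
    """Length floor; the secret is also expected to be random, not a word."""
    return secret is not None and len(secret) >= MIN_SECRET_BYTES


def chap_response(identifier, secret, challenge):
    """CHAP_R = MD5(CHAP_I as one byte || secret || CHAP_C) for CHAP_A=5."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(size=16):
    """Fresh identifier and random challenge; a reused challenge lets a captured CHAP_R be replayed."""
    return os.urandom(1)[0], os.urandom(size)


def encode(raw):
    return "0x" + raw.hex()        # iSCSI carries binary CHAP values as 0x-prefixed hex text


def decode(text):
    return bytes.fromhex(text[2:])


class Peer:
    """One endpoint: the secret it proves knowledge of, and the one it verifies the other side with."""
    def __init__(self, name, secret_to_prove=None, secret_to_verify=None):
        for s in (secret_to_prove, secret_to_verify):
            if s is not None and not secret_is_acceptable(s):
                raise ValueError("CHAP secret shorter than %d bytes" % MIN_SECRET_BYTES)
        self.name = name
        self.secret_to_prove = secret_to_prove
        self.secret_to_verify = secret_to_verify


def login(initiator, target, mutual=False, transcript=None,
          target_challenge=None, initiator_challenge=None):
    """Run the CHAP exchange; True only when every side that verifies is satisfied.
    transcript (a list, if given) receives (direction, message dict) in order.
    The *_challenge overrides let a test force deterministic or reflected challenges."""
    log = transcript if transcript is not None else []
    log.append(("I->T", {"CHAP_A": "5"}))                            # initiator offers MD5
    t_id, t_chal = target_challenge or new_challenge()
    log.append(("T->I", {"CHAP_A": "5", "CHAP_I": str(t_id), "CHAP_C": encode(t_chal)}))

    msg = {"CHAP_N": initiator.name,
           "CHAP_R": encode(chap_response(t_id, initiator.secret_to_prove, t_chal))}
    if mutual:                                                       # challenge the target back
        i_id, i_chal = initiator_challenge or new_challenge()
        msg.update({"CHAP_I": str(i_id), "CHAP_C": encode(i_chal)})
    log.append(("I->T", msg))

    # --- target side ---
    if mutual and decode(msg["CHAP_C"]) == t_chal:
        return False       # reflection of the target's own challenge: drop the connection
    expected = chap_response(t_id, target.secret_to_verify, t_chal)
    if not hmac.compare_digest(expected, decode(msg["CHAP_R"])):
        return False       # initiator does not know the secret
    if not mutual:
        return True
    if target.secret_to_prove is None:
        return False       # target cannot authenticate itself, so mutual CHAP fails
    reply = {"CHAP_N": target.name,
             "CHAP_R": encode(chap_response(i_id, target.secret_to_prove, i_chal))}
    log.append(("T->I", reply))

    # --- initiator side ---
    expected = chap_response(i_id, initiator.secret_to_verify, i_chal)
    return hmac.compare_digest(expected, decode(reply["CHAP_R"]))


if __name__ == "__main__":
    host = Peer("iqn.1991-05.com.microsoft:host1", b"initiator-secret-01", b"target-secret-0001")
    array = Peer("iqn.2000-01.com.example:array1", b"target-secret-0001", b"initiator-secret-01")
    log = []
    print("mutual CHAP ok:", login(host, array, mutual=True, transcript=log))
    for direction, message in log:
        print(direction, " ".join("%s=%s" % kv for kv in message.items()))
```

One-way CHAP only proves the initiator to the target; a rogue target that knows nothing can still serve an initiator a fake LUN, which is what the mutual variant closes. The two directions should use different secrets: with a shared secret, a target's own challenge reflected back to it would be answered correctly by the initiator.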

Networking Best Practices for iSCSI:

–         Use non blocking switches and set the negotiated speed on the switches.

–         Disable unicast storm control on iSCSI ports.  Most switches have unicast storm control disabled by default.

–         Enable Flow Control on network switches and adapters; flow control ensures a receiver can make the sender pace its speed and is important in avoiding data loss.

–         Ensure spanning tree algorithm for detecting loops is turned off on the ports used for iSCSI traffic.

–         Segregate SAN and LAN traffic. iSCSI SAN interfaces should be separated from other corporate network traffic (LAN). Servers should use dedicated NICs for SAN traffic. Deploying iSCSI disks on a separate network helps to minimize network congestion and latency. Additionally, iSCSI volumes are more secure when… SAN and LAN traffic can be separated using port-based VLANs or physically separate networks.

–         Configure additional Paths for High Availability; use either Microsoft MPIO or MCS (multiple connections per session) with additional NICs in the server to create additional connections to the iSCSI storage array through redundant Ethernet switch fabrics.

–         Unbind File and Print Sharing from the iSCSI NIC – on the NICs which connect only to the iSCSI SAN, unbind File and Print Sharing.

–         Use Gigabit Ethernet connections for high speed access to storage.  Congested or lower speed networks can cause latency issues that disrupt access to iSCSI storage and applications running on iSCSI devices.  In many cases, a properly designed IP-SAN can deliver better performance than internal disk drives.

–          iSCSI is suitable for WAN and lower speed implementations including replication where latency and bandwidth are not a concern.

–         Use Server class NICs.  It is recommended to use NICs which are designed for enterprise networking and storage applications.

–         Use CAT6 rated cables for Gigabit Network Infrastructures.  For 10Gigabit implementations, Cat-6a or Cat-7 cabling is usually required for use with distances over 55 meters.

–         Use Jumbo Frames if supported in your network infrastructure. Jumbo Frames can be used to allow more data to be transferred with each Ethernet transaction and reduce the number of frames.  This larger frame size reduces the overhead on both your servers and iSCSI targets. For end to end support, each device in the network needs to support Jumbo frames including the NIC and Ethernet switches.

Redundancy & Load Balancing:

There are two technologies supported with the MS iSCSI software initiator to enable redundancy and load balancing:

–         Multiple connections per session (MCS) – MCS support is defined in the iSCSI RFC to allow multiple TCP/IP connections from the initiator to the target for the same iSCSI session. This is iSCSI-protocol specific. In this way I/O can be sent over either TCP/IP connection to the target. If one connection fails, another connection can continue processing I/O without interruption to the application. Note that not all iSCSI targets support MCS.

–         Microsoft MPIO support

 

There are a number of things to consider when choosing to use MCS or Microsoft MPIO for multipathing.

–         If your configuration uses hardware iSCSI HBA then Microsoft MPIO should be used.

–         If your target does not support MCS then Microsoft MPIO should be used.  Most iSCSI target arrays support Microsoft MPIO.

–         If your target does support MCS and you are using the Microsoft software initiator driver then MCS is the best option. There may be some exceptions where you desire a consistent management interface among multipathing solutions and already have other Microsoft MPIO solutions installed that may make Microsoft MPIO an alternate choice in this configuration.

–         If you need to specify different load balance policies for different LUNs then Microsoft MPIO should be used.

–         If you are using Windows XP or Windows Vista, MCS is the only option, since Microsoft MPIO is only available with Windows Server SKUs.

 

NOTE: There is no mechanism within the iSCSI protocol to determine whether a target is active/active or active/passive.

 

Load Balance Policies:

 

–         Fail Over Only: No load balancing is performed. There is a single active path and the rest of the paths are standby paths. The active path is used for sending all I/O. If the active path fails, one of the standby paths is used. When the formerly active path is reconnected it becomes active again and the standby path that was activated returns to standby.

–         Round Robin: All paths are active paths and they will be used for sending I/O in a round robin fashion.

–         Round Robin with a subset of paths: A set of paths are configured as active and a set of paths are configured as standby. I/O is sent in a round robin fashion over the active paths. If all of the active paths fail then one of the standby paths is used. If any of the formerly active paths become available again then the formerly active paths are used and the standby path that was activated becomes a standby path again.

–         Weighted Path: Each path is assigned a weight and I/O will be sent on the path with the lowest weight. If the path with the lowest weight fails then the path with the next lowest weight will be used.

–         Least Queue Depth: This is only supported by MCS. The path that has the fewest number of requests queued is the one where the I/O is sent.

 

NOTE: Windows does not support disks that have been formatted with anything other than a 512-byte block size. Block size refers to the low-level formatting of the disk, not the cluster or allocation unit size used by NTFS. Be aware that using a disk with a block size larger than 512 bytes will cause applications not to function correctly. Check with your iSCSI target manufacturer to ensure that the default block size is set to 512 bytes, or problems will likely occur.

EMC & iSCSI –

A Look At EMC iSCSI Storage Systems (CLARiiON):

–         EMC supports Microsoft Windows® 2000 and Microsoft Windows Server™ 2003 servers that run the native iSCSI Microsoft-certified driver for NICs. Supported devices include both onboard NICs in Microsoft-certified servers and PCI-based NICs that are Microsoft-certified.

–         EMC supports Microsoft Windows 2000 and Microsoft Windows Server 2003 servers that use QLogic QLA4010 (optical) or QLA4010C (copper) HBAs and drivers.

–         You cannot mix NICs and HBAs in the same server, even if they are connected to different storage systems.

–         You must not connect a single server to both a CLARiiON® Fibre Channel storage system and an iSCSI storage system.

–         Servers with HBAs and servers with NICs can connect to the same storage system.

–         A single server can connect to CLARiiON CX-Series iSCSI storage systems and Symmetrix® iSCSI storage systems when a common network configuration, common failover software, and common driver support for both platforms exists.

–         A single server can connect to CLARiiON AX-Series iSCSI storage systems, and through IP-to-FC switches, to CLARiiON AX-Series Fibre Channel storage systems when a common network configuration, common failover software, and common driver support for both platforms exists.

–         A single server can connect to CLARiiON CX-Series iSCSI storage systems, and through IP-to-FC switches, to CLARiiON CX-Series Fibre Channel storage systems when a common network configuration, common failover software, and common driver support for both platforms exists.

–         Using the CLARiiON Open Systems Configuration Guide (OSCG) definition of fan-in (server to storage system), you can connect a server to a maximum of four storage systems.

–         Using the EMC Support Matrix (ESM) definition of fan-in (storage-system ports visible to a single initiator), you can connect an initiator to a maximum of 16 storage-system ports, but no more than four storage systems. The connection to the storage system must be 1-gigabit copper (RJ45).

–         EMC does not support 10/100 NIC connections that are connected directly to the storage system, except for those connected to the management ports.

–         Direct connections must use either 10/100/1000 NICs (operating at 1 gigabit) or QLA4010C HBAs. Ethernet crossover cables must be used with NICs to connect the server directly to the storage system.

–         Using the OSCG and ESM definitions of fan-out (initiators per SP port), you can connect a maximum of 128 initiators to a CX-Series iSCSI SP port.

–         If your service will not use iSNS, you must configure target storage-system addresses manually on the server initiators.

–         You must configure server names and passwords manually on the iSCSI storage system. If you want authentication, you must use CHAP (Challenge Handshake Authentication Protocol).

–         A CX-Series iSCSI storage system has two front-end (data) iSCSI ports per storage processor.

–         EMC supports up to four HBAs or four NICs in one server that connects one CX-Series iSCSI storage system.

–         Currently you cannot boot a Windows system using an iSCSI disk volume that the Microsoft iSCSI Software Initiator provides. The only currently supported method for booting a Windows system using an iSCSI disk volume is with a supported HBA.

–         Microsoft iSCSI Software Initiator does not support dynamic disks.

–         Microsoft iSCSI Initiator version 1.05a supports iSCSI Windows Server 2003 Cluster environments with a maximum of two nodes.

–         The Microsoft iSCSI Initiator default configuration ignores multiple NICs on the same subnet. When multiple NICS are on the same subnet, use the Advanced button in the Log On to Target dialog box of the Microsoft iSCSI Software Initiator UI to associate a specific NIC with a specific SP port.

–         Do not use Microsoft iSCSI Software Initiator to control the QLogic HBAs. QLogic’s SANsurfer utility is the only supported interface to HBAs.

–         A CX-Series iSCSI storage system does not support Microsoft iSCSI Software Initiator version 1.05a configured for MPIO, CRC/Checksum Data digest, or Header digest.

–         Supported Configurations:

  • Servers’ with Single NIC/HBA & 1 Subnet
  • Servers’ with Multiple NICs/HBAs & 1 Subnet
  • Servers’ with Multiple NICs/HBAs & Multiple Subnets
  • Servers with Multiple NICs/HBAs & Direct Connections
  • Multiple NICs/HBAs to Multiple Subnets, Routed or Independent (Including Direct Connections) is supported.

 

NOTE: A high hop count can also contribute to performance degradation.  Performance anomalies can also result for reasons associated with the various inherent TCP/IP flow control algorithms such as delayed ACK, slow start, and Nagle.

 

NOTE: You can use an iSCSI analyzer to perform protocol analysis of traffic flowing into and out of any suspect port on the storage system.

 

NOTE: You must install the Microsoft iSCSI Software Initiator because the Navisphere Server Utility uses it to configure iSCSI connections.  You must install the Initiator Service option of the Microsoft iSCSI Software Initiator because the QLogic driver requires it.

 

NOTE: PowerPath iSCSI is no longer available for CX3-series and CX-series storage systems. With PowerPath 4.5.1 or earlier, do not select Microsoft MPIO Multipathing Support for iSCSI, nor Microsoft MPIO Multipathing Support for the Software Initiator.

 

NOTE: You can improve the performance of any NICs that will be used primarily for iSCSI traffic rather than general network traffic by changing the network settings so that the NICs immediately acknowledge incoming TCP segments. If you are running a version of the Navisphere Server Utility earlier than 6.24.1.4.0, you need to modify the TCP/IP registry settings manually, as described in the EMC guide, to improve performance. If you are running Navisphere Server Utility version 6.24.1.4.0 or later, the system prompts you to change these settings when you configure the network parameters for your NICs (set up iSCSI connections).

 

NOTE: When you remove an iSCSI target, the specified target and all other targets on the storage system will be removed. If you want to remove a specific target but not all targets on the storage system, you must use the Microsoft Software Initiator.

VMware & iSCSI –

–         VI3 uses single connection for a session

–         At present, the VMware software initiator does not support jumbo frames. And until 10 gigabit Ethernet is supported by the VMware software initiator, the performance benefit of using jumbo frames would be minimal.

–         The software-initiator iSCSI implementation leverages the VMkernel to perform the SCSI to IP translation and does require extra CPU cycles to perform this work. As a result, software iSCSI can reduce overall server performance when CPUs are under heavy load.

–         Don’t use VMware Consolidated Backup over iSCSI

–         Best practice is to have a dedicated LAN for iSCSI traffic and not share the network with other network traffic.  It is also best practice not to oversubscribe the dedicated LAN.

–         VMkernel has a single routing table for all its VMkernel Ethernet interfaces

–         Make sure both the VMotion and IP Storage network and the service console port connection have appropriate IP addresses and are routed properly to the array.

–         The VMware VMkernel IP networking stack has been extended to handle the following functions:

  • iSCSI as a virtual machine datastore (new in ESX Server 3)
  • NFS as a virtual machine datastore (new in ESX Server 3)
  • NFS for the direct mounting of ISO files, which are presented as CD-ROMs to virtual machines
  • Migration with VMotion

–         The IP address that you assign to the service console during installation must be different from the IP address that you assign to VMkernel’s IP stack from the Configuration > Networking tab of the Virtual Infrastructure Client. The NFS and iSCSI functions must be configured together. They always share the same IP address, gateway, netmask, and other parameters. They are connected to the same virtual switch and, therefore, to the same physical Ethernet adapter. Before configuring software iSCSI for the ESX Server host, you need to open a firewall port.

–         Metadata Updates – A VMFS holds files, directories, symbolic links, RDMs, and so on, along with corresponding metadata for these objects. Metadata is accessed each time the attributes of a file are accessed or modified. These operations include, but are not limited to:

  • Creating, growing, or locking a file.
  • Changing a file’s attributes.
  • Powering a virtual machine on or off.

CAUTION After you create a new VMFS volume or extend an existing VMFS volume, you must rescan the SAN storage from all ESX Server hosts that could see that particular volume (LUN). If this is not done, the shared volume might become invisible to some of those hosts.

–         Levels of Indirection – If you’re used to working with traditional SANs, the levels of indirection can initially be confusing.

  • You cannot directly access the virtual machine operating system that uses the storage. With traditional tools, you can monitor only the VMware ESX Server operating system (but not the virtual machine operating system). You use the VI Client to monitor virtual machines.
  • Each virtual machine is, by default, configured with one virtual hard disk and one virtual SCSI controller during installation. You can modify the SCSI controller type and SCSI bus sharing characteristics by using the VI Client to edit the virtual machine settings. You can also add hard disks to your virtual machine.
  • The HBA visible to the SAN administration tools is part of the ESX Server system, not the virtual machine.
  • Your ESX Server system performs multipathing for you. Multipathing software (such as PowerPath) in the virtual machine is not supported (and not required).

–         Choosing Larger or Smaller LUNs:

Plan how to set up storage for your ESX Server systems before you perform installation.

  • One large LUN or many LUNs with a single VMFS volume spanning all LUNs: You might want fewer, larger LUNs for the following reasons:
    • More flexibility to create virtual machines without asking the SAN administrator for more space.
    • More flexibility for resizing virtual disks, doing snapshots, and so on
    • Fewer LUNs to identify and manage

 

  • Many LUNs with one VMFS volume on each LUN:  You might want more, smaller LUNs for the following reasons:
    • Less contention on each VMFS because of locking and SCSI reservation issues.
    • Different applications might need different RAID characteristics.
    • More flexibility (the multipathing policy and disk shares are set per LUN).

 

NOTE: You can divide your datacenter into servers that are best configured with fewer, larger LUNs and other servers that use more, smaller LUNs.

 

NOTE: You can boot from a SAN only with ESX Server 3 and with hardware iSCSI.

 

NOTE: If you plan to use NIC teaming to increase the availability of your network access to the iSCSI storage array, you must turn off port security on the switch for the two ports on which the virtual IP address is shared. The purpose of this port security setting is to prevent spoofing of IP addresses. Thus many network administrators enable this setting. However, if you do not change it, the port security setting prevents failover of the virtual IP from one switch port to another and NIC teaming cannot fail over from one path to another. For most LAN switches, the port security is enabled on a port level and thus can be set on or off for each port.

 

NOTE: SCSI reservations are held during metadata updates to the VMFS volume. ESX Server uses short-lived SCSI reservations as part of its distributed locking protocol.

 

NOTE: VMware recommends that you load balance virtual machines over servers, CPU, and storage. Run a mix of virtual machines on each server so that not all experience high demand in the same area at the same time.

 

NOTE: Whether a virtual machine can run management software successfully depends on the storage system in question.

Obtained from this link


Last updated 18/10/2017 20:49