6 Preparing the Load Balancer and Firewalls for an Enterprise Deployment

It is important to understand how to configure the hardware load balancer and ports that must be opened on the firewalls for an enterprise deployment.

Configuring Virtual Hosts on the Hardware Load Balancer

The hardware load balancer must be configured to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.

The following topics explain how to configure the hardware load balancer, provide a summary of the virtual servers that are required, and provide additional instructions for these virtual servers:

Overview of the Hardware Load Balancer Configuration

As shown in the topology diagrams, you must configure the hardware load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.

In the context of a load-balancing device, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. It is typically represented by an IP address and a service, and it is used to distribute incoming client requests to the servers in the server pool.

The virtual servers should be configured to direct traffic to the appropriate host computers and ports for the various services that are available in the enterprise deployment.

In addition, you should configure the load balancer to monitor the host computers and ports for availability so that traffic to a particular server is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers. At the same time, this monitoring should not overload the backend systems with too frequent health requests. In the end, a trade-off needs to be made between how fast the death detection occurs and how much overhead is introduced on the systems that are monitored.

Note that after you configure the load balancer, you can later configure the web server instances in the web tier to recognize a set of virtual hosts that use the same names as the virtual servers that you defined for the load balancer. For each request coming from the hardware load balancer, the web server can then route the request appropriately, based on the server name included in the header of the request. See Configuring Oracle HTTP Server for Administration and Oracle Web Services Manager.

Typical Procedure for Configuring the Hardware Load Balancer

The following procedure outlines the typical steps for configuring a hardware load balancer for an enterprise deployment.

Note that the actual procedures for configuring a specific load balancer will differ, depending on the specific type of load balancer. There may also be some differences depending on the type of protocol that is being load balanced. For example, TCP virtual servers and HTTP virtual servers use different types of monitors for their pools. Refer to the vendor-supplied documentation for actual steps.

  1. Create a pool of servers. This pool contains a list of servers and the ports that are included in the load-balancing definition.

    For load balancing between the web hosts, create one pool of servers per port used by OHS, each directing requests to hosts WEBHOST1 and WEBHOST2. For example, a pool to WEBHOST1 and WEBHOST2 on port 4443 for access to applications like SOA and OSB, another pool to WEBHOST1 and WEBHOST2 on port 4444 for internal accesses, and another pool to WEBHOST1 and WEBHOST2 on port 4445 for access to admin consoles.

  2. Create rules to determine whether a given host and service are available and assign them to the pool of servers that is described in Step 1.

  3. Create the required virtual servers on the load balancer for the addresses and ports that receive requests for the applications.

    For a complete list of the virtual servers required for the enterprise deployment, see Summary of the Virtual Servers Required for an Enterprise Deployment.

    When you define each virtual server on the load balancer, consider the following:

    1. If your load balancer supports it, specify whether the virtual server is available internally, externally, or both. Ensure that the internal addresses are only resolvable from inside the network.

    2. Assign the pool of servers created in Step 1 to the virtual server.

    3. Configure SSL for the virtual server.

    4. Configure SSL for the communication with the pool of servers.

      Some load balancers may need to be provided with the backend's certificate (the SSL certificate used by the OHS listeners in the backend pool) to establish the appropriate SSL communication. In that case you may need to add the OHS's CA certificate to the load balancer as a trusted certificate. Since this guide uses example certificates based on the WebLogic per-domain CA, you can add this after the domain is created.

Summary of the Virtual Servers Required for an Enterprise Deployment

This topic provides details of the virtual servers that are required for an enterprise deployment.

The following table provides a list of the virtual servers that you must define on the hardware load balancer for the Oracle SOA Suite enterprise topology:

Table 6-1 List of Virtual Servers

Virtual Host | Server Pool | Protocol | External
admin.example.com:445 | WEBHOST1.example.com:4445, WEBHOST2.example.com:4445 | HTTPS | No
soa.example.com:443 | WEBHOST1.example.com:4443, WEBHOST2.example.com:4443 | HTTPS | Yes
soainternal.example.com:444 | WEBHOST1.example.com:4444, WEBHOST2.example.com:4444 | HTTPS | No
osb.example.com:443 | WEBHOST1.example.com:4446, WEBHOST2.example.com:4446 | HTTPS | Yes
mft.example.com:7022 | SOAHOST1.example.com:7022, SOAHOST2.example.com:7022 | TCP (SFTP) | Yes
mft.example.com:443 | WEBHOST1.example.com:4443, WEBHOST2.example.com:4443 | HTTPS | Yes

Note:

If SOA Suite and Oracle Managed File Transfer are deployed on the same host, then Managed File Transfer can share the HTTPS virtual servers that are used by SOA to access the Managed File Transfer console. However, a separate Managed File Transfer virtual server is required for TCP protocol (used to load balance SFTP requests).

Additional Instructions for admin.example.com

This section provides additional instructions that are required for the virtual server admin.example.com.

When you configure this virtual server on the hardware load balancer:

  • Enable address and port translation.

  • Enable reset of connections when services or hosts are down.

Additional Instructions for soa.example.com

When you configure this virtual server on the hardware load balancer:

  • Use port 443. If port 80 is used for customer usability, then it is recommended to redirect any requests to it (non-SSL protocol) to port 443 (SSL protocol). Refer to your load balancer’s specific documentation to implement this redirection.

  • Specify ANY as the protocol (non-HTTP protocols are required for B2B).

  • Enable address and port translation.

  • Enable reset of connections when services and nodes are down.

  • Create rules to filter out access to /management and /em on this virtual server.

    These context strings direct requests to the Oracle WebLogic Remote Console and to the Oracle Enterprise Manager Fusion Middleware Control and must be used only when you access the system from admin.example.com.

Note:

Oracle recommends that you configure the load balancer (LBR) for cookie-based persistence because session persistence is required for some SOA web applications, such as BPM Worklist (/integration/worklistapp), SOA Composer (/soa/composer), BPM Composer (/bpm/composer), BPM Workspace (/bpm/workspace), and so on.

Additional Instructions for soainternal.example.com

When you configure this virtual server on the hardware load balancer:

  • Enable address and port translation.

  • Enable reset of connections when services or nodes are down.

  • As with soa.example.com, create rules to filter out access to /console and /em on this virtual server.

Additional Instructions for osb.example.com

When you configure this virtual server on the hardware load balancer:

  • Use port 443. If port 80 is used for customer usability, then it is recommended to redirect any requests to it (non-SSL protocol) to port 443 (SSL protocol). Refer to your load balancer’s specific documentation to implement this redirection.

  • Enable address and port translation.

  • Enable reset of connections when services and nodes are down.

  • Create rules to filter out access to /management and /em on this virtual server.

    These context strings direct requests to the Oracle WebLogic Remote Console and to the Oracle Enterprise Manager Fusion Middleware Control and should be used only when you access the system from admin.example.com.
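The rules above for the soa.example.com, soainternal.example.com and osb.example.com virtual servers (port 80 to 443 redirection, filtering of the console context paths, availability monitoring and cookie-based persistence) can be modelled as a small routing policy. The following Python is an added illustration, not vendor load-balancer configuration; the pools come from Table 6-1 and the cookie name LBSESSION is a constructed placeholder for whatever persistence cookie your load balancer inserts.

```python
# Added example modelling the virtual-server rules of this chapter (not vendor configuration).
# virtual server (host, port) -> (backend pool, reachable from outside the network)
VIRTUAL_SERVERS = {
    ("admin.example.com", 445): (["WEBHOST1.example.com:4445", "WEBHOST2.example.com:4445"], False),
    ("soa.example.com", 443): (["WEBHOST1.example.com:4443", "WEBHOST2.example.com:4443"], True),
    ("soainternal.example.com", 444): (["WEBHOST1.example.com:4444", "WEBHOST2.example.com:4444"], False),
    ("osb.example.com", 443): (["WEBHOST1.example.com:4446", "WEBHOST2.example.com:4446"], True),
}
ADMIN_PATHS = ("/management", "/em")        # console paths allowed only via admin.example.com
REDIRECT_TO_443 = {"soa.example.com", "osb.example.com"}   # plain-HTTP port 80 is redirected
PERSIST_COOKIE = "LBSESSION"                # constructed cookie name for session persistence

DOWN = set()          # backends the availability monitor has marked unavailable
_rr = {}              # round-robin position per virtual server

def mark_down(backend):
    """Monitor callback: stop sending traffic to a backend as soon as it fails."""
    DOWN.add(backend)

def _is_admin_path(path):
    # Match whole path segments so that /employees is not caught by the /em rule.
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PATHS)

def route(host, port, path, from_outside, cookies=None):
    """Return (status, target): 301/403/404/503 with no target, or 200 and the chosen backend."""
    cookies = cookies or {}
    if port == 80 and host in REDIRECT_TO_443:
        return 301, "https://%s:443%s" % (host, path)
    entry = VIRTUAL_SERVERS.get((host, port))
    if entry is None:
        return 404, None
    pool, external = entry
    if from_outside and not external:
        return 403, None                    # internal-only virtual server
    if host != "admin.example.com" and _is_admin_path(path):
        return 403, None                    # consoles are reachable only through admin.example.com
    live = [b for b in pool if b not in DOWN]
    if not live:
        return 503, None                    # refuse/reset rather than forward to a dead pool
    sticky = cookies.get(PERSIST_COOKIE)
    if sticky in live:
        return 200, sticky                  # cookie-based persistence keeps the session on one node
    i = _rr.get((host, port), 0)
    _rr[(host, port)] = i + 1
    return 200, live[i % len(live)]
```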

Additional Instructions for mft.example.com

Managed File Transfer requires a TCP virtual server in the load balancer for the Secure File Transfer Protocol (SFTP), in addition to the virtual server for HTTPS.

In the Managed File Transfer scenario, the load balancer directly routes the SFTP requests to the SFTP embedded servers. These SFTP embedded servers are running on the Managed File Transfer Managed Servers. For consistency, the port used in the hardware load balancer and in the SFTP servers is 7022. The Oracle HTTP Servers are not used for the SFTP requests because they cannot manage the SFTP protocol.

Managed File Transfer also uses an HTTPS virtual server to access the MFT console. In this virtual server, the load balancer routes the HTTPS requests to the Oracle HTTP Servers.

Configuring the Firewalls and Ports for an Enterprise Deployment

As an administrator, it is important that you become familiar with the port numbers that are used by various Oracle Fusion Middleware products and services. This ensures that the same port number is not used by two services on the same host, and that the proper ports are open on the firewalls in the enterprise topology.

The following tables list the ports that you must open on the firewalls in the topology:

Note:

The TCP/IP port for B2B is a user-configured port and is not predefined. Similarly, the firewall ports depend on the definition of TCP/IP ports.

Firewall notation:

  • FW0 refers to the outermost firewall.

  • FW1 refers to the firewall between the web tier and the application tier.

  • FW2 refers to the firewall between the application tier and the data tier.

Table 6-2 Firewall Ports Common to All Fusion Middleware Enterprise Deployments

Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines
Browser request | FW0 | 80 (needed only if redirection from port 80 to port 443 is used) | HTTP / Load Balancer | Inbound | Timeout depends on the size and type of HTML content.
Browser request | FW0 | 44x | HTTPS / Load Balancer | Inbound | Timeout depends on the size and type of HTML content.
Browser request | FW1 | 44x | HTTPS / Load Balancer | Outbound (for intranet clients) | Timeout depends on the size and type of HTML content.
Callbacks and outbound invocations | FW1 | 44x | HTTPS / Load Balancer | Outbound | Timeout depends on the size and type of HTML content.
Load balancer to Oracle HTTP Server | n/a | 444X | HTTPS | n/a | n/a
Session replication within a WebLogic Server cluster | n/a | n/a | n/a | n/a | By default, this communication uses the same port as the server's listen address.
WebLogic Remote Console and Enterprise Manager Console | FW1 | 9002 | HTTPS, t3s / Remote Console and Enterprise Manager | Both | You should tune this timeout based on the type of access to the Remote Console (whether you plan to use the Oracle WebLogic Remote Console from application tier clients or from clients external to the application tier).
Database access | FW2 | 1521 | SQL*Net | Both | Timeout depends on database content and on the type of process model used for SOA.
Coherence for deployment | n/a | 9991 (Coherence requires the following connectivity between members: port 9991 for both UDP and TCP in both multicast and unicast configurations; TCP port 7; ephemeral ports 32768-60999 for both UDP and TCP) | n/a | n/a | n/a
Oracle Unified Directory access | FW2 | 389, 636 (SSL) | LDAP or LDAP/SSL | Inbound | You should tune the directory server's parameters based on the load balancer, and not the other way around.
Oracle Notification Server (ONS) | FW2 | 6200 | ONS | Both | Required for GridLink. An ONS server runs on each database server.
MFT SFTP requests | FW0, FW1 | 7022 | SFTP / Embedded SFTP servers in WLS_MFTn | Inbound | Timeout depends on the size of the transferred files.
MFT HTTP requests | FW1 | 7010 | HTTPS / WLS_MFTn | Inbound | Timeout depends on the size and type of the HTML content.

Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines
WSM-PM access | FW1 | 7010 | HTTPS / WLS_WSM-PMn | Inbound | Set the timeout to 60 seconds.
SOA Server access | FW1* | 7004 | HTTPS / WLS_SOAn | Inbound | Timeout varies based on the type of process model used for SOA.
Oracle Service Bus access | FW1 | 8003 | HTTPS / WLS_OSBn | Inbound / Outbound | Set the timeout to a short period (5-10 seconds).
BAM access | FW1 | 7006 | HTTPS / WLS_BAMn | Inbound | Connections to BAM web applications are kept open until the report or browser is closed, so set the timeout as high as the longest expected user session.
Oracle Enterprise Scheduler access | FW1 | 7008 | HTTPS / WLS_ESSn | Inbound | -

* External clients can access SOA servers directly on RMI or JMS (for example, for JDeveloper deployments and for JMX monitoring), in which case FW0 might or might not need to be open, depending on the security model that you implement.
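To make the firewall notation concrete, the following added Python (not Oracle tooling) derives which firewalls a flow crosses from the tier of each endpoint and checks the flow against the openings listed in the two tables above; it also applies the same-host port check mentioned at the start of this section. Host names are those of the topology, except DBHOST1, a constructed name for a data-tier host, and the 44x/444X ranges are taken as 443.

```python
# Added example: firewall-crossing and port-collision checks for this chapter's tiered topology.
TIERS = ["internet", "web", "app", "data"]   # FW0, FW1 and FW2 sit between consecutive tiers
TIER_OF = {"client": "internet", "WEBHOST1": "web", "WEBHOST2": "web",
           "SOAHOST1": "app", "SOAHOST2": "app", "DBHOST1": "data"}   # DBHOST1 is constructed

# (firewall, port) pairs the tables above say must be open; 44x/444X taken here as 443
ALLOWED = {
    ("FW0", 80), ("FW0", 443), ("FW0", 7022),
    ("FW1", 443), ("FW1", 9002), ("FW1", 7010), ("FW1", 7004), ("FW1", 8003),
    ("FW1", 7006), ("FW1", 7008), ("FW1", 7022),
    ("FW2", 1521), ("FW2", 389), ("FW2", 636), ("FW2", 6200),
}

def firewalls_crossed(src, dst):
    """FWn separates TIERS[n] from TIERS[n+1]; a flow crosses every firewall between its endpoints."""
    a, b = sorted((TIERS.index(TIER_OF[src]), TIERS.index(TIER_OF[dst])))
    return ["FW%d" % n for n in range(a, b)]

def missing_rules(flows):
    """Openings that a list of (src, dst, port) flows needs but the tables do not provide."""
    gaps = []
    for src, dst, port in flows:
        for fw in firewalls_crossed(src, dst):
            if (fw, port) not in ALLOWED:
                gaps.append((src, dst, port, fw))
    return gaps

def port_conflicts(listeners):
    """Flag one port assigned to two different services on the same host."""
    seen, conflicts = {}, []
    for host, port, service in listeners:
        owner = seen.setdefault((host, port), service)
        if owner != service:
            conflicts.append((host, port, owner, service))
    return conflicts
```

The port check flags, for example, WSM-PM and MFT managed servers placed on the same host, since the tables above assign both WLS_WSM-PMn and WLS_MFTn port 7010.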