6 Preparing the Load Balancer and Firewalls for an Enterprise Deployment
It is important to understand how to configure the hardware load balancer and ports that must be opened on the firewalls for an enterprise deployment.
- Configuring Virtual Hosts on the Hardware Load Balancer
The hardware load balancer configuration facilitates to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring. - Configuring the Firewalls and Ports for an Enterprise Deployment
As an administrator, it is important that you become familiar with the port numbers that are used by various Oracle Fusion Middleware products and services. This ensures that the same port number is not used by two services on the same host, and that the proper ports are open on the firewalls in the enterprise topology.
Parent topic: Preparing for an Enterprise Deployment
Configuring Virtual Hosts on the Hardware Load Balancer
The hardware load balancer configuration facilitates to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
The following topics explain how to configure the hardware load balancer, provide a summary of the virtual servers that are required, and provide additional instructions for these virtual servers:
- Overview of the Hardware Load Balancer Configuration
- Typical Procedure for Configuring the Hardware Load Balancer
- Summary of the Virtual Servers Required for an Enterprise Deployment
- Additional Instructions for admin.example.com
- Additional Instructions for soa.example.com
- Additional Instructions for soainternal.example.com
- Additional Instructions for osb.example.com
- Additional Instructions for mft.example.com
Overview of the Hardware Load Balancer Configuration
As shown in the topology diagrams, you must configure the hardware load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
In the context of a load-balancing device, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. It is typically represented by an IP address and a service, and it is used to distribute incoming client requests to the servers in the server pool.
The virtual servers should be configured to direct traffic to the appropriate host computers and ports for the various services that are available in the enterprise deployment.
In addition, you should configure the load balancer to monitor the host computers and ports for availability so that the traffic to a particular server is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers. At the same time, this monitoring should not overload the backend system with too frequent health requests. In the end, a trade off needs to be made between how fast the death detection occurs and how much overhead is introduced on the systems that are monitored
Note that after you configure the load balancer, you can later configure the web server instances in the web tier to recognize a set of virtual hosts that use the same names as the virtual servers that you defined for the load balancer. For each request coming from the hardware load balancer, the web server can then route the request appropriately, based on the server name included in the header of the request. See Configuring Oracle HTTP Server for Administration and Oracle Web Services Manager.
Parent topic: Configuring Virtual Hosts on the Hardware Load Balancer
Typical Procedure for Configuring the Hardware Load Balancer
The following procedure outlines the typical steps for configuring a hardware load balancer for an enterprise deployment.
Note that the actual procedures for configuring a specific load balancer will differ, depending on the specific type of load balancer. There may also be some differences depending on the type of protocol that is being load balanced. For example, TCP virtual servers and HTTP virtual servers use different types of monitors for their pools. Refer to the vendor-supplied documentation for actual steps.
-
Create a pool of servers. This pool contains a list of servers and the ports that are included in the load-balancing definition.
For load balancing between the web hosts, create a pool of servers that would direct requests to hosts WEBHOST1 and WEBHOST2 to each port used in the OHS. For example, a pool to WEBHOST1 and WEBHOST2 to port 4443 for access to applications like SOA and OSB, another pool to WEBHOST1 and WEBHOST2 to port 4444 for internal accesses, and another pool to WEBHOST1 and WEBHOST2 to port 4445 for access to admin consoles.
-
Create rules to determine whether a given host and service is available and assign it to the pool of servers that are described in Step 1.
-
Create the required virtual servers on the load balancer for the addresses and ports that receive requests for the applications.
For a complete list of the virtual servers required for the enterprise deployment, see Summary of the Virtual Servers Required for an Enterprise Deployment.
When you define each virtual server on the load balancer, consider the following:
-
If your load balancer supports it, specify whether the virtual server is available internally, externally, or both. Ensure that the internal addresses are only resolvable from inside the network.
-
Assign the pool of servers created in Step 1 to the virtual server.
-
Configure SSL for the virtual server.
-
Configure SSL for the communication with the pool of servers.
Some load balancers may need to be provided with the backend's certificate (the SSL certificate used by the OHS listeners in the backend pool) to establish the appropriate SSL communication. In that case you may need to add the OHS's CA certificate to the load balancer as a trusted certificate. Since this guide uses example certificates based on the WebLogic per-domain CA, you can add this after the domain is created.
-
Parent topic: Configuring Virtual Hosts on the Hardware Load Balancer
Summary of the Virtual Servers Required for an Enterprise Deployment
This topic provides details of the virtual servers that are required for an enterprise deployment.
The following table provides a list of the virtual servers that you must define on the hardware load balancer for the Oracle SOA Suite enterprise topology:
Table 6-1 List of Virtual Servers
Virtual Host | Server Pool | Protocol | External |
---|---|---|---|
admin.example.com:445 |
|
HTTPS |
No |
soa.example.com:443 |
|
HTTPS |
Yes |
soainternal.example.com:444 |
|
HTTPS |
No |
osb.example.com:443 |
|
HTTPS |
Yes |
mft.example.com:7022 |
|
TCP (SFTP) |
Yes |
mft.example.com:443 |
|
HTTPS |
Yes |
Note:
If SOA Suite and Oracle Managed File Transfer are deployed on the same host, then Managed File Transfer can share the HTTPS virtual servers that are used by SOA to access the Managed File Transfer console. However, a separate Managed File Transfer virtual server is required for TCP protocol (used to load balance SFTP requests).
Parent topic: Configuring Virtual Hosts on the Hardware Load Balancer
Additional Instructions for admin.example.com
This section provides additional instructions that are required for the virtual server-admin.example.com.
When you configure this virtual server on the hardware load balancer:
-
Enable address and port translation.
-
Enable reset of connections when services or hosts are down.
Parent topic: Configuring Virtual Hosts on the Hardware Load Balancer
Additional Instructions for soa.example.com
When you configure this virtual server on the hardware load balancer:
-
Use port 443. If port 80 is used for customer usability, then it is recommended to redirect any requests to it (non-SSL protocol) to port 443 (SSL protocol). Refer to your load balancer’s specific documentation to implement this redirection.
-
Specify ANY as the protocol (non-HTTP protocols are required for B2B).
-
Enable address and port translation.
-
Enable reset of connections when services and nodes are down.
-
Create rules to filter out access to
/management
and/em
on this virtual server.These context strings direct requests to the Oracle WebLogic Remote Console and to the Oracle Enterprise Manager Fusion Middleware Control and must be used only when you access the system from
admin.example.com
.
Note:
Oracle recommends that you configure LBR for cookie-based persistence because session persistence is required for some web applications of SOA, such as BPM Worklist (/integration/worklistapp
), SOA Composer (/soa/composer
), BPM Composer (/bpm/composer
), BPM Workspace (/bpm/workspace
), and so on.
Parent topic: Configuring Virtual Hosts on the Hardware Load Balancer
Additional Instructions for soainternal.example.com
When you configure this virtual server on the hardware load balancer:
-
Enable address and port translation.
-
Enable reset of connections when services or nodes are down.
-
As with the soa.example.com, create rules to filter out access to
/console
and/em
on this virtual server.
Parent topic: Configuring Virtual Hosts on the Hardware Load Balancer
Additional Instructions for osb.example.com
When you configure this virtual server on the hardware load balancer:
-
Use port 443. If port 80 is used for customer usability, then it is recommended to redirect any requests to it (non-SSL protocol) to port 443 (SSL protocol). Refer to your load balancer’s specific documentation to implement this redirection.
-
Enable address and port translation.
-
Enable reset of connections when services and nodes are down.
-
Create rules to filter out access to
/management
and/em
on this virtual server.These context strings direct requests to the Oracle WebLogic Remote Console and to the Oracle Enterprise Manager Fusion Middleware Control and should be used only when you access the system from
admin.example.com
.
Parent topic: Configuring Virtual Hosts on the Hardware Load Balancer
Additional Instructions for mft.example.com
The Managed File Transfer requires a TCP virtual server in the load balancer for the Secure File Transfer Protocol (SFTP), in addition to the virtual server for HTTPS.
In the Managed File Transfer scenario, the load balancer directly routes the SFTP requests to the SFTP embedded servers. These SFTP embedded servers are running on the Managed File Transfer Managed Servers. For consistency, the port used in the hardware load balancer and in the SFTP servers is 7022. The Oracle HTTP Servers are not used for the SFTP requests because they cannot manage the SFTP protocol.
The Managed File Transfer also uses a HTTPS virtual server to access the MFT console. In this virtual server, the load balancer routes the HTTPS requests to the Oracle HTTP Servers.
Parent topic: Configuring Virtual Hosts on the Hardware Load Balancer
Configuring the Firewalls and Ports for an Enterprise Deployment
As an administrator, it is important that you become familiar with the port numbers that are used by various Oracle Fusion Middleware products and services. This ensures that the same port number is not used by two services on the same host, and that the proper ports are open on the firewalls in the enterprise topology.
The following tables lists the ports that you must open on the firewalls in the topology:
Note:
The TCP/IP port for B2B is a user-configured port and is not predefined. Similarly, the firewall ports depend on the definition of TCP/IP ports.
Firewall notation:
-
FW0 refers to the outermost firewall.
-
FW1 refers to the firewall between the web tier and the application tier.
-
FW2 refers to the firewall between the application tier and the data tier.
Table 6-2 Firewall Ports Common to All Fusion Middleware Enterprise Deployments
Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines |
---|---|---|---|---|---|
Browser request |
FW0 |
80 Note: You need this option only if redirection from port 80 to port 443 is used. |
HTTP / Load Balancer |
Inbound |
Timeout depends on the size and type of HTML content. |
Browser request |
FW0 |
44x |
HTTPS / Load Balancer |
Inbound |
Timeout depends on the size and type of HTML content. |
Browser request |
FW1 |
44x |
HTTPS / Load Balancer |
Outbound (for intranet clients) |
Timeout depends on the size and type of HTML content. |
Callbacks and Outbound invocations |
FW1 |
44x |
HTTPS / Load Balancer |
Outbound |
Timeout depends on the size and type of HTML content. |
Load balancer to Oracle HTTP Server |
n/a |
444X |
HTTPS |
n/a |
n/a |
Session replication within a WebLogic Server cluster |
n/a |
n/a |
n/a |
n/a |
By default, this communication uses the same port as the server's listen address. |
WebLogic Remote Console and Enterprise Manager Console |
FW1 |
9002 |
HTTPS / Remote Console and Enterprise Manager t3s |
Both |
You should tune this timeout based on the type of access to the Remote console (whether you plan to use the Oracle WebLogic Remote Console from the application tier clients or clients external to the application tier). |
Database access |
FW2 |
1521 |
SQL*Net |
Both |
Timeout depends on database content and on the type of process model used for SOA. |
Coherence for deployment |
n/a |
9991 Coherence requires the following connectivity between members:
|
n/a |
n/a |
n/a |
Oracle Unified Directory access |
FW2 |
389 636 (SSL) |
LDAP or LDAP/ssl |
Inbound |
You should tune the directory server's parameters based on load balancer, and not the other way around. |
Oracle Notification Server (ONS) |
FW2 |
6200 |
ONS |
Both |
Required for Gridlink. An ONS server runs on each database server. |
MFT SFTP Requests |
FW0, FW1 |
7022 |
SFTP/Embedded SFTP servers in WLS_MFTn |
Inbound |
Timeout depends on the size of the transferred files. |
MFT HTTP Requests |
FW1 |
7010 |
HTTPS/ WLS_MFTn |
Inbound |
Timeout depends on the size and type of the HTML content. |
*External clients can access SOA servers directly on RMI or JMS (for example, for JDeveloper deployments and for JMX monitoring), in which case FW0 might need to be open or not depending on the security model that you implement.
Type | Firewall | Port and Port Range | Protocol/Application | Inbound / Outbound | Other Considerations and Timeout Guidelines |
---|---|---|---|---|---|
WSM-PM access |
FW1 |
7010 |
HTTPS / WLS_WSM-PMn |
Inbound |
Set the timeout to 60 seconds. |
SOA Server access |
FW1* |
7004 |
HTTPS / WLS_SOAn |
Inbound |
Timeout varies based on the type of process model used for SOA. |
Oracle Service Bus Access |
FW1 |
8003 |
HTTPS / WLS_OSBn |
Inbound/ Outbound |
Set the timeout to a short period (5-10 seconds). |
BAM access |
FW1 |
7006 |
HTTPS / WLS_BAMn |
Inbound |
Connections to BAM WebApps are kept open until the report/browser is closed, so set the timeout as high as the longest expected user session. |
Oracle Enterprise Scheduler access |
FW1 |
7008 |
HTTPS/WLS_ESSn |
Inbound |
- |