8 Preparing the Load Balancer and Firewalls for an Enterprise Deployment
It is important to understand how to configure the hardware load balancer and which ports must be opened on the firewalls for an enterprise deployment.
- Configuring Virtual Hosts on the Hardware Load Balancer
  The hardware load balancer configuration enables the load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
- Configuring Global Load Balancers
  As indicated in the previous sections, the Global Load Balancer (GLBR) is responsible for performing smart routing of requests between multiple Local Load Balancers.
- Configuring the Firewalls and Ports for an Enterprise Deployment
  As an administrator, it is important that you become familiar with the port numbers that are used by various Oracle Fusion Middleware products and services. This ensures that the same port number is not used by two services on the same host, and that the proper ports are open on the firewalls in the enterprise topology.
- Configuring the Firewalls and Ports for an Exalogic Enterprise Deployment
Configuring Virtual Hosts on the Hardware Load Balancer
The hardware load balancer configuration enables the load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
The following topics explain how to configure the hardware load balancer, provide a summary of the virtual servers that are required, and provide additional instructions for these virtual servers:
- Overview of the Hardware Load Balancer Configuration
- Typical Procedure for Configuring the Hardware Load Balancer
- Load Balancer Health Monitoring
- Summary of the Virtual Servers Required for an Enterprise Deployment
- Summary of the Virtual Servers Required for an Oracle Identity and Access Management Exalogic Deployment
Overview of the Hardware Load Balancer Configuration
As shown in the topology diagrams, you must configure the hardware load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
In the context of a load-balancing device, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. It is typically represented by an IP address and a service, and it is used to distribute incoming client requests to the servers in the server pool.
The virtual servers should be configured to direct traffic to the appropriate host computers and ports for the various services that are available in the enterprise deployment.
In addition, you should configure the load balancer to monitor the host computers and ports for availability so that the traffic to a particular server is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers.
Note that after you configure the load balancer, you can later configure the web server instances in the web tier to recognize a set of virtual hosts that use the same names as the virtual servers that you defined for the load balancer. For each request coming from the hardware load balancer, the web server can then route the request appropriately, based on the server name included in the header of the request. See Configuring Oracle HTTP Server for Administration and Oracle Web Services Manager.
Typical Procedure for Configuring the Hardware Load Balancer
The following procedure outlines the typical steps for configuring a hardware load balancer for an enterprise deployment.
Note that the actual procedures for configuring a specific load balancer will differ, depending on the specific type of load balancer. There may also be some differences depending on the type of protocol that is being load balanced. For example, TCP virtual servers and HTTP virtual servers use different types of monitors for their pools. Refer to the vendor-supplied documentation for actual steps.
1. Create a pool of servers. This pool contains a list of servers and the ports that are included in the load-balancing definition.
   For example, for load balancing between the web hosts, create a pool of servers that would direct requests to hosts WEBHOST1 and WEBHOST2 on port 7777.
2. Create rules to determine whether a given host and service is available, and assign them to the pool of servers that was created in Step 1.
3. Create the required virtual servers on the load balancer for the addresses and ports that receive requests for the applications.
   For a complete list of the virtual servers required for the enterprise deployment, see Summary of the Virtual Servers Required for an Enterprise Deployment.
   When you define each virtual server on the load balancer, consider the following:
   - If your load balancer supports it, specify whether the virtual server is available internally, externally, or both. Ensure that internal addresses are only resolvable from inside the network.
   - Configure SSL termination, if applicable, for the virtual server.
   - Assign the pool of servers created in Step 1 to the virtual server.
Load Balancer Health Monitoring
The load balancer must be configured to check that the services in the Load Balancer Pool are available. Failure to do so will result in requests being sent to hosts where the service is not running.
The following table shows examples of how to determine whether a service is available:
Table 8-1 Examples Showing How to Determine Whether a Service is Available
| Service | Monitor Type | Monitor Mechanism |
|---|---|---|
| OUD | ldap | ldapbind to cn=oudadmin |
| OHS | http | check for GET /\r\n |
| OTD | http | check for GET /\r\n |
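The two monitor mechanisms in Table 8-1 (an ldapbind against an OUD pool member and a GET / against an OHS or OTD pool member) are what Step 2 of the procedure above calls "rules to determine whether a given host and service is available". The following Python monitor is example code added to this page; it is not Oracle's code and not any load balancer vendor's monitor. It encodes and decodes the LDAP bind messages itself so that it needs only the standard library. The host names, the bind password and the sample response bytes are constructed placeholders; only the bind DN cn=oudadmin and the ports come from the page.

```python
"""Pool health probes of the two kinds listed in Table 8-1: an HTTP GET / probe for
an OHS or OTD pool member and an LDAP simple-bind probe for an OUD pool member.
Example code added to this page; it mimics what a load balancer monitor does."""
import socket

LDAP_SUCCESS = 0          # resultCode 0; 49 would be invalidCredentials


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage carrying an LDAPv3 simple BindRequest (RFC 4511, section 4.2).
    msg_id is limited to 1..127 so that it fits a single INTEGER octet."""
    if not 1 <= msg_id <= 127:
        raise ValueError("msg_id must be 1..127")
    bind_request = ber(0x60,                                  # [APPLICATION 0] BindRequest
                       ber(0x02, b"\x03")                      # version 3
                       + ber(0x04, bind_dn.encode("utf-8"))    # name (LDAPDN)
                       + ber(0x80, password.encode("utf-8")))  # simple [0] password
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; returns (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes):
    """Return (msg_id, result_code) from an LDAPMessage holding a BindResponse."""
    tag, message, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = _read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(message, pos)
    if tag != 0x61:                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:                        # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big")


def ldap_bind_healthy(response: bytes, expected_msg_id: int = 1) -> bool:
    """Up only if the bind succeeded. invalidCredentials (49) means the directory
    answered but the monitor's credentials are wrong; reporting that as healthy would
    hide a misconfigured monitor, so it counts as down."""
    try:
        msg_id, code = parse_bind_response(response)
    except (ValueError, IndexError):
        return False
    return msg_id == expected_msg_id and code == LDAP_SUCCESS


def http_status_ok(response: bytes) -> bool:
    """GET / verdict: a 2xx or 3xx status line means the web server is serving."""
    status_line = response.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        return False
    try:
        code = int(status_line[1])
    except ValueError:
        return False
    return 200 <= code < 400


def probe_ldap(host: str, port: int, bind_dn: str, password: str, timeout: float = 5.0) -> bool:
    """Network probe for an OUD pool member; any socket error counts as down."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_bind_request(1, bind_dn, password))
            return ldap_bind_healthy(sock.recv(4096))
    except OSError:
        return False


def probe_http(host: str, port: int, timeout: float = 5.0) -> bool:
    """Network probe for an OHS or OTD pool member; any socket error counts as down."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return http_status_ok(sock.recv(4096))
    except OSError:
        return False


# Constructed wire samples (not captured from a real directory) for offline checks.
BIND_OK = bytes.fromhex("300c02010161070a010004000400")            # resultCode 0
BIND_BAD_PASSWORD = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49

if __name__ == "__main__":
    # Placeholder members; substitute the worksheet host names and a real monitor password.
    print("OUD:", probe_ldap("ldaphost1.example.com", 1389, "cn=oudadmin", "CHANGE_ME"))
    print("OHS:", probe_http("webhost1.example.com", 7777))
```

Two design points carry over to a real monitor: a bind that returns invalidCredentials must be treated as a failed check rather than as proof that the directory is up, and the HTTP check should be tied to the status codes the root URL actually returns on that pool (a 403 on / would otherwise take a healthy OHS out of rotation).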
Summary of the Virtual Servers Required for an Enterprise Deployment
This topic provides details of the virtual servers that are required for an enterprise deployment.
The following table provides a list of the virtual servers that you must define on the hardware load balancer for the Oracle Identity and Access Management enterprise topology:
| Virtual Host | Server Pool | Protocol | SSL Termination? | Other Required Configuration/Comments |
|---|---|---|---|---|
| | | HTTPS | Yes | Identity Management requires that the following be added to the HTTP header: |
| | | HTTPS | | Identity Management requires that the following be added to the HTTP header: |
| | | HTTP | | |
| | | HTTP | | |
| | | HTTP | | |
| | | TCP | | |
| | | TCP | | |
| | | TCP | No | Only required for active-active multi datacenter deployments. |
Note:
- Port 80 is the HTTP_PORT from the Worksheet.
- Port 443 is the HTTPS_PORT from the Worksheet.
- Port 7777 is the OHS_PORT from the Worksheet.
- Port 9002 is the MSAS_PORT from the Worksheet.
- Port 1389 is the LDAP_PORT from the Worksheet. The example given is for OUD.
- Port 1636 is the LDAP_SSL_PORT from the Worksheet. The example given is for OUD.
- Port 5575 is the OAM_PROXY_PORT from the Worksheet.
Summary of the Virtual Servers Required for an Oracle Identity and Access Management Exalogic Deployment
For an Oracle Identity and Access Management deployment on Exalogic hardware, configure your load balancer as described.
Table 8-2 Load Balancer Configuration Details
| Load Balancer Virtual Server | Server Pool | Server Pool (External OHS) | Protocol | SSL Termination | External | Other Required Configuration/Comments |
|---|---|---|---|---|---|---|
| | | | HTTPS | Yes | Yes | Identity Management requires that the following be added to the HTTP header: |
| | | | HTTPS | Yes | Yes | Identity Management requires that the following be added to the HTTP header: |
| | | | HTTP | No | No | NA |
| | | | HTTP | No | No | NA |
| | | | TCP | No | No | Only required for active-active multi datacenter deployments. |
Footnote 1: For information about configuring IS_SSL, see About User Defined WebGate Parameters in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
- If you do not want to use an OTD failover group for faster failover detection, substitute WEBHOST1-VHN and WEBHOST2-VHN with the host names corresponding to the client access network. For example: WEBHOST1 and WEBHOST2.
- In Exalogic deployments it is assumed that LDAP and inter-app calls will be load balanced via OTD.
- If you are using an external OHS, then the servers will point to the external OHS hosts.
Note:
- Port 80 is the HTTP_PORT from the Worksheet.
- Port 443 is the HTTPS_PORT from the Worksheet.
- Port 7777 is the OHS_PORT from the Worksheet.
- Port 1389 is the LDAP_PORT from the Worksheet.
- Port 1636 is the LDAP_SSL_PORT from the Worksheet.
Configuring Global Load Balancers
As indicated in the previous sections, the Global Load Balancer (GLBR) is responsible for performing smart routing of requests between multiple Local Load Balancers.
Configuring the Firewalls and Ports for an Enterprise Deployment
As an administrator, it is important that you become familiar with the port numbers that are used by various Oracle Fusion Middleware products and services. This ensures that the same port number is not used by two services on the same host, and that the proper ports are open on the firewalls in the enterprise topology.
The following tables list the ports that you must open on the firewalls in the topology.
Firewall notation:
- FW0 refers to the outermost firewall.
- FW1 refers to the firewall between the web tier and the application tier.
- FW2 refers to the firewall between the application tier and the data tier.
Table 8-3 Firewall Ports Common to All Fusion Middleware Enterprise Deployments
| Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines |
|---|---|---|---|---|---|
| Browser request | FW0 | 80 | HTTP / Load Balancer | Inbound | Timeout depends on the size and type of HTML content. |
| Browser request | FW0 | 443 | HTTPS / Load Balancer | Inbound | Timeout depends on the size and type of HTML content. |
| Browser request | FW1 | 80 | HTTP / Load Balancer | Outbound (for intranet clients) | Timeout depends on the size and type of HTML content. |
| Browser request | FW1 | 443 | HTTPS / Load Balancer | Outbound (for intranet clients) | Timeout depends on the size and type of HTML content. |
| Callbacks and outbound invocations | FW1 | 80 | HTTP / Load Balancer | Outbound | Timeout depends on the size and type of HTML content. |
| Callbacks and outbound invocations | FW1 | 443 | HTTPS / Load Balancer | Outbound | Timeout depends on the size and type of HTML content. |
| Load balancer to Oracle HTTP Server | n/a | 7777 | HTTP | n/a | n/a |
| OHS registration with Administration Server | FW1 | 7001 | HTTP / t3 | Inbound | Set the timeout to a short period (5-10 seconds). |
| OHS management by Administration Server | FW1 | OHS Admin Port (7779) | TCP / HTTP | Outbound | Set the timeout to a short period (5-10 seconds). |
| Session replication within a WebLogic Server cluster | n/a | n/a | n/a | n/a | By default, this communication uses the same port as the server's listen address. |
| Administration Console access | FW1 | 7001 | HTTP / Administration Server and Enterprise Manager t3 | Both | You should tune this timeout based on the type of access to the admin console (whether you plan to use the Oracle WebLogic Server Administration Console from the application tier clients or clients external to the application tier). |
| Database access | FW2 | 1521 | SQL*Net | Both | Timeout depends on database content and on the type of process model used for SOA. |
| Coherence for deployment | n/a | 9991 | n/a | n/a | n/a |
| Oracle Unified Directory access | FW2 | 389, 636 (SSL) | LDAP or LDAP/SSL | Inbound | You should tune the directory server's parameters based on the load balancer, and not the other way around. |
| Oracle Notification Server (ONS) | FW2 | 6200 | ONS | Both | Required for GridLink. An ONS server runs on each database server. |
Table 8-4 Firewall Ports Specific to the Oracle Identity and Access Management Enterprise Deployment
| Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines |
|---|---|---|---|---|---|
| Web tier access to Oracle WebLogic Administration Server (IAMAccessDomain) | FW1 | 7010 | HTTP / Oracle HTTP Server and Administration Server | Inbound | N/A |
| Web tier access to Oracle WebLogic Administration Server (IAMGovernanceDomain) | FW1 | 7101 | HTTP / Oracle HTTP Server and Administration Server | Inbound | N/A |
| WSM-PM access | FW1 | 7010 (range: 7010 to 7999) | HTTP / WLS_WSM-PMn | Inbound | Set the timeout to 60 seconds. |
| Enterprise Manager Agent - web tier to Enterprise Manager | FW1 | 5160 | HTTP / Enterprise Manager Agent and Enterprise Manager | Both | N/A |
| Oracle HTTP Server to WLS_OAM | FW1 | 14100 | HTTP / Oracle HTTP Server to WebLogic Server | Inbound | Timeout depends on the |
| Oracle HTTP Server to WLS_OIM | FW1 | 14000 | HTTP / Oracle HTTP Server to WebLogic Server | Inbound | Timeout depends on the |
| Oracle HTTP Server to WLS_SOA | FW1 | 8001 | HTTP / Oracle HTTP Server to WebLogic Server | Both | Timeout depends on the |
| Oracle HTTP Server to WLS_AMA | FW1 | 14150 | HTTP / Oracle HTTP Server to WebLogic Server | Both | Timeout depends on the |
| Oracle HTTP Server to WLS_BI | FW1 | 9704 | HTTP / Oracle HTTP Server to WebLogic Server | Both | Timeout depends on the |
| Oracle HTTP Server management by Administration Server | FW1 | OPMN remote port (6701) and OHS Administration Port (7779) | TCP and HTTP, respectively | Outbound | Set the timeout to a short period, such as 5-10 seconds. |
| Access Manager Server | FW1 | 5575 | OAP | Both | N/A |
| Access Manager Coherence port | FW1 | 9095 | TCMP | Both | N/A |
| Oracle Coherence port | FW1 | 8000–8088 | TCMP | Both | N/A |
| Application tier to database listener | FW2 | 1521 | SQL*Net | Both | Timeout depends on all database content and on the type of process model used for Oracle Identity and Access Management. |
| Oracle Notification Server (ONS) | FW2 | 6200 | ONS | Both | Required for GridLink. An ONS server runs on each database server. |
| OUD port | FW2 | 1389 | LDAP | Inbound | Ideally, these connections should be configured not to time out. |
| OUD SSL port | FW2 | 14636 | LDAPS | Inbound | Ideally, these connections should be configured not to time out. |
| Load balancer LDAP port | FW2 | 386 | LDAP | Inbound | Ideally, these connections should be configured not to time out. |
| Load balancer LDAP SSL port | FW2 | 636 | LDAPS | Inbound | Ideally, these connections should be configured not to time out. |
| Node Manager | N/A | 5556 | TCP/IP | N/A | N/A |
| Oracle Unified Directory replication | N/A | 8989 | TCP/IP | N/A | N/A |
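Two checks fall out of Tables 8-3 and 8-4 and the paragraph that introduces them: no two services on one host may claim the same port, and each firewall (FW0, FW1, FW2) must admit exactly the ports listed for it. The following Python script performs both checks. It is example code added to this page, not part of Oracle's guide or tooling. The port numbers in RULES are taken from the tables above, but the selection of rows is ours, and the host worksheet is constructed (it deliberately puts two services on IAMHOST1:7010 to show what a collision report looks like); it is not the real enterprise deployment worksheet.

```python
"""Port-plan checks for the firewall tables: detect two services sharing a port on
one host, and list the ports each firewall must admit. Example code added to this
page; RULES is a subset of Tables 8-3/8-4 and WORKSHEET is a constructed sample."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    service: str
    firewall: str       # "FW0", "FW1", "FW2" or "n/a" for host-internal traffic
    ports: range        # a single port is range(p, p + 1)
    protocol: str
    direction: str      # "Inbound", "Outbound", "Both" or "n/a"


def port_range(spec: str) -> range:
    """Parse '7001' or '7010-7999' (an en dash as in the tables is accepted) into a range."""
    lo, _, hi = spec.replace("–", "-").partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if hi_i < lo_i:
        raise ValueError(f"bad port range: {spec}")
    return range(lo_i, hi_i + 1)


# Port values from Tables 8-3 and 8-4; the choice of rows is ours.
RULES = [
    PortRule("Browser request (HTTP)", "FW0", port_range("80"), "HTTP", "Inbound"),
    PortRule("Browser request (HTTPS)", "FW0", port_range("443"), "HTTPS", "Inbound"),
    PortRule("Web tier to IAMAccessDomain AdminServer", "FW1", port_range("7010"), "HTTP", "Inbound"),
    PortRule("Web tier to IAMGovernanceDomain AdminServer", "FW1", port_range("7101"), "HTTP", "Inbound"),
    PortRule("WSM-PM access", "FW1", port_range("7010-7999"), "HTTP", "Inbound"),
    PortRule("Oracle HTTP Server to WLS_OAM", "FW1", port_range("14100"), "HTTP", "Inbound"),
    PortRule("Access Manager Server", "FW1", port_range("5575"), "OAP", "Both"),
    PortRule("Application tier to database listener", "FW2", port_range("1521"), "SQL*Net", "Both"),
    PortRule("OUD port", "FW2", port_range("1389"), "LDAP", "Inbound"),
    PortRule("Node Manager", "n/a", port_range("5556"), "TCP/IP", "n/a"),
]


def ports_for_firewall(rules, firewall: str) -> list:
    """Sorted distinct ports the named firewall must admit. Ranges are expanded so the
    reviewer sees how much a grant such as 7010-7999 actually opens on FW1."""
    ports = set()
    for rule in rules:
        if rule.firewall == firewall:
            ports.update(rule.ports)
    return sorted(ports)


def find_port_conflicts(assignments) -> dict:
    """assignments: iterable of (host, service, port). Returns {(host, port): [services]}
    for every host/port pair claimed by more than one service."""
    claims = defaultdict(list)
    for host, service, port in assignments:
        claims[(host, port)].append(service)
    return {key: services for key, services in claims.items() if len(services) > 1}


# Constructed host worksheet with one deliberate collision on IAMHOST1:7010.
WORKSHEET = [
    ("WEBHOST1", "OHS", 7777),
    ("WEBHOST2", "OHS", 7777),
    ("IAMHOST1", "AdminServer (IAMAccessDomain)", 7010),
    ("IAMHOST1", "WLS_WSM-PM1", 7010),
    ("IAMHOST1", "WLS_OAM1", 14100),
    ("IAMHOST2", "WLS_OAM2", 14100),
    ("LDAPHOST1", "OUD", 1389),
]

if __name__ == "__main__":
    for fw in ("FW0", "FW1", "FW2"):
        ports = ports_for_firewall(RULES, fw)
        print(f"{fw}: {len(ports)} ports, starting {ports[:4]}")
    for (host, port), services in find_port_conflicts(WORKSHEET).items():
        print(f"CONFLICT {host}:{port} claimed by {', '.join(services)}")
```

Expanding the ranges is the useful part of the firewall view: the single WSM-PM row turns into 990 open ports on FW1, which is worth seeing before the rule is committed.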
Configuring the Firewalls and Ports for an Exalogic Enterprise Deployment
Many Oracle Fusion Middleware components and services use ports. As an administrator, you must know the port numbers used by these services and ensure that the same port number is not used by two services on a host.
Most port numbers are assigned during installation.
The following table lists the ports used in the Oracle Identity and Access Management topology, including the ports that you must open on the firewalls in the topology.
Note:
In this table,
- FW0 refers to the outermost firewall
- FW1 refers to the firewall between the web tier and the application tier
- FW2 refers to the firewall between the application tier and the data tier
On Exalogic systems:
- FW1 is in between the load balancer and the Exadata Machine, unless an External OHS is used
- FW2 will be present only if your database does not reside on Exadata
Table 8-5 Ports Used in the Exalogic Reference Topology
| Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines |
|---|---|---|---|---|---|
| Load balancer to Oracle Traffic Director | FW0 | 7777 | HTTP | n/a | Timeout depends on all HTML content and the process models used for the Oracle Fusion Middleware products you are using in the Exalogic environment. |
| IAMAccess Domain Administration Console access | FW1 | 7001 | HTTP / Administration Server and Enterprise Manager | Both | You should tune this timeout based on the type of access to the Administration console (whether it is planned to use the Oracle WebLogic Server Administration Console from application tier clients or clients external to the application tier). |
| IAMGovernance Domain Administration Console access | FW1 | 7101 | HTTP / Administration Server and Enterprise Manager | Both | You should tune this timeout based on the type of access to the Administration console (whether it is planned to use the Oracle WebLogic Server Administration Console from application tier clients or clients external to the application tier). |
| Coherence | n/a | 8088 (range: 8080 - 8090) | n/a | n/a | |
| Application tier to data tier (Oracle database or RAC outside of Oracle Exalogic machine via Ethernet) | FW2 | 1521 | n/a | n/a | |
| Oracle HTTP Server WLS_OAM | FW1 | 14100 | HTTP | Inbound | Managed Servers, which use |
| Oracle HTTP Server WLS_OIM | FW1 | 14000 | HTTP | Inbound | Managed Servers, which use |
| Oracle HTTP Server WLS_SOA | FW1 | 8001 | HTTP | Inbound | Managed Servers, which use |
| Oracle HTTP Server WLS_AMA | FW1 | 14150 | HTTP | Inbound | Managed Servers, which use |