7 Preparing the Load Balancer and Firewalls for an Enterprise Deployment

This chapter describes how to configure the hardware load balancer for an enterprise deployment and which ports must be opened on the firewalls between the tiers.

Configuring Virtual Hosts on the Hardware Load Balancer

The hardware load balancer must be configured to recognize and route requests to several virtual servers and their associated ports, for the different types of network traffic and for monitoring.

The following topics explain how to configure the hardware load balancer, provide a summary of the virtual servers that are required, and provide additional instructions for these virtual servers:

Overview of the Hardware Load Balancer Configuration

As shown in the topology diagrams, you must configure the hardware load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.

In the context of a load-balancing device, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. It is typically represented by an IP address and a service, and it is used to distribute incoming client requests to the servers in the server pool.

The virtual servers should be configured to direct traffic to the appropriate host computers and ports for the various services that are available in the enterprise deployment.

In addition, you should configure the load balancer to monitor the host computers and ports for availability so that the traffic to a particular server is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers.

Note that after you configure the load balancer, you can later configure the web server instances in the web tier to recognize a set of virtual hosts that use the same names as the virtual servers that you defined for the load balancer. For each request coming from the hardware load balancer, the web server can then route the request appropriately, based on the server name included in the header of the request. See Configuring Oracle HTTP Server for Administration and Oracle Web Services Manager.

Typical Procedure for Configuring the Hardware Load Balancer

The following procedure outlines the typical steps for configuring a hardware load balancer for an enterprise deployment.

Note that the actual procedures for configuring a specific load balancer will differ, depending on the specific type of load balancer. There may also be some differences depending on the type of protocol that is being load balanced. For example, TCP virtual servers and HTTP virtual servers use different types of monitors for their pools. Refer to the vendor-supplied documentation for actual steps.

  1. Create a pool of servers. This pool contains a list of servers and the ports that are included in the load-balancing definition.

    For example, for load balancing between the web hosts, create a pool of servers that would direct requests to hosts WEBHOST1 and WEBHOST2 on port 7777.

  2. Create rules to determine whether a given host and service is available and assign it to the pool of servers that are described in Step 1.

  3. Create the required virtual servers on the load balancer for the addresses and ports that receive requests for the applications.

    For a complete list of the virtual servers required for the enterprise deployment, see Summary of the Virtual Servers Required for an Enterprise Deployment.

    When you define each virtual server on the load balancer, consider the following:

    1. If your load balancer supports it, specify whether the virtual server is available internally, externally, or both. Ensure that internal addresses are only resolvable from inside the network.

    2. Configure SSL Termination, if applicable, for the virtual server.

    3. Assign the pool of servers created in Step 1 to the virtual server.

Load Balancer Health Monitoring

The load balancer must be configured to check that the services in each load balancer pool are available. If it is not, requests are sent to hosts where the service is not running.

The following table shows examples of how to determine whether a service is available:

Table 7-1 Examples Showing How to Determine Whether a Service is Available

Service | Monitor Type | Monitor Mechanism
OUD | ldap | ldapbind to cn=oudadmin
OHS | http | Send GET /\r\n and check for an HTTP response
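The procedure above (create a pool, attach a monitor, select only live members) and the two monitors in Table 7-1 can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the Oracle documentation or from any load balancer vendor. The HTTP probe issues GET / against the OHS pool; the LDAP probe performs an LDAPv3 simple bind on the wire (no client library) and treats resultCode 0 as healthy. Host names follow the chapter; the probe timeout, the fall/rise thresholds and the scripted probe results are assumptions.

```python
"""Pool, health monitor and member selection for a load-balancer virtual server.

Added example, not part of the Oracle documentation. It models the pool/monitor/
virtual-server steps of the typical procedure and the two monitors in Table 7-1
(HTTP GET / for the OHS pool, LDAP simple bind for the OUD pool). Host names follow
the chapter; the timeout and the fall/rise thresholds are assumptions.
"""
import http.client
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Probe = Callable[[str, int], bool]

def http_probe(host: str, port: int, path: str = "/", timeout: float = 3.0) -> bool:
    """Table 7-1 OHS monitor: GET / must answer with a 2xx or 3xx status."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
        return 200 <= status < 400
    except OSError:
        return False

# Minimal LDAPv3 simple bind in BER (RFC 4511), so the monitor needs no client library.
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def ldap_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def _header(buf: bytes, i: int) -> Tuple[int, int, int]:
    """(tag, length, offset of first content byte) of the TLV at buf[i]; long-form lengths handled."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        return tag, first, i + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n

def ldap_bind_result_code(response: bytes) -> Optional[int]:
    """resultCode of a BindResponse (0 = success, 49 = invalidCredentials); None if malformed."""
    try:
        tag, _, i = _header(response, 0)          # LDAPMessage SEQUENCE
        tag2, ln, i = _header(response, i)        # messageID INTEGER
        tag3, _, i = _header(response, i + ln)    # BindResponse [APPLICATION 1]
        tag4, ln4, i = _header(response, i)       # resultCode ENUMERATED
        return response[i] if (tag, tag2, tag3, tag4, ln4) == (0x30, 0x02, 0x61, 0x0A, 1) else None
    except IndexError:
        return None

def ldap_bind_probe(host: str, port: int, dn: str, password: str, timeout: float = 3.0) -> bool:
    """Table 7-1 OUD monitor: a simple bind answered with resultCode 0 means the server is up."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ldap_bind_request(1, dn, password))
            return ldap_bind_result_code(s.recv(4096)) == 0
    except OSError:
        return False

@dataclass
class Member:
    host: str
    port: int
    up: bool = True
    failures: int = 0
    successes: int = 0

@dataclass
class Pool:
    members: List[Member]
    probe: Probe
    fall: int = 2   # consecutive failed probes before a member leaves rotation (assumed)
    rise: int = 3   # consecutive good probes before it is re-admitted (assumed)
    _rr: int = field(default=0, repr=False)

    def run_monitor(self) -> None:
        """One monitor cycle over every member (what the load balancer does on a timer)."""
        for m in self.members:
            if self.probe(m.host, m.port):
                m.failures, m.successes = 0, m.successes + 1
                m.up = m.up or m.successes >= self.rise
            else:
                m.successes, m.failures = 0, m.failures + 1
                m.up = m.up and m.failures < self.fall

    def pick(self) -> Optional[Member]:
        """Round-robin over members currently reported up; None when the whole pool is down."""
        live = [m for m in self.members if m.up]
        if not live:
            return None
        m = live[self._rr % len(live)]
        self._rr += 1
        return m
```

A probe is any callable taking (host, port) and returning a boolean, so a pool can be exercised offline with a scripted lambda before the real probes are pointed at WEBHOST1/WEBHOST2:7777 or LDAPHOST1/LDAPHOST2:1389. Two cautions on the bind monitor: it carries a password, so give the monitor a dedicated, minimally privileged directory account rather than the directory administrator, and when it binds over the LDAP_PORT rather than the LDAP_SSL_PORT that password crosses the data-tier network in clear text on every monitor cycle.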

Summary of the Virtual Servers Required for an Enterprise Deployment

This topic provides details of the virtual servers that are required for an enterprise deployment.

The following table lists the virtual servers that you must define on the hardware load balancer for the Oracle Identity and Access Management enterprise topology:

Virtual Host | Server Pool | Protocol | SSL Termination? | Other Required Configuration / Comments
login.example.com:443 | WEBHOST1.example.com:7777, WEBHOST2.example.com:7777 | HTTPS | Yes | Identity Management requires that the load balancer add the following headers to each forwarded request: IS_SSL: ssl; WL-Proxy-SSL: true
prov.example.com:443 | WEBHOST1.example.com:7777, WEBHOST2.example.com:7777 | HTTPS | Yes | Identity Management requires that the load balancer add the following headers to each forwarded request: IS_SSL: ssl; WL-Proxy-SSL: true
iadadmin.example.com:80 | WEBHOST1.example.com:7777, WEBHOST2.example.com:7777 | HTTP | No |
igdadmin.example.com:80 | WEBHOST1.example.com:7777, WEBHOST2.example.com:7777 | HTTP | No |
igdinternal.example.com:7777 | WEBHOST1.example.com:7777, WEBHOST2.example.com:7777 | HTTP | No |
idstore.example.com:1389 | LDAPHOST1.example.com:1389, LDAPHOST2.example.com:1389 | TCP | No |
idstore.example.com:1636 | LDAPHOST1.example.com:1636, LDAPHOST2.example.com:1636 | TCP | No |
oam.example.com:5575 | OAMHOST1.example.com:5575, OAMHOST2.example.com:5575 | TCP | No | Only required for active-active multi datacenter deployments.

Note:

  • Port 80 is the HTTP_PORT from the Worksheet.

  • Port 443 is the HTTPS_PORT from the Worksheet.

  • Port 7777 is the OHS_PORT from the Worksheet.

  • Port 1389 is the LDAP_PORT from the Worksheet. The example given is for OUD.

  • Port 1636 is the LDAP_SSL_PORT from the Worksheet. The example given is for OUD.

  • Port 5575 is the OAM_PROXY_PORT from the Worksheet.
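The IS_SSL and WL-Proxy-SSL headers tell the web and application tiers that a request which arrives over plain HTTP on port 7777 was HTTPS at the client. That only holds if the load balancer sets the headers itself and the web tier believes them only when they come from the load balancer; anything that can reach port 7777 directly could otherwise send WL-Proxy-SSL: true on its own. The following added example (not code from the Oracle documentation) shows both sides of that contract. The header names and values are the ones the table requires; the load balancer subnet and the sample requests are constructed for illustration.

```python
"""SSL-termination headers: what the load balancer adds and what the web tier may trust.

Added example, not code from the Oracle documentation. IS_SSL: ssl and
WL-Proxy-SSL: true are the headers the virtual server table requires; the
load balancer subnet and the sample requests are constructed.
"""
import ipaddress
from typing import Dict, Tuple

# Assumption: the hardware load balancer reaches the web tier from this subnet.
LB_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]

# Headers required on the login.example.com and prov.example.com virtual servers.
SSL_TERMINATION_HEADERS = {"IS_SSL": "ssl", "WL-Proxy-SSL": "true"}


def _is_proxy_header(name: str) -> bool:
    """Header names are case-insensitive; match IS_SSL and the whole WL-Proxy-* family."""
    n = name.lower()
    return n == "is_ssl" or n.startswith("wl-proxy-")


def lb_forward_headers(client_headers: Dict[str, str], terminated_tls: bool) -> Dict[str, str]:
    """Load balancer side: discard whatever the client sent under the proxy header names,
    then set them only on a virtual server that actually terminated TLS."""
    forwarded = {k: v for k, v in client_headers.items() if not _is_proxy_header(k)}
    if terminated_tls:
        forwarded.update(SSL_TERMINATION_HEADERS)
    return forwarded


def web_tier_view(headers: Dict[str, str], peer_ip: str,
                  trusted=LB_NETWORKS) -> Tuple[Dict[str, str], bool]:
    """Web tier side: honour IS_SSL / WL-Proxy-* only when the TCP peer is the load
    balancer. Returns (headers to pass upstream, request arrived over HTTPS)."""
    peer = ipaddress.ip_address(peer_ip)
    from_lb = any(peer in net for net in trusted)
    clean = {k: v for k, v in headers.items() if from_lb or not _is_proxy_header(k)}
    lowered = {k.lower(): v.lower() for k, v in clean.items()}
    over_tls = from_lb and (lowered.get("wl-proxy-ssl") == "true" or lowered.get("is_ssl") == "ssl")
    return clean, over_tls


def redirect_location(host: str, path: str, over_tls: bool) -> str:
    """The practical effect: self-referencing redirects (for example to the login page)
    must use the client-facing scheme, not the plain-HTTP hop from the load balancer."""
    return f"{'https' if over_tls else 'http'}://{host}{path}"
```

Checking the peer address is the part that matters: without it, a client with direct access to port 7777 could assert WL-Proxy-SSL: true over plain HTTP. Filtering on the WL-Proxy- prefix rather than on the one header name keeps the rule identical for every other proxy-asserted header in that family.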

Summary of the Virtual Servers Required for an Oracle Identity and Access Management Deployment

For an Oracle Identity and Access Management deployment, configure your load balancer as described in the following table. If you are using an external OHS, use the Server Pool (External OHS) column, so that the virtual servers point to the external OHS hosts.

Table 7-2 Load Balancer Configuration Details

Load Balancer Virtual Server | Server Pool | Server Pool (External OHS) | Protocol | SSL Termination | External | Other Required Configuration / Comments
login.example.com:443 | WEBHOST1vhn1.example.com:7777, WEBHOST2vhn1.example.com:7777 | OHSHOST1.example.com:7777, OHSHOST2.example.com:7777 | HTTPS | Yes | Yes | Identity Management requires that the load balancer add the following headers to each forwarded request: IS_SSL (see Footnote 1): ssl; WL-Proxy-SSL: true
prov.example.com:443 | WEBHOST1vhn1.example.com:7777, WEBHOST2vhn1.example.com:7777 | OHSHOST1.example.com:7777, OHSHOST2.example.com:7777 | HTTPS | Yes | Yes | Identity Management requires that the load balancer add the following headers to each forwarded request: IS_SSL: ssl; WL-Proxy-SSL: true
iadadmin.example.com:80 | WEBHOST1vhn1.example.com:7777, WEBHOST2vhn1.example.com:7777 | OHSHOST1.example.com:7777, OHSHOST2.example.com:7777 | HTTP | No | No | NA
igdadmin.example.com:80 | WEBHOST1vhn1.example.com:7777, WEBHOST2vhn1.example.com:7777 | OHSHOST1.example.com:7777, OHSHOST2.example.com:7777 | HTTP | No | No | NA
oam.example.com:5575 | OAMHOST1.example.com:5575, OAMHOST2.example.com:5575 | OAMHOST1.example.com:5575, OAMHOST2.example.com:5575 | TCP | No | No | Only required for active-active multi datacenter deployments.

Footnote 1: For information about configuring IS_SSL, see About User Defined WebGate Parameters in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Note:

  • Port 80 is the HTTP_PORT from the Worksheet.

  • Port 443 is the HTTPS_PORT from the Worksheet.

  • Port 7777 is the OHS_PORT from the Worksheet.

  • Port 1389 is the LDAP_PORT from the Worksheet.

  • Port 1636 is the LDAP_SSL_PORT from the Worksheet.

Configuring Global Load Balancers

As indicated in the previous sections, the Global Load Balancer (GLBR) is responsible for smart routing of requests between multiple local load balancers.

This smart routing is usually based on the originating request. In an Oracle Fusion Middleware Identity and Access Management multi-data center active-active deployment, it is recommended that you confine callbacks and invocations that originate from servers in a given site to that same site. Because the GLBR is typically located physically in one of the two sites, this also makes invocations to that site more efficient. You must configure a global load balancer for multi-site deployments whether the second site is active or is used for disaster recovery.

Configuring the Firewalls and Ports for an Enterprise Deployment

As an administrator, it is important that you become familiar with the port numbers that are used by various Oracle Fusion Middleware products and services. This ensures that the same port number is not used by two services on the same host, and that the proper ports are open on the firewalls in the enterprise topology.

The following tables list the ports that you must open on the firewalls in the topology:

Firewall notation:

  • FW0 refers to the outermost firewall.

  • FW1 refers to the firewall between the web tier and the application tier.

  • FW2 refers to the firewall between the application tier and the data tier.

Table 7-3 Firewall Ports Common to All Fusion Middleware Enterprise Deployments

Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines
Browser request | FW0 | 80 | HTTP / Load Balancer | Inbound | Timeout depends on the size and type of HTML content.
Browser request | FW0 | 443 | HTTPS / Load Balancer | Inbound | Timeout depends on the size and type of HTML content.
Browser request | FW1 | 80 | HTTP / Load Balancer | Outbound (for intranet clients) | Timeout depends on the size and type of HTML content.
Browser request | FW1 | 443 | HTTPS / Load Balancer | Outbound (for intranet clients) | Timeout depends on the size and type of HTML content.
Callbacks and outbound invocations | FW1 | 80 | HTTP / Load Balancer | Outbound | Timeout depends on the size and type of HTML content.
Callbacks and outbound invocations | FW1 | 443 | HTTPS / Load Balancer | Outbound | Timeout depends on the size and type of HTML content.
Load balancer to Oracle HTTP Server | n/a | 7777 | HTTP | n/a | n/a
OHS registration with Administration Server | FW1 | 7001 | HTTP / t3 | Inbound | Set the timeout to a short period (5-10 seconds).
OHS management by Administration Server | FW1 | OHS Admin Port (7779) | TCP / HTTP | Outbound | Set the timeout to a short period (5-10 seconds).
Session replication within a WebLogic Server cluster | n/a | n/a | n/a | n/a | By default, this communication uses the same port as the server's listen address.
Administration Console access | FW1 | 7001 | HTTP, t3 / Administration Server and Enterprise Manager | Both | You should tune this timeout based on the type of access to the admin console (whether you plan to use the Oracle WebLogic Server Administration Console from the application tier clients or from clients external to the application tier).
Database access | FW2 | 1521 | SQL*Net | Both | Timeout depends on database content and on the type of process model used for SOA.
Coherence for deployment | n/a | 9991 | n/a | n/a | n/a
Oracle Unified Directory access | FW2 | 389, 636 (SSL) | LDAP or LDAP/SSL | Inbound | You should tune the directory server's parameters based on the load balancer, and not the other way around.
Oracle Notification Server (ONS) | FW2 | 6200 | ONS | Both | Required for GridLink. An ONS server runs on each database server.

Table 7-4 Firewall Ports Specific to the Oracle Identity and Access Management Enterprise Deployment

Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines
Web tier access to Oracle WebLogic Administration Server (IAMAccessDomain) | FW1 | 7010 | HTTP / Oracle HTTP Server and Administration Server | Inbound | N/A
Web tier access to Oracle WebLogic Administration Server (IAMGovernanceDomain) | FW1 | 7101 | HTTP / Oracle HTTP Server and Administration Server | Inbound | N/A
WSM-PM access | FW1 | 7010 (range: 7010 to 7999) | HTTP / WLS_WSM-PMn | Inbound | Set the timeout to 60 seconds.
Enterprise Manager Agent - web tier to Enterprise Manager | FW1 | 5160 | HTTP / Enterprise Manager Agent and Enterprise Manager | Both | N/A
Oracle HTTP Server to WLS_OAM | FW1 | 14100 | HTTP / Oracle HTTP Server to WebLogic Server | Inbound | Timeout depends on the mod_weblogic parameters used.
Oracle HTTP Server to WLS_OIM | FW1 | 14000 | HTTP / Oracle HTTP Server to WebLogic Server | Inbound | Timeout depends on the mod_weblogic parameters used.
Oracle HTTP Server to WLS_SOA | FW1 | 8001 | HTTP / Oracle HTTP Server to WebLogic Server | Both | Timeout depends on the mod_weblogic parameters used.
Oracle HTTP Server to WLS_AMA | FW1 | 14150 | HTTP / Oracle HTTP Server to WebLogic Server | Both | Timeout depends on the mod_weblogic parameters used.
Oracle HTTP Server to WLS_BI | FW1 | 9704 | HTTP / Oracle HTTP Server to WebLogic Server | Both | Timeout depends on the mod_weblogic parameters used.
Access Manager Server | FW1 | 5575 | OAP | Both | N/A
Access Manager Coherence port | FW1 | 9095 | TCMP | Both | N/A
Oracle Coherence Port | FW1 | 8000–8088 | TCMP | Both | N/A
Application Tier to Database Listener | FW2 | 1521 | SQL*Net | Both | Timeout depends on all database content and on the type of process model used for Oracle Identity and Access Management.
Oracle Notification Server (ONS) | FW2 | 6200 | ONS | Both | Required for GridLink. An ONS server runs on each database server.
OUD Port (LDAP_PORT) | FW2 | 1389 | LDAP | Inbound | Ideally, these connections should be configured not to time out.
OUD SSL Port (LDAP_SSL_PORT) | FW2 | 1636 | LDAPS | Inbound | Ideally, these connections should be configured not to time out.
Load Balancer LDAP Port | FW2 | 389 | LDAP | Inbound | Ideally, these connections should be configured not to time out.
Load Balancer LDAP SSL Port | FW2 | 636 | LDAPS | Inbound | Ideally, these connections should be configured not to time out.
Node Manager | N/A | 5556 | TCP/IP | N/A | N/A
Oracle Unified Directory Replication | N/A | 8989 | TCP/IP | N/A | N/A
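The two tables are a port allow list per firewall, and the section's two requirements (no two services on one port, only the listed ports open) are both mechanical checks. The following added example, which is not from the Oracle documentation, turns a constructed subset of Tables 7-3 and 7-4 into a default-deny rule set: it answers whether a given flow through FW0, FW1 or FW2 is permitted in the requested direction, reports overlapping port ranges, and renders one firewall's inbound allow list as nftables commands. Port, firewall and direction values are taken from the tables; the transport protocol column and the nftables table and chain names are assumptions.

```python
"""Default-deny port policy for the FW0/FW1/FW2 firewalls of the enterprise deployment.

Added example, not from the Oracle documentation. RULES is a constructed subset of
Tables 7-3 and 7-4 (port, firewall and direction as the tables state them); the
transport protocol column and the nftables table and chain names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    service: str
    firewall: str      # FW0, FW1 or FW2
    low: int           # first port of the range
    high: int          # last port (equal to low for a single port)
    protocol: str      # transport protocol the packet filter matches on (assumed tcp)
    direction: str     # "Inbound", "Outbound" or "Both", as in the tables

    def covers(self, port: int) -> bool:
        return self.low <= port <= self.high


def parse_port(spec: str) -> Tuple[int, int]:
    """'7001' -> (7001, 7001); '8000-8088', '8000–8088' or '7010 to 7999' -> (low, high)."""
    parts = [p for p in spec.replace("to", "-").replace("\u2013", "-").split("-") if p.strip()]
    low, high = int(parts[0]), int(parts[-1])
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port specification {spec!r}")
    return low, high


RULES = [
    Rule("Browser request", "FW0", *parse_port("80"), "tcp", "Inbound"),
    Rule("Browser request", "FW0", *parse_port("443"), "tcp", "Inbound"),
    Rule("Callbacks and outbound invocations", "FW1", *parse_port("443"), "tcp", "Outbound"),
    Rule("OHS registration with Administration Server", "FW1", *parse_port("7001"), "tcp", "Inbound"),
    Rule("WSM-PM access", "FW1", *parse_port("7010 to 7999"), "tcp", "Inbound"),
    Rule("Oracle HTTP Server to WLS_OAM", "FW1", *parse_port("14100"), "tcp", "Inbound"),
    Rule("Access Manager Server (OAP)", "FW1", *parse_port("5575"), "tcp", "Both"),
    Rule("Application Tier to Database Listener", "FW2", *parse_port("1521"), "tcp", "Both"),
    Rule("OUD Port", "FW2", *parse_port("1389"), "tcp", "Inbound"),
    Rule("Oracle Notification Server (ONS)", "FW2", *parse_port("6200"), "tcp", "Both"),
]


def permitted(rules: List[Rule], firewall: str, port: int, direction: str, protocol: str = "tcp") -> bool:
    """Default deny: a flow passes only if a row on that firewall lists the port for the
    requested direction ("Both" rows allow either direction)."""
    return any(r.firewall == firewall and r.protocol == protocol and r.covers(port)
               and r.direction in (direction, "Both") for r in rules)


def overlapping(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Pairs of rows on the same firewall whose port ranges intersect: the case the
    section warns about, where two services would compete for one port on a host."""
    hits = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.firewall == b.firewall and a.protocol == b.protocol
                    and a.low <= b.high and b.low <= a.high):
                hits.append((a, b))
    return hits


def nft_rules(rules: List[Rule], firewall: str) -> List[str]:
    """Render one firewall's inbound allow list as nftables commands with a drop policy."""
    chain = f"{firewall.lower()}_in"
    lines = [
        "nft add table inet edg",
        f"nft add chain inet edg {chain} '{{ type filter hook forward priority 0; policy drop; }}'",
        f"nft add rule inet edg {chain} ct state established,related accept",
    ]
    for r in rules:
        if r.firewall == firewall and r.direction in ("Inbound", "Both"):
            port = str(r.low) if r.low == r.high else f"{r.low}-{r.high}"
            lines.append(f'nft add rule inet edg {chain} {r.protocol} dport {port} '
                         f'ct state new accept comment "{r.service}"')
    return lines


if __name__ == "__main__":
    print("\n".join(nft_rules(RULES, "FW1")))
    for a, b in overlapping(RULES + [Rule("proposed managed server", "FW1", 7500, 7500, "tcp", "Inbound")]):
        print(f"conflict on {a.firewall}: {a.service} ({a.low}-{a.high}) vs {b.service} ({b.low}-{b.high})")
```

"Both" in the tables means the connection may be opened from either side of the firewall, so the rendered chain covers only the inbound half of such rows; the outbound half, and the Outbound-only rows (callbacks to the load balancer on 80 and 443), need the mirror-image chain on the other hook. The drop policy is the point: anything not in the tables, including administrative protocols such as SSH, is rejected unless it is added deliberately.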