7 Preparing the Load Balancer and Firewalls for an Enterprise Deployment
It is important to understand how to configure the external load balancer and ports that must be opened on the firewalls for an enterprise deployment.
- Configuring Virtual Hosts on the External Load Balancer
The external load balancer must be configured to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
- Configuring the Firewalls and Ports for an Enterprise Deployment
As an administrator, it is important that you become familiar with the port numbers that are used by various Oracle Fusion Middleware products and services. This ensures that the same port number is not used by two services on the same host, and that the proper ports are open on the firewalls in the enterprise topology.
Parent topic: Preparing for an Enterprise Deployment
Configuring Virtual Hosts on the External Load Balancer
The external load balancer must be configured to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
The following topics explain how to configure the external load balancer, provide a summary of the virtual servers that are required, and provide additional instructions for these virtual servers:
Overview of the External Load Balancer Configuration
As shown in the topology diagrams, you must configure the external load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
In the context of a load-balancing device, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. It is typically represented by an IP address and a service, and it is used to distribute incoming client requests to the servers in the server pool.
The virtual servers should be configured to direct traffic to the appropriate host computers and ports for the various services that are available in the enterprise deployment.
In addition, you should configure the load balancer to monitor the host computers and ports for availability so that traffic to a particular server is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers. At the same time, this monitoring should not overload the backend systems with too frequent health requests. In the end, a trade-off must be made between how quickly a dead service is detected and how much overhead the monitoring introduces on the systems being monitored.
Note that after you configure the load balancer, you can later configure the web server instances in the web tier to recognize a set of virtual hosts that use the same names as the virtual servers that you defined for the load balancer. For each request coming from the external load balancer, the web server can then route the request appropriately, based on the server name included in the header of the request. See Configuring Oracle HTTP Server for Administration and Oracle Web Services Manager.
Parent topic: Configuring Virtual Hosts on the External Load Balancer
Typical Procedure for Configuring the External Load Balancer
The following procedure outlines the typical steps for configuring an external load balancer for an enterprise deployment.
Note that the actual procedures for configuring a specific load balancer will differ, depending on the specific type of load balancer. There may also be some differences depending on the type of protocol that is being load balanced. For example, TCP virtual servers and HTTP virtual servers use different types of monitors for their pools. Refer to the vendor-supplied documentation for actual steps.
-
Create a pool of servers. This pool contains a list of servers and the ports that are included in the load-balancing definition.
For load balancing between the web hosts, create one pool per OHS port, each directing requests to WEBHOST1 and WEBHOST2: for example, a pool on port 4443 for access to applications such as OAM and OIG, a pool on port 4446 for internal access, a pool on port 4444 for access to the OAM administration consoles, and a pool on port 4445 for access to the OIG administration consoles.
If you are using SSL termination, the pools instead direct requests to WEBHOST1 and WEBHOST2 on port 7777.
-
Create monitors (rules) that determine whether a given host and service is available, and assign them to the pool of servers created in Step 1.
-
Create the required virtual servers on the load balancer for the addresses and ports that receive requests for the applications.
For a complete list of the virtual servers required for the enterprise deployment, see Summary of the Virtual Servers Required for an Enterprise Deployment.
When you define each virtual server on the load balancer, consider the following:
-
If your load balancer supports it, specify whether the virtual server is available internally, externally, or both. Ensure that internal addresses are only resolvable from inside the network.
-
Configure SSL Termination, if applicable, for the virtual server.
-
Configure SSL for the virtual server for end-to-end SSL.
-
Configure SSL for the communication with the pool of servers for end-to-end SSL.
Some load balancers may need to be provided with the backend's certificate (the SSL certificate used by the OHS listeners in the backend pool) to establish the appropriate SSL communication. In that case you may need to add the OHS's CA certificate to the load balancer as a trusted certificate. Since this guide uses example certificates based on the WebLogic per-domain CA, you can add this after the domain is created.
-
Assign the pool of servers created in Step 1 to the virtual server.
Parent topic: Configuring Virtual Hosts on the External Load Balancer
Load Balancer Health Monitoring
The load balancer must be configured to check that the services in the Load Balancer Pool are available. Failure to do so will result in requests being sent to hosts where the service is not running.
The following table shows examples of how to determine whether a service is available:
Table 7-1 Examples Showing How to Determine Whether a Service is Available
Service | Monitor Type | Monitor Mechanism |
---|---|---|
OUD | ldap | ldapbind to cn=oudadmin |
OHS | http | check for GET /healtcheck.html\r\n |
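The following Python script is an added example, not part of the Oracle guide: it implements the HTTP monitor from Table 7-1 together with the fall/rise hysteresis that most load balancers apply before marking a pool member down or up, which is where the trade-off between fast death detection and monitor overhead described in the overview is actually set. The health page name /healthcheck.html, the probe timeout and the fall/rise thresholds are assumptions; the backend is a constructed local stand-in for an OHS listener, so the script runs offline. The OUD ldapbind monitor is not modelled here.

```python
# Added example: HTTP health monitor with fall/rise hysteresis, run against a
# constructed local stand-in for an OHS listener. Not code from the Oracle guide.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HEALTH_PATH = "/healthcheck.html"   # assumed name of the static health page on OHS


def http_probe(host, port, path=HEALTH_PATH, timeout=2.0):
    """One monitor probe: GET the health page and succeed only on HTTP 200.
    The timeout bounds how long a dead host can delay detection; the interval
    between probes (chosen by the caller) bounds the load put on each member."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        ok = conn.getresponse().status == 200
        conn.close()
        return ok
    except (OSError, http.client.HTTPException):
        return False


class PoolMember:
    """State for one backend in a load balancer pool. The member changes state
    only after `fall` consecutive failed probes or `rise` consecutive good ones,
    so one dropped probe does not bounce a healthy server out of the pool."""

    def __init__(self, host, port, fall=3, rise=2):
        self.host, self.port = host, port
        self.fall, self.rise = fall, rise
        self.up = True
        self._streak = 0  # consecutive probes that disagree with the current state

    def record(self, probe_ok):
        if probe_ok == self.up:
            self._streak = 0
        else:
            self._streak += 1
            needed = self.fall if self.up else self.rise
            if self._streak >= needed:
                self.up, self._streak = not self.up, 0
        return self.up

    def check(self, probe=http_probe):
        return self.record(probe(self.host, self.port))


# --- constructed stand-in for an OHS instance serving the health page ---
class _FakeOHS(BaseHTTPRequestHandler):
    healthy = True  # flipped by demo() to simulate the service going down

    def do_GET(self):
        self.send_response(200 if self.path == HEALTH_PATH and _FakeOHS.healthy else 503)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_ohs():
    """Starts the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeOHS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Drives a member through an outage and a recovery; returns the in-pool trace."""
    srv, port = start_fake_ohs()
    member = PoolMember("127.0.0.1", port, fall=3, rise=2)
    trace = [member.check()]                     # healthy
    _FakeOHS.healthy = False
    trace += [member.check() for _ in range(3)]  # leaves the pool on the 3rd failure
    _FakeOHS.healthy = True
    trace += [member.check() for _ in range(2)]  # back after the 2nd success
    srv.shutdown()
    return trace


if __name__ == "__main__":
    print(demo())  # [True, True, True, False, False, True]
```

Running it prints the state trace: the member stays in the pool through two failed probes and leaves on the third, then returns after two good probes. Shortening the timeout and the probe interval lowers detection time at the cost of more requests against each OHS instance; raising `fall` avoids flapping on a single slow response.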
Parent topic: Configuring Virtual Hosts on the External Load Balancer
Summary of the Virtual Servers Required for an Enterprise Deployment
This topic provides details of the virtual servers that are required for an enterprise deployment.
The following table provides a list of the virtual servers that you must define on the external load balancer for the Oracle Identity and Access Management enterprise topology:
Virtual Host | Server Pool (SSL Terminated) | External | Server Pool (end to end SSL) | Other Required Configuration/ Comments |
---|---|---|---|---|
 | | Yes | | Identity Management requires that the following be added to the HTTP header: |
 | | Yes | | Identity Management requires that the following be added to the HTTP header: |
 | | No | | |
 | | No | | |
 | | No | | |
 | | No | | |
 | | No | | |
Additional Instructions for iadadmin.example.com and igdadmin.example.com
This section provides additional instructions that are required for the virtual servers iadadmin.example.com and igdadmin.example.com.
Perform the following steps when you configure these virtual servers on the load balancer:
-
Enable address and port translation.
-
Enable reset of connections when services or hosts are down.
Additional Instructions for login.example.com and oig.example.com
Perform the following steps when you configure these virtual servers on the external load balancer:
-
Use port 80 and port 443. Any request that is directed to port 80 (non-SSL protocol) should be redirected to port 443 (SSL protocol).
-
Enable address and port translation.
-
Enable reset of connections when services and nodes are down.
-
Create rules to filter out access to /management and /em on this virtual server.
These context strings direct requests to the WebLogic Remote Console and to Oracle Enterprise Manager Fusion Middleware Control and must be used only when you access the system from iadadmin.example.com and igdadmin.example.com.
Note:
Oracle recommends that you configure the LBR (load balancer) for cookie-based persistence because session persistence is required for some SOA web applications, such as BPM Worklist (/integration/worklistapp), SOA Composer (/soa/composer), BPM Composer (/bpm/composer), BPM Workspace (/bpm/workspace), and so on.
Additional Instructions for igdinternal.example.com
Perform the following steps when you configure this virtual server on the external load balancer:
-
Enable address and port translation.
-
Enable reset of connections when services or nodes are down.
As with login.example.com, create rules to filter out access to /console and /em on this virtual server.
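The following is an added example, not from the Oracle guide: a small Python model of the rules this section asks for on the external load balancer (the port 80 to 443 redirect, the /management, /em and /console filters, and virtual servers that must not be reachable from outside), written so the rules can be reviewed and tested before being entered in a vendor's configuration syntax. The host names are the guide's example names; the mapping of each virtual server to an OHS pool port is assumed from the example ports in step 1 of the procedure earlier in this chapter, the "internal-only" and "plain HTTP not offered" deny behaviours are assumptions, and the path normalization is added here because a prefix filter applied to the raw request path is bypassed by /oam/../em or by percent-encoding.

```python
# Added example: testable model of the per-virtual-server rules described above.
# Not code from the Oracle guide; pool ports and the two deny behaviours are assumed.
import posixpath
from urllib.parse import unquote

POOL_MEMBERS = ("WEBHOST1", "WEBHOST2")

# One entry per virtual server. pool_port is the OHS listener behind it (assumed from
# the example ports in step 1 of the procedure); blocked lists the admin context roots
# the guide says must be filtered on that virtual server.
VIRTUAL_SERVERS = {
    "login.example.com":       dict(external=True,  redirect_http=True,  pool_port=4443, blocked=("/management", "/em")),
    "oig.example.com":         dict(external=True,  redirect_http=True,  pool_port=4443, blocked=("/management", "/em")),
    "iadadmin.example.com":    dict(external=False, redirect_http=False, pool_port=4444, blocked=()),
    "igdadmin.example.com":    dict(external=False, redirect_http=False, pool_port=4445, blocked=()),
    "igdinternal.example.com": dict(external=False, redirect_http=False, pool_port=4446, blocked=("/console", "/em")),
}


def normalize_path(raw_path):
    """Strip the query, percent-decode once and collapse '.', '..' and repeated
    slashes, so the deny rules see the path the backend would actually resolve."""
    decoded = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath("/" + decoded.lstrip("/"))


def _under(path, prefix):
    """True for the context root itself and anything below it, not for '/emergency'."""
    return path == prefix or path.startswith(prefix + "/")


def decide(host, port, raw_path, client_internal):
    """Returns ('deny', reason), ('redirect', url) or ('forward', [member:port, ...])."""
    vs = VIRTUAL_SERVERS.get(host.lower())
    if vs is None:
        return ("deny", "unknown virtual host")
    if not vs["external"] and not client_internal:
        # Internal names must not resolve outside; a hit from outside is denied as well.
        return ("deny", "internal-only virtual server")
    if port == 80:
        if vs["redirect_http"]:
            return ("redirect", f"https://{host}{raw_path}")
        return ("deny", "plain HTTP not offered on this virtual server")
    path = normalize_path(raw_path)
    for prefix in vs["blocked"]:
        if _under(path, prefix):
            return ("deny", f"{prefix} is reachable only via the admin virtual servers")
    return ("forward", [f"{member}:{vs['pool_port']}" for member in POOL_MEMBERS])


if __name__ == "__main__":
    for req in [("login.example.com", 80, "/oam/server", False),
                ("login.example.com", 443, "/oam/../em", False),
                ("iadadmin.example.com", 443, "/em", False),
                ("iadadmin.example.com", 443, "/em", True)]:
        print(req, "->", decide(*req))
```

The normalization step is the part most often missing from hand-written load balancer rules: a filter on the literal string /em stops /em but not /oam/../em, //em, or /%65m, all of which the web server resolves to the same context root.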
Parent topic: Configuring Virtual Hosts on the External Load Balancer
Configuring the Firewalls and Ports for an Enterprise Deployment
As an administrator, it is important that you become familiar with the port numbers that are used by various Oracle Fusion Middleware products and services. This ensures that the same port number is not used by two services on the same host, and that the proper ports are open on the firewalls in the enterprise topology.
The following tables list the ports that you must open on the firewalls in the topology:
Firewall notation:
-
FW0 refers to the outermost firewall.
-
FW1 refers to the firewall between the web tier and the application tier.
-
FW2 refers to the firewall between the application tier and the data tier.
Table 7-2 Firewall Ports for SSL Terminated Enterprise Deployments
Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines |
---|---|---|---|---|---|
Browser request | FW0 | 80 (needed only if redirection from port 80 to port 443 is used) | HTTP / Load Balancer | Inbound | Timeout depends on the size and type of HTML content. |
Browser request | FW0 | 443 | HTTPS / Load Balancer | Inbound | Timeout depends on the size and type of HTML content. |
Browser request | FW1 | 443 | HTTPS / Load Balancer | Outbound (for intranet clients) | Timeout depends on the size and type of HTML content. |
Callbacks and Outbound invocations | FW1 | 443 | HTTPS / Load Balancer | Outbound | Timeout depends on the size and type of HTML content. |
Load balancer to Oracle HTTP Server | n/a | 7777 | HTTP | n/a | n/a |
Session replication within a WebLogic Server cluster | n/a | n/a | n/a | n/a | By default, this communication uses the same port as the server's listen address. |
WebLogic Remote Console and Enterprise Manager Console | FW1 | 7001 | HTTP / t3 | Both | Tune this timeout based on the type of access to the WebLogic Remote Console (whether you plan to use it from clients in the application tier or from clients external to the application tier). |
OAM Server Access | FW1 | 14100 | HTTP | Inbound | Set the timeout to a short period (5-10 seconds). |
OAM Policy Manager | FW1 | 14150 | HTTP | Inbound | Set the timeout to a short period (5-10 seconds). |
OIG Administration Console Access | FW1 | 7101 | HTTP | Inbound | Set the timeout to a short period (5-10 seconds). |
OIM Server Access | FW1 | 14000 | HTTP | Inbound | Set the timeout to a short period (5-10 seconds). |
SOA Server Access | FW1 | 7003 | HTTP | Inbound | Set the timeout to a short period (5-10 seconds). |
Database access | FW2 | 1521 | SQL*Net | Both | Timeout depends on database content and on the type of process model used for SOA. |
Oracle Notification Server (ONS) | FW2 | 6200 | ONS | Both | Required for GridLink. An ONS server runs on each database server. |
Coherence for deployment | n/a | 9991 Coherence requires the following connectivity between members: | n/a | n/a | n/a |
Oracle Unified Directory access | FW2 | 1389 | LDAP | Inbound | Tune the directory server's parameters based on the load balancer, not the other way around. |
Table 7-3 Firewall Ports for End to End SSL Enterprise Deployments
Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines |
---|---|---|---|---|---|
Browser request | FW0 | 443 | HTTPS / Load Balancer | Inbound | Timeout depends on the size and type of HTML content. |
Browser request | FW1 | 443 | HTTPS / Load Balancer | Outbound (for intranet clients) | Timeout depends on the size and type of HTML content. |
Callbacks and Outbound invocations | FW1 | 443 | HTTPS / Load Balancer | Outbound | Timeout depends on the size and type of HTML content. |
Load balancer to Oracle HTTP Server | n/a | 4445-4449 | HTTPS | n/a | n/a |
OHS registration with Administration Server | FW1 | 7002 | HTTPS / t3s | Inbound | Set the timeout to a short period (5-10 seconds). |
OHS management by Administration Server | FW1 | OHS Admin Port (7779) | TCP / HTTP | Outbound | Set the timeout to a short period (5-10 seconds). |
Session replication within a WebLogic Server cluster | n/a | n/a | n/a | n/a | By default, this communication uses the same port as the server's listen address. |
OAM Administration Console access | FW1 | 9001 | HTTPS / Administration Server and Enterprise Manager (https/t3s) | Both | Tune this timeout based on the type of access to the WebLogic Remote Console (whether you plan to use it from clients in the application tier or from clients external to the application tier). |
OAM Server Access | FW1 | 14101 | HTTPS | Inbound | Set the timeout to a short period (5-10 seconds). |
OAM Policy Manager | FW1 | 14151 | HTTPS | Inbound | Set the timeout to a short period (5-10 seconds). |
OIG Administration Console Access | FW1 | 9102 | HTTPS | Inbound | Set the timeout to a short period (5-10 seconds). |
OIM Server Access | FW1 | 14001 | HTTPS | Inbound | Set the timeout to a short period (5-10 seconds). |
SOA Server Access | FW1 | 7004 | HTTPS | Inbound | Set the timeout to a short period (5-10 seconds). |
Database access | FW2 | 1521 | SQL*Net | Both | Timeout depends on database content and on the type of process model used for SOA. |
Oracle Notification Server (ONS) | FW2 | 6200 | ONS | Both | Required for GridLink. An ONS server runs on each database server. |
Coherence for deployment | n/a | 9991 Coherence requires the following connectivity between members: | n/a | n/a | n/a |
Oracle Unified Directory access | FW2 | 1636 | LDAPS | Inbound | Tune the directory server's parameters based on the load balancer, not the other way around. |
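The following is an added example, not from the Oracle guide: two checks that follow from this section, written in Python. The first flags a port claimed by two services on the same host, which the introduction to this section says must not happen; the second is a plain TCP connect probe to confirm that a port really is open through a firewall, meant to be run from the tier that needs the access after the rules in Tables 7-2 and 7-3 have been applied. The per-host port plan is constructed from the end-to-end SSL ports in Table 7-3 and deliberately assigns port 4443 twice on WEBHOST1; the probe in demo() uses a local listener as a stand-in for a backend so the script runs offline.

```python
# Added example: port-collision check for a per-host listener plan, plus a TCP
# reachability probe to confirm firewall openings. Not code from the Oracle guide;
# the plan below is constructed and deliberately reuses port 4443 on WEBHOST1.
import socket
from collections import defaultdict

HOST_PLAN = {
    "OAMHOST1": {"OAM Server": 14101, "OAM Policy Manager": 14151,
                 "OAM Administration Server": 9001},
    "OIMHOST1": {"OIM Server": 14001, "SOA Server": 7004,
                 "OIG Administration Server": 9102, "Coherence": 9991},
    "WEBHOST1": {"OHS login/oig listener": 4443, "OHS internal listener": 4446,
                 "OHS Admin Port": 7779, "second vhost (mistake)": 4443},
}


def port_collisions(plan):
    """Returns {(host, port): [services]} for every port claimed twice on one host."""
    found = {}
    for host, services in plan.items():
        by_port = defaultdict(list)
        for service, port in services.items():
            by_port[port].append(service)
        found.update({(host, p): sorted(s) for p, s in by_port.items() if len(s) > 1})
    return found


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect. Refused or timed out means the firewall, or the service
    itself, is not letting this tier through; run it from the tier needing access."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_open(targets, timeout=3.0):
    """targets: iterable of (firewall, host, port); returns those that are not reachable."""
    return [t for t in targets if not tcp_reachable(t[1], t[2], timeout)]


def demo():
    """Runs both checks. The probe uses a local listener as stand-in for a backend
    behind FW1, first while it is listening and again after it has been closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    targets = [("FW1", "127.0.0.1", port)]
    failed_while_open = verify_open(targets, timeout=1.0)
    listener.close()
    failed_after_close = verify_open(targets, timeout=1.0)
    return port_collisions(HOST_PLAN), failed_while_open, failed_after_close


if __name__ == "__main__":
    collisions, before, after = demo()
    for (host, port), services in collisions.items():
        print(f"{host}: port {port} claimed by {services}")
    print("unreachable while listening:", before)
    print("unreachable after close:", after)
```

A connect that succeeds only proves the firewall passes the TCP handshake; it says nothing about the idle-timeout values in the last column of the tables, which still have to be set on the firewall itself for the long-lived t3, SQL*Net and ONS connections.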