6 Preparing the Load Balancer and Firewalls for an Enterprise Deployment

This chapter describes how to configure your network for an enterprise deployment.

This chapter contains the following sections:

6.1 Configuring Virtual Hosts on the Hardware Load Balancer

The following sections explain how to configure the hardware load balancer for an enterprise deployment:

6.1.1 Overview of the Hardware Load Balancer Configuration

As shown in the topology diagrams, you must configure the hardware load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.

In context of a load balancing device, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. It is typically represented by an IP address and a service, and it is used to distribute incoming client requests to the servers in the server pool.

The virtual servers should be configured to direct traffic to the appropriate host computers and ports for the various services available in the enterprise deployment.

For more information about the virtual servers required for an Oracle SOA Suite enterprise deployment, see Section 3.3.1, "Summary of Oracle SOA Suite Load Balancer Virtual Server Names".

In addition, you should configure the load balancer to monitor the host computers and ports for availability so that the traffic to a particular server is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers.

Note that after you configure the load balancer, you can later configure the Web server instances in the Web tier to recognize a set of virtual hosts that use the same names as the virtual servers you defined for the load balancer. For each request coming from the hardware load balancer, the Web server can then route the request appropriately, based on the server name included in the header in the request. For more information, see Section 11.7, "Configuring Oracle HTTP Server for Administration and Oracle Web Services Manager".

6.1.2 Typical Procedure for Configuring the Hardware Load Balancer

The procedures for configuring a load balancer differ, depending on the specific type of load balancer. Refer to the vendor supplied documentation for actual steps.

The following steps outline the general configuration flow. Refer to Table 6-1 for a listing of each virtual server you must define on the load balancer:

  1. Create a pool of servers. This pool contains a list of servers and the ports that are included in the load balancing definition.

    For example, for load balancing between the Web hosts, create a pool of servers which would direct requests to hosts WEBHOST1 and WEBHOST2 on port 7777.

  2. Create rules to determine whether or not a given host and service is available and assign it to the pool of servers described in Step 1.

  3. Create a Virtual Server on the load balancer. This is the address and port that receives requests used by the application.

    For example, to load balance Web Tier requests you would create the following virtual host:

    soa.example.com:80
    

    When you define each virtual server on the load balancer, consider the following:

    1. If your load balancer supports it, specify whether or not the virtual server is available internally, externally or both. Ensure that internal addresses are only resolvable from inside the network.

    2. Configure SSL Termination, if applicable, for the virtual server.

    3. Assign the Pool of servers created in Step 1 to the virtual server.

6.1.3 Summary of the Virtual Servers Required for an Oracle SOA Suite Enterprise Deployment

Table 6-1 provides a list of the virtual servers you must define on the hardware load balancer for the Oracle SOA Suite enterprise topology.

Table 6-1 Summary Virtual Servers to Define on the Hardware Load Balancer

Virtual Host Server Pool Protocol SSL Termination? External?

admin.example.com:80

WEBHOST1.example.com:7777
WEBHOST2.example.com:7777

HTTP

No

No

soa.example.com:443

WEBHOST1.example.com:7777
WEBHOST2.example.com:7777

HTTPS

Yes

Yes

soainternal.example.com:80

WEBHOST1.example.com:7777
WEBHOST2.example.com:7777

HTTP

No

No

osb.example.com:443

WEBHOST1.example.com:7777
WEBHOST2.example.com:7777

HTTPS

No

Yes


6.1.4 Additional Instructions for admin.example.com

When you configure this virtual server on the hardware load balancer:

  • Enable address and port translation.

  • Enable reset of connections when services or hosts are down.

6.1.5 Additional Instructions for soa.example.com

When you configure this virtual server on the hardware load balancer:

  • Use port 80 and port 443. Any request that goes to port 80 (non-ssl protocol) should be redirected to port 443 (ssl protocol).

  • Specify ANY as the protocol (non-HTTP protocols are required for B2B).

  • Enable address and port translation.

  • Enable reset of connections when services and/or nodes are down.

  • Create rules to filter out access to /console and /em on this virtual server.

    These context strings direct requests to the Oracle WebLogic Server Administration Console and to the Oracle Enterprise Manager Fusion Middleware Control and should be used only when accessing the system from admin.example.com.

6.1.6 Additional Instructions for soainternal.example.com

When you configure this virtual server on the hardware load balancer:

  • Enable address and port translation.

  • Enable reset of connections when services or nodes are down.

  • As with the soa.example.com, create rules to filter out access to /console and /em on this virtual server.

6.1.7 Additional Instructions for osb.example.com

When you configure this virtual server on the hardware load balancer:

  • Use port 80 and port 443. Any request that goes to port 80 (non-ssl protocol) should be redirected to port 443 (ssl protocol).

  • Specify ANY as the protocol (non-HTTP protocols are required for B2B).

  • Enable address and port translation.

  • Enable reset of connections when services and/or nodes are down.

  • Create rules to filter out access to /console and /em on this virtual server.

    These context strings direct requests to the Oracle WebLogic Server Administration Console and to the Oracle Enterprise Manager Fusion Middleware Control and should be used only when accessing the system from admin.example.com.

6.2 Configuring the Firewalls and Ports for an Enterprise Deployment

Many Oracle Fusion Middleware components and services use ports. As an administrator, you must know the port numbers used by these services and ensure that the same port number is not used by two services on a host.

Most port numbers are assigned during installation.

Table 6-2 lists the ports used in the SOA topology, including the ports that you must open on the firewalls in the topology.

Note:

The TCP/IP port for B2B is a user-configured port and is not predefined. Similarly, the firewall ports depend on the definition of TCP/IP ports.

Firewall notation:

  • FW0 refers to the outermost firewall.

  • FW1 refers to the firewall between the web tier and the application tier.

  • FW2 refers to the firewall between the application tier and the data tier.

Table 6-2 Port Information Required When Configuring the Firewalls in an Enterprise Deployment

Type Firewall Port and Port Range Protocol / Application Inbound / Outbound Other Considerations and Timeout Guidelines

Browser request

FW0

80

HTTP / Load Balancer

Inbound

Timeout depends on all HTML content and the type of process model used for SOA.

Browser request

FW0

443

HTTPS / Load Balancer

Inbound

Timeout depends on all HTML content and the type of process model used for SOA.

Browser request

FW1

80

HTTPS / Load Balancer

Outbound (for intranet clients)

Timeout depends on all HTML content and the type of process model used for SOA.

Browser request

FW1

443

HTTPS / Load Balancer

Outbound (for intranet clients)

Timeout depends on all HTML content and the type of process model used for SOA.

Callbacks and Outbound invocations

FW1

80

HTTPS / Load Balancer

Outbound

Timeout depends on all HTML content and the type of process model used for SOA.

Callbacks and Outbound invocations

FW1

443

HTTPS / Load Balancer

Outbound

Timeout depends on all HTML content and the type of process model used for SOA.

Load balancer to Oracle HTTP Server

n/a

7777

HTTP

n/a

n/a

OHS registration with Administration Server

FW1

7001

HTTP/t3

Inbound

Set the timeout to a short period (5-10 seconds).

OHS management by Administration Server

FW1

OHS Admin Port (7779)

TCP and HTTP, respectively

Outbound

Set the timeout to a short period (5-10 seconds).

WSM-PM access

FW1

7010

Range: 7010 - 7999

HTTP / WLS_WSM-PMn

Inbound

Set the timeout to 60 seconds.

SOA Server access

FW1Foot 1 

8001

Range: 8000 - 8010

HTTP / WLS_SOAn

Inbound

Timeout varies based on the type of process model used for SOA.

Oracle Service Bus Access

FW1

8011

Range: 8011-8021

HTTP / WLS_OSBn

Inbound/
Outbound

Set the timeout to a short period (5-10 seconds).

BAM access

FW1

9001

Range: 9000 - 9080

HTTP / WLS_BAMn

Inbound

Connections to BAM WebApps are kept open until the report/browser is closed, so set the timeout as high as the longest expected user session.

Session replication within a WebLogic Server cluster

n/a

n/a

n/a

n/a

By default, this communication uses the same port as the server's listen address.

Administration Console access

FW1

7001

HTTP / Administration Server and Enterprise Manager

t3

Both

You should tune this timeout based on the type of access to the admin console (whether it is planned to use the Oracle WebLogic Server Administration Console from application tier clients or clients external to the application tier).

Node Manager

FW1

5556

TCP/IP

Both

n/a

Database access

FW2

1521

SQL*Net

Both

Timeout depends on database content and on the type of process model used for SOA.

Coherence for deployment

n/a

8088

Range: 8000 - 8090

 

n/a

n/a

Oracle Internet Directory access

FW2

389

LDAP or LDAP/ssl

Inbound

You should tune the directory server's parameters based on load balancer, and not the other way around.

Oracle Notification Server (ONS)

FW2

6200

ONS

Both

Required for Gridlink. An ONS server runs on each database server.


Footnote 1  External clients can access SOA servers directly on RMI or JMS (for example, for JDeveloper deployments and for JMX monitoring), in which case FW0 might need to be open or not depending on the security model that you implement.