WebMux Glossary and FAQ

WebMux Glossary and FAQ (Frequently Asked Questions) is for general reference only. Please refer to the WebMux Manual for additional setup details. If there are any questions or additional assistance required, contact us by phone, email at ‘techsupport@avanu.com’ or submit your request here.

Please back check frequently for updates and additions.  Thank you.

 

WEBMUX NETWORK TRAFFIC MANAGER – APPLIANCE

CPU
The WebMux appliance models are built with the best-in-class server-grade hardware with up to 18-core CPU processing power to provide outstanding, feature-rich performance for extensive cryptographic, compression, and network traffic management functionality.

Front Panel – Reset Button
WebMux network appliance models front panel Reset Button – This is the HARD RESET button to force restart the WebMux. When this button is pushed in, it will force a reboot of the WebMux. Only use this to reboot the WebMux if all other normal means to reboot the unit (through the LCD, web GUI, or CLI) does not work.

It will take about a minute for the WebMux to completely reboot and begin reporting activity in the LCD display. This will not reset your settings. It is for restarts only. To perform a factory reset refer to the WebMux Manual.

Front Panel – Failure Indicator
WebMux network appliance models front panel red LED Failure Indicator – The system monitors the CPU and will flash this indicator light if it should fail. If the system exceeds the CPU temperature limit, this indicator light will go on and the CPU will add idle cycles – lowering performance (and heat). This is only likely to occur in cases of CPU fan failure or a data center cooling failure to the WebMux. The failure indicator will also light up if any of the system fans cease to operate. You might also notice the speed of the remaining fans increase in speed. This is to compensate the loss of air flow to help prevent overheating. Please contact AVANU for repair service.

Front PanelBackup Indicator
WebMux network appliance models front panel green LED Backup Indicator – This indicates link connectivity/activity on the Backup network interface when two WebMux units are configured for backup/standby High Availability. If the Backup indicator does not light up when the two WebMux units are connected to each other, the Ethernet cable might be defective.

Front Panel – LCD and Key Pad
The WebMux network appliances models have a front panel LCD (Liquid crystal display) and key pad that can be used for a fast & easy setup to quickly deploy the WebMux on the network.

Front Panel – Management LAN Indicator
WebMux network appliance models front panel Yellow/Gold Management LAN Indicator – Under normal operations this indicates activity on the Management LAN interface. Even if the system is not running, there is still standby power. If there is an active Ethernet connection in this port and the system is not running, it is useful both as a front panel indication that there is standby power to the system and that there is a connection link on the Management LAN interface (indicating that the switch at the remote end of the cable is up too).

Front panel – Power Switch
WebMux network appliance models front panel Power Switch – This switch toggles power on and off. To power off, the switch must be pressed and held for 5 seconds. However, it is recommended that you do not regularly use this power switch to shut down the unit. It is highly recommended to use the LCD panel, web interface, or command line interface to issue a proper shut down.

Ports – IPMI
The IPMI port is available on some appliance models and is for connecting to a management network for access to IPMI services on the WebMux. This allows you to remotely control power on/off (including soft and hard resets), monitor temperature, and even access a remote console.

Ports – USB
The USB port may be used for firmware updates and to collect log data when network options for those functions are not available. This is a future option that is currently in development.

Ports – RS-232
The RS-232 port is available for serial console connections as well as for modem-dependent services, such as paging—where Internet-based services may be limited for security purposes. To connect to this port using a serial communications terminal, set the communications software for 115200 baud, 8 bit, Parity none, 1 stop bit.

Ports – Management
The MGMT port is a Gigabit Ethernet LAN connection that enables management (GUI and command- line) to be limited to a separate port and network. By default, this interface will get its IP via DHCP. A static IP can be assigned through the LCD setup or from the CLI.

Ports – Backup
The BACKUP port is used in a High-Availability (HA) configuration to connect two (2) WebMux units together. The cable is auto-sensed where straight or crossover cables can be used. Link status LEDs will be lit when they are connected.

Ports – Network Traffic
The Network Traffic ports are the ports used for Internet-to-Server load balancing. The ports can be configured to all be on the same network (in Transparent, Single Network, and Direct Server Return modes) or on separate networks (NAT mode). In two port models, the “Internet” side port is on the left; the “Server” side port is on the right. For units with four physical ports, the “Internet” side are the two ports on the left; the “Servers” side are the two ports on the right. In the four port models, the two port pairs are configured as bonded/LACP ports that can be paired with a switch that is configured to aggregate the links and increase you bandwidth.

Power Supplies
All WebMux appliance models support hot-swap power supplies. If a power supply fails, it is easily replaced without affecting the WebMux operations. WebMux hot-swappable universal power supplies supports 90-264V input. Devices with redundant power supplies should have the power cords plugged in to separate circuits so WebMux does not fail due to one failed circuit. Properly ground the WebMux at the grounding terminal.

 

GENERAL OPERATION

Application and Services Setup/Configuration Wizards
The configuration wizards are intended to be a first time and one time use feature. These wizards will set all the main settings for the WebMux (IP addresses, dispatch method, farm and servers, etc.) all in one shot. Running a configuration wizard will always overwrite any existing WebMux configuration. Current wizards for popular applications and services include HTTP Servers, HTTPS Servers, HTTP/HTTPS Servers, Microsoft Exchange® 2010, Microsoft Exchange® 2013, Terminal Services, SharePoint®, Lync, Skype® for Business, RedHat JBoss®, Eclipse Jetty®, LiteScape®, Pexip®, Apache Tomcat®, Oracle WebLogic®, IBM WebSphere®.

GUI
Graphical User Interface – WebMux is designed to easy to configure, deploy, and manage with the use of an intuitive secured web-based GUI

Front Panel LCD (Setup/Configuration)
Pressing and holding down the check mark button on the LCD panel for 5 seconds will enter the setup/configuration mode to configure the basic network settings and deployment method. You can also find the proper power off and reboot screens in this mode.

Compression-Software
Reference “HTTP Compression”. WebMux can perform software based compression for HTTP load balancing services.

Health Checks (Applications and Services)
How does WebMux manage servers?
WebMux has a variety of health checks to adapt to loss of back-end servers. These include applications, services, protocol-level per server, and customized per server health checks. WebMux additionally supports custom health-check capabilities that can be integrated into other system and security management systems or simply rely on reading a custom status file on a server. WebMux supports a “Last Resort” server that is accessed when all load-balanced servers are out of service but the network and the WebMux are responding. This allows a special message to be relayed to the user that the services are down.

Enhanced Dual-boot
WebMux firmware version 11 introduces the Enhanced Dual-Boot Feature. This feature is a WebMux system safeguard that keeps a backup system image available for use. When a firmware update is performed, the old firmware and settings are saved as a backup. Generally, reverting back to the previous firmware version would not be necessary. However, should the need arise, the Enhanced Dual-Boot Feature provides a mechanism for our customers to quickly revert back to the previous firmware version without needing to re-flash the firmware.

If a failed firmware update attempt renders the WebMux unit unbootable. The Enhanced Dual-Boot Feature ensures that a bootable image is available for fast recovery. Unlike other WebMux features, this is one feature that we hope you would never need to use under normal circumstances.

Management Port
The WebMux management port is designed to allow you to secure management access to the WebMux GUI and command line interface on a separate network from the load balancing traffic of the WebMux. For best security DO NOT set a management port IP address that is on either from the WebMux “router LAN IP” nor “server LAN” subnets.

By default, the management port is set with the IP address of 192.168.10.21 with the netmask of 255.255.255.0.

You can connect to it by setting your client computer with an IP address in the 192.168.10.x network and connecting it to the management port of the WebMux. You can then access the WebMux GUI at http://192.168.10.21:24 or https://192.168.10.21:35. You can also access the WebMux CLI by telnet on port 87 or by ssh on port 77.

Management Console
How many browsers can simultaneously access the WebMux management console? The limit is 4.

SMTP
Simple Mail Transfer Protocol – WebMux uses any SMTP server for sending email notifications.

Web Cache
WebMux can store web documents (HTML pages and images) through its web cache feature reducing bandwidth usage, re-loading lag time, and server loads.

NETWORK

One-Armed Single Network
One-Armed Single Network is a special case of bridging in which the WebMux bridges internally on one interface (that can be bonded for higher capacity). The bridge loop issue is eliminated. Note that all traffic is “source NATted” (aka SNAT)–so the WebMux becomes the client and the server does not see the IP address of the client. A limitation of this configuration is that an additional IP address must be assigned to the WebMux for each 65,000 simultaneous connections–because of that SNAT configuration and client-server relationship.

One-Armed Direct Server Return (DSR)
One-Armed Direct Server Return (DSR) the highest-performance option in cases where it is supported, also known as “Direct Routing” or “Out-of-Path (OOP)” this makes the WebMux the traffic director for incoming traffic but return traffic can route back bypassing the WebMux (unless the WebMux does SSL termination). Note that this requires a simple configuration of a “loopback adapter” on the servers and there is no performance advantage if SSL or TLS termination is required as the WebMux becomes the endpoint for the SSL/TLS security relationship.

Two-Armed Network Address Translation (NAT)
Two-Armed NAT is the required configuration when you have two subnets. It is the common “Destination” NAT configuration in which the clients connect to an IP address on the WebMux and the WebMux proxies to the back-end servers. The servers “see” the IP address of the client, as if the WebMux was not there. This is the required configuration when there are two IP subnets (Internet-side and Internal).

Two-armed Transparent
Two-Armed Transparent makes the WebMux an inline bridge–seeing all of the traffic below the IP layer and able to manage traffic without IP address changes. Note that being a bridge, you must avoid bridge loops–having a circular path through inter-connected bridges. Also, being inline and 2-Arms, the load-balanced traffic flows through the WebMux.

Can I set up WebMux in NAT and DSR/OOP together?
Yes, WebMux can be configured together in NAT and direct server return (DSR)/Out-of-Path (OOP) mode.

strong>BAM
The Burst Activity Management is a WebMux function allowing the in rush of DNS requests to be distributed to different devices.

Bonding/Teaming Ports (802.3ad/LACP)
Port Bonding/Teaming (also known as Link Aggregation Group, LAG) allows you to combine two or more ports together to act as a single network interface with a combined bandwidth of all the ports in the LAG.

Content Encoding (HTTP Compression)
HTTP compression improves transfer speed and bandwidth utilization. If the client web browser sends out a MIME header that states that it accepts compressed data, the WebMux will compress HTTP data to the client browser. If the WebMux detects that the servers in the farm are already compressing the data, the WebMux will not perform compression. Instead, it will let the compressed data from the servers pass through without additional processing. When enabled the MIME header “X-WebMux-Compression: true” will be appended to the server response MIME header.

High Availability – Failover Configuration
Two (2) WebMux units are required for high availability in a fail-over configuration. The primary WebMux unit is active and the second WebMux unit is passive. If the primary unit goes down, the second WebMux unit will take over within seconds.

Why didn’t the secondary WebMux take over when I powered down Primary WebMux?
Possible reasons: 1) The two WebMux units are not running on the same version of firmware, or 2) The secondary WebMux not only monitors the primary WebMux, but a few other things as well. Before it takes over, it makes sure it can reach to the router LAN gateway, as well as at least one server defined in any farm. If the secondary WebMux cannot reach to the front router LAN gateway, or if it cannot see any server in any farm, then it will consider that the primary was disconnected or powered down purposely by operator.

WebMux Appliance Power
All WebMux appliance models support dual hot-swap power supplies for high availability without affecting the WebMux operations. If the primary power supply fails, the second power supply takes over immediately (0 time).

HTTP Compression
HTTP compression improves transfer speed and bandwidth utilization. If the client web browser sends out a MIME header that states that it accepts compressed data, the WebMux will compress HTTP data to the client browser. If the WebMux detects that the servers in the farm are already compressing the data, the WebMux will not perform compression. Instead, it will let the compressed data from the servers pass through without additional processing. When enabled the MIME header “X-WebMux-Compression: true” will be appended to the server response MIME header.

Multiple Address and Port (MAP™)
The WebMux MAP feature binds multiple addresses and ports as a single service, thus one client will be sent to the same server across all those addresses and ports. This is useful for making audio/video calls, or in complex database configurations.

Multiple Gateway Network Failover
The WebMux can be configured with multiple default gateways allowing the WebMux to maintain Internet connection should one Internet gateway go down.

Multiple VLAN Trunking (IEEE 802.1Q)
The WebMux load balance ports can be configured to participate in 802.1q Tagged VLANs.

Reverse Proxy
A reverse proxy server retrieves resources on behalf of a client from one or more servers. WebMux performs the reverse proxy function for Microsoft Lync Server at the external edge where WebMux is always proxying as part of the load balancing operation.

To further explain the reverse proxy role. The One-Armed Single Network configuration would normally cause the incoming TCP “SYN” packet from a client to go to the WebMux farm/Virtual IP (VIP) address, then to a farm server on the back end.

The server, “seeing” the client IP address would reply directly to the client with the TCP “SYN-ACK” and the client would not process it because it would be a SYN-ACK coming from an address it didn’t send a SYN to directly—BUT part of the WebMux Single Network operation uses SNAT (Source NAT, translating the original source) so the WebMux does a TCP negotiation with the client, replying to the SYN itself, as a SYN-ACK from the farm IP address, and then simultaneously sending a SYN to the back-end/server resource (likely a FE—or another WebMux farm in front of the FE servers) to set up that TCP session. The WebMux acts as a proxy to the back-end, in effect standing in as the client, so it is proxying.

The same is true if you look at the 2-arm NAT mode of operation but the focus is the IP layer instead of TCP. The NAT operation is at the IP layer so the WebMux does not terminate a TCP handshake but passes IP-layer traffic doing the destination IP address translation for each packet. The TLS server “sees” the actual client IP address and replies to that address via the WebMux as its default gateway. The client “thinks” it is talking to the WebMux but the WebMux proxies the destination at the IP layer.
This is the basic explanation of reverse proxy. If you intend to use the WebMux in an Edge-External configuration, as a reverse proxy, then you can simply set up two farms on the external IP address, port 80 (translating to 8080 at the back end) and 443 (translating to 4443). So you set up farms for 80 and 443 and when you add the servers you configure them to be listening on 8080 and 4443, respectively.

Router
Is the Server LAN and the Router or Front LAN required to be on separate IP subnets?  It is required that the server LAN and the router LAN be separate IP subnets.

Servers and Server Farms
How many servers does WebMux support?WebMux theoretically supports up to 4,999 virtual or real servers

How does WebMux manage servers?
WebMux has a variety of health checks to adapt to loss of back-end servers. WebMux additionally supports custom health-check capabilities that can be integrated into other system and security management systems or simply rely on reading a custom status file on a server. WebMux supports a “Last Resort” server that is accessed when all load-balanced servers are out of service but the network and the WebMux are responding. This allows a special message to be relayed to the user that the services are down.

If I have multiple servers assigned as STANDBY, how does the WebMux choose which server to use if an ACTIVE server goes down?
The WebMux checks the standby servers in order and activates each one until their total weight meets or exceeds the server that is unavailable.

Will a server with weight 0 act as a STANDBY?
No. A weight of 0 indicates that the server will not accept any new connections. The state is considered neither ACTIVE nor STANDBY. This is to quiet the new connections for the server so that it can be taken out of service. Setting a server to STANBY will immediately disconnect current connections.

Is the Server LAN and the Router or Front LAN required to be on separate IP subnets?
It is required that the server LAN and the router LAN be separate IP subnets.

How come my servers in the farm are showing in red color from time to time, even though the servers are okay?
Your servers are trying to resolve the WebMux unit’s IP address to a name so it could log them into log file. This may delay the server’s ability to reply to the WebMux health check probes. To avoid this problem, set the servers not resolve the IP addresses. You can also try adding all the IP address to the /etc/hosts file on your servers. For example,www.mydomain.com 1.2.3.4 // use your real IP address Webmuxgw 192.168.199.1 // server lan gateway.

I have added a new farm/server, but the changes are not showing up on the STATUS screen.
The web browser cache may be the cause of this. If the new configuration does not appear after clicking on Reload or Refresh, then clear the cache or temporary files on the browser.

Can I use the WebMux as a proxy server for other hosts in my internal network?
Yes. The function that allows the web servers to talk to services such as the credit card validation allows the WebMux to function as a proxy server for any host in the internal network. The WebMux will translate all internal addresses to the IP address of the “first farm” defined. This is the farm that is created when answering the question: WebMux Router LAN IP address:. Configuring other computers using the WebMux unit’s proxy function is easy—just point the gateway IP address to the WebMux backend IP address.

VIP Farm
VIP is a virtual IP address.
Can a single VIP cover multiple services? A VIP (farm) is defined as an IP address and port number combined so that it can only serve one service. Most service runs on its own port number. A single IP address can cover multiple VIP (farm).

VLAN
Virtual LAN.
Why can’t VLAN IP address be used as farm IP in Direct Server Return WebMux?
WebMux uses VLAN IP to forward the packets to the servers in Direct Server Return mode. If that VLAN IP address is also the farm address, then the loopback adapter on the server will have the same IP address. During a health check from WebMux, a server will not be able to send the reply back to WebMux, since the server finds the same IP on itself.

X-Forwarded-For (XFF)
XFF is a HTTP header field that identifies the originating IP address of a client when they connect to a web server.
AVANU WebMux inserts the X-Forwarded-For header by default in One-Armed Single Network Mode and is available as a farm option in Two-Armed NAT, Two-Armed Transparent, and One-Armed Direct Server Return Modes.

 

LOAD BALANCING – SCHEDULING ALGORITHMS

HTTP to HTTPS Redirect

HTTP to HTTPS Redirect
This option can be configured on the WebMux so that the HTTP to HTTPS redirect is done on the WebMux, prior to reaching the server. That way, you only need the WebMux farm as the single point to do the redirect, instead of putting a redirect rule in all your servers. HTTP to HTTPS redirect on the WebMux requires two farm configurations. The first farm will listen on the HTTP port and will redirect the connection to a second farm that uses the same farm IP, but is listening on the HTTPS port. The HTTPS farm will contain the real servers.

Least Connection
Load balancing is determined by the number of active connections to each server and servers with the fewest connections are allocated more transactions in turn until their connection volume is level with the other servers in the farm.

Least Connection-Persistent
Load balancing is determined by the number of active connections to each server and servers with the fewest connections are allocated more transactions in turn until their connection volume is level with the other servers in the farm with persistent connections enforced.

Persistent
Persistent scheduling methods mean that the WebMux will send a returning client that has previously connected to the farm to the same server that it initially was sent to.  The WebMux keeps track of the client IP for a certain amount of time (the persistance timeout setting in the network management page sets this, default of 10 minutes).  If the same client IP returns to the farm within that given time period, it will be sent to the same server that it initially connected to.  Otherwise if it is a client of a different IP or a returning client after the timeout period has expired, the selected scheduling method algorithm will determine which server in the farm it will be sent to.

Non-persistent scheduling methods are distributed solely by the selected scheduling method algorithm.

Non-persistent scheduling methods are good for server farms that are not session dependent or have their own central way to track and share sessions among each other.  If the servers already have a way to track and share sessions, then it will not matter if a client gets sent to another server in the farm…their session is able to continue.

Persistent scheduling methods are good for server farms are require sessions, but have no way of sharing session information among each other.  In this case, a returning client will always be sent to the same server so that their session will not be broken.

Round Robin
Transactions are allocated one-by-one to each server in turn.

Round Robin Persistent
Transactions are allocated one-by-one with persistence enforced to each server in turn.

Weighted Fastest Response
Servers with the fastest response times are allocated more transactions with weight imposed.

Weighted Fastest Response—Persistent
Servers with the fastest response times are allocated more transactions with weight imposed and persistence enforced.

Weighted Least Connection
Load balancing is determined by the number of active connections to each server and servers with the fewest connections are allocated more transactions in turn with weight imposed until their connection volume is level with the other servers in the farm.

Weighted Least Connections—Persistent
Load balancing is determined by the number of active connections to each server and servers with the fewest connections are allocated more transactions in turn with weight imposed and persistence enforced until their connection volume is level with the other servers in the farm.

Weighted Round Robin
Permits a weighting value to be assigned to each server that reflects the server’s inherent power and capacity. Servers with higher weights means they are more powerful, and are therefore allocated more transactions.

Weighted Round Robin—Persistent
Permits a weighting value to be assigned to each server that reflects the server’s inherent power and capacity. Servers with higher weights means they are more powerful, and are therefore allocated more transactions with persistence enforced.

IP Persistence
With IP Persistence, the load balancing scheduling method is overridden if a client returning from the same source IP reconnects back to the farm before the persistence timeout expires. In this case, instead of being redirected to a server according the scheduling method, the client is sent back to the server that it made its original connection to.

Layer 7 Persistence
Layer 7 persistence, like IP persistence, sends clients to the same server it previously connected to. But, instead of using the source IP to determine the returning clients, a layer 7 application level cookie is used to identify whether or not the incoming client is a new connection or a returning connection.

INTERNET PROTOCOL (IP)

ASP
ASP stands for Active Server Pages. It is the server-side scripting engine for Microsoft’s IIS Web Server for dynamically generated web pages.

Basic Layer 2 Protocols (ie. STP, MSTP, RSTP….)
Layer 2 protocols are the link level proto

DNS
The Domain Name Server (DNS) is a directory server that resolves domain names to their corresponding IP address.

FTP
File Transfer Protocol
If I’m running a UNIX®-based FTP, such as wuftp, how can I get the ftp server in the farm to resolve the WebMux IP addresses?
The IP addresses typically will not be able to be resolved since the servers in the farm are typically using non-routable or private network addresses. In order for wuftp to resolve the IP addresses and stop complaining, place the non-routable IP address entries in the /etc/hosts file on those servers.

HTTP
Hypertext Transfer Protocol is the application level protocol of the World Wide Web.

HTTPS (SSL/TLS; SNI-Server Name Indication
WebMux (v12 +) supports and does health checks using the Server Name Indication (SNI) TLS extension.

To ease the administration of SSL/TLS certificates, SNI is almost universally used at the present time. This extension to SSL/TLS allows specifying explicitly the domain name for which a SSL/TLS connection is requested. Thus the same server can have several separate certificates, each for a different virtual host.  These certificates may have different expiration dates and be obtained from different certificate authorities. Thus if a new virtual host is added, it is not necessary to worry about any of the certificates for the existing hosts; it is only necessary to get a new certificate for the new virtual host.

IMAP
Internet Message Access Protocol is an Internet standard protocol for e-mail clients to retrieve messages from an e-mail server.

IPv4/IPv6
IPv4 is a 32-bit binary addressing system used to identify devices on a network. IPv4 addresses can be written in decimal form as four numbers (ranging from 0-255) separated by periods. IPv6 is a new 128-bit Internet addressing system written in hexadecimal and separated by colons. IPv6 is designed to be able to coexist with IPv4 as the transition from the use of IPv4 to IPv6 progresses.

LDAP
The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

NNTP
The Network News Transfer Protocol is an application protocol used for transporting Usenet news articles between news servers and for reading and posting articles by end user client applications.

POP3
Post Office Protocol version 3 is a protocol for receiving email by downloading all your messages to your computer from a mailbox on the server of an Internet service provider, unlike IMAP which only retrieves messages as needed.

Radius
Remote Authentication Dial-In User Service is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force standards.

RDP (Terminal Services)
Remote Desktop Protocol is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection.

SMTP
Simple Mail Transfer Protocol is an Internet standard for electronic mail (email) transmission.

SNMP
Simple Network Management Protocol is an Internet-standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.

SSH
Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users.

Streaming Media
Streaming media is video or audio content sent in compressed form over the Internet and played immediately, rather than being saved to the hard drive. With streaming media, a user does not have to wait to download a file to play it. Because the media is sent in a continuous stream of data it can play as it arrives.

TCP/UDP Applications and Services
Transmission Control Protocol and User Datagram Protocol.
What can I do if the service that I want to load balance is not in the list?
The WebMux already supports many different services. If your service is not in the list, you could use generic TCP and/or UDP to set your farm. If this is not ideal, you may contact us for developing a special service aware module for you for a modest fee in most cases.

TFTP
Trivial File Transfer Protocol is an Internet software utility for transferring files that is simpler to use than the File Transfer Protocol (FTP) but less capable. It is used where user authentication and directory visibility are not required.

SECURITY AND SSL

Access Control List System
An access control list provides rules that are applied to port numbers or IP addresses that are available on a host or other layer 3, each with a list of hosts and/or networks permitted to use the service.

Authentication – TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services.

Automatic Attack Detection (AAD)
The AAD (Automatic Attack Detection) feature deals with controlling the number of concurrent open TCP connections that come from the same IP. Depending on situation, it may be perfectly normal to get 50 concurrent connections coming from the same client. In some other situations, seeing more than 5 concurrent connections might be unusual. It may require some other means of network analysis (outside of the WebMux) to help you determine what the normal activity it for your environment. Or you can refer to you server’s actual resource limits and set AAD TCP connection threshold to a value under the servers real limits for concurrent connections as a safeguard against server overload. AAD helps safeguard for situations where an attacker from a single IP can open so many TCP connections and leave them open that the farm can no longer accept any new connections.

What is the difference between AAD and the Flood Control feature?
It is still possible for an attacker, using a few concurrent TCP connections that are below the AAD TCP connection limit, to generate such a tremendous amount of packets that servers run out of resource to process them and severely disrupt service. That is where the Flood Control feature comes in. Flood Control deals with limiting the allowable packet rate from a single IP. The “Packet Rate” setting can also be understood as a limit on the allowable average number of packets per second and “Packet Threshold” can be understood as the limit on the number of instantaneous packets. Again, it may require network analysis outside of the WebMux to determine what your normal network activity is like in order to get the values that are appropriate for your environment. For example, if you know how many packets per second and packet bursts your servers are able to handle, you can set the Flood Control limits somewhere below those values in order to safeguard against server overload.

Credit Card Validation
Will my web server be able to communicate to a credit card validation service, like CyberCash?
Yes. For any communication initiated from the internal or private network, the WebMux will substitute the IP address of its router LAN interface for the IP address of the host initiating the conversation. For any service that requires a specific IP address to allow communication into their network, the IP address of the router LAN interface must be the one provided. We have had CyberCash engineers work with us to test this.

DoS/DDos Protection (Flood Control™ UDP/TCP level)
WebMux’s Flood Control feature can limit or stop unwanted Internet Protocol (IP) network traffic, including protocols that rely on IP such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), among others.

Denial of Service (DOS, DoS) Attacks, or Distributed Denial of Service (DDOS, DDoS) Attacks, are one example of unwanted traffic. These attacks, which may be sent from unsuspecting proxy computers, try to establish large numbers of network connections to prevent legitimate traffic from getting through to the intended system, the target of the attack. Flood Control lets the user set the rules, or parameters, that permit normal traffic while blocking traffic outside the definition of normal.

How is AVANU’s WebMux Flood Control different from a Firewall?

ECSSA
The Elliptic Curve Digital Signature Algorithm is supported with the WebMux A500X/A500XD models.

FIPS 140-2
Federal Information Processing Standard (FIPS) Publication 140-2. WebMux is FIPS140-2 compliant.

Firewall
Do I need to have a firewall in front of the WebMux?
In most cases, no. In NAT mode, the WebMux blocks all the incoming traffic from router LAN to your internal network. Unless there is a farm defined for a port number, the outside traffic will not be able to reach to any server or computers behind the WebMux. The WebMux does not have the management functionality for restricting which IP address or services an internal host can reach to the outside. If such restriction is desirable, then additional firewall is needed. A firewall is recommended if running the WebMux in Transparent Mode or Direct Server Return.

Heartbleed Bug
On April 7, 2014, the Heartbleed bug made industry news, as it causes a serious vulnerability to the OpenSSL cryptographic software library.

WebMux is vulnerable to the Heartbleed bug only if both SSL termination is enable (with PKI keys on the WebMux) and the webMux firmware is version 9.2.00 or newer

NOTE: If you permit access to the WebMux on port 35 (the default HTTPS administration port), this port will be vulnerable if you are running version 9.2 or newer. We recommend that you do not allow inbound access to port 35 unless it is from a trusted IP address.
The WebMux firmware patch tackles the latest OpenSSL vulnerability (CERT Vulnerability Note VU #720951). This vulnerability is a bug in the code of the “Heartbeat Extension” (RFC 6520) for transport layer security (TLS). It allows an attacker to repeatedly retrieve 64kB chunks of data, like:
• Primary key material – secret keys
• Secondary key material – user names and passwords used by the vulnerable services
• Protected content – sensitive data used by the vulnerable services
• Collateral – memory addresses and content that can be leveraged to bypass exploit mitigations

IP Address Filtering
IP filtering is simply a mechanism that decides which types of IP datagrams will be processed normally and which will be discarded.

SSL Acceleration
SSL acceleration (TLS acceleration) is a method of offloading processor-intensive public-key encryption and decryption for Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), to a hardware accelerator.

SSL Certificates (Third Party Support)
SSL certificates signed by any third party Certificate Authority can be used on the WebMux as long as you have the corresponding private key as well.

SSL Certificate Signing Request (CSR)
The SSL Certificate Signing Request is an encoded block of text that is sent to the Certificate Authority to be digitally verified and signed. A signed certificate will allow the web browser to display an indication that the certificate being used on the site has been validated by a trusted Certificate Authority.

SSL Termination/Offloading
SSL termination is supported on all WebMux units – WebMux’ SSL termination rating is based on actual SSL transactions per second.

SSL Encryption Strength (bits) 1024, 2048, 4096, 8192
The certificate encryption strength is a measure of number of bits in the key used to encrypt data during an SSL session. The bigger the number, the longer it takes for computer(s) to decrypt enciphered data.

Web Application Firewall (WAF)