10.3.2. Firewall / load balancer configuration example for publishing a web site (one-arm)

Operation confirmed versions:
 Brocade 5600vRouter Version 4.2R1S1
 Citrix NetScaler VPX Version 11.0 Build 67.12 Standard Edition
To publish the web servers to the Internet, the firewall (FW) and load balancer (LB) are configured according to the following policy.

Firewall

  • The two firewalls are made redundant with VRRP. VRRP is configured on every segment.

  • The FW rule set denies everything from the external segment by default and permits only HTTP/HTTPS to the published address. Traffic from the trusted segments is permitted without restriction.

  • Clients on the external segment access the firewall's global (public) VRRP address, not the IP of the LB's virtual server; destination NAT on the firewall rewrites the destination to the virtual server address.

Load Balancer

  • The two load balancers are made redundant with VRRP, configured on the segment facing the firewall.

  • Virtual servers are created for HTTP and HTTPS and distribute requests to two web servers in round robin. The HTTPS virtual server performs SSL offloading, so the leg from the LB to the web servers is plain HTTP.

  • The ECL 2.0 load balancer (NetScaler VPX) accepts only one VRRP setting (a pair of virtual IP address and VRRP group ID) per interface, so multiple VRRP groups cannot be registered. As a workaround, additional virtual IPs can be made redundant by placing them in a segment different from the one holding the VRRP-registered virtual IP and using them as the load-balanced (virtual server) addresses. This configuration uses that method: the VRRP virtual IP is 192.168.20.251 on the firewall-facing segment, while the virtual servers live in 192.168.200.0/24 and are reached through a static route on the firewall.

Image of setting concept

function_b_0

System diagram

function_b_1

Note

  • "Windows Server 2012 R2" is used as the client OS.

  • "CentOS 7.1.1503" is used as the web server OS.

  • "Apache 2.2.32" is used as the web server software.

Configuration of Firewall

Firewall Interface setting

The interface settings are shown here only so that the configuration can be read in full; in practice they must be set from the customer portal.
If the interface commands below are entered on the CLI, an error is returned.

Note

  • Interface settings can not be set except by customer portal.

  • FW-01
set interfaces dataplane dp0s4 address '1.X.X.253/24'
set interfaces dataplane dp0s5 address '192.168.100.253/24'
set interfaces dataplane dp0s6 address '192.168.20.253/24'
  • FW-02
set interfaces dataplane dp0s4 address '1.X.X.252/24'
set interfaces dataplane dp0s5 address '192.168.100.252/24'
set interfaces dataplane dp0s6 address '192.168.20.252/24'

VRRP Setting

Before configuring VRRP, VRRP communication must be permitted from the customer portal.
(See "VRRP communication setting registration" and register the VRRP communication settings.)
  • FW-01
dp0s4
set interfaces dataplane dp0s4 vrrp vrrp-group 11 advertise-interval '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 preempt 'true'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 priority '150'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 'rfc-compatibility'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 sync-group 'test-b'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 virtual-address '1.X.X.254'
dp0s5
set interfaces dataplane dp0s5 vrrp vrrp-group 21 advertise-interval '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 preempt 'true'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 priority '150'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 'rfc-compatibility'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 sync-group 'test-b'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 virtual-address '192.168.100.254'
dp0s6
set interfaces dataplane dp0s6 vrrp vrrp-group 31 advertise-interval '20'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 preempt 'true'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 priority '150'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 'rfc-compatibility'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 sync-group 'test-b'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 virtual-address '192.168.20.254'
  • FW-02
dp0s4
set interfaces dataplane dp0s4 vrrp vrrp-group 11 advertise-interval '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 preempt 'true'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 priority '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 'rfc-compatibility'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 sync-group 'test-b'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 virtual-address '1.X.X.254'
dp0s5
set interfaces dataplane dp0s5 vrrp vrrp-group 21 advertise-interval '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 preempt 'true'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 priority '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 'rfc-compatibility'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 sync-group 'test-b'
set interfaces dataplane dp0s5 vrrp vrrp-group 21 virtual-address '192.168.100.254'
dp0s6
set interfaces dataplane dp0s6 vrrp vrrp-group 31 advertise-interval '20'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 preempt 'true'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 priority '20'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 'rfc-compatibility'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 sync-group 'test-b'
set interfaces dataplane dp0s6 vrrp vrrp-group 31 virtual-address '192.168.20.254'

Note

  • Asymmetric traffic is not supported in this configuration. When VRRP runs on multiple interfaces, put all groups in one sync-group so that they fail over together; otherwise one interface can be MASTER on FW-01 while another is MASTER on FW-02, and return traffic takes a different path from the forward traffic.

  • A VRRP advertise interval of 20 seconds or longer is recommended, because VRRP traffic on the platform side was occasionally unstable with the initial setting (as of December 2016). Design the value to suit your own system (as of August 2017). A failure is detected when three consecutive advertisements are not received, so with a 20-second interval a failover takes roughly a minute to start. If you change the interval, change it on the Backup firewall first. If it is changed on the Master first, the advertisement interval seen by the Backup no longer matches, the Backup promotes itself to Master as well, and both devices can end up as Master (split brain).

Resource group setting

Create a port group holding the ports that the FW rules allow.
  • FW-01/02 Common

set resources group port-group HTTP-HTTPS port '80'
set resources group port-group HTTP-HTTPS port '443'

FW rule settings

Enable the stateful firewall (connection tracking for ICMP, TCP and UDP) globally.
  • FW-01/02 Common

set security firewall global-state-policy 'icmp'
set security firewall global-state-policy 'tcp'
set security firewall global-state-policy 'udp'
Create the rule set that controls traffic arriving from the external segment:
- deny everything by default
- permit traffic from the peer firewall (FW-02 on FW-01, FW-01 on FW-02) so that VRRP and other inter-firewall traffic passes
- permit only HTTP (80) and HTTPS (443) to the VRRP virtual address 1.X.X.254
Note that rule 1 matches on source address only, so it also accepts any packet from the external segment that carries the peer's address as a spoofed source. If your environment allows it, narrow the rule to the VRRP protocol (IP protocol 112).
  • FW-01
set security firewall name Untrust-to-HTTP default-action 'drop'
set security firewall name Untrust-to-HTTP rule 1 action 'accept'
set security firewall name Untrust-to-HTTP rule 1 source address '1.X.X.252'
set security firewall name Untrust-to-HTTP rule 10 action 'accept'
set security firewall name Untrust-to-HTTP rule 10 destination address '1.X.X.254'
set security firewall name Untrust-to-HTTP rule 10 destination port 'HTTP-HTTPS'
set security firewall name Untrust-to-HTTP rule 10 protocol 'tcp'
set security firewall name all_accept default-action 'accept'
  • FW-02
set security firewall name Untrust-to-HTTP default-action 'drop'
set security firewall name Untrust-to-HTTP rule 1 action 'accept'
set security firewall name Untrust-to-HTTP rule 1 source address '1.X.X.253'
set security firewall name Untrust-to-HTTP rule 10 action 'accept'
set security firewall name Untrust-to-HTTP rule 10 destination address '1.X.X.254'
set security firewall name Untrust-to-HTTP rule 10 destination port 'HTTP-HTTPS'
set security firewall name Untrust-to-HTTP rule 10 protocol 'tcp'
set security firewall name all_accept default-action 'accept'
Apply the rule sets to the interfaces: Untrust-to-HTTP inbound on the external interface dp0s4, and all_accept outbound on the LB-side interface dp0s6.
  • FW-01/02 Common

set interfaces dataplane dp0s4 firewall in 'Untrust-to-HTTP'
set interfaces dataplane dp0s6 firewall out 'all_accept'
Configure destination NAT so that HTTP and HTTPS traffic from the external segment to the firewall's virtual address is redirected to the virtual server addresses on the load balancer (HTTP to 192.168.200.100, HTTPS to 192.168.200.200).
  • FW-01/02 Common

set service nat destination rule 10 destination address '1.X.X.254'
set service nat destination rule 10 destination port '80'
set service nat destination rule 10 inbound-interface 'dp0s4'
set service nat destination rule 10 protocol 'tcp'
set service nat destination rule 10 translation address '192.168.200.100'
set service nat destination rule 11 destination address '1.X.X.254'
set service nat destination rule 11 destination port '443'
set service nat destination rule 11 inbound-interface 'dp0s4'
set service nat destination rule 11 protocol 'tcp'
set service nat destination rule 11 translation address '192.168.200.200'
set service nat destination rule 11 translation port '443'
Add a static route to the virtual server segment 192.168.200.0/24 via the load balancer's VRRP virtual address 192.168.20.251, because that segment is not directly connected to the firewall.
set protocols static route 192.168.200.0/24 next-hop '192.168.20.251'
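The rule set and NAT rules above, evaluated offline in Python as an added example that is not part of the original page: a small model of the Untrust-to-HTTP rule set, the HTTP-HTTPS port group and the two destination NAT rules, applied to a few constructed packets (source 203.0.113.10 is a documentation address, not from the page). It assumes the processing order the page's configuration implies, firewall "in" before destination NAT, which is why rule 10 matches the public address 1.X.X.254 rather than the translated one; on a router that translates first, the rule would have to match the virtual server addresses instead. The last sample shows the consequence of rule 1 matching on source address only.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Port group from "set resources group port-group HTTP-HTTPS ..."
PORT_GROUPS = {"HTTP-HTTPS": {80, 443}}

# Rule set "Untrust-to-HTTP" as configured on FW-01. Rules are tried in
# ascending number; the first match decides, otherwise default-action applies.
UNTRUST_TO_HTTP = {
    "default-action": "drop",
    "rules": [
        (1, {"src": "1.X.X.252"}, "accept"),  # peer FW-02, any protocol/port
        (10, {"dst": "1.X.X.254", "proto": "tcp", "dport": "HTTP-HTTPS"}, "accept"),
    ],
}

# "set service nat destination rule ..." on FW-01/02. Rule 10 has no
# translation port, so the original destination port is kept.
DNAT_RULES = [
    (10, {"iface": "dp0s4", "dst": "1.X.X.254", "proto": "tcp", "dport": 80},
     {"address": "192.168.200.100", "port": None}),
    (11, {"iface": "dp0s4", "dst": "1.X.X.254", "proto": "tcp", "dport": 443},
     {"address": "192.168.200.200", "port": 443}),
]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on
    src: str
    dst: str
    proto: str
    dport: int


def matches(cond: dict, pkt: Packet) -> bool:
    """True if every field named in the rule condition equals the packet's field."""
    for key in ("iface", "src", "dst", "proto"):
        if key in cond and getattr(pkt, key) != cond[key]:
            return False
    if "dport" in cond:
        want = cond["dport"]
        allowed = PORT_GROUPS[want] if isinstance(want, str) else {want}
        if pkt.dport not in allowed:
            return False
    return True


def firewall(ruleset: dict, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, rule number or None for default)."""
    for number, cond, action in ruleset["rules"]:
        if matches(cond, pkt):
            return action, number
    return ruleset["default-action"], None


def dnat(pkt: Packet) -> Tuple[Packet, Optional[int]]:
    """Apply the first matching destination NAT rule, if any."""
    for number, cond, trans in DNAT_RULES:
        if matches(cond, pkt):
            new_port = trans["port"] if trans["port"] is not None else pkt.dport
            return replace(pkt, dst=trans["address"], dport=new_port), number
    return pkt, None


def inbound(pkt: Packet) -> Tuple[str, Optional[int], Optional[Packet]]:
    """Process a packet arriving on dp0s4: firewall 'in' first (the page's rule 10
    matches the pre-NAT public address), then DNAT. Returns (verdict, rule,
    packet as forwarded); the packet is None when dropped."""
    verdict, rule = firewall(UNTRUST_TO_HTTP, pkt)
    if verdict != "accept":
        return verdict, rule, None
    translated, _ = dnat(pkt)
    return verdict, rule, translated


if __name__ == "__main__":
    # Constructed samples; 203.0.113.10 is a documentation address.
    samples = [
        Packet("dp0s4", "203.0.113.10", "1.X.X.254", "tcp", 80),   # public HTTP
        Packet("dp0s4", "203.0.113.10", "1.X.X.254", "tcp", 443),  # public HTTPS
        Packet("dp0s4", "203.0.113.10", "1.X.X.254", "tcp", 22),   # SSH: must drop
        Packet("dp0s4", "203.0.113.10", "1.X.X.253", "tcp", 80),   # physical address: drop
        Packet("dp0s4", "1.X.X.252", "1.X.X.254", "tcp", 22),      # spoofed peer source
    ]
    for p in samples:
        verdict, rule, out = inbound(p)
        dest = f"{out.dst}:{out.dport}" if out else "-"
        print(f"{p.src:>14} -> {p.dst}:{p.dport:<4} {verdict:6} rule {rule} forwarded to {dest}")
```

The fourth sample matters in practice: only the VRRP virtual address is published, so HTTP to the physical interface address 1.X.X.253 is dropped even though the port is allowed. The fifth sample is accepted by rule 1 with no translation, so it reaches the firewall itself on port 22; that is the exposure the note about rule 1 refers to.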

Confirmation of setting contents

If the settings above were entered correctly, the show commands produce the following output.
  • FW-01
user-admin@FW-01# show interfaces
interfaces {
       dataplane dp0s4 {
               address 1.X.X.253/24
               firewall {
                       in Untrust-to-HTTP
               }
               vrrp {
                       vrrp-group 11 {
                               advertise-interval 20
                               preempt true
                               priority 150
                               rfc-compatibility
                               sync-group test-b
                               virtual-address 1.X.X.254
                       }
               }
       }
       dataplane dp0s5 {
               address 192.168.100.253/24
               vrrp {
                       vrrp-group 21 {
                               advertise-interval 20
                               preempt true
                               priority 150
                               rfc-compatibility
                               sync-group test-b
                               virtual-address 192.168.100.254
                       }
               }
       }
       dataplane dp0s6 {
               address 192.168.20.253/24
               firewall {
                       out all_accept
               }
               vrrp {
                       vrrp-group 31 {
                               advertise-interval 20
                               preempt true
                               priority 150
                               rfc-compatibility
                               sync-group test-b
                               virtual-address 192.168.20.254
                       }
               }
       }
       loopback lo
}

user-admin@FW-01# show resources
resources {
       group {
               port-group HTTP-HTTPS {
                       port 80
                       port 443
               }
       }
}

user-admin@FW-01# show security firewall
firewall {
       global-state-policy {
               icmp
               tcp
               udp
       }
       name Untrust-to-HTTP {
               default-action drop
               rule 1 {
                       action accept
                       source {
                               address 1.X.X.252
                       }
               }
               rule 10 {
                       action accept
                       destination {
                               address 1.X.X.254
                               port HTTP-HTTPS
                       }
                       protocol tcp
               }
       }
       name all_accept {
               default-action accept
       }
}

user-admin@FW-01# show service nat destination
destination {
       rule 10 {
               destination {
                       address 1.X.X.254
                       port 80
               }
               inbound-interface dp0s4
               protocol tcp
               translation {
                       address 192.168.200.100
               }
       }
       rule 11 {
               destination {
                       address 1.X.X.254
                       port 443
               }
               inbound-interface dp0s4
               protocol tcp
               translation {
                       address 192.168.200.200
                       port 443
               }
       }
}

user-admin@FW-01# show protocols static
static {
       route 192.168.200.0/24 {
               next-hop 192.168.20.251
       }
}
  • FW-02
user-admin@FW-02# show interfaces
interfaces {
       dataplane dp0s4 {
               address 1.X.X.252/24
               firewall {
                       in Untrust-to-HTTP
               }
               vrrp {
                       vrrp-group 11 {
                               advertise-interval 20
                               preempt true
                               priority 20
                               rfc-compatibility
                               sync-group test-b
                               virtual-address 1.X.X.254
                       }
               }
       }
       dataplane dp0s5 {
               address 192.168.100.252/24
               vrrp {
                       vrrp-group 21 {
                               advertise-interval 20
                               preempt true
                               priority 20
                               rfc-compatibility
                               sync-group test-b
                               virtual-address 192.168.100.254
                       }
               }
       }
       dataplane dp0s6 {
               address 192.168.20.252/24
               firewall {
                       out all_accept
               }
               vrrp {
                       vrrp-group 31 {
                               advertise-interval 20
                               preempt true
                               priority 20
                               rfc-compatibility
                               sync-group test-b
                               virtual-address 192.168.20.254
                       }
               }
       }
       loopback lo
}

user-admin@FW-02# show resources
resources {
       group {
               port-group HTTP-HTTPS {
                       port 80
                       port 443
               }
       }
}

user-admin@FW-02# show security firewall
firewall {
       global-state-policy {
               icmp
               tcp
               udp
       }
       name Untrust-to-HTTP {
               default-action drop
               rule 1 {
                       action accept
                       source {
                               address 1.X.X.253
                       }
               }
               rule 10 {
                       action accept
                       destination {
                               address 1.X.X.254
                               port HTTP-HTTPS
                       }
                       protocol tcp
               }
       }
       name all_accept {
               default-action accept
       }
}

user-admin@FW-02# show service nat destination
destination {
       rule 10 {
               destination {
                       address 1.X.X.254
                       port 80
               }
               inbound-interface dp0s4
               protocol tcp
               translation {
                       address 192.168.200.100
               }
       }
       rule 11 {
               destination {
                       address 1.X.X.254
                       port 443
               }
               inbound-interface dp0s4
               protocol tcp
               translation {
                       address 192.168.200.200
                       port 443
               }
       }
}

user-admin@FW-02# show protocols static
static {
       route 192.168.200.0/24 {
               next-hop 192.168.20.251
       }
}

Load Balancer setting

Load balancer interface setting

The interface settings are shown here only so that the configuration can be read in full; in practice they must be set from the customer portal.

Note

  • Interface settings can not be set except by customer portal.

Setting item      LB01                  LB02
Interface 1/1     192.168.20.250/24     192.168.20.249/24

Configuration Check

Move to the menu "System" - "Network" - "IPs" and confirm the IP address setting.
  • LB01
Fig1101
  • LB02
Fig1102

VRRP settings(Interface 1/1)

The VRRP settings that make the load balancer pair a redundant gateway are described below.
Before configuring VRRP, VRRP communication must be permitted from the customer portal.
For details, please refer to VRRP redundancy setting.

Create the VMAC with the following parameters.

Setting item      LB01      LB02
VRID              40        40
Priority value    200       100
Preemption        Checked   Checked


Next, create the virtual IP and bind it to the VMAC created above.

Setting item        LB01                 LB02
Virtual IP          192.168.20.251/24    192.168.20.251/24
Netmask             255.255.255.0        255.255.255.0
IP type             Virtual IP           Virtual IP
Virtual router ID   40                   40
Traffic domain      10                   10

Configuration Check

Move to the menu "System"-"Network"-"IPs"-"IPV 4s" and check the VirtualIP setting.
  • LB01
Fig1105
  • LB02
Fig1106

Configuration Check

Move to the menu "System"-"Network"-"VMAC" and confirm the VRRP setting.
  • LB01
Fig1103
  • LB02
Fig1104

Routing settings

Set a default route for the networks that are not directly connected to the load balancer.
The next hop is the firewall's VRRP virtual address on the load balancer side (192.168.20.254).

Setting item       LB01              LB02
Destination        0.0.0.0           0.0.0.0
Subnet mask        0.0.0.0           0.0.0.0
Gateway address    192.168.20.254    192.168.20.254
Traffic domain     10                10

Note

  • The default gateway can only be set from the customer portal.

Configuration Check

Move to the menu "System"-"Network"-"Routes" and confirm the routing setting.
  • LB01 LB02 Common Configuration Items

Fig1105

Virtual Web Server Registration

Register the web servers that the load balancer distributes requests to.
The following parameters are configured (common to LB01 and LB02).

Setting item      Web-server-01        Web-server-02
Name              Web-server-01        Web-server-02
IP address        192.168.20.11/24     192.168.20.12/24
Traffic domain    10                   10

Configuration Check

Move to the menu "Traffic Management"-"Load Balancing"-"Servers" and check the virtual web server settings.
  • LB01 LB02 Common Configuration Items

Fig1106

Service group setting

Register a service group that bundles the two web servers as the distribution targets.
The following parameters are configured.

Setting item       LB01                              LB02
Service name       HTTP                              HTTP
Existing servers   Web-server-01 (192.168.20.11)     Web-server-01 (192.168.20.11)
                   Web-server-02 (192.168.20.12)     Web-server-02 (192.168.20.12)
Protocol           HTTP                              HTTP
Port               80                                80
Monitors           http                              http
Traffic domain     10                                10

Configuration Check

Move to the menu "Traffic Management"-"Load Balancing"-"Service Groups", double-click the registered service group shown in the right pane and confirm its settings.
  • LB01 LB02 Common Configuration Items

Fig1107
Service Group Members
Click A in the image above and check the web servers registered as distribution targets.
Fig1108
Monitors
Click B in the above image and confirm that Monitor is set.
Fig1109

Note

  • When requests are load balanced, the client's source IP address is replaced (SNAT) with the load balancer's own address, so the web servers see the load balancer as the client. This behaviour is enabled by default.

  • To pass the original client address to the web servers, enable the X-Forwarded-For (Client IP header insertion) function; it is disabled by default. Because a client can send an X-Forwarded-For header of its own, the web servers should trust the header only on connections that arrive from the load balancer's address.
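The trust rule from the note above, as an added example that is not part of the original page: a Python helper for the web-server side that takes the TCP peer address and the X-Forwarded-For value and returns the client address to log or authorize, plus a parser that applies it to Apache log lines. The set of trusted load balancer addresses (192.168.20.249 to .251) and the sample log lines are assumptions constructed for the example; the log format assumed is the combined format extended with "%{X-Forwarded-For}i" as the last field.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Addresses the load balancers may use as the SNAT source toward the web
# servers. On this page those are the LB interface addresses (192.168.20.250,
# 192.168.20.249) and the VRRP VIP 192.168.20.251; which one is actually used
# depends on the SNIP configuration, so this list is an assumption to verify.
TRUSTED_PROXIES = [ip_network(a) for a in
                   ("192.168.20.249/32", "192.168.20.250/32", "192.168.20.251/32")]


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Return the address a web server should log or authorize as the client.

    peer_addr is the TCP peer (Apache's %h / REMOTE_ADDR); xff is the value of
    X-Forwarded-For, None, or "-" when the log has no header. Only a connection
    from a trusted load balancer may override the peer address, and then only
    with the right-most entry that is not itself a trusted proxy: the load
    balancer appends the real client on the right, while anything the client
    put in its own header sits to the left of it.
    """
    peer = ip_address(peer_addr)
    if not _trusted(peer) or not xff or xff == "-":
        return str(peer)
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: do not guess, fall back to the peer
        if not _trusted(addr):
            return str(addr)
    return str(peer)  # the header held only proxy addresses


# Apache combined log with "%{X-Forwarded-For}i" appended as the last field.
LOG_ROW = re.compile(r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "(?P<xff>[^"]*)"$')

# Constructed sample lines (not from the page); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet clients.
SAMPLE_LOG = """\
192.168.20.250 - - [10/Aug/2017:10:00:01 +0900] "GET / HTTP/1.1" 200 612 "203.0.113.7"
192.168.20.250 - - [10/Aug/2017:10:00:02 +0900] "GET / HTTP/1.1" 200 612 "10.0.0.1, 203.0.113.7"
192.168.20.250 - - [10/Aug/2017:10:00:03 +0900] "GET / HTTP/1.1" 200 612 "-"
198.51.100.9 - - [10/Aug/2017:10:00:04 +0900] "GET / HTTP/1.1" 200 612 "203.0.113.7"
"""


def real_clients(log_text: str) -> List[str]:
    """Resolve the client address for every parsable line of the log."""
    out: List[str] = []
    for line in log_text.splitlines():
        m = LOG_ROW.match(line)
        if m:
            out.append(client_ip(m.group("peer"), m.group("xff")))
    return out


if __name__ == "__main__":
    for line, who in zip(SAMPLE_LOG.splitlines(), real_clients(SAMPLE_LOG)):
        print(f"{who:>15}  <- {line}")
```

The second sample line is the case that matters: the client sent "10.0.0.1" in its own header and the load balancer appended the real address, so walking from the right yields 203.0.113.7. The fourth line bypassed the load balancer entirely (for example a trusted-segment client), so its header is ignored and the peer address is used.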

Virtual Server setting

Configure the virtual servers that actually receive the traffic from outside.

Virtual Server setting for HTTP
Configure the virtual server that receives HTTP traffic from outside.
The following parameters are configured.

Setting item       LB01               LB02
Name               http-vserver       http-vserver
Protocol           HTTP               HTTP
IP address type    IP Address         IP Address
IP address         192.168.200.100    192.168.200.100
Port               80                 80
Traffic domain     10                 10

Configuration Check

Move to the menu "Traffic Management"-"Load Balancing"-"Virtual Servers", double-click the registered virtual server "http-vserver" shown in the right pane and confirm its settings.
  • LB01 LB02 Common Configuration Items

Fig1110
Load Balancing Virtual Server Service Group Binding
Click the binding shown in the image above and check that the service group is bound.
Fig1111

Virtual server setting for SSL offload
Configure the virtual server that terminates HTTPS from outside. Because SSL is offloaded on the load balancer, the traffic it forwards to the web servers is plain HTTP (the HTTP service group on port 80).
The following parameters are configured.

Setting item         LB01               LB02
Name                 ssl-vserver        ssl-vserver
Protocol             SSL                SSL
IP address type      IP Address         IP Address
IP address           192.168.200.200    192.168.200.200
Port                 443                443
Server certificate   ia-example.jp      ia-example.jp
CA certificate       example.jp         example.jp
Traffic domain       10                 10

Configuration Check

Move to the menu "Traffic Management"-"Load Balancing"-"Virtual Servers", double-click the registered virtual server "ssl-vserver" shown in the right pane and confirm its settings.
  • LB01 LB02 Common Configuration Items

Fig1112
Fig1113
Load Balancing Virtual Server Service Group Binding
Click A in the image above and confirm that the service group is specified.
SSL Virtual Server Service Certificate Binding
Click B in the above image and confirm that SSL server certificate is set up.
Fig1115
SSL Virtual Server CA Certificate Binding
Click C in the image above and confirm that the CA certificate is set.
Fig1116


Setting the server distribution method (round robin)

Set the load balancing method of both virtual servers so that client requests are distributed to the two web servers in round robin. The NetScaler default method is least connection, so round robin must be selected explicitly on each virtual server.

The load balancer setting is completed.

Flow of traffic

In normal operation traffic flows through FW-01 and LB-01.
Confirm that the web servers can be reached from both the external client and the trusted client.
function_b_2

Status check at normal state

The status of the firewall during normal communication can be confirmed as follows.
  • VRRP status

FW-01 must be Master.
user-admin@FW-01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             11     MASTER  dp0vrrp2   no     2d18h47m32s test-b
dp0s5             21     MASTER  dp0vrrp1   no     2d18h47m32s test-b
dp0s6             31     MASTER  dp0vrrp3   no     2d18h47m32s test-b
FW-02 must be Backup.
user-admin@FW-02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             11     BACKUP  dp0vrrp3   no     2d18h48m34s test-b
dp0s5             21     BACKUP  dp0vrrp2   no     2d18h48m34s test-b
dp0s6             31     BACKUP  dp0vrrp1   no     2d18h48m34s test-b
The status of the load balancer in normal state can be confirmed as follows.
  • VRRP status

Move to the menu "System"-"Network"-"VMAC" and confirm the VRRP setting.
LB-01 must be Master.
fun-b_lb01
LB-02 must be Backup.
fun-b_lb02
  • Virtual Server status

Move to the menu "Traffic Management"-"Load Balancing"-"Virtual Servers"-"Statistics" and check that both virtual servers are in UP state.
fun-b_lb03

Client Connection check

HTTP and HTTPS access from the external client.
  • HTTP / HTTPS access (each accessed twice) [OK]

The requests hit the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02 in turn.
fun-b_lb04
Client browser screen on external client (HTTP access)
fun-b_untrustnw_http_sv01_02en
Client browser screen on external client (HTTPS access)
fun-b_untrustnw_https_sv01_02en
HTTP and HTTPS access from the trusted client.
  • HTTP / HTTPS access (each accessed twice) [OK]

The requests hit the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02 in turn.
fun-b_lb04
Client browser screen on trusted client (HTTP access)
fun-b_trustnw_http_sv01_02en
Client browser screen on trusted client (HTTPS access)
fun-b_trustnw_https_sv01_02en
This completes the confirmation of normal operation.

Flow of communication when a firewall failure occurs

On failure, the path switches to FW-02.
B_3

Note

An instance failure is simulated by temporarily disabling VRRP on FW-01 with the commands below.
Restarting FW-01 would also reproduce the failure, but because VRRP MASTER returns to FW-01 as soon as it comes back up (preempt is enabled), that method is not suitable for observing the switched-over state for any length of time and was not used in this confirmation.

A vrrp-group is stopped and resumed with the following commands.
# Stop
 set interfaces dataplane [INTERFACE NAME] vrrp vrrp-group [GROUP ID] disable
# Resume
 delete interfaces dataplane [INTERFACE NAME] vrrp vrrp-group [GROUP ID] disable

Check Status When a Failure Occurs

The status of the firewall at the time of failure can be confirmed as follows.
  • VRRP status

FW-01 VRRP is stopped.
user-admin@FW-01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----

Note

  • No rows are displayed because VRRP on FW-01 is stopped.

FW-02 is Master.
user-admin@FW-02:~$ show vrrp
                                RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             11     MASTER  dp0vrrp3   no     3m0s        test-b
dp0s5             21     MASTER  dp0vrrp2   no     4m1s        test-b
dp0s6             31     MASTER  dp0vrrp1   no     3m57s       test-b
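The normal-state and failure-state "show vrrp" outputs above, cross-checked by an added Python script that is not part of the original page: it parses the tables of both firewalls, flags a group that has two MASTERs (the "both devices become Master" case the advertise-interval note warns about) or none, and flags a device whose sync-group members are not all in the same state, which is what produces the asymmetric path this configuration does not support. The page's outputs are embedded verbatim; the FW02_SPLIT table is constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One data row of 'show vrrp': interface, group, state, then the RFC interface,
# address-owner flag, last transition and (optionally) the sync-group name.
ROW = re.compile(r"^(?P<iface>\S+)\s+(?P<group>\d+)\s+(?P<state>MASTER|BACKUP|FAULT|INIT)\b(?P<rest>.*)$")

# (iface, state, sync_group) keyed by VRRP group id
Groups = Dict[int, Tuple[str, str, Optional[str]]]


def parse_show_vrrp(text: str) -> Groups:
    """Parse the table printed by 'show vrrp'. Header lines never match ROW, and
    output with no rows (VRRP disabled, as on FW-01 during the failure test)
    yields an empty dict rather than an error."""
    groups: Groups = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").split()
        sync = rest[3] if len(rest) >= 4 else None
        groups[int(m.group("group"))] = (m.group("iface"), m.group("state"), sync)
    return groups


def check_pair(outputs: Dict[str, Groups]) -> List[str]:
    """Cross-check the parsed outputs of both firewalls. An empty result means
    exactly one MASTER per group and every sync-group in one consistent state
    on each device."""
    findings: List[str] = []
    per_group: Dict[int, Dict[str, str]] = defaultdict(dict)
    for dev, groups in outputs.items():
        for gid, (_iface, state, _sync) in groups.items():
            per_group[gid][dev] = state
    for gid in sorted(per_group):
        masters = sorted(d for d, s in per_group[gid].items() if s == "MASTER")
        if len(masters) > 1:
            findings.append(f"group {gid}: split brain, MASTER on {' and '.join(masters)}")
        elif not masters:
            findings.append(f"group {gid}: no MASTER")
    for dev, groups in outputs.items():
        by_sync: Dict[str, set] = defaultdict(set)
        for _gid, (_iface, state, sync) in groups.items():
            if sync:
                by_sync[sync].add(state)
        for sync, states in by_sync.items():
            if len(states) > 1:
                findings.append(f"{dev}: sync-group {sync} mixes {'/'.join(sorted(states))} (asymmetric path)")
    return findings


HEADER = (
    "                                 RFC        Addr   Last        Sync\n"
    "Interface         Group  State   Compliant  Owner  Transition  Group\n"
    "---------         -----  -----   ---------  -----  ----------  -----\n"
)
# Outputs copied from the page.
FW01_NORMAL = HEADER + """\
dp0s4             11     MASTER  dp0vrrp2   no     2d18h47m32s test-b
dp0s5             21     MASTER  dp0vrrp1   no     2d18h47m32s test-b
dp0s6             31     MASTER  dp0vrrp3   no     2d18h47m32s test-b
"""
FW02_NORMAL = HEADER + """\
dp0s4             11     BACKUP  dp0vrrp3   no     2d18h48m34s test-b
dp0s5             21     BACKUP  dp0vrrp2   no     2d18h48m34s test-b
dp0s6             31     BACKUP  dp0vrrp1   no     2d18h48m34s test-b
"""
FW01_FAILED = HEADER  # VRRP disabled on FW-01: the table has no rows
FW02_FAILED = HEADER + """\
dp0s4             11     MASTER  dp0vrrp3   no     3m0s        test-b
dp0s5             21     MASTER  dp0vrrp2   no     4m1s        test-b
dp0s6             31     MASTER  dp0vrrp1   no     3m57s       test-b
"""
# Constructed (not from the page): FW-02 has become MASTER for group 11 while
# FW-01 still is, the "both devices Master" case the advertise-interval note warns about.
FW02_SPLIT = HEADER + """\
dp0s4             11     MASTER  dp0vrrp3   no     1m2s        test-b
dp0s5             21     BACKUP  dp0vrrp2   no     2d18h48m34s test-b
dp0s6             31     BACKUP  dp0vrrp1   no     2d18h48m34s test-b
"""


def normal_state() -> List[str]:
    return check_pair({"FW-01": parse_show_vrrp(FW01_NORMAL), "FW-02": parse_show_vrrp(FW02_NORMAL)})


def failed_state() -> List[str]:
    return check_pair({"FW-01": parse_show_vrrp(FW01_FAILED), "FW-02": parse_show_vrrp(FW02_FAILED)})


def split_brain_state() -> List[str]:
    return check_pair({"FW-01": parse_show_vrrp(FW01_NORMAL), "FW-02": parse_show_vrrp(FW02_SPLIT)})


if __name__ == "__main__":
    for name, fn in (("normal", normal_state), ("FW-01 failed", failed_state), ("split", split_brain_state)):
        print(f"{name}: {fn() or 'OK'}")
```

Paste the live outputs into the two strings (or read them from files) before and after each failover step; any finding is a reason to stop the test rather than proceed to the client checks.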

Note

  • The load balancer status is checked in the same way as in the normal state.

Client Connection check

It was confirmed that access works without problems while the firewall failure persists.
HTTP and HTTPS access from the external client.
  • HTTP / HTTPS access (each accessed twice) [OK]

The requests hit the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02 in turn.
fun-b_lb04
Client browser screen on external client (HTTP access)
fun-b_untrustnw_http_sv01_02en
Client browser screen on external client (HTTPS access)
fun-b_trustnw_https_sv01_02en
HTTP and HTTPS access from the trusted client.
  • HTTP / HTTPS access (each accessed twice) [OK]

The requests hit the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02 in turn.
fun-b_lb04
Client browser screen on trusted client (HTTP access)
fun-b_trustnw_http_sv01_02en
Client browser screen on trusted client (HTTPS access)
fun-b_trustnw_https_sv01_02en

This completes the confirmation at firewall failure.

Flow of traffic when a load balancer failure occurs

On failure, the path switches to LB-02.
function_b_4

Note

Unlike the firewall, the load balancer cannot disable VRRP manually (product specification). For this reason, an instance failure is reproduced here by changing the Priority value.
Other ways to force a VRRP switchover are:
  • Disable all virtual IPs and delete the VMAC configuration.

  • Restart the instance (with Preemption enabled, the roles revert according to Priority once it is back).

Deleting the VMAC and disabling all IP resources stops VRRP completely, so the takeover by the other unit is reliable.

Check Status When a Failure Occurs

The status of the LB at the time of failure can be confirmed as follows.
※To trigger the switchover, the Priority value of LB01 is lowered from 200 to 90. Because Preemption is enabled and LB02 has priority 100, LB02 takes over as Master.
  • VRRP status

Move to the menu "System"-"Network"-"VMAC" and confirm the VRRP setting.
LB-01 must be Backup.
fun-a_lb06
LB-02 must be Master.
fun-b_lb05
  • Virtual Server status

Move to the menu "Traffic Management"-"Load Balancing"-"Virtual Servers"-"Statistics" and check that both virtual servers are in UP state.
fun-b_lb03

Client Connection check

It was confirmed that access works without problems while the load balancer failure persists.
HTTP and HTTPS access from the external client.
  • HTTP / HTTPS access (each accessed twice) [OK]

The requests hit the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02 in turn.
fun-b_lb04
Client browser screen on external client (HTTP access)
fun-b_untrustnw_http_sv01_02en
Client browser screen on external client (HTTPS access)
fun-b_untrustnw_https_sv01_02en
HTTP and HTTPS access from the trusted client.
  • HTTP / HTTPS access (each accessed twice) [OK]

The requests hit the virtual servers "http-vserver" and "ssl-vserver" and are distributed to web-server 01 and 02 in turn.
fun-b_lb04
Client browser screen on trusted client (HTTP access)
fun-b_trustnw_http_sv01_02en
Client browser screen on trusted client (HTTPS access)
fun-b_trustnw_http_sv01_02en
This completes the confirmation of status at load balancer failure.