Health Checks for Access Gateway

External communication to Access Gateway is typically configured to use HTTPS. In an HTTPS configuration, an L4 switch performs health checks of Access Gateways with the published DNS name of Access Gateway plus the following path:

/nesp/app/heartbeat

L4 switches require you to use an IP address rather than the DNS name. If the IP address of Access Gateway is 10.10.16.172, and you have configured Access Gateway for HTTPS, the heartbeat has the following URL:

https://10.10.16.172:443/nesp/app/heartbeat

For an L4 switch to support an HTTPS query for the health of Access Gateway, the switch must support an L7 health check. For a Foundry switch, the L7 health check script string must look similar to the following when the hostname is ag1 and the IP address is 10.10.16.172.

healthck ag1ssl tcp
  dest-ip 10.10.16.172
  port ssl
  protocol ssl
  protocol ssl url "GET /nesp/app/heartbeat HTTP/1.1\r\nHost: st160.lab.tst"
  protocol ssl status-code 200

If your L4 switch does not support an SSL L7 health check, the HTTPS health check URL returns an error, usually a 404 error. To solve this problem, you can create a specialized reverse proxy that opens a non-SSL port for the heartbeat URL. The following instructions configure this reverse proxy to use port 81, because port 80 on the specified IP address is reserved for redirects to the SSL port.

To create a reverse proxy for the health check:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. To create an additional reverse proxy service (such as heartbeat), click New and specify a name.

  3. Change the Non-Secure Port to 81.

    Configure Access Gateway to listen on the same IP address as the service using port 443. For non-SSL, you must use port 81. Do not use port 80.

    For proper heartbeat information when there are multiple IP addresses configured in your Access Gateway, ensure that you configure the reverse proxy service created for the heartbeat URL to listen on the same IP address as the authenticating reverse proxy service.

  4. Click New to create the proxy service.

  5. Configure the following fields:

    Proxy Service Name: Specify a name that identifies the purpose of this proxy service.

    Published DNS Name: Specify a second DNS name that resolves to the VIP of Access Gateways on the L4 switch. For example, if the DNS name is jwilson.provo.novell.com for Access Gateways, you could use heartbeat.jwilson.provo.novell.com for the second name.

    Web Server IP Address: Specify the internal address: 127.0.0.1.

    Host Header: Select Forward Received Host Name. This field is not used.

  6. Click OK.

  7. On the Reverse Proxy page, click the new proxy service, then click Web Servers.

  8. Change the Connect Port value on the Web Servers page to 9009.

    The service provider (ESP) in Access Gateway that provides the heartbeat service listens on 127.0.0.1:9009.

  9. Click Protected Resources.

  10. Click New, then specify a name.

  11. In the URL Path List, click /*, and modify the path to contain the following value:

    /nesp/app/heartbeat

    This is the path to the heartbeat application.

  12. Click OK > OK.

    The heartbeat of this Access Gateway is available from the following URL (See Step 4.):

    http://heartbeat.jwilson.provo.novell.com:81/nesp/app/heartbeat

    If the protected resource is configured with a path of / or /*, the solution works. However, it can be vulnerable to attacks because the configuration opens ESP over a non-SSL port. Restricting the resource to /nesp/app/heartbeat automatically denies access to ESP except for the heartbeat.

  13. Click OK and apply the changes to the configuration.

  14. Add a health check script similar to the following to the L4 switch:

    For a Foundry switch, your string must look similar to the following if the hostname is ag1 and the IP address is 10.10.16.172:

    healthck ag1 tcp
      dest-ip 10.10.16.172
      port http
      protocol http
      protocol http url "GET /nesp/app/heartbeat HTTP/1.1\r\nHost:st160.lab.tst"
      protocol http status-code 200

    For a Radware Alteon switch, your string must look similar to the following if the hostname is ag1 and the IP address is 10.10.16.172:

    open 81,tcp
    send GET /nesp/app/heartbeat HTTP/1.1\r\nHOST:heartbeat.lab.tst\r\n\r\n
    expect HTTP/1.1 200
    close
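The following added example (not part of this documentation, and not code from the product) reproduces the L7 probe the switch scripts above send, so an operator can verify the heartbeat from a workstation and confirm that the non-SSL port 81 service answers only for /nesp/app/heartbeat. Host names, IP addresses and the CA file path are assumptions; the `other_path_status` check expects any non-200 answer for a path outside the heartbeat resource.

```python
import socket
import ssl

HEARTBEAT_PATH = "/nesp/app/heartbeat"


def build_probe(path, host):
    """Raw HTTP/1.1 request, same shape as the Foundry/Alteon script strings,
    with the terminating blank line the Alteon 'send' line spells out."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def status_code(raw):
    """Numeric status from the response status line; None if not an HTTP reply."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    return int(parts[1]) if parts[1].isdigit() else None


def probe(ip, port, host, path=HEARTBEAT_PATH, cafile=None, timeout=3.0):
    """Send one probe to ip:port; TLS is used when cafile is given (port 443 case).
    Returns the status code, or None on connect/TLS failure (treated as unhealthy)."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
        if cafile:
            # Verify against the published DNS name even though we dial the IP.
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(build_probe(path, host))
            raw = b""
            while b"\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        return status_code(raw)
    except (OSError, ssl.SSLError):
        return None


def heartbeat_verdict(heartbeat_status, other_path_status):
    """Healthy only if the heartbeat returns 200 AND a path outside the
    /nesp/app/heartbeat resource is refused on the non-SSL port (not 200)."""
    return heartbeat_status == 200 and other_path_status != 200


if __name__ == "__main__":  # assumed lab values, as in the page's examples
    hb = probe("10.10.16.172", 81, "heartbeat.jwilson.provo.novell.com")
    other = probe("10.10.16.172", 81, "heartbeat.jwilson.provo.novell.com", "/nesp/app/")
    print("heartbeat:", hb, "other path:", other, "ok:", heartbeat_verdict(hb, other))
```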