If you are using Internet Explorer, please remove blackberry.com from your compatibility view settings.

Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

BlackBerry® Enterprise Service 10

Reply
Regular Contributor
Shamrock
Posts: 83
Registered: ‎05-13-2009
My Device: Not Specified

BAS and Hardware Load Balancing

Anyone actually have success hardware load balancing two BAS servers?  I originally had everything running on my BES, and then decided to offload the BAS onto 2 separate servers and load balance them.  In order to do this I had to change the BAS pool name, and update my DNS.  However since I changed the pool name, and shutdown the BAS services on my original BES I haven't been able to even open the webpage on my new load balanced BAS servers. 
Please use plain text.
Regular Contributor
Shamrock
Posts: 83
Registered: ‎05-13-2009
My Device: Not Specified

Re: BAS and Hardware Load Balancing

I worked with RIM and I finally got my setup so that I can at least get to the admin web interface.  However now I just get a system error when trying to just browse to the page itself.

 

Also I'm not entirely sure why RIM has stated that you can use a hardware load balancer because from what I've seen with my 2 BAS servers; it appears that there's always a primary node, and if you try and login locally on the passive node via the web interface it doesn't work.  I'm very skeptical that the load is actually getting balanced across both of my BAS servers.  How can it be if the web interface only works on 1 of the nodes? 

 

If I stop the services on 1 node, then I can login on the 2nd node, and vice versa.

Please use plain text.
Contributor
devans
Posts: 20
Registered: ‎04-01-2008
My Device: Not Specified

Re: BAS and Hardware Load Balancing

I recently read through the Installation & Configuration guide about how to create a Administration Service pool using DNS round robin, but I could not find instruction about how to configure the pool with a hardware load balancer.

I contacted RIM through our Tx3 subscription informing them that we plan to use an F5 load balancer, & asked if they could provide me with information on how to create a Administration Service pool using a hardware load balancer?

This was the reply:
[I]When setting up a hardware load balancer it would depend on the settings with the load balancer. So you will want to point the BES to the Hardware load balancer then configure the Administration Service Pool.[/I]

Not overly helpful. Does anyone else have experience with this & can shed some light.

Please use plain text.
New Contributor
scarnes
Posts: 4
Registered: ‎03-05-2010
My Device: 8830
My Carrier: Verizon

Re: BAS and Hardware Load Balancing

I've had similar unresponsiveness with T-support over this issue. You are correct that one node in the BAS pool is active and one is passive at any given time. A load balancer is not going to be helpful for distributing load but could be helpful in providing high availability if properly setup. While DNS round robin is what F5 touts in their deployment guide, this is extremely bogus since DNS round robin can only be used to assist in distributing load, not directing traffic to the active node in an active/passive configuration like BAS uses. Using DNS round robin in a situation like this results in a page not found error half the time.

 

So, the problem is how to determine which is the active BAS node on the F5.IIt would be extremely valuable to BES Admins everywhere if someone with insight on how to set this up properly would post details on how to do so.

Please use plain text.
New Contributor
scarnes
Posts: 4
Registered: ‎03-05-2010
My Device: 8830
My Carrier: Verizon

Re: BAS and Hardware Load Balancing

[ Edited ]

After a ton of back and forth with RIM and a ton of trial and error, here is how we were able to setup successfully Blackberry Administration Service 5.0 with an F5 3600 LTM (OS 10.2)

 

1)      Install BAS per RIM installation guide specifying a BAS pool name. This is the FQDN that ultimately you will want to connect to when using the BAS.

 

2)      Configure BAS to use TCP to communicate between nodes. http://www.blackberry.com/btsc/dynamickc.do?externalId=KB19436&sliceID=1&command=show&forward=nonthr...

 

3)      Configure the Blackberry Administration Services to startup automatically and start them on all BAS nodes. The goal here is to have all your BAS instances running at the same time for high availability. Confirm that the BAS is running properly on each node by going to https://<servername>/webconsole/login where <BAS_servername> is each server running the BAS services. (This is contrary to my previous post that only one BAS instance can be running at a given time)

 

4)      Generate and submit to your certificate authority (CA) a  certificate signing request (CSR) for a trusted certificate to be used on each node in your BAS pool. In our case we used an internally signed certificate since or BAS will never see the Internet but that decision is at your discretion. Thew command we used to generate a 2048 bit CSR against the BAS keystore was:

 

 keytool -genkey -alias httpssl -keyalg RSA -keysize 2048 -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore" -storepass <password> - dname “CN= <BAS_pool_name >,OU= <Company_division>, O= <company name>, L= <City>, ST= <State>, C=<Country>”

 

We actually found a freeware GUI tool that makes managing the java keystore much easier. I would recommend it if you aren’t familiar with the keytool command line utility. http://www.lazgosoftware.com/kse/index.html

 

NOTE: If your CA supports subject alternative names (SAN), you can create a CSR that has the BAS pool name as the common name (CN) on the certificate and each BAS server node as a SAN to ensure that you don’t get a certificate error when connecting to the BAS pool through the LTM or directly using the server name. If your CA doesn’t support SANs, be sure to minimally use the BAS pool name as the CN in the CSR.

 

5)      Once you get the signed certificate back from your CA, install it on each BAS node. Again, this is easily done through the Keystore Explorer app but can also be done by using the keytool utility as well.

 

6)      Once it is installed on each BAS node, use Keystore Explorer to export the certificate and private key to a PKCS#12 bundle which we will later import on the F5 LTM.

 

7)      On the F5 LTM, go to Local Traffic ->Certificates and import the PKCS#12 certificate bundle you just created. If necessary, import any intermediate certificates in the certificate chain onto the LTM as well.

 

8)      On the F5 LTM, go to Local Traffic ->Profiles ->SSL -> Client and select’ Create.’

  • NAME BAS_clientssl
  • Parent Profile – clientssl
  • Certificate – select the BAS_ssl certificate you imported to the LTM in step 7.
  • Key – select the BAS_key you imported in step 7.

9)      On the F5 LTM, go to Local Traffic -> Persistence and select ‘Create.’

  • NAME – BAS_cookie
  • Persistence Type – Cookie
  • Parent profile – cookie
  • Cookie Method – Hash
  • Cookie Name - JSESSIONID

10)      Create a BAS virtual server on your F5 LTM like the following:

a.       NODES (Add a node for each BAS_servername:

  • NAME <BAS_ servername1>
  • Health Monitor – https
  • Connection Limit – 0

b.      POOL

  • NAME <BAS_Pool>
  • Health Monitor – https
  • Members – <BAS_servername1>, <BAS_servername2<, etc…
  • Load Balancing Method – Round Robin

c.       VIRTUAL SERVER

  • NAME <BAS_Virtual_Server>
  • Destination – Host
  • Address - <Virtual IP Address> (This is the IP address you will connect to through the LTM load balanced pool)
  • Service Port – HTTPS
  • Type – Standard
  • Protocol Profile (Client)– http
  • Protocol Profile (Client)– (Use client Profile)
  • HTTP Profile – http
  • SSL Profile (Client) – select the SSLclient profile you created in step 8.
  • SSL Profile (Server) – serverssl (This is the built in sslserver profile that comes on the LTM)
  • SNAT Pool – Automap
  • Address Translation –checked
  • Port translation – checked
  • Default Pool – select the BAS_pool you created in step 10B with all the BAS nodes.
  • Default Persistence – select the BAS_cookie persistence profile you created in step 9.
  • Fallback persistence – source address.
  • iRule – BAS_irule (Optional)

For those interested on redirecting users who go to https://<BAS _pool_name> to https://<BAS _pool_name/ webconsole/login you can create an iRule like the following:

when HTTP_REQUEST {

if { ([HTTP::uri] equals "/") } {

HTTP::redirect https://[HTTP::host]/webconsole/login}

 

11)      Once all this I complete, have a DNS A record created that points <BAS_pool_name> to the Virtual IP Address of the BAS Virtual Server.

While these steps are specific to an F5 LTM, this should work with any load balancer that supports persistence. Also I tried to keep this as short as I could so if you have any questions about any of these please post your question and I will be glad to help if at all possible.

Please use plain text.
Guru III
knottyrope
Posts: 29,932
Registered: ‎06-25-2008
My Device:

I'm rockin the BlackBerry Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook, BlackBerry Wireless Headset HS-700

My Carrier: I am on AT&T. Please edit your Personal Profile with your DEVICE TYPE, DEVICE OS and Carrier

Re: BAS and Hardware Load Balancing

WOW, thanks for sharing all of that. It will help out a lot.

 




Click here to Backup the data on your BlackBerry Device! It's important, and FREE!


Click "Accept as Solution" if your problem is solved. To give thanks, click thumbs up
Click to search the Knowledge Base at BTSC and click to Read The Fabulous Manuals

BESAdmin's, please make a signature with your BES environment info.


SIM Free BlackBerry Unlocking FAQ
Follow me on Twitter @knottyrope


Want to thank me? Buy my KnottyRope App here


BES 5.0.4 and BES 10.2.2 with Exchange 2010 and SQL 2008


Please use plain text.