Domain creation, ip|reporter Solaris installation, ip|reporter web 2.2
Nov. 2006    S    Chapter 3    Alarming function
Feb. 2007    T    All    manual organization; ip|reporter’s portmapper port; ip|reporter multi network interfaces server; Apache web server configuration for ip|reporter web edition; BW tracking principles; configuring ip|engines; ip|engine alarms description; removal of a report
Nov. 2007    U    All    in accordance with the V4.4 software version
Jan. 2008    V    Chapters 2 and 7    ip|reporter web (no license key; user rights definition); 7.3.2. How to read the reports; periodicity of some reports (minor corrections)
April 2008    W    All    in accordance with the v5.0.0r8 software version
July 2008    X    Chapters 2 and 3    Solaris installation removed from this manual; radius configuration
October 2014
Ipanema Technologies
Ipanema System
Oct. 2008    Y    All    in accordance with the v5.0.0r12 software version
Dec. 2008    Z    All    in accordance with the v5.1 software version
Jan. 2009    AA    Chapter 2    2.5.4. Install/Uninstall ip|reporter on Windows, 2.6.1. Install ip|reporter web on Windows
March 2009    AB    All    in accordance with the v5.2 software version
May 2009    AC    All    Minor corrections: 1. 2. 3. 5, 3. 6. 1 and 7.1.2: SNMP port; 2.5.6.1: InfoVista license key; 2.6.1.8: Customizing VistaPortal SE; 4.5.3: ip|boss Java client menu bar; 6.5.3: Helpdesk maps colors. New: 2.3.3 install ip|boss using the CLI; 3.9: note on Inventory printing; 4.9.7. Tools; 4.9.8. smart|path advanced parameters; 4.10.5.4: User class sensitivity; 4.11.3.1: Alarm severity; 6.5.1: Link supervision
June 2009    AD    Chapters 2, 9    2.1 JDK is not required any longer; 9.1 Technical Support contact information
Nov. 2009    AE    Chapters 2, 4, 7    2.8.2 software upgrade (FTP); 4.9.3 and 4.10.5.4 RAM-based and Disk-based compression are replaced by Zero Delay and Standard Redundancy Elimination (ZRE, SRE); 4.10.3.2 applications list; 7. several report updates in version 5.2 had not been reflected in the manual
Nov. 2009    AF    Chapters 2, 4, 6, 7    2.2.3 and 2.3.3 minor corrections; 4.9 Export / Import objects; 4.10.8 and 4.11.5.4 new smart|path parameter in v5.2.2; 6.5.2 freeze the view in the real time flows list; 7.6.3, 7.6.4 and 7.6.5 three new SLA reports
March 2010    AG    All    in accordance with the v6.0 software version
May 2010    AH    Chapter 1    A bug in the documentation system, which replaced chapter 1 by chapter 10, has been fixed.
Aug. 2010    AI    Chapters 1, 2, 4, 5 and 8    1.2.3.2 minor correction; 2.7 and 8.16 (mainly) ip|export has been completely redesigned
Dec. 2010    AJ    Chapter 8    8.8.11.1 minor correction
Aug. 2011    AK    All; Chapter 2    “Virtual ip|engines” are now called “tele|engines”. The “optimization” feature is now called “QoS & control”. 2.5 reports_desc.impsys and VistaViews are now automatically installed with ipreporter_setup.exe; Solaris 9 is not supported any longer; Windows 2008 is supported
Nov. 2011    AL    All    in accordance with the v7.0 software version; installation is now described in a separate manual
Dec. 2011    AM    All    Chapter 1 - Ipanema System was missing in rev. AL
March 2012    AN    All    in accordance with the v7.0.2 software version; major changes: User Classes are renamed Application Groups; report pm – top host application on volume is restored
July 2012    AO    All    in accordance with the v7.1 software version
Sep. 2012    AP    All    suppression of the Undo button
Dec. 2012    AQ    All, 1.1.2, 4.2.3, 4.8.3, 8.13    in accordance with the v7.1.4 software version; SALSA architecture updated; the Undo button has been put back in; applications list updated; description of the common name (https attribute) improved; SEM reports are renamed SAM
Jan. 2013    AR    3.4.2.1, 4.6.1, 4.8.3.3, 4.8.4, 8.4    A Timezone is added to the Domain configuration; Export function updated; RTP/RTCP plugin configuration updated; Implicit max bandwidth = 500 x objective; minor corrections (reports availability on tele-managed sites with IMA)
March 2013    AS    3.4.2.1, 7.2.1, Chapter 7, Chapter 8    More details on the time zone; More details on the throughput displayed in ip|dashboard; SLA, CIFS and PM-compression reports updated
April 2013    AT    3.6.1, 4.7.2, 4.9.3.1, -    More details on User rights on the reports; Definition of the WAN access’ Network Report key for DWS; More details on the syntax of the alarm rules in ip|boss’s Alarming function
June 2013    AU    4.8.3.2    List of recognized applications updated
July 2013    AV    all    In accordance with the v8.0 RC software version
Aug. 2013    AW    Chapter 1    The Introduction has been completely revised.
Sept. 2013    AX    Chapter 7    In accordance with the v8.0 GA software version
Oct. 2013    AY    5.2.1.2    ip|engine supervision details: minor correction xxx Ipanema Software License Agreement
Oct. 2013    AZ    10    New Ipanema Software License Agreement
March 2014    BA    All, 4.7.3    “QoS & control” is renamed “Application Control”. New names for the WAN access attributes and new fields for the multipath mode in the ip|engine configuration window.
April 2014    BB    9.11    SSL optimization report added
June 2014    BC    All    In accordance with v8.1 RC software version
July 2014    BD    All, 9.18    Minor correction on the Sites terminology; SP reports: monitored resources
Oct. 2014    BE    In accordance with v8.1 GA software version
2. LIST OF ASSOCIATED DOCUMENTS
The system installation on Windows is described in a separate document:
■ Ipanema System Installation Manual
For each range of ip|engine (nano, 10, 100 and 1000), there are two manuals:
■ Directives and Regulations Manual: ip|engine Directives, Regulations and Certificates. Read the safety instructions before connecting an ip|engine to the supply.
■ Configuration manual: Technical characteristics and ip|engines installation, configuration and set-up procedures; troubleshooting. This manual is intended for ip|engines integrators, administrators and users.
3. DOCUMENT ORGANIZATION
This document contains 10 chapters:
■ Chapter 1 - Ipanema System: system overview.
■ Chapter 2 - Unified access to the Ipanema System (SALSA client): how to access a Domain with the various components of the system.
■ Chapter 3 - Managing Domains, Users and Licenses (ip|uniboss): Domains and Users creation and modification procedures, Licenses management.
■ Chapter 4 - Configuring Services (ip|boss): the different set-up and configuration procedures.
■ Chapter 5 - Ipanema System Supervision (ip|boss): system supervision procedures.
■ Chapter 6 - Using Ipanema Services (ip|boss): system exploitation procedures.
■ Chapter 7 - Monitoring (ip|dashboard): application monitoring.
■ Chapter 8 - Optimizing SSL (ip|dashboard): optimization service to the SSL encrypted flows.
■ Chapter 9 - Reporting (ip|reporter): description of the Ipanema reporting.
■ Chapter 10 - Software license agreement.
■ Chapter 11 - Technical support: description of the Ipanema Support.
4. TERMS USED
AG:
Application Group.
Aggregated flow:
an aggregated flow groups together IP micro-flows sharing given common characteristics. It is specified by a source subnet, a destination subnet and, where appropriate, a protocol, an application and a client/server direction and a TOS.
ANS:
Autonomic Networking System.
Applications Dictionary:
the Applications Dictionary contains a list of the applications recognized by the system. The applications are identified by protocol, a TCP or UDP port number, a type of Codec, a URL for HTTP, a published application for Citrix...
Applications Group:
Group of Applications with a certain Criticality level and a certain QoS Profile; contains key parameters for AQS measurement and Application Control.
Application Quality Score:
Ipanema notation for the traffic Quality. From 0 (very bad) to 10 (very good). The notation is calculated according to the expected behavior.
AQS:
Application Quality Score (see description above).
ASL:
Application Service Level.
BDP:
Bandwidth Delay Product.
Byte counting:
the system indicates the number of bytes in the IP packet, including IP headers.
CIFS:
Common Internet File System, aka SMB (Server Message Block).
CLI:
Command Line Interface.
Congestion:
state of a network resource in which the traffic incident on the resource exceeds its output capacity over an interval of time.
CoS:
Class of Service.
CPE:
Customer’s Premises Equipment (network access equipment located on the customer’s site. In the case of an IP network this is usually an access router).
Delay variation:
Standard deviation of the delay on a given period.
DPI:
Deep Packet Inspection, the application recognition mechanism used by Ipanema, based on the layer 7 syntax.
DSCP:
DiffServ Code Point.
DstPort:
Destination Port.
Datagram:
block of data transmitted on the packet switched network.
D/J/L:
Delay/Jitter/Loss.
Domain:
a Domain is composed of a set of ip|engines making and exchanging observations and making measurements based on these. ip|engines are configured and operated via the ip|boss central software. All elements in a Domain must be connected in the IP sense (each element must have an IP address that can be routed on the network).
DWS:
Dynamic WAN Selection (feature provided by the smart|path service).
Elementary observation:
measure of time, length, etc., performed by the ip|engine on each measured packet.
Equipped site:
site with an ip|engine, a nano|engine or a virtual|engine.
Flow:
in the Ipanema system, we call a flow all the sessions of a given application, from a given source to a given destination.
Fragmentation:
the process of division of a datagram into several fragments (IP packets), to facilitate traffic flow on low-speed links for example.
GLASS:
GlobaL Autonomic Support System: ip|engine metrics aimed at accelerating technical escalations.
GPS:
Global Positioning System: a highly accurate positioning and synchronization system based on a satellite constellation (~ 24) in medium altitude orbit, covering practically the entire surface of the earth. It was used in early versions of the Ipanema system.
Goodput:
Number of received bits per second above layer 4 (i.e., TCP or UDP payload).
GUI:
Graphic User Interface.
HSRP:
Hot Standby Router Protocol (Cisco).
ICMP:
Internet Control Message Protocol.
IMA:
Ipanema Mobile Agent.
IP:
Internet Protocol.
IP micro-flow:
an IP micro-flow is specified by all packets identified by the same IP source and destination address, the same protocol and, where appropriate, the same TCP/UDP ports.
ip|agent:
Ipanema software running on Ipanema appliances (ip|engines and nano|engines) and virtual appliances (virtual|engines); by extension, we call ip|agent the software running on Ipanema Mobile Agents (IMAs), although the latter do not run all ip|agent services. ip|agent services are ip|true, ip|fast, ip|xcomp, ip|xtcp, ip|xapp, smart|path and smart|plan.
ip|boss:
component of the SALSA suite used to configure the Domains.
ip|coop:
tele|engines’ cooperative control (part of ip|fast).
ip|dashboard:
component of the SALSA suite used to monitor the traffic (in reality the server is part of ip|boss server).
ip|engine:
Ipanema appliance that performs measurement, control, compression, acceleration, etc., to provide Visibility, Application Control and WAN Optimization.
ip|fast:
ip|agent providing Application Control.
ip|reporter:
component of the SALSA suite that generates the reports; it is powered by InfoVista.
ip|true:
ip|agent’s measurement service, behind the Application Visibility feature.
ip|uniboss:
component of the SALSA suite used to manage the Domains, Users and Licenses.
ip|xapp:
ip|agent providing CIFS acceleration (part of the WAN optimization feature).
ip|xcomp:
ip|agent providing Compression (SRE and ZRE — part of the WAN optimization feature).
ip|xtcp:
ip|agent providing TCP acceleration (part of the WAN optimization feature).
IPDR:
IP Data Records.
ISU:
Ipanema Software Unit.
ITP:
Ipanema Time Protocol.
Jitter:
standard deviation of the delay on a given period.
JRE:
Java Runtime Environment.
LAN:
Local Area Network (the same geographical site may have several LANs interconnected by a router).
LAN-to-LAN:
used for the measurement from the LAN port of the source ip|engine to the LAN port of the destination ip|engine; applies to the throughput, Delay, Jitter and packet Loss. Also abbreviated “LAN” (e.g. LAN-to-LAN Delay = “LAN Delay”).
LDAP:
Lightweight Directory Access Protocol, used for authentication and authorization in SALSA.
LTL:
Local Traffic Limiting.
Measurement interface:
interface on the ip|engine giving access to the point of measure.
Measurement ticket:
the measurement ticket groups together the elementary observations made on an IP packet by an ip|engine.
MetaView:
Object we report on (Domain, Site, group of Sites, Application Group, etc.), created in ip|boss. The reports aggregate data on MetaViews, in ip|reporter.
MOS:
Mean Opinion Score: standard measure of the quality of a voice call, scored from 0 (very bad) to 5 (very good), normalized by the ITU-T (G.107).
MRE:
Multi Redundancy Elimination (= SRE + ZRE; synonymous with Compression).
nano|engine:
Ultra compact Ipanema appliance that performs measurement and control, to provide Visibility and Application Control in small Branch offices (no WAN Optimization, unlike ip|engines).
NAP:
Network Access Point.
OWD:
One Way Delay.
Packets:
series of binary elements organized in a predefined format and transferred as a whole.
Packet counting:
the system indicates the number of datagrams observed. It is insensitive to fragmentation by routers, whether this fragmentation occurred in the Domain of Measure (between ip|engines) or outside the Domain (before the first ip|engine).
Packet loss:
the system indicates the number of datagrams lost. It is therefore insensitive to fragmentation by routers, whether this fragmentation occurred in the Domain of Measure (between ip|engines) or outside the Domain (before the first ip|engine).
PBR:
Policy Based Routing.
Physical site:
(Obsolete) old name for an Equipped site.
Point of measure:
place of traffic acquisition where measures are made.
QoE:
Quality of Experience (measured by the AQS).
QoS:
Quality of Service.
QoS Profile:
Set of parameters in ip|boss, which applies to an Application Group. The parameters are: the traffic type (real time, transactional or background), the bandwidth objective and the maximum bandwidth (per session), followed by 6 quality metrics (delay, jitter, loss, RTT, SRT and TCP retransmission) with two thresholds each (objective — maximum).
RADIUS:
Remote Authentication Dial-In User Service.
Router:
interconnection gateway between two IP networks.
Routing:
operation of determining the route to be taken through a network by a data packet.
RTT:
Round Trip Time.
SALSA:
Scalable Application Level Service Architecture.
SAML:
Security Assertion Markup Language.
Sensitivity:
Application Group parameter, used for DWS.
SLA:
Service Level Agreement.
smart|path:
ip|agent providing Dynamic WAN Selection.
smart|plan:
ip|agent’s Network Rightsizing service.
SNMP:
Simple Network Management Protocol.
SrcPort:
Source port.
SRE:
Standard Redundancy Elimination (AKA “Disk-based compression”).
SRT:
Server Response Time.
SSL:
Secure Sockets Layer.
TCP:
Transmission Control Protocol.
tele|engine:
Allows traffic on unequipped Sites to be measured and controlled by the ip|engines of the remote Sites, thus providing Application Visibility and Control without any appliance on the local Site (branch office). tele|engines are configured in ip|boss as “physical” ip|engines, by checking a specific box. A Site with a tele|engine is called a tele-managed Site.
Tele-managed Site:
Site with a tele|engine.
Ticket Record:
groups measurement tickets together for transmission between ip|engines.
TOS:
Type Of Service.
TOS Dictionary:
the TOS Dictionary contains a list of TOS recognized by the system. The TOS are identified by the field Type Of Service in IP packet.
Traffic profile:
a description of the temporal properties of a traffic stream such as rate and burst size.
Transfer delay:
the transfer delay of a packet between ip|engines is measured when the last bit of the packet passes the measure points. In the event of fragmentation of the datagram into several IP packets, the measure is made when the last bit of the last fragment passes.
Throughput:
Number of bits per second at the IP level.
UC:
Unified Communications.
UDP:
User Datagram Protocol.
VF0 / VF4:
Vista Foundation 0 / 4 (InfoVista platforms provided with ip|reporter).
Virtual ip|engine:
(Obsolete) old name for a tele|engine (< SALSA v6).
Virtual site:
(Obsolete) old name for a tele-managed Site.
virtual|engine:
Software image of an ip|engine, to be deployed on VMware ESXi.
VoIP:
Voice over IP.
VPN:
Virtual Private Network.
VRF:
Virtual Routing and Forwarding.
WAN:
Wide Area Network (long distance network that allows data exchange between remote sites).
WAN-to-WAN:
used for the measurement from the WAN port of the source ip|engine to the WAN port of the destination ip|engine. Applies to the throughput, Delay, Jitter and packet Loss. Also abbreviated “WAN” (e.g. WAN-to-WAN Delay = “WAN Delay”). LAN-to-LAN Delay = Delay generated by the source ip|engine, if any + WAN-to-WAN Delay + Delay generated by the destination ip|engine, so the LAN-to-LAN Delay includes (and is higher than or equal to) the WAN-to-WAN Delay.
WFQ:
Weighted Fair Queuing.
Wizard:
Way to create combinations of MetaViews and reports in ip|boss’ Reports menu.
ZRE:
Zero delay Redundancy Elimination (AKA “RAM-based compression”).
CHAPTER 1. IPANEMA SYSTEM
1. 1. OVERVIEW
1. 1. 1. Autonomic Networking System
Ipanema’s self-learning and self-optimizing Autonomic Networking System™ (ANS) tightly integrates all the features to guarantee the best application performance: Application Visibility, Application Control, WAN Optimization, Dynamic WAN Selection and Network Rightsizing. Easy to use and highly scalable, ANS addresses mid-size and thousands-sites companies. It also addresses Service Providers with thousands of customers. Based on the SALSA central management platform and on a family of appliances and software agents, ANS fits from the smallest Branch Office to the largest Datacenter.
■ Autonomic:
– It guarantees applications performances through global and distributed coordination between Ipanema appliances and software agents,
– it dynamically adapts to traffic and network changes thanks to a “Sense and Respond” mechanism (Sense: Real-time view of the network performances and users demand; Respond: Dynamic and distributed computation with second-by-second optimal policies enforcement),
– full control is provided, in most cases (depending on the network architecture), with as few as 10-20% of the sites equipped with physical appliances.
■ All-in-one:
– All features are tightly coupled,
– it optimizes all application flows: data transfers (FTP, CIFS...), interactive flows (ERPs, Citrix...), real-time flows (VoIP, Videoconference...), etc.
■ Service Framework:
– A unified management GUI is provided for all features,
– the multi-tenant SALSA platform scales up to 10M’s users and 100K’s sites,
– objective-based control enables Application SLAs and global WAN Governance.
1. 1. 2. Ipanema features
This section quickly describes Ipanema features (for more details see 1.3. Features description).
Application Visibility
■ Goal: understand application usage and performance over the entire network.
■ How: providing clear application performance KPIs (Application Quality Score — or AQS — and MOS), high level consolidated reports, and very detailed information at the flow level.
Figure: Application Visibility
Application Control
■ Goal: guarantee users’ experience by controlling each application flow in real-time, depending on the network resources.
■ How: dynamically enforcing Application SLAs for each user thanks to a global and dynamic approach, where the whole traffic matrix is taken into account in real time. Application Control manages the application flows in the most efficient way, even in full-mesh and very large networks.
Figure: Application Control
WAN Optimization
■ Goal: accelerate delay sensitive applications and reduce bandwidth consumption.
■ How: eliminating redundancy in the application flows (both at the packet level and data stream level), and accelerating TCP segments, CIFS application, SSL flows, etc.
Figure: WAN Optimization
These features are tightly coupled to address all situations.
Figure: Tightly coupled features
Network Rightsizing:
■ Goal: align network sizing to budget and business requirements.
■ How: combining Application Visibility and Application Control data to determine sizing options and their consequences; the results are displayed in easy-to-use reports.
Figure: Network Rightsizing
Dynamic WAN Selection:
■ Goal: guarantee application performance across hybrid [MPLS + Internet] networks, improve business communication continuity, exploit large network capacity at low cost, benefit from Internet immediacy and ubiquity, turn back-up lines into business lines, eliminate complex policy based routing and unify the management of hybrid networks.
■ How: automatically and dynamically selecting the best path for each application flow across the various networks.
Figure: DWS
1. 1. 3. Ipanema appliances, VMs and software agents
Ipanema features are performed by Ipanema appliances, virtual machines and software agents, generally located at the interface between the enterprise network (LAN) and the access router to the operator network (WAN). There are two families of appliances: ip|engines and nano|engines, and two families of software agents: virtual|engines and Ipanema Mobile Agents (IMAs). Application Visibility and Application Control features are also available on sites that are not equipped (no ip|engine, no nano|engine and no virtual|engine on the site), declaring “tele|engines” on these sites.
ip|engines: hardware devices; various models are available, with different capacities
nano|engines: hardware ultra compact devices, for small Branch Offices
tele|engines: logical service delivered through the remote collaborating ip|agents
virtual|engines: virtual machines in .vmdk format
IMAs: software agents for Windows desktops
ip|agent is the software running on ip|engines, nano|engines and virtual|engines. IMAs run some of ip|agent’s services (but we also call them ip|agents, by extension). To provide the features described above, ip|agents run the following services:
■ for Application Visibility:
– ip|true: measurement,
– ip|sync: time synchronization,
■ for Application Control:
– ip|fast: the Application Control service,
– ip|coop: tele|engines’ cooperative control,
■ for WAN Optimization:
– ip|xtcp: TCP acceleration,
– ip|xcomp: compression (SRE and ZRE) + TCP acceleration,
– ip|xapp: CIFS acceleration,
■ for Network Rightsizing:
– smart|plan
■ for Dynamic WAN Selection:
– smart|path.
1. 1. 4. Features availability
The table below summarizes the features provided by the different Ipanema appliances and virtual machines, and on tele-managed sites:
                ip|e ax   ip|e non-ax   nano|e                              virtual|e   tele|e
ip|true         yes       yes           yes                                 yes         yes, performed by the remote ip|agents; no D/J/L info
ip|fast         yes       yes           yes                                 yes         yes, performed by the remote ip|agents
ip|xcomp SRE    yes       no            no, except on hosts running IMAs    yes         no, except on hosts running IMAs
ip|xcomp ZRE    yes**     yes**         no                                  yes         no
ip|xtcp         yes**     yes**         no*                                 no*         no*
ip|xapp         yes***    yes***        no, except on hosts running IMAs    yes***      no, except on hosts running IMAs
smart|path      yes       yes           yes                                 no          no
smart|plan      yes       yes           yes                                 yes         no
Table: Features availability
* ip|xtcp is a single-box sender-side technology, so traffic to a site with a nano|engine, a virtual|engine or a tele|engine can be accelerated.
** except for ip|e 40so.
*** ip|xapp is a single-box client-side technology, so the ip|engine or virtual|engine must be installed in the Branch Office (where the clients are). If it is not (sites with a nano|engine or a tele|engine), the feature can still be delivered, thanks to IMA.
1. 1. 5. Functional architecture
SALSA (Scalable Application Level Service Architecture) is the Central Management Software; it is composed of:
■ ip|uniboss software (one server): it ensures the creation and management of the Domains, Unified User Management and Licenses management.
■ ip|boss software (one or several servers, depending on the number of Domains and their sizes; it can be installed on the same server as ip|uniboss): it ensures system administration, system configuration (system provisioning, application provisioning and reports provisioning), service activation, real time monitoring (ip|dashboard), supervision, collection of the Correlation Records generated by ip|agents every minute (according to the parameters), interface with ip|reporter to create or delete reports (the main reports are automatically created).
■ ip|reporter software (one or several servers, depending on the number of Domains, the volume of traffic and the number of reports; on very small networks — less than 10 sites — it can be installed on the same server as ip|boss/ip|uniboss): it ensures the reporting function, polling ip|boss to collect the raw data, which it then consolidates in many different dimensions, with about 40 pre-defined report templates.
ip|reporter is powered by InfoVista and embeds an InfoVista run time licence; this run time provides all user functions in local, remote or client/server mode or with an HTML interface with VistaPortalSE. InfoVista can be provided with two different VistaFoundation platforms: VF0 (provided to most Ipanema customers) and VF4 (provided for MSPs/NSPs or customers with very large networks only). Only VF0 platform is described in this document. For VF4 information, please refer to the relevant Technical notes.
ip|export, an optional module of ip|reporter, allows automatic and dynamic export of any data from any reports in text, CSV or Excel formats. It is designed for seamless inter-operability between network measurement systems and Business Support Services.
Figure: SALSA architecture
A SALSA unified portal gives access to ip|uniboss, ip|boss, ip|dashboard and ip|reporter web. A Domain selector (drop-down list) allows selecting the Domain to be configured (with ip|boss) or monitored (with ip|dashboard) prior to connecting.
Figure: SALSA unified portal
It can be accessed with a web browser at https:///salsa/.
1. 2. GENERAL PRINCIPLES
1. 2. 1. System deployment
A Domain is made up of a set of Ipanema appliances and virtual machines positioned at the measurement or control points of a network, in the same LANs as the CPE routers. Their ip|agent software measures, controls, compresses and accelerates the network traffic on the entire network. One Domain has to be created per logical entity, using ip|uniboss software. Once created, it is managed by a dedicated ip|boss instance.
Figure: System deployment
ip|agents belonging to the same Domain cooperate (distributed intelligence), but do not interact with other ip|agents belonging to other Domains. To measure, control and accelerate flows on a site with no ip|agent (neither appliance nor virtual machine), the user can declare a tele|engine on that site (in the same way as they would declare a real ip|engine, in ip|boss). To make this possible, ip|agents must be present at the other ends of the flows (measurement, control and acceleration will be performed by the remote ip|agents, which is why such a site is also called a tele-managed site).
Figure: ip|agents cooperation in a Domain (with tele-managed sites)
The system performs measurement, control, redundancy elimination and acceleration on the basis of the observed traffic in the user’s private IP addressing plan. Each ip|agent recognizes the local network (LAN) traffic transmitted to and received from the long-distance network (WAN). LANs have an IP address range expressed in the form a.b.c.d and a prefix, the length of which is expressed by /p.
For correct system operation:
■ each ip|engine, nano|engine, and virtual|engine must have a fixed IP address,
■ the server running ip|boss must be accessible by all ip|engines, nano|engines and virtual|engines (it is not necessary for IMAs). It must therefore have an IP address, but the latter is not necessarily a fixed address, in theory (except if ip|reporter server is installed on another station, which should be the case in most cases). The server is not necessarily on the customer part of the network.
1. 2. 2. Communication between system elements A Technical note, “TN-0300164-02_Flow_matrix_SALSA_v”, shows all ports used between all components of the Ipanema system.
1. 2. 2. 1. Communication between ip|agents
ip|agents exchange measurement and control information, among others. To accomplish this, each ip|agent hosts a specific server reachable by all other ip|agents on predetermined TCP and UDP ports. An ip|agent also hosts a specific client that transmits measurement and control signals and compressed data to the remote ip|agent servers. The source ports are dynamically selected by the transmitting ip|agents.
Service                               L4     Port
ip|true                               TCP    19999
ip|fast                               UDP    19999
ip|agent capacity advertising         TCP    19996
ip|xcomp SRE                          —      —
ip|xcomp ZRE dictionary and control   TCP    19988
ip|xcomp ZRE compression tunnel       UDP    19988
ip|xcomp ZRE keep alive               UDP    19987
ip|xtcp                               —      —
ip|xapp                               —      —
ip|sync (ITP)                         UDP    19995
Clustering                            UDP    19997
Table: Ports used between ip|agents
1. 2. 2. 2. Communication between ip|boss and ip|agents There are three types of communication channels between ip|agents and ip|boss: ■ ■ ■
configuration and supervision, polling of the measurement records (Correlation Records), polling of the real-time graphs’ data.
Service
L4
Port
Usage
HTTPS
TCP
443
Configuration, supervision, collect of the Correlation Records.
FTP
TCP
20–21
Download ip|agent software (the FTP server is not necessarily on ip|boss).
SSH
TCP
22
Remote connection on Ipanema appliances and virtual machines (enabled by default). (The remote access is not necessarily granted from ip|boss.)
Telnet
TCP
23
Remote connection on Ipanema appliances and virtual machines (disabled by default). (The remote access is not necessarily granted from ip|boss.)
Real-time graphs
TCP
19990–19993
Additional polling to provide a real-time view in ip|dahsboard.
Ports used between ip|agents
■ Configuration and supervision channel
Each ip|engine, nano|engine and virtual|engine hosts an HTTPS server accessible by ip|boss for configuration and supervision. This server is reached on TCP/443 destination port (default value; another value can be configured on request). If remote connections (SSH and/or Telnet) are to be established from ip|boss (not mandatory, but very helpful), then ports 22 (SSH) and/or 23 (Telnet) are also used. (By default, SSH is enabled on all ip|agents, and Telnet is disabled.) If ip|boss is used as an FTP server to download ip|agent software, then ports TCP/20 and 21 are also used (they are not otherwise; the FTP server can be on other devices, such as an external server or even an ip|engine, for instance).
■ Periodic measurement collection channel
The HTTPS server embedded in ip|agents is also used by ip|boss to retrieve the measures (pull) (same port and remark as above).
■ Real-time measurement polling channel
Real-time measures are sent by the ip|agents on a unidirectional TCP connection to a predefined destination port (in the 19990–19993 range by default; other ranges can be configured). The TCP source port is dynamically selected (a fixed port can be configured) by the transmitting ip|agent.
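The port table and channel descriptions above can be turned into a flow audit. The following is an added example, not part of the Ipanema manual or software: it checks observed flows between ip|boss and ip|agents against the default ports listed in this section. The addresses, the role map and the flow-log format (`src dst proto dport`) are constructed for the illustration, and real-time traffic is assumed to terminate on ip|boss.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    service: str
    proto: str
    ports: range      # destination ports (defaults from the table; all are configurable)
    src: str          # role that opens the connection
    dst: str          # role that listens
    verdict: str      # "expected" or "review"


RULES = (
    Rule("HTTPS", "tcp", range(443, 444), "boss", "agent", "expected"),
    Rule("SSH", "tcp", range(22, 23), "boss", "agent", "expected"),
    # Telnet is disabled by default, so seeing it deserves a second look.
    Rule("Telnet", "tcp", range(23, 24), "boss", "agent", "review"),
    # FTP control channel; only legitimate when ip|boss is the FTP server.
    # Active-mode data connections come *from* server port 20 and are not
    # matched by a destination-port check like this one.
    Rule("FTP", "tcp", range(21, 22), "agent", "boss", "review"),
    Rule("real-time graphs", "tcp", range(19990, 19994), "agent", "boss", "expected"),
)


def classify(line: str, roles: dict) -> tuple:
    """Return (verdict, service) for one 'src dst proto dport' flow record."""
    src, dst, proto, dport = line.split()
    pair = {roles.get(src), roles.get(dst)}
    if pair != {"boss", "agent"}:
        # agent-to-agent, client-to-boss and unknown hosts are covered by other tables
        return ("out-of-scope", None)
    for rule in RULES:
        if (rule.proto, rule.src, rule.dst) == (proto.lower(), roles[src], roles[dst]) \
                and int(dport) in rule.ports:
            return (rule.verdict, rule.service)
    return ("unexpected", None)


def audit(lines, roles):
    """Return every flow that is not plainly expected, with its verdict."""
    findings = []
    for line in lines:
        verdict, service = classify(line, roles)
        if verdict in ("review", "unexpected"):
            findings.append((line, verdict, service))
    return findings


# Constructed sample data (not captured from a real deployment).
ROLES = {"10.0.0.10": "boss", "10.1.0.2": "agent", "10.2.0.2": "agent"}
FLOWS = [
    "10.0.0.10 10.1.0.2 tcp 443",     # configuration / collection
    "10.0.0.10 10.2.0.2 tcp 23",      # Telnet, disabled by default
    "10.1.0.2 10.0.0.10 tcp 19991",   # real-time graph data
    "10.2.0.2 10.0.0.10 tcp 21",      # FTP control toward ip|boss
    "10.1.0.2 10.0.0.10 tcp 443",     # HTTPS in the wrong direction
    "10.1.0.2 10.2.0.2 udp 19987",    # agent-to-agent, not this table
    "192.0.2.7 10.1.0.2 tcp 22",      # SSH from a host with no known role
]

if __name__ == "__main__":
    for finding in audit(FLOWS, ROLES):
        print(finding)
```

If any default port has been changed on the deployment, `RULES` has to be edited to match before the verdicts mean anything.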
1. 2. 2. 3. Communication between ip|boss client and ip|boss server
Communications between ip|boss web client and ip|boss server use HTTPS (port TCP/443).
1. 2. 2. 4. Communication between ip|boss and ip|reporter
Two kinds of communication channels exist between ip|boss and ip|reporter:
■ configuration and supervision channel: ip|boss supervises and configures the reporting system via the InfoVista interfaces. The TCP ports used are dynamic by default, but they can be fixed by configuration. This channel allows reports to be created and deleted according to the configuration and ip|reporter’s supervision status.
■ collect channel (SNMP): ip|boss houses an SNMP agent used by ip|reporter (InfoVista) in order to collect the measurement data (pull mode). This SNMP agent is reachable via a UDP port configured for each Domain in ip|uniboss.
1. 2. 3. Security
The Ipanema System provides robust security features (SSL, SSH, tools for key generation and distribution, etc.) to protect the system against break-in and hostility threats. Authentication mechanisms to access the different system elements, and between them, protect the system against unauthorized accesses. Communication encryption between the system elements protects the system against sniffing of configuration information or measurement results exchanged between them.
1. 2. 3. 1. Appliances Access Control (Console and SSH)
Many security features regarding the access to Ipanema appliances, through the console or through the network, are implemented. They are listed below (however access to a particular appliance is limited to a very small number of cases):
■ console access is secured with full password management;
■ remote access is secured with the use of the SSH protocol (Telnet is also available, but for security reasons it is disabled by default);
■ commands limitation: when remotely accessing an Ipanema appliance (or virtual machine), the set of available user commands is carefully restricted to the minimum (device basic configuration and troubleshooting, namely).
1. 2. 3. 2. Secured ip|boss — ip|agents communications
SSL protocol is used to download the configuration file from ip|boss to all ip|agents, to monitor all appliances and to collect the measurement data. Both authentication and encryption are used. The Ipanema System allows three security levels:
■ First level (default mode): The customer uses the default factory certificate. Communications are secured. Nevertheless, as the certificate is not unique to the customer, the security level is not at its maximum.
■ Second level: The customer defines their own certificate. This can be achieved either in ip|boss or using a certificate generator. Certificate installation on ip|agents is managed from ip|boss and does not require local access to the Ipanema appliances or virtual machines. Communications are secured. Unauthorized people will not be able to enter the system nor to read or interpret configuration or measurement data.
■ Third level: The customer defines their own certificate and an SSL passphrase. This requires not only an ip|boss certificate installation, but also to have local access to all ip|agents in order to setup the passphrase configuration. Communications are secured. Combination of certificate and local passphrase provides the highest level of security.
Important reminder: 80% of the security breaches are internal to companies.
1. 3. FEATURES DESCRIPTION
1. 3. 1. Application Visibility (ip|true)
The primary goal of Application Visibility is to understand application usage and performance over the entire network. To reach that goal, applications are classified in Application Groups (AGs), and each AG has specific QoS performance objectives (nominal bandwidth per session and two thresholds — objective and maximum — for one-way-delay, jitter, packet loss, RTT, SRT and TCP retransmission ratio), making it possible to check whether performance objectives are met or not, and to calculate an Application Quality Score (AQS) accordingly. Ipanema Application Visibility is:
■ comprehensive (see the list of metrics below),
■ highly accurate, relying on time synchronization from the network (thanks to ITP, Ipanema Time Protocol),
■ very precise and non-intrusive: measurements are made on the actual data packets and not on test packets nor simulated flows,
■ exhaustive: all IP packets are measured,
■ independent from the operator network access and core technology (measurements are made at the IP layer),
■ confidential: the contents of user packets are not, at any time, stored, saved or even transmitted between the different system components.
ip|true provides the following metrics:
■ the number of packets and bytes transmitted and received,
■ the number of sessions,
■ the following one-way metrics:
  – Delay,
  – Jitter,
  – packet Loss,
  all three (called D/J/L) both:
  – ingress (from the LAN to the WAN) and
  – egress (from the WAN to the LAN),
  and both:
  – between the LAN interfaces of the appliances (LAN-to-LAN metrics, simply called “LAN”) and
  – between their WAN interfaces (WAN-to-WAN metrics, simply called “WAN”),
■ the following TCP metrics:
  – RTT (Round Trip Time),
  – SRT (Server Response Time),
  – TCP retransmission ratio,
■ the following composite metrics:
  – Voice’s MOS (Mean Opinion Score),
  – all flows’ AQS (Application Quality Score).
AQS
Individual measurements are aggregated and analyzed according to multiple criteria (source and destination sites, source and destination subnets, Application Groups, applications, etc.). The results are presented in the form of detailed flows lists, real-time graphs, charts, etc., and archived with periodic aggregation (in hourly, daily, weekly and monthly reports). They are made available for subsequent processing or reference, and can be used to generate alarms, analyze long-term trends, forecast future traffic increase to estimate optimum network sizing, etc. Users can specify their own aggregation criteria, thus taking into account their enterprise organization (e.g. the different countries, departments, services, etc.). The following system elements are involved:
■ ip|agents (ip|true): elementary observations, correlation, traffic classification,
■ ip|boss: configuration, polling of the Correlation Records (HTTPS), MIB update,
■ ip|reporter: polling of ip|boss’ MIB (SNMP), reports publishing and reports database management.
1. 3. 1. 1. ip|agents’ elementary observations, correlation and classification
Each IP packet observed by an ip|agent undergoes a series of operations:
■ filtering of IP v4 packets,
■ classification and filtering of packets according to their types:
  – local traffic on the LAN,
  – ingress traffic (LAN to WAN traffic),
  – egress traffic (WAN to LAN traffic),
  – transit traffic.
■ correlation, to calculate the one-way metrics (Delay, Jitter and packet Loss), when both the source and the destination of the flow are equipped with Ipanema appliances or virtual machines (this condition is necessary); this operation is achieved in four steps:
  – 1. when the packet is sent and crosses the upstream ip|agent, the latter calculates a signature (hash) and stores it locally,
  – 2. when the packet is received and crosses the downstream ip|agent, the latter calculates a signature (the same one),
  – 3. once a second, the downstream ip|agent sends its signatures back to the upstream one, in a compact “Ticket Record”. Ticket Records have an average length of 300 bytes and the overhead they generate is approximately 2% of the measured traffic (<< 2% on large sites, due to statistical reasons — the more the traffic, the less the overhead).
  – 4. the upstream ip|agent correlates the signatures it has calculated with the signatures it has received from the downstream ip|agent (the two ip|agents must be synchronized),
Thanks to this correlation mechanism, the upstream ip|agent knows how many packets have been received and when they were received, thus allowing it to calculate the flows’ D/J/L.
Correlation mechanism
■ traffic classification according to multiple criteria:
  – by application: applications are recognized thanks to a syntax engine allowing layer 7 attributes to be taken into account, which makes it possible to identify the vast majority of the user applications,
  – by source and destination sites,
  – by source and destination subnets (according to the User subnets directory),
  – by TOS value (the "TOS" field of the IP header identifies the Type of Service; they can be configured in the TOS dictionary),
  – etc. (the classification level can be determined by configuration),
Then ip|agents output measurement tickets (“Correlation Records”), when polled by ip|boss Collector, every minute (or every 5 minutes on very large networks; this parameter — “Collect” — is set at the Domain level in ip|uniboss). (ip|boss will store the information in a MIB, depending on the created MetaViews (see the reports configuration in ip|boss) and in ip|dashboard’s database, and ip|reporter will poll ip|boss’s MIB using SNMP to aggregate the information and generate the reports; see below.)
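The four correlation steps of this section, carried through in code. This is an added example, not Ipanema code: the manual does not document the signature function, the loss timeout or the exact jitter formula, so the truncated SHA-256, the 2000 ms timeout and the "mean absolute difference between consecutive delays" definition used here are assumptions, and the traffic is constructed. It also shows why the two ip|agents must be synchronized: a clock offset on the downstream side shifts every measured delay by the same amount.

```python
import hashlib
from statistics import mean


def signature(packet: bytes) -> str:
    # Assumption: truncated SHA-256 over bytes that do not change in transit.
    # The manual only says "a signature (hash)".
    return hashlib.sha256(packet).hexdigest()[:16]


class DownstreamAgent:
    def __init__(self):
        self.pending = []                       # (signature, receive time in ms)

    def observe(self, packet: bytes, rx_ms: int) -> None:
        self.pending.append((signature(packet), rx_ms))          # step 2

    def ticket_record(self):
        ticket, self.pending = self.pending, []                  # step 3
        return ticket


class UpstreamAgent:
    def __init__(self, loss_timeout_ms: int = 2000):             # assumed value
        self.sent = {}                          # signature -> send time in ms
        self.samples = []                       # (send time, one-way delay)
        self.lost = 0
        self.loss_timeout_ms = loss_timeout_ms

    def observe(self, packet: bytes, tx_ms: int) -> None:
        self.sent[signature(packet)] = tx_ms                     # step 1

    def correlate(self, ticket, now_ms: int) -> None:            # step 4
        for sig, rx_ms in ticket:
            tx_ms = self.sent.pop(sig, None)
            if tx_ms is not None:
                self.samples.append((tx_ms, rx_ms - tx_ms))
        # A signature never echoed back within the timeout counts as a lost packet.
        expired = [s for s, tx in self.sent.items()
                   if now_ms - tx >= self.loss_timeout_ms]
        for sig in expired:
            del self.sent[sig]
        self.lost += len(expired)

    def report(self) -> dict:
        delays = [d for _, d in sorted(self.samples)]            # in send order
        steps = [abs(b - a) for a, b in zip(delays, delays[1:])]
        total = len(delays) + self.lost
        return {
            "delay_ms": mean(delays) if delays else None,
            "jitter_ms": mean(steps) if steps else 0,
            "loss": self.lost / total if total else 0.0,
        }


def simulate(clock_offset_ms: int = 0) -> dict:
    """Run one flow through both agents; the offset models an unsynchronized downstream clock."""
    up, down = UpstreamAgent(), DownstreamAgent()
    # Constructed traffic: (send time in ms, network delay in ms, None = lost in transit)
    traffic = [(0, 30), (20, 36), (40, 30), (60, None), (80, 36)]
    for seq, (tx_ms, delay) in enumerate(traffic):
        packet = b"flow-A seq=%d" % seq         # sequence number keeps signatures unique
        up.observe(packet, tx_ms)
        if delay is not None:
            down.observe(packet, tx_ms + delay + clock_offset_ms)
    up.correlate(down.ticket_record(), now_ms=1000)   # first Ticket Record
    up.correlate(down.ticket_record(), now_ms=3000)   # later pass expires the lost packet
    return up.report()


if __name__ == "__main__":
    print("synchronized :", simulate())
    print("50 ms offset :", simulate(clock_offset_ms=50))
```

With the 50 ms offset the reported delay rises by exactly 50 ms while jitter and loss are unchanged, which matches the later statement that synchronization matters for measurement only.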
1. 3. 1. 2. Considerations on fragmentation
Transmitting large packets on the network can degrade the quality of service for applications, particularly if access speed is low. IP protocol allows datagrams to be fragmented into several packets (fragments). Fragmentation can be performed at different points, but is generally performed:
■ by the access router (CPE) connected to a low-speed interface,
■ by an access or transit router in certain cases of congestion.
Fragments are not reassembled on the network or in the router, but by the end station. To keep measures consistent without making assumptions on whether and where fragmentation occurred (before or after the first ip|agent), the Ipanema system performs measurements on the datagrams. This choice allows the classification mechanisms to operate correctly, even though port numbers of the TCP/UDP protocol are present only in the first fragment of a datagram. This choice is also consistent with applications’ behaviors. Indeed, the user application must wait for the datagram to be reassembled before it is able to use the data it contains. It is therefore the reception of the last fragment that is important. A datagram is considered to be lost as soon as one or more of its fragments is lost. In this case, the datagram is not delivered to the transport layer by the destination terminal.
1. 3. 1. 3. Time synchronization
ip|engines, nano|engines and virtual|engines synchronization on the Domain is used for correlation (see above), hence for Delay/Jitter/Loss measurement (and measurement only: control, redundancy elimination, etc., do not require synchronization). There are two synchronization layers:
■ Time servers
  – they can be either ip|engines, virtual|engines, ip|boss or External NTP servers,
  – one is enough,
  – if several are used, they MUST deliver a consistent time between each other,
  – if an ip|engine is a Time Server, it will use its local ITP configuration.
■ Synchronization servers
  – they must be ip|engines or virtual|engines of the Domain,
  – they will not use their local reference, except in case of Time servers failure,
  – they share their clocks with their peers (all other synchronization servers).
The Synchronization servers take their timing from the Time server and issue it to the rest of the Domain’s appliances and virtual machines.
Synchronization two-layer model
This two-layer model allows GPS-less yet precise synchronization across the whole Domain, out of Domain synchronization and short term “no time” function (a Domain can be disconnected from its Time server, thus improving resiliency).
1. 3. 1. 4. ip|boss: monitoring and SNMP Agent
ip|boss monitoring function and ip|dashboard client provide a real-time view of the performance and activity of the observed traffic in the form of graphs. Measures collected in the Correlation Records are stored in ip|dashboard’s database, thus allowing real time monitoring of the traffic, and in ip|boss’ MIB, where they can be polled by ip|reporter (or other devices), thus allowing any view (local, global, etc.), aggregating the data according to multiple criteria (by sites, by countries, by applications, etc.).
1. 3. 2. Application Control (ip|fast)
End-to-end QoS depends on both network infrastructures (transmission lines, access lines, traffic engineering policies) and user traffic. Network bottlenecks result in congestions and, at times, limit optimum bandwidth to well below its rated value. Transmitting more traffic will only result in increased transfer time and losses, thereby degrading QoS and application "goodput". The goal of the Application Control feature is to anticipate and avoid congestions, and to guarantee the users’ experience by adjusting each application flow in real-time. To reach that goal, Application Groups’ attributes include:
■ the business criticality of the application flow (top, high, medium or low),
■ the bandwidth objective (bandwidth requirements of the application flow, necessary and sufficient to provide it with good quality),
■ the traffic type (real time, transactional or background),
■ compression and acceleration capabilities,
thus allowing the controlling agent (ip|fast) to protect the business critical flows dynamically and efficiently, also taking into account the demand in real time (measured by ip|true). There is no need to set low-level, network or device-specific policy rules.
The utilization of these parameters by ip|fast can be summarized as follows:
■ business criticality: the higher the criticality of the flow, the more ip|fast will protect it;
■ bandwidth objective: bandwidth that ip|fast will try to provide to the application flow, even when the available bandwidth is scarce; the higher the criticality of the flow, the more likely its bandwidth objective will be met at all times;
■ traffic type: ip|fast will manage the priorities between the different queues depending on the sensitivities of the flows to avoid Delay and Jitter on the sensitive ones, knowing that:
  – real time flows are sensitive to Delay and Jitter; examples: VoIP and Video conference,
  – transactional flows are sensitive to Delay (but not to Jitter); examples: Telnet, Citrix,
  – background flows are not sensitive — at all; examples: file transfer, e-mail.
■ compression and acceleration capabilities: to know whether the flow can be compressed (with ip|xcomp, see below) and/or accelerated (with ip|xtcp, see below).
Congestion anticipation and avoidance is performed by comparing the available bandwidth (or network capacity) and the bandwidth used by all flows currently running (network usage). The comparison is performed on the access links, ingress and egress, and possibly end-to-end (namely if the available bandwidth between any pair of sites is not fixed and guaranteed). If the network usage reaches about 95% of the network capacity, then ip|fast triggers and starts controlling the bandwidth allocation.
■ The network usage is known very precisely, thanks to ip|true, which measures each and every packet crossing the Ipanema appliance or virtual machine.
■ The network capacity is:
  – either fixed (and defined in ip|boss, in the WAN access parameter),
  – or (if it varies) automatically and dynamically estimated by the Tracking function.
The Tracking function itself is activated in the WAN access window, where a maximum and a minimum bandwidth can be defined:
  • if the minimum is set at a lower value than the maximum (min < max), then the Tracking function will estimate the instantaneous bandwidth, at any moment, between these two thresholds;
  • if the minimum is set at the same value as the maximum (min = max), then the Tracking function is disabled, and the available bandwidth is considered as constant.
It is also the Tracking function that anticipates and avoids end-to-end congestions.
ip|fast principles
ip|fast is completely transparent to the network (the CPE only performs IP routing functions for network access) — except when the Coloring function is used, in which case the ToS field can be marked (see below).
ip|fast and CoS
If an operator offers different Classes of Service, assigning a CoS to the traffic becomes difficult. To adapt to this constraint and allow “full compatibility” between Ipanema’s traffic protection and the operator’s policy, the Ipanema System can automatically “color” (or mark) the packets according to the traffic Criticality and Type, using the ToS/DSCP field. The mode is “Color-Blind” (all packets are treated as if they were uncolored: they are marked according to the selected coloring rule regardless of their initial color, if any).
Topology: how to control flows end-to-end, even in a full-mesh environment
From a topological point of view, as several access points may send data to the same destination (and an access point may send data to several others), it can result in One-to-N or N-to-One type congestions. To solve the issue, ip|fast dynamically shares the global network available bandwidth to all active sources, taking into account the traffic demand, network bottlenecks and N-to-N congestions. This is made possible thanks to the permanent communication between ip|agents.
Summary
ip|fast can be summarized as follows:
■ it globally and dynamically controls bandwidth allocation between all access points,
■ it adapts QoS policies to current network performance and real user demand,
■ it selects, for each traffic flow, the right Class of Service in terms of performance,
based on:
■ the traffic requirements (criticality, bandwidth objectives),
■ the bandwidth demand,
■ the network performance.
1. 3. 3. WAN Optimization (ip|xcomp, ip|xtcp, ip|xapp)
End-to-end quality of application flows vastly depends on the capacity of the links, and on the end-to-end delays. WAN Optimization, which leverages the Application Control feature, helps improve quality by accelerating delay-sensitive applications and by reducing bandwidth consumption. To reach that goal, three services are used: ip|xtcp, ip|xcomp and ip|xapp.
1. 3. 3. 1. ip|xtcp
TCP was not designed for networks with a large BDP (Bandwidth-Delay Product, i.e. large RTT and/or high available bandwidth) or with a significant Bit Error Rate:
■ the slow-start mechanism increases the latency of short transfers,
■ due to the BDP limitation, the TCP sessions cannot fully utilize the available bandwidth, and error recovery is slow.
TCP acceleration (ip|xtcp service) overcomes these two limitations, using an ip|agent on the sender side (single-side technology). To achieve that goal, it is tightly coupled with ip|fast:
■ ip|fast “knows” the available bandwidth precisely, so we do not need the (old) TCP mechanism to discover it,
■ thanks to ip|fast, ip|xtcp is able to provide the flows with just the “right amount of acceleration” (accelerating flows too much could create congestion!), still guaranteeing critical applications protection.
It uses two mechanisms, independent from each other:
■ speed-up the slow start (“fast start”),
■ overcome the BDP limitation (“over-bdp”).
The key idea is, for each connection, to proactively enslave the TCP source rate to the ip|fast computed rate for this connection.
1. 3. 3. 2. ip|xcomp
For many reasons, it can be difficult to increase the bandwidth of a link (cost, operator delay, etc.). ip|xcomp overcomes this problem, by increasing the volume of traffic that can be sent on the network. To achieve that goal, two different mechanisms are used:
■ SRE (Standard Redundancy Elimination): Transparent mechanism that uses a TCP proxy and stores the redundant patterns, at the stream level, on the ip|engines’, virtual|engines’ or device hosting IMA’s hard disks, and exchanges small signatures instead, thus reducing bandwidth consumption. SRE is particularly efficient to compress “big flows” such as large file transfers, for instance.
■ ZRE (Zero-delay Redundancy Elimination): Mechanism that compresses the data, at the IP packet level, without buffering them (hence its name, “zero delay”) and encapsulates the compressed data in UDP tunnels before sending them (tunnels are automatically created). ZRE is particularly efficient with delay-sensitive flows, and with flows that do not have large redundant patterns (typically transactional applications).
The best mechanism is automatically selected for each flow, but it can also be forced by configuration (in ip|boss), site by site and Application Group by Application Group. ip|xcomp SRE also accelerates TCP, by using window scaling (RFC 1323) between the two proxies. ip|xcomp and ip|xtcp are mutually exclusive: when both are available, it is ip|xcomp that prevails (ip|xcomp SRE also accelerates TCP anyway).
1. 3. 3. 3. ip|xapp
The ip|xapp service allows accelerating CIFS traffic. CIFS stands for Common Internet File System, also known as SMB (Server Message Block). It is a proprietary Network protocol, the most common use of which is sharing files on a LAN, but also, due to “Data Server Consolidation”, over the WAN. ip|xapp accelerates CIFS version (or Dialect) “NT LM 0.12” (SMB1).
Deployment
CIFS Acceleration is a Client-side technology. So the typical deployment case uses ip|engines installed near the CIFS clients, or IMAs on the hosts running them, therefore mainly in Branch Offices.
CIFS acceleration and Redundancy elimination
ip|xapp and ip|xcomp are compatible. It is possible to compress accelerated CIFS traffic, both with ZRE and SRE, in one, the other or both directions, depending on the Application Group CIFS is matching, and on the local and remote sites’ compression/decompression capacities.
1. 3. 4. Dynamic WAN Selection (smart|path)
The goal of Dynamic WAN Selection (DWS) is to combine multiple physical networks (hybrid networks, e.g. MPLS and Internet) into one unified logical network, maximizing both Quality of Experience & business continuity. To achieve that goal, smart|path:
■ automatically and dynamically selects the best traffic path, according to Application Groups and WAN accesses configuration,
■ the Ipanema appliance handles the dynamic traffic conditioning according to the destination of the flows.
This maximizes application performance, security and network usage based on:
■ network quality and availability,
■ application Performance SLAs,
■ sensitivity level of the information.
single router with multiple interfaces, several routers with one interface (for example HSRP clustering).
These cases can be combined in a same site or in a same network.
1. 3. 5. Network Rightsizing (smart|plan)
The bandwidth usage at a site does not reflect the actual users’ needs. Moreover, TCP uses as much bandwidth as it can (TCP elasticity), and TCP does not make any difference between a non-critical FTP transfer and an ERP critical flow, for instance: although less critical, FTP will use more bandwidth than the ERP. As a consequence, usage-based provisioning is always over-estimated:
usage based provisioning = over-provisioning
There is also a drawback in increasing the bandwidth at a site (apart from the cost): the more available bandwidth, the less its usage matches the business needs of the company: more bandwidth “attracts” useless traffic! The Network Rightsizing feature, provided by an optional module of ip|reporter, allows aligning network sizing to budget and business requirements, thus allowing companies to size their networks “at the best” rather than over-provisioning them:
■ by taking the actual needs of the flows into account,
■ by eliminating security margins (“tempest of the century” syndrome),
■ by being insensitive to the topology.
It is based on the smart|plan service, that leverages ip|fast and provides ip|reporter with further metrics, allowing it to produce very high added value yet easy-to-use reports, enabling a complete analysis of the relationship between bandwidth (resource) and delivered service level (results) for each network access. Using this information, it is possible to immediately decide if the access link is under-provisioned or over-provisioned in regard of the expected service level per application’s business criticality. The data generated by the smart|plan service is available throughout the Ipanema System components. ip|boss makes them available through the SNMP interface, ip|reporter uses them to generate the appropriate easy-to-use reports and ip|export can export them in text or Excel format for post-processing.
Network Rightsizing report
To enable this feature on a site:
■ there must be an Ipanema appliance or virtual machine on the site,
■ ip|fast must be enabled,
■ the smart|plan option must be enabled.
Thanks to the smart planning feature, the Ipanema system allows the best usage of the network capacity according to the performance objectives, by enabling the user to select the best cost/performance compromise based on application service levels.
1. 3. 6. Tele-managed sites
tele|engines were introduced for easier customer acceptance, in case of hub-and-spoke traffic matrix, where they allow Application Visibility and Application Control features on sites that are not equipped (no ip|engine, no nano|engine and no virtual|engine on the site). To make this possible, ip|agents must be present at the other ends of the flows (measurement, control and acceleration will be performed by the remote ip|agents, which is why such a site is called a tele-managed site). Unlike a physically existing ip|agent, however, a tele|engine does not measure one-way-delays, jitter and loss rates, nor does it accelerate the traffic (but traffic to a tele-managed site can be accelerated); other metrics such as throughput, number of sessions, RTT, SRT and TCP retransmissions can be computed remotely, so they are available on tele-managed sites. tele|engines are configured through ip|boss just the same way as existing physical appliances (ip|engine menu). Then Application Control can classify and control the traffic from or toward these sites, according to the rules defined in the Application Groups. Traffic conditioning functions are automatically instantiated upon traffic recognition. Typical deployment cases:
■ ip|engines, nano|engines or virtual|engines on central sites and sites with meshed traffic,
■ tele|engines for small Branch Offices and simple traffic pattern.
With ip|coop option, a group of remote ip|agents cooperate (RCG: Remote Coordination Group) for each tele|engine, to do what a local ip|agent would have done, namely:
■ measure the traffic (ip|true),
■ detect congestions and control the flows (ip|fast).
The RCG is made of up to 8 ip|agents (on the 8 most active remote sites for each tele-managed site) and is automatically and dynamically configured by ip|boss. Thus, the contribution of each tele|engine can be precisely estimated so that congestion to and from the remote site can be managed (as through a proxy). tele|engines nevertheless have some limitations:
■ no Delay/Jitter/Loss measurement,
■ neither measurement nor control of “shadow” traffic (traffic between tele-managed sites),
■ end-to-end bandwidth Tracking is less efficient and less reactive,
■ no limitation of egress UDP traffic.
When ip|coop option is enabled, the number of tele|engines is controlled by ip|boss and defined in the license file delivered to the customer. Without this option, the number is unlimited.
CHAPTER 2. UNIFIED ACCESS TO THE IPANEMA SYSTEM (SALSA CLIENT)
Document organization
2. 1. SALSA WEB PORTAL
The SALSA Web Portal offers a single access point to all SALSA components: ip|uniboss, ip|boss, ip|dashboard and ip|reporter, with a single URL entry point and a unique username and password. The URL to access SALSA Web Portal is https://<ipanema_server>/salsa/ where ipanema_server is the server where ip|uniboss was installed. The User is prompted for a login and password:
SALSA Web Portal login window
Default login and password are: administrator / admin.
Once logged in, the User accesses the SALSA portal:
SALSA portal
This page can contain (depending on the User’s access rights):
■ the Domain selector: drop-down list allowing to choose the Domain to be configured (with ip|boss) or monitored (with ip|dashboard) — this selection is useless for ip|uniboss (as it manages all Domains) and ip|reporter (as it allows browsing in all Domains — depending on the User rights — with a folders structure playing the role of a “Domain selector”),
■ the welcome message for the selected Domain (it can be configured in ip|uniboss),
■ an ip|uniboss button, to open ip|uniboss client,
■ an ip|boss button, to open ip|boss client and configure the Domain selected in the Domain selector,
■ an ip|dashboard button, to open ip|dashboard client and monitor the Domain selected in the Domain selector,
■ an ip|reporter button, to open ip|reporter client and visualize the reports.
2. 2. UNIFIED USER MANAGEMENT
Users can be:
■ either internal: authentication and authorization are performed by ip|uniboss’ internal LDAP,
■ or external: authentication is performed by an external LDAP or using the SAML service; authorization is performed by ip|uniboss’ LDAP.
Users are configured using ip|uniboss GUI (see 3.6. MANAGING USERS). When a User connects to the SALSA Web Portal:
1. The portal requests an authentication from the web browser,
2. The portal checks the given username/password against the internal LDAP directory,
3. If the User is external, then their username/password are passed on to the external LDAP for authentication,
4. Once the User is authenticated, either internally or externally, the portal retrieves their ACLs from ip|uniboss’ LDAP and caches them in memory, as well as HTTP Authentication headers, before redirecting the request to the appropriate web application given the current portal URL request.
SALSA unified User management with the internal LDAP
Authentication can also be automatic (SSO), supplying the Users’ credentials in the URL or passing the User name as an HTTP header, without authentication — in that case only permissions are checked, using the User name and group supplied in the request headers. Refer to 3.6. MANAGING USERS to see how to configure SALSA Apache server as required.
2. 3. SALSA URLS
All components of the Ipanema system (ip|uniboss, ip|boss, ip|dashboard and ip|reporter web) can be accessed via SALSA unified client at this URL:
■ https://<ipanema_server>/salsa
It automatically redirects the User to the welcome page that contains the Domain selector capability:
■ https://<ipanema_server>/salsa/salsa_portal/.
These components can also be accessed individually and directly at the following URLs (these URLs are secured through LDAP-based authentication, therefore only unified users have access to them; they are entry points for all SALSA components using SSO):
■ https://<ipanema_server>/salsa/...
  – ipuniboss_portal/: ip|uniboss portal,
  – /: selected Domain with ip|boss portal,
  – gui//: selected Domain with ip|dashboard,
  – ipreporter_portal//: selected Domain’s reports with ip|reporter portal.
ip|uniboss and ip|boss CLI clients are available at the following URLs:
■ https:///ipuniboss_cli/: access to ip|uniboss CLI client,
■ https:///ipboss_cli/: access to ip|boss CLI client.
If authentication is external, whatever the method (LDAP or SAML) it is always possible to use an “internal” URL to perform authentication using SALSA users only. Internal authentication is not impacted by the different external services. To use it, simply replace “salsa” by “internal” in SALSA URLs (https://<ipanema_server>/salsa/...):
■ https://<ipanema_server>/internal/...
2.4. LDAP AUTHENTICATION
LDAP authentication is performed in the Apache httpd server using mod_authnz_ldap. The configuration for the module is located in production/ip_boss/izpack/httpd_ldap.conf. Upon successful authentication, HTTP headers are added to the request that is forwarded to the Tomcat server through an AJP connection (the configuration of the mod_proxy_ajp module is located here). These headers (x-6307-is-*) contain the profile of the authenticated user: name, accessible domains, and access rights to ip|boss, ip|uniboss, and ip|reporter web.
When forwarding to external users URLs, the front end portal is expected to fill the x-6307-is headers to provide information about the user it has authenticated.
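Because the back end takes the user profile from the x-6307-is-* headers (here and in the SSO mode of section 2.2), any copy of those headers supplied by the client has to be discarded before the front end sets its own. The following is an added example, not Ipanema code, written in Python for illustration rather than as Apache configuration; the header suffixes, the trusted front-end address and all function names are assumptions, only the header prefix comes from the manual.

```python
"""Added example (not Ipanema code): discard client-supplied identity headers.

Only the "x-6307-is-" prefix comes from the manual. The header suffixes, the
trusted front-end address and every function name are assumptions.
"""
import ipaddress
from collections import Counter

IDENTITY_PREFIX = "x-6307-is-"
# Assumed: the authenticating Apache front end runs on the same host.
TRUSTED_FRONT_ENDS = [ipaddress.ip_network("127.0.0.1/32")]


def canonical(name):
    """Fold case and map '_' to '-': some gateways treat both spellings alike."""
    return name.strip().lower().replace("_", "-")


def is_identity_header(name):
    return canonical(name).startswith(IDENTITY_PREFIX)


def peer_is_trusted(peer_ip):
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_FRONT_ENDS)


def front_end_forward(client_headers, profile):
    """Front end, after authentication: drop every inbound identity header,
    then add its own, built from the authenticated user's profile."""
    kept = [(n, v) for n, v in client_headers if not is_identity_header(n)]
    return kept + [(IDENTITY_PREFIX + key, value) for key, value in profile.items()]


def back_end_accept(headers, peer_ip):
    """Back end: return (headers to use, reasons for distrust).

    Identity headers are honoured only when the connection comes from a
    trusted front end and each one appears exactly once.
    """
    reasons = []
    if not peer_is_trusted(peer_ip):
        reasons.append("peer is not a trusted front end")
    counts = Counter(canonical(n) for n, _ in headers if is_identity_header(n))
    repeated = sorted(n for n, c in counts.items() if c > 1)
    if repeated:
        reasons.append("repeated identity headers: " + ", ".join(repeated))
    if reasons:
        headers = [(n, v) for n, v in headers if not is_identity_header(n)]
    return headers, reasons


# Constructed sample request carrying identity headers set by the client.
SAMPLE_CLIENT_HEADERS = [
    ("Host", "portal.example.test"),
    ("X-6307-IS-Name", "admin"),
    ("x_6307_is_domains", "*"),
    ("Accept", "text/html"),
]
```

The same two rules apply whichever component does the filtering: strip on the way in, and accept the headers only on the connection from the front end.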
2.5. VISTAPORTAL AND VPSE CONSIDERATIONS
2.5.1. VistaPortal considerations
VistaPortal cannot deal with HTTP headers for authorizations. It uses ip|uniboss LDAP servers to retrieve user permissions. We have added a Tomcat valve that parses Ipanema HTTP headers coming from ip|uniboss Apache server and puts them back in ip|uniboss LDAP server in order to always provide authorizations to VistaPortal through our LDAP. Then VistaPortal reads and maps the user permissions into properties that are used to filter Objects like Domains, MetaViews, reports, and so on.
There is nothing particular to do for the valve installation; the ip|reporter web installer takes care of installing and configuring the Ipanema valve in the VistaPortal Tomcat. The only parameters to provide are ip|uniboss LDAP connection parameters during ip|reporter web installation. The code of the Tomcat valve is located under ip_reporter/uum in the ip_reporter_web project (VF_4 feature branch).
2.5.2. VistaPortal SE considerations
VistaPortalSE cannot deal with HTTP headers for authorizations. It uses internal files to manage users (portalsesetup.xml, security.properties). We have added a Tomcat valve that parses Ipanema HTTP headers coming from ip|uniboss Apache server and keeps the internal files model consistent with the Ipanema user permissions and authorizations. VistaPortalSE represents users internally by associating Users and InfoVista instances; this lets a user access reports whose Domains are located in different InfoVista instances.
There is nothing particular to do for the valve installation; the ip|reporter web installer takes care of installing and configuring the Ipanema valve in the VistaPortalSE Tomcat. The only parameters to provide are ip|uniboss LDAP connection parameters during ip|reporter web installation.
CHAPTER 3. MANAGING DOMAINS, USERS AND LICENSES (IP|UNIBOSS)
Document organization
3.1. DOMAINS OVERVIEW
After ip|uniboss and ip|boss servers installation, you have to create a Domain to use the system. A Domain is a coherent set of elements:
■ ip|boss,
■ ip|engines.
The Domains are hermetic: an ip|engine of a Domain cannot dialog with an ip|engine of another Domain. An ip|boss server can manage several Domains; one instance per Domain should be created. The creation of a Domain is done only on the server.
To create a Domain, launch ip|uniboss web client (a CLI client is also available).
3.2. IP|UNIBOSS CLIENT
3.2.1. Connection to ip|uniboss
To connect to ip|uniboss server, click on ip|uniboss button in SALSA client:
SALSA client
The selected Domain has no impact, as ip|uniboss gives access to all Domains (according to the User rights).
3.2.2. ip|uniboss main window
ip|uniboss main window (in this view, Domains already exist)
The main window is divided into 5 parts:
■ A title bar, with Ipanema Technologies logo; closes all open windows when you click on it.
■ A tool bar, on the left: it is composed of icons which give access to the different screens of the software.
■ A menu bar, on the top: it is composed of five menus, “File”, “Edit”, “Display”, “Actions” and “?”.
■ A tab bar, below the menu bar: it shows all the open windows and allows to select any of them without needing to reload it from the tool bar. The active window’s tab is highlighted in blue.
ip|uniboss client with two windows open
■ The working table, that is subdivided into two parts:
  – A tool bar, composed of icons which allow to read, create, clone, modify and delete objects (Domains, etc.).
  – The list of created objects (Domains, etc.).
The buttons of the main tool bar are the following:
■ Update: updates the configuration; flashes when an update is necessary.
■ ip|boss servers: opens the ip|boss servers window.
■ Radius: opens the Radius window.
■ Domains: comes back to the Domains window.
■ Users: opens the Users window.
■ User Groups: opens the User Groups window.
■ Inventory: shows the inventory.
■ Log: shows the logged events.
■ Issues: shows the issues, when applicable.
■ ip|reporter web portals: opens the ip|reporter web portals window.
■ VistaMart: opens the VistaMart window.
■ Server Group: opens the Server Group window.
■ IV Server: opens the IV Server window.
■ About: shows information about ip|uniboss version and license information, and allows to import a license.
■ Quit: quits ip|uniboss client.
The buttons of the working tables are the following:
■ (consult): to consult an object (without modification capability),
■ (new): to create a new object,
■ (clone): to create an object from another one,
■ (modify): to modify one or more objects,
■ (delete): to delete one or more objects,
■ (search): to search object matching various criteria (see Edit > Search menu below),
■ (new filter): to filter the data (see View > Filter menu below),
■ (modify filter): to modify filters (see View > Filter menu below),
■ (sort by): to sort the data (see View > Sort menu below),
■ (choose columns): to choose the columns to display,
■ (save preferences): to save the view matching the filters, etc.; give the preferences a name (“Preference name”) and select whether you want these to be your default view (checking the “Default preference” box), the default view for mobiles (checking the “Default preference for mobile” box), whether you want them to be accessible to other users (checking the “Shared preference” box) and whether you want them to apply to this view only (checking the “on this view” radio button) or to all views of the same type (checking the “on views of the same type” radio button); then a drop-down list appears on the right (if no preference had been previously saved), allowing selecting these preferences, other saved preferences, or displaying everything with no filter (selecting “All”),
■ (delete preferences): to delete previously saved preferences.
The menus are the following:
File
■ New: to create a new object,
■ Quit: to quit ip|uniboss.
Window
■ Close All: to close all open tabs,
■ : to select the tab corresponding to the selected function.
Edit: you can select an object by clicking on its line. To select other objects, you have to click on their lines while pressing the Ctrl key. The Edit/Select all allows to select all the objects on the list. The Edit/Unselect all allows to unselect all the selected objects. In the status bar, the number of selected objects and the total number of objects is shown.
■ Search: to search for objects; opens a dialog box which allows to find all the objects with an attribute containing the specified text. The navigation between the found objects is made with the menus Edit > Next and Edit > Previous,
■ Next: to jump to the next found object,
■ Previous: to jump to the previous found object,
■ Select all: to select all the objects,
■ Unselect all: to unselect all the objects.
View
■ Sort: to sort objects; by clicking on the header of a column, you sort the list according to this column (by clicking again on the column, you change the order ascending-descending). By clicking on several columns while pressing the Ctrl key, you make a sort on multi-columns. These functions are also available with the menu Display/Sort.
■ Group by: to group objects by various criteria,
■ Filter: you can create some filters on the list which display only the filtered objects according to the criteria. A simple filter works with only one field whereas an extended filter is a combination of simple filters. When a filter is active, the number of displayed objects and the total number of objects is written on the status bar.
  – New filter: to create a new simple filter,
  – Modify filter: to modify an existing filter,
  – Active filter: to activate or deactivate the selected filter.
■ Choose columns: to choose the columns to display,
■ Preferences:
  – Save: to save the active filter (and column display),
  – Delete: to delete a filter (and column display).
Actions: allows to make all the actions achieved through the corresponding buttons:
■ Consult,
■ Clone,
■ Modify,
■ Delete.
?
■ About: shows the software version and license information (the same as the About button).
In some tables (Domains, ip|boss servers, etc.), an LED on the left gives the objects’ operational states; for the Domains, it can be: green (“Started”), grey (“n/a”: disabled), amber (Starting), red (the number of ISUs exceeds the total ISU credit), small and dark (when the Domain has just been created, before an Update has been applied). It can be displayed by moving the mouse upon it:
Domain’s operational state
3.3. IMPORTING A LICENSE
To create Domains, the license file “license.ipmsys” must be installed. To get your license file, please contact the Ipanema Support service at the e-mail address [email protected] or [email protected].
In the Toolbar, select About:
It shows the software version and license information (maximum number of Domains, total ISU credits (Ipanema Software Units), maximum number of ip|engines and tele|engines, authorized features, etc.):
About menu
The total number of ISUs (Ipanema Software Units) can be allocated in a flexible way across different Domains; refer to the “Create a Domain” section below.
To import a license, click on the Import button, browse your folders and select the proper license file (license.ipmsys).
(The license file is copied:
■ In the directory uni_boss\conf:
  – if ip|uniboss and ip|boss are installed on separate servers: on ip|uniboss server, in the directory ~\salsa\uniboss\server\domains\uni_boss\conf.
  – if both ip|uniboss and ip|boss are installed on the same server: on ip|uniboss / ip|boss server, in the directory ~\salsa\ipboss\server\domains\uni_boss\conf.
■ In each Domain’s directory (if Domains were already existing, for example when upgrading from a version to a new one): ~\salsa\ipboss\server\domains\\conf (on ip|boss server).)
3.4. SYSTEM PROVISIONING
The procedures in this section and in the following ones are all based on ip|uniboss web client.
3.4.1. Declare ip|boss servers
Before you can create a Domain, you first need to declare an ip|boss server.
■ Open the ip|boss servers table
The ip|boss servers table can be displayed by clicking on ip|boss servers in ip|uniboss Toolbar:
ip|boss servers table
■ Declare an ip|boss server
To declare a new ip|boss server, click on the New icon in the ip|boss servers window. Only the host name (or the IP address) needs to be entered; all other information (ip|boss version, OS version and JRE version) will be polled from the server:
ip|boss server declaration window
You need to click on Validate or Apply:
  – The Ok button creates the object and closes the window.
  – The Apply button creates the object and keeps the window open. This is useful when you want to create several objects.
  – The Cancel button closes the window without creating an object. Use Cancel after an Apply.
In the servers table, the LED on the left shows the compatibility status of the server; it can be:
  – green (“Compatible”) if the server is reachable and compatible with ip|boss; ip|boss version, OS version and JRE version are polled and displayed:
Compatible ip|boss server
  – grey (“Unreachable”) if the server is not reachable,
  – small and dark (when the server has just been created, before an Update has been applied: an Update is mandatory for the changes to be saved and taken into account).
3.4.2. Domains
The Domains window is opened when you start ip|uniboss client.
■ If other windows have been opened and if the Domains window is not the active one, click on the “Domains” tab.
■ If the Domains window has been closed, in the Toolbar, select Domains.
3.4.2.1. Create a Domain
Operating procedure table: service ip|reporter
■ An ip|boss server must be created first. Refer to the previous section.
■ A running license is required. Otherwise an error window is displayed when committing a new Domain.
ip|uniboss’ Domains window
In the Domains window, click on the New button.
A creation window opens where you can indicate your Domain’s characteristics:
Domain creation window, ’General’ tab
The fields with a legend in bold characters are mandatory.
The ’General’ tab of the Domain creation window contains the following fields:
■ Name: to specify the name of the Domain (characters string),
■ Description: to give additional information, if needed,
■ Welcome message: to display a text below the selected Domain in SALSA’s Domain selector,
ip|boss server
■ ip|boss server: to choose the server that will manage the Domain (from a drop-down list). In display mode, ip|boss version, OS version, JRE version and the Compatibility status are polled from the server and displayed:
Domain ISU
■ Allocated ISU: to specify the number of Ipanema Software Units that are needed on that Domain. Each function requires a certain number of ISUs, that can be purchased from Ipanema (a new license file is then provided; refer to the “Import a license” section above). The number of consumed ISUs and available ISUs for each Domain is displayed in the Domains windows. In display mode, the Credit ISUs (as a percentage of the total number of ISUs across all Domains), the Consumed ISUs (according to the activated services and WAN accesses bandwidths) and the number of Available ISUs (= Allocated - Consumed) are computed and displayed:
■ Administrative state: to Enable or Disable the whole Domain.
When a Domain is disabled, ip|boss services are stopped for this Domain. As a consequence, Correlation records are not collected and no data is collected in ip|dashboard or in the reports. ip|engines keep on running, however (so there is no impact on Application Control, redundancy elimination, acceleration, etc.).
■ Timezone: to choose the time zone for the Domain:
  – ip|reporter’s timing will be based on this value;
  – in ip|dashboard, it is possible to choose between this value (thus allowing the User to align the timing in ip|dashboard’s graphs with that of ip|reporter’s reports) and the local time zone (thus allowing the User to display the graphs with their local time).
■ Access port: port used by the client for that Domain (0 by default; 0 stands for a dynamic port).
■ Reversor enabled: to enable the reversor for that Domain.
SNMP Parameters
This frame allows configuring the SNMP agent of ip|boss:
■ SNMP Port: to specify the port number of the SNMP agent,
Each Domain (on the same server) must use its own SNMP port, different from the SNMP port of the other Domains.
■ SNMP IP Address: to specify the SNMP agent (ip|boss) to be polled by the SNMP Manager (ip|reporter). By default, it is the same as ip|boss server’s. You can specify a different one in case of multiple interfaces on ip|boss, or a servers cluster (declare the cluster’s virtual IP address).
■ Community name: to specify the community name (’public’ by default).
ip|reporter parameters
This frame allows configuring ip|reporter in order to create/delete reports in InfoVista Server:
■ Mode: the version of InfoVista’s VistaFoundation platform must be specified here: it can be VF0 or VF4, according to the version that was installed. If you don’t have any ip|reporter server, select Disabled.
■ The next field depends on the selected VistaFoundation platform:
  – If you are using VF0: IV Server allows to select an InfoVista from the drop-down list. If the InfoVista server you want to use has not been created yet, you can create it from this window, by clicking on the New button next to the selection box. Alternatively, you can use the IV Server function in the Reporting provisioning menu (described below).
  – If you are using VF4: Group allows to select a servers Group from the drop-down list. If the servers Group you want to use has not been created yet, you can create it from this window, by clicking on the New button next to the selection box. Alternatively, you can use the Server Group function in the Reporting provisioning menu (described below).
■ Logo URL: to customize the logo in the reports (one logo per Domain). The size of the logo should not exceed 150 x 80 pixels; most common formats are supported (gif, jpg and png). This logo will be visible only through a web access.
Tuning
This frame allows configuring the maximum number of Application Groups and User subnets, the HTTP timeout and the data collection periods between ip|boss and ip|engines and between ip|reporter and ip|boss, and used as the reporting polling period:
■ Maximum number of Application Groups: the administrator can limit the number of Application Groups; -1 (default value) allows an infinite number,
■ Maximum number of User subnets: the administrator can limit the number of User subnets; -1 (default value) allows an infinite number,
■ HTTP timeout: the timeout (in seconds) used on HTTP (or HTTPS) request; the time entered must be consistent with the network (more than the max. RTT for the most distant ip|engine),
■ Supervision: the polling period of ip|engine updated status (default values should be used):
  – 1 mn: ip|boss collects the supervision status every minute (default value),
  – 5 mn: ip|boss collects the supervision status every 5 minutes,
  – 15 mn: ip|boss collects the supervision status every 15 minutes.
■ Collect: the elementary period of the Correlation Records generation (packets collected during the specified time) and collect period for ip|boss (default values should be used):
  – 1 mn: ip|engines make a CR and are polled every minute (default value),
  – 5 mn: ip|engines make a CR and are polled every 5 minutes,
  – 15 mn: ip|engines make a CR and are polled every 15 minutes.
This parameter is used for ip|dashboard’s real time flows updates and corresponds to ip|boss’ alarms “Trigger occurrences”.
■ Short reporting: update period for clients of collector service (SNMP agent) for short period reports (default values should be used):
  – 1 mn: the SNMP data are updated by ip|boss every minute (default value),
  – 5 mn: the SNMP data are updated by ip|boss every 5 minutes,
  – 15 mn: the SNMP data are updated by ip|boss every quarter of an hour.
This parameter is used for some reports in Ipanema Libraries like Time Evolution, Detailed per Application, Detailed per Application Group, ...
■ Long reporting: update period for clients of collector service (SNMP agent) for long period reports (default values should be used):
  – 5 mn: the SNMP data are updated by ip|boss every 5 minutes,
  – 15 mn: the SNMP data are updated by ip|boss every quarter of an hour (default value).
This parameter is used for some reports in Ipanema Libraries such as dashboard, Site Talker/Listener, Subnet Talker/Listener...
User management
The seventh and last frame allows enabling Remote Authentication Dial-In User Service accounting for the Domain:
■ Radius Accounting: to enable (when the check box is enabled) or disable (when the check box is disabled) RADIUS accounting.
To see the RADIUS parameters, please refer to the “Create Radius servers” section below.
The Storage tab allows setting the data lifetime in ip|dashboard: up to 3 days of per-minute data (i.e. the last 72 hours, or 4320 minutes of measured traffic) can be stored in the database and displayed.
Domain creation window, ’Storage’ tab
■ Per minute data lifetime (in hours, between 3 — no history beyond the last 3 hours — and 72): number of hours of per minute data in all evolution quadrants, when the selected time span is the minute (then they display 3 hours of per minute information),
Example: Throughput Evolution quadrant, with time span: min
■ Per minute application flows lifetime (in hours, between 0 — no history — and 72): number of hours of per minute data in the flows lists, when the selected time span is the minute (then they display values averaged over a minute),
■ Per hour data lifetime (in days, between 0 — no hourly aggregation — and 3): number of days of aggregated data in all evolution quadrants, when the selected time span is the hour (then they display 3 days of hourly aggregated information),
Example: Throughput Evolution quadrant, with time span: hour
■ Per hour application flows lifetime (in days, between 0 — no hourly aggregation — and 3): number of days of per minute data in the flows lists, when the selected time span is the hour (then they display values averaged over an hour),
■ Disk size limit (in Bytes, KB, MB, GB, TB); syntax: the desired value followed by the prefix multiplier (B, K, M, G or T) with no space (e.g. “500G”): provided storage lifetimes are configured, an additional Disk size limit can be set as a safety net. History does not go beyond the first of the two limits being met (e.g., if the disk used meets the ’Disk size limit’ after 2 days, the new data will replace the 2-day-old data, thus keeping 2 days of information only, even though the Per hour lifetimes have been set to 3 days).
Whatever the configuration, data collection will stop if more than 90% of the physical hard disk capacity is used.
Technical Notes can help you size the server resources (CPU, RAM, HD) depending on various factors, such as the number of Domains, the number of Sites, data lifetime, etc.
Default parameters
■ When migrating a Domain from SALSA v7 to SALSA v8, the default values are: 3, 0, 0, 0, which is completely equivalent to what we had in SALSA v7 (no history and the time span could not be set — it was a minute — as there was no hourly aggregation).
■ When creating a new Domain, the default values are: 3, 3, 3, 3 (3 hours of history in the flows lists, hourly aggregation during 3 days).
When done, you need to click on Validate or Apply:
■ The Ok button creates the Domain and closes the window.
■ The Apply button creates the Domain and keeps the window open. This is useful when you want to create several Domains.
■ The Cancel button closes the window without creating any Domain. Use Cancel after an Apply.
An Update is mandatory for the changes to be saved and taken into account: click on the Update button.
The Domains’ parameters can be read in the Domains window and in the Inventory window.
After a Domain creation (“HMS” in the example below) the following directory tree is created on ip|boss server (by default in ~\salsa\ipboss\server\domains\):
3.4.2.2. Move a Domain
Refer to the document “DomainMove.pdf” provided on the DVD-ROM, in the \doc directory.
3.4.3. Radius
The Radius feature allows the user to:
■ Define several Radius servers,
■ Distinguish accounting servers from authentication servers,
■ Select the server selection algorithm.
The Radius configuration is common to all Domains. For each Domain, the Radius management can be activated or not (refer to the “Create a Domain” section above). If the Radius management is not activated, or if all declared Radius servers are unreachable, we automatically fall back to the embedded ip|boss users management mode.
The Radius window can be displayed by clicking on Radius in ip|uniboss Toolbar:
Radius window
This window contains two tabs: Configuration and Accounting servers.
■ Configuration
This tab allows to configure the RADIUS accounting parameters:
  ■ Retry: number of times the server will attempt to contact the Radius servers before falling back to the embedded ip|boss users management mode; default value is 3;
  ■ Timeout: time interval in seconds to wait for the Radius server to respond before a timeout; default value is 10 seconds;
  ■ Dead time: duration between two accesses to an unreachable Radius server (a server is considered unreachable when the configured number of retries has been reached without receiving a response within the specified timeout); value 0 means that a server is never removed from the list of available servers; default value is 10 minutes;
  ■ Selection algorithm: allows to choose between a serial and a round-robin algorithm to select the server, when there are several ones:
    – serial: the available servers are used one after the other, using the configured timeout and retry. The order is based on the priority attribute: the lower priority value is taken first.
    – round robin: the available servers are used randomly, using the configured timeout and a retry set to 1. When all servers have been tried, a second loop is done, and so on depending on the retry value. The order is based on the priority attribute: the lower priority value is taken first.
■ Accounting servers
This tab allows to create, modify or delete Accounting servers.
Click on the New icon in the Accounting tab to create a new Accounting server.
Accounting server creation window
The Accounting server creation window contains 5 fields:
■ Priority: value between 0 and 32767 used to define different priority levels between the different servers, when there are several ones; the higher the value, the lower the priority; default value is 10,
■ Name: name you want to give the server (50 characters max); names must be unique across the servers dictionary,
■ Host name: IP address or host name of the server (50 characters max),
■ Port: port on which the server is listening to accounting requests (generally UDP/1646),
■ Shared secret: shared secret for Radius authentication; it must consist of 15 or fewer printable, non space, ASCII characters; it should have the same qualifications as a well-chosen password.
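The interaction of Retry, Timeout, Dead time and the selection algorithm, together with the Accounting server field rules, is easier to follow in a small model. The following is an added example, not Ipanema code: class and function names are assumptions, the round-robin loop follows the priority order stated in the manual, and the port range and the rejection of an empty shared secret are assumptions as well.

```python
"""Added example (not Ipanema code): model of the Radius server selection
and of the Accounting server field rules described in this section.
All class and function names are assumptions made for the illustration."""
from dataclasses import dataclass

FALLBACK = "embedded ip|boss users management"


@dataclass
class Server:
    name: str
    priority: int = 10        # manual default; the lower value is taken first
    dead_until: float = 0.0   # the server is skipped while now < dead_until


@dataclass
class RadiusConfig:
    retry: int = 3            # manual default
    timeout: int = 10         # seconds, manual default
    dead_time: int = 600      # seconds (10 minutes); 0 = never removed
    algorithm: str = "serial" # or "round_robin"


def available(servers, now):
    """Servers not in their dead time, ordered by priority value."""
    return sorted((s for s in servers if s.dead_until <= now),
                  key=lambda s: s.priority)


def mark_dead(servers, cfg, now):
    if cfg.dead_time > 0:     # 0 keeps every server in the list
        for srv in servers:
            srv.dead_until = now + cfg.dead_time


def select(servers, cfg, send, now=0.0):
    """Return (name of the answering server or FALLBACK, attempts made).

    send(server, timeout) -> bool stands in for one request that is either
    answered within the timeout (True) or not (False).
    """
    attempts, candidates = [], available(servers, now)
    if cfg.algorithm == "serial":
        # Exhaust the retries on one server before moving to the next.
        for srv in candidates:
            for _ in range(cfg.retry):
                attempts.append(srv.name)
                if send(srv, cfg.timeout):
                    return srv.name, attempts
            mark_dead([srv], cfg, now)
    elif cfg.algorithm == "round_robin":
        # One try per server per loop; the retry value is the number of loops.
        for _ in range(cfg.retry):
            for srv in candidates:
                attempts.append(srv.name)
                if send(srv, cfg.timeout):
                    return srv.name, attempts
        mark_dead(candidates, cfg, now)
    else:
        raise ValueError("unknown selection algorithm: " + cfg.algorithm)
    return FALLBACK, attempts


def worst_case_delay(servers, cfg, now=0.0):
    """Seconds spent waiting before the fallback when no server answers."""
    return len(available(servers, now)) * cfg.retry * cfg.timeout


def validate_accounting_server(priority, name, host, port, secret):
    """Check the five creation-window fields; return a list of problems."""
    problems = []
    if not 0 <= priority <= 32767:
        problems.append("priority must be between 0 and 32767")
    if not 1 <= len(name) <= 50:
        problems.append("name must be 1 to 50 characters")
    if not 1 <= len(host) <= 50:
        problems.append("host name must be 1 to 50 characters")
    if not 1 <= port <= 65535:   # assumed: ordinary UDP port range
        problems.append("port must be between 1 and 65535")
    # Printable, non-space ASCII is 0x21..0x7E; an empty secret is rejected
    # here as an assumption (the manual only gives the upper bound of 15).
    if not (1 <= len(secret) <= 15 and all(0x21 <= ord(c) <= 0x7E for c in secret)):
        problems.append("shared secret must be 1 to 15 printable non-space ASCII characters")
    return problems
```

With the default values and two declared servers, worst_case_delay gives 60 seconds before the fallback to the embedded users management is reached.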
3.5. REPORTING PROVISIONING
The Reporting provisioning menu contains four functions: ip|reporter web portals, VistaMart, Server Group and IV Server. It allows to configure the ip|reporter components, which differ according to the InfoVista platform being used (VistaFoundation 0 or VistaFoundation 4):
ip|reporter’s architecture with InfoVista’s VF0
ip|reporter’s architecture with InfoVista’s VF4
3.5.1. ip|reporter web portals (VF0 and VF4)
The ip|reporter web portals window can be displayed by clicking on ip|reporter web portals in ip|uniboss Toolbar:
ip|reporter web portal’s window
This window shows all created ip|reporter web portals in a table with 5 columns:
■ Host name (mandatory parameter),
■ Description: a short description can be written for each ip|reporter web portal (not mandatory),
■ Mode: it can be either VF0 or VF4, according to the version of InfoVista platform being installed (mandatory parameter),
■ Base URL: the URL extension to be used to reach the portal; default values are “PortalSE” with VF0 and “VPortal” with VF4 (mandatory parameter),
■ HTTP Port: port being used, if defined (not mandatory).
Click on the New icon to create a new ip|reporter web portal.
ip|reporter web portal creation window
The 5 parameters in this window are described above.
3.5.2. VistaMart (VF4 only)
The VistaMart window can be displayed by clicking on VistaMart in ip|uniboss Toolbar:
VistaMart window
This window shows all created VistaMart servers in a table with 7 columns:
■ A status LED, which can be:
  – green (Operational state = reachable),
  – red (Operational state = unreachable),
  – grey (when a new VistaMart server has been created but before the configuration has been updated),
■ Host name,
■ Version: VistaMart version (this piece of information is polled from the server),
■ Description: description for the VistaMart server,
■ Port: port being used to access the VistaMart server,
■ Login: login to the VistaMart server,
■ ip|reporter web portal: ip|reporter web portal that runs the VistaPortal attached to the VistaMart server.

■ Host name,
■ Description: a short description can be written for each VistaMart server,
■ Port: port being used to access the VistaMart server; default value is 11080,
■ Login: login to the VistaMart server; default login is vmar_operator,
■ Password and Confirm password: the password, if any, must be typed in twice,
■ ip|reporter web portal: the ip|reporter web portal that runs the VistaPortal attached to the VistaMart server can be selected from a drop-down list. A new ip|reporter web portal can be created using the New button next to the selection box. It opens the same creation window as described in the previous section.
3.5.3. Server Group (VF4 only)
In InfoVista, a server belongs to a Group, and an Ipanema Domain is allocated to a Group. A Group can be made of several servers, according to required capacity.
The Server Group window can be displayed by clicking on Server Group in ip|uniboss Toolbar:
Server Group window
This window shows all created Groups in a table with three columns:
■ Name: name of the Group (mandatory parameter),
■ VistaMart: VistaMart server that manages this Group (mandatory parameter),
■ Description: short description for that Group (not mandatory).
Click on the New icon to create a new Group.
Group creation window
The three parameters in this window are described above.
3.5.4. IV Server
The IV Server window can be displayed by clicking on IV Server in ip|uniboss Toolbar:
IV Server window
This window shows all created IV Servers in a table with 12 columns:
■ Host name: IV Server host name,
■ Server Group (VF4 only): Group the IV Server belongs to,
■ Description: short description for the IV Server,
■ Viewer username (VF4 only): identifier used by VistaPortal SE to get connected to IV Server (’viewer’ by default),
■ Viewer password (VF4 only): password for the Viewer username on the IV Server (no password by default for the ’viewer’ login),
■ Username: login to the IV Server (’administrator’ by default),
■ Password: password for the Username on the IV Server (no password by default for the ’administrator’ login),
■ ip|reporter web portal (VF0 only): ip|reporter web portal (VistaPortal SE server) connected to IV Server.
■ Port mapper: port used by the services based on Remote Procedure Call (RPC) which do not listen for requests on a “well-known” port, but rather pick an arbitrary port when initialized; they then register this port with a Portmapper service running on the same machine. Default value for IV Server is 1275.
■ Manager: TCP port configured in the IV Server for the manager service (0 for a dynamic port),
■ Collector: TCP port configured in the IV Server for the collector service (0 for a dynamic port),
■ Browser: TCP port configured in the IV Server for the browser service (0 for a dynamic port).
The 3 previous fields are optional (used in firewall environment).
Click on the New icon to create a new IV Server.
This window contains two tabs, Basic and Advanced.
■ Basic contains the following parameters: Host name (mandatory), Server Group (VF4 only, mandatory), Description (not mandatory), Username (default value: ’administrator’; mandatory), Password (there is no password by default for the ’administrator’ login; not mandatory) and ip|reporter web portal (VF0 only, not mandatory)
■ Advanced contains the following parameters: Viewer username (VF4 only, default value: viewer; mandatory), Viewer password (VF4 only, not mandatory), Port mapper (default value: 1275; mandatory), Manager (not mandatory), Collector (not mandatory), Browser (not mandatory)
All these parameters are described above. There is one more field, at the top of the creation window, to select the VistaFoundation version:
■ Mode: select either VF0 or VF4 with the radio buttons, according to InfoVista’s platform version being installed.
IV Server creation window (two tabs), with VF0 selected
IV Server creation window (two tabs), with VF4 selected
3. 6. MANAGING USERS
UNIFIED USER MANAGEMENT
SALSA can be configured to enable different types of user accesses to its resources:
■ Internal or external:
  – internal: authentication and authorization are performed by ip|uniboss’s internal LDAP; Users only have to be declared in ip|uniboss (see 3.6.1.);
  – external:
    • authentication is performed by an external LDAP (see 3.6.5.) or using the SAML service (see 3.6.6.);
    • authorization is performed by ip|uniboss’s LDAP, at the Users (see 3.6.1.) and/or at the User Groups (see 3.6.2.) levels; when defined at both levels, authorizations are merged.
  If authentication is external, whatever the method (LDAP or SAML) it is always possible to use an “internal” URL to perform authentication using SALSA users only. Internal authentication is not impacted by the different external services. To use it, simply replace “salsa” in SALSA portal URL (https:///salsa/salsa_portal/) by “internal” (https:///internal/salsa_portal/) — this also applies to all URLs used in the SALSA suite.
■ Manual or automatic:
  – manual: users supply their credentials on logging in SALSA portal (no configuration is required in SALSA — this is the default);
  – automatic: the users’ credentials can be supplied in the URL (see 3.6.3.) or the user name can be passed as an HTTP header, without authentication — only permissions are checked using the user name and the group supplied in the request headers (see 3.6.4.).
The sections below describe how to configure SALSA to enable these different accesses to its resources:
■ 3.6.1. System administration: Users (ip|uniboss)
■ 3.6.2. System administration: User Groups (ip|uniboss)
■ 3.6.3. User credentials supplied in the URL
■ 3.6.4. User name as an HTTP header
■ 3.6.5. External LDAP authentication
■ 3.6.6. External SAML authentication
3. 6. 1. System administration: Users
User access types to SALSA resources
To create internal Users, select System administration in the Toolbar, then Users. The Users window is displayed:
External Users can belong to User Groups (see the next section), in which case they do not have to be created as (individual) Users with the procedure described here. If they are defined at both levels, their authorizations are merged.
Users window
This window shows a table with the following columns:
■ Name: User name,
■ Groups: User Groups the User belongs to,
■ Locale: shows the User’s preferred language.
■ Tag: free field.
■ ip|uniboss rights: shows the User’s rights on ip|uniboss (three levels: no access (blank), ’read only’ or ’read/write’),
■ Domains: shows the Domains the User can access (’*’: the User can access all Domains),
■ ip|boss access: shows whether the User has access to ip|boss or not (*),
■ ip|dashboard access: shows whether the User has access to ip|dashboard or not (*),
■ Discovery: shows whether the User can use the Discovery function or not (*),
■ Application Flows: shows whether the User has access to the Real-time Flows or not (*),
■ Real-time Graph: shows whether the User has access to the Real-time Graphs or not (*),
■ SSL Configuration: shows whether the User can configure SSL optimization (*),
■ iPhone access: shows whether the User has access to the Ipanema system via the ad hoc iPhone software application or not (*),
■ ip|reporter access: shows whether the User has access to the reports or not (*),
(*): Access is granted when these columns display ’access’; it is denied when they are blank.
Click on the New icon to create a new User:
User creation window
This window contains the following fields:
■ Name: User name,
■ Password and Confirm password: the password for the User must be typed in twice,
■ Groups: allows specifying which User Groups the User belongs to. Including Users in Groups allows authenticating them with external LDAPs (see the “User Groups” section below). When a User belongs to several Groups, their rights are merged, with the higher rights of all Groups (e.g. if a User belongs to a Group with read only rights on ip|boss for a Domain, and to another Group with read and write rights on ip|boss for the same Domain, then they will get read and write rights).
  – The left frame shows the User Groups the User does not belong to (all existing groups before any selection has been made),
  – the right frame shows the User Groups the User does belong to.
  One can include the User in one or more User Groups by moving the Groups from one frame to the other using the different arrows:
  – to move all Groups to the right frame
  – to move the Groups selected in the left frame to the right (i.e. include the User in these Groups)
  – to move the Groups selected in the right frame to the left (i.e. to exclude the User from these Groups)
  – to move all Groups to the left frame (the User will not belong to any Group; they will not be authenticated by any external LDAP, but by the embedded one only)
■ Locale: in the current version you can only select “English”,
■ Tag: free field.
The next 6 frames are totally identical to the 6 frames in the User Group creation window (described in the next section), except that they allow defining the rights of individual Users, instead of User Groups.

ip|uniboss
■ ip|uniboss rights: allows giving read only or read/write access to ip|uniboss (no access at all by default).

domains
This frame allows restricting the User access on certain Domains only when they use ip|boss, ip|dashboard or ip|reporter (this frame does not affect ip|uniboss, as ip|uniboss is the piece of software that allows creating Domains — so it shows them all):
■ All domains: if the box is checked, then the User is granted an access to all Domains; if not, they are only granted an access to the Domains selected below,
■ Domains: allows specifying which Domains the User can access (greyed if the previous check box has been selected).
  – The left frame shows the Domains the User cannot access (all existing Domains before any selection has been made),
  – the right frame shows the Domains the User can access.
  One can grant the User access to one or more Domains by moving them from one frame to the other:
  – Click “All Domains” above the left frame to move all Domains to the right frame (the User will have access to all Domains)
  – to move the Domains selected in the left frame to the right (i.e. to grant the access to these Domains)
  – to move all Domains to the right frame (it is equivalent to selecting the “All domains” box, but for the already existing Domains only)
  – to move the Domains selected in the right frame to the left (i.e. to deny the access to these Domains)
  – to move all Domains to the left frame (the User will not have access to any Domain!)

ip|boss
■ ip|boss access: checking this box grants access to ip|boss; then the access levels must be specified for each menu (below);
■ System administration, Service activation, Supervision, Reporting, Application provisioning and System provisioning: if access is granted to ip|boss (above), one must select the access level for each of the six ip|boss menus from the corresponding drop-down list (’read only’ or ’read/write’; blank by default — i.e. no access);

ip|dashboard
■ ip|dashboard access: checking this box grants access to ip|dashboard’s basic functions, i.e. all views and functions except the Discovery, Real-time Flows, Real-time Graphs and SSL configuration; access to these views and functions can be set independently, thanks to the following check boxes:
■ Discovery, Application Flows and Real-time Graph: checking these boxes grants access to the corresponding function and views;
■ SSL Configuration: checking this box allows the User to enter the SSL certificate necessary to accelerate SSL traffic;

iPhone
■ iPhone access: checking this box grants access to the simplified dashboard thanks to the ad hoc iPhone application.

ip|reporter
■ ip|reporter access: checking this box grants access to the reports; access rights can be defined precisely thanks to the following filters (note that they are case sensitive):
■ MetaView: one can grant the User an access to the reports on certain MetaViews only.
  – Syntax in VF0:
    • “*” alone: any text string (default value)
    • “.”: any character
    • “.*” before or after a text: any text string before or after that text
    • “|”: OR logical operator
    Examples:
    • “Site”: reports on all Sites (but on Sites only)
    • “Domain|Site”: Domain and Sites reports
    • “Application Group.*Internet”: reports on AGs containing “Internet”
  – Syntax in VF4:
    • “*”: any text string
■ Period: access to the reports can be per periods (hour, day, week, month).
  – “*”: grant an access to all four periods (default value)
  – “hour”, “day”, “week”, “month”: grant an access to the corresponding period
  – “|”: OR logical operator (VF0 only)
  – Example (in VF0): “week|month” grants an access to the weekly and monthly reports.
■ Report: one can give the User an access to certain reports only.
  – “*”: grant an access to all reports (default value)
  – “|”: OR logical operator (VF0 only)
  – Example (in VF0): “slm|sla” grants an access to the SLM and SLA reports only.
■ Note: combining the three previous filters allows defining the access rights very precisely. For instance, one can grant an access to one report only. E.g., to grant access to SLM - Application Synthesis monthly report, on Site HQ (mind the case sensitivity!):
  – MetaView: “Site.*HQ”
  – Period: “month”
  – Report: “slm - application synthesis”
■ Navigation mode (VF0 only): one can choose between three values:
  – All: the User can navigate in the Sites reports using either the Sites MetaViews folders or the two Navigation hierarchical levels (called “Folder” and “Subfolder” in ip|engines window),
  – No navigation: the User can navigate in the Sites reports using the Sites MetaViews folders only (they cannot select “Navigation” and navigate using the two Navigation hierarchical levels),
  – No Folder: the User can navigate in the Sites reports using the two Navigation hierarchical levels only (they cannot select Folder and navigate using the MetaViews folders, so they cannot access reports other than Sites reports — the only ones that are accessible through the Navigation menu).
■ Folder (VF0 only) and Subfolder (VF0 only): for Users who navigate using the Navigation menu, one can specify which Folders and Subfolders (as defined in ip|engines creation window, e.g.: Continents and Countries) they can access (the default is *, i.e. any string of characters).
■ Scope: one can give the User an access to
  – the public reports only (by selecting ’public’),
  – or to the private reports only (by selecting ’private’),
  – or to both the public and the private reports (by selecting ’All’).
When a User is created, they have no access to any component, by default.
3. 6. 2. System administration: User Groups
User access types to SALSA resources
Users can be created in SALSA’s internal LDAP (see the previous section), but it is also possible to allow Users defined in an external LDAP to access SALSA by defining the User Groups they belong to and the User rights for these groups (described here), and by enabling and configuring the service. In this case, authentication is performed by an external LDAP (see 3.6.5.) or using the SAML service (see 3.6.6.), and authorization is performed by SALSA’s embedded LDAP.
External Users belonging to User Groups do not have to be created as (individual) Users with the procedure described in the previous section. Yet, if they are defined at both levels, their authorizations are merged.
In the Toolbar, select User Groups. The User Groups window is displayed:
User Groups window
This window shows a table with 15 columns:
■ Name: User Group name,
■ Description,
■ All users: shows whether all Users belong to the Group or not,
■ Internal users: shows the internal Users (created in ip|uniboss’s embedded LDAP) belonging to the Group,
■ External users: shows the external Users (created in external LDAPs) belonging to the Group,
■ ip|uniboss rights: shows the User Group’s rights on ip|uniboss (three levels: no access (blank), ’read only’ or ’read/write’),
■ Domains: shows the Domains the Group can access (’*’: access to all Domains),
■ ip|boss access: shows whether the Group has an access to ip|boss or not (*),
■ ip|dashboard access: shows whether the Group has an access to ip|dashboard or not (*),
■ Discovery: shows whether the Group can use the Discovery function or not (*),
■ Application Flows: shows whether the Group has access to the Real-time Flows or not (*),
■ Real-time Graph: shows whether the Group has access to the Real-time Graphs or not (*),
■ SSL Configuration: shows whether the Group can configure SSL optimization (*),
■ iPhone access: shows whether the Group has an access to the Ipanema system via the ad hoc iPhone software application or not (*),
■ ip|reporter access: shows whether the Group has an access to the reports or not (*),
(*): Access is granted when these columns display ’access’; it is denied when they are blank.
Click on the New icon to create a new User Group:
User Group creation window
This window contains the following fields:
■ Name: User Group name,
■ Description (optional field),

Users
■ All users: if this box is checked, all the Users will belong to that Group.
■ Internal users: allows specifying which internal Users (created in ip|uniboss’s embedded LDAP) belong to that Group:
  – The left frame shows the internal Users who do not belong to that Group,
  – the right frame shows the internal Users who do belong to that Group.
  One can include one or more Users in the User Groups by moving the Users from one frame to the other using the different arrows:
  – to move all internal users to the right frame
  – to move the internal users selected in the left frame to the right (i.e. include them in the User Group)
  – to move the internal users selected in the right frame to the left (i.e. to exclude them from the User Group)
  – to move all internal users to the left frame (there will be no internal user in that Group)
■ External users: allows creating, modifying or deleting external Users (i.e. Users defined in external LDAPs). You can create an external user in the Group with the New button. A pop-up window then opens, where you have to specify the User name:
New External User
The name you choose here must match the name of the User in the external LDAP: when the User logs in, if external, their name is passed on to the external LDAP for authentication, prior to authorization according to their rights as defined in ip|uniboss (either at the User level, or for the Groups they belong to).
External users can be modified or deleted with the ad hoc buttons (Modify / Delete).
These operations (creation, modification and deletion) only impact ip|uniboss’ embedded LDAP (no User can be created in, modified or deleted from an external LDAP via ip|uniboss menus).
The next 6 frames are totally identical to the 6 frames in the User creation window (described in the previous section), except that they allow defining the rights of User Groups, instead of individual Users. Please refer to 3.6.1. System administration: Users for detailed explanations.
ip|uniboss, domains, ip|boss, ip|dashboard, iPhone, ip|reporter
When a User Group is created, it has no access to any component, by default.
3. 6. 3. User credentials supplied in the URL
User access types to SALSA resources
This service allows providing the credentials needed for authentication directly in the URL. Authentication is automatic and SALSA login page is skipped. Authentication is achieved using SALSA internal LDAP, and possibly an external LDAP, if configured (see 3.6.5. External LDAP authentication). Authorizations for the user are computed using information stored in the internal LDAP server.
This service is not compatible with the SAML service described in 3.6.6. External SAML authentication.

3. 6. 3. 1. Enabling the service
The service is disabled by default. To enable it:
1. Edit the Apache configuration file “apache/conf/extra/httpd-salsa-ipaas.conf”;
2. Replace “false” by “true” in the “SetEnvIf” line:
    SetEnvIf SERVER_PROTOCOL ".*" IPAAS_ENABLED=true
3. Save the modifications and restart Apache.

3. 6. 3. 2. Using the service
To skip the login page, simply replace “salsa” by “ipaas” in the URL and provide the user credentials using a dedicated query parameter: ip_auth.
The URL must be of the form: https:///ipaas/.
ip_auth query parameter should be built as follows: ip_auth= where is the concatenation of “Basic%20” and base 64 encoding of the string “:”. Base 64 encoding must be performed before calling the URL.
The resulting parameter string for a user “administrator” using password “admin” is:
    ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==
The resulting URL for this user to access SALSA portal is:
    https:///ipaas/salsa_portal/?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==
It is also possible to use this syntax with all components of the SALSA suite. For instance, to access the reports of Domain “ACME”:
    https:///ipaas/ipreporter_portal/ACME/?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==
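
Base 64 is an encoding, not encryption, so any log that records an ip_auth URL (access log, proxy log, Referer field) holds the login and password in recoverable form. The following added example, which is not part of the original manual or of Ipanema's software, finds ip_auth values in log lines, reports which user names are exposed and redacts the values; the log lines, host name and addresses are constructed sample data.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# ip_auth query parameter as described in 3.6.3.2, wherever it appears in a
# log line (request line or Referer field). The value ends at '&', whitespace
# or a double quote.
IP_AUTH_RE = re.compile(r'([?&]ip_auth=)([^&\s"]+)', re.IGNORECASE)


def decode_ip_auth(value):
    """Return (user, password) for a well-formed ip_auth value, else None."""
    scheme, _, token = unquote(value).partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def scan_line(line):
    """Redact every ip_auth value in one log line.

    Returns (redacted_line, users): users holds the decoded user name of each
    occurrence, or None when the value does not decode. Passwords are never
    returned.
    """
    users = []

    def _redact(match):
        creds = decode_ip_auth(match.group(2))
        users.append(creds[0] if creds else None)
        return match.group(1) + "REDACTED"

    return IP_AUTH_RE.sub(_redact, line), users


def audit(lines):
    """Redact a whole log and count exposures per user name."""
    redacted, exposed = [], {}
    for line in lines:
        clean, users = scan_line(line)
        redacted.append(clean)
        for user in users:
            key = user if user is not None else "<undecodable>"
            exposed[key] = exposed.get(key, 0) + 1
    return redacted, exposed


# Constructed access-log lines in combined log format (sample data only).
# The credential value is the manual's own administrator/admin example.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2014:09:12:01 +0200] "GET /ipaas/salsa_portal/'
    '?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg== HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Same value leaking a second time through the Referer field.
    '192.0.2.10 - - [14/Oct/2014:09:12:02 +0200] "GET /ipaas/static/logo.png HTTP/1.1" 200 812 '
    '"https://salsa.example.test/ipaas/salsa_portal/'
    '?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==" "Mozilla/5.0"',
    # Ordinary login-page access: nothing to redact.
    '192.0.2.11 - - [14/Oct/2014:09:13:40 +0200] "GET /salsa/salsa_portal/ HTTP/1.1" '
    '200 4301 "-" "Mozilla/5.0"',
    # Malformed value: still redacted, counted as undecodable.
    '192.0.2.12 - - [14/Oct/2014:09:15:07 +0200] "GET /ipaas/ipreporter_portal/ACME/'
    '?view=1&ip_auth=Basic%20not_base64! HTTP/1.1" 401 310 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    cleaned, summary = audit(SAMPLE_LOG)
    for entry in cleaned:
        print(entry)
    print("exposed credentials per user:", summary)
```

Accounts reported by such a scan should have their passwords changed, since every copy of the log already contains them.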
3. 6. 4. User name as an HTTP header
User access types to SALSA resources
This service allows skipping the login page and authentication phase, but it requires using a proxy in front of SALSA Apache server. The user name must be supplied as an HTTP header and it is used to compute the authorizations.

3. 6. 4. 1. Enabling the service
The service is disabled by default. To enable it:
1. Edit the Apache configuration file “apache/conf/extra/httpd-salsa-ext.conf”;
2. Replace “Off” by “On” in the “SalsaExtAuthn” line:
    SalsaExtAuthn On
3. Uncomment the “SalsaExtAuthnAllow” line and specify the host name or the IP address of your proxy server; example with a proxy on 172.1.1.1:
    SalsaExtAuthnAllow from 172.1.1.1
   For the directive “SalsaExtAuthnAllow”, you can use “all” instead of the address to disable the check on the proxy, or any mask of the Apache “allow” directive (http://httpd.apache.org/docs/2.4/en/mod/mod_access_compat.html#allow), but be very careful if you use “all”, as this can be a security hole (any host providing a correct HTTP header will be a trusted one!)
4. Save the modifications and restart Apache.

3. 6. 4. 2. Using the service
Your proxy should provide one or two headers when transmitting the requests to the SALSA Apache server:

Header                    Value              Status      Description
REMOTE_USER               User name          mandatory   The external authenticated user
x-6307-is-user-profile    User group name    optional    If provided, should match a SALSA group name

The permissions are computed using the SALSA groups defined in ip|uniboss (see 3.6.2. System administration: User Groups) that meet one of the following conditions:
■ the “External users” list contains the user name (supplied by the REMOTE_USER header),
■ the name is equal to the user group name (supplied by the x-6307-is-user-profile header).
All authorizations given to these groups are merged to determine the user permissions.
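
The group selection and merge described above, together with the source check that SalsaExtAuthnAllow configures, modelled as an added example (not Ipanema code, and not part of the original manual). Group names, users and rights are constructed; the merge keeps the higher right as stated in 3.6.1, ip|boss is reduced to a single level instead of six menus, and ignoring the headers of a host that is not allowed is an assumption about how the check behaves.

```python
import ipaddress

# Access levels used for ip|uniboss and ip|boss; blank means no access.
LEVELS = {"": 0, "read only": 1, "read/write": 2}

# Constructed SALSA User Groups (sample values). Check-box rights such as
# ip|dashboard or ip|reporter access are modelled as booleans.
GROUPS = {
    "noc-readers": {
        "external_users": {"alice"},
        "rights": {"ip|boss": "read only", "ip|dashboard": True},
    },
    "acme-admins": {
        "external_users": {"bob"},
        "rights": {"ip|uniboss": "read only", "ip|boss": "read/write"},
    },
    "reporting": {
        "external_users": {"alice", "bob"},
        "rights": {"ip|reporter": True},
    },
}


def _rank(value):
    """Order rights so that the higher one wins when Groups are merged."""
    return LEVELS[value] if isinstance(value, str) else int(bool(value))


def merge_rights(groups):
    """Merge the rights of several Groups, keeping the higher right of each."""
    merged = {}
    for group in groups:
        for component, value in group["rights"].items():
            if component not in merged or _rank(value) > _rank(merged[component]):
                merged[component] = value
    return merged


def peer_allowed(peer_ip, allow_from):
    """Model of 'SalsaExtAuthnAllow from ...' for IP addresses and CIDR masks.

    'all' disables the check. Host names and partial addresses, which the
    Apache allow directive also accepts, are not handled in this model.
    """
    if "all" in allow_from:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allow_from)


def resolve(peer_ip, headers, allow_from, groups=GROUPS):
    """Return the user, selected Groups and merged rights, or None if refused."""
    if not peer_allowed(peer_ip, allow_from):
        return None  # assumption: headers from a host that is not allowed are ignored
    lowered = {name.lower(): value for name, value in headers.items()}
    user = lowered.get("remote_user")
    if not user:
        return None  # REMOTE_USER is mandatory
    profile = lowered.get("x-6307-is-user-profile")
    selected = [
        name
        for name, group in groups.items()
        if user in group["external_users"] or name == profile
    ]
    return {
        "user": user,
        "groups": sorted(selected),
        "rights": merge_rights(groups[name] for name in selected),
    }


if __name__ == "__main__":
    proxy_only = ["172.1.1.1"]  # the manual's example proxy address
    headers = {"REMOTE_USER": "alice", "x-6307-is-user-profile": "acme-admins"}
    print("from the proxy     :", resolve("172.1.1.1", headers, proxy_only))
    print("from another host  :", resolve("198.51.100.7", headers, proxy_only))
    # With 'all' the source check is off: the same headers are honoured from
    # any host, which is the risk the manual warns about.
    print("another host, 'all':", resolve("198.51.100.7", headers, ["all"]))
```

Because no password is checked in this mode, the allow list and a proxy that sets both headers itself are the only things standing between a request and the merged rights.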
3. 6. 5. External LDAP authentication
User access types to SALSA resources
This service allows authentication using an external LDAP. Credentials supplied in the login page or in the URL (if the service has been activated, see the previous section) are checked during the authentication phase. The first check is done using SALSA’s internal LDAP, if the user is not found or the password doesn’t match then a second check is performed, using the external LDAP.

3. 6. 5. 1. Enabling the service
The service is disabled by default. To enable it:
1. Edit the Apache configuration file “apache/conf/extra/httpd-salsa-externalLDAPAlias.conf”:
2. Modify the LDAP URL in the “AuthLDAPURL” line; the syntax is explained here: http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl;
3. Add the directives required to allow Apache communicating with your LDAP (AuthLDAPBindDN, AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPCompareAsUser, AuthLDAPCompareDNOnServer, AuthLDAPDereferenceAliases, AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern, AuthLDAPSearchAsUser, AuthLDAPUrl).
4. Save the modifications and close this configuration file.
5. Edit the Apache configuration file “apache/conf/extra/httpd-salsa-authz.conf”:
6. Add “ldap-external” at the end of the “AuthFormProvider” line;
7. Uncomment the “SalsaAuthzExternalURL” line and provide your LDAP URL (use the same as provided in the httpd-salsa-externalLDAPAlias.conf file);
8. Uncomment other directives if needed to adapt the authorization module to your LDAP server. In particular use the SalsaAuthzExternalGroupClass directive to specify the object class to use to identify the groups in your LDAP and the SalsaAuthzExternalGroupAttribute directive to specify attribute labels to use to identify the user members of groups;
9. Save the modifications and restart Apache.

Example with an active directory deployed on “my-adserver” with the base directory for the search “DC=mycompany,DC=local”:

    AuthLDAPURL "ldap://my-adserver/dc=mycompany,dc=local?sAMAccountName?sub?(objectClass=user)" NONE
“apache/conf/extra/httpd-salsa-externalLDAPAlias.conf” file

    AuthFormProvider ldap-internal ldap-external
    SalsaAuthzExternalURL "ldap://my-adserver/dc=mycompany,dc=local?sAMAccountName?sub?(objectClass=user)" NONE
    SalsaAuthzExternalGroupClass group
    SalsaAuthzExternalGroupAttribute member
“apache/conf/extra/httpd-salsa-authz.conf” file

If you use an active directory, you can speed up the authorization phase by using the matching rule “LDAP_MATCHING_RULE_IN_CHAIN” to retrieve groups of groups. In this case you must have the following lines in your apache/conf/extra/httpd-salsa-authz.conf file:

    SalsaAuthzExternalMaxSubGroupDepth 1
    SalsaAuthzExternalGroupAttribute member:1.2.840.113556.1.4.1941:

3. 6. 5. 2. Using the service
Use the login page or provide the credentials in the URL (if the service has been activated, see the previous section).
During the authentication phase, credentials are checked using SALSA’s internal LDAP; if the user is not found or the password doesn’t match then the credentials are checked a second time, using the external LDAP.
If the second check (external LDAP) is successful then user groups are retrieved in the external LDAP. This list of groups is completed with the SALSA groups defined in ip|uniboss (see 3.6.2. System administration: User Groups) where the “External users” list contains the user name. All authorizations given to these groups are merged to determine the user permissions.
3. 6. 6. External SAML authentication
User access types to SALSA resources
This service allows authentication using an SAML server (Shibboleth Identity Provider or Microsoft ADFS).
This service is not compatible with the user credentials supplied in the URL as described in 3.6.3. User credentials supplied in the URL.

3. 6. 6. 1. Enabling the service
Three steps are necessary to enable SAML authentication:
1. Provide the identity provider (IdP) metadata to the service provider (SP),
2. Activate the SAML module in SALSA Apache server,
3. Provide the service provider (SP) metadata to the identity provider (IdP).
More information on SAML, SP and IdP can be found here: https://wiki.shibboleth.net/confluence/display/SHIB2/UnderstandingShibboleth
On Windows, Shibboleth SP is not installed, so you have to install it (it is supplied on SALSA installation DVD-ROM). During installation, check "Run as 32-Bit". The installer registers a new service called “Shibboleth 2 Daemon (Default)”. (On Linux, Shibboleth SP is installed with the SALSA web server package (by default in “/opt/salsa/shibboleth-sp”) but it is not started, so you have to start it.)

Step 1: provide the identity provider (IdP) metadata to the service provider (SP)
One way to configure the Shibboleth SP is described here, but you can find all information at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
To begin, you must save the metadata of the IdP on the disk where the SP has been installed. If you use Shibboleth IdP, metadata are available at this URL: https://IdPHostname:IdPPort/idp/profile/Metadata/SAML
1. Edit “shibboleth-sp\etc\shibboleth\shibboleth2.xml”;
2. Remove the XML tag;
3. Change the “entityID” attribute located in the XML tag to one that is appropriate for your service. An https:// URL is recommended, ideally containing a logical DNS hostname associated with your service that will not change over time as physical servers do.
4. In the XML tag, change the “handlerSSL” attribute value to “true”;
5. In the same tag, change the “cookieProps” attribute value to “; path=/; secure”;
6. Replace the XML tag with SAML2, where "IdP entityID" is the entityID available in the IdP metadata file;
7. After the tag, add a tag to reference the IdP metadata file: ;
8. Save changes to the XML and restart the “Shibboleth 2 Daemon” service.

Step 2: activate the SAML module in SALSA Apache server
1. In SALSA installation directory, edit the following configuration file: “apache\conf\extra\httpd-salsa-shibboleth.conf”;
2. Uncomment the “LoadModule” line and save the file;
3. Update the Shibboleth SP path (Windows only).
4. Restart the “SALSA Apache” service.

Step 3: provide the service provider (SP) metadata to the identity provider (IdP)
1. Save the SP metadata file available at the following URL and copy it on the computer where the IdP is installed: https:///Shibboleth.sso/Metadata;
2. Configure the IdP to reference this file;
Steps 3. and 4. are only to be taken if you use Shibboleth IdP.
3. Copy the SP metadata file (salsasp-metadata.xml) in: “C:\Program Files (x86)\Internet2\Shib2IdP\metadata\”.
4. Edit “C:\Program Files (x86)\Internet2\Shib2IdP\conf\relyingparty.xml” to add the following information in <metadata:MetadataProvider id="ShibbolethMetadata" ...>:

    <metadata:MetadataProvider id="salsa-SPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
        <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="C:/Program Files (x86)/Internet2/Shib2Idp/metadata/salsasp-metadata.xml"/>
    </metadata:MetadataProvider>

5. Restart the IdP service ("Apache Tomcat").

3. 6. 6. 2. Using the service
You can now use the IdP login page to access all SALSA resources. During the authentication phase, the credentials are checked using the SAML server; there is no fallback on SALSA internal LDAP.
You can continue to access SALSA resources even if the SAML server is down or if you forgot to add at least one SAML user in a SALSA group (in the “External user” list) by using the “internal” path. All you have to do is to replace “salsa” in the URL by “internal” (example: https://salsa_server/internal/ipuniboss_portal/; see the note at the beginning of section 3.6.).
By default SAML attributes are not retrieved so we don’t have the user group list. To determine user permissions we retrieve the list of SALSA groups defined in ip|uniboss where the “External users” list contains the user name. All authorizations given to these groups are merged to determine the user permissions.
If the IdP server exposes user groups then you can configure the Shibboleth SP to use them:
■ You need to know the OID of the attribute exposed by the IdP server that contains the list of user groups (replace ATTRIBUTE_OID in the next step by this OID);
■ Edit shibboleth-sp\etc\shibboleth\attribute-map.xml and add the following information in the XML tag:
■ Restart the Shibboleth SP service ("Shibboleth 2 Daemon").
This list of groups exposed by the IdP server is completed with the SALSA groups defined in ip|uniboss where the “External users” list contains the user name. All authorizations given to these groups are merged to determine the user permissions.
3. 7. SUPERVISION
The Supervision menu contains three functions: Inventory, Log and Issues.

3. 7. 1. Inventory
In the Toolbar, select Inventory. The Inventory window is displayed.
Inventory window
This window is made of two frames:
■ Domain inventory,
■ Topology inventory. This frame is contextual: if no Domain is selected in the previous frame, it displays all Domains’ topologies; if one (or several) Domain(s) is (are) selected, it displays its (their) topology(ies) only.
The Print button prints all the columns of the selected Domain(s), whereas the Action / Print menu prints the selected columns of all the Domains.
3. 7. 1. 1. Domain inventory
This frame contains the following information:
■ Name: Name of the Domain
■ Enabled: Yes / No
■ ip|boss server: IP address of ip|boss server
■ Access port: port used by the client on that Domain (0 = dynamic)
■ SNMP agent (refer to the section “Create a Domain” above):
  – Port
  – Address
  – C.N.: Community Name
■ ip|reporter (refer to the section “Create a Domain” above):
  – Server
  – Manager port
  – Collector port
  – Browser port
  – Portmapper port
■ Periods (refer to the section “Create a Domain” above):
  – Supervision
  – Collect
  – Reporting short
  – Reporting long
■ User management (refer to the section “Create a Domain” above):
  – Radius: Yes / No
■ Domain services: shows if the following services are started (Yes) or not (No):
■ Number of: shows the number of the following objects, with their totals on the last line:
  – ip|engines
  – tele|engines
  – Automatic MetaViews
  – On demand MetaViews
  – Automatic reports
  – On demand reports
  – Application Groups
  – Topology subnets
  – User subnets
  – Applications
■ Storage: shows the Domain’s storage configuration (please refer to the “Storage” tab of the Domain’s configuration window):
  – Disk size limit
  – Per minute data lifetime
  – Per minute rtf lifetime
  – Per hour data lifetime
  – Per hour rtf lifetime
  – Per day data lifetime (unused in the current version — will always show 0)
  – Per day rtf lifetime (unused in the current version — will always show 0)
■ Domain name
■ ip|boss server
■ Appliance (software version, model and IP addresses are polled from the ip|engine; if it has not been reachable, the field is blank):
  – Name
  – Main public IP address
  – Main private IP address
  – Auxiliary public IP address
  – Auxiliary private IP address
  – LAN MAC address
  – Type: ip|engine or tele|engine
  – Enabled: Enabled (Yes) or disabled (No)
  – Software version
  – Hardware
  – Custom tag
  – ip|true: Yes / No
  – ip|fast: Yes / No
  – ip|xcomp compress: Yes / No
  – ip|xcomp uncompress: Yes / No
  – ip|xtcp: Yes / No
  – ip|xapp: Yes / No
  – smart|plan: Yes / No
  – smart|path: Yes / No
■ WAN Access:
  – Total max ingress bandwidth
  – Total min ingress bandwidth
  – Total max egress bandwidth
  – Total min egress bandwidth
■ Domain: shows if the following services are started (Yes) or not (No) at the Domain level (in ip|boss’s “Service Activation” menu for most of them):
■ the list of system events (on ip|uniboss server) with a time stamp,
■ the list of connections/disconnections to/from ip|uniboss with a time stamp.
By default, the events are sorted in reverse chronological order (the latest event is the first in the list, at the top of the first page), but you can sort them in chronological order by clicking on the column header (Messages). If the list is displayed on several pages, you can select which page you want to see by clicking on the page number at the bottom of the window. You can also use the following arrows to navigate:
■ previous-page arrow: displays the previous page of logged events,
■ next-page arrow: displays the next page of logged events.
You can also click on a page number to jump to that page (the current page number is displayed on the left, and underlined in the list of pages). A field allows you to specify how many objects (events) per page you want to display (40 by default); click on the Refresh button next to this field to apply a change.
3. 7. 3. Issues
In the Toolbar, select Issues, when applicable (the icon is greyed when there is no issue to display):
The Issues window is displayed:
ip|uniboss Log window
It contains a list of issues that may require a user’s action:
■ Possible issues for the Domains:
  – non created Domains,
  – non deleted Domains,
  – non started Domains,
  – non configured Domains,
  – non reachable Domains.
■ Possible issues for ip|boss servers:
  – non configured servers,
  – non compatible servers,
  – non reachable servers.
As long as there is an issue, the Issues icon issue to display, the icon is greyed.
4. 1. CONFIGURATION OVERVIEW
Once your Domain has been created (refer to the previous Chapter) and before starting a measurement, Application Control or optimization session, you have to set the parameters of your configuration (one configuration per Domain). This configuration uses:
■ general settings for all functions (measurement, Application Control, redundancy elimination, acceleration and smart plan) ensuring:
  – configuration of the Domain’s ip|engines and tele|engines,
  – configuration of the topology subnets associated with the ip|engines and tele|engines,
  – selection of applications, TOS and User subnets assigned to the session, according to the specific features of the traffic to be measured, controlled, compressed or accelerated,
■ specific settings that depend on customers’ requests, for measurement, Application Control, redundancy elimination and acceleration features:
  – WAN accesses characteristics settings,
  – Quality of Service (QoS profiles) settings,
  – Coloring settings,
  – Application Groups settings,
  – MetaViews settings.
These data are grouped in a configuration file in the directory ~\salsa\ipboss\server\domains\\config named: __active__.ipmconf
Two clients are available:
■ a Web client through a Web browser,
■ a CLI client (Command Line Interface).
4. 2. IP|BOSS WEB CLIENT
4. 2. 1. Connection to ip|boss
To connect to ip|boss server from SALSA client, first select the Domain you want to configure from the drop-down list, then click ip|boss button:
SALSA client
Configuring services (ip|boss)
4. 2. 2. ip|boss main window
ip|boss graphical user interface is presented hereafter. It gives access to all features of the system.
ip|boss main window
ip|boss main window is divided into four parts:
■ A title bar with the logo of Ipanema Technologies; it closes all opened windows when you click on it.
■ A tool bar, on the left: it is composed of menus and icons which give access to the different functions of the software. It depends on the profile of the connected user.
■ A status bar, at the bottom: it gives the status and statistics on the system.
■ A working space (that displays the main image on login).
4. 2. 3. ip|boss tool bar
The content of the Tool bar depends on the profile of the connected User.
Toolbar
The buttons give direct access to all functions of the system:

Global functions
Save/Update: saves/updates the configuration; flashes when an update is necessary,
Service activation: allows you to activate all services:
■ global Start/Stop of ip|true (measurement) on the ip|engines,
■ global Start/Stop of ip|fast (Application Control) on the ip|engines,
■ global Start/Stop of ip|xcomp (redundancy elimination) on the ip|engines,
■ global Start/Stop of ip|coop (tele-cooperation),
■ global Start/Stop of ip|xtcp (TCP acceleration),
■ global Start/Stop of ip|xapp (CIFS acceleration),
■ global Start/Stop of smart|plan (Smart planning reports),
■ global Start/Stop of IMA (Ipanema Mobile Agent).
Refresh: refreshes the view,
Undo: allows you to undo the last modifications,
Help: gives access to the online help,
ip|reporter: opens ip|reporter web portal to give access to the reports,
About: shows ip|boss version and license information,
Quit: quits ip|boss client.

Automatic reporting: gives access to the Automatic reporting function,
Security: gives access to the security configuration.

ip|engines: configures the ip|engines,
Topology subnets: configures the topology subnets addresses,
WAN access: configures the WAN accesses,
Coloring: configures the coloring rules,
ip|sync: configures the time and synchronization servers,
Scripts: launches scripts,
Tools: starts the ip|engines management features:
■ software upgrade
■ reboot
■ security status
■ advanced configuration

User subnets: configures the User subnets addresses,
Applications: configures the applications,
TOS: configures the ToS values,
Application Groups: configures the Application Groups,
QoS Profiles: configures the QoS Profiles,
LTL: configures the limiting rules (LTL),

ip|engine status: shows the status of the ip|engines,
Status map: shows the status of the ip|engines within a map,
Log: displays the log window,
Options: gives access to the different options (mail, SNMP trap) of the system,
Configuration history: gives access to the Configuration history.

MetaView: configures the MetaViews,
reports: configures the reports of ip|reporter,
Alarming: configures alarms.
4. 2. 4. ip|boss status zone
Status on session start
The status zone gives instantaneous information on the state of the system. It is one source of supervision information: in case of errors, the dedicated indicators are lit in red or amber. More details can be obtained by clicking on the LEDs.
Status zone
The status zone is made of four frames, showing the Domain name, LEDs and bargraphs.

Domain:
Total throughput (Mbps): gauge displaying the current total throughput measured by all enabled ip|true agents of the Domain (left figure) over the peak throughput measured since the session start-up (right figure).
Active flows: gauge displaying the current active flows (one flow = all sessions of a given application, from a given source to a given destination) measured by all enabled ip|true agents of the Domain (left) over the peak flows measured since the session start-up (right).
No Topology alarm: green if there is no Topology alarm (normal state), red otherwise (please refer to the Supervision section).

ip|boss
This frame shows the state of the system with three colored LEDs:
■ Connection LED: shows the status of the connection between the client and the ip|boss server:
  – green: the server is reachable
  – red: the server is unreachable; it can be due to a network connectivity issue between ip|boss server and ip|boss client, or ip|boss server may be down
■ License LED: shows the license status:
  – green: the license is respected
  – red: the license is not respected (the number of consumed ISUs exceeds the total ISU credit)
■ Discovery LED: indicates when Discovery is in process:
  – grey: no Discovery agent is running
  – amber: Discovery agents are running on one or more ip|engines
ip|reporter
This frame shows the state of ip|reporter with two colored LEDs:
■ Server LED: shows the state of the ip|reporter server (InfoVista):
  – green: the InfoVista’s services (manager, collector and browser) are operational
  – yellow: one of the InfoVista’s services (manager or browser) is down; check the “.../InfoVista/Essentials/log/manager.log” log file
  – red: all InfoVista’s services are down (or the server is unreachable); check the “.../InfoVista/Essentials/log/manager.log” and “collector.log” log files
  – grey: ip|reporter is disabled in the Domain’s configuration, or the ip|es on the Domain have not been enabled yet
■ Database LED: shows the state of the InfoVista Database:
  – green: the InfoVista’s database is operational
  – yellow: synchronization of InfoVista’s database is running (temporary state)
  – grey: error happened during last synchronization of InfoVista’s database
  – red: no access to the reports description (in the reports_desc.ipmsys file in ~/salsa/ipboss/server/conf on ip|boss server), or the reports description does not match the installed library (VistaViews loaded from ip|reporter DVD-ROM’s ivl directory)

ip|engine
This frame shows the status and activity of all ip|engines:
■ Reachable LED and bargraph: display the reachability status of all ip|engines:
  – green: all ip|engines are reachable
  – red: some ip|es are unreachable; it can be due to a network connectivity issue between ip|boss and ip|es (firewall, WAN link breakdown, ip|e off or failure)
  – grey: the service is stopped, or the status is not available
  – bargraph: displays the number of ip|es currently reachable (left) over the total number of ip|es activated (right).
■ Overload LED and bargraph: display the overload status of all ip|engines:
  – green: no ip|engine is overloaded
  – red: some ip|es are overloaded (the WAN throughput exceeds the capacity of the hardware)
  – bargraph: displays the number of ip|es currently overloaded (left) over the total number of ip|es reachable (right).
■ Synchronized LED and bargraph: display the synchronization status of all ip|engines:
  – green: service start-up and the server is OK (*); all ip|es are synchronized
  – yellow: the server is OK (*) but one or several ip|es are not synchronized (synchronization in progress, temporary synchronization loss)
  – red: the server is down (*) and no ip|e is synchronized
  – grey: service is switched off or the status is not available
  – bargraph: displays the number of ip|es currently synchronized (left) over the total number of ip|es reachable (right).
  (*) ITP case.
■ Measuring LED and bargraph: display the ip|true status of all ip|engines:
  – green: service start-up and all ip|true agents are operational
  – yellow: one or several ip|true agents are not operational (not configured yet, configuration refused or failure)
  – red: none of the ip|true agents are operational (not configured yet, configuration refused or failure)
  – grey: service is switched off or the status is not available
  – bargraph: displays the number of ip|es currently measuring (ip|true agent running) (left) over the total number of ip|es activated (right).
■ Optimizing LED and bargraph: display the ip|fast status of all ip|engines:
  – green: service start-up and all enabled ip|fast agents are operational
  – yellow: one or several enabled ip|fast agents are not operational (not configured yet, configuration refused or failure)
  – red: none of the enabled ip|fast agents are operational (not configured yet, configuration refused or failure)
  – grey: service is switched off or the status is not available
  – bargraph: displays the number of ip|es currently controlling the traffic (ip|fast agent running) (left) over the total number of measuring ip|es having ip|fast activated (right).
■ Limiting LED and bargraph: indicates when a Local Traffic Limiting rule is active on an ip|engine:
  – yellow: a Local Traffic Limiting rule is active on one or several ip|es
  – grey: no Local Traffic Limiting rule is active or the status is not available
  – bargraph: displays the number of ip|es currently limiting the traffic (Local Traffic Limiting rule active) (left) over the total number of ip|es controlling the traffic (right).
■ ip|xcomp LED and bargraph: display the ip|xcomp status of all ip|engines:
  – green: service start-up and all enabled (de)compressing agents are operational
  – yellow: one or several enabled (de)compressing agents are not operational (not configured yet, configuration refused or failure)
  – red: none of the enabled (de)compressing agents are operational (not configured yet, configuration refused or failure)
  – grey: service is switched off or the status is not available
  – bargraph: displays the number of ip|es currently (de)compressing (ip|xcomp agent running) (left) over the total number of ip|es having ip|xcomp activated (right).
■ ip|xtcp LED and bargraph: display the ip|xtcp status of all ip|engines:
  – green: service start-up and all enabled ip|xtcp agents are operational
  – yellow: one or several enabled ip|xtcp agents are not operational (not configured yet, configuration refused or failure)
  – red: none of the enabled ip|xtcp agents are operational (not configured yet, configuration refused or failure)
  – grey: service is switched off or the status is not available
  – bargraph: displays the number of ip|es currently accelerating TCP traffic (ip|xtcp agent running) (left) over the total number of ip|es having ip|xtcp activated (right).
■ ip|xapp LED and bargraph: display the ip|xapp status of all ip|engines:
  – green: service start-up and all enabled ip|xapp agents are operational
  – yellow: one or several enabled ip|xapp agents are not operational (not configured yet, configuration refused or failure)
  – red: none of the enabled ip|xapp agents are operational (not configured yet, configuration refused or failure)
  – grey: service is switched off or the status is not available
  – bargraph: displays the number of ip|es currently accelerating CIFS traffic (ip|xapp agent running) (left) over the total number of ip|es having ip|xapp activated (right).
4. 2. 5. ip|boss table view
Typical window with a table view
A table view shows a list of objects. All the table views give:
■ A menu bar,
■ A tool bar with two parts,
■ A list of objects.
Selection: you can select an object in the list by clicking on its line. To select other objects, you have to click on their lines while pressing the Alt key. To select an interval of objects, select the first then the last by clicking while pressing the Shift key. The Edit menu (see below) allows you to select/unselect all the objects on the list. In the status bar, the number of selected objects and the total number of objects are shown.
Sort: you can sort the list according to one column by clicking on this column’s header (by clicking on the header a second time, you change the order ascending-descending). By clicking on several columns while pressing the Ctrl key, you sort on multiple columns. These functions are also available through the Display/Sort menu (see below).
The menu bar contains six menus:
The File menu allows you to:
■ New: create an object,
■ Export: export the list of objects,
■ Import: import a list of objects (Import); this function is not available for all objects,
■ Quit: exit ip|boss.
The Window menu allows you to:
■ Close All: close all open windows (tabs) within ip|boss,
■ : select another open window (the active window is marked with a tip).
The Edit menu allows you to:
■ Search: open a contextual dialog box which allows finding all the objects with an attribute containing the specified text. The first matching object is highlighted in the table below. Navigation between the found objects is made with the Next / Previous buttons.
Search contextual dialog box
■ Next: go to the next found object,
■ Previous: go to the previous found object,
■ Select all: select all objects,
■ Unselect all: unselect all objects.
The View menu allows to:
■ Sort: by clicking on the header of a column, you sort the list according to this column (by clicking again on the column, you change the order ascending-descending). By clicking on several columns while pressing the Ctrl key, you make a sort on multi-columns. These functions are also available with the menu View > Sort > Sort by. Sort the data (by any field or combination of multiple fields; other features in the Sort menu are Invert sort (global), Sort by status (global) and Invert sort by status (global)),
Sort dialog box
The Invert Sort (global) sub-menu allows inverting the sorting criteria. The Sort by Status (global) and Invert Sort by Status (global) sub-menus allow sorting by Status.
■ Group by: allows grouping the data by any criteria.
■ Filter: create filters on the list which display only the filtered objects according to the selected criteria.
A radio button allows selecting the Filter type:
  – A “Simple Filter” works with only one field,
  – An “Extended Filter” is a combination of simple filters (using AND, OR, NOT logical operators):
Extended filter
Select the filter criteria that you need and use the Add, Ok, Apply and Close buttons to perform the corresponding actions. The Modify filter and Active filter sub-menus allow modifying filters and activating/deactivating them. When a filter is active, a tip is displayed before the Active filter sub-menu, and the number of displayed objects and the total number of objects are written on the status bar. You can activate/deactivate a filter by double-clicking on the icon of the status bar:
Active filter icon
■ Choose columns: choose the columns to display.
■ Preferences: save or delete the display mode (filters and selected columns). When you save the preferences, give them a name (“Preference name”, e.g. “my preferred view”) and select whether you want these to be your default view (checking the “Default preference” box), the default view for mobiles (checking the “Default preference for mobile” box), whether you want them to be accessible to other users (checking the “Shared preference” box) and whether you want them to apply to this view only (checking the “on this view” radio button) or to all views of the same type (checking the “on views of the same type” radio button); then a drop-down list appears on the right (if no preference had been previously saved), allowing you to select these preferences, other saved preferences, or to display everything with no filter (selecting “All”).
The Actions menu allows you to Consult, Clone, Modify, Delete and Change the administrative state of objects. The list of actions is the same as you get through the context menu of the list.
The ? menu gives access to the About menu.
The tool bar contains the same icons for most windows:
(Consult): to consult an object (without modification capability),
(New): to create a new object,
(Clone): to create an object from another one,
(Modify): to modify one or more objects,
(Delete): to delete one or more objects,
(Change administrative state): to change the administrative state of one or more objects.
(Export): to export in a text file the content of a list.
(Import): to import the content of a list from a text file.
(Help): to go to the help page.

(search): to search objects matching various criteria (see Edit > Search menu above),
(new filter): to filter the data (see View > Filter menu above),
(modify filter): to modify filters (see View > Filter menu above),
(sort by): to sort the data (see View > Sort menu above),
(choose columns): to choose the columns to display,
(save preferences): to save the view matching the filters, etc. (see View > Preferences menu above),
(delete preferences): to delete previously saved preferences.
4. 2. 6. ip|boss creation form
Typical creation form
■ Some fields have tips: when you move the mouse on the icon, a message is displayed. In case of error, the field is displayed in red.
■ Some fields are related to other objects (example: WAN access).
■ The Ok button creates the object and closes the window.
■ The Apply button creates the object and keeps the window opened. This is useful when you want to create several objects.
■ The Cancel button closes the window without creating any object.
4. 3. IP|BOSS CLI CLIENT
For detailed information concerning ip|boss and ip|uniboss Command Line Interface clients, please refer to the CLI Reference Manual.
4. 3. 1. CLI architecture
ip|boss and ip|uniboss each have a specific GUI client that uses CORBA over SSL to communicate with a dedicated client request handler (called the “Leonardi connector” because of the underlying technology). Quite similarly, there is a CLI client for ip|boss and a CLI client for ip|uniboss. They communicate exclusively with their respective CLI connector using CORBA over SSL. The best image to illustrate what the CLI clients and CLI connectors are is to compare the CLI clients to Telnet clients and the CLI connectors to remote shell services.
The CLI client/server protocol relies on three verbs:
■ Login
■ Logout
■ Execute
The client and the server exchange version information prior to the login request. This allows either side to adapt to an older peer. In its current version, the ip|boss CLI connector forwards login and logout requests to the targeted Domain’s Leonardi connector, besides establishing its own session information and setting up a session-specific command parser that will process execute requests. If no specific Domain is targeted, the ip|boss CLI connector will use the naming service to get a list of all running Domains and will connect to the first available Domain (in alphabetical order) for which the provided credentials are valid. The ip|uniboss CLI connector will forward the login and logout requests to the ip|uniboss Leonardi connector.
Once the session is established, the CLI client acts as a transparent upstream pipe between the client system’s keyboard or input file and the CLI connector, and as a transparent downstream pipe between the CLI connector and the client system’s display or output file.
4. 3. 2. CLI language
The ip|boss Leonardi connector essentially maps a Domain’s configuration to a set of object classes and objects within each class. The ip|uniboss Leonardi connector does the same at a higher level, where Domains are objects in a class. (This is very much akin to tables and rows we are used to in DBMSes such as Oracle for example.) The CLI language builds on this paradigm. The language basics are the same for ip|boss CLI and ip|uniboss CLI. The difference currently only lies in the underlying schema - names of tables and columns.
A CLI script is a (possibly empty) list of statements. A statement is always terminated by a ";" (semicolon) character. The semicolon is not a statement separator but a statement terminator. The difference is important, particularly for parser robustness’ sake. Having the semicolon act as a statement terminator and not anything else makes error recovery much easier: eat and discard input until you see the next semicolon and try to parse more statements from there.
CLI statements currently fall into 2 categories:
■ Data Manipulation Language (DML)
■ Session Control Language (SCL)
CLI DML is very much akin to SQL DML.
With DML you can perform essentially 4 operations on objects:
■ Create (… or insert),
■ Modify (… or update),
■ Delete,
■ List (… or select).
But there are not only similarities, there are differences too. CLI DML statements act on one table or object class at a time; there is no such thing as a join. Future releases of CLI will make it easy to clone objects, just overriding a few columns with specific values. That is not easy in SQL. CLI offers fine-grained control over error handling and logging because it is mainly targeted at procedure automation rather than ad hoc queries. For the same reason, CLI not only produces tabular output but can also use tabular input in statements.
4. 3. 3. Tabular input and output
CLI can be used for procedure automation in environments where the ipanema solution fits into a bigger, centrally managed solution. This means that the primary databases are not inside ip|boss, but somewhere outside, no matter the format. As a consequence, it is important to make it easy to resynchronize the ipanema solution with external databases. Hence the choice of a bulk operation centric approach.
With tabular input and output we simply mean that CLI produces output and accepts input such as:
name|public_ip_address|virtual
Out of domain|240.0.0.0|1
ipe_0001|10.1.1.1|0
ipe_0002|10.1.2.1|0
ipe_0003|10.1.3.1|0
ipe_0004|10.1.4.1|0
ipe_0005|10.1.5.1|0
That is easy to obtain from Excel and easy to feed into Excel, or any database (the ‘|’ (pipe) character can be changed to something else via a command line option, including the semicolon).
The CLI language has been designed with bulk operations in mind. Below is an example of a valid statement that creates 5 ip|engines at a time:
CREATE ip_engine FROM STREAM
name|public_ip_address|virtual
ipe_0001|10.1.1.1|0
ipe_0002|10.1.2.1|0
ipe_0003|10.1.3.1|0
ipe_0004|10.1.4.1|0
ipe_0005|10.1.5.1|0
;
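The bulk CREATE statement above and the terminator-based error recovery described in section 4.3.2, as an added Python example (not code from the Ipanema manual or the CLI itself). It builds a statement from external inventory rows while refusing values that contain the delimiter, the terminator or a line break, then parses a script and resumes after the next ";" when a statement is malformed. It assumes one header or data row per line, the default "|" delimiter and exact keyword spelling; all function names are hypothetical.

```python
import ipaddress

DELIM = "|"        # default field delimiter shown on the page
TERMINATOR = ";"   # statement terminator described on the page


def check_field(value):
    """Return value as text, refusing anything that could reshape the statement."""
    text = str(value)
    if not text or text != text.strip():
        raise ValueError(f"empty or padded field: {text!r}")
    for bad in (DELIM, TERMINATOR, "\n", "\r"):
        if bad in text:
            raise ValueError(f"forbidden character {bad!r} in field {text!r}")
    return text


def build_create(object_class, columns, rows, ip_columns=("public_ip_address",)):
    """Render inventory rows as one bulk CREATE ... FROM STREAM statement."""
    if not str(object_class).isidentifier():
        raise ValueError(f"bad object class: {object_class!r}")
    lines = [f"CREATE {object_class} FROM STREAM",
             DELIM.join(check_field(c) for c in columns)]
    for row in rows:
        if len(row) != len(columns):
            raise ValueError(f"row {row!r} does not match header {columns!r}")
        fields = [check_field(v) for v in row]
        for col, val in zip(columns, fields):
            if col in ip_columns:
                ipaddress.ip_address(val)  # raises ValueError on a bad address
        lines.append(DELIM.join(fields))
    lines.append(TERMINATOR)
    return "\n".join(lines) + "\n"


def parse_create(chunk):
    """Parse the text of one statement (terminator already removed)."""
    lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty statement")
    head = lines[0].split()
    if len(head) != 4 or head[0] != "CREATE" or head[2:] != ["FROM", "STREAM"]:
        raise ValueError(f"unsupported statement: {lines[0]!r}")
    if len(lines) < 2:
        raise ValueError("missing column header")
    columns = lines[1].split(DELIM)
    rows = []
    for ln in lines[2:]:
        fields = ln.split(DELIM)
        if len(fields) != len(columns):
            raise ValueError(
                f"row {ln!r} has {len(fields)} fields, expected {len(columns)}")
        rows.append(dict(zip(columns, fields)))
    return head[1], rows


def parse_script(script):
    """Parse every terminated statement; a bad one is recorded and skipped.

    Because ';' only ever ends a statement, recovery is simply: drop the
    text up to the next ';' and carry on with the statement after it.
    """
    chunks = script.split(TERMINATOR)
    trailing = chunks.pop()            # text after the last terminator
    parsed, errors = [], []
    for number, chunk in enumerate(chunks, start=1):
        try:
            parsed.append(parse_create(chunk))
        except ValueError as exc:
            errors.append((number, str(exc)))
    if trailing.strip():
        errors.append((len(chunks) + 1, "unterminated statement"))
    return parsed, errors


COLUMNS = ["name", "public_ip_address", "virtual"]
# Constructed sample: statement 2 is deliberately malformed (row too short).
SAMPLE_SCRIPT = (
    build_create("ip_engine", COLUMNS,
                 [("ipe_0001", "10.1.1.1", "0"), ("ipe_0002", "10.1.2.1", "0")])
    + "CREATE ip_engine FROM STREAM\nname|public_ip_address|virtual\n"
      "ipe_0003|10.1.3.1\n;\n"
    + build_create("ip_engine", COLUMNS, [("ipe_0004", "10.1.4.1", "0")])
)

if __name__ == "__main__":
    statements, problems = parse_script(SAMPLE_SCRIPT)
    print(len(statements), "statements parsed;", "errors:", problems)
```
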
4. 4. OPERATING PROCEDURE
The operating procedure consists of the following phases:
■ choosing a Domain,
■ creating a configuration or using an archived configuration, that is, specifying all ip|engines and Domain settings (topology subnets, applications, Application Groups, QoS Profiles, MetaViews...),
■ running a measurement, control, redundancy elimination or cooperative session, applied to the Domain,
■ analyzing the results in real-time,
■ reporting configuration of measurement and Application Control (optional).
Table: operating procedure
The tables below show operations in their chronological order for a Domain.
Operations to be performed
Commands
ip| true
ip| fast
(1)
Making configuration settings Create a new configuration
Manual procedure
X
X
M
Start with an existing configuration
Manual procedure
X
X
M
X
X
O
Define automatic reporting Automatic reporting
X
Configure operator coloring characteristics
Coloring
Configure the WAN accesses
WAN access
Declare ip|engines of the Domain
ip|engines
Declare the topology subnets associated with each ip|engine
X
M
X
X
M
X
X
M
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
Topology Subnets
Define User subnets User Subnets Add, modify or remove TOS in the dictionary
TOS
Add, modify or remove applications in the dictionary
Applications
Define QoS profiles QoS profiles Define Application Groups Application Group Define MetaViews MetaView Define reports Reports Define Alarming Alarming Save the configuration Automatic procedure (1) M = Mandatory, O = Optional, X = Applied
Operations to be performed
Commands
ip| true
ip| fast
(1)
ip|true service: measurement X
Start a session
M
Service activation, ip|engines: on Enable ip|true, for all ip|engines
X
M
Service activation, ip|engines: on X
Analyze real-time flows ip|dashboard Modify the topology subnets associated with each ip|engine
X Topology Subnets X
Modify aggregation rules: • TOS TOS • Applications Applications • User Subnets User Subnets Modify QoS profiles and Application Groups
X QoS profiles Application Group
Modify automatic reporting Automatic reporting X
Modify MetaView settings MetaView
X
Modify reports Reports
X
Modify Alarming settings Alarming
X
Modify the session dynamically
Update
Disable ip|true, for all ip|engines
Service activation, ip|engines: off
X
M
X
Stop a session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|fast service: Application Control Enable ip|fast for all ip|engines
Service activation, ip|fast: on
Disable ip|fast for all ip|engines
Service activation, ip|fast: off
X X
Start a session
M
Service activation, ip|engines: on Analyze real-time controlled flows Optimize flow management by adjusting settings: ip|engines, QoS profiles, User subnets and AGs
X ip|dashboard X ip|engines X QoS profiles Application Group User Subnets X
Modify aggregation rules: • TOS TOS • Applications Applications Modify coloring policies characteristics Modify the attached WAN access
X Coloring X WAN access X
Create, modify, delete LTLs LTL Modify the session dynamically
X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|coop service: tele-cooperation Enable ip|coop for all ip|engines
Service activation, ip|coop: on
Disable ip|coop for all ip|engines
Service activation, ip|coop: off
X X
Start a session
M
Service activation, ip|engines: on X
Analyze real-time flows for tele|engines Modify the session dynamically
ip|dashboard X Update X
Stop the session Service activation, ip|engine: off Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|xcomp service: redundancy elimination Enable ip|xcomp for all ip|engines
Service activation, ip|xcomp: on
Disable ip|xcomp for all ip|engines
Service activation, ip|xcomp: off
X X
Start a session
M
Service activation, ip|engines: on Analyze real-time compressed flows
X ip|dashboard
Management by adjusting redundancy elimination settings: Application Group
Application Group
Management by adjusting redundancy elimination direction settings: ip|engines
ip|engines
Modify the session dynamically
X
X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|xtcp service: TCP acceleration Enable ip|xtcp for all ip|engines
Service activation, ip|xtcp: on
Disable ip|xtcp for all ip|engines
Service activation, ip|xtcp: off
X X
Start a session
M
Service activation, ip|engines: on Analyze real-time accelerated flows
X ip|dashboard
Management by adjusting acceleration settings: Application Group
Application Group
Management by adjusting acceleration settings: ip|engines
ip|engines
Modify the session dynamically
X
X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|xapp service: CIFS acceleration Enable ip|xapp for all ip|engines
Service activation, ip|xapp: on
Disable ip|xapp for all ip|engines
Service activation, ip|xapp: off
X X
Start a session
M
Service activation, ip|engines: on Analyze real-time accelerated flows Management by adjusting acceleration settings: ip|engines Modify the session dynamically
X ip|dashboard ip|engines X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
DWS Start a session Service activation, ip|engines: on Management by adjusting Dynamic WAN Selection settings: Application Group
Application Group
Management by adjusting Dynamic WAN Selection settings: WAN access
WAN access
Management by adjusting Dynamic WAN Selection settings: ip|engines
ip|engines
Management by adjusting Dynamic WAN Selection advanced parameters: Tools
Tools
Modify the session dynamically
X
X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
smart|plan service Enable smart|plan for all ip|engines
Service activation, smart|plan: on
Disable smart|plan for all ip|engines
Service activation, smart|plan: off
X X
Start a session
M
Service activation, ip|engines: on Management by adjusting acceleration settings: ip|engines Modify the session dynamically
ip|engines X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
IMA service Enable IMA for all ip|engines
Service activation, IMA: on
Disable IMA for all ip|engines
Service activation, IMA: off
X X
Start a session
M
Service activation, ip|engines: on Management by adjusting acceleration settings: ip|engines
ip|engines X
Modify the session dynamically
Update X
Stop the session Service activation, ip|engines: off
Log window Log Configuration history Configuration history Security configuration Security Certificate generation tab Generate the keys and the certificates Configuration tab Choose the encryption algorithm ip|engine status ip|engine status ip|engine status map Security status Tools, Status tab: displays the security status of ip|engines Discovering of applications, subnets..... ip|dashboard Send results of script to Ipanema support
Tools, Script tab
Upgrade ip|engine’s software
Tools, Software Upgrade tab
Reboot ip|engines Tools, Reboot tab Quit the application File/Exit
4. 5. CREATE, OPEN, SAVE, UNDO A CONFIGURATION
The name of the configuration file is fixed. This file is in the directory ~\salsa\ipboss\server\domains\\config and its name is __active__.ipmconf (double underscore before and after). It contains all the configuration parameters of the Domain. During the start and the update, this file is sent to the ip|engines.
4. 5. 1. Create a new configuration
Operating procedure table
To create a new configuration file from the default parameters, you must:
■ Stop the current configuration with the ip|boss client (GUI)
■ Quit the ip|boss client (GUI)
■ Stop ip|boss services in Windows control panel
■ In the directory ~\salsa\ipboss\server\domains\\config, copy the file __new__.ipmconf then name it __active__.ipmconf
■ Start ip|boss services in Windows control panel
■ Start the ip|boss client (GUI) and create your configuration for the Domain
4. 5. 2. Open a configuration
Operating procedure table
To work with an existing configuration file, you must:
■ Stop the current configuration with the ip|boss client
■ Quit the ip|boss client
■ Stop ip|boss services in Windows control panel
■ Copy your file .ipmconf and rename it __active__.ipmconf in the directory ~\ipboss\server\domains\\config
■ Start ip|boss services in Windows control panel
■ Start the ip|boss client then start the session
4. 5. 3. Save a configuration
Operating procedure table
The configuration file of the Domain (__active__.ipmconf) is automatically applied and saved on the following actions:
■ Update/Save
If needed (for backup), you should back up this file from your server to the media of your choice (do not back up the file while an update is pending on the ip|engines).
Important reminder: it is advisable to back up your configuration file in a different directory than that used for installation, in order to avoid deleting files during a subsequent install.
4. 5. 4. Undo a configuration modification
Operating procedure table
The 50 last configuration modifications can be undone by clicking on Undo in the Toolbar.
■ By choosing a configuration in the Undo table and clicking on the icon, the configuration previous to the selected one is restored.
Undo table
If a modification has been carried out by another user in the interval, undo will not operate.
4. 6. EXPORTING AND IMPORTING OBJECTS
4. 6. 1. Exporting objects
Most objects (Sites, Topology subnets, Application Groups, etc.) can be exported (they can also be exported using ip|boss CLI client). Not all of them can be imported via ip|boss web client. They can, however, using the CLI client.
In the window containing the objects you want to export, click on the Export icon or select the File menu, then Export. The following window opens:
Export window
■ Select the attributes you want to export by pushing them to the right with the double right-pointing arrow (objects will be exported with all their attributes) or with the single arrow to the right (objects will be exported with the selected attributes only). One attribute at least must be selected (otherwise, there would be no data to be exported, at all; in that case, all of them are exported, as if the double arrow had been clicked).
■ If some objects were selected before using the Export function, an “Export selection” check box allows exporting the selection only. If no object was selected or if the “Export selection” box is not checked, all objects are exported.
■ Click OK. A dialog box appears, allowing you to either open the result file (“_exportXXX.res”) or save it.
The first line of the result file (wrapped in the example below) is the description of the fields present, and the subsequent lines are the exported objects with the selected attributes:
@ipboss_name|ipboss_topology_subnet_network_prefix|ipboss_topology_subnet
_prefix_length|ipboss_topology_subnet_site|ipboss_administrative_state|
Lan_Augsburg|10.49.4.0|24|Site\Augsburg|0
Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0
4. 6. 2. Importing objects
The following objects can be created by importing them from a configuration file: Coloring rules, WAN accesses, ip|engines and Topology subnets. All objects can be imported using the CLI client.
An existing configuration file in raw format (.res) can be imported. The first line must be the description of the fields (it is present if the file was made with an export, see the previous section), and all the subsequent lines are the objects to be imported (some may be already existing). In the example below, we will import the previously exported file, where we manually added a new object on the last line:
@ipboss_name|ipboss_topology_subnet_network_prefix|ipboss_topology_subnet
_prefix_length|ipboss_topology_subnet_site|ipboss_administrative_state|
Lan_Augsburg|10.49.4.0|24|Site\Augsburg|0
Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0
Lan_Montelimar|10.33.3.0|24|Site\Montelimar|0
■ In the ip|engines window, click on the Import icon or select the File menu, then Import:
■ In the Import window, select the attributes to be imported and browse to the file where they should be saved, then click Ok.
Import window
■ In the Import window that opens, you can choose which objects to display:
– created (objects of the imported file not found in the actual configuration),
– modified (objects different in the imported file and in the actual configuration),
– deleted (objects of the actual configuration not found in the imported file),
– unchanged (objects identical in the imported file and in the actual configuration).
(Only the created and modified objects are displayed by default.) Click on ’Import all’, or select the objects to import then click on ’Import selection’.
Import window
■ The symbols before the objects indicate if they already exist (red cross) or if they are new (new icon), etc. Hovering the mouse on these symbols allows reading their exact statuses in a pop-up; clicking them adds or removes the object from the import file, depending on the case (as indicated in the pop-up’s text message).
■ A message tells you how many objects could be successfully imported; click on Ok.
Click on Ok in the Import window to commit the changes. A message tells you how many objects could be successfully committed, and the imported objects are added to the existing ones. Click on Ok.
If objects could not be created (already existing IP address for an ip|engine, for example), an error message warns you.
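The raw (.res) layout and the created / modified / deleted / unchanged classification described in this section can be reproduced offline to review a file before the import is committed. The following Python code is an added example, not part of the Ipanema manual or software. It assumes that ipboss_name identifies an object and that the trailing “|” of the field description is a terminator; the prefix-validity and overlap checks are additions of this example, and the Lan_Lyon and Lan_Nantes rows are constructed sample data.

```python
"""Review an ip|boss raw export (.res) of Topology subnets before importing it."""
import ipaddress

KEY = "ipboss_name"  # assumption: the object name identifies an object in both files
PREFIX = "ipboss_topology_subnet_network_prefix"
LENGTH = "ipboss_topology_subnet_prefix_length"


def parse_res(text):
    """Return {name: row} from '@'-headed, '|'-separated .res text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("@"):
        raise ValueError("first line must be the '@' description of the fields")
    fields = lines[0][1:].split("|")
    if fields[-1] == "":  # the manual's sample header ends with a trailing '|'
        fields.pop()
    if KEY not in fields:
        raise ValueError(f"field description lacks {KEY}")
    objects = {}
    for recno, line in enumerate(lines[1:], start=1):
        values = line.split("|")
        if len(values) != len(fields):
            raise ValueError(f"object {recno}: {len(values)} values, {len(fields)} fields")
        row = dict(zip(fields, values))
        if row[KEY] in objects:
            raise ValueError(f"object {recno}: duplicate name {row[KEY]!r}")
        objects[row[KEY]] = row
    return objects


def subnet_of(row):
    """Network described by a row; ValueError if malformed or host bits are set."""
    return ipaddress.ip_network(f"{row[PREFIX]}/{row[LENGTH]}", strict=True)


def review_import(current_text, incoming_text):
    """Classify incoming objects as the Import window does, and list problems."""
    current, incoming = parse_res(current_text), parse_res(incoming_text)
    report = {"created": [], "modified": [], "deleted": [], "unchanged": [], "problems": []}
    for name, row in incoming.items():
        if name not in current:
            report["created"].append(name)
        elif any(current[name].get(f) != v for f, v in row.items()):
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    report["deleted"] = [n for n in current if n not in incoming]

    changed = report["created"] + report["modified"]
    nets = {}
    for name, row in incoming.items():
        try:
            nets[name] = subnet_of(row)
        except (KeyError, ValueError) as exc:
            if name in changed:
                report["problems"].append(f"{name}: invalid subnet ({exc})")
    # A new or modified subnet must not overlap another subnet of the same file.
    for name in changed:
        for other, other_net in nets.items():
            if (name in nets and other != name
                    and nets[name].version == other_net.version
                    and nets[name].overlaps(other_net)):
                report["problems"].append(f"{name}: overlaps {other} ({other_net})")
    return report


# Field description from the manual's sample, written on one line.
HEADER = ("@ipboss_name|ipboss_topology_subnet_network_prefix|"
          "ipboss_topology_subnet_prefix_length|ipboss_topology_subnet_site|"
          "ipboss_administrative_state|")
# The manual's exported file, and the same file with the manually added object.
EXPORTED = "\n".join([HEADER,
                      r"Lan_Augsburg|10.49.4.0|24|Site\Augsburg|0",
                      r"Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0"])
MANUAL_IMPORT = EXPORTED + "\n" + r"Lan_Montelimar|10.33.3.0|24|Site\Montelimar|0"
# Constructed for this example: a changed prefix length, a subnet overlapping
# Lan_Bangalore, a prefix with host bits set, and Lan_Montelimar left out.
CONSTRUCTED_IMPORT = "\n".join([HEADER,
                                r"Lan_Augsburg|10.49.4.0|22|Site\Augsburg|0",
                                r"Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0",
                                r"Lan_Lyon|10.91.2.128|25|Site\Lyon|0",
                                r"Lan_Nantes|10.20.30.40|24|Site\Nantes|0"])

if __name__ == "__main__":
    for label, text in (("manual sample", MANUAL_IMPORT), ("constructed", CONSTRUCTED_IMPORT)):
        print(label, review_import(MANUAL_IMPORT if label == "constructed" else EXPORTED, text))
```

An empty "problems" list and an expected "deleted" list are the two things to confirm before clicking ’Import all’.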
4. 7. SYSTEM PROVISIONING
4. 7. 1. Configuring Coloring
Operating procedure table: settings, ip|fast service
The Coloring Policy is used with Application Control. It is the capability to modify the TOS or DiffServ field in the IP header with a new value according to the type and criticality of the packet. The mode used is “Color-Blind” (in this mode, all packets are treated as if they were uncolored: they are marked according to the selected coloring rule, regardless of their initial color). ip|fast must be enabled.
In the System provisioning Toolbar, select Coloring. The Coloring window is displayed.
Coloring window
By clicking on the New button, the creation window of a new coloring rule is displayed.
Coloring rule creation window (unspecified by default)
Coloring directory with TOS and DiffServ selections
This window defines the coloring policies to apply at the access to WAN (you can create as many Colorings as you want). The coloring parameters specify the type of service and the “TOS” or “DSCP” values as a function of the traffic type and criticality level. It comprises:
■ input fields:
– Name: to identify the coloring policy (string of characters). By default, the name none is defined, associated with an unspecified service type. The name is used to identify the Coloring policy,
– Service type: to select the type of coloring policy to set up. The service is selected from a drop-down list. The values offered are:
• TOS: the TOS field of the frame is set to the value specified by the Code point setting. It then contains the value of the IP PRECEDENCE and the TOS specified for the Class of Service,
• DiffServ: "Differentiated Service" type service. The TOS field of the frame is set at the value specified by the PHB Group (DSCP) setting, in accordance with RFC 2474 (definition of the Differentiated Services Fields (DS Field) in the IPv4 and IPv6 headers), RFC 2597 (Assured Forwarding PHB group), RFC 2598 (Express Forwarding PHB group)
• unspecified: not specified,
■ a Coloring zone: to define or modify the coloring for type of Traffic and Criticality level:
– PHB Group (DSCP): when DiffServ is the Service Type selected, the value for each pair (type of Traffic and criticality level) is selected with a drop-down list,
– Precedence/TOS (b0–b7): when ToS is the Service Type selected,
■ a display zone in the form of a table corresponding to the data previously entered.
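Type of traffic & Criticality level, with the “DiffServ” default setting (Service type, PHB group, DSCP value) and the “ToS” default setting (TOS value):
Type of traffic | Criticality level | Service type | PHB group | DSCP value | TOS value
Real time | Top | Express Forwarding | EF | 101110 | 6
Real time | High | Express Forwarding | EF | 101110 | 6
Real time | Medium | Express Forwarding | EF | 101110 | 6
Real time | Low | Express Forwarding | EF | 101110 | 6
Transactional | Top | Assured Forwarding | AF11 | 001010 | 3
Transactional | High | Assured Forwarding | AF12 | 001100 | 3
Transactional | Medium | Assured Forwarding | AF21 | 010010 | 3
Transactional | Low | Assured Forwarding | AF22 | 010100 | 3
Background | Top | Best Effort | BE | 000000 | 0
Background | High | Best Effort | BE | 000000 | 0
Background | Medium | Best Effort | BE | 000000 | 0
Background | Low | Best Effort | BE | 000000 | 0
Configuration: “DiffServ” and “TOS” default setting
By default, the coloring is named “none” and the Service Type is “unspecified”. The entered values should correspond with the Class of Service of the Operator.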
Coloring rules can also be created by importing them from a configuration file. Refer to section Importing objects.
4. 7. 2. Configuring WAN Accesses
Operating procedure table: settings, ip|fast, DWS.
The WAN access describes the WAN line(s) connected to the CPE on the WAN side of an ip|engine.
In the System provisioning Toolbar, select WAN access. The WAN access window is displayed:
WAN access window
By clicking on the New button, the creation window of a new WAN access is displayed:
WAN access creation window
This window contains the following input fields:
■ Name: character string used to identify the WAN access. The same WAN access can be used on many different Sites. It is therefore advisable to mention the type of link in its name (e.g.: “MPLS...”, “ADSL...”), and not the name of a Site where it is used.
■ Ingress (LAN to WAN) max Bandwidth: maximum ingress throughput allocated at the WAN interface of the CPE (in kbps),
■ Ingress (LAN to WAN) min Bandwidth: minimum ingress throughput that the tracking function (see below) can track down (in kbps); if no value is entered, it is automatically set to half of the max value,
■ Egress (WAN to LAN) max Bandwidth: maximum egress throughput allocated at the WAN interface of the CPE (in kbps),
■ Egress (WAN to LAN) min Bandwidth: minimum egress throughput that the tracking function (see below) can track down (in kbps); if no value is entered, it is automatically set to half of the max value,
■ Coloring: selection, from a drop-down list, of the Coloring policy created in the Coloring directory, to be applied. If there is no specific coloring (LS, Best effort), select "none". The default is “none”.
■ Trust level: Routine or Business: in case of Dynamic WAN Selection (DWS), defines which type of traffic is allowed to go through the Network Access Point (Routine and Business sensitivity levels are also defined for each Application Group, where they are used in the path decision to route traffic to a NAP with at least the same Trust Level).
■ Network Report key: this field allows ip|engines to be “network aware” in case of DWS: all WAN accesses with the same Network Report key are attached to the same network, thus allowing ip|engines to “know” which networks they have in common with the remote Sites (equipped or tele-managed). A WAN access which does not have the same Network Report key as the remote Site where traffic is to be sent to (in the diagram below, the WAN access to Network 2 on ip|engine A, which has to send traffic to B) will be classified as “impossible”, so the connectivity to this remote Site via this WAN access will not even be tested (thus both simplifying the configuration and avoiding errors, for instance if a probing packet is forwarded to another WAN access).
Network Report key usage
In this diagram, ip|engine A can test connectivity and send traffic to B via Network 1 (where its WAN access has Network Report key “Net1”), as B also has Network Report key “Net1”. But A cannot send traffic to B via Network 2 (where its WAN access has Network Report key “Net2”), because B does not have a Network Report key called “Net2”. This field is optional, but its usage is highly recommended in case of DWS. If no Network Report key is defined, the WAN accesses of the local Site will all be tested (with probing packets if the remote Site is equipped, based on the received traffic if the remote Site is tele-managed), regardless of the existence of a link to the same network on the remote Site.
The WAN access is a key parameter for Application Control, so it should be set very carefully.
Bandwidth tracking
Congestion detection is key to know when and where to manage flows. Network available capacity may also vary in time (DSL link, Frame Relay access, secondary link with a bandwidth different from that of the primary link, etc.). The purpose of Bandwidth Tracking is to automatically and dynamically estimate the available network capacity:
■ One independent BW tracker per potential congestion point.
■ Fast increase (real time), slow decrease (20 seconds steps; for example, it takes approximately 5 minutes to detect an HSRP switch from a 2 Mbps line to a 1 Mbps backup line).
■ Inputs:
– Always: Usage profile (throughput) at potential congestion points.
– When available: end-to-end QoS (delay, jitter, loss).
■ Output:
– Available bandwidth for each potential congestion point.
ip|engines manage three potential congestion points between any pair of sites:
Potential congestion points between any pair of sites
Bandwidth tracking activation:
■ By setting a minimum bandwidth lower than the maximum bandwidth, the tracking function will automatically and dynamically estimate the actual value of the bandwidth between those two values:
Bandwidth tracking activated (between 1000 and 2000 kbps)
A minimum of 0 is not recommended.
■ By setting a minimum bandwidth equal to the maximum bandwidth, the tracking function will not execute:
Bandwidth tracking deactivated (constant bandwidth of 2000 kbps)
WAN accesses can also be created by importing them from a configuration file. Refer to section Importing objects.
4. 7. 3. Configuring ip|engines and tele|engines
Operating procedure table, ip|fast, ip|xcomp, ip|xtcp, ip|xapp, IMA, smart|plan, DWS.
In this section, the term “ip|engines” also embraces tele|engines (unless otherwise specified). Indeed, a tele|engine (that is: there is no ip|engine installed on site) is created via the ip|engine creation window, by simply checking the “tele|engine” box.
In the System provisioning Toolbar, select ip|engines. The ip|engines list window is displayed:
ip|engines list window
ip|engines can be created as described below, or by importing them from a configuration file. Refer to section Importing objects. The number of ip|engines and tele|engines that can be created is limited by the license. This number is displayed in the About window.
By clicking on the New button, the creation window of a new ip|engine is displayed. It contains two tabs, General and Advanced:
ip|engine creation window
The General tab contains five frames:
Site
■ Site name: character string used to identify the site the ip|engine belongs to (50 alphanumeric characters max); if it is left blank, it is automatically filled in with the name of the ip|engine (see below). Several ip|engines can belong to the same site (in case of clusters), so the Site name does not have to be unique; in this case, creating a report for the Site will automatically create reports at the Site level (aggregating all the data from all ip|engines belonging to that site) and on each individual ip|engine.
■ Local Internet Access: check the box if the Site provides an access to the Internet (avoids having to use Out of Domain or to declare the 30 subnets of the Internet address space),
Reporting Hierarchy Folders and Tags
■ Folder: allows defining a first hierarchical level in the sites reports and in ip|dashboard’s flows map,
■ Subfolder: allows defining a second hierarchical level in the sites reports and in ip|dashboard’s flows map.
These two fields allow navigating in the reports (in ip|reporter) in two different ways:
– The first browsing method does not use these two fields: by selecting “Folders” in the drop-down list in ip|reporter’s main window, you can access the reports with the following file system tree (4 hierarchical levels):
• / / /
2010/05/04 15:00:00default <metaview>Site: Paris ingress throughput L3 - L4 value>0
2010/05/04 14:59:00default <metaview>Site: Paris ingress throughput L3 - L4 value>26660
2010/05/04 14:59:00default <metaview>Site: Paris ingress throughput L3 - L4 value>0
...
10. 1. IPANEMA SOFTWARE LICENSE AGREEMENT
Important - Please read carefully this license agreement (the “License”) before continuing. By installing and using the Software (as defined below), you accept all the terms and conditions of this License. To use the Ipanema software modules (the “Software”) part of the Ipanema’s Autonomic Networking System® (“Ipanema System”), the End User must be granted a License directly by Ipanema Technologies SA (“Ipanema”) or through a duly authorized partner (the “Partner”). This License is defined by the following terms:
10. 1. 1. Grant – Right of Use
1. Ipanema grants to the End User (the “Licensee”) a non-exclusive and non-transferable right of use of the Software under the following terms and provided the payment of the fees.
2. The right of use is restricted to the use of the Software for the exclusive purpose of installation and operation of the Ipanema System in accordance with the recommendations and instructions of Ipanema, issued in any form including the Ipanema technical documentation (the “Documentation”).
3. According to Software modules, the right of use is associated either with either a specific Ipanema System configuration or by a certain number of ISUs (“Ipanema Software Units”) as described in the commercial proposal or the contract. The right to use Software modules bound to ISUs within an Ipanema System can be transferred by the End User to other such modules in the same Ipanema System as long as the corresponding total number of ISUs is not exceeded. Any other modification of the configuration will modify the already granted right to use and must be described in a subsequent commercial proposal or contract.
4. The Licensee is not allowed hereunder to copy, modify, disassemble, decompile, decode, translate, analyze, and perform reverse engineering. The End User is not authorized to sell, lease, sublicense or distribute the Software in any form whatsoever. End User has no right to use the Software for performing comparisons or other "benchmarking" activities and to publish corresponding results without written authorization of Ipanema. Ipanema expressly reserves the right to intervene in the Software to enable it to be used for its intended purpose and in particular to correct the errors, and that under conditions of support service offered independently hereof. The Licensee may make one copy of the Software for back-up or archival purposes. This copy may be used only in case of failure of the copy of the Software provided to Licensee.
10. 1. 2. Intellectual Property
1. Ipanema owns and shall retain all rights in particular the intellectual property rights, title and interest in and to the Software and the Documentation, including any copies, customized versions, corrections, bug fixes, updates, enhancements, new versions, or other modifications to the Software. Except for the license rights granted herein, no intellectual property rights are transferred.
2. Some components of the Software may be covered under one or more of the open source licenses below. The Ipanema warranty for these modules apply as they are used embedded in the Ipanema System. For licenses that require it, machine readable copies of modifications made by Ipanema are available upon request. List of open source software used in the Software and related copyright or license is available on the License Information page at the following address: https://support.ipanematech.com/.
10. 1. 3. Term and Termination
1. The License is effective on the shipment date of the Software license key for the duration of the intellectual property rights protection granted by French law, subject to the payment of the Initial Software License Fee and of Software support fees.
2. Should the End User fail to comply with any of the terms and conditions of this License, Ipanema or its Reseller shall be entitled to terminate the License. Such termination shall be effective fifteen (15) days after formal demand requiring correction of the breach shall have been sent by registered post with return receipt requested without the breach having been so corrected. In the event of termination of this license, the End User shall:
■ Cease immediately all use of the Software;
■ De-install the Software within eight calendar days;
■ Pay to Ipanema or its Reseller all sums remaining due as at the date of termination.
10. 1. 4. Warranty
1. Ipanema warrants that the Software performs substantially according to its documentation for a period of thirty (30) days date of shipment of the Software license key. If the Software does not function as warranted during the Warranty Period, the End-User remedy shall be, at Ipanema’s option, to correct the Ipanema Software or to replace it free of charge with a corrected version. The warranty shall not apply to any non-conformity that is caused by: (a) the End User’s misuse or improper use of the Software, including, without limitation, the use or operation of the Software with an application or in an environment other than that specified by Ipanema, or introduction of data into any data structures or tables used by the Software by any means other than use of the Software; (b) any third party software or hardware; (c) any modifications or additions to the Software performed by parties other than Ipanema; or (d) the End User’s failure to implement all problem corrections and new releases.
2. EXCEPT FOR THE WARRANTIES SET FORTH IN SECTION 1. ABOVE, NEITHER IPANEMA NEITHER ANY PERSON ON IPANEMA’S BEHALF HAS MADE OR MAKES ANY OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, NON-INTERRUPTION OF USE OR FREE OF BUGS, ERRORS OR OTHER DEFECTS, TITLE, AND OF NON-INFRINGEMENT.
10. 1. 5. Liability
1. The Licensee is responsible for selecting the Software, for the use that is made and the results that will be obtained. It assumes all liabilities relating to the qualification and competence of its staff. The Licensee and End User must take all precautions to prevent the loss or destruction of its data, including, but not limited, backups and regular audits. Licensee shall comply with all export laws and regulations in particular but not limited to French and United States export restrictions.
2. IN NO EVENT SHALL IPANEMA, ITS AFFILIATES OR PARTNERS (OR THEIR REPRESENTATIVES) BE LIABLE FOR CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL DAMAGES, LOST PROFITS, LOSS OF DATA OR CLIENTS ARISING OUT OF OR RELATING TO ANY BREACH OF THIS LICENSE OR THE USE OF IPANEMA SYSTEM, EVEN IF SUCH DAMAGES WERE FORESEEABLE. IN NO EVENT SHALL IPANEMA, ITS AFFILIATES OR PARTNERS (OR THEIR REPRESENTATIVES) AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO ANY BREACH OF THIS LICENSE, TORT (INCLUDING NEGLIGENCE OR OTHERWISE, EXCEED (i) 250.000€ OR (ii) THE AMOUNT PAID TO IPANEMA PURSUANT TO THIS LICENSE IN THE TWELVE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM, WHICHEVER IS LESS.
10. 1. 6. Miscellaneous
1. This License may be amended only by written agreement of the parties.
2. If any provision hereof is held invalid, the remainder shall continue in full force and effect.
3. A failure or delay in exercising any right, power or privilege in respect of this License will not be presumed to operate as a waiver, and a single or partial exercise of any right, power or privilege will not be presumed to preclude any subsequent or further exercise, of that right, power or privilege or the exercise of any other right, power or privilege.
4. Parties expressly agree that this License is governed by French law and any proceedings arising out of or in connection with this license shall be submitted to the court of Paris, France.
10. 2. IPANEMA SOFTWARE LICENSE AGREEMENT (FRENCH)
Warning: Read this License agreement carefully before continuing. By installing and using the software as defined below, you accept the terms and conditions of this License. To have the right to use all or part of the Ipanema software modules (the “Software”) making up Ipanema’s “Autonomic Networking System”® (“Ipanema System”), the End User must obtain a license of use (the “License”) either directly from Ipanema Technologies (“Ipanema”) or from a reseller approved by Ipanema (the “Reseller”).
10. 2. 1. Scope of the Rights Granted
1. By this License agreement, Ipanema grants the End User (the Licensee) a non-exclusive and non-transferable right of use of the Software, under the conditions set out below, in return for payment of the price.
2. The right of use granted to the End User for the Software is restricted to the use of the Ipanema Software for the exclusive purpose of operating the Ipanema System in accordance with the recommendations and instructions of Ipanema, issued in any form whatsoever, including the user manual (the “Documentation”).
3. The commercial proposal or the contract specifies the association of the right of use of certain Software modules with the specific configuration of the Ipanema System, and that of the other Software modules with a certain number of ISUs (“Ipanema Software Units”). The right to use the Software modules associated with ISUs within a given Ipanema System may be modified by the end user in favour of other Software modules also associated with ISUs within the same Ipanema System, provided that the total number of ISUs in the Ipanema System is not exceeded. Any other modification of the configuration must lead to the modification of the right of use already granted as described in the commercial proposal or the contract.
4. Apart from the rights granted above and without prejudice to them, the Licensee is not authorized hereunder to copy, modify, disassemble, decompile, decode, translate, analyze or reverse engineer the Software unless expressly authorized to do so by a mandatory legal provision. The End User is not authorized to sell, lease, sublicense or distribute the Software in any form whatsoever. The End User has no right to use the Software for the purpose of carrying out comparisons or other “benchmarking” activities, nor to publish their results, without prior formal agreement from Ipanema. Ipanema expressly reserves the exclusive right to intervene in the Software to enable it to be used in accordance with its intended purpose, and in particular to correct its errors, under the conditions of the maintenance service offered independently hereof. The Licensee is authorized to make a single copy of the Software for back-up purposes. This copy may be used only in case of failure of the copy of the Software delivered to the Licensee.
10. 2. 2. Intellectual Property
1. All industrial and intellectual property rights relating to the Software (including copies, adaptations, modifications, improvements and any future version) and the Documentation remain the full and exclusive property of Ipanema.
2. The right to use certain components of the Ipanema System is granted under one or more of the following “Open Source” licenses. The Ipanema warranty applies to these modules when they are used within the Ipanema System. For licenses that so stipulate, Ipanema will provide on request any modifications that may have been made. The list of open source software used, together with the related licenses, is available at the following address: https://support.ipanematech.com/.
10. 2. 3. Term
1. The License takes effect from the provision of the Software license key, for the duration of the legal protection of copyright for software. It is subject to payment of the initial Software fee and of Software maintenance throughout its period of effect.
2. Should the End User fail to meet the obligations set out in the License, Ipanema or the Reseller may terminate the License. Such termination will take effect fifteen (15) days after a request to remedy the breach, sent with acknowledgment of receipt, has remained without effect. In the event of termination of the License, the End User shall:
■ Immediately cease using the Software,
■ Uninstall the Software within eight calendar days,
■ Pay Ipanema or its Reseller any amount remaining due at the termination date.
10. 2. 4. Warranty
1. Ipanema warrants that the Software behaves in accordance with the Documentation for a period of thirty (30) days following the provision of the Software license key. Should the Software not behave according to the Documentation, the warranty consists solely, at Ipanema’s option, of the correction of the problems encountered or the dispatch of a corrected version of the Software. This warranty does not apply to problems caused by:
a) misuse of the Software, including among other things use of the Software with an application or in an environment other than that specified by Ipanema, or the introduction of data into the tables used by the Software by any means other than the Software;
b) any other software or hardware external to Ipanema;
c) any modification or addition to the Software not made by Ipanema;
d) failure by the End User to install a workaround or a corrected version.
2. THE WARRANTY SET OUT ABOVE IS THE ONLY WARRANTY TO WHICH THE LICENSEE AND THE END USER ARE ENTITLED. NO WARRANTY AGAINST EVICTION, NO WARRANTY RELATING TO THE FITNESS OF THE SOFTWARE FOR A SPECIFIC NEED, OF NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OF ABSENCE OF DEFECTS OR ERRORS, OR OF UNINTERRUPTED OPERATION IS GRANTED.
10. 2. 5. Liability
1. The Licensee is responsible for the choice of the Software, for the use made of it and for the results obtained from it. The Licensee assumes all responsibility regarding the qualification and competence of its personnel. The End User must take all precautions to avoid the loss or destruction of its data, including in particular regular backups and checks. Furthermore, it is the Licensee’s responsibility to comply with the export laws and regulations in force, in particular in France and in the United States.
2. THE PARTIES EXPRESSLY AGREE THAT LOSS OF PROFIT, LOSS OF CUSTOMERS OR OF EXPECTED SAVINGS, LOSS OF ORDERS, LOSS OR DETERIORATION OF DATA SUFFERED BY THE END USER FOLLOWING THE INSTALLATION OR USE OF AN IPANEMA SYSTEM CONSTITUTE INDIRECT DAMAGES FOR WHICH IPANEMA CANNOT BE HELD LIABLE. IN ANY EVENT, IPANEMA’S LIABILITY, FOR ANY REASON WHATSOEVER AND WHATEVER ITS LEGAL BASIS, SHALL BE EXPRESSLY LIMITED TO THE LOWER OF THE FOLLOWING TWO AMOUNTS: (i) 250,000 EUR OR (ii) THE TOTAL OF THE SUMS PAID FOR THE SOFTWARE LICENSE BY THE END USER TO IPANEMA OR TO THE RESELLER DURING THE 12 MONTHS PRECEDING THE DATE OF THE EVENT THAT CAUSED THE DAMAGE.
10. 2. 6. General Provisions
1. This agreement may be amended only by a written amendment signed by both parties.
2. If any provision of the contract is void under a rule of law or a law in force, it shall be deemed unwritten, but shall not render this agreement void.
3. The fact that one of the parties does not invoke, or delays in invoking, the application of a clause of this contract shall not be interpreted as a waiver of that clause or as a modification of this contract.
4. By express agreement between the parties, this License is governed by French law. All disputes relating to the performance or interpretation of this License shall be submitted to the competent court of Paris, France.
CHAPTER 11. TECHNICAL SUPPORT
Do not attempt to repair the equipment yourself. Do not remove ip|engine covers and casings. This would void any warranty.
Please refer to the support and maintenance contract for specific information about these services. Should you have any problem with your system, please contact your supplier for technical assistance. In any case, you can get support and information by logging on to Ipanema’s Support web site: https://support.ipanematech.com/, where you can access the Public Knowledge Database, find Technical notes and FAQs, be informed of the latest developments and updates, download all the Ipanema software, create and track tickets, and find other relevant information relating to the Ipanema System. An account will be created on demand.
Other contact information:
E-mail: [email protected]
Phone: +(33)1 55 52 15 22
Fax: +(33)1 55 52 15 01
In the event of a technical problem, please supply as much information as possible, in particular:
■ your name, address, telephone number and the name of your company,
■ your Ipanema Technologies license number (see the “about” window in ip|boss, field “reference”),
■ the names, versions and serial numbers of the products you are using,
■ the version of the ip|boss server’s Operating System,
■ a description of the installed configuration and the configuration files,
■ a detailed description of the problem you have encountered.