First, let me apologize for my lack of knowledge about BES. I am a network engineer and only work peripherally with BigFix products.
We have several BES servers deployed in our enterprise to support our global client base. These servers are currently deployed across our server network to provide fault tolerance. These servers provide services to many systems on our network that are considered secure and we must control access to and from them. This security requirement includes the use of ACLs and firewall rule sets. Because we are regularly required to perform maintenance on these servers and add to the number of servers, the maintenance of these ACLs and rules has become cumbersome. I am interested in placing these servers behind F5 load balancers as that will permit us to have a single client IP address used as the BigFix target, and the real server IPs will be masked from the end users. I have a few questions about this plan:
Are there any gotchas with putting BES machines behind a SLB appliance?
Do we need to account for client persistence in this configuration? Do clients need to consistently contact the same server, or can they hit any of the available servers?
Is there a preferred method of load balancing traffic to the individual servers? Round Robin? Least connections? Server load?
Has anyone else done this and can you share any tips and tricks for this?
Using a load balancer with the BigFix system is extremely rare, but we do believe it is possible (I think maybe 1 customer had tested it and didn’t find any problems)… Our stance on load balancers is that they are expensive and complicated and unnecessary because there often are much better ways to handle the situations.
There are lots of advanced options/configurations that you can consider… I happen to know a lot about your very large and extremely complex environment (based on some work we did with you guys when you first became a customer) and to avoid issues, I would strongly encourage you guys to work with our services team http://support.bigfix.com/services/ to get some onsite expert-level assistance before making too many changes.
Thanks Ben. I’m doing the leg work for our BES team since they are swamped with the upgrade project. Here are my thoughts about putting them behind the F5s:
We already own the F5s, so there is no equipment that needs to be purchased to support this.
Our experience has been that for the most part it is relatively easy to load balance applications, and the benefits outweigh the costs.
By fronting the BES servers with the SLB appliances we can avoid being tied to specific host addresses on the servers. This provides us with additional flexibility in how we deploy and maintain the actual servers.
Not being reliant on individual server IP addresses should eliminate the constant need to update 1000+ ACLs and rule sets.
My goal is to implement something that will remove our dependency on the actual server IPs since that is causing the headache in the network space. Obviously, I don’t want to create additional work for the BES team, or break anything else in the process. I will do the basic research and then work with the BES folks to see what is possible in our environment.
Our team lead had indicated that we may need to account for persistence with the clients, meaning that once a machine contacts a particular BES that it needs to go back to that same server. Is that correct?
The client does expect that when it talks to a specific address that the underlying server/relay is the same during its next interaction… however, in practice, the relays are generally tolerant and smart enough to handle all these interactions (although it might require an agent retry). Here is an example: Agent asks the relay “do you have the newest download files”. Relay replies “yes”. Agent says “Please give me the newest files”.
If the relay was changed out from under the agent because of the load balancer, then the other relay might not have cached the file yet. In practice, this isn’t really a problem because the agent will just try asking the question again, but you might see issues in the log.
But this is probably the extent of the analysis that I can give you at this point in time because I am not entirely clear where you are going to be putting the load balancer and specifically which problems you are trying to solve. I really suggest we find a way to have a discussion directly with you guys on this topic due to your size and complexity.
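The two-step exchange Ben describes (agent asks "do you have the newest files", then "give me the files") is the reason persistence matters behind a load balancer. The following is an added simulation, not BigFix or F5 code, that models two relays with independent download caches behind a balancer in either plain round-robin mode or source-IP persistence mode and counts how many agent retries each mode causes. The `Relay`, `LoadBalancer` and `agent_download` names, the cache behaviour and the client addresses are all constructed for the illustration.

```python
"""Constructed model of the relay download exchange behind a load balancer.

Not BigFix or F5 code: the relay/balancer behaviour here is a simplified
assumption made for illustration only.
"""
from itertools import cycle


class Relay:
    """A relay with its own cache of download files (constructed model)."""

    def __init__(self, name):
        self.name = name
        self.cache = set()

    def has_newest(self, site_version):
        # Asking "do you have the newest files" makes the relay fetch and
        # cache them from its parent, so it can answer "yes".
        self.cache.add(site_version)
        return True

    def give_file(self, site_version):
        # Returns the payload if cached. If this relay was never asked the
        # first question it has no copy yet; it starts caching and the agent
        # gets nothing this time, which is the retry Ben describes.
        if site_version in self.cache:
            return f"payload-{site_version}"
        self.cache.add(site_version)
        return None


class LoadBalancer:
    """Round-robin balancer with optional source-IP persistence."""

    def __init__(self, relays, persistence=False):
        self.persistence = persistence
        self._rr = cycle(relays)
        self._table = {}  # source IP -> pinned relay (persistence mode only)

    def pick(self, client_ip):
        if self.persistence:
            if client_ip not in self._table:
                self._table[client_ip] = next(self._rr)
            return self._table[client_ip]
        return next(self._rr)


def agent_download(lb, client_ip, site_version, max_attempts=5):
    """Run the two-step exchange; return (payload, attempts used, log lines)."""
    log = []
    for attempt in range(1, max_attempts + 1):
        first = lb.pick(client_ip)          # "do you have the newest files?"
        if not first.has_newest(site_version):
            continue
        second = lb.pick(client_ip)         # "please give me the newest files"
        payload = second.give_file(site_version)
        if payload is not None:
            log.append(f"attempt {attempt}: asked {first.name}, fetched from {second.name}")
            return payload, attempt, log
        log.append(f"attempt {attempt}: {first.name} said yes but {second.name} "
                   f"had no copy yet; agent retries")
    return None, max_attempts, log


def simulate(persistence, n_clients=4):
    """Total retries across n_clients agents with cold relay caches."""
    lb = LoadBalancer([Relay("relay-a"), Relay("relay-b")], persistence=persistence)
    retries = 0
    for i in range(n_clients):
        _, attempts, _ = agent_download(lb, f"10.0.0.{i + 1}", "site-v1")  # constructed IPs
        retries += attempts - 1
    return retries


if __name__ == "__main__":
    for mode in (False, True):
        print(f"persistence={mode}: retries={simulate(mode)}")
```

In round-robin mode the first agent's second request lands on the relay that was never asked the first question, so it retries once before the caches warm up and the log shows the mismatch; with source-IP persistence every agent keeps talking to the relay that answered "yes" and no retries occur. This is the behaviour to look for in agent logs when deciding whether the balancer needs a persistence profile.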
Thanks Ben. I’ll ask the BF team on my end to set up a call to discuss this in more detail. My initial intent was to confirm that this isn’t a crazy idea. Now that’s out of the way, we can deal with the details.
I am wondering if this was ever implemented… We too are considering going the SLB route, as having two relays (internal/external) for each geographical location has grown to be a pain from logistic and maintenance perspective.
Has anyone successfully load-balanced BF relays? Our goal would be the same as the original poster: have a single host/IP front-end that all clients would hit, where the back-end would consist of X number of BF relays running on Linux, load-balancing the load between them. Is there an official stance on SLB and BigFix?
My official stance is that they are possible to use, but if you use relay autoselection, it will auto-loadbalance, auto-failover, and auto-correct… so load balancers are a waste…