Re: NAT and Websphere load balancers

["Alexander Bolante" <alexander.bolante () gmail com>]

Hi Brian,

WAS documentation is usually abstract in that regard. I would highly
recommend contacting WAS Support (via phone, e-mail, IBM forums, etc.)
or if you're a Customer, opening a PMR to seek more detailed technical
advice. From my experience, I assure you WAS Support is highly
qualified to resolve your issues in a timely manner.

Good luck!


On 4/13/06, Brian Loe <knobdy () gmail com> wrote:
> I sent this to a cow-orker and I'm hopeful I'm not way of base - and
> more hopeful that someone here can tell regardless. In fact, if
> someone here has - or knows someone who has - experience with this,
> PLEASE SPEAK UP!!
>
> Indicates that at least in one version, it wasn't possible to use NAT
> - but the article is from 1999:
>
> http://www.networkworld.com/reviews/0614rev.html
>
> Seems to indicate that NAT IS possible and has some configuration
> examples or some such crap:
> http://www-128.ibm.com/developerworks/library/i-mexch12/
>
> The load balancer does the NAT forwarding?
> http://www-306.ibm.com/software/webservers/appserv/doc/v51/ec/infocenter/index.html
>
> Hmmm...this flat-out says, "The Web server plug-in supports Network
> Address Translation (NAT) firewalls"
> http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/ctop_httptrans.html
>
> Whoops - call the developers now?!
> Supports Network Address Translation (NAT). A firewall product that
> runs NAT receives packets for one IP address, and translates the
> headers of the packet to send the packet to a second IP address. In
> environments with firewalls employing NAT, avoid configurations
> involving complex protocols in which IP addresses are embedded in the
> body of the IP packet, such as Java Remote Method Invocation (RMI) or
> Internet Inter-Orb Protocol (IIOP). These IP addresses are not
> translated, making the packet useless.
> http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/ctop_httptrans.html
>
>
>
> What this seems to come down to is, "what do we mean by NAT?" In some
> of this documentation - and that found elsewhere - it would appear
> that Websphere's load balancer can work with NATed addresses. In still
> more documentation it appears as though it can't. However, in both
> cases, its not clear if they're addressing NAT from a firewall -
> something not performing load balancing - or NAT from the load
> balancer itself. One document even complains about the administrative
> overhead of using NAT load balancers!
>
> Given that I think we have to look at how traffic is supposed to flow
> with our current load balancer. A request comes into our network at a
> public address - received from our DNS via a hostname/nslookup lookup
> - which is then routed via several routers, at least one PIX and at
> least one switch to the Websphere load balancer. That machine then
> hands the request off to the appropriate server to be processed. Once
> the request has been processed, the server which received it from the
> load balancer replies directly to the requesting client, again
> traversing all of that network equipment - same as the load balancer.
> If a session is created then those two hosts will continue to
> communicate directly.
>
> If you throw NAT, as I have envisioned it, into the mix then it is
> only on the PIX which ALL of our traffic is going through anyway. The
> requestor will send a packet to the looked-up address as it did
> before. The firewall will eventually receive that packet but this time
> it will look up the address it has - the xlate translation - for that
> public IP and then pass it back to the appropriate load balancer. The
> load balancer, just as before, will receive that packet, just as
> before and attempt to communicate with the requestor. Nothing here
> should have changed that I can see. MAC addresses aren't effected, so
> how the Websphere and the client and the Internet in general deals
> with them is not effected. The only possible issue I can see is when
> the server at the end responds back to the requester - even then,
> though, it will go out the same address it would have if it were not
> being NATed. The real difference here - and what we have not yet tries
> - is NATing ALL of the pieces. Neither the sprayer/load balancer or
> any of the target servers would have a 'real" IP address - they would
> all be NATed.
>
> This isn't rocket science either, perhaps simply calling IBM would be
> appropriate?
>
> -------------------------------------------------------------------------
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records un-protected.
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> obligation. See why so many companies trust Spy Sweeper Enterprise to
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
> --------------------------------------------------------------------------


--
Alexander.Bolante () gmail com
abolante.blogspot.com

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------