Oracle® Corente Services Corente Virtual Services Gateway – Virtual Edition Manual for Release 9.2 E59952-01 February 2015


    Table of Contents

    Preface
    1 Introduction
        1.1 Virtual Machines
        1.2 Hardware Requirements
    2 Building Virtual Machines
        2.1 Software for Virtual Machines
            2.1.1 Guest Operating Systems
            2.1.2 Application
        2.2 Planning Your Virtual Machine
        2.3 Configuring the Guest Operating System
        2.4 Overview of Virtual Machine Creation
        2.5 Distributing Virtual Machines via CD/DVD, USB Device, or Remote Server
    3 Planning the Datacenter
        3.1 Routing
        3.2 Inbound NAT All CVSG-VE Locations
        3.3 DNS Name Resolution of VMs and their Applications
            3.3.1 Corente Virtual Services Gateway as DNS Server
            3.3.2 Corente Virtual Services Gateway as DNS Updater
            3.3.3 Registering Applications with the DNS Server
            3.3.4 Allow Partner Access to DNS Namespace
            3.3.5 How to access VMs from the Datacenter
    4 Controlling the Virtual Machines with Gateway Viewer
    5 Monitoring and Alerts
        5.1 Internal Monitoring
        5.2 Serial Console Access for the Virtual Machines, Virtual Host, and Corente Virtual Services Gateway Software
        5.3 Monitoring
        5.4 Alerts
    6 Installation and Configuration of the CVSG-VE Location
        6.1 Installation in App Net Manager Lite
        6.2 Installation in App Net Manager
        6.3 Additional Configuration
            6.3.1 Location Tab
            6.3.2 Network Tab
            6.3.3 Applications Tab
            6.3.4 Monitored Servers Tab
            6.3.5 User Groups Tab
            6.3.6 Routes Tab
            6.3.7 Partners Tab
            6.3.8 SNMP Tab
            6.3.9 User Remote Access Tab
            6.3.10 High Availability Tab
            6.3.11 Alerts Tab
            6.3.12 Updating Virtual Machines and their Applications
    7 Accessing Applications on the Virtual Machines
    A Legal Notices
        A.1 Oracle Legal Notices
        A.2 DocBook XSL License
    Index


    Preface

    This manual provides an explanation of the procedures you must follow to define and provision the service policies for your Corente Virtual Services Gateways, as well as partner your Locations together to create a Corente application network.

    Systems Supported

    This guide supports Corente Release 9.2.

    Related Documentation

    Oracle provides several additional manuals that will aid you in using Corente Services.

    The following manuals are available from the Corente Services Documentation web page, http://www.oracle.com/technetwork/server-storage/corente/documentation/index.html:

    • I. Corente Services Planning

    • II A. Corente Virtual Services Gateway Hardware Preparation and Deployment

    • II B. Corente Services Policy Definition and Provisioning

    • III. Corente Services Administration

    • IV. Corente Services Troubleshooting Guide

    • VI. Corente Services Client

    • VII. Corente Services SSL Client

    • VIII. Corente Services Mobile User

    The main documentation index for all Oracle products can be found at: http://www.oracle.com/documentation.

    Access to Oracle Support

    Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

    Feedback

    Provide feedback about this documentation at:

    http://www.oracle.com/goto/docfeedback

    Conventions

    Hyperlinks can be used to navigate through the guide or the procedures related to an overall activity, or to jump to a cross-referenced topic or Internet URL.

    The following text conventions are used in this document:


    | Convention | Meaning |
    |---|---|
    | boldface | Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. |
    | italic | Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. |
    | monospace | Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter. |

    Document Revision

    Document generated on: 2015-02-18 (revision: 234)


    Chapter 1 Introduction

    Table of Contents

    1.1 Virtual Machines
    1.2 Hardware Requirements

    The Corente Virtual Services Gateway Virtual Environment (CVSG-VE) edition allows applications to be deployed securely and confidently to your customers worldwide by combining the Corente Virtual Services Gateway service and virtual application hosting servers in a single device. With the CVSG-VE device (a “CVSG-VE Location”) on each customer’s LAN, application providers at their datacenter can use Corente’s wide array of management and monitoring features to maintain the application at each site, as well as protect their customers’ data and ensure customers have continued access to the application and stored data even during a network outage.

    The CVSG-VE Location is a single x86 server hosting a Corente Virtual Services Gateway and a set of virtual machines (VMs), which are themselves hosting user applications. Access between the remote datacenter and both the LAN and the VMs is mediated, monitored, and secured by the Corente Virtual Services Gateway Software in the CVSG-VE Location.

    Figure 1.1 Conceptual Stack

    From the remote datacenter and the application point of view, the CVSG-VE Location appears to be a Corente Virtual Services Gateway securing the LAN, with VMs appearing as servers on that LAN. From the local point of view, the CVSG-VE Location appears as a set of servers on the network, with the Corente Virtual Services Gateway acting as the gateway to the LAN (if installed in the Inline configuration) or acting as another server (if installed in the Peer configuration).

    For both Peer and Inline configurations, the CVSG-VE Location appears as two servers on the Customer LAN: the Virtual Host and the Corente Virtual Services Gateway. The Virtual Host is the entity in the CVSG-VE Location that monitors and manages VMs. Each VM in the CVSG-VE Location appears to be an additional server directly on the Customer LAN. The virtual host and each VM are assigned an IP address on the same subnet as the LAN interface (or WAN/LAN interface, if using the Peer configuration) of the CVSG-VE Location.

    Figure 1.2 Internal Network View

    The following diagram depicts a typical deployment for the CVSG-VE Location:

    Figure 1.3 Typical Deployment

    For simplicity, this diagram depicts a single datacenter/customer relationship, but a multi-tiered architecture is easily accommodated. As the diagram shows, each Corente Virtual Services Gateway at the datacenter and each CVSG-VE Location at a customer site maintains a secure connection to the Service Control Point (SCP) for monitoring and policy management. The customer’s CVSG-VE Location will also maintain a connection back to the provider’s Corente Virtual Services Gateway at the datacenter for service as well as application updates.

    To illustrate how the CVSG-VE Location can benefit an application provider, consider an example: a company that hosts electronic medical records (EMR) can install CVSG-VE Locations at each participating doctor’s office. The EMR application is hosted on a virtual server in the CVSG-VE Location and accessible by computers on the office’s LAN. Records and other data are stored locally on the CVSG-VE Location, on “disks” in the virtual servers. Each CVSG-VE Location maintains a connection back to the company’s datacenter, with HIPAA-compliant encryption standards, where records are backed up and IT can monitor and manage the application (and even each office’s network performance) with Corente’s monitoring and management features. If connectivity to the datacenter ever goes down, both the application and the stored records will continue to be accessible and function as normal, because they are both available locally on the CVSG-VE Location.

    1.1 Virtual Machines

    The Corente concept of a Virtual Machine (VM) is the combination of the Guest Operating System (OS) and application that is installed as a disk image (or a set of disk images) on the CVSG-VE Location.

    Each VM can have access to up to three (3) virtual hard disks, which may be partitioned in any manner to suit the application. Additionally, a VM can have access to a virtual floppy disk image and a virtual CD/DVD image. Typically, the primary hard disk image (drive C: or hda) contains the OS and application, while the other virtual disks (such as D: or hdb, and E: or hdc) can be used for persistent or temporary data storage (including configuration information). These disk images may be upgraded independently, as each disk image is fetched and loaded separately when installed.

    The VM creator is responsible for procuring the correct licenses for their chosen guest OS and for providing application requirements, instructions for configuration, and ensuring that the application starts when the VM’s guest OS starts.

    VMs are permitted to communicate with both the local LAN and the remote datacenter. Each VM appears on the LAN as if it were a physical machine. Thus, VMs may use any protocol to communicate with other LAN devices (or even other VMs).

    1.2 Hardware Requirements

    Hardware requirements for the CVSG-VE Location vary greatly, depending on the guest OS and application required for each VM you will be installing. The minimum requirement to support the host OS and Corente Virtual Services Gateway Software is an Intel x86-based i7 system with VT Technology and a minimum of a 2 GHz 64-bit (x64) processor, 8 GB memory, and a 40 GB hard disk. Like ordinary Corente Virtual Services Gateways, a Peer configuration requires one (1) Ethernet interface and an Inline configuration requires two (2) Ethernet interfaces.

    It is the responsibility of the application developer to determine how these parameters should change based on guest OS and application requirements. The hardware needed will be roughly the sum of the hardware requirements for each installed VM, in addition to the minimum requirements stated above.

    It should also be noted that once a machine has been created as a CVSG-VE Location, it cannot be converted to an ordinary Corente Virtual Services Gateway (or vice versa) without reformatting the hard drive and performing a new installation onto that machine.


    Chapter 2 Building Virtual Machines

    Table of Contents

    2.1 Software for Virtual Machines
        2.1.1 Guest Operating Systems
        2.1.2 Application
    2.2 Planning Your Virtual Machine
    2.3 Configuring the Guest Operating System
    2.4 Overview of Virtual Machine Creation
    2.5 Distributing Virtual Machines via CD/DVD, USB Device, or Remote Server

    A Virtual Machine (VM) is the combination of the Guest Operating System (OS) and application that is installed as a disk image (or set of disk images) on the virtual host of the Corente Virtual Services Gateway Virtual Environment (CVSG-VE) edition.

    In addition to supplying your chosen application and guest OS and using them to build the VM, you are also responsible for procuring the correct licenses for your chosen guest OS and for providing application requirements, instructions for configuration, and ensuring that the application starts when the CVSG-VE Location starts.

    Once a VM has been created and made available, it is installed on a CVSG-VE Location via the Virtual Machines tab of the CVSG-VE Location form in App Net Manager.

    2.1 Software for Virtual Machines

    VMs are created using Oracle’s Virtual Box version 4.3.12 or later, available at

    http://www.virtualbox.org.

    To begin creating a VM, you must download and install the software of your choice onto a local computer on which you will be building the VM.

    Requirements and instructions for Virtual Box are available on the Virtual Box website at:

    https://www.virtualbox.org/.

    2.1.1 Guest Operating Systems

    Corente VMs will support the following guest operating systems:

    • Microsoft Windows 7

    • Solaris x86

    • Linux (2.4 and 2.6) x86

    It is the responsibility of the VM creator to procure the correct licenses for each chosen guest OS.

    2.1.2 Application


    When developing/modifying an application for use with the CVSG-VE Location, keep in mind the following:

    • Startup: The application should be configured to start upon boot of the VM. This could be accomplished through startup scripts on Linux, or enabling the application to run at boot on Windows. Alternately, the application startup may be controlled remotely from the partner.

    • Shutdown: The VM will be sent the ACPI shutdown signal to allow the application and VM to shut down gracefully. The application should shut itself down gracefully upon receiving notification that its OS is shutting down. This could be accomplished through a shutdown script on Linux, or through the Windows shutdown mechanism. If the VM does not shut down within a timeout, it will be aborted. Note that in cases like power failure, the VM will not be sent the ACPI shutdown signal.

    2.2 Planning Your Virtual Machine

    Each VM will have access to up to three (3) virtual hard disks. These disks may be partitioned in any manner to suit the application. In addition, a VM may have access to a virtual floppy disk image, as well as to a virtual CD/DVD image.

    When planning how the application will be arranged on a VM, it is strongly recommended that the primary hard disk image contain the guest OS and the installed application. The other virtual disks should be used for persistent or temporary data storage (including configuration information). Each disk image can be upgraded independently, as each disk image is fetched separately when installed.

    Corente makes this recommendation because you may want to update the main virtual hard disk of the VM with a new version or copy of the .vdi file at some point in the future. When a new file is applied to a virtual hard disk, the existing .vdi file for that disk on the VM will be completely overwritten. Therefore, any persistent or temporary data stored on that disk will be deleted permanently. If you have arranged a VM so that you are storing data on a virtual disk that must be updated, you can avoid losing the data by logging into the VM and copying the data out before updating. However, because entire .vdi files cannot be retrieved from a CVSG-VE Location once they are installed, it is easier to avoid a time-consuming data copying process by simply arranging the VM so that persistent or temporary data is stored on another virtual disk during normal operation of the VM.

    2.3 Configuring the Guest Operating System

    The Guest Operating System itself should always be configured to obtain its IP address via DHCP. This allows for a single master image of the VM to be deployed at multiple locations without modification. The CVSG-VE Location will intercept the Guest VM’s DHCP requests and may satisfy them, if the VM was assigned a static IP address in the App Net Manager configuration or if the internal Corente Virtual Services Gateway Software is configured as a DHCP server for the LAN. If the CVSG-VE Location has not been configured as a DHCP server and the Guest VM addresses are configured in App Net Manager to be obtained via DHCP, the DHCP requests will be forwarded to the Customer LAN where they will be satisfied by the customer’s DHCP server. In all cases, the CVSG-VE Location will automatically set the default route of the Guest VM to point to the internal Corente Virtual Services Gateway Software. To summarize:

    Table 2.1 Guest Operating System Configuration

    | Guest VM Created to Obtain Its IP Address Via | CVSG-VE Location Configured As | Configuration in App Net Manager for Guest VM to Obtain Its IP Address Via | Behavior |
    |---|---|---|---|
    | DHCP | DHCP Server | Static | Static address specified in App Net Manager will be assigned to Guest VM |
    | DHCP | DHCP Server | DHCP | Address from CVSG-VE Location’s DHCP pool will be assigned to Guest VM |
    | DHCP | Not DHCP Server | Static | Static address specified in App Net Manager will be assigned to Guest VM |
    | DHCP | Not DHCP Server | DHCP | DHCP request will be forwarded to Customer’s DHCP server; the response address will be assigned to Guest VM |
    | Static (not recommended) | | | Guest VM will have the specified address; the default gateway of the Guest VM will not be set by the CVSG-VE Location |

    2.4 Overview of Virtual Machine Creation

    After installing and configuring your chosen virtualization software on your local computer, the procedure for creating VMs and their disk images is as follows:

    1. Start your virtualization software and create a new VM.

    2. Create the necessary empty virtual disk images, remembering to keep the application and data storage on separate virtual disks.

    3. Install the guest OS onto the VM.

    4. Configure the guest OS networking to use DHCP to obtain an IP address.

    5. Install the application onto the VM.

    6. Perform necessary configuration and adjustments to ensure that the application can run and function correctly on the VM. Ensure that ICMP is accepted by the application for traffic originating from the Corente Gateway service in the CVSG-VE Location, as it is necessary for Corente monitoring.

    Note

    Applications can be pre-configured in the VM prior to deployment or be configured after installation remotely via either SSH or RDP, depending on the guest OS.

    7. Test the application/OS combination in your local VirtualBox environment.

    8. Once you are satisfied that the VM is functioning correctly, save your work, exit the application, and browse to the location on your hard drive where the VM disk image files have been stored. Hard disk images are saved as .vdi files, while floppy disk images are saved as .img files and CD/DVD disk images are saved as .iso files.


    9. If you are using a server to distribute the VM, copy the VM disk images to the server so they are available for download by CVSG-VE Locations. Otherwise, load the VM disk images to a USB flash drive or CD/DVD for installation on CVSG-VE Locations.

    10. Perform final integration and system test of this VM on a CVSG-VE Location before final release.

    2.5 Distributing Virtual Machines via CD/DVD, USB Device, or Remote Server

    The disk images for VMs are distributed to CVSG-VE Locations locally (using a CD, DVD, or USB device) or remotely, over the network. Installation of VMs is described in Chapter 6, Installation and Configuration of the CVSG-VE Location. Note that you can install each disk image for a VM separately, using whichever distribution method you would like for each image.

    Local distribution requires the disk image files to be loaded onto a CD/DVD or USB device, and that device to be inserted into the new CVSG-VE Location during installation.

    Remote distribution requires the disk image files to be loaded onto a server that will function as the Application Distribution Server. This server can be located anywhere that is accessible by the CVSG-VE Location and use rsync, http, https, or ftp to distribute files. If the server is not located on the CVSG-VE Location’s LAN, then it must be behind a Corente Virtual Services Gateway that is partnered with the CVSG-VE Location (remote access to the server must always be made over a secure connection). If the server is at a remote site, remember that the partnership between its gateway and CVSG-VE Location must be configured with tubes that permit the CVSG-VE Location itself to contact the server. This server can be reachable via DNS name; however, the DNS name/address combination will not be stored and served by Corente DNS servers and updaters (as described in Section 3.3, “DNS Name Resolution of VMs and their Applications”).


    Chapter 3 Planning the Datacenter

    Table of Contents

    3.1 Routing
    3.2 Inbound NAT All CVSG-VE Locations
    3.3 DNS Name Resolution of VMs and their Applications
        3.3.1 Corente Virtual Services Gateway as DNS Server
        3.3.2 Corente Virtual Services Gateway as DNS Updater
        3.3.3 Registering Applications with the DNS Server
        3.3.4 Allow Partner Access to DNS Namespace
        3.3.5 How to access VMs from the Datacenter

    There are several considerations you must plan for when configuring your datacenter to function with the Corente Virtual Services Gateway Virtual Environment (CVSG-VE) edition.

    3.1 Routing

    All head-end Corente Virtual Services Gateways in the datacenter must be able to connect to the Corente Services Control Point (SCP) and receive incoming connections from the CVSG-VE Locations (i.e., be able to reach the Internet).

    In the datacenter, routing must be configured to route traffic from the participating data center machines to the gateways so that traffic can reach the virtual machines (VMs) of the CVSG-VE Locations. You have two choices for providing routes to the VMs:

    • You can configure static routes on your routers to reach each VM. If Inbound NAT is being used at the datacenter, all routes must be configured using the NATed addresses of the VMs.

    • You can enable RIPv2, OSPF, and/or BGP on the Corente Virtual Services Gateways and routers at the datacenter to automatically broadcast and receive routes.

    3.2 Inbound NAT All CVSG-VE Locations

    To ensure that all CVSG-VE Locations have unique address spaces for their LANs, it is recommended that the head-end gateway(s) at the datacenter perform inbound NAT on all CVSG-VE Location partners to translate the VM addresses into addresses that are unique at the datacenter. Inbound NAT is configured on the Partners tab of the Location form for each Corente Virtual Services Gateway.

    If you have more than one (1) head-end gateway at the datacenter, you must maintain consistent address mapping of the CVSG-VE Locations among those head-end gateways. This will require you to identify a pool of unique addresses that you can use for inbound NATing at the datacenter. Each CVSG-VE Location must be assigned a set of addresses out of the NAT pool that cannot be assigned to any other CVSG-VE Location, and this particular set of addresses must be used for this particular CVSG-VE Location on all of the head-end gateways. You must maintain a record of how each CVSG-VE Location has been re-mapped, and each time you create a new CVSG-VE Location that is partnered with your datacenter, you must take a set of addresses out of the NAT pool and configure the head-end gateways to inbound NAT the new CVSG-VE Location’s virtual LAN to this set of addresses.

    Note that the addresses used for inbound NAT must be consistent within a single datacenter, but if another datacenter or Location is partnered with the CVSG-VE Locations and is also using inbound NAT to translate their addresses, the addresses used do not have to be consistent with the inbound NATing of any other Location partners or datacenters.
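    The record-keeping described above can be checked mechanically. The following Python is an added example, not Oracle or Corente code: it hands out non-overlapping blocks from a NAT pool, keeps the record, and compares each head-end gateway's configured mappings against it. The pool, Location and gateway names, and the one-to-one translation that preserves the host part are assumptions made for illustration.

```python
"""Added example: keep inbound NAT blocks for CVSG-VE Locations unique and
identical on every head-end gateway. All names and addresses are constructed."""
import ipaddress


class NatPlan:
    """The record of which slice of the datacenter NAT pool each Location uses."""

    def __init__(self, pool):
        self.pool = ipaddress.ip_network(pool)
        self.assigned = {}  # Location name -> (real LAN, NAT block)

    def allocate(self, location, lan):
        """Reserve the first free NAT block with the same size as the Location's LAN."""
        lan = ipaddress.ip_network(lan)
        if location in self.assigned:
            raise ValueError(f"{location} already has a NAT block")
        if lan.prefixlen < self.pool.prefixlen:
            raise ValueError(f"{lan} does not fit in pool {self.pool}")
        used = [nat for _, nat in self.assigned.values()]
        for candidate in self.pool.subnets(new_prefix=lan.prefixlen):
            if not any(candidate.overlaps(block) for block in used):
                self.assigned[location] = (lan, candidate)
                return candidate
        raise RuntimeError(f"NAT pool {self.pool} is exhausted")

    def translate(self, location, real_ip):
        """Datacenter-side address of a VM. Assumption: the mapping is one-to-one
        and keeps the host offset; the manual does not spell out the mapping."""
        lan, nat = self.assigned[location]
        ip = ipaddress.ip_address(real_ip)
        if ip not in lan:
            raise ValueError(f"{ip} is not on the LAN of {location}")
        return nat.network_address + (int(ip) - int(lan.network_address))


def audit(plan, gateway_configs):
    """Compare every head-end gateway's mappings with the record.

    gateway_configs: {gateway name: {Location name: NAT block as CIDR}}
    Returns a sorted list of (gateway, Location, problem) findings.
    """
    findings = []
    for gateway, config in gateway_configs.items():
        for location, (_, nat) in plan.assigned.items():
            if location not in config:
                findings.append((gateway, location, "missing"))
            elif ipaddress.ip_network(config[location]) != nat:
                findings.append((gateway, location, "mismatch"))
        nets = [(loc, ipaddress.ip_network(cidr)) for loc, cidr in config.items()]
        for i, (loc_a, net_a) in enumerate(nets):
            if loc_a not in plan.assigned:
                findings.append((gateway, loc_a, "unrecorded"))
            if not net_a.subnet_of(plan.pool):
                findings.append((gateway, loc_a, "outside-pool"))
            for loc_b, net_b in nets[i + 1:]:
                if net_a.overlaps(net_b):
                    findings.append((gateway, f"{loc_a}/{loc_b}", "overlap"))
    return sorted(findings)


def sample_plan():
    """Constructed data: three customer sites that reuse the same private range."""
    plan = NatPlan("10.200.0.0/16")
    plan.allocate("clinic-a", "192.168.1.0/24")
    plan.allocate("clinic-b", "192.168.1.0/24")
    plan.allocate("clinic-c", "192.168.1.0/25")
    return plan


# Constructed gateway configurations: headend-2 has drifted from the record.
SAMPLE_GATEWAYS = {
    "headend-1": {"clinic-a": "10.200.0.0/24", "clinic-b": "10.200.1.0/24",
                  "clinic-c": "10.200.2.0/25"},
    "headend-2": {"clinic-a": "10.200.0.0/24", "clinic-b": "10.200.0.0/24"},
}

if __name__ == "__main__":
    plan = sample_plan()
    for name, (lan, nat) in plan.assigned.items():
        print(f"{name}: {lan} -> {nat}")
    for finding in audit(plan, SAMPLE_GATEWAYS):
        print("finding:", finding)
```

    A mismatch or overlap on one head-end gateway means the same datacenter address can reach different customer VMs depending on which gateway carries the traffic, so each finding should be resolved against the record before a new Location is added.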

    To view the addresses of the CVSG-VE Locations and their LANs once they have been remapped, the Corente NAT table on each head-end gateway is available through SNMP poll and traps. These NAT tables map the NAT’ed address space to the actual customer network. You can also access the Corente Gateway Viewer application of any of the head-end gateways and open the NAT page, which will also show the mapping of NAT’ed addresses.

    When inbound NAT is used to ensure unique address spaces, and the Corente DNS server or updater is configured, DNS queries at the datacenter will return the NATed addresses.

    3.3 DNS Name Resolution of VMs and their Applications

    Corente DNS services are designed to provide name resolution of applications across partner networks. Each Location may be placed in a separate DNS domain, or each site can be a subdomain of a central location’s DNS domain. When a partner is not in the same DNS domain or in a subdomain of the same domain, you can still share DNS records with that partner by selecting the Allow Partner Access to DNS Namespace option on the Partners tab.

    You can use DNS to help organize the datacenter and make it easier to locate, manage, and access VMs and their applications. Corente DNS services tie DNS names to applications and are designed to provide name resolution of these applications across partner networks. Corente DNS is configured on the DNS Server tab of each CVSG-VE Location (and Location) in your domain.

    A CVSG-VE Location may be configured as a DNS Server or as a DNS Updater:

    • If configured as a DNS Server, the CVSG-VE Location will answer DNS requests for applications that are configured locally, forward DNS requests to partner Locations for resolution, and forward all other DNS queries to the DNS servers configured on its Network tab.

    • If configured as a DNS Updater, the CVSG-VE Location will register the DNS names and addresses of the applications that you specify in third-party DNS servers. You must provide a list of the DNS servers that the Updater will be updating. These DNS servers must be configured to accept updates from the CVSG-VE Location and have the proper zone structure in place. These servers must also be reachable by the LAN interface of the CVSG-VE Location and be a member of its default User Group.

    3.3.1 Corente Virtual Services Gateway as DNS Server

    If configured as a DNS server, the CVE Location will answer queries for the applications registered in the DNS Zone it is assigned to serve. It will also answer reverse queries for the IP addresses corresponding to those applications.

    Figure 3.1 DNS Server tab for Gateway as DNS Server

    On this screen, choose DNS Server and fill out the screen as follows:

    Key: Updates to the DNS server must be sent and received securely, using the same key for all DNS servers and updaters that are used in your domain.

    • If you have already generated an HMAC-MD5 key for your domain, enter that key in the Key field.

    • If you have not yet generated an HMAC-MD5 key for your domain, generate a key using either the adjacent Generate Key button or your own key generator, and enter the key in the Key field. Copy this key and use it for all DNS servers and updaters in your domain.

    DNS Zone: Enter a name for the zone for which this CVSG-VE Location’s DNS server will be responsible (for example, “zone.corente.com”, or an outlying zone, such as “here.zone.corente.com”, “there.zone.corente.com”, etc.).

    Serve DNS to LAN: When this option is selected, any computer on the LAN that receives its addressing information via DHCP from the CVSG-VE Location (even those computers not participating in the Corente network) will be passed the LAN IP address of this CVSG-VE Location as its DNS server in the DHCP lease. The CVSG-VE Location will attempt to resolve any DNS query it receives. If it cannot answer a DNS query, the query will be forwarded to the other means that you have specified on the Network tab (i.e., a third-party primary or secondary DNS server whose IP address you supply, or a third-party DNS Server whose address is served dynamically to the CVSG-VE Location via DHCP).

    If this option is not selected, then the DNS behavior for computers on the LAN receiving their addressing information via DHCP is determined by the settings on the Network tab.

    3.3.2 Corente Virtual Services Gateway as DNS Updater

    You can also configure a CVSG-VE Location to be a DNS Updater. If configured as a DNS updater, the CVSG-VE Location will send DNS updates to a third-party DNS server concerning the applications registered on this CVSG-VE Location. It will not answer DNS queries itself.

    Important

    The IP address of all DNS servers being updated by this DNS Updater must be included on the User Groups tab of this CVSG-VE Location and reachable by the CVSG-VE Location’s LAN (or WAN/LAN, if in the Peer configuration) IP address.

    Figure 3.2 DNS Server tab for Gateway as DNS Updater

    On this screen, choose DNS Updater and fill out the screen as follows:

    Key: Updates to a DNS server should be sent securely, using the same key for all DNS servers and updaters that are used in your domain.

    • If you have already generated an HMAC-MD5 key for your domain, enter that key in the Key field.

    • If you have not yet generated an HMAC-MD5 key for your domain, generate a key using either the adjacent Generate Key button or your own key generator, and enter the key in the Key field. Copy this key and use it for all DNS servers and updaters in your domain.

    DNS Zone: Enter the name of the zone about which this CVSG-VE Location will be updating the DNS server (for example, “zone.corente.com”, or an outlying zone, such as “here.zone.corente.com”, “there.zone.corente.com”, etc.).

    Serve DNS to LAN: When this option is selected, any computer on the LAN that receives its addressing information via DHCP will be passed the IP addresses of the third-party DNS servers that are specified below in the DNS Server IP Addresses to update table as its DNS server(s) in the DHCP lease. These servers will be responsible for answering the DNS queries of those computers.

    If this option is not selected, then the DNS behavior for computers on the LAN receiving their addressing information via DHCP is determined by the settings on the Network tab.

    DNS Server IP Addresses to update: This table captures the IP addresses of DNS server(s) to which this CVSG-VE Location will be sending DNS updates. To add a new DNS server to this table, click Add and enter the DNS server’s IP address. You can Edit or Delete any entry in this table. Remember that any DNS server listed in this table must share the same secure key as this DNS Updater.

    3.3.3 Registering Applications with the DNS Server

    If you have configured your CVSG-VE Location as a DNS Server or DNS Updater, you should register any application that your CVSG-VE Location is distributing across the Corente network with Corente DNS.

    To do this for an existing application, access the Applications tab and Edit an existing application. On the screen that is displayed, make sure the Register Application Name in DNS option is selected. After clicking OK twice on this page, then clicking OK on the next page and Saving your changes, the application name will be registered in Corente DNS.

    The DNS name of the application will be the DNS zone name of the application’s CVSG-VE Location prepended by the application name (for example, an application named “fileserver” in a zone named “here.corente.com” could be accessed by computers in partner Locations using the DNS name “fileserver.here.corente.com”).

    If you would like a VM itself (and not just its applications) to be reachable via DNS name, you can register the VM as an application on this Applications tab and select the Register Application Name in DNS option for it.

    3.3.4 Allow Partner Access to DNS Namespace

    On the Partner tab, you can elect to share the DNS records of this CVSG-VE Location with a remote partner, when this CVSG-VE Location is configured as a DNS Server or a DNS Updater and the partner is configured as a DNS Server or DNS Updater. Select the Allow Partner Access to DNS Namespace option to share the DNS records of this CVSG-VE Location with the partner. The partner will be allowed to perform lookups for the DNS names registered with this CVSG-VE Location even when the partner is not in the same DNS zone.

    When the partner is configured as a DNS Updater:

    • If the Locations are in separate DNS domains, the DNS records must be manually forwarded from the DNS Updater to the DNS servers it is updating.

    • If one is in a subdomain of the other (e.g., this CVSG-VE Location is configured as a DNS Server and is in the subdomain of its partner, which is configured as a DNS Updater), Corente DNS will automatically forward the DNS records from the DNS Updater to the DNS servers it is updating.

    Important

    If any NAT (Outbound or Inbound) is being performed for this partner, then the Perform DNS/WINs Fixup option must be selected on the Network tab of this CVSG-VE Location.

    3.3.5 How to access VMs from the Datacenter

    To access VMs from the datacenter, you can enable access to a VM via an RDP application. This option is selectable for each VM on a CVSG-VE, configurable on the Virtual Machines tab of the CVE Location form.

    To connect to a VM via RDP, use the IP address of this CVE Location's Virtual Environment Host Interface and the port number that you specify for the Console Display Port for that specific VM.

    For more information about the Console Display Port feature, refer to the Installation section of this document (Section 6.2, “Installation in App Net Manager”).

    Chapter 4 Controlling the Virtual Machines with Gateway Viewer

    Like ordinary Corente Virtual Services Gateways, the Gateway Viewer application is accessed by machines on the same LAN as the Corente Virtual Services Gateway Virtual Environment (CVSG-VE) edition by typing the LAN (or LAN/WAN) IP address of the CVSG-VE Location into a web browser. Note that the application can also be accessed remotely over a secure tunnel when the appropriate configuration is performed (for more information, see “Appendix B: Additional Tube Configurations” in the Corente Services Policy Definition and Provisioning manual).

    The Virtual Machine Status page in Gateway Viewer displays the status of each virtual machine (VM) that is installed on the CVSG-VE Location and allows an administrator to stop or start each VM. This page is the front page of Gateway Viewer when accessed on a CVSG-VE Location, and is also available by accessing the Monitoring button and selecting Virtual Machine from the menu that is displayed.

    If a user accesses the Gateway Viewer application of a CVSG-VE Location without logging in as an administrator, the Virtual Machine Status page will appear as the front page of the application. This page will display the name, IP address, current status, and date/time of the last status change of each VM that is installed on that CVSG-VE Location.

    Figure 4.1 Virtual Machine Status Page

    When a user logs in to Gateway Viewer as an administrator, the page will provide controls over the VMs in addition to status information. By default, the information on this page will refresh automatically every minute. You can modify the refresh interval for this page by selecting the refresh icon at the top of this page or manually refresh the page at any time by right-clicking your mouse and selecting Refresh from the menu that appears.

    Figure 4.2 Virtual Machine Status Administrator page

    In addition to the name, IP address, current status, and date/time of last status change of each VM, three buttons will be displayed for each VM: Start, Stop, and Restart. The availability of these buttons will depend on the current status of the VM. When a VM is Running, you can Stop or Restart it. When a VM is Stopped, you can Start it. Whatever control you choose, a page will be displayed to confirm your choice.

    Figure 4.3 Virtual Machine Control Confirmation page

    On this page, click Continue to continue with your chosen selection or Cancel to cancel your selection. Each control may take up to several minutes to complete its operation, but you can view the current status as it changes on the Virtual Machine Status page.

    VMs start up automatically when the CVSG-VE Location is started. However, when you Stop a VM on this page, the stop will remain persistent through subsequent restarts of the CVSG-VE Location.

    Two default VMs will be displayed on this interface: Gw and Host. Gw represents the Corente Virtual Services Gateway service that is running on the CVSG-VE Location, while the Host is the entity in the CVSG-VE Location that monitors and manages VMs. You will be unable to Start, Stop, or Restart these two default services with this page (although you can Start, Stop, or Restart the gateway service on the Control page in Gateway Viewer).

    Chapter 5 Monitoring and Alerts

    Table of Contents

    • 5.1 Internal Monitoring
    • 5.2 Serial Console Access for the Virtual Machines, Virtual Host, and Corente Virtual Services Gateway Software
    • 5.3 Monitoring
    • 5.4 Alerts

    Corente provides extensive monitoring and alerting capabilities to facilitate management of the Corente Virtual Services Gateway (CVSG-VE) edition.

    5.1 Internal Monitoring

    The Corente Virtual Services Gateway Software in the CVSG-VE Location monitors each virtual machine (VM) through the startup, running, and shutdown states. Each VM is monitored by verifying its status with the VM system, as well as by ping to the VM’s IP address. Recovery is performed automatically by restarting the VM. If the VM fails to respond to ping within 10 minutes of being launched, or fails to respond to ping for 10 minutes after it has been running, it is presumed dead and is restarted.

    Furthermore, as is the case for ordinary Corente Virtual Services Gateways, the CVSG-VE Location is monitored by itself and remotely by the SCP.

    5.2 Serial Console Access for the Virtual Machines, Virtual Host, and Corente Virtual Services Gateway Software

    During normal operation of the CVSG-VE Location, when a monitor/keyboard is attached to the CVSG-VE Location, the main serial console of the virtual host on the CVSG-VE Location will be displayed by default. Pressing Alt-F1 will always return you to the main serial console of the virtual host. Alt-F2 through Alt-F7 are used for the additional serial consoles of the virtual host (like most Linux machines, the virtual host has six serial consoles).

    In order to access the serial console for the Corente Virtual Services Gateway Software on the CVSG-VE Location, and view the current status of operations for the gateway, you must use the vmcon command from the host operating system.

    5.3 Monitoring

    The Reports feature of App Net Manager provides graphs that allow you to monitor the performance of the applications, CVSG-VE Locations, and Locations in your Corente domain (including bandwidth usage, latency, and loss measurements over time) and logs that allow you to monitor various activities (such as administrator activity, Corente Client activity, etc.). This monitoring is automatically performed on all traffic that is routed through a Corente Location or CVSG-VE Location. For more information on Corente monitoring, refer to the “Reports” chapter of the III. Corente Services Administration manual.

    Additionally, monitoring can be enabled for each VM on a CVSG-VE Location as if the VM were a standalone server on the LAN. This includes application monitoring for the application(s) on a VM, which provides insight into the functionality and performance of each application, and server monitoring, which allows you to verify that resource consumption on the VM (i.e., CPU, disk, swap space, and memory usage) falls within specified limits (note that the availability of server monitoring is subject to the Guest OS of the VM having the appropriate SNMP agent and MIBs installed).

    You can also use SNMP v1, v2, or v3 to remotely monitor your CVSG-VE Locations and each of their tunnel connections. For more information on setting up and using SNMP monitoring with Corente, refer to the “SNMP” chapter of the III. Corente Services Administration manual.

    5.4 Alerts

    Corente provides alarm notifications for specific conditions of the CVSG-VE Location and VMs, including:

    • VM is up

    • VM is down (due to administration)

    • VM is down (due to a failure)

    • VM is experiencing an error

    These alerts can be sent via email/pager notification, provided the appropriate configuration has been performed on the Virtual Machines tab of the CVSG-VE Location form for the VM (by enabling the Send_alarm_emails parameter).

    Chapter 6 Installation and Configuration of the CVSG-VE Location

    Table of Contents

    • 6.1 Installation in App Net Manager Lite
    • 6.2 Installation in App Net Manager
    • 6.3 Additional Configuration
        • 6.3.1 Location Tab
        • 6.3.2 Network Tab
        • 6.3.3 Applications Tab
        • 6.3.4 Monitored Servers Tab
        • 6.3.5 User Groups Tab
        • 6.3.6 Routes Tab
        • 6.3.7 Partners Tab
        • 6.3.8 SNMP Tab
        • 6.3.9 User Remote Access Tab
        • 6.3.10 High Availability Tab
        • 6.3.11 Alerts Tab
        • 6.3.12 Updating Virtual Machines and their Applications

    The Corente Virtual Services Gateway Virtual Environment (CVSG-VE) edition is installed and configured in a similar manner as an ordinary Corente Virtual Services Gateway, but with several differences due to the presence of the virtual host and virtual machines (VMs). The CVSG-VE Location installation and configuration procedures are outlined in this section.

    6.1 Installation in App Net Manager Lite

    If you do not yet have any active Locations in your domain, you can use App Net Manager Lite to install your first CVSG-VEs. These CVSG-VEs will have a very basic configuration—only the essentials needed to get the CVSG-VE up, running, and active with the SCP. More advanced configuration is available only through App Net Manager, which is accessible once the CVSG-VE on your LAN is active.

    To begin creating a CVSG-VE Location in App Net Manager Lite:

    • Select the File menu and choose Add CVE Location; or

    • Right-click the Locations category in the domain directory and choose Add CVE Location.

    This will launch the Add a New CVE Location wizard, which will take you step-by-step through the CVSG-VE creation process. This wizard is identical to the Add a New Location wizard, which is documented in the I. Corente Services Planning guide, except for one additional step at the end of the wizard:

    Figure 6.1 Virtual Environment Host Interface Type

    On the Virtual Environment Host Interface Type step, choose how an IP address will be assigned to the virtual host in the CVSG-VE Location. If the address will be assigned dynamically by a DHCP server, choose DHCP and click Next. If you would like to assign a specific address to the virtual host, choose Static and click Next, then enter an IP address in the next step and click Next. For both options, remember that any address assigned to the virtual host must be on the same subnet as the LAN interface (or WAN/LAN interface) of the CVSG-VE Location.

    Once you have completed the wizard, downloaded the configuration to your hardware, and activated the new CVSG-VE, you can access App Net Manager and Edit the CVSG-VE to access the advanced configuration form that is described in the next section.

    6.2 Installation in App Net Manager

    To begin creating a CVSG-VE Location in App Net Manager:

    • Select the File menu and choose Add CVE Location; or

    • Right-click the Locations category in the domain directory and choose Add CVE Location.

    Figure 6.2 Add CVSG-VE Location

    The Location form will be displayed for the CVSG-VE Location. CVSG-VE Location forms capture settings similar to the settings available on the ordinary Location form, but due to differences in functionality, some options and tabs are not available.

    1. On the first tab of the form, the Location tab, fill in the name, physical location, time zone, maintenance, Zero Touch Installation, and advanced performance tuning preferences for the CVSG-VE Location.

    Figure 6.3 Location Tab

    2. On the Network tab of the Location form, you must define a LAN/WAN Interface (for a CVSG-VE Location in the Peer configuration) or a LAN and a WAN interface (for a CVSG-VE Location in the Inline configuration).

    Figure 6.4 Network Tab

    To define the interface(s), select the Add button in the Network Interfaces section.

    Figure 6.5 Select Interface

    On the window that is displayed, select the interface you would like to define and click OK.

    A. Peer Configuration

    A Peer CVSG-VE Location uses a single Ethernet interface and can reside in any location on the LAN. To define a Peer CVSG-VE Location, select WAN/LAN Interface and click OK.

    Figure 6.6 Add WAN/LAN Interface

    On the window that is displayed, select the method by which the CVSG-VE Location will be assigned addressing information for this interface (either a Static address assignment or a dynamic assignment via DHCP). A typical configuration would use DHCP.

    Use the DNS section to identify the DNS servers that will be used by this CVSG-VE Location to resolve DNS names. If you are using DHCP to assign addressing information to one or more interfaces of the CVSG-VE Location, you can select Get DNS Dynamically to obtain the addresses of the servers dynamically. Complete the Proxy Server section if this CVSG-VE must connect to the Internet via a proxy server.

    Use the options in the DHCP Servers section to configure the CVSG-VE Location as a DHCP server for VMs and computers on its LAN or for its Corente Client partners. For more information, refer to the “LAN DHCP Server” and “RAS Client DHCP Server” sections in the II B. Corente Services Policy Definition and Provisioning manual.

    Use the Interface Aliases section to define alias address(es) for this interface to use when configuring port forwarding for VMs or servers on the LAN. For more information, refer to the “Port Forwarding” section of “Appendix B: Additional Tube Configurations” in the II B. Corente Services Policy Definition and Provisioning manual.

    B. Inline Configuration

    An Inline CVSG-VE Location uses two Ethernet interfaces (one that connects to your LAN, and one that connects to an external network, e.g. the Internet) and acts as the gateway device for a LAN. To define an Inline CVSG-VE Location, begin by selecting LAN Interface and clicking OK.

    Figure 6.7 Add LAN Interface

    On the window that is displayed, enter the addressing information for the LAN interface. The LAN address of an Inline CVSG-VE Location must always be static. You must manually enter an IP address and subnet mask for this interface.

    Use the options in the DHCP Servers section to configure the CVSG-VE Location as a DHCP server for VMs or computers on its LAN or for its Corente Client partners. For more information, refer to the “LAN DHCP Server” and “RAS Client DHCP Server” sections in the II B. Corente Services Policy Definition and Provisioning manual.

    After defining the LAN interface for the Inline CVSG-VE Location, you must also define the WAN Interface.

    Figure 6.8 Add WAN Interface

    Select the method by which the CVSG-VE Location will be assigned addressing information for the WAN interface (either a Static address assignment, a dynamic assignment via DHCP, or by using PPPOE). A typical configuration would use DHCP.

    Use the DNS section to identify the DNS servers that will be used by this CVSG-VE Location to resolve DNS names. If you are using DHCP to assign addressing information to one or more interfaces of the CVSG-VE Location, you can select Get DNS Dynamically to obtain the addresses of the servers dynamically. Complete the Proxy Server section if this CVSG-VE must connect to the Internet via a proxy server.

    Use the Interface Aliases section to define alias address(es) for this interface to use when configuring port forwarding for VMs or servers on the LAN. For more information, refer to the “Port Forwarding” section of “Appendix B: Additional Tube Configurations” in the II B. Corente Services Policy Definition and Provisioning manual.

    3. When you define a static address for the WAN/LAN interface or LAN interface of your CVSG-VE Location on the Network tab, a dialog box will appear that asks if you would like to add the entire subnet of that IP address to the Default User Group for your CVSG-VE Location. The Default User Group contains all of the local addresses that will be participating in the secure network, including both addresses on the CVSG-VE Location’s LAN and the addresses of the CVSG-VE Location’s VMs.

    Figure 6.9 Add Address Range

    When you click Yes, the entire subnet will be added to the Default User Group. You can access the User Group tab in the CVSG-VE Location form later to add additional addresses to the Default User Group or exclude certain addresses, if you would like.

    When you click No, the Default User Group will remain undefined. You must manually add addresses to the Default User Group on the User Group tab. Remember that if you want to share the application(s) on any VM in the CVSG-VE Location with other Locations in your secure network, you must add the IP address(es) of the VM(s) to the Default User Group.

    4. After completing the basic Location and Network configuration for the CVSG-VE Location, access the Virtual Machines tab.

    Figure 6.10 Virtual Machines Tab

    5. In the Virtual Environment Host section, choose how an IP address will be assigned to the virtual host in the CVSG-VE Location. If the address will be assigned dynamically by a DHCP server, choose DHCP. If you would like to assign a specific address to the virtual host, choose Static and enter an IP address in the adjacent field. For both options, remember that any address assigned to the virtual host must be on the same subnet as the LAN interface (or WAN/LAN interface) of the CVSG-VE Location.

    When DHCP is enabled, the MAC address of the interface will be displayed in the MAC Address field.

    6. Any existing VMs that are currently installed on the CVSG-VE Location will be listed on this tab. Click the Add button to add a new VM. In this example, we are adding a VM named VM_1.

    Figure 6.11 Add Virtual Machine

    7. Fill out the Add Virtual Machine window as follows:

    • Name: Enter a name for the VM in this field. This name will function like a host name for the VM.

    • General Settings:

    • Memory (MB): This sets the amount of RAM that is allocated and given to the VM when it is running. The amount of memory specified in this field will be requested from the CVSG-VE Location, so it must be available or made available as free memory when attempting to start the VM and will not be available to the CVSG-VE Location while the VM is running. Remember that the amount of memory that is available for all of the VMs on this CVSG-VE Location is limited by the amount of memory on the CVSG-VE Location hardware itself. The default is 1 GB (1024 MB), but you may modify this parameter if necessary. The maximum amount of memory that can be assigned to a VM is 3584 MB.

    • Send Alarm Emails: If you would like to be alerted via email when alarms are generated concerning this VM, select this checkbox. Notifications will be sent to the email addresses specified on this CVSG-VE's Location Alerts tab and/or the default email addresses specified for this domain on the Alerts tab of the Domain Preferences window. If you do not select this checkbox, no emails will be sent; however, the alarms will be displayed on the Alarms and Events interface of App Net Manager.

    • Console Display Port: Select this option to enable access to the VM via the RDP application. In the adjacent field, enter the port number on the CVE Location that will be used by the application to contact the VM. The default port for the first VM is 3389. Each subsequent VM will increment this default port by one, so that each VM is contacted via a different port. To connect to a VM via RDP, use the IP address of this CVE Location's Virtual Environment Host Interface and the Console Display Port number for that specific VM.

    • Virtual Machine Interfaces: Click Add to add a new interface to this VM. On the screen that is displayed, select the method with which this VM will be assigned its IP addressing information:

    • DHCP: If you would like this VM to receive its IP address via DHCP from the CVSG-VE or a DHCP server on your LAN, select DHCP. The VM will receive an address on the same subnet as the LAN address (if Inline) or WAN/LAN address (if Peer) of the CVSG-VE.

    Figure 6.12 Add Virtual Machine Interface: DHCP

    DNS Settings: Select DNS from DHCP if the IP addresses of the DNS server(s) will be provided by the DHCP server when it serves the VM's IP address.

    Adapter Type: Select a specific network adapter to be used by the interface. This is needed specifically for VMs made in VirtualBox that use the Windows 7 or Windows Vista operating systems so that the network will come up properly. You can choose from the PCnet-PCI II (Am79C970A), PCnet-FAST III (Am79C973), Intel PRO-1000 MT Desktop (82540EM), Intel PRO/1000 T Server (82543GC), or Intel PRO/1000 MT Server (82545EM) interfaces.

    • Static: If you would like to assign a static address to this VM, select Static.

    Figure 6.13 Add Virtual Machine Interface: Static

    IP Address: Enter the IP address that you would like assigned to this VM. This address must be on the same subnet as the LAN address (if Inline) or WAN/LAN address (if Peer) of the CVSG-VE.

    DNS Settings: Enter the IP address(es) of the primary (and secondary, if applicable) DNS servers that will be used by this VM to resolve DNS names.

    Adapter Type: Select a specific network adapter to be used by the interface. This is needed specifically for VMs made in VirtualBox that use the Windows 7 or Windows Vista operating systems so that the network will come up properly. You can choose from the PCnet-PCI II (Am79C970A), PCnet-FAST III (Am79C973), Intel PRO-1000 MT Desktop (82540EM), Intel PRO/1000 T Server (82543GC), or Intel PRO/1000 MT Server (82545EM) interfaces.

    • Virtual Machine Disks: Select Add to add a new disk to the VM. One of each of the following types of disks can be added to a VM: hda, hdb, hdc (for VMs using Linux or Solaris), C, D, E (for VMs using Windows), floppy, and dvd.

    Figure 6.14 Add Virtual Machine Disk

    Click OK when you are finished to store this VM on the CVSG-VE.

    8. If you are installing any disk images for a VM remotely via a remote distribution server, you mustmake sure that the CVSG-VE Location will have access to the appropriate server(s) supplying the diskimages. This might mean that you need to access the Partners tab and partner the CVSG-VE Locationwith the Corente Virtual Services Gateway on the distribution server’s LAN. For more information aboutpartnering a CVSG-VE Location, refer to Section 6.3.7, “Partners Tab”.


    9. Click OK on the Location form to store the new CVSG-VE Location’s basic configuration. Save your changes to App Net Manager by clicking the Save button on the toolbar.

    10. If installing a disk image via a remote distribution server that is behind another Corente Virtual Services Gateway, access the Partners tab of that gateway’s Location form and partner it with the CVSG-VE Location, granting the appropriate permissions that will allow the CVSG-VE Location to download files from the server. Complete this configuration for as many distribution servers behind as many gateways or CVSG-VE Locations as the CVSG-VE Location will need to access.

    11. If you do not have Zero Touch Installation enabled for this CVSG-VE, download the CVSG-VE Location configuration to a USB flash drive. All other configuration file installation options that are used by ordinary Corente Virtual Services Gateways will be unavailable; you must install the configuration file on a CVSG-VE Location using a USB flash drive. For more information on downloading a Location configuration to a USB flash drive, refer to the “Download the Configuration File to a Floppy Disk or USB Flash Drive” section of the II A. Corente Virtual Services Gateway Hardware Preparation and Deployment manual. For more information about Zero Touch Installation, refer to the “Enable Zero Touch Installation” section of the II B. Corente Services Policy Definition and Provisioning manual.

    12. Create a vmhost installation DVD or USB flash drive.

    • The image file for the installation DVD can be downloaded from the following location: http://www.corente.com/pub/release/current/iso/ and then burned to a DVD. The file name is or-vmhost, followed by the current version number. Make sure to physically label the DVD that you create, as booting any machine with this DVD in the DVD drive will reformat the machine’s hard drive.

    • Prepare a portable USB flash drive that uses the FAT format and has 2 GB of free space. The .zip file for the executable to create an installation USB flash drive can be downloaded from the following location: http://www.corente.com/pub/release/current/tsg/VmUsbKeydriveInstall.zip. When the .zip file has downloaded, extract it into a new directory. When it has finished extracting, there will be an .exe file inside the new directory. Double-click this .exe file to open the USB flash drive installer. Click Next to move through the screens and create the bootable USB flash drive. When prompted, insert your flash drive into a USB port on your computer. The installer will automatically detect the removable drive on which to install the bootable USB flash drive files.

    Caution

    Make sure this is the correct drive. You could damage your system if the installer loads the files onto your hard drive. Make sure to physically label the USB flash drive that you create, as booting any machine with this drive in the USB port will reformat the machine’s hard drive.

    13. Attach a monitor/keyboard to the host machine and boot it from the vmhost installation DVD or USB flash drive. This will format the hard disk and install the CVSG-VE Location software. There will be no warnings or confirmations that this is taking place, so, again, make sure this DVD/USB flash drive is never loaded in a machine that you do not want to turn into a CVSG-VE Location.

    14. If requested, insert the USB memory device containing the CVSG-VE Location configuration into the USB drive of the new CVSG-VE Location. The initial configuration of the CVSG-VE Location takes about 30 minutes. After this time period, if the CVSG-VE Location is connected to the Internet, the CVSG-VE Location will activate with the SCP and appear as Active in App Net Manager.

    15. If the VM was configured to use either USB or CD/DVD media for any of the disk image file fetches of a VM, it will be requested by a message emitted to the CVSG-VE Location console. Follow the on-screen instructions to install the disk image.


    If the VM was configured to fetch any of the disk image files from a remote server, it will attempt to download the disk image(s) via the path you specified on the Virtual Machines tab. Follow the on-screen instructions to install the disk image.

    Fetch Behavior

    Depending on how you fill out the fetchlocal, fetchremote, and fetchseed parameters when installing a VM’s disk image onto the CVSG-VE Location, the CVSG-VE Location will install the disk image in the following manner:

    Table 6.1 Fetch Behavior

    | FetchRemote | FetchLocal | FetchSeed | Result |
    |---|---|---|---|
    | (none) | (none) | (none) | Invalid configuration |
    | (none) | (none) | seed.vdi | If no app.vdi file, copy from seed |
    | (none) | usb, cd or dvd | (none) | If version mismatch, or no local app.vdi file, copy from media |
    | (none) | usb, cd, or dvd | seed.vdi | Copy from media to app.vdi and also create seed |
    | rsync://sss, http://sss, https://sss or ftp://sss | (none) | (none) | If version mismatch, or no app.vdi file, fetch remotely |
    | rsync://sss, http://sss, https://sss or ftp://sss | (none) | seed.vdi | If no app.vdi file, copy seed as initial state, then do rsync, http, https or ftp to update |
    | rsync://sss, http://sss, https://sss or ftp://sss | usb, cd or dvd | (none) | If no app.vdi file, copy from media as initial state, then do rsync, http, https or ftp to update |
    | rsync://sss, http://sss, https://sss or ftp://sss | usb, cd or dvd | seed.vdi | Copy file to seed. If no app.vdi file, copy seed, then do rsync. If version mismatch, fetch remotely |
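
The function below is an added example, not Corente code: it follows a literal reading of Table 6.1 to predict which copy and fetch steps a Location performs for one virtual disk, and whether app.vdi gets rewritten. The names validate, plan and overwrites_app, the step tuples, and the sample rsync://sss/app.vdi path are assumptions; states the table leaves unspecified return no steps.

```python
"""Predict what a CVSG-VE Location does with a VM disk image, per Table 6.1.

Added illustration based on a literal reading of the table; not Corente code.
States that the table does not mention produce no steps.
"""
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"rsync", "http", "https", "ftp"}  # schemes listed in Table 6.1
LOCAL_MEDIA = {"usb", "cd", "dvd"}                  # media listed in Table 6.1
APP = "app.vdi"


def validate(fetchremote, fetchlocal, fetchseed):
    """Return a list of problems with the three parameters (empty if none)."""
    problems = []
    if not (fetchremote or fetchlocal or fetchseed):
        problems.append("invalid configuration: no fetch parameter is set")
    if fetchremote and urlsplit(fetchremote).scheme.lower() not in REMOTE_SCHEMES:
        problems.append(f"fetchremote scheme not in {sorted(REMOTE_SCHEMES)}")
    if fetchlocal and fetchlocal.lower() not in LOCAL_MEDIA:
        problems.append(f"fetchlocal not one of {sorted(LOCAL_MEDIA)}")
    return problems


def plan(fetchremote=None, fetchlocal=None, fetchseed=None, *,
         app_exists, version_mismatch):
    """Return ordered (action, source, target) steps for one virtual disk."""
    problems = validate(fetchremote, fetchlocal, fetchseed)
    if problems:
        raise ValueError("; ".join(problems))
    remote, local, seed = bool(fetchremote), bool(fetchlocal), bool(fetchseed)
    steps = []
    if remote and local and seed:
        # Last table row: the seed is always refreshed first.
        steps.append(("copy", "media", "seed"))
        if not app_exists:
            steps += [("copy", "seed", APP), ("fetch", "remote", APP)]
        elif version_mismatch:
            steps.append(("fetch", "remote", APP))
    elif remote and (local or seed):
        # Seed or media gives the initial state, the remote fetch updates it.
        if not app_exists:
            source = "media" if local else "seed"
            steps += [("copy", source, APP), ("fetch", "remote", APP)]
    elif remote:
        if version_mismatch or not app_exists:
            steps.append(("fetch", "remote", APP))
    elif local and seed:
        # The table states no condition for this row.
        steps += [("copy", "media", APP), ("copy", "media", "seed")]
    elif local:
        if version_mismatch or not app_exists:
            steps.append(("copy", "media", APP))
    else:  # fetchseed only
        if not app_exists:
            steps.append(("copy", "seed", APP))
    return steps


def overwrites_app(steps):
    """True if any step writes app.vdi, replacing data stored on that disk."""
    return any(target == APP for _, _, target in steps)


if __name__ == "__main__":
    # Constructed sample: a remote-only disk whose Version was raised.
    sample = plan("rsync://sss/app.vdi", app_exists=True, version_mismatch=True)
    print(sample, "overwrites app.vdi:", overwrites_app(sample))
```

Running plan for each disk before raising its Version shows which disks will have app.vdi replaced.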

    6.3 Additional Configuration

    After installing the CVSG-VE Location, you should return to its CVSG-VE Location form in App Net Manager to configure additional functionalities of the CVSG-VE Location and to partner the CVSG-VE Location with other Corente Locations (for example, the head-end gateways at your datacenter), CVSG-VE Locations, or Corente Clients. Whenever the procedure for configuring these tabs is the same for a CVSG-VE Location as it is for an ordinary Corente Virtual Services Gateway, this guide will provide a cross reference to the appropriate section or chapter of the Corente manual that explains the fields and options on the tab.

    6.3.1 Location Tab


    In addition to the Identity and Location and Maintenance sections that are explained in the Installation section (Section 6.2, “Installation in App Net Manager”) of this guide, the Location tab provides two other options:

    • If you would like this CVSG-VE Location to send system log messages to be captured by another server, use the options provided in this section. For more information on remote logging with Corente, refer to the “Location” section in the II B. Corente Services Policy Definition and Provisioning manual.

    • This tab also includes a Notes field if you would like to save any notes about this CVSG-VE Location.

    6.3.2 Network Tab

    The Network tab allows you to:

    • Enable OSPF, RIPv2, or BGP to automate routing if you have more than one subnet on your LAN that you would like to participate in your secure network, and one or both of these services are enabled on your LAN routers;

    • Enable backhaul to aggregate your Internet traffic and have it exit outbound to the Internet and enter inbound to your network via a single Location (or multiple locations, if you prefer); and

    • Allow or deny nested subnets between this CVSG-VE Location and its partners.

    For more information on the features available on this tab, refer to the “Network” section in the II B. Corente Services Policy Definition and Provisioning manual.

    6.3.3 Applications Tab

    The Applications tab allows you to register applications installed on VMs or local servers, which can then be shared by the CVSG-VE Location with the head-end Corente Virtual Services Gateways at your datacenter (or any other partner), registered with Corente DNS, and monitored via the Reports feature of App Net Manager and Gateway Viewer.

    Figure 6.15 Applications tab

    Figure 6.16 Add Application

    Once you complete the application definition, it can be used to create tube definitions on the Partners tab between this CVSG-VE Location and its partners (see Section 6.3.7, “Partners Tab”).

    Additionally, if you would like a VM itself (and not just its applications) to be reachable via DNS name, you can register the VM as an application on this Applications tab and select the Register Application Name in DNS option for it.

    For information on creating an application definition and completing the fields and options available on this tab, refer to the “Applications” section in the II B. Corente Services Policy Definition and Provisioning manual.

    6.3.4 Monitored Servers Tab

    The Monitored Servers tab allows you to register servers with this CVSG-VE Location in order to monitor the availability of these servers and the usage of certain resources on these servers (CPU, physical memory, disk space, and/or swap space).

    This feature can also be used to monitor each VM that is installed in a CVSG-VE Location as if it were an ordinary server on the LAN, as long as the appropriate SNMP MIBs have been installed on the VM.

    Figure 6.17 Monitored Servers tab

    Figure 6.18 Add Server

    For more information on registering a local server or VM to be monitored with this feature, refer to the “Monitored Servers” section in the II B. Corente Services Policy Definition and Provisioning manual.

    6.3.5 User Groups Tab

    The User Groups tab lets you identify groups of VMs and machines on the CVSG-VE Location’s local network (computers, servers, printers, etc.) that will be allowed to participate in your secure network.

    Figure 6.19 User Groups Tab

    The IP addresses of all secure network participants must be included in the Default User Group. To edit the Default User Group, select Default User Group and click the Edit button. When assigning an address to the WAN/LAN or LAN interface of your CVSG-VE Location, you may have added the entire subnet of that address to the Default User Group by clicking Yes on the Add Address Range dialog box.

    In order to share a VM application across the secure network, the IP address of that VM must be included in the Default User Group.

    Figure 6.20 Edit Default User Group

    For policy purposes and tube configuration, you can click the Add button to create additional User Groups that are subsets of the Default User Group.

    For more information on creating User Groups, refer to the “User Groups” section in the II B. Corente Services Policy Definition and Provisioning manual.

    6.3.6 Routes Tab

    If your local network is organized into different subnets of computers and you would like more than one of these subnets to be included in your secure network, you can use OSPF, RIPv2, or BGP to automatically manage these routes (enabled on the CVSG-VE Location using the Network tab of the Location form) or add static routes from your CVSG-VE Location to these computers with the Routes tab of the Location form.

    Figure 6.21 Routes Tab

    For more information on registering local routes with the CVSG-VE Location, refer to the “Routes” section in the II B. Corente Services Policy Definition and Provisioning manual.

    6.3.7 Partners Tab

    The Partners tab is used to partner the CVSG-VE Location with any Corente Virtual Services Gateway, CVSG-VE Location, or Corente Client in your Corente domain or extranet (for example, the head-end gateways at your datacenter). You will also use this tab to create tubes to refine the access between the applications/User Groups of the CVSG-VE Location and those of its partners.

    Figure 6.22 Partners Tab

    This tab also contains two access partners that automatically appear in the Partner list: LAN to Internet Access and LAN to Location Access. These partners can be used to configure firewalls on different connections that your CVSG-VE Location provides.

    • The LAN to Internet Access partner allows you to enable a Corente Virtual Services Gateway-based Internet firewall and to enable port forwarding for your LAN.

    • The LAN to Gateway Access partner allows you to limit the local machines on the LAN that are allowed to access the CVSG-VE Location's IP address for such services as monitoring via SNMP or using the Corente Gateway Viewer application.

    When either of these partners is selected, Tubes can be defined for the connection. For more information about the purpose of these access partners and how to use them, refer to “Appendix B: Additional Tube Configurations” in the II B. Corente Services Policy Definition and Provisioning manual.

    To add a new partner, click the Add button. To edit an existing partnership, select the name of the partner and click Edit.

    Figure 6.23 Add Partner

    The Add Partner screen for CVSG-VE Locations will be displayed. This screen is similar to the Add Partner screen for Locations, but contains fewer options due to the differences in functionality of the devices. You can use this screen to configure several parameters for the partnership, including NAT settings, connection sharing, and failover specifications when you would like the partner to be a Backup partner only.

    You can also create tubes for this partnership in the Tubes section.

    Remember that all Location partnerships are based on mutual consent—not only must the partnership be enabled and configured for this CVSG-VE Location on its CVSG-VE Location form, but it must be enabled and configured for the partner on that partner’s form.

    For more information on these fields and on creating tubes, refer to the “Partners” section of the II B. Corente Services Policy Definition and Provisioning manual.

    6.3.8 SNMP Tab

    The Simple Network Management Protocol (SNMP) is a protocol used to monitor network performance and certain aspects of network devices. With the options on the SNMP tab, you can configure how SNMP will be used to retrieve information about this CVSG-VE Location and its tunnel connections.

    Figure 6.24 SNMP Tab

    For more information on the features available on this tab, refer to the “SNMP” section in the III. Corente Services Administration manual.

    6.3.9 User Remote Access Tab

    The User Remote Access tab allows an administrator to manage remote access to this CVSG-VE Location. Corente Clients, SSL Clients, and Mobile Users can be granted access to the VMs, local servers, and their applications.

    Figure 6.25 User Remote Access Tab

    For information on how Corente Client and SSL Client access to a CVSG-VE Location is configured, refer to the section “User Remote Access” in the VI. Corente Services Client and VII. Corente Services SSL Client manuals.

    6.3.10 High Availability Tab

    The High Availability tab allows you to enable failover for the CVSG-VE Location, allowing you to redirect partner traffic that is bound for VMs on this CVSG-VE Location or to servers on the CVSG-VE Location’s LAN to other Backup Locations in your domain.

    Important

    Because VMs reside in the CVSG-VE Location itself, VMs themselves are unavailable if the connection to the CVSG-VE Location fails. Traffic failover for User Groups containing VMs or applications served by VMs can only be used when the Backup Location provides access to a subnet where these VMs are mirrored.

    Figure 6.26 High Availability Tab

    For more information on configuring traffic failover for a CVSG-VE Location, refer to the section “High Availability” in the II B. Corente Services Policy Definition and Provisioning manual.

    6.3.11 Alerts Tab

    The Alerts tab allows you to enable email notifications and SNMP traps for alerts generated by the Corente Virtual Services Gateway Software in the CVSG-VE Location.

    Figure 6.27 Alerts Tab

    For more information on configuring alerts for a CVSG-VE Location, refer to the section “Alerts” in the II B. Corente Services Policy Definition and Provisioning manual.

    6.3.12 Updating Virtual Machines and their Applications

    VMs and their applications are updated by overwriting the current disk images on the VM with new disk image files. To update a VM on a CVSG-VE Location, ensure that the new virtual disk image(s) have been placed on the Rsync Application Deployment Server used by your CVSG-VE Locations (if the disk images are supplied remotely) and/or that you have a USB flash drive or CD/DVD with the new disk images (if the disk images are supplied locally).

    In App Net Manager, on the CVSG-VE Location form for each CVSG-VE Location, access the Virtual Machines tab and Edit the VM you want to update. In the window that is displayed, locate the disk(s) you want to update and enter higher value(s) for their Version parameter(s). Click OK on this window and the CVSG-VE Location form window, then Save your changes in App Net Manager. Make sure that a monitor and keyboard are connected to the CVSG-VE Location. The SCP will contact the CVSG-VE Location and notify it that new version(s) of the virtual disk file(s) are available for the virtual disk(s) you want to update. The CVSG-VE Location will fetch the new file(s) by the method that is specified for the disk(s) on the Virtual Machines tab (i.e., fetchlocal or fetchremote) and overwrite the current virtual disk image(s) on the VM.

    Because updating a virtual disk completely overwrites the previous disk image file, any persistent or temporary data previously stored on the disk will be deleted permanently. If the VM is arranged so that you are storing data on a virtual disk that you would like to update, you can avoid losing the data by logging into the VM and copying the data out before updating. However, because entire disk image files cannot be retrieved from a CVSG-VE Location once they are installed, it is easier to avoid a time-consuming data retrieval process by simply having the VM arranged so that persistent or temporary data is stored on another virtual disk during normal operation of the VM.


    Chapter 7 Accessing Applications on the Virtual Machines

    The Corente Virtual Services Gateway Software in the Corente Virtual Services Gateway Virtual Environment (CVSG-VE) edition enforces and secures all remote access to the virtual machines (VMs) and their applications. Policy rules may be configured to allow access to the VMs from partner Locations, CVSG-VE Locations, or Corente Clients. The VMs and their applications are accessible by these partners only via tubes through secure Corente tunnels.

    Each VM appears on the CVSG-VE Location’s local network in exactly the same manner as a physical machine. Thus, VMs and their applications are accessible by machines on the CVSG-VE Location’s LAN when those machines are on the same subnet as the CVSG-VE Location or routing is in place that allows the machines to access the CVSG-VE Location. VMs may use any protocol to communicate with other LAN devices (or even other VMs).


    Appendix A Legal Notices

    Table of Contents

    A.1 Oracle Legal Notices
    A.2 DocBook XSL License

    This appendix contains the legal notices that apply to this document.

    A.1 Oracle Legal Notices

    Copyright © 2014, 2015, Oracle and/or its affiliates. All rights reserved.

    This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

    The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

    If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

    U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

    This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

    Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

    Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

    This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

    Documentation Accessibility

    For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

    Access to Oracle Support

    Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pl