Preface This documentation describes how to use the Device Manager to configure the Cisco ACE 4700 Series Application Control Engine Appliance. This section provides the following topics about the documentation: • Audience, pagei • Organization, pagei • Related Documentation, pageiii • Conventions, pagev • Obtaining Documentation, Obtaining Support, and Security Guidelines, pagev • Open-Source Software Included in Cisco ACE Application Control Engine, pagevi • Open Source License Acknowledgements, pagevi Audience This documentation is intended for experienced system and network administrators. Depending on the configuration required, readers should have specific knowledge in the following areas: • Networking and data communications • Network security • Router configuration Organization This documentation contains the following sections: • Chapter1, “Overview” contains an summary of ACE features and the ACE Appliance Device Manager interface, terms, and getting started configuration information. • Chapter2, “Using Homepage” describes how to use the DM Homepage, a launching point for quick access to selected areas within the DM. • Chapter3, “Using DM Guided Setup” describes how to use the guided setup pages to simplify configuration of the DM. Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance OL-26645-01 i Preface • Chapter4, “Configuring Virtual Contexts” describes how to configure virtual contexts on the ACE appliance so that you can effectively and efficiently manage and allocate resources, users, and services. • Chapter5, “Configuring Virtual Servers” contains procedures for configuring virtual servers for load balancing on the ACE. • Chapter6, “Configuring Real Servers and Server Farms” provides an overview of server load balancing and procedures for configuring real servers and server farms for load balancing on the ACE. • Chapter7, “Configuring Stickiness” provides information about sticky behavior and procedures for configuring stickiness with the ANM. • Chapter8, “Configuring Parameter Maps” describes how to configure parameter maps so that the ACE can perform actions on incoming traffic based on certain criteria, such as protocol or connection attributes. • Chapter9, “Configuring SSL” describes the SSL configuration process and details the procedures for configuring SSL on the ACE appliance. • Chapter10, “Configuring Network Access” includes information about configuring virtual context VLAN interfaces, port channel interfaces, and Gigabit Ethernet interfaces. • Chapter11, “Configuring High Availability” contains an overview of the redundancy feature and explains how to configure high available. • Chapter12, “Configuring Traffic Policies” describes how to configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the ACE appliance. • Chapter13, “Configuring Application Acceleration and Optimization” describes how to configure application acceleration and optimization options on the ACE appliance. • Chapter14, “Monitoring Your Network” allows you to monitor key areas of system usage. • Chapter15, “Managing the ACE Appliance” describes the administrative tools that manage the ACE appliance. • Chapter16, “Using ACE Appliance Device Manager Troubleshooting Tools” describes the administrator-only diagnostic tools to help troubleshoot ACE appliance management problems. Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance ii OL-26645-01 Preface Related Documentation In addition to this documentation, the ACE appliance documentation set includes the following: Document Title Description Administration Guide, Cisco ACE Describes how to perform the following administration tasks on Application Control Engine the ACE: • Setting up the ACE • Establishing remote access • Managing software licenses • Configuring class maps and policy maps • Managing the ACE software • Configuring SNMP • Configuring redundancy • Configuring the XML interface • Upgrading the ACE software Application Acceleration and Describes how to configure the web optimization features of the Optimization Guide, Cisco ACE ACE appliance. This guide also provides an overview and 4700 Series Application Control description of those features. Engine Appliance Cisco Application Control Engine Provides examples of common configurations for load (ACE) Configuration Examples Wiki balancing, security, SSL, routing and bridging, virtualization, and so on. Cisco Application Control Engine Describes the procedures and methodology in wiki format to (ACE) Troubleshooting Wiki troubleshoot the most common problems that you may encounter during the operation of your ACE. Command Reference, Cisco ACE Provides an alphabetical list and descriptions of all CLI Application Control Engine commands by mode, including syntax, options, and related commands. CSS-to-ACE Conversion Tool Describes how to use the CSS-to-ACE conversion tool to Guide, Cisco ACE Application migrate Cisco Content Services Switches (CSS) Control Engine running-configuration or startup-configuration files to the ACE. Hardware Installation Guide, Cisco Provides information for installing the ACE appliance. ACE 4710 Application Control Engine Appliance Quick Start Guide, Cisco ACE 4700 Describes how to use the ACE appliance Device Manager GUI Series Application Control Engine and CLI to perform the initial setup and VIP load-balancing Appliance configuration tasks. Regulatory Compliance and Safety Regulatory compliance and safety information for the ACE Information, Cisco ACE 4710 appliance. Application Control Engine Appliance Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance OL-26645-01 iii Preface Document Title Description Release Note, Cisco ACE 4700 Provides information about operating considerations, caveats, Series Application Control Engine and command-line interface (CLI) commands for the ACE Appliance appliance. Routing and Bridging Guide, Cisco Describes how to perform the following routing and bridging ACE Application Control Engine tasks on the ACE: • (ACE appliance only) Configuring Ethernet ports • Configuring VLAN interfaces • Configuring routing • Configuring bridging • Configuring Dynamic Host Configuration Protocol (DHCP) Security Guide, Cisco ACE Describes how to perform the following ACE security Application Control Engine configuration tasks: • Security access control lists (ACLs) • User authentication and accounting using a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server • Application protocol and HTTP deep packet inspection • TCP/IP normalization and termination parameters • Network Address Translation (NAT) Server Load-Balancing Guide, Describes how to configure the following server load-balancing Cisco ACE Application Control features on the ACE: Engine • Real servers and server farms • Class maps and policy maps to load balance traffic to real servers in server farms • Server health monitoring (probes) • Stickiness • Dynamic workload scaling (DWS) • Firewall load balancing • TCL scripts SSL Guide, Cisco ACE Application Describes how to configure the following Secure Sockets Layer Control Engine (SSL) features on the ACE: • SSL certificates and keys • SSL initiation • SSL termination • End-to-end SSL System Message Guide, Cisco ACE Describes how to configure system message logging on the ACE. Application Control Engine This guide also lists and describes the system log (syslog) messages generated by the ACE. Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance iv OL-26645-01 Preface Document Title Description User Guide, Cisco Application Describes how to use Cisco Application Networking Manager Networking Manager (ANM), a networking management application for monitoring and configuring network devices, including the ACE. Virtualization Guide, Cisco ACE Describes how to operate your ACE in a single context or in Application Control Engine multiple contexts. Conventions This documentation uses the following conventions: Item Convention Commands and keywords boldface font Variables for which you supply values italic font Displayed session and system information screen font Information you enter boldface screen font Variables you enter italic screen font Menu items and button names boldface font Selecting a menu item in paragraphs Option> Network Preferences Selecting a menu item in tables Option> Network Preferences Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication. Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Ciscodocuments, see the monthly What’sNew in CiscoProduct Documentation, which also lists all new and revised Ciscotechnical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance OL-26645-01 v Preface Open-Source Software Included in Cisco ACE Application Control Engine • Cisco ACE Application Control Engine includes the following open-source software, which is covered by the Apache 2.0 license (http://www.apache.org/): Ant, Apache Axis, Avalon Logkit, Commons, Ehcache, Globus Toolkit, Jetty, Log4J, Oro, Tomcat. • Cisco ACE Application Control Engine includes the following open-source software, which is covered by The Legion of the Bouncy Castle (http://www.bouncycastle.org/licence.html) license: BouncyCastle. • Cisco ACE Application Control Engine includes the following open-source software, which is covered by the GNU Lesser General Public License Version 2.1 (http://www.gnu.org/licenses/lgpl.html): c3p0-0.9.0.2.jar, Enterprise DT, Jasperreports 1.2, Jcommon 1.2, Jfreechart 1.0.1 • Cisco ACE Application Control Engine includes the following open-source software, which is covered by the Mozilla Public License Version 1.1 (http://www.mozilla.org/MPL/MPL-1.1.html): Itext 1.4. Open Source License Acknowledgements The following acknowledgements pertain to this software license. OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). License Issues The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected]. OpenSSL License: © 1998-1999 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance vi OL-26645-01 Preface 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)” 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected]. 5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)” THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). Original SSLeay License: © 1995-1998 Eric Young ([email protected]). All rights reserved. This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]). Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young ([email protected])”. Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance OL-26645-01 vii Preface The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related. 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ([email protected])”. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License]. Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance viii OL-26645-01 1 C H A P T E R Overview This chapter contains the following sections: • ACE Appliance Device Manager Overview, page1-1 • Information About the ACE No Payload Encryption Software Version, page1-2 • Finding Information on CLI Tasks, page1-3 • Logging into ACE Appliance Device Manager, page1-4 • Changing Your Account Password, page1-6 • ACE Appliance Device Manager Interface Overview, page1-6 • Configuration Overview, page1-18 • Understanding ACE Features, page1-19 • IPv6 Considerations, page1-20 • Understanding ACE Appliance Device Manager Terminology, page1-22 For more information on how to get started quickly, see the Quick Start Guide, Cisco ACE 4700 Series Application Control Engine Appliance. ACE Appliance Device Manager Overview The ACE Appliance Device Manager, which resides in flash memory on the ACE appliance, provides a browser-based interface for configuring and managing the ACE appliance. Its intuitive interface combines easy navigation with point-and-click provisioning of services, reducing the complexity of configuring virtual services and multiple feature sets. ACE Appliance Device Manager menus and options: • Supports end-to-end service provisioning of the ACE appliance and any associated virtual contexts, including network access, port management, application acceleration and optimization, load-balancing, SSL management, resource management, and fault tolerance. Note Device Manager uses SSH and XML over HTTPS to communicate with the ACE appliance and applying exec mode configuration changes (such as, checkpoint, SSL certificate, license, copy, and backup and restore configurations) to the appliance. By default, SSH is enabled on the appliance. However, ensure that the ssh key rsa 1024 force command is applied on the appliance. Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance OL-26645-02 1-1 Chapter1 Overview Information About the ACE No Payload Encryption Software Version • Helps you manage ACE appliance licenses and role-based access control (RBAC). • Provides a monitoring interface with a flexible choice of statistics and graphs. • Enables you report any problem with the ACE appliance using the Lifeline feature, which allows you to forward critical information about the problem to Cisco Technical Support. • Offers task-based context-sensitive help from each screen, providing information about fields on the screen and related procedures. For more information on how to get started quickly, see the Getting Started Guide, Cisco ACE 4700 Series Application Control Engine Appliance. Information About the ACE No Payload Encryption Software Version Beginning with ACE software Version A5(2.0), Cisco makes available the following two ACE software versions: • ACE Payload Encryption (PE)—CLI commands related to payload encryption protocols are enabled. The ACE uses the payload encryption protocols to encrypt through-the-box traffic, such as IPsec, SSL VPN, and other secure voice protocols. The ACE PE software version contains the same payload encryption functionality found in previous ACE software versions. • ACE No Payload Encryption (NPE)—CLI commands related to payload encryption protocols are either removed or do not function because the key encryption configuration commands have been removed. The new ACE NPE software version supports customers located in countries where the United States has imposed export restrictions on crypto functions. Without the use of payload encryption protocol commands, you cannot configure the ACE to perform data encryption tasks, such as configuring it as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. Modifications made to the ACE NPE software version do not affect management protocols, such as SSH, which is required to access the Device Manager GUI. For more information, see the “Using the Setup Script to Enable Connectivity to the Device Manager” section in the Cisco 4700 Series Application Control Engine Appliance Administration Guide. When using the ACE NPE software version, Device Manager includes the following modifications: • The SSL configuration tab (Config > Virtual Contexts > SSL) is removed to prevent access to the main SSL configuration windows. • In GUI sections that typically contain encryption-related configuration attributes, the attributes are either removed or you are not permitted to configure them. If you attempt to configure an encryption-related attribute, Device Manager does not allow you to deploy the configuration. • In GUI sections that display monitored attributes that include encryption-related attributes (such as SSL connection rate), the encryption-related attributes may be listed but do not show any values associated with them. This guide and the Device Manager online help contain notes where information about encryption-related attributes is affected when using the ACE NPE software version. Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance 1-2 OL-26645-02