/cfg/slb/virt <server number>/service/https
Virtual Server HTTPS Service Configuration Menu
The following menu example is application-specific and includes only the application-specific commands. For all common commands, refer to /cfg/slb/virt <server id>/service/basic-slb Virtual Server Basic SLB Service Configuration Menu.
 
[Virtual Server 33 443 https Service Menu]
name - Set descriptive virtual service name
http - HTTP Load Balancing Menu
tcpopt - TCP Optimization Menu
ssl - SSL Load Balancing Menu
cntrules - Content Based Services Rules Menu
appshape - AppShape++ Menu
action - Set action type of this service
pip - Proxy IP Menu
group - Set real server group number
redirect - Set application redirection URL
group - Set real server group number
rport - Set real port
hname - Set hostname
     namesrvr - Set nameserver group for the domain name
cont - Set BW contract for this virtual service
pbind - Set persistent binding type
thash - Set hash parameter
report - Set report granularity level
tmout - Set minutes inactive connection remains open
ptmout - Set in minutes for inactive persistent connection
     satisrt - Set satisfied response time threshold
dbind - Enable/disable/forceproxy delayed binding
clsrst - Enable/disable send RST on connection close
nonhttp - Enable/disable non-HTTP traffic via HTTP tunnel
nonat - Enable/disable only substituting MAC addresses
apm - Enable/disable apm
direct - Enable/disable direct access mode
mirror - Enable/disable session mirroring
winsize0 - Enable/disable using window size zero in SYN+ACK
ckrebind - Enable/disable server rebalancing when cookie is absent
sesslog - Enable/disable session logging
del - Delete virtual service
cur - Display current virtual service configuration
 
Virtual Server HTTPS Service Configuration Options (/cfg/slb/virt/service/https) 
Command Syntax and Usage
name
 
Sets a descriptive name for the virtual service.
http
 
Displays the HTTP Load Balancing menu. To view this menu, see /cfg/slb/virt <server number>/service/http HTTP Load Balancing Menu.
From this menu, you can enable or disable HTTP redirection for Global Server Load Balancing (GSLB) on a per VIP basis. Disabling HTTP redirection causes GSLB to use a proxy IP address for HTTP.
tcpopt
 
Displays the TCP Optimization menu for adding a TCP optimization policy to the client-side and server-side flows of a virtual service. To view this menu, see /cfg/slb/virt/service/basic-slb/tcpopt TCP Optimization Menu.
ssl <srvrcert|sslpol|cur>
 
Displays the SSL Load Balancing menu. To view this menu, see /cfg/slb/virt <server number>/service/https/ssl SSL Load Balancing Menu.
cntrules
 
Displays the Content-Based Services Rule menu. The maximum number of rules per virtual service is 1024. The rule number defines the rule priority.
Note: Alteon performs HTTP Layer 7 content switching before applying any modifications, so content switching is based on the original requests.
appshape++
 
Displays the AppShape++ menu for managing AppShape++ scripts. To view this menu, see /cfg/slb/virt/service/basic-slb/appshape AppShape++ Menu.
action group|redirect|discard
 
Sets the action type of this virtual service. When content rules are configured for the service, this parameter specifies the default action when traffic does not match any of the content rules.
Values:
*group — The traffic is load balanced between the servers of the specified real servers group ID after performing all other actions for the virtual service.
*redirect — Application redirection is performed for HTTP and HTTPS traffic based on the value in the redirect option. This option can be used, for example, to redirect HTTP traffic to HTTPS.
*discard — Traffic is dropped.
Default: group
When the action option is set to redirect, the dbind option is automatically set to forceproxy.
pip
 
Displays the Proxy IP menu. To view this menu, see /cfg/slb/virt/service/basic-slb/pip Proxy IP Menu.
group <real server group ID>
 
redirect
 
Sets the application redirection location of this virtual service.
The redirection location is a string of up to 255 characters with the following format:
<protocol>://<host>[:<port>][/<path>][?<query>]
The protocol and host parameters are mandatory. All other parameters are optional.
For each of the location fields, to access the value in the original request, use token format ($PROTOCOL, $HOST, $PORT, $PATH or $QUERY).
For example:
*To redirect to HTTPS: https://$HOST/$PATH?$QUERY
*To change host: $PROTOCOL://NewHost.com/$PATH?$QUERY
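The location format and token substitution described above, as an added Python sketch (not Radware code and not part of this guide): `lint_location` checks a location string against the documented limits and flags token names written without `$`, and `expand_location` shows what a client would be sent. The function names, the sample request URL, treating `$PATH` as the path without its leading slash, and filling `$PORT` with the scheme default when the request has no explicit port are assumptions.

```python
import re
from urllib.parse import urlsplit

TOKENS = ("PROTOCOL", "HOST", "PORT", "PATH", "QUERY")
MAX_LEN = 255  # limit stated in the reference

# <protocol>://<host>[:<port>][/<path>][?<query>]; any field may be a $TOKEN
LOCATION_RE = re.compile(
    r"^(?P<protocol>[^:/?#\s]+)://(?P<host>[^:/?#\s]+)"
    r"(?::(?P<port>[^/?#\s]+))?(?:/(?P<path>[^?#\s]*))?(?:\?(?P<query>\S*))?$"
)

def lint_location(template):
    """Return a list of problems found in a redirect location string."""
    problems = []
    if len(template) > MAX_LEN:
        problems.append("longer than 255 characters")
    if not LOCATION_RE.match(template):
        problems.append("missing mandatory <protocol>://<host>")
    # A token name without '$' is not substituted and reaches the client as literal text.
    for name in TOKENS:
        if re.search(rf"(?<![$\w]){name}(?!\w)", template):
            problems.append(f"bare {name}: did you mean ${name}?")
    return problems

def expand_location(template, original_url):
    """Substitute $TOKENs with the matching fields of the original request."""
    u = urlsplit(original_url)
    default_port = {"http": 80, "https": 443}.get(u.scheme, "")
    values = {
        "PROTOCOL": u.scheme,
        "HOST": u.hostname or "",
        "PORT": str(u.port or default_port),  # assumption: scheme default if absent
        "PATH": u.path.lstrip("/"),           # assumption: templates write "/$PATH"
        "QUERY": u.query,
    }
    return re.sub(r"\$(PROTOCOL|HOST|PORT|PATH|QUERY)\b",
                  lambda m: values[m.group(1)], template)

if __name__ == "__main__":
    request = "http://shop.example.com/cart/view?id=7&lang=en"  # constructed sample
    for tpl in ("https://$HOST/$PATH?$QUERY",
                "$PROTOCOL://NewHost.com/$PATH?$QUERY",
                "https://$HOST/$PATH?QUERY",
                "/login"):
        print(tpl, "->", lint_location(tpl) or expand_location(tpl, request))
```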
rport <real server port (0, 1, 5-65534)>
 
Defines the real server TCP or UDP port assigned to this service. By default, this is the same as the virtual port (service virtual port). If rport is configured to be different than the virtual port defined in /cfg/slb/virt <number> /service <virtual port>, Alteon maps the virtual port to this real port.
When configuring an SSL-based virtual service, how the rport value is set is usually dependent on whether encryption between Alteon and the back-end servers is enabled (meaning that there is back-end encryption). The back-end encryption setting is part of the associated SSL policy configuration using the bessl (back-end listening port) command (see a description of this command in /cfg/slb/ssl/sslpol SSL Policy Menu). The following describes how rport is set based on the bessl setting:
*When Alteon offloads SSL traffic from the servers, and back-end encryption is not used, the servers are usually configured to listen on port 80. Therefore, rport is automatically set to 80.
*When Alteon offloads SSL traffic from the servers, and back-end encryption is used, the servers are usually configured to listen on port 443. Therefore, rport is automatically set to 443. For more information, see /cfg/slb/virt <server id>/service/basic-slb Virtual Server Basic SLB Service Configuration Menu.
Notes:
*You can also configure SSL offloading for other protocols encrypted by SSL by using SSL as the application type. To select the virtual service application type, see /cfg/slb/virt <server number> /service <virtual port or application name> Virtual Server Service Configuration.
*When using the SSL application type, HTTP-based capabilities such as setting HTTP redirection conversion, setting the SSL client information, or passing authentication policy information to the back-end servers are not available. Also, this capability is not supported for protocols that include special treatment of SSL, such as FTPS, SMTPS and POPS.
If your network environment requires it, you can change the default back-end listening port.
Notes:
If you have associated an SSL policy to a virtual service but have not yet configured the SSL policy, the default value of the listening port is set as the same value as the virtual service port. When you eventually set the back-end encryption using the bessl command, you receive a message similar to the following, based on how you configure the back-end listening port:

Note: You may want to update rport in the following virtual services associating this SSL policy:

virt 1 service 443 HTTPS
virt 3 service 8080 HTTPS
If you set rport to 0 (meaning that no specific port is defined), Alteon determines the back-end listening port based on the SSL policy definition and dynamically sets the real port as appropriate.
namesrvr <nameserver group>|none
 
Specifies the nameserver group for the domain name.
hname <hostname>|none
 
Specifies the Host header to be used in the health check request.
Maximum characters: 128
If this parameter is not specified, an HTTP 1.0 request is sent; otherwise an HTTP 1.1 request is sent.
When the inherit option is selected, the host definition is taken from the virtual service Hostname (hname) and the virtual server domain name (dname) values of the virtual service to which this server group is bound.
When performing an HTTPS health check, if a hostname is available (either configured or inherited), it is inserted as the SNI extension in the SSL Client Hello message.
cont <BWM Contract (0-1024), 0 for VIP default>
 
pbind clientip|sslid|disable
 
Specifies the parameter that defines a persistent session.
Values:
*clientip — Uses the client IP address as the session identifier, and associates all connections from the same client with the same real server until the client becomes inactive, and the persistent entry is aged out of the session table.
Different services from the same client may not map to the same server.
The real server connection timeout value (/cfg/slb/real/tmout) controls how long these inactive but persistent connections remain associated with their real servers.
When the client resumes activity after their connection has been aged out, they are connected to the most appropriate real server based on the load balancing metric.
An alternative approach may be to use the /cfg/slb/group/content/metric command to set the minmisses or hash real server group metrics.
With clientip enabled, Alteon maps HTTP and HTTPS traffic from the same client to the same server regardless of the load balancing metric used because the services are related.
For more information, see Server Load Balancing Metrics.
*sslid — Alteon records the SSL session ID and server, and directs all subsequent SSL sessions which present the same session ID to the same real server.
Available only for HTTPS and SSL services without SSL offload.
Alteon does not support the sslid option when you set the virtual service /cfg/slb/virt/service/dbind command to forceproxy.
*disable — Disables persistence for this service.
Default: disable
thash sip|sip+sport
 
report service|real
 
Sets the service reporting level.
Alteon devices can send Device Performance Monitoring (DPM) data to Cyber Controller (or APSolute Vision 4.x). Cyber Controller processes the data and can display the information in the Device Performance Monitoring Web interface.
Values:
*service — Device Performance Monitoring statistics are collected and displayed for each virtual service.
*real — Device Performance Monitoring statistics are collected and displayed for each virtual service per group per real server.
Default: service
tmout <even number of minutes (0-32768)>
 
Specifies the length of time, in minutes, that an inactive session remains in the session table.
Every client-to-server session being load balanced is recorded in the session table. When the client ends the session, the session table entry is removed.
In certain circumstances, such as when a client application is abnormally terminated by the client’s system, TCP and UDP connections remain registered in the session table. In order to prevent table overflow, these orphaned entries must be aged out of the session table.
Values:
*0 — The service uses the inactivity timeout value of the real server, which is 10 minutes by default. The inactivity timeout value is set at /cfg/slb/real/tmout.
*2 – 32768 (in even numbered increments)
Default: 0
ptmout
 
satisrt <inherit, [1-999999]>
 
Sets the application satisfied response time threshold.
You can configure the application satisfied response time threshold globally at /cfg/slb/adv/satistr (default is 500 ms) or locally per service at /cfg/slb/virt/service/satisrt (default is to inherit the global setting).
Based on this threshold, Alteon calculates the frustrated threshold as 4 times the satisfied latency threshold. When a transaction response is above the frustrated threshold, its event log will be marked as exception.
dbind disable|forceproxy
 
When the action option is set to redirect, the dbind option is automatically set to forceproxy.
Note: The enable option is supported for backward compatibility only. The enable option still displays after upgrade for existing services and filters configured with it, but the option is not available for new virtual services or filters. Radware recommends moving such virtual services and filters to forceproxy mode.
clsrst disable|enable
 
Specifies how Alteon closes client-side and server-side sessions.
Values:
*disable — When Alteon receives a FIN message from the client, Alteon performs a graceful closure of both client-side and server-side sessions.
*enable — When Alteon receives a FIN message from the client, Alteon closes the server-side session entry using RST for fastage.
Default: disable
Note: To enable session reset on connection close, full proxy mode (forceproxy) must be enabled.
nonhttp enable|disable
 
Specifies whether to enable or disable processing of non-HTTP connections.
Values:
*enable — Alteon processes non-HTTP traffic according to the default service action.
*disable — Alteon terminates non-HTTP connections with an error message.
Default: disable
nonat disable|enable
apm enable|disable
 
Note: APM is no longer supported. Keep APM disabled to eliminate any undesired performance impact.
Enables or disables application performance monitoring (APM) on this service traffic. Relevant only for HTTP and HTTPS services (SSL offload must be performed by Alteon for HTTPS).
Alteon gathers HTTP application performance data and sends it to the APM server. The APM server gathers all information, analyzes and displays application performance and SLA data. The APM server is situated on the Cyber Controller (or APSolute Vision 4.x) server. An APM license must be installed on Alteon, and the APM server must be configured before attempting to activate it as a service. When APM is activated on a service, Alteon attempts to configure the new monitored application on the APM server. If this attempt fails, the event is reported and the APM is disabled on the service.
Default: disabled
Notes:
*Before enabling APM at service level, make sure that the APM server to which the performance data must be sent is configured.
*When you enable APM, Alteon must configure this service on the APM server before completing the APM activation. If the configuration fails (that is, Alteon receives an error or the connection times out), Alteon issues an error message to the syslog and APM remains disabled.
direct disable|enable
 
mirror disable|enable
 
winsize0 disable|enable
 
ckrebind disable|enable
 
When this parameter is enabled, Alteon searches for the persistent cookie session in each request by lookup on the persistent SP. If the persistent cookie session is found, it selects the server that the cookie value points to. If it is not found, the server is selected based on the metric and the cookie value is inserted or updated on response.
When this parameter is disabled, Alteon searches for the persistent cookie session in each request by lookup on the designated SP only. If the persistent cookie session is found, it selects the server that the cookie value points to. If it is not found in the first HTTP request, the server is selected based on the metric and the cookie value is inserted or updated on response. If not found in the subsequent HTTP requests, the server used for the first HTTP request is selected.
Default: disable
sesslog disable|enable
 
Specifies whether to enable or disable session logging.
Session logs are sent to the syslog servers via the data port when the sessions are deleted or aged out. The Alteon switch processor sends the buffered session logging data to the syslog server at regular intervals (every 30 seconds) if the buffer is not completely filled. There will be no session syslog if no sessions have aged out during this duration of 30 seconds.
Note: Syslog servers configured on Alteon must be accessible via the data ports.
Default: disable
del
 
cur