diff --git a/docs/en-US/external-guest-firewall-integration.xml b/docs/en-US/external-guest-firewall-integration.xml index 0b34dca1065..bd9ac604970 100644 --- a/docs/en-US/external-guest-firewall-integration.xml +++ b/docs/en-US/external-guest-firewall-integration.xml @@ -21,23 +21,16 @@
External Guest Firewall Integration for Juniper SRX (Optional) - Available only for guests using advanced networking. + Available only for guests using advanced networking, both shared and isolated. &PRODUCT; provides for direct management of the Juniper SRX series of firewalls. This - enables &PRODUCT; to establish static NAT mappings from public IPs to guest VMs, and to use - the Juniper device in place of the virtual router for firewall services. You can have one or - more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned, - &PRODUCT; will use the virtual router for these services. + enables &PRODUCT; to establish staticNAT mappings from public IPs to guest VMs, and to use the + Juniper device in place of the virtual router for firewall services. You can have only one + Juniper SRX device per zone. This feature is optional. If Juniper integration is not + provisioned, &PRODUCT; will use the virtual router for these services. The Juniper SRX can optionally be used in conjunction with an external load balancer. - External Network elements can be deployed in a side-by-side or inline configuration. - - - - - - parallel-mode.png: adding a firewall and load balancer in parallel mode. - - + External Network elements can be deployed in a side-by-side or inline configuration. For more + information, see . &PRODUCT; requires the Juniper to be configured as follows: Supported SRX software version is 10.3 or higher. 
@@ -58,22 +51,22 @@ Record the public and private interface names. If you used a VLAN for the public interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be - "ge-0/0/3.301". Your private interface name should always be untagged because the - &PRODUCT; software automatically creates tagged logical interfaces. + "ge-0/0/3.301". Your private interface name should always be untagged because the &PRODUCT; + software automatically creates tagged logical interfaces. - Create a public security zone and a private security zone. By default, these will - already exist and will be called "untrust" and "trust". Add the public interface to the - public zone and the private interface to the private zone. Note down the security zone - names. + Create a public security zone and a private security zone. By default, these already + exist and are called "untrust" and "trust" zones. Add the public interface to the public + zone. &PRODUCT;automatically adds the private interface to private zone (trusted zone). Note + down the security zone names. Make sure there is a security policy from the private zone to the public zone that allows all traffic. - Note the username and password of the account you want the &PRODUCT; software to log - in to when it is programming rules. + Note the username and password of the account you want the &PRODUCT; software to log in + to when it is programming rules. Make sure the "ssh" and "xnm-clear-text" system services are enabled. @@ -124,13 +117,13 @@ filter untrust { In the left navigation bar, click Infrastructure. - In Zones, click View More. + In Zones, click View All. Choose the zone you want to work with. - Click the Network tab. + Click the Physical Network tab. In the Network Service Providers node of the diagram, click Configure. (You might have 
@@ -159,10 +152,6 @@ filter untrust { Private Interface: The name of the private interface on the SRX. For example, ge-0/0/1. - - Usage Interface: (Optional) Typically, the public interface is used to meter - traffic. If you want to use a different interface, specify its name here - Number of Retries: The number of times to attempt a command on the SRX before failing. The default value is 2. @@ -180,12 +169,12 @@ filter untrust { untrust. - Capacity: The number of networks the device can handle + Capacity: The number of networks the device can handle. Dedicated: When marked as dedicated, this device will be dedicated to a single account. When Dedicated is checked, the value in the Capacity field has no significance - implicitly, its value is 1 + implicitly, its value is 1. @@ -194,8 +183,8 @@ filter untrust { Click Global Settings. Set the parameter external.network.stats.interval to indicate how - often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you - are not using the SRX to gather network usage statistics, set to 0. + often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you are + not using the SRX to gather network usage statistics, set to 0.
diff --git a/docs/en-US/external-guest-lb-integration.xml b/docs/en-US/external-guest-lb-integration.xml index 5760f9559e6..acbb514207c 100644 --- a/docs/en-US/external-guest-lb-integration.xml +++ b/docs/en-US/external-guest-lb-integration.xml @@ -20,10 +20,12 @@ -->
External Guest Load Balancer Integration (Optional) + + External load balancer devices are not supported in shared networks. + &PRODUCT; can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load balancing services to guests. If this is not enabled, &PRODUCT; will use the software load balancer in the virtual router. - To install and enable an external load balancer for &PRODUCT; management: Set up the appliance according to the vendor's directions. diff --git a/docs/en-US/hardware-firewall.xml b/docs/en-US/hardware-firewall.xml index df0568aa2c2..28269cccf31 100644 --- a/docs/en-US/hardware-firewall.xml +++ b/docs/en-US/hardware-firewall.xml @@ -22,8 +22,11 @@ Hardware Firewall All deployments should have a firewall protecting the management server; see Generic Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will - be the default gateway for the guest networks; see . + be the default gateway for the guest networks; see . - - + + +
diff --git a/docs/en-US/images/add-netscaler.png b/docs/en-US/images/add-netscaler.png new file mode 100644 index 00000000000..53c1344b9dd Binary files /dev/null and b/docs/en-US/images/add-netscaler.png differ diff --git a/docs/en-US/images/parallel-inline-mode.png b/docs/en-US/images/parallel-inline-mode.png new file mode 100644 index 00000000000..c0c1555365e Binary files /dev/null and b/docs/en-US/images/parallel-inline-mode.png differ diff --git a/docs/en-US/inline-config-lb-fw.xml b/docs/en-US/inline-config-lb-fw.xml new file mode 100644 index 00000000000..dada3ff0f89 --- /dev/null +++ b/docs/en-US/inline-config-lb-fw.xml @@ -0,0 +1,173 @@ + + +%BOOK_ENTITIES; +]> + +
+ Configuring Network Devices in Inline and Side by Side Modes + The external network elements, such as load balancer and firewall devices, supported in + &PRODUCT; can be deployed in either of the following modes: Side by Side and Inline. Inline mode + was originally supported in &PRODUCT; 2.2.x versions, and is now added back in the 3.0.6 + release. + In Inline mode, one firewall device is placed in front of a load balancing device. The + firewall acts as the gateway for all incoming traffic, then redirect the load balancing traffic + to the load balancer behind it. The load balancer in this case will not have the direct access + to the public network. Deploying network devices in Inline mode ensures that the resources are + protected. + + + + + + parallel-inline-mode.png: external networks in different deployment modes + + + In Side by Side mode, a firewall device is deployed in parallel with the load balancer + device. So the traffic to the load balancer public IP is not routed through the firewall, and + therefore, is exposed to the public network. + + + + + + parallel-mode.png: adding a firewall and load balancer in side by side mode + + + The following table gives you an overview of the supported services and devices for inline + and side by side mode. + + + + + + + + + Mode + Firewall + Load Balancer + Supported + + + + + Side by Side + Virtual Router + F5 + Yes + + + Side by Side + Virtual Router + Virtual Router + Yes + + + Side by Side + Virtual Router + NetScaler + Yes + + + Side by Side + Juniper SRX + F5 + Yes + + + Side by Side + Juniper SRX + NetScaler + Yes + + + Inline + Virtual Router + F5 + No + + + Inline + Virtual Router + NetScaler + No + + + Inline + Juniper SRX + F5 + Yes + + + Inline + Juniper SRX + NetScaler + No + + + Inline + Juniper SRX + Virtual Router + No + + + + + To configure SRX and F5 in Inline mode: + + + Configure F5 Big IP and Juniper SRX. + See the respective product documentation for more information. 
+ + + Add SRX and F5 to the same zone in &PRODUCT;. + + Ensure that you select per zone sourceNAT when creating the network offering. When + adding F5 BigIP, do not make it a dedicated device. + + + + Enable both the devices. + + + Create a network offering: + Use SRX as provider for Firewall, Port Forwarding, SourceNAT, and StaticNat. Select F5 + BigIP as the service provider for Load Balancing. Use Virtual Router as the service provider + for DNS, DHCP, user data. + + + Select Inline mode. + For more information, see . + Creating Network Offerings in the Administration Guide. + + + + Start a new VM with this new network offering. + + + Add firewall and load balancing rules. For more information, see + Adding a Load Balancer Rule and . + IP Forwarding and Firewalling in the Administration + Guide. + + + +
diff --git a/docs/en-US/lb-services.xml b/docs/en-US/lb-services.xml new file mode 100644 index 00000000000..3bb79dbd335 --- /dev/null +++ b/docs/en-US/lb-services.xml @@ -0,0 +1,25 @@ + + +%BOOK_ENTITIES; +]> + +
+ Load Balancing Services + + +
diff --git a/docs/en-US/management-server-lb.xml b/docs/en-US/management-server-lb.xml index 85a86221c80..f4275786be7 100644 --- a/docs/en-US/management-server-lb.xml +++ b/docs/en-US/management-server-lb.xml @@ -19,12 +19,12 @@ under the License. -->
- Setting Zone VLAN and Running VM Maximums - &PRODUCT; can use a load balancer to provide a virtual IP for multiple Management - Servers. The administrator is responsible for creating the load balancer rules for the - Management Servers. The application requires persistence or stickiness across multiple sessions. - The following chart lists the ports that should be load balanced and whether or not persistence - is required. + Management Server Load Balancing + &PRODUCT; can use a load balancer to provide a virtual IP for multiple Management Servers. + The administrator is responsible for creating the load balancer rules for the Management + Servers. The application requires persistence or stickiness across multiple sessions. The + following chart lists the ports that should be load balanced and whether or not persistence is + required. Even if persistence is not required, enabling it is permitted. diff --git a/docs/en-US/network-setup.xml b/docs/en-US/network-setup.xml index ceee190d4ca..192c8e23d2f 100644 --- a/docs/en-US/network-setup.xml +++ b/docs/en-US/network-setup.xml @@ -20,16 +20,16 @@ --> Network Setup - Achieving the correct networking setup is crucial to a successful &PRODUCT; - installation. This section contains information to help you make decisions and follow the right - procedures to get your network set up correctly. + Achieving the correct networking setup is crucial to a successful &PRODUCT; installation. + This section contains information to help you make decisions and follow the right procedures to + get your network set up correctly. - - + - +
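Review bot: in the external-guest-firewall-integration.xml hunk @@ -21,23 +21,16, the capacity statement is inverted from "one or more Juniper SRX per zone" to "only one Juniper SRX device per zone"; that is a behavioural claim rather than a wording fix, so it should be confirmed against the provider code before merging. Two smaller points in the same hunk: "staticNAT" replaces the earlier "static NAT" and should match the spelling used elsewhere in these docs (the new inline section writes "StaticNat"), and the sentence "For more information, see ." ends with no visible target where the parallel-mode figure was removed, so check that the cross-reference actually resolves to the new inline and side-by-side section.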
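Review bot: in the @@ -58,22 +51,22 hunk, "&PRODUCT;automatically adds the private interface to private zone (trusted zone)" is missing the space after the entity and the article before "private zone"; suggest "&PRODUCT; automatically adds the private interface to the private zone ("trust")." Because the text now says the private interface is placed in its zone by &PRODUCT; rather than by the administrator, the following item ("Make sure there is a security policy from the private zone to the public zone that allows all traffic") should state explicitly that this policy is a manual prerequisite, so an operator does not assume it is created automatically as well.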
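Review bot: the @@ -159,10 +152,6 hunk deletes the "Usage Interface" field description, yet the later @@ -194,8 +183,8 hunk still instructs the administrator to set external.network.stats.interval so that &PRODUCT; fetches network usage statistics from the SRX. If the field has been removed from the UI, the statistics paragraph should say which interface is metered (the public interface, according to the deleted text); if the field still exists, the deletion is a regression in the documentation.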
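Review bot: the new statement "External load balancer devices are not supported in shared networks." in external-guest-lb-integration.xml should also be reflected in the new inline-config-lb-fw.xml, whose SRX and F5 inline procedure does not say it applies to isolated networks only; since the SRX hunk now advertises support for "both shared and isolated" networks, a reader could otherwise assume the inline SRX plus F5 combination is available on shared networks too.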
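Review bot: in the new inline-config-lb-fw.xml, "Deploying network devices in Inline mode ensures that the resources are protected" overstates what the mode provides: inline placement only guarantees that traffic to the load balancer's public IP traverses the firewall, and protection still depends on the firewall rules the network offering programs. The side-by-side paragraph should correspondingly say plainly that the load balancer's public IP is reachable without passing the firewall, so firewall rules do not cover it and the device's own access controls have to be relied on. Smaller fixes in the same hunk: "then redirect the load balancing traffic" should read "redirects"; the cross-reference sentences are broken by a stray period ("see . Creating Network Offerings in the Administration Guide." and "and . IP Forwarding and Firewalling"), leaving fragments after the reference; the per-zone sourceNAT and non-dedicated F5 requirements are listed under the "Add SRX and F5 to the same zone" step but belong to "Create a network offering"; and "StaticNat", "SourceNAT" and "user data" should use one capitalisation consistent with the service names used elsewhere in the docs.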