<message>

docs/en-US/external-guest-firewall-integration.xml

@@ -21,23 +21,16 @@
 <section id="external-guest-firewall-integration">
   <title>External Guest Firewall Integration for Juniper SRX (Optional)</title>
   <note>
-    <para>Available only for guests using advanced networking.</para>
+    <para>Available only for guests using advanced networking, both shared and isolated.</para>
   </note>
   <para>&PRODUCT; provides for direct management of the Juniper SRX series of firewalls. This
-    enables &PRODUCT; to establish static NAT mappings from public IPs to guest VMs, and to use
+    enables &PRODUCT; to establish staticNAT mappings from public IPs to guest VMs, and to use the
-    the Juniper device in place of the virtual router for firewall services. You can have one or
+    Juniper device in place of the virtual router for firewall services. You can have only one
-    more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned,
+    Juniper SRX device per zone. This feature is optional. If Juniper integration is not
-    &PRODUCT; will use the virtual router for these services.</para>
+    provisioned, &PRODUCT; will use the virtual router for these services.</para>
   <para>The Juniper SRX can optionally be used in conjunction with an external load balancer.
-    External Network elements can be deployed in a side-by-side or inline configuration.</para>
+    External Network elements can be deployed in a side-by-side or inline configuration. For more
-  <mediaobject>
+    information, see <xref linkend="inline-config-lb-fw"/>.</para>
-    <imageobject>
-      <imagedata fileref="./images/parallel-mode.png"/>
-    </imageobject>
-    <textobject>
-      <phrase>parallel-mode.png: adding a firewall and load balancer in parallel mode.</phrase>
-    </textobject>
-  </mediaobject>
   <para>&PRODUCT; requires the Juniper to be configured as follows:</para>
   <note>
     <para>Supported SRX software version is 10.3 or higher.</para>
@@ -58,22 +51,22 @@
       <para>Record the public and private interface names. If you used a VLAN for the public
         interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using
         ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be
-        "ge-0/0/3.301". Your private interface name should always be untagged because the
+        "ge-0/0/3.301". Your private interface name should always be untagged because the &PRODUCT;
-        &PRODUCT; software automatically creates tagged logical interfaces.</para>
+        software automatically creates tagged logical interfaces.</para>
     </listitem>
     <listitem>
-      <para>Create a public security zone and a private security zone. By default, these will
+      <para>Create a public security zone and a private security zone. By default, these already
-        already exist and will be called "untrust" and "trust". Add the public interface to the
+        exist and are called "untrust" and "trust" zones. Add the public interface to the public
-        public zone and the private interface to the private zone. Note down the security zone
+        zone. &PRODUCT;automatically adds the private interface to private zone (trusted zone). Note
-        names.</para>
+        down the security zone names.</para>
     </listitem>
     <listitem>
       <para>Make sure there is a security policy from the private zone to the public zone that
         allows all traffic.</para>
     </listitem>
     <listitem>
-      <para>Note the username and password of the account you want the &PRODUCT; software to log
+      <para>Note the username and password of the account you want the &PRODUCT; software to log in
-        in to when it is programming rules.</para>
+        to when it is programming rules.</para>
     </listitem>
     <listitem>
       <para>Make sure the "ssh" and "xnm-clear-text" system services are enabled.</para>
@@ -124,13 +117,13 @@ filter untrust {
       <para>In the left navigation bar, click Infrastructure.</para>
     </listitem>
     <listitem>
-      <para>In Zones, click View More.</para>
+      <para>In Zones, click View All.</para>
     </listitem>
     <listitem>
       <para>Choose the zone you want to work with.</para>
     </listitem>
     <listitem>
-      <para>Click the Network tab.</para>
+      <para>Click the Physical Network tab.</para>
     </listitem>
     <listitem>
       <para>In the Network Service Providers node of the diagram, click Configure. (You might have
@@ -159,10 +152,6 @@ filter untrust {
           <para>Private Interface: The name of the private interface on the SRX. For example,
             ge-0/0/1. </para>
         </listitem>
-        <listitem>
-          <para>Usage Interface: (Optional) Typically, the public interface is used to meter
-            traffic. If you want to use a different interface, specify its name here</para>
-        </listitem>
         <listitem>
           <para>Number of Retries: The number of times to attempt a command on the SRX before
             failing. The default value is 2.</para>
@@ -180,12 +169,12 @@ filter untrust {
             untrust.</para>
         </listitem>
         <listitem>
-          <para>Capacity: The number of networks the device can handle</para>
+          <para>Capacity: The number of networks the device can handle.</para>
         </listitem>
         <listitem>
           <para>Dedicated: When marked as dedicated, this device will be dedicated to a single
             account. When Dedicated is checked, the value in the Capacity field has no significance
-            implicitly, its value is 1</para>
+            implicitly, its value is 1.</para>
         </listitem>
       </itemizedlist>
     </listitem>
@@ -194,8 +183,8 @@ filter untrust {
     </listitem>
     <listitem>
       <para>Click Global Settings. Set the parameter external.network.stats.interval to indicate how
-        often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you
+        often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you are
-        are not using the SRX to gather network usage statistics, set to 0.</para>
+        not using the SRX to gather network usage statistics, set to 0.</para>
     </listitem>
   </orderedlist>
 </section>

docs/en-US/external-guest-lb-integration.xml

@@ -20,10 +20,12 @@
 -->
 <section id="external-guest-lb-integration">
   <title>External Guest Load Balancer Integration (Optional)</title>
+  <note>
+    <para>External load balancer devices are not supported in shared networks.</para>
+  </note>
   <para>&PRODUCT; can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load
     balancing services to guests. If this is not enabled, &PRODUCT; will use the software load
     balancer in the virtual router.</para>
-  <para>To install and enable an external load balancer for &PRODUCT; management:</para>
   <orderedlist>
     <listitem>
       <para>Set up the appliance according to the vendor's directions.</para>

docs/en-US/hardware-firewall.xml

@@ -22,8 +22,11 @@
   <title>Hardware Firewall</title>
   <para>All deployments should have a firewall protecting the management server; see Generic
     Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will
-    be the default gateway for the guest networks; see <xref linkend="external-guest-firewall-integration"/>.</para>
+    be the default gateway for the guest networks; see <xref
+      linkend="external-guest-firewall-integration"/>.</para>
   <xi:include href="generic-firewall-provisions.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
-  <xi:include href="external-guest-firewall-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="external-guest-firewall-integration.xml"
-  <xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+    xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="lb-services.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="inline-config-lb-fw.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
 </section>

docs/en-US/inline-config-lb-fw.xml

@@ -0,0 +1,173 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
+%BOOK_ENTITIES;
+]>
+<!-- Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+  http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<section id="inline-config-lb-fw">
+  <title>Configuring Network Devices in Inline and Side by Side Modes</title>
+  <para>The external network elements, such as load balancer and firewall devices, supported in
+    &PRODUCT; can be deployed in either of the following modes: Side by Side and Inline. Inline mode
+    was originally supported in &PRODUCT; 2.2.x versions, and is now added back in the 3.0.6
+    release.</para>
+  <para>In Inline mode, one firewall device is placed in front of a load balancing device. The
+    firewall acts as the gateway for all incoming traffic, then redirect the load balancing traffic
+    to the load balancer behind it. The load balancer in this case will not have the direct access
+    to the public network. Deploying network devices in Inline mode ensures that the resources are
+    protected.</para>
+  <mediaobject>
+    <imageobject>
+      <imagedata fileref="./images/parallel-inline-mode.png"/>
+    </imageobject>
+    <textobject>
+      <phrase>parallel-inline-mode.png: external networks in different deployment modes</phrase>
+    </textobject>
+  </mediaobject>
+  <para>In Side by Side mode, a firewall device is deployed in parallel with the load balancer
+    device. So the traffic to the load balancer public IP is not routed through the firewall, and
+    therefore, is exposed to the public network. </para>
+  <mediaobject>
+    <imageobject>
+      <imagedata fileref="./images/parallel-mode.png"/>
+    </imageobject>
+    <textobject>
+      <phrase>parallel-mode.png: adding a firewall and load balancer in side by side mode</phrase>
+    </textobject>
+  </mediaobject>
+  <para>The following table gives you an overview of the supported services and devices for inline
+    and side by side mode.</para>
+  <informaltable>
+    <tgroup cols="4" align="left" colsep="1" rowsep="1">
+      <colspec colwidth="1.08*" colname="c1" colnum="1"/>
+      <colspec colwidth="1.2*" colname="c2" colnum="2"/>
+      <colspec colnum="3" colname="c3" colwidth="1.0*"/>
+      <colspec colnum="4" colname="c4" colwidth="5.15*"/>
+      <thead>
+        <row>
+          <entry><para>Mode</para></entry>
+          <entry><para>Firewall</para></entry>
+          <entry><para>Load Balancer</para></entry>
+          <entry><para>Supported</para></entry>
+        </row>
+      </thead>
+      <tbody>
+        <row>
+          <entry><para>Side by Side</para></entry>
+          <entry><para>Virtual Router</para></entry>
+          <entry><para>F5</para></entry>
+          <entry><para>Yes</para></entry>
+        </row>
+        <row>
+          <entry><para>Side by Side</para></entry>
+          <entry><para>Virtual Router</para></entry>
+          <entry><para>Virtual Router</para></entry>
+          <entry><para>Yes</para></entry>
+        </row>
+        <row>
+          <entry><para>Side by Side</para></entry>
+          <entry><para>Virtual Router</para></entry>
+          <entry><para>NetScaler</para></entry>
+          <entry><para>Yes</para></entry>
+        </row>
+        <row>
+          <entry><para>Side by Side</para></entry>
+          <entry><para>Juniper SRX</para></entry>
+          <entry><para>F5</para></entry>
+          <entry><para>Yes</para></entry>
+        </row>
+        <row>
+          <entry><para>Side by Side</para></entry>
+          <entry><para>Juniper SRX</para></entry>
+          <entry><para>NetScaler</para></entry>
+          <entry><para>Yes</para></entry>
+        </row>
+        <row>
+          <entry><para>Inline</para></entry>
+          <entry><para>Virtual Router</para></entry>
+          <entry><para>F5</para></entry>
+          <entry><para>No</para></entry>
+        </row>
+        <row>
+          <entry><para>Inline</para></entry>
+          <entry><para>Virtual Router</para></entry>
+          <entry><para>NetScaler</para></entry>
+          <entry><para>No</para></entry>
+        </row>
+        <row>
+          <entry><para>Inline</para></entry>
+          <entry><para>Juniper SRX</para></entry>
+          <entry><para>F5</para></entry>
+          <entry><para>Yes</para></entry>
+        </row>
+        <row>
+          <entry><para>Inline</para></entry>
+          <entry><para>Juniper SRX</para></entry>
+          <entry><para>NetScaler</para></entry>
+          <entry><para>No</para></entry>
+        </row>
+        <row>
+          <entry><para>Inline</para></entry>
+          <entry><para>Juniper SRX</para></entry>
+          <entry><para>Virtual Router</para></entry>
+          <entry><para>No</para></entry>
+        </row>
+      </tbody>
+    </tgroup>
+  </informaltable>
+  <para>To configure SRX and F5 in Inline mode:</para>
+  <orderedlist>
+    <listitem>
+      <para>Configure F5 Big IP and Juniper SRX.</para>
+      <para>See the respective product documentation for more information.</para>
+    </listitem>
+    <listitem>
+      <para>Add SRX and F5 to the same zone in &PRODUCT;.</para>
+      <note>
+        <para>Ensure that you select per zone sourceNAT when creating the network offering. When
+          adding F5 BigIP, do not make it a dedicated device.</para>
+      </note>
+    </listitem>
+    <listitem>
+      <para>Enable both the devices.</para>
+    </listitem>
+    <listitem>
+      <para>Create a network offering:</para>
+      <para>Use SRX as provider for Firewall, Port Forwarding, SourceNAT, and StaticNat. Select F5
+        BigIP as the service provider for Load Balancing. Use Virtual Router as the service provider
+        for DNS, DHCP, user data.</para>
+    </listitem>
+    <listitem>
+      <para>Select Inline mode.</para>
+      <para>For more information, see <phrase condition="admin"><xref
+            linkend="creating-network-offerings"/>.</phrase>
+        <phrase condition="install">Creating Network Offerings in the Administration Guide.</phrase>
+      </para>
+    </listitem>
+    <listitem>
+      <para>Start a new VM with this new network offering.</para>
+    </listitem>
+    <listitem>
+      <para>Add firewall and load balancing rules. For more information, see <phrase
+          condition="admin"><xref linkend="add-load-balancer-rule"/></phrase>
+        <phrase condition="install">Adding a Load Balancer Rule</phrase> and <phrase
+          condition="admin"><xref linkend="firewall-rules"/>.</phrase>
+        <phrase condition="install">IP Forwarding and Firewalling in the Administration
+          Guide.</phrase>
+      </para>
+    </listitem>
+  </orderedlist>
+</section>

docs/en-US/lb-services.xml

@@ -0,0 +1,25 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
+%BOOK_ENTITIES;
+]>
+<!-- Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+  http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<section id="lb-services">
+  <title>Load Balancing Services</title>
+  <xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+</section>

docs/en-US/management-server-lb.xml

@@ -19,12 +19,12 @@
   under the License.
 -->
 <section id="management-server-lb">
-  <title>Setting Zone VLAN and Running VM Maximums</title>
+  <title>Management Server Load Balancing</title>
-  <para>&PRODUCT; can use a load balancer to provide a virtual IP for multiple Management
+  <para>&PRODUCT; can use a load balancer to provide a virtual IP for multiple Management Servers.
-    Servers. The administrator is responsible for creating the load balancer rules for the
+    The administrator is responsible for creating the load balancer rules for the Management
-    Management Servers. The application requires persistence or stickiness across multiple sessions.
+    Servers. The application requires persistence or stickiness across multiple sessions. The
-    The following chart lists the ports that should be load balanced and whether or not persistence
+    following chart lists the ports that should be load balanced and whether or not persistence is
-    is required.</para>
+    required.</para>
   <para>Even if persistence is not required, enabling it is permitted.</para>
   <informaltable>
     <tgroup cols="4" align="left" colsep="1" rowsep="1">

docs/en-US/network-setup.xml

@@ -20,16 +20,16 @@
 -->
 <chapter id="network-setup">
   <title>Network Setup</title>
-  <para>Achieving the correct networking setup is crucial to a successful &PRODUCT;
+  <para>Achieving the correct networking setup is crucial to a successful &PRODUCT; installation.
-    installation. This section contains information to help you make decisions and follow the right
+    This section contains information to help you make decisions and follow the right procedures to
-    procedures to get your network set up correctly.</para>
+    get your network set up correctly.</para>
   <xi:include href="basic-adv-networking.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="vlan-allocation-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="hardware-config-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="layer2-switch.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="hardware-firewall.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
-  <xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
-  <xi:include href="guest-nw-usage-with-traffic-sentinel.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> 
+  <xi:include href="guest-nw-usage-with-traffic-sentinel.xml"
+    xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="set-zone-vlan-run-vm-max.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
-  </chapter>
+</chapter>