Subscriber Traffic Redirection

Modified: 2018-10-15

Copyright © 2018, Juniper Networks, Inc. Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Subscriber Traffic Redirection Copyright © 2018 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at ://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation
Documentation and Release Notes
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC

Part 1 Overview

Chapter 1 Software Features Overview
Traffic Redirection Overview
Proxy Request Management
HTTP Proxy and DNS
HTTPS Traffic Redirection Support
Protection Against Denial-of-Service Attacks
Redirect Server Redundancy

Part 2 Configuration

Chapter 2 Configuration Tasks
Before You Configure the Redirect Server on a C Series Controller
Configuring the Redirect Server (SRC CLI)
Configuring the Redirect Server (C-Web Interface)
Configuring General Properties for the Redirect Server (SRC CLI)
Configuring General Properties for the Redirect Server (C-Web Interface)
Configuring a Connection Between the Redirect Server and the Directory (SRC CLI)
Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface)
Defining Traffic to Transmit to the Redirect Server (SRC CLI)
Defining Traffic to Transmit to the Redirect Server (C-Web Interface)
Changing the Number of Requests That the Redirect Server Accepts (SRC CLI)
Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface)
Specifying Extensions for Files That the Redirect Server Accepts (SRC CLI)
Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface)
Configuring the DNS Server for the Redirect Server (SRC CLI)
Configuring the DNS Server for the Redirect Server (C-Web Interface)
Configuring the Redirect Server to Support HTTP Proxies (SRC CLI)
Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface)
Configuring Redirect Server to Support HTTPS Traffic (SRC CLI)
Before You Configure Redundancy for a Redirect Server
Configuring a Redundant Redirect Server (SRC CLI)
Configuring a Redundant Redirect Server (C-Web Interface)
Configuring Logging for the Redirect Server
Enabling the Redirect Server
Changing the Configuration for the Redirect Server

Chapter 3 Configuration Statements
Configuration Statements for the Redirect Server (SRC CLI)

Part 3 Administration

Chapter 4 Management Tasks
Verifying Configuration for the Redirect Server (SRC CLI)
Assessing Load for Redirect Server (C-Web Interface)

Chapter 5 Monitoring the Redirect Server
Viewing Statistics for the Redirect Server (SRC CLI)
Viewing Statistics for the Redirect Server (C-Web Interface)
Viewing Statistics About Filtered Traffic (SRC CLI)
Viewing Information for Filtered Traffic (C-Web Interface)

Chapter 6 Routine Monitoring
Viewing Information About Components Installed (SRC CLI)
Viewing Information About Components Installed (C-Web Interface)

Part 4 Troubleshooting

Chapter 7 Troubleshooting Procedures
Collecting Data with the Activity Monitor (SRC CLI)
Collecting Data with the Activity Monitor (C-Web Interface)
Viewing Graphs (C-Web Interface)
Viewing Graphs from a Webpage
Viewing Graphs for a Preset Time Period from a Webpage
Viewing Graphs for Specified Time Periods from a Webpage

About the Documentation

• Documentation and Release Notes

• Documentation Conventions

• Documentation Feedback

• Requesting Technical Support

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

Documentation Conventions

Table 1 on page x defines notice icons used in this guide.

Table 1: Notice Icons

Icon Meaning Description

Informational note Indicates important features or instructions.

Caution Indicates a situation that might result in loss of data or hardware damage.

Warning Alerts you to the risk of personal injury or death.

Laser warning Alerts you to the risk of personal injury from a laser.

Tip Indicates helpful information.

Best practice Alerts you to a recommended use or implementation.

Table 3 on page xi defines text conventions used throughout this documentation.

Table 3: Text Conventions

Convention: Bold text like this
Description:
• Represents keywords, scripts, and tools in text.
• Represents a GUI element that the user selects, clicks, checks, or clears.
Examples:
• Specify the keyword exp-msg.
• Run the install.sh script.
• Use the pkgadd tool.
• To cancel the configuration, click Cancel.

Convention: Bold text like this
Description: Represents text that the user must type.
Example: user@host# set cache-entry-age cache-entry-age

Convention: Fixed-width text like this
Description: Represents information as displayed on your terminal’s screen, such as CLI commands in output displays.
Example:
nic-locators {
    login {
        resolution {
            resolver-name /realms/login/A1;
            key-type LoginName;
            value-type SaeId;
        }

Convention: Regular sans serif typeface
Description:
• Represents configuration statements.
• Indicates SRC CLI commands and options in text.
• Represents examples in procedures.
• Represents URLs.
Examples:
• system ldap server{ stand-alone;
• Use the request sae modify device failover command with the force option
• user@host# . . .
• https://www.juniper.net/techpubs/software/management/sdx/api-index.html

Convention: Italic sans serif typeface
Description: Represents variables in SRC CLI commands.
Example: user@host# set local-address local-address

Convention: Angle brackets
Description: In text descriptions, indicate optional keywords or variables.
Example: Another runtime variable is .

Convention: Key name
Description: Indicates the name of a key on the keyboard.
Example: Press Enter.

Convention: Key names linked with a plus sign (+)
Description: Indicates that you must press two or more keys simultaneously.
Example: Press Ctrl + b.

Convention: Italic typeface
Description:
• Emphasizes words.
• Identifies book names.
• Identifies distinguished names.
• Identifies files, directories, and paths in text but not in command examples.
Examples:
• There are two levels of access: user and privileged.
• SRC-PE Getting Started Guide.
• o=Users, o=UMC
• The /etc/default.properties file.

Convention: Backslash
Description: At the end of a line, indicates that the text wraps to the next line.
Example:
Plugin.radiusAcct-1.class=\
net.juniper.smgt.sae.plugin\
RadiusTrackingPluginEvent

Convention: Words separated by the | symbol
Description: Represent a choice to select one keyword or variable to the left or right of this symbol. (The keyword or variable may be either optional or required.)
Example: diagnostic | line

Documentation Feedback

We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:

• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:

• Click the thumbs-up icon if the information on the page was helpful to you.

• Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: https://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: https://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at https://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see https://www.juniper.net/support/requesting-support.html.

PART 1 Overview

• Software Features Overview

CHAPTER 1 Software Features Overview

• Traffic Redirection Overview

• Redirect Server Redundancy

Traffic Redirection Overview

The redirect server is part of a captive portal system that redirects subscribers’ Web requests to a captive portal page. You can use a captive portal page as the initial page a subscriber sees after logging in to a subscriber session and as a page used to receive and manage HTTP or HTTPS requests to unauthorized Web resources.

Proxy Request Management

The redirect server examines requested paths and detects proxy HTTP requests by the proxy prefix “:” followed by the address of the requested host. If the requested URL is served by the captive portal server:

1. The redirect server opens a TCP connection to the captive portal and forwards the request for the URL. The redirect server adds to the request an X-Forwarded-For header that specifies the IP address of the client.

2. The captive portal server inspects the incoming request for the X-Forwarded-For header for the IP address. The captive portal server uses this address instead of the source IP address to determine the originator of the request.

3. If the captive portal authorizes the client and activates a service that enables a direct connection between the client and the proxy, the redirect server then sends the returned data to the subscriber’s Web browser.

or

If the requested URL is not served by the captive portal server, the redirect server opens a TCP port and sends the type of response configured to a subscriber’s browser in response to a captured request:

• HTTP 200 OK response with an HTML document that includes the header (default)

• HTTP 302 Found response to a subscriber’s browser in response to a captured request

The subscriber browser follows the redirect request, and the proxied request is served by the redirect server again, which opens a connection to the captive portal.
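The client-identification step above depends on the captive portal trusting X-Forwarded-For, and that header is only meaningful when the redirect server wrote it. The following is an added example, not Juniper code: a portal-side helper that uses the header only when the TCP peer is the redirect server. The trusted address, function names and sample requests are assumptions constructed for illustration.

```python
import ipaddress
from typing import Optional

# Assumption: the only peer allowed to assert a client address is the
# redirect server. 192.0.2.10 is a constructed documentation address.
TRUSTED_REDIRECT_SERVERS = {ipaddress.ip_address("192.0.2.10")}


def parse_headers(raw_request: bytes) -> dict:
    """Return request headers keyed by lower-cased name."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        value = value.strip()
        # Repeated headers are equivalent to one comma-separated list.
        headers[key] = f"{headers[key]},{value}" if key in headers else value
    return headers


def originator(peer_ip: str, raw_request: bytes) -> Optional[str]:
    """Return the address that identifies the subscriber, or None to reject."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_REDIRECT_SERVERS:
        # Direct connection: any X-Forwarded-For value is client-controlled,
        # so the TCP source address is the only usable identity.
        return str(peer)
    xff = parse_headers(raw_request).get("x-forwarded-for", "")
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if not entries:
        return None  # forwarded request that carries no client address
    try:
        # Assumption: the redirect server's entry is the last one; earlier
        # entries may have been sent by the client itself.
        return str(ipaddress.ip_address(entries[-1]))
    except ValueError:
        return None  # value is not an IP address


# Constructed sample requests.
FORWARDED = (b"GET /login HTTP/1.1\r\nHost: portal.example\r\n"
             b"X-Forwarded-For: 198.51.100.23\r\n\r\n")
CLIENT_SUPPLIED = (b"GET /login HTTP/1.1\r\nHost: portal.example\r\n"
                   b"X-Forwarded-For: 203.0.113.5\r\n\r\n")
BOTH = (b"GET /login HTTP/1.1\r\nHost: portal.example\r\n"
        b"X-Forwarded-For: 203.0.113.5\r\n"
        b"X-Forwarded-For: 198.51.100.23\r\n\r\n")
MALFORMED = (b"GET /login HTTP/1.1\r\nHost: portal.example\r\n"
             b"X-Forwarded-For: not-an-address\r\n\r\n")

if __name__ == "__main__":
    print(originator("192.0.2.10", FORWARDED))           # via redirect server
    print(originator("198.51.100.99", CLIENT_SUPPLIED))  # direct connection
    print(originator("192.0.2.10", BOTH))                # header sent twice
    print(originator("192.0.2.10", MALFORMED))           # rejected
```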

Support for HTTP proxy requests requires the following:

• A local HTTP proxy server that can handle the traffic from all clients configured with a proxy.

• A location for the local HTTP proxy server that is one IP hop from each access router.

• A proxy service that the captive portal server can activate to send proxy requests to the local HTTP proxy server when the portal server authorizes proxy clients.

• A proxy service activation policy that includes a next-hop policy that points to the local HTTP proxy server, and a classifier that matches the client’s IP address and the address of the proxy server configured on the client.

Services that the client accesses through the proxy server, such as HTTP and FTP, cannot be activated based on destination address.

You must redirect all ports to the redirect server because you cannot know which ports are configured on the client for the proxy. Consequently, the redirect server receives non-HTTP requests as well as HTTP requests. The non-HTTP requests generate error log entries. To reduce overhead, HTTP error messages are logged as system log debug messages.

HTTP Proxy and DNS

Make sure that your network includes a domain name service (DNS) server to resolve unknown names to a fixed IP address. A DNS server is required because proxy servers can be configured with DNS names in private domains that are not valid in the public environment. You can use the DNS server included with the redirect server, or another DNS server on your network.

The DNS server can be configured on a client with DHCP. Alternatively, the service provider can set up a transparent DNS proxy by configuring a next-hop policy on the JunosE router for UDP and TCP port 53 traffic. The policy redirects traffic on these two ports to the redirect server’s DNS server.

Because proxy addresses must be resolved even if general access to the Internet is enabled, the DNS server must continue to resolve all client requests for proxy clients. Nonproxy clients can use their regular DNS server after the initial service has been activated.

The redirect server’s DNS server either forwards the request to a set of configured DNS servers or resolves the request by using the root domain name server. If a request for an IPv4 or IPv6 address cannot be resolved and the request results in an NXDOMAIN error, the DNS server returns a configurable IP address. The redirect server returns an error message to the clients for any other type of request that cannot be resolved.

HTTPS Traffic Redirection Support

The SRC software supports redirection of HTTPS traffic through the redirect server. The redirect server redirects HTTPS traffic to a configured destination web server. The redirect server requires a Secure Sockets Layer (SSL) certificate.

NOTE: Whenever you open an HTTPS page, the browser displays a security warning because the common name of the certificate does not match the domain name of the URL. The warning appears until you add an exception for the certificate in the browser.

Protection Against Denial-of-Service Attacks

The redirect server incorporates a number of properties to protect against denial-of-service attacks. The following list shows the default values set for these properties:

• The redirect server can serve no more than 12,000 requests per minute, with a burst of 18,000 requests.

• The redirect server can serve no more than 25 requests per client per minute, with a burst of 50 requests.

• Incoming requests can be no larger than 4 KB.

• Incoming requests have a time limit of 2 seconds.

You can change the values for any of these properties.
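The page does not say how the redirect server enforces these limits. The following added example (not Juniper code) shows one common way to get "N requests per minute with a burst of M", a token bucket, using the default values listed above; the class and function names, the reading of 4 KB as 4096 bytes, and the sample traffic are assumptions.

```python
from collections import Counter

# Default values listed on the page.
GLOBAL_PER_MINUTE, GLOBAL_BURST = 12_000, 18_000
CLIENT_PER_MINUTE, CLIENT_BURST = 25, 50
MAX_REQUEST_BYTES = 4 * 1024   # "4 KB", taken here as 4096 bytes
REQUEST_TIME_LIMIT_S = 2.0


class TokenBucket:
    """Sustained rate per minute with a burst ceiling."""

    def __init__(self, per_minute: int, burst: int):
        self.per_minute = per_minute
        self.capacity = float(burst)
        self.tokens = float(burst)   # start full: a burst is allowed at once
        self.stamp = None            # time of the previous request

    def take(self, now: float) -> bool:
        if self.stamp is not None:
            refill = (now - self.stamp) * self.per_minute / 60.0
            self.tokens = min(self.capacity, self.tokens + refill)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Admission:
    """Applies the four limits to each incoming request."""

    def __init__(self):
        self.all_clients = TokenBucket(GLOBAL_PER_MINUTE, GLOBAL_BURST)
        # Unbounded here; a long-running server would expire idle entries.
        self.per_client = {}

    def check(self, client_ip, size_bytes, seconds_to_receive, now) -> str:
        if size_bytes > MAX_REQUEST_BYTES:
            return "too-large"
        if seconds_to_receive > REQUEST_TIME_LIMIT_S:
            return "too-slow"
        bucket = self.per_client.get(client_ip)
        if bucket is None:
            bucket = TokenBucket(CLIENT_PER_MINUTE, CLIENT_BURST)
            self.per_client[client_ip] = bucket
        # Per-client check first, so one client cannot drain the shared bucket.
        if not bucket.take(now):
            return "client-limit"
        if not self.all_clients.take(now):
            return "server-limit"
        return "accept"


def run_sample() -> dict:
    """Constructed traffic: one busy client, then a second client."""
    gate = Admission()
    busy, other = "198.51.100.23", "198.51.100.24"
    out = {}
    out["burst"] = Counter(gate.check(busy, 512, 0.1, 0.0) for _ in range(60))
    out["after_60s"] = Counter(gate.check(busy, 512, 0.1, 60.0) for _ in range(30))
    out["other_client"] = gate.check(other, 512, 0.1, 60.0)
    out["oversized"] = gate.check(other, 5000, 0.1, 60.0)
    out["slow"] = gate.check(other, 512, 2.5, 60.0)
    return out


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, dict(result) if isinstance(result, Counter) else result)
```

The busy client gets its burst of 50, is refused until tokens refill, and a minute later is allowed 25 more, while the second client is unaffected.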

Related Documentation

• Redirect Server Redundancy

• Configuration Statements for the Redirect Server (SRC CLI)

• Before You Configure Redundancy for a Redirect Server

• Configuring the Redirect Server (SRC CLI)

• Configuring the Redirect Server (C-Web Interface)

Redirect Server Redundancy

You can configure the redirect server to provide redundancy to help ensure that a redirect server is always available. You install the redirect server software on two different hosts; then you configure one redirect server as the primary redirect server, and the other as the redundant redirect server. The active and redundant redirect servers regularly poll each other to confirm each other’s availability. If the primary redirect server becomes unavailable, the redundant server assumes the active role.

When a redirect server assumes the primary role, it configures on the router a static route from the virtual IP address to the server’s real IP address. Clients send requests to the virtual IP address, and the router automatically sends the request to the active redirect server through a static route. The virtual IP address is used only in the static route configured on the router and the next-hop policy installed by SAE. End users do not see the virtual IP address.

Figure 1 on page 6 shows a configuration in which two redirect servers use the same virtual IP address, 192.168.254.1.

Figure 1: Failover of a Redirect Server

Related Documentation

• Traffic Redirection Overview

• Before You Configure Redundancy for a Redirect Server

• Configuring a Redundant Redirect Server (SRC CLI)

• Configuring a Redundant Redirect Server (C-Web Interface)

PART 2 Configuration

• Configuration Tasks

• Configuration Statements

CHAPTER 2 Configuration Tasks

• Before You Configure the Redirect Server on a C Series Controller

• Configuring the Redirect Server (SRC CLI)

• Configuring the Redirect Server (C-Web Interface)

• Configuring General Properties for the Redirect Server (SRC CLI)

• Configuring General Properties for the Redirect Server (C-Web Interface)

• Configuring a Connection Between the Redirect Server and the Directory (SRC CLI)

• Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface)

• Defining Traffic to Transmit to the Redirect Server (SRC CLI)

• Defining Traffic to Transmit to the Redirect Server (C-Web Interface)

• Changing the Number of Requests That the Redirect Server Accepts (SRC CLI)

• Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface)

• Specifying Extensions for Files That the Redirect Server Accepts (SRC CLI)

• Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface)

• Configuring the DNS Server for the Redirect Server (SRC CLI)

• Configuring the DNS Server for the Redirect Server (C-Web Interface)

• Configuring the Redirect Server to Support HTTP Proxies (SRC CLI)

• Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface)

• Configuring Redirect Server to Support HTTPS Traffic (SRC CLI)

• Before You Configure Redundancy for a Redirect Server

• Configuring a Redundant Redirect Server (SRC CLI)

• Configuring a Redundant Redirect Server (C-Web Interface)

• Configuring Logging for the Redirect Server

• Enabling the Redirect Server

• Changing the Configuration for the Redirect Server

Before You Configure the Redirect Server on a C Series Controller

Before you configure the redirect server on a C Series Controller:

• Configure the connection between the redirect server and the JunosE router by configuring policies on the C Series Controller:

  • Configure and enable the HTTP local server on the JunosE router.

  • On the C Series Controller, configure a policy that includes the following policy actions to define which traffic to send to the redirect server:

    • An exception action to specify that an HTTP application receive traffic.

    • An http redirect policy action to specify the URL to receive packets identified in the exception application action.

NOTE: Alternatively, if the JunosE routers are one hop away from the C Series Controller, you can configure a next-hop policy on the JunosE router that specifies the virtual IP address of the active redirect server as the destination address, rather than configuring an SRC policy.

• If you plan to configure a redundant redirect server, make sure that you are familiar with the network configuration required.

Related Documentation

• Before You Configure Redundancy for a Redirect Server

• Configuring the Redirect Server (SRC CLI)

• Configuring the Redirect Server (C-Web Interface)

• Redirect Server Redundancy

• Traffic Redirection Overview

Configuring the Redirect Server (SRC CLI)

The redirect server on a C Series Controller manages IP layer redirection.

To configure the redirect server:

1. Configure general properties for the redirect server.

See “Configuring General Properties for the Redirect Server (SRC CLI)” on page 12.

2. Configure a connection from the redirect server to the directory.

See “Configuring a Connection Between the Redirect Server and the Directory (SRC CLI)” on page 14.

3. (Optional) Define traffic to be forwarded to the redirect server. In most cases you can accept the default values—traffic destined for port 80 (Web requests) and forwarded from all interfaces on a C Series Controller.

See “Defining Traffic to Transmit to the Redirect Server (SRC CLI)” on page 16.

4. (Optional) Configure the number of requests that the redirect server accepts.

See “Changing the Number of Requests That the Redirect Server Accepts (SRC CLI)” on page 17.

5. (Optional) Configure the types of files for which the redirect server accepts requests.

See “Specifying Extensions for Files That the Redirect Server Accepts (SRC CLI)” on page 19.

6. (Optional) For a configuration to support HTTP proxies, configure DNS. You can configure the DNS server included with the redirect server, or another DNS server on your network. If you use another DNS server, you do not need to configure the DNS server included with the redirect server.

For information about configuring the DNS server included with the redirect server, see “Configuring the DNS Server for the Redirect Server (SRC CLI)” on page 21.

7. (Optional) Configure support for HTTP proxies.

See “Configuring the Redirect Server to Support HTTP Proxies (SRC CLI)” on page 23.

8. (Optional) Configure support for HTTPS traffic redirection.

See “Configuring Redirect Server to Support HTTPS Traffic (SRC CLI)” on page 24.

9. (Optional) Configure a redundant redirect server.

See “Configuring a Redundant Redirect Server (SRC CLI)” on page 27.

10. Enable the redirect server.

See “Enabling the Redirect Server” on page 29.

Related Documentation

• Configuration Statements for the Redirect Server (SRC CLI)

• Configuring the Redirect Server (C-Web Interface)

• Viewing Statistics for the Redirect Server (SRC CLI)

• Traffic Redirection Overview

• Redirect Server Redundancy

Configuring the Redirect Server (C-Web Interface)

Configure the redirect server on a C Series Controller to manage IP layer redirection.

To configure the redirect server:

1. Configure general properties for the redirect server.

See “Configuring General Properties for the Redirect Server (C-Web Interface)” on page 14.

2. Configure a connection from the redirect server to the directory.

See “Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface)” on page 15.

3. (Optional) Define traffic to be forwarded to the redirect server. In most cases you can accept the default values—traffic destined for port 80 (Web requests) and forwarded from all interfaces on a C Series Controller.

See “Defining Traffic to Transmit to the Redirect Server (C-Web Interface)” on page 17.

4. (Optional) Configure the number of requests that the redirect server accepts.

See “Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface)” on page 19.

5. (Optional) Configure the types of files for which the redirect server accepts requests.

See “Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface)” on page 20.

6. (Optional) For a configuration to support HTTP proxies, configure DNS. You can configure the DNS server included with the redirect server, or another DNS server on your network. If you use another DNS server, you do not need to configure the DNS server included with the redirect server.

For information about configuring the DNS server included with the redirect server, see “Configuring the DNS Server for the Redirect Server (C-Web Interface)” on page 22.

7. (Optional) Configure support for HTTP proxies.

See “Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface)” on page 24.

8. (Optional) Configure a redundant redirect server.

See “Configuring a Redundant Redirect Server (C-Web Interface)” on page 29.

Related Documentation

• Traffic Redirection Overview

• Redirect Server Redundancy

• Configuring the Redirect Server (SRC CLI)

Configuring General Properties for the Redirect Server (SRC CLI)

Use the following configuration statements to configure general properties for the redirect server:

redirect-server {
    destination-url destination-url;
    tcp-port tcp-port;
    refresh;
}
redirect-server ipv6-redirect {
    tcp-port tcp-port;
}

To configure properties for the redirect server:

1. From configuration mode, access the configuration statement that configures the redirect server.

user@host# edit redirect-server

2. Specify the URL to which to send subscriber traffic.

[edit redirect-server]
user@host# set destination-url destination-url

3. (Optional) Specify the TCP port on which the redirect server runs. If you do not specify a TCP port, the redirect server runs on port 8800.

[edit redirect-server]
user@host# set tcp-port tcp-port

4. (Optional) Specify whether the redirect server sends an HTTP 200 OK response with an HTML document that includes the header to a subscriber’s browser in response to a captured request.

[edit redirect-server]
user@host# set refresh

If you do not use the refresh option, the redirect server sends an HTTP 302 Found response to a subscriber’s browser in response to a captured request.

Setting the refresh option decreases the load on the Web server because non-browser (or non-HTML) client applications that use HTTP do not follow this refresh message; however, most client applications do follow HTTP 302 messages.
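To confirm which of the two responses a redirect server is returning, and why a non-browser client stops at one of them, the following added example (not Juniper code) classifies a captured HTTP response. The page text omits the name of the header in the HTML document; this example assumes it is an HTML meta refresh element, and the function names and sample responses are constructed.

```python
import re
from html.parser import HTMLParser


class MetaRefreshFinder(HTMLParser):
    """Collects the target of the first <meta http-equiv="refresh"> element."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag != "meta" or self.target is not None:
            return
        if (attributes.get("http-equiv") or "").lower() != "refresh":
            return
        # content looks like "0; url=http://host/path"
        match = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)",
                          attributes.get("content") or "", re.IGNORECASE)
        if match:
            self.target = match.group(1)


def classify(raw_response: bytes):
    """Return (mode, destination) for a captured response."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status == 302 and "location" in headers:
        return ("http-302", headers["location"])
    if status == 200:
        finder = MetaRefreshFinder()
        finder.feed(body.decode("utf-8", "replace"))
        if finder.target:
            return ("refresh", finder.target)
    return ("not-redirected", None)


def followed_by_non_browser_client(raw_response: bytes) -> bool:
    """A client that does not parse HTML acts only on the status line and
    Location header, so it follows the 302 form but not the refresh form."""
    return classify(raw_response)[0] == "http-302"


# Constructed sample responses; portal.example is a placeholder host.
RESP_302 = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://portal.example/login\r\n"
            b"Content-Length: 0\r\n\r\n")
RESP_REFRESH = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b'<html><head><meta http-equiv="refresh" '
                b'content="0; url=http://portal.example/login">'
                b"</head><body></body></html>")
RESP_PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body>ok</body></html>")

if __name__ == "__main__":
    for sample in (RESP_302, RESP_REFRESH, RESP_PLAIN):
        print(classify(sample), followed_by_non_browser_client(sample))
```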

To configure IPv6 general properties for the redirect server:

1. From configuration mode, access the configuration statement that configures the IPv6 general properties for the redirect server.

user@host# edit redirect-server ipv6-redirect

2. (Optional) Specify the TCP port on which the redirect server runs. If you do not specify a TCP port, the redirect server runs on port 8900.

[edit redirect-server ipv6-redirect]
user@host# set tcp-port tcp-port

Copyright © 2018, Juniper Networks, Inc. 13 Subscriber Traffic Redirection

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Configuring General Properties for the Redirect Server (C-Web Interface) on page 14

• Verifying Configuration for the Redirect Server (SRC CLI) on page 35

• Traffic Redirection Overview on page 3

Configuring General Properties for the Redirect Server (C-Web Interface)

To configure general properties for the redirect server:

1. Click Configure>Redirect Server.

The Redirect Server pane appears.

2. Enter information as described in the Help text in the main pane, and click Apply.

Related Documentation

• Traffic Redirection Overview on page 3

• Configuring the Redirect Server (C-Web Interface) on page 11

Configuring a Connection Between the Redirect Server and the Directory (SRC CLI)

Use the following configuration statements to configure a connection between the redirect server and the directory:

redirect-server ldap {
    url url;
    bind-dn bind-dn;
    bind-password bind-password;
    base-dn base-dn;
}

To configure a connection between the redirect server and the directory:

1. From configuration mode, access the configuration statement that configures the connection.

user@host# edit redirect-server ldap

2. List the URLs for directories employed by the redirect server.

[edit redirect-server ldap]
user@host# set url url

For each URL, use the format:


ldap://:

where is the IP address or hostname of the directory host and is the TCP port

3. Specify the DN that the redirect server uses to authorize connections to the directory.

[edit redirect-server ldap]
user@host# set bind-dn bind-dn

The DN must have authorization to read from o=network, o=umc in the directory.

4. Specify the password that the redirect server uses to bind to the directory.

[edit redirect-server ldap]
user@host# set bind-password bind-password

5. Specify the base DN that is the root of the directory tree.

[edit redirect-server ldap]
user@host# set base-dn base-dn

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface) on page 15

• Verifying Configuration for the Redirect Server (SRC CLI) on page 35

• Traffic Redirection Overview on page 3

Configuring a Connection Between the Redirect Server and the Directory (C-Web Interface)

To configure a connection between the redirect server and the directory:

1. Click Configure, expand Redirect Server, then click Ldap.

The Ldap pane appears.

2. Enter information as described in the Help text in the main pane, and click Apply to trigger an automatic commit.

Related Documentation

• Traffic Redirection Overview on page 3

• Configuring the Redirect Server (C-Web Interface) on page 11


Defining Traffic to Transmit to the Redirect Server (SRC CLI)

You can define traffic to be forwarded to the redirect server by identifying the destination port number (typically, HTTP port 80 and HTTPS port 443 for Web requests) for packets and the physical interface on a C Series Controller from which subscriber traffic is forwarded to the redirect server. In most cases you can accept the default values for configuration for IP redirection. If you do not specify an interface, traffic is accepted on all interfaces.

Use the following configuration statements to define traffic to transmit to the redirect server:

redirect-server ip-redirect {
    interface interface;
    port port;
    https-port https-port;
}

To change the values of the port for traffic and/or the C Series interface on which traffic is forwarded to the redirect server:

1. From configuration mode, access the configuration statement that configures IP redirection for the redirect server.

user@host# edit redirect-server ip-redirect

2. (Optional) Specify one or more interfaces on which subscriber traffic is forwarded from the B-RAS to the C Series Controller.

[edit redirect-server ip-redirect]
user@host# set interface interface

If you do not specify an interface, the C Series Controller accepts traffic from all interfaces.

NOTE: The interface configuration applies only to IPv4 traffic. The C Series Controller accepts IPv6 traffic from all interfaces even if you have configured an interface.

3. (Optional) Specify the TCP port of the redirected traffic. If you do not specify a port, the redirect server uses port 80 (HTTP).

[edit redirect-server ip-redirect]
user@host# set port port

4. (Optional) Specify the HTTPS port of the redirected traffic. If you do not specify an HTTPS port, the redirect server uses port 443.

[edit redirect-server ip-redirect]
user@host# set https-port https-port

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Defining Traffic to Transmit to the Redirect Server (C-Web Interface) on page 17

• Verifying Configuration for the Redirect Server (SRC CLI) on page 35

• Traffic Redirection Overview on page 3

Defining Traffic to Transmit to the Redirect Server (C-Web Interface)

You can define traffic to be forwarded to the redirect server by identifying the destination port number (typically, port 80 for Web requests) for packets and the physical interface on a C Series Controller from which subscriber traffic is forwarded to the redirect server. In most cases you can accept the default values for configuration for IP redirection. If you do not specify an interface, traffic is accepted on all interfaces.

To change the values of the port for traffic and/or the C Series interface on which traffic is forwarded to the redirect server:

1. Click Configure, expand Redirect Server, and then click IP Redirect.

The IP Redirect pane appears.

2. Click the Create button.

The IP Redirect pane reappears.

3. Enter the information as described in the Help text in the main pane, and click Apply.

Related Documentation

• Traffic Redirection Overview on page 3

• Configuring the Redirect Server (C-Web Interface) on page 11

Changing the Number of Requests That the Redirect Server Accepts (SRC CLI)

If you want to change the number of redirection requests that the redirect server accepts, change the values for the request rates and the client rates.

Use the following configuration statements to configure the number of requests that the redirect server accepts:

redirect-server {
    request-rate request-rate;
    request-burst-size request-burst-size;
    client-rate client-rate;
    client-burst-size client-burst-size;
}

To configure the number of redirection requests that the redirect server can accept:


1. From configuration mode, access the configuration statement that configures the redirect server.

user@host# edit redirect-server

2. Specify the number of requests that the redirect server can accept per minute from all clients (global sustained rate).

[edit redirect-server]
user@host# set request-rate request-rate

3. Specify the maximum number of requests that the redirect server can accept from all clients (burst size).

[edit redirect-server]
user@host# set request-burst-size request-burst-size

This value should exceed the value for the request rate. If the value for the request rate exceeds this value, the redirect server drops the excess requests.

4. Specify the number of requests that the redirect server can accept per minute for a single client (per-client sustained rate).

[edit redirect-server]
user@host# set client-rate client-rate

5. Specify the maximum number of requests that the redirect server can accept for a single client (per-client burst size).

[edit redirect-server]
user@host# set client-burst-size client-burst-size

This value should exceed the value for the client rate.
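An added example, not Juniper code: a Python model of how a sustained rate and a burst size interact at the global and per-client level, with counters named after the redirect server statistics. The bucket mechanics, the class and function names, and the traffic pattern are assumptions made for illustration.

```python
"""Two-level rate limiter modelled on the four redirect-server settings.

Illustrative model only: the bucket mechanics are an assumption, not
Juniper's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    rate_per_min: float  # sustained rate (request-rate or client-rate)
    burst: float         # capacity (request-burst-size or client-burst-size)
    level: float = 0.0   # requests currently held in the bucket
    last: float = 0.0    # time of the last update, in seconds

    def drain(self, now: float) -> None:
        """Leak at the sustained rate for the time elapsed since `last`."""
        leaked = (now - self.last) * self.rate_per_min / 60.0
        self.level = max(0.0, self.level - leaked)
        self.last = now

    def has_room(self, now: float) -> bool:
        self.drain(now)
        return self.level + 1.0 <= self.burst


@dataclass
class RedirectLimiter:
    request_rate: float
    request_burst_size: float
    client_rate: float
    client_burst_size: float
    accepted: int = 0
    rejected: int = 0
    user_limits_reached: int = 0
    global_limits_reached: int = 0
    clients: dict = field(default_factory=dict)  # one bucket per client address

    def __post_init__(self) -> None:
        self.all_clients = Bucket(self.request_rate, self.request_burst_size)

    def allow(self, client: str, now: float) -> bool:
        bucket = self.clients.get(client)
        if bucket is None:
            bucket = Bucket(self.client_rate, self.client_burst_size, last=now)
            self.clients[client] = bucket
        # Per-client check first, so one noisy client is rejected without
        # consuming capacity that other subscribers need.
        if not bucket.has_room(now):
            self.user_limits_reached += 1
            self.rejected += 1
            return False
        if not self.all_clients.has_room(now):
            self.global_limits_reached += 1
            self.rejected += 1
            return False
        bucket.level += 1.0
        self.all_clients.level += 1.0
        self.accepted += 1
        return True

    def prune(self, now: float) -> int:
        """Drop fully drained per-client buckets so state stays bounded."""
        idle = []
        for client, bucket in self.clients.items():
            bucket.drain(now)
            if bucket.level == 0.0:
                idle.append(client)
        for client in idle:
            del self.clients[client]
        return len(idle)

    def statistics(self) -> dict:
        return {
            "Accepted requests": self.accepted,
            "Rejected requests": self.rejected,
            "Number of user-limit leaky buckets": len(self.clients),
            "Number of user limits reached": self.user_limits_reached,
            "Number of global limits reached": self.global_limits_reached,
        }


def simulate() -> dict:
    """Constructed traffic: one noisy client, then 20 single-request clients."""
    limiter = RedirectLimiter(request_rate=12, request_burst_size=20,
                              client_rate=3, client_burst_size=5)
    for _ in range(10):                 # burst of 10 requests at t = 0 s
        limiter.allow("198.51.100.7", 0.0)
    for _ in range(4):                  # 4 more from the same client at t = 40 s
        limiter.allow("198.51.100.7", 40.0)
    for n in range(20):                 # 20 other clients, one request each
        limiter.allow(f"203.0.113.{n + 1}", 40.0)
    return limiter.statistics()


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

In this model the burst size caps how many requests are accepted back to back, and the per-minute rate decides how quickly that capacity returns.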

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface) on page 19

• Verifying Configuration for the Redirect Server (SRC CLI) on page 35

• Traffic Redirection Overview on page 3


Changing the Number of Requests That the Redirect Server Accepts (C-Web Interface)

If you want to change the number of redirection requests that the redirect server accepts, change the values for the request rates and the client rates.

To configure the number of redirection requests that the redirect server can accept:

1. Click Configure>Redirect Server.

The Redirect Server pane appears.

2. Change the values in the following boxes as described in the Help text in the main pane:

• Request Rate

• Request Burst Size

• Client Rate

• Client Burst Size

3. Click Apply.

Related Documentation

• Traffic Redirection Overview on page 3

• Configuring the Redirect Server (C-Web Interface) on page 11

Specifying Extensions for Files That the Redirect Server Accepts (SRC CLI)

If you do not specify the types of files that the redirect server accepts, the redirect server accepts all file types. You can identify file types by specifying the file extensions for the files that the redirect server is to accept.

Use the following configuration statements to configure the file extensions that the redirect server accepts:

redirect-server {
    check-file-extensions;
    file-extensions file-extensions;
}

To specify the extensions for the types of files accepted by the redirect server:

1. From configuration mode, access the configuration statement that configures the redirect server.

user@host# edit redirect-server


2. Specify whether the redirect server should accept only URLs that point to files that have standard file extensions—, .asp, .htm, .html, .jsp, .php, .shtm, .shtml, and .xml.

[edit redirect-server]
user@host# set check-file-extensions

If you enable check-file-extensions and the file does not have a standard file extension, the redirect server returns an HTTP 403 Forbidden message.

3. List file extensions to augment the standard file extensions you configured. Precede each extension with a period. Make sure that you specify the correct case for each character; entries are case-sensitive.

[edit redirect-server]
user@host# set file-extensions file-extensions

Separate file extensions with commas. For example:

set file-extensions .cgi,.aspx

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface) on page 20

• Verifying Configuration for the Redirect Server (SRC CLI) on page 35

• Traffic Redirection Overview on page 3

Specifying Extensions for Files That the Redirect Server Accepts (C-Web Interface)

If you do not specify the types of files that the redirect server accepts, the redirect server accepts all file types. You can identify file types by specifying the file extensions for the files that the redirect server is to accept.

To specify the extensions for the types of files accepted by the redirect server:

1. Click Configure>Redirect Server.

The Redirect Server pane appears.

2. To enable or disable checking file extensions, clear or select the Check File Extensions box as described in the Help Text in the main pane.

3. Click Apply.

Related Documentation

• Traffic Redirection Overview on page 3

• Configuring the Redirect Server (C-Web Interface) on page 11


Configuring the DNS Server for the Redirect Server (SRC CLI)

A DNS server is required to support HTTP proxies to resolve the name of any HTTP proxy, even if the name is valid only in the private domain of the client. You can use an external DNS or the DNS server that is included with the redirect server for this purpose.

If you plan to use an external DNS server, you can skip this section. This section describes how to configure the DNS server that is included with the redirect server.

Use the following configuration statements to configure the DNS server that is included with the redirect server:

redirect-server dns {
    enable;
    tcp-port tcp-port;
    udp-port udp-port;
    forwarder forwarder;
    error-ip-address error-ip-address;
}

To configure the DNS server that is included with the redirect server:

1. From configuration mode, access the configuration statement that configures DNS for the redirect server.

user@host# edit redirect-server dns

2. Enable DNS for the redirect server.

[edit redirect-server dns]
user@host# set enable

3. Specify the TCP port on which the DNS server listens.

If you set the value to 0, no TCP socket is opened.

[edit redirect-server dns]
user@host# set tcp-port tcp-port

4. Specify the UDP port on which the DNS server listens.

[edit redirect-server dns]
user@host# set udp-port udp-port

5. Specify the IP addresses of DNS servers to which resolution requests are forwarded; use commas to separate addresses, but do not add a space after the comma.


[edit redirect-server dns]
user@host# set forwarder forwarder

For example:

[edit redirect-server dns]
user@host# set forwarder 192.0.2.24,192.0.4.25

If you do not specify DNS servers, DNS resolves incoming requests by using the normal DNS method.

6. Specify the IP address that is returned when a DNS request results in an unknown name (NXDOMAIN) error.

[edit redirect-server dns]
user@host# set error-ip-address error-ip-address

Related Documentation

• Configuring the DNS Server for the Redirect Server (C-Web Interface) on page 22

• Before You Configure the Redirect Server on a C Series Controller on page 10

• Configuring the Redirect Server (SRC CLI) on page 10

• Traffic Redirection Overview on page 3

Configuring the DNS Server for the Redirect Server (C-Web Interface)

A DNS server is required to support HTTP proxies to resolve the name of any HTTP proxy, even if the name is valid only in the private domain of the client. You can use an external DNS or the DNS server that is included with the redirect server for this purpose.

NOTE: If you plan to use an external DNS server, do not follow this procedure.

The following procedure describes how to configure the DNS server that is included with the redirect server.

Proxy support must be enabled before configuring the DNS server. See “Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface)” on page 24.

To configure the DNS server that is included with the redirect server:

1. Click Configure, expand Redirect Server, and click DNS.

The DNS pane appears.

2. Enter information as described in the Help text in the main pane, and click Apply.


Related Documentation

• Traffic Redirection Overview on page 3

• Configuring the Redirect Server (C-Web Interface) on page 11

Configuring the Redirect Server to Support HTTP Proxies (SRC CLI)

Support for proxy requests is an optional feature of the redirect server. If you configure proxy support, you must also have DNS configured. You can use DNS servers already installed on your network, or use the server included with the SRC software.

Use the following configuration statements to configure the redirect server to support HTTP proxies:

redirect-server {
    proxy-support;
    proxy-destination-url proxy-destination-url;
}

To configure the redirect server to support HTTP proxies:

1. From configuration mode, access the configuration statement that configures the redirect server.

user@host# edit redirect-server

2. Enable HTTP proxy support.

[edit redirect-server]
user@host# set proxy-support

3. Specify the URL sent as a response to proxy requests.

[edit redirect-server]
user@host# set proxy-destination-url proxy-destination-url

If you do not configure a value, then the URL defaults to the redir.url value. You can use this property to send proxy requests to a page different from the direct request page on the captive portal.

For information about configuring the DNS server included with the SRC software, see “Configuring the DNS Server for the Redirect Server (SRC CLI)” on page 21.

Related Documentation

• Before You Configure the Redirect Server on a C Series Controller on page 10

• Configuring the Redirect Server (SRC CLI) on page 10

• Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface) on page 24

• Traffic Redirection Overview on page 3


Configuring the Redirect Server to Support HTTP Proxies (C-Web Interface)

Support for proxy requests is an optional feature of the redirect server. If you configure proxy support, you must also have DNS configured. You can use DNS servers already installed on your network, or use the server included with the SRC software.

To configure the redirect server to support HTTP proxies:

1. Click Configure>Redirect Server.

The Redirect Server pane appears.

2. Clear the Proxy Support check box to disable HTTP proxy support. Select the check box to enable HTTP proxy support. Refer to the information in the Help text in the main pane.

3. In the Destination Url box, type the URL sent as a response to proxy requests.

4. Click Apply.

Related Documentation

• Traffic Redirection Overview on page 3

• Configuring the Redirect Server (C-Web Interface) on page 11

• For information about configuring the DNS server included with the SRC module, see Configuring the DNS Server for the Redirect Server (C-Web Interface) on page 22

Configuring Redirect Server to Support HTTPS Traffic (SRC CLI)

The SRC software can redirect HTTPS IP traffic to a configured destination Web server by using the redirect server. The SRC software intercepts the IP traffic at port 443 and forwards it to the port on which the redirect server is configured to listen for HTTPS IP traffic. The redirect server accepts HTTPS IP traffic only from the ports that you configured by using the https-port option at the [edit redirect-server ip-redirect] hierarchy level.

Before you set up redirection for HTTPS IP traffic, you must create a certificate with the domain name of the URL.

NOTE: Whenever you open an HTTPS page, the browser displays a security warning about the mismatch between the common name of the certificate and the domain name of the URL until you add an exception for the certificate in the browser.


Use the following statements to configure the redirect server to support HTTPS IP traffic:

redirect-server https {
    port port;
    certificate-identifier certificate-identifier;
    protocol (SSLv23 | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2);
}
redirect-server ipv6-redirect https {
    port port;
    certificate-identifier certificate-identifier;
    protocol (SSLv23 | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2);
}

To configure the redirect server to support HTTPS IPv4 traffic:

1. In configuration mode, enter the configuration statement that enables the SRC redirect server to redirect HTTPS IPv4 traffic to a configured destination Web server.

[edit]
user@host# edit redirect-server https

2. Configure the HTTPS port on which the redirect server runs.

[edit redirect-server https]
user@host# set port port

3. Configure the imported Secure Sockets Layer (SSL) certificate. To import the SSL certificate, use the request security import-certificate command.

For information about manually obtaining certificates, see Manually Obtaining Digital Certificates (SRC CLI).

[edit redirect-server https]
user@host# set certificate-identifier certificate-identifier

4. Configure the secure connection protocol to be used by the redirect server for IPv4 traffic. The default protocol is TLSv1.

[edit redirect-server https]
user@host# set protocol (SSLv23 | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2)

NOTE: SSLv2 is not supported as of the SRC 4.12 release. If you configured SSLv2 in the previous SRC release, when you upgrade to the SRC 4.12 release you must change this option to a supported version (SSLv23, TLSv1, TLSv1.1, or TLSv1.2) and then restart the redirect server. We recommend that you configure TLSv1.2 to avoid vulnerabilities.


To configure the redirect server to support HTTPS IPv6 traffic:

1. In configuration mode, enter the configuration statement that enables the SRC redirect server to redirect HTTPS IPv6 traffic to a configured destination Web server.

[edit]
user@host# edit redirect-server ipv6-redirect https

2. Configure the HTTPS port on which the redirect server runs.

[edit redirect-server ipv6-redirect https]
user@host# set port port

3. Configure the imported Secure Sockets Layer (SSL) certificate. To import the SSL certificate, use the request security import-certificate command.

For information about manually obtaining certificates, see Manually Obtaining Digital Certificates (SRC CLI).

[edit redirect-server ipv6-redirect https]
user@host# set certificate-identifier certificate-identifier

4. Configure the secure connection protocol to be used by the redirect server for IPv6 traffic. The default protocol is TLSv1.

[edit redirect-server ipv6-redirect https]
user@host# set protocol (SSLv23 | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2)

Related Documentation

• Configuration Statements for the Redirect Server (SRC CLI) on page 31

• Defining Traffic to Transmit to the Redirect Server (SRC CLI) on page 16

• Commands to Manage Digital Certificates

Before You Configure Redundancy for a Redirect Server

If you plan to use a redundant configuration for the redirect server, ensure that:

• If you use a next-hop address for policies that capture Web traffic and send it to the redirect server, the virtual IP address to be used is also the next-hop address.

• The redirect server has SNMP write access to the virtual routers connected to it. Each VR must have at least a write community configured. (The static route from the virtual IP address to the server’s real IP address is installed on the router through SNMP.)

• If additional access controls are enabled on the JunosE router, the hosts on which the redirect server runs must be included.


Related Documentation

• Configuring a Redundant Redirect Server (SRC CLI) on page 27

• Configuring a Redundant Redirect Server (C-Web Interface) on page 29

• Traffic Redirection Overview on page 3

• Redirect Server Redundancy on page 5

Configuring a Redundant Redirect Server (SRC CLI)

Although configuration of a redundant redirect server is optional, we recommend that you configure redundancy to maintain high availability for the server.

Before you configure the redirect server, review configuration prerequisites. See “Before You Configure Redundancy for a Redirect Server” on page 26.

Use the following configuration statements to configure redundancy for the redirect server:

redirect-server {
    redundancy;
}
redirect-server monitor {
    redundant-host-ip-address redundant-host-ip-address;
    virtual-ip-address virtual-ip-address;
    real-ip-address real-ip-address;
    primary-server;
    check-interval check-interval;
    virtual-routers virtual-routers;
}

To configure redundancy for the redirect server:

1. From configuration mode, access the configuration statement that configures the redirect server.

user@host# edit redirect-server

2. Enable redundancy for the redirect server.

[edit redirect-server]
user@host# set redundancy

3. Configure redundancy properties for the redirect server.

[edit redirect-server]
user@host# edit monitor


4. Configure the IP address or hostname of the redundant redirect server.

[edit redirect-server monitor]
user@host# set redundant-host-ip-address redundant-host-ip-address

5. Configure the virtual IP address of the redirect server.

[edit redirect-server monitor]
user@host# set virtual-ip-address virtual-ip-address

6. Configure the real IP address of the redirect server.

[edit redirect-server monitor]
user@host# set real-ip-address real-ip-address

When a primary redirect server is started, it dynamically establishes and maintains a static route on the client router to which it connects. The static route directs traffic destined for the virtual IP address of the server to the real IP address of the active redirect server.

7. (Optional) Set the system on which you enter the command as the primary redirect server.

[edit redirect-server monitor]
user@host# set primary-server

8. (Optional) Set the interval at which the redirect server polls the redundant redirect server.

[edit redirect-server monitor]
user@host# set check-interval check-interval

A shorter interval leads to faster detection of problems but results in higher consumption of CPU resources.

9. List the virtual routers to which the redirect server connects.

[edit redirect-server monitor]
user@host# set virtual-routers vrName@routerName, vrName@routerName ...

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Configuring the Virtual IP Address (SRC CLI)

• Configuring a Redundant Redirect Server (C-Web Interface) on page 29


• Traffic Redirection Overview on page 3

• Redirect Server Redundancy on page 5

Configuring a Redundant Redirect Server (C-Web Interface)

Although configuration of a redundant redirect server is optional, we recommend that you configure redundancy to maintain high availability for the server.

Before you configure the redirect server, review configuration prerequisites. See “Before You Configure Redundancy for a Redirect Server” on page 26.

To configure redundancy for the redirect server:

1. Click Configure>Redirect Server.

The Redirect Server pane appears.

2. To enable or disable redundancy for the redirect server, clear (or select) the Redundancy checkbox as described in the Help text in the main pane.

Related Documentation

• Traffic Redirection Overview on page 3

• Redirect Server Redundancy on page 5

• Configuring the Redirect Server (C-Web Interface) on page 11

• Configuring a Redundant Redirect Server (SRC CLI) on page 27

Configuring Logging for the Redirect Server

The redirect server logs incoming HTTP and HTTPS requests through system log with a priority of INFO and log facility of LOCAL7.

Related Documentation

• Configuring an SRC Component to Store Log Messages in a File (SRC CLI)

• Configuring System Logging (SRC CLI)

Enabling the Redirect Server

To enable the redirect server:

user@host> enable component redir

Related Documentation

• Before You Configure the Redirect Server on a C Series Controller on page 10

• Configuring the Redirect Server (SRC CLI) on page 10

• Traffic Redirection Overview on page 3


Changing the Configuration for the Redirect Server

When you change the configuration for the redirect server and commit that configuration, the redirect server is automatically restarted.

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Traffic Redirection Overview on page 3

CHAPTER 3 Configuration Statements

• Configuration Statements for the Redirect Server (SRC CLI) on page 31

Configuration Statements for the Redirect Server (SRC CLI)

Use the following configuration statements to configure the redirect server at the [edit] hierarchy level.

redirect-server {
    tcp-port tcp-port;
    destination-url destination-url;
    proxy-support;
    proxy-destination-url proxy-destination-url;
    refresh;
    request-rate request-rate;
    request-burst-size request-burst-size;
    client-rate client-rate;
    client-burst-size client-burst-size;
    check-file-extensions;
    file-extensions file-extensions;
    redundancy;
}
redirect-server https {
    port port;
    certificate-identifier certificate-identifier;
    protocol (SSLv2 | SSLv23 | SSLv3 | TLSv1);
}
redirect-server ip-redirect {
    interface interface;
    port port;
    https-port https-port;
}
redirect-server ipv6-redirect {
    tcp-port tcp-port;
}
redirect-server ipv6-redirect https {
    port port;
    certificate-identifier certificate-identifier;
    protocol (SSLv2 | SSLv23 | SSLv3 | TLSv1);
}
redirect-server ldap {
    url url;
    bind-dn bind-dn;
    bind-password bind-password;
    base-dn base-dn;
}
redirect-server dns {
    enable;
    tcp-port tcp-port;
    udp-port udp-port;
    forwarder forwarder;
    error-ip-address error-ip-address;
}
redirect-server monitor {
    redundant-host-ip-address redundant-host-ip-address;
    virtual-ip-address virtual-ip-address;
    real-ip-address real-ip-address;
    primary-server;
    check-interval check-interval;
    virtual-routers virtual-routers;
}

For detailed information about each configuration statement, see the SRC PE CLI Command Reference.

Related Documentation

• Traffic Redirection Overview on page 3

• Configuring the Redirect Server (SRC CLI) on page 10

PART 3 Administration

• Management Tasks on page 35

• Monitoring the Redirect Server on page 37

• Routine Monitoring on page 41


CHAPTER 4 Management Tasks

• Verifying Configuration for the Redirect Server (SRC CLI) on page 35

• Assessing Load for Redirect Server (C-Web Interface) on page 36

Verifying Configuration for the Redirect Server (SRC CLI)

Purpose Verify the configuration for the redirect server.

Action At the [edit redirect-server] hierarchy level, enter the show command:

[edit redirect-server]
user@host# show
client-burst-size 5000;
client-rate 3000;
destination-url http://www.mycompany.com/default.html;
https {
    certificate-identifier certificate1;
    port 8443;
    protocol TLSv1;
}
ip-redirect {
    https_port 443;
    port 80;
}
ipv6-redirect {
    https {
        certificate-identifier certificate2;
        port 8600;
        protocol TLSv1;
    }
    tcp-port 8900;
}
refresh;
refresh-document etc/refresh.html;
request-burst-size 18000;
request-rate 12000;
tcp-port 8800;
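An added example, not part of the Juniper guide: a Python check that parses saved show output such as the sample above and reports settings that differ from what this guide recommends or states (TLSv1.2 for HTTPS, burst sizes that exceed their rates, file-extension checking). The function names parse_config and audit are hypothetical, and the checks cover only points made in this guide.

```python
"""Audit saved `show` output from [edit redirect-server] (added example)."""
import re

RECOMMENDED_PROTOCOL = "TLSv1.2"  # the protocol this guide recommends
DEFAULT_PROTOCOL = "TLSv1"        # the default this guide states

# Sample input: the verification output shown in this guide.
SHOW_OUTPUT = """
client-burst-size 5000; client-rate 3000;
destination-url http://www.mycompany.com/default.html;
https { certificate-identifier certificate1; port 8443; protocol TLSv1; }
ip-redirect { https_port 443; port 80; }
ipv6-redirect {
    https { certificate-identifier certificate2; port 8600; protocol TLSv1; }
    tcp-port 8900;
}
refresh; refresh-document etc/refresh.html;
request-burst-size 18000; request-rate 12000; tcp-port 8800;
"""


def parse_config(text):
    """Parse brace-delimited statements into nested dicts."""
    root = {}
    stack = [root]
    words = []
    for token in re.findall(r"[{};]|[^\s{};]+", text):
        if token == "{":
            if not words:
                raise ValueError("block without a name")
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif token == "}":
            if len(stack) == 1 or words:
                raise ValueError("unbalanced '}' or missing ';'")
            stack.pop()
        elif token == ";":
            if words:
                # "refresh;" is a flag; "port 80;" is a key with a value.
                stack[-1][words[0]] = " ".join(words[1:]) or True
            words = []
        else:
            words.append(token)
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement")
    return root


def audit(cfg):
    """Return (hierarchy, message) findings for a parsed configuration."""
    findings = []
    https_blocks = {
        "redirect-server https": cfg.get("https"),
        "redirect-server ipv6-redirect https":
            cfg.get("ipv6-redirect", {}).get("https"),
    }
    for path, block in https_blocks.items():
        if block is None:
            continue  # HTTPS redirection is not configured at this level
        protocol = block.get("protocol", DEFAULT_PROTOCOL)
        if protocol != RECOMMENDED_PROTOCOL:
            findings.append((path, f"protocol {protocol}; the guide "
                                   f"recommends {RECOMMENDED_PROTOCOL}"))
    for rate, burst in (("request-rate", "request-burst-size"),
                        ("client-rate", "client-burst-size")):
        if rate in cfg and burst in cfg and int(cfg[burst]) <= int(cfg[rate]):
            findings.append(("redirect-server",
                             f"{burst} {cfg[burst]} does not exceed "
                             f"{rate} {cfg[rate]}"))
    if "check-file-extensions" not in cfg:
        findings.append(("redirect-server", "check-file-extensions is not "
                                            "set; all file types are accepted"))
    return findings


if __name__ == "__main__":
    for path, message in audit(parse_config(SHOW_OUTPUT)):
        print(f"[{path}] {message}")
```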

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Viewing Statistics for the Redirect Server (SRC CLI) on page 37


• Viewing Statistics About Filtered Traffic (SRC CLI) on page 38

• Traffic Redirection Overview on page 3

Assessing Load for Redirect Server (C-Web Interface)

Purpose View the number of requests sent to the redirect server, and whether the requests reach the configured limit for the server and for server users. You can then use this information to fine-tune the properties for redirect server.

Action 1. Click Monitor>Redirect Server>Statistics.

The Redirect Server Statistics pane appears.

2. From the Output Style list, select an output style as described in the Help text in the main pane.

3. Click OK. The Redirect Server pane displays the following statistics:

• Uptime

• Accepted requests

• Rejected requests

• Number of user-limit leaky buckets

• Number of user limits reached

• Number of global limits reached

You can also obtain statistics for redirect server through SNMP. The name of the MIB for redirect server is Juniper-SDX-REDIRECTOR-MIB.

Related Documentation

• Configuring General Properties for the Redirect Server (SRC CLI) on page 12

• Viewing Statistics for the Redirect Server (C-Web Interface) on page 37

• Viewing Information for Filtered Traffic (C-Web Interface) on page 39

• Traffic Redirection Overview on page 3

CHAPTER 5 Monitoring the Redirect Server

• Viewing Statistics for the Redirect Server (SRC CLI) on page 37

• Viewing Statistics for the Redirect Server (C-Web Interface) on page 37

• Viewing Statistics About Filtered Traffic (SRC CLI) on page 38

• Viewing Information for Filtered Traffic (C-Web Interface) on page 39

Viewing Statistics for the Redirect Server (SRC CLI)

Purpose

View statistics for the redirect server.

Action

user@host> show redirect-server statistics

Redirect Server
Uptime: 1270724.713 s
Accepted Requests: 25
Rejected Requests: 0
User limit leaky buckets: 0
User limits reached: 0
Global limits reached: 0
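A single reading of these counters does not show whether a limit is being reached now, so the Python sketch below compares two samples of the command output and reports which limit was reached in between. It is an added example, not Juniper code: the second sample is constructed, and it assumes the counters accumulate from server start, that user limits correspond to client-rate and client-burst-size, and that global limits correspond to request-rate and request-burst-size.

```python
import re

# Labels printed by `show redirect-server statistics`, mapped to short keys.
FIELDS = {
    "Uptime": "uptime_s",
    "Accepted Requests": "accepted",
    "Rejected Requests": "rejected",
    "User limit leaky buckets": "user_buckets",
    "User limits reached": "user_limit_hits",
    "Global limits reached": "global_limit_hits",
}
_PATTERN = re.compile(r"(%s):\s*(\d+(?:\.\d+)?)" % "|".join(map(re.escape, FIELDS)))

def parse_stats(text):
    """Extract the six counters from line-per-field or flattened output."""
    stats = {FIELDS[label]: float(value) for label, value in _PATTERN.findall(text)}
    missing = sorted(set(FIELDS.values()) - set(stats))
    if missing:
        raise ValueError("missing counters: %s" % missing)
    return stats

def assess(before, after):
    """Diff two samples and report which limit, if any, was reached in between."""
    elapsed = after["uptime_s"] - before["uptime_s"]
    if elapsed < 0:
        return {"status": "restarted", "findings": []}  # counters were reset
    delta = {key: after[key] - before[key] for key in before}
    total = delta["accepted"] + delta["rejected"]
    findings = []
    # Assumed mapping of counters to properties (not stated on the page).
    if delta["user_limit_hits"] > 0:
        findings.append("user limit reached: review client-rate, client-burst-size")
    if delta["global_limit_hits"] > 0:
        findings.append("global limit reached: review request-rate, request-burst-size")
    return {
        "status": "limited" if findings else "ok",
        "requests_per_s": total / elapsed if elapsed else 0.0,
        "reject_ratio": delta["rejected"] / total if total else 0.0,
        "findings": findings,
    }

# FIRST is the output shown on this page; SECOND is constructed for the example.
FIRST = ("Redirect Server\nUptime: 1270724.713 s\nAccepted Requests: 25\n"
         "Rejected Requests: 0\nUser limit leaky buckets: 0\n"
         "User limits reached: 0\nGlobal limits reached: 0\n")
SECOND = ("Redirect Server\nUptime: 1270784.713 s\nAccepted Requests: 625\n"
          "Rejected Requests: 200\nUser limit leaky buckets: 3\n"
          "User limits reached: 200\nGlobal limits reached: 0\n")
print(assess(parse_stats(FIRST), parse_stats(SECOND)))
```

A sustained nonzero reject ratio with only user limits reached points at a few heavy clients rather than at overall load on the server.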

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Viewing Statistics About Filtered Traffic (SRC CLI) on page 38

• Viewing Statistics for the Redirect Server (C-Web Interface) on page 37

• Traffic Redirection Overview on page 3

Viewing Statistics for the Redirect Server (C-Web Interface)

Purpose

View statistics for the redirect server.

Action

1. Click Monitor>Redirect Server>Statistics.

The Statistics pane appears.

Figure 2: C-Web Interface for Monitoring Redirect Server Statistics

2. Select a style from the Output Style list.

3. Click OK.

The Statistics pane displays the redirect server statistics.

Related Documentation

• Configuring General Properties for the Redirect Server (C-Web Interface) on page 14

• Configuring the Redirect Server (C-Web Interface) on page 11

• Viewing Statistics for the Redirect Server (SRC CLI) on page 37

• Viewing Information for Filtered Traffic (C-Web Interface) on page 39

• Traffic Redirection Overview on page 3

Viewing Statistics About Filtered Traffic (SRC CLI)

Purpose

You can obtain information about the packets filtered on a C Series Controller by accessing statistics for the iptables Linux tool. You can also reset the counters for this tool.

Action

To view information about packet filtering on a C Series Controller:

user@host> show iptables

Where:

• nat—Displays information for the nat table for the iptables tool. The nat table provides rules for rewriting packet addresses.

• filter—Displays information for the filter table for the iptables tool. The filter table provides rules for defining packet filters.

• mangle—Displays information for the mangle table for the iptables tool. The mangle table provides rules for adjusting packet options, such as quality of service.

For example:

user@host> show iptables

Chain INPUT (policy ACCEPT 25M packets, 9401M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 24M packets, 4506M bytes)
 pkts bytes target     prot opt in     out     source               destination

reset-counters

To reset the values in the output for the show iptables command:

user@host> show iptables reset counters

Related Documentation

• Configuring the Redirect Server (SRC CLI) on page 10

• Defining Traffic to Transmit to the Redirect Server (SRC CLI) on page 16

• Viewing Statistics for the Redirect Server (SRC CLI) on page 37

• Viewing Information for Filtered Traffic (C-Web Interface) on page 39

• Traffic Redirection Overview on page 3

Viewing Information for Filtered Traffic (C-Web Interface)

Purpose

View information about filtered traffic with the iptables Linux tool when you are using C-Web to monitor the C Series Controller.

Action

To view information about the filtered traffic:

1. Click Monitor>Iptables.

The Iptables pane appears.

Figure 3: C-Web Interface for Monitoring Filtered Traffic

2. Select the type of table that you want to display from the Table list:

• nat—Displays information for the iptables NAT table

• filter—Displays information for the iptables filter table

• mangle—Displays information for the iptables mangle table

3. Select the Reset Counters check box to reset the counters of items in the output.

4. Click OK.

The Iptables pane displays information about filtered traffic.

Related Documentation

• Defining Traffic to Transmit to the Redirect Server (C-Web Interface) on page 17

• Configuring the Redirect Server (C-Web Interface) on page 11

• Viewing Statistics About Filtered Traffic (SRC CLI) on page 38

• Viewing Statistics for the Redirect Server (C-Web Interface) on page 37

• Traffic Redirection Overview on page 3

CHAPTER 6 Routine Monitoring

• Viewing Information About Components Installed (SRC CLI) on page 41

• Viewing Information About Components Installed (C-Web Interface) on page 42

Viewing Information About Components Installed (SRC CLI)

Purpose

View release and status information for SRC components installed on a system.

Action

user@host> show component

Installed Components
Name       Version                                      Status
acp        Release: 7.8 Build: ACP.A.MAIN.1480          disabled
activity   Release: 7.8 Build: ACTIVITY.A.MAIN.1480     running
agent      Release: 7.8 Build: SYSMAN.A.MAIN.1480       disabled
appsvr     Release: 7.8 Build: JBOSS.A.MAIN.1480        disabled
cli        Release: MAIN Build: CLI.A.MAIN.1480         running
diameter   Release: 7.8 Build: DIAMETER.A.MAIN.1480     running
dsa        Release: 7.8 Build: GATEWAYAPPS.A.MAIN.1480  disabled
editor     Release: 7.8 Build: EDITOR.A.MAIN.1480       running
extsubmon  Release: 7.8 Build: MONAGENT.A.MAIN.1480     disabled
gw-3gpp    Release: 7.8 Build: 3GPPGW.A.MAIN.1480       disabled
gy-3gpp    Release: 7.8 Build: 3GPPGY.A.MAIN.1480       running
ims        Release: 7.8 Build: IMS.A.MAIN.1480          disabled
jdb        Release: 7.8 Build: DIRXA.A.MAIN.1480        running
licSvr     Release: 7.8 Build: LICSVR.A.MAIN.1480       disabled
naming     Release: 7.8 Build: NAMING.A.MAIN.1480       running
nic        Release: 7.8 Build: GATEWAY.A.MAIN.1480      running
redir      Release: 7.8 Build: REDIR.A.MAIN.1480        disabled
sae        Release: 7.8 Build: SAE.A.MAIN.1480          running
sic        Release: 7.8 Build: SICCLI.A.MAIN.1480       disabled
vta        Release: 7.8 Build: VTA.A.MAIN.1480          disabled
webadm     Release: 7.8 Build: WEBADM.A.MAIN.1480       disabled

Meaning

Table 4 on page 42 describes the output fields for the show component command. Output fields are listed in the order in which they appear.

Table 4: Output Fields for show component

Field Name   Field Description
Name         Name of the component
Version      Version of the component
Status       State of the component, running or disabled

Related Documentation

• Viewing Information About Components Installed (C-Web Interface) on page 42

• Viewing C Series Controller Information

• Directories on the C Series Controller

Viewing Information About Components Installed (C-Web Interface)

Purpose

View the installed SRC components.

Action

Click Monitor>Component.

The Component pane displays the status of each installed component.

Figure 4: C-Web Interface for Monitoring SRC Components Status

Related Documentation

• Viewing Information About Components Installed (SRC CLI) on page 41

• Viewing C Series Controller Information

• Directories on the C Series Controller

PART 4 Troubleshooting

• Troubleshooting Procedures on page 45

CHAPTER 7 Troubleshooting Procedures

• Collecting Data with the Activity Monitor (SRC CLI) on page 45

• Collecting Data with the Activity Monitor (C-Web Interface) on page 46

• Viewing Graphs (C-Web Interface) on page 47

• Viewing Graphs from a Webpage on page 47

Collecting Data with the Activity Monitor (SRC CLI)

You can collect data with the Activity Monitor for specific components over a specified time and save them to a tar.gz file in the /opt/UMC/activity/var/diagnostic/* directory. You can view the exact file name and path after you execute the request support information command. Before you perform data collection with the Activity Monitor, make sure the filter for the specific components is enabled.

To perform data collection with the Activity Monitor:

• user@host> request support information

Some of the information retrieved includes:

• System log messages from the /var/log/messages/* directory.

• The configuration in text format, XML format, and set format.

• The hostname in the name of the diagnostic file.

To perform data collection for specific components:

• user@host> request support information component

where component is one of the following:

• acp—SRC Admission Control Plug-In

• activity—Activity Monitor

• agent—SNMP agent

• appsvr—Application server

• cli—SRC CLI

• diameter—Diameter application

• dsa—Dynamic Service Activator

• extsubmon—External Subscriber Monitor

• ims—IP multimedia subsystem

• jdb—Juniper Networks database

• licSvr—License server

• nic—Network information collector

• redir—Redirect server

• sae—SAE

• webadm—C-Web interface

To perform data collection for a specified number of days:

• user@host> request support information days

where days is in the range of 1–36500.

Related Documentation

• Before You Load a Configuration

• Viewing Graphs (C-Web Interface) on page 47

• Viewing Graphs from a Webpage on page 47

• Monitoring Activity on C Series Controllers

Collecting Data with the Activity Monitor (C-Web Interface)

You can collect data with the Activity Monitor for specific components over a specified time. Before you configure data collection for the Activity Monitor, make sure the Activity Monitor (activity), CLI (cli), and C-Web interface (webadm) components are enabled.

To perform data collection with the Activity Monitor:

1. Click Manage>Request>Support>Information.

The Support Information pane appears.

2. From the Components list, select the components you want to monitor, and click OK.

3. (Optional) Enter the number of days for which you want to collect data, and click OK.

Related Documentation

• Viewing Graphs (C-Web Interface) on page 47

• Viewing Graphs from a Webpage on page 47

• Monitoring Activity on C Series Controllers

Viewing Graphs (C-Web Interface)

You can display graphs for components for which the Activity Monitor has collected data.

To display graphs from the Activity Monitor with the C-Web interface:

1. Click Graphs.

2. In the side pane, select the component and the graph that you want to display.

The pane for selecting the time period displayed by the graph appears.

3. Select one of the preset values or enter the time range in the From and To boxes, and click OK.

The graphs appear.

Related Documentation

• Collecting Data with the Activity Monitor (C-Web Interface) on page 46

• Viewing Graphs from a Webpage on page 47

• Monitoring Activity on C Series Controllers

Viewing Graphs from a Webpage

You can display graphs for components for which the Activity Monitor has collected data from a webpage. Before you display these graphs, make sure the Activity Monitor (activity) and C-Web interface (webadm) components are enabled. For more secure displays, configure the C-Web interface to use HTTPS and use POST requests.

• Viewing Graphs for a Preset Time Period from a Webpage on page 47

• Viewing Graphs for Specified Time Periods from a Webpage on page 49

Viewing Graphs for a Preset Time Period from a Webpage

To display graphs with preset time periods from the Activity Monitor from a webpage:

http://ip-address/graph?&id=username&pw=password&name=graph-name&time=time-period

where

• ip-address—IP address of the C Series Controller

• username—Username used to log in to the C Series Controller

• password—Password used to log in to the C Series Controller

• graph-name—Name of graph to display in the format -, where is the name of the graph as specified in the C-Web interface in all lowercase letters with hyphens separating words

• time-period—Period of time that data was collected for display in a graph in the format

The is the number of , which are specified as one of the following values:

• m—minutes

• h—hours

• d—days

• w—weeks

• M—months

• y—years

For example, to view the CPU graph for the System component for the past 10 minutes on the C Series Controller called c2000 for the user admin:

http://c2000/graph?&id=admin&pw=secret&name=system-cpu&time=10m

The CPU Usage graph appears.

Figure 5: Sample CPU Usage Graph

Viewing Graphs for Specified Time Periods from a Webpage

To display graphs for specified time periods from the Activity Monitor from a webpage:

http://ip-address/graph?&id=username&pw=password&name=graph-name&start=date-time&end=date-time

where

• ip-address—IP address of the C Series Controller

• username—Username used to log in to the C Series Controller

• password—Password used to log in to the C Series Controller

• graph-name—Name of graph to display in the format -, where is the name of the graph as specified in the C-Web interface in all lowercase letters with hyphens separating words

• date-time—Date and time that data was collected for display in a graph in the format yyyyMMddHHmm, where:

• yyyy—year

• MM—month

• dd—day

• HH—hour

• mm—minute

For example, to view the heap usage graph for the SAE component from January 15 to January 28 on the C Series Controller called c2000 for the user admin:

http://c2000/graph?&id=admin&pw=secret&name=sae-heap&start=200901150000&end=200901280000

The SAE Heap Usage graph appears.

Figure 6: Sample SAE Heap Usage Graph
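The GET forms in the two preceding sections carry the username and password in the URL, which is why the page recommends HTTPS and POST. The following Python sketch, an added example rather than Juniper code, builds the same graph request as an HTTPS POST with the credentials in the body and validates the time arguments first. It assumes the graph endpoint accepts the same parameter names form-encoded in a POST body, and it infers the time-period pattern from the page's example 10m and list of units.

```python
import re
from datetime import datetime
from urllib.parse import urlencode
from urllib.request import Request

_PERIOD = re.compile(r"[1-9][0-9]*[mhdwMy]")    # inferred from the example "10m"
_GRAPH = re.compile(r"[a-z0-9]+(-[a-z0-9]+)*")  # lowercase words joined by hyphens


def _stamp(value):
    """Validate a yyyyMMddHHmm timestamp and return it as a datetime."""
    if not re.fullmatch(r"[0-9]{12}", value):
        raise ValueError("date-time must be 12 digits (yyyyMMddHHmm): %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M")


def graph_request(host, user, password, name, period=None, start=None, end=None):
    """Build (not send) a POST to https://host/graph with credentials in the body."""
    if not _GRAPH.fullmatch(name):
        raise ValueError("bad graph name: %r" % name)
    fields = {"id": user, "pw": password, "name": name}
    if period is not None and start is None and end is None:
        if not _PERIOD.fullmatch(period):
            raise ValueError("bad time period: %r" % period)
        fields["time"] = period
    elif period is None and start is not None and end is not None:
        if _stamp(start) >= _stamp(end):
            raise ValueError("start must be earlier than end")
        fields.update(start=start, end=end)
    else:
        raise ValueError("give either period, or both start and end")
    # urlencode percent-encodes every value, so a password containing '&' or '='
    # cannot add or override a parameter.
    body = urlencode(fields).encode("ascii")
    return Request(
        "https://%s/graph" % host,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
```

Pass the returned object to urllib.request.urlopen to send it; the URL then contains only the host and path, so the credentials stay out of browser history and access logs.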

Related Documentation

• Collecting Data with the Activity Monitor (SRC CLI) on page 45

• Collecting Data with the Activity Monitor (C-Web Interface) on page 46

• Viewing Graphs (C-Web Interface) on page 47

• Monitoring Activity on C Series Controllers
