The following instructions are used to deploy the PCA into a Microsoft™ Azure cloud-based environment.
It is also recommended to verify that your virtual machines can communicate with each other. Contact your network administrator to make sure that all of the necessary network ports are open for the PCA software, packet forwarders, and packet listeners.
Common website installations in the cloud use a virtual load balancer to distribute web traffic to a dynamically provisioned web server tier that consists of multiple web server instances. Each web server instance requires a packet forwarder to be installed to forward the captured web traffic to a centralized PCA that is running on a virtual machine for processing.
The installation process consists of installing the packet forwarders to your web instances and installing the centralized PCA on your hosted virtual machine.
PCA requirements for a Microsoft Azure virtual machine
Before you install the PCA into a Microsoft Azure virtual machine, make sure that the virtual machine meets the hardware and software requirements for the PCA software. The hardware and software requirements are identified in a pre-installation checklist.
The following items are also required:
- Each server that hosts a web server instance, must have one CPU core that is dedicated to running the packet forwarder service. Minimum core speed is 2.0 GHz.
- If the web server application and packet forwarder instances are installed on Linux™ Red Hat, a minimum version of RHEL 6.4 is required.
- It is recommended to disable SELinux. If it is enabled, configure the firewall settings to allow communication on the ports that are used by the packet forwarders and packet listeners.
- If the web server instance is using a 64-bit version of Linux Red Hat, 32-bit versions of
zlibmust be deployed during the installation process.
- On the PCA server, each packet listener service requires four CPU cores. Each CPU core must be 2.0 GHz or higher and have 8 GB of dedicated memory.
- Configure your firewall settings to allow communication on port 1888. The communication ports incrementally increase by one for each additional packet forwarder that is deployed. If five packet forwarders are deployed, then ports 1888-1892 must be open. The ports are used by the packet forwarders to send information to the packet listeners, which process the data at the PCA.
Installing the packet forwarder
Note: The maximum number of web server instances must be known before the installation process. The number of web server instances is used in the configuration of the packet forwarder to determine the maximum number of active TCP connections that can connect to the destination PCA socket receiver.
Note: You must be logged in as a root user to perform all PCA-related installations. Performing an installation using another account may prevent the necessary permissions that are required to successfully install the software.
Use the installation rpm to install the packet forward on each web instance. The default installation directory is /usr/local/ctccap. You can use the
--prefix option when performing the installation command to install the software to another directory.
To install the software, run rpm -ivh --prefix=/opt/tealeaf tealeaf-pktfwdr-xxxx-1.SUSE11.i586.rpm where xxxx is the version number of the PCA software.
The packet forwarder requires an extra 32-bit library if you are installing the packet forwarder to a 64-bit version of Linux. To install all of the dependent libraries, run the following command:zypper install zlib-32bit-1.2.7-0.10.128
Run zypper clean -a to clear the local rpm cache.
The following files are used to configure and run the packet forwarder.
|/bin/pktfwdr||Packet forwarder daemon|
|/bin/ctcstats||Operational statistics and metrics|
|/etc/fwdr-conf.xml||Packet forwarder configuration file|
|/etc/fwdr-conf-defaults.xml||Default configuration file|
Configure the packet forwarder by editing the /etc/fwdr-conf.xml configuration file.
- Edit the
PrimaryInterfacetag to add the virtual NIC device name that the packet forwarder uses to capture the web server's traffic. In most installations, the NIC device name is
- Locate the
ListenTostag and add any additional ports that you want to capture traffic from to the configuration file. Port 80 and 443 are listed by default.
- Locate the
Deliverytag and edit the
Porttags with the IP address and port number of the virtual machine that is hosting the centralized PCA server.
Note: Each packet forwarder and listener pair uses one port. The default port number is 1888. When multiple pairs are used, the port address defines the first port number that is used to define a block of port numbers. For example, if you are capturing traffic from five web servers, then five packet forwarder and packet listener pairs are used to capture the traffic. In this scenario, ports 1888 - 1892 are used.
- Edit the
Addresstag to define the IP address or host name of the PCA. This the IP address of the virtual machine.
- Edit the
Porttag to define the port number for the network connection. Each packet forwarder requires a unique port number to identify a unique network connection to the centralized PCA VM instance. The port numbers must be assigned in sequential order. This is required by the PCA's socket receiver when configuring it for the packet forwarders' network connections. If you decide to start with port number 1888 for the first packet forwarder, then defining five of them would be ports 1888 - 1892 explicitly.
- Edit the
MaxRotatePeerstag to define the maximum number of web server instances that are dynamically provisioned. The default value is 1. If you are capturing traffic from five web servers, then set this value to 5.
Note: If you are statically assigning a fixed number of web server instances with associated packet forwarders, then the
MaxRotatePeerswould remain set to the default value of 1. Each packet forwarder would needs to be configured with a unique Port number to identify a unique network connection to the centralized PCA VM instance. The port numbers must be assigned in sequential order. This is required by the PCA's socket receiver when configuring it for the packet forwarders' network connections. If you decide to start with port number 1888 for the first packet forwarder, then defining five of them should be 1888 - 1892 explicitly.
- Save you changes to the /etc/fwdr-conf.xml file.
Installing a centralized PCA in a Microsoft Azure virtual machine
A centralized PCA is used to receive communication from the packet forwarders that are deployed to the web server instances in your cloud environment. Installing the PCA software to a virtual machine is similar to the installation process on a physical server. Use the following process to install the PCA software to a virtual machine.
- Install the PCA software to your virtual machine.
In the native Azure image for Suse 11 SP3 (64 bit), the following 32-bit dependent libraries are needed:
To install the 32-bit libraries, run zypper install zlib-32bit-1.2.7-0.10.128.
After the libraries are extracted to the disk, run zypper clean -a to clear the local rpm cache.
Note: You have already installed the packet forwarders to your web server instances.
- Log on to the PCA web console.
- Go to the Delivery tab and edit the delivery settings for your environment.
- Go to the Pipeline tab and edit the Pipeline Instances setting to configure the number of pipeline instances for your configuration.
- Select Save Changes to save your updated configuration settings.
Note: Do not restart the PCA server.
- Edit the PCA configuration file by opening /usr/local/ctccap/etc/ctc-conf.xml in a text editor.
- Go to the
Capturetag settings and edit the following settings.
Note: If the PCA server is configured to decrypt SSL traffic from the packet forwarders, set
- Go to the
Listenertag settings and edit the following settings.
BasePortto match the port number that is defined in the
ListenTossettings of the packet forward configuration file. The packet forwarder configuration file can be accessed by opening /etc/fwdr-conf.xml on a web server instance.
Instancesto equal the number of packet forwarders that the PCA connects to.
- Save your changes to /usr/local/ctccap/etc/ctc-conf.xml.
- Run tealeaf restart to restart the PCA services.
Starting the PCA server and packet forwarders
It is recommended to start the central PCA server before you start the packet forwarders. If the packet forwarders are started before the PCA server is running, they can experience network timeout conditions that and cause a delay in the time it takes to connect with the PCA server.
To start the PCA server, run /usr/local/bin/tealeaf start all from the virtual machine that is hosting the PCA server.
To start a packet forwarder instance, run service pktfwdr start from each web server instance.
To stop a packet forwarder, run service pktfwdr stop from each web server instance.
To check the operational status of a packet forwarder, run service pktfwdr status from each web server instance.
To view the available metrics of a packet forwarder, run /opt/tealeaf/bin/ctcstats -p from each web server instance.
To test that a packet forwarder is connecting to the PCA server, use the netstat utility. If the port connection is configured for port 1888, run netstat -an|grep 1888. The output returns a status of
ESTABLISHED if the packet forwarder is connected to the PCA server. If a connection is not established, the firewall rules for your network might not be configured to allow communication between the packet forwarders and the PCA server. Check your network configuration settings for the packet forwarders and your PCA server, then make sure that your firewall settings allow communication on those network settings.