The Challenge
Increasing dependence on
the Internet to deliver important information resources requires server
infrastructures that can reliably support a burgeoning volume of traffic
and an ever-increasing number of client connections. For many network environments,
reliance on a single server results in poor response times, or even connection
timeouts. Unreliable connectivity with potential or existing customers
can mean decreased revenues and lost business opportunities.
The Solution
Check Point FireWall-1 version
3.0 includes the ConnectControl module which incorporates advanced traffic
control functionality to ensure the highest degree of network connectivity
and optimal server response times. With ConnectControl, a single server
providing Web, or any other service, can be replaced with a logical pool
of servers sharing a common IP address. Connection requests are balanced
among multiple servers.

Network users experience
noticeably improved response times and are unaware of any ConnectControl
intervention. At the same time, corporations are relieved of the need to
continually upgrade to more expensive servers in order to meet the increasing
demand for service. Instead, existing hardware can be fully utilized to
deliver a completely scalable traffic management solution.
Flexible Server Load Balancing
ConnectControl supports more
than 120 pre-defined applications and an unlimited number of gateway interfaces.
Each connection request is directed to a specific server based on one of
ConnectControl’s five pre-defined load balancing algorithms.

Server Load
The server load algorithm
prevents any server from handling a disproportionate volume of traffic.
Each incoming connection request is directed to the server experiencing
the lightest load.
A load measuring agent is
installed on each server and automatically reports the current system load
to the ConnectControl module. This system information is used to direct
incoming connections to the server with the lightest load. Server load
is measured at user-defined intervals for maximum flexibility. There is
no additional latency or system overhead introduced by the ConnectControl
load measuring agent.
ConnectControl also includes
a load measuring application programming interface (API) for organizations
wishing to write their own agents. The load measuring API uses the UDP
transport protocol and supports communication between the load measuring
agent and the ConnectControl module.
Domain Name
Because users do not all
typically reside in a single Internet domain, ConnectControl allows organizations
to disperse their servers throughout their enterprise network and utilize
load balancing to optimize response times. This algorithm automatically
directs connection requests to the closest server based on domain name.
Round Trip Delay
The round trip delay algorithm
directs connection requests to the server with the shortest round trip
delay. PING commands are used to determine the round trip delay between
the server and ConnectControl. The round trip delay algorithm ensures that
incoming requests are handled by the server with the fastest response time.
Round Robin
The round robin algorithm
assumes that all servers are equally capable of servicing connection requests
regardless of location or server loading. Requests are directed to servers
in sequential order (i.e. round robin fashion). ConnectControl continuously
checks the availability of each server. If a server fails, or is unreachable,
ConnectControl will cease directing connections to that server until it
is available.
Random
When all other network variables
are deemed equal, ConnectControl will direct connection requests to servers
on a random basis.
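An added sketch, not Check Point code, of how four of the selection algorithms described above choose a server. The server names, load figures and delay values are constructed, and applying the availability check to every algorithm (the page states it for round robin) is an assumption.

```python
import random
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    load: float      # last value reported by the load measuring agent (constructed)
    rtt_ms: float    # last measured round trip delay in ms (constructed)
    up: bool = True  # result of the most recent availability check

class Pool:
    """Logical server pool behind one address (hypothetical model)."""
    def __init__(self, servers, seed=None):
        self.servers = list(servers)
        self._next = 0                      # round robin cursor
        self._rng = random.Random(seed)

    def _available(self):
        live = [s for s in self.servers if s.up]
        if not live:                        # refuse rather than pick a dead server
            raise RuntimeError("no server in the pool is available")
        return live

    def server_load(self):                  # lightest reported load wins
        return min(self._available(), key=lambda s: s.load)

    def round_trip(self):                   # shortest measured delay wins
        return min(self._available(), key=lambda s: s.rtt_ms)

    def round_robin(self):                  # sequential order, skipping failed servers
        self._available()
        while True:
            s = self.servers[self._next % len(self.servers)]
            self._next += 1
            if s.up:
                return s

    def pick_random(self):
        return self._rng.choice(self._available())

def demo():
    pool = Pool([Server("web1", 0.70, 12.0), Server("web2", 0.20, 30.0),
                 Server("web3", 0.45, 5.0)])
    before = {"rr": [pool.round_robin().name for _ in range(4)],
              "load": pool.server_load().name, "rtt": pool.round_trip().name}
    pool.servers[1].up = False              # web2 fails its availability check
    after = {"rr": [pool.round_robin().name for _ in range(4)],
             "load": pool.server_load().name, "rtt": pool.round_trip().name}
    return before, after

if __name__ == "__main__":
    print(demo())
```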
Maintaining HTTP Client/Server Sessions
ConnectControl provides a
redirection mechanism ensuring that all connections comprising an HTTP
session are directed to a single server. This is vital for many Web applications,
such as those using HTTP-based forms, which require that a single server
process all user data.
The HTTP redirection mechanism
works in conjunction with ConnectControl’s load balancing algorithms. The
initial HTTP connection is directed to the proper web server based on the
chosen algorithm. ConnectControl then notifies the client that subsequent
connections should be directed to the IP address of the selected server
rather than the IP address of the logical server pool. The remainder of
the session is conducted without ConnectControl intervention. All operations
are transparent to end users.
The redirection mechanism
maintains server connectivity to efficiently balance incoming Web requests
without service interruption or loss of information.
ConnectControl addresses
the need to deliver optimal server response times with existing hardware.
Organizations can provide complete network connectivity while maintaining
the integrity of their enterprise security policy.
Product Features
- Load balance incoming traffic among multiple servers using flexible, pre-defined algorithms
- Scale server infrastructures to meet increasing traffic demands
- Maintain consistent HTTP sessions with intelligent traffic redirection
- Support more than 120 Internet services and applications
Product Benefits
- Improve server response times for network users
- Leverage existing hardware investments to enhance server infrastructures
- Optimize connectivity with geographically dispersed network resources
- Integrate traffic load balancing with enterprise-wide security policies
Specifications
ConnectControl is a Check
Point VPN-1/FireWall-1 module. The ConnectControl module operates on the
VPN-1/FireWall-1 Management Server and Enforcement Point and does not have
any additional memory or processing requirements beyond those required
to support the Management Server or Enforcement Point.
ConnectControl is available
for the following systems and platforms.
| Operating systems | Microsoft Windows NT 4.0 (SP3 & SP4); Sun Solaris 2.6, Solaris 7 (32 bit mode only); HP-UX 10.20, 11.0 (32 bit mode only); IBM AIX 4.2.1, 4.3.2 |
| Hardware Platforms | Check Point VPN-1 Appliances 330, 440, 650 (Note: Not available on VPN-1 Appliance RL series); ODS SecurCom 8000 family; ARN, ASN, BN and System 5000 routers |