Configuring the Traffic Manager Software
Before you can start the Traffic Manager and use the Web-based Admin UI, you must first run the configure script. The configure script handles the initial settings that must be in place before the software can start. These initial settings include creating passwords and choosing whether the Traffic Manager is a standalone instance or is included in a Traffic Manager cluster.
You can run the configure script at any time to change settings, or to restore your Traffic Manager to its unconfigured state.
You must rerun the configure script whenever the name of the host virtual machine changes.
You can also run the configure script as part of an unattended (automated) installation process. For more information, see Performing an Unattended Traffic Manager Software Installation.
To run the configure script
1. If you are installing the Traffic Manager software, the zinstall script prompts you to complete the initial configuration.
Alternatively, you can complete the initial configuration directly by becoming the system superuser and typing the following at the command line:
$ZEUSHOME/zxtm/configure --<variant>
<variant> must be either ec2 or gce depending on your deployment type.
To become the system superuser (also known as the "root" user), see your host operating system documentation.
2. The license agreement displays. Please read the entire agreement and type accept at the prompt to confirm you agree with its terms. The configuration process stops if you do not accept the license agreement.
3. To register this Traffic Manager to use remote licensing as part of a Pulse Secure Services Director deployment, type “Y” and follow the instructions contained in your Services Director documentation.
To use remote licensing, make sure you are using Pulse Secure Services Director version 2.4 or later.
Type “N” to license this Traffic Manager directly.
4. Enter the full path and file name of your license key. If you do not have a license key, you can leave this entry blank. License keys can also be added to your Traffic Manager through the Admin UI at any time after the script has completed.
If you do not enter a license key, the Traffic Manager defaults to running as the Community Edition. For further information, see The Community Edition.
For information about paid licensing, contact Pulse Secure Technical Support.
5. For new installations only, specify a UNIX user and group to run the Traffic Manager. Although the Traffic Manager must be configured and started as a root user, the Traffic Manager can be run as any user. Ivanti strongly recommends that you specify a user with no privileges, to avoid compromising the Traffic Manager’s system security.
The default user with no privileges is usually called nobody and the default group with no privileges is usually called nogroup or nobody, depending on which version of Linux or UNIX you are using. If you have set up other users and groups on the Traffic Manager host machine you can specify them here.
6. Decide whether or not to restrict the software’s internal management traffic to a single IP address. Management traffic includes access to the Traffic Manager Admin UI, external API access, and internal communications within a Traffic Manager cluster.
If you decide to restrict the software’s internal management traffic to a single IP address, you must specify the IP address. The Traffic Manager you are configuring accepts management traffic destined to this IP address only. Typically, this IP address would reside on a private or dedicated management network.
(For EC2 deployments only) If you restrict management traffic on a Traffic Manager instance inside AWS, administrative access to the Traffic Manager is restricted to clients in the same network or VPC.
You should only choose to use a single IP address for the internal management traffic if you have a dedicated, reliable management network. Each IP address is a single point of failure for an entire Traffic Manager cluster; all IP addresses must always be available.
If you intend to use a single IP address for the internal management traffic, and are running on a Linux machine, Ivanti strongly recommends using the Linux kernel 2.6.12 or later. Earlier 2.6 Linux kernels cannot reliably restrict multicast or heartbeat messages to a single network card.
7. If your DNS system cannot successfully resolve your hostname, you must use an IP address to identify the Traffic Manager to other cluster members. When prompted, enter Y to specify the IP address to use. If you have elected to restrict management traffic to a single IP address, this IP address is automatically selected. Entering N forces the software to use the unresolvable hostname, which could result in connectivity issues until the hostname is resolved.
8. Decide if you want the software to start automatically when the Traffic Manager appliance restarts.
Specify a cluster for the Traffic Manager to join, or create a new cluster with this Traffic Manager as the first member. Select one of the following choices:
Which Pulse Secure Virtual Traffic Manager cluster should this installation be added to?
C) Create a new cluster
S) Specify another machine to contact
Select C to create a new cluster.
When you join an existing cluster, your Traffic Manager automatically receives the configuration settings used by the cluster. Changes that you subsequently make to this Traffic Manager are replicated out to the other cluster members.
To provide front-end fault tolerance, your Traffic Managers must be in the same cluster.
9. If you are creating a new cluster, specify a password for the admin server. The admin server provides the web-based Admin UI and handles communications with the core Traffic Manager software. The password specified is used for the admin user when accessing the Admin UI of your Traffic Manager.
If you choose to join an existing cluster, specify the cluster to join and verify the identity of the other cluster members. The host:port and SHA-1 fingerprint of each instance are displayed as shown:
Joining the cluster containing the following admin servers:
Host:Port SHA-1 Fingerprint
vtm1.mysite.com:9090 72:BC:EE:A1:90:C6:1B:B6:6E:EB 6:3E:4E:22:D8:B6:83:04:F9:57
vtm2.mysite.com:9090 E9:61:36:FE:0B:F5:0A:E4:77:96 3:D8:35:8F:54:5F:E3:2C:71:ED
Have you verified the admin server fingerprints, or do you trust the network between this machine and the other admin servers? Y/N [N]:
10. If the identities are accurate, type Y and specify the Cluster Administrator username and password. This is the user account used to access the Admin UI of each Traffic Manager in the cluster.
The Traffic Manager software starts and displays the following information:
**
** The SHA-1 fingerprint of the admin server's SSL certificate:
** 09:0F:B6:24:59:AE:CF:03:61:A2:DB:83:DB:DE:42:00:D8:2D:63:29
** Keep a record of this for security verification when connecting
** to the admin server with a web browser and when clustering other
** Pulse Secure Virtual Traffic Manager installations with this one.
**
** To configure the Pulse Secure Virtual Traffic Manager, connect to the admin server at:
** https://yourmachinename:port/
** and login as 'admin' with your admin password.
**
Note the URL shown, as you need it to administer the Traffic Manager software. Also notice that the protocol is HTTPS (secure HTTP).
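The fingerprint check in steps 9 and 10, as an added example that is not part of the product or its documentation: it parses the join prompt, compares each displayed SHA-1 fingerprint with the one you recorded when that instance was first configured, and treats a truncated fingerprint as a failure rather than a match. The host names, certificate bytes and function names are constructed for illustration.

```python
import hashlib
import re
import ssl

FP_RE = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")  # exactly 20 bytes

def normalize(fp):
    """Upper-case the fingerprint and drop whitespace; None if not a full SHA-1."""
    fp = "".join(fp.split()).upper()
    return fp if FP_RE.match(fp) else None

def fingerprint_of(der):
    """SHA-1 fingerprint of a DER certificate, in the colon-separated display form."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

def fetch_fingerprint(host, port):
    """Live check (needs network). No CA validation: the recorded value is the anchor."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_of(ssl.PEM_cert_to_DER_cert(pem))

def parse_join_prompt(text):
    """Map host:port -> fingerprint text from the rows of the join prompt."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.match(r"^[\w.-]+:\d+$", parts[0]):
            rows[parts[0]] = parts[1]
    return rows

def check_cluster(prompt_text, recorded):
    """Classify each listed member; answer Y only if every verdict is 'match'.
    A garbled value is 'malformed'; a member with no usable record is 'no-record'."""
    results = {}
    for member, shown in parse_join_prompt(prompt_text).items():
        shown_fp, known_fp = normalize(shown), normalize(recorded.get(member, ""))
        results[member] = ("malformed" if shown_fp is None else
                           "no-record" if known_fp is None else
                           "match" if shown_fp == known_fp else "MISMATCH")
    return results

# Constructed sample data: hosts and certificate bytes are made up.
FP_A, FP_B = (fingerprint_of(b) for b in (b"constructed-cert-1", b"constructed-cert-2"))
SAMPLE_PROMPT = ("Host:Port SHA-1 Fingerprint\n"
                 f"vtm1.test:9090 {FP_A}\n"
                 f"vtm2.test:9090 {FP_B}\n"
                 "vtm3.test:9090 72:BC:EE:A1:90\n")
RECORDED = {"vtm1.test:9090": FP_A.lower(), "vtm2.test:9090": FP_A}

if __name__ == "__main__":
    print(check_cluster(SAMPLE_PROMPT, RECORDED))
```

To obtain the value to record or compare from a running admin server, call fetch_fingerprint with its host and port.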
You can rerun the configuration script at any time to change settings or to restore your Traffic Manager to its unconfigured state. For more information, see Reconfiguring or Uninstalling the Traffic Manager Software.