Sample Control API Applications

The Control API can perform almost any configuration task that can be accomplished using the Traffic Manager Administration UI. Its strength comes from how it can be driven by other management applications elsewhere in the network.

Blocking Traffic from an IP Address

An Intrusion Detection System (IDS) or a live log analysis tool might identify remote hosts which are sending undesired traffic – malicious requests, port scans, or simply excessive numbers of requests in an attempt to mount a denial-of-service attack.

The IDS may be located behind the Traffic Manager cluster, for example, if it needs to inspect SSL traffic that has been decrypted by the Traffic Manager. In this case, the IDS can use the Control API to update the Traffic Manager cluster to prevent it from accepting any more traffic from the suspected IP address.

The following Control API application modifies a named Service Protection policy, adding an IP address to the list of banned IP addresses. The Service Protection policy should be assigned to the appropriate Virtual Servers managing traffic in the cluster.

Perl Example

#!/usr/bin/perl -w

use SOAP::Lite 0.60;

# This is the URL of the Traffic Manager Admin Server
my $admin_server = 'https://username:password@host:9090';

# The protection policy to edit, and the IP address to ban
my $name = "My protection class";
my $badIP = "10.100.1.10";

my $conn = SOAP::Lite
    -> uri('http://soap.zeus.com/zxtm/1.0/Catalog/Protection/')
    -> proxy("$admin_server/soap")
    -> on_fault( sub {
        my( $conn, $res ) = @_;
        die ref $res ? $res->faultstring :
                       $conn->transport->status; } );

# One list of policy names, and one list of addresses per policy
$conn->addBannedAddresses( [ $name ], [ [ $badIP ] ] );

Notes

This code sample accesses the “/Catalog/Protection” URI to edit a Service Protection class. With a WSDL-based interface, you instead use the “Catalog.Protection.wsdl” interface.

The sample then uses the addBannedAddresses() function with a series of arrays as arguments:

1. A list of Service Protection policies.

2. A list of lists of banned IP addresses.

This means that the function can perform bulk updates, modifying several objects simultaneously.

This example also includes a basic on_fault handler, called if an error occurs. The handler reports a transport error if the SOAP application could not connect to the remote SOAP server. Otherwise, it reports a SOAP error.

For a more sophisticated example of a Perl fault handler, see Fault Handling with SOAP::Lite.
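The bulk form of addBannedAddresses() as an added example (not part of the original documentation): it turns a batch of IDS alerts into the two parallel arrays, dropping malformed, duplicate and allowlisted addresses before anything is banned. The alert format, the allowlist and the ZXTM_ADMIN_URL environment variable are assumptions, and only IPv4 literals are handled; without that variable the script prints what it would send.

```perl
use strict;
use warnings;

# Constructed sample alerts, "<policy name>\t<source address>" (assumed format).
my @alerts = (
    "My protection class\t10.100.1.10",
    "My protection class\t10.100.1.10",              # duplicate alert
    "My protection class\t10.100.0.1",               # listed in %never_ban
    "Second protection class\t10.100.1.77",
    "Second protection class\t10.100.1.999; junk",   # malformed
);

# Hypothetical allowlist: addresses an automated ban must never include.
my %never_ban = map { $_ => 1 } qw(10.100.0.1 10.100.0.2);

# True only for a dotted-quad IPv4 literal with every octet in 0..255.
sub is_ipv4 {
    my @octets = $_[0] =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or return 0;
    return !grep { $_ > 255 } @octets;
}

# Returns the two parallel array refs that addBannedAddresses() expects.
sub build_ban_args {
    my ($alerts, $never_ban) = @_;
    my (@names, %by_policy, %seen);
    for my $alert (@$alerts) {
        my ($policy, $ip) = split /\t/, $alert, 2;
        next unless defined $ip && is_ipv4($ip);
        next if $never_ban->{$ip} || $seen{$policy}{$ip}++;
        push @names, $policy unless $by_policy{$policy};
        push @{ $by_policy{$policy} }, $ip;
    }
    return (\@names, [ map { $by_policy{$_} } @names ]);
}

my ($names, $lists) = build_ban_args(\@alerts, \%never_ban);

if (my $admin_server = $ENV{ZXTM_ADMIN_URL}) {    # hypothetical variable
    require SOAP::Lite;
    my $conn = SOAP::Lite
        ->uri('http://soap.zeus.com/zxtm/1.0/Catalog/Protection/')
        ->proxy("$admin_server/soap")
        ->on_fault(sub { my ($c, $res) = @_;
            die ref $res ? $res->faultstring : $c->transport->status; });
    $conn->addBannedAddresses($names, $lists);   # one call, several policies
} else {
    print "$names->[$_]: @{ $lists->[$_] }\n" for 0 .. $#$names;   # dry run
}
```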

C# Example

using System;
using System.Net;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Accepts any server certificate so that a self-signed Admin Server
// certificate works. This turns off certificate validation for every
// HTTPS request made by this process.
public class AllowSelfSignedCerts : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint sp, X509Certificate cert,
        WebRequest request, int problem )
    { return true; }
}

public class addBannedAddress {

    public static void Main( string [] args )
    {
        System.Net.ServicePointManager.CertificatePolicy =
            new AllowSelfSignedCerts();

        string url = "https://host:9090/soap";
        string username = "username";
        string password = "password";

        // The protection policy to edit, and the IP address to ban
        string name = "My protection class";
        string badIP = "10.100.1.10";

        try {
            // Proxy class for the Catalog.Protection.wsdl interface
            CatalogProtection p = new CatalogProtection();
            p.Url = url;
            p.Credentials = new NetworkCredential(
                username, password );

            // One list of policy names, and one list of addresses per policy
            p.addBannedAddresses( new string[] { name },
                new string[][] { new string[]{ badIP } } );
        } catch ( Exception e ) {
            Console.WriteLine( "{0}", e );
        }
    }
}