Pulse Secure Virtual Traffic Manager: Software Installation and Getting Started Guide

Configuring the Traffic Manager Software

This chapter describes how to configure a newly installed Traffic Manager software instance. It assumes you have already performed the installation procedure described in Installing the Traffic Manager Software

This chapter also documents further configuration tasks such as reconfiguring, uninstalling, and upgrading the software.

Configuring the Traffic Manager Software

Before you can start the Traffic Manager and use the Web-based Admin UI, you must first run the configure script. The configure script handles the initial settings that must be in place before the software can start. These initial settings include creating passwords and choosing whether the Traffic Manager is a standalone instance or is included in aTraffic Manager cluster.

You can run the configure script at any time to change settings, or to restore your Traffic Manager to its unconfigured state.

You must rerun the configure script whenever the name of the host virtual machine changes.

You can also run the configure script as part of an unattended (automated) installation process. For more information, see Performing an Unattended Traffic Manager Software Installation.

To run the configure script

1.If you are installing the Traffic Manager, the zinstall script prompts you to complete the initial configuration.

Alternatively, you can complete the initial configuration directly by becoming the system superuser and typing the following at the command line:

$ZEUSHOME/zxtm/configure

To become the system superuser (also known as the "root" user), see your host operating system documentation.

2.If this is a first time configuration, or a reconfiguration following a factory reset, you must agree to the Ivanti Terms and Conditions of Sale to continue, available from the URL shown. Read the agreement fully, then type accept at the prompt to confirm you agree with its terms. The configuration process stops if you do not accept the license agreement.

3.Enter the full path and file name of your license key. If you do not have a license key, you can leave this entry blank. License keys can also be added to your Traffic Manager through the Admin UI at any time after the script has completed.

If you do not enter a license key, the Traffic Manager defaults to running as the Community Edition. For further information, see The Community Edition.

For information about paid licensing, contact Technical Support.

4.For new installations only, specify a UNIX user and group to run the Traffic Manager. Although the Traffic Manager must be configured and started as a root user, the Traffic Manager can be run as any user. Ivanti strongly recommends that you specify a user with no privileges, to avoid compromising the Traffic Manager’s system security.

The default user with no privileges is typically called “nobody” and the default group with no privileges is typically “nogroup” or “nobody”, depending on which version of Linux or UNIX you are using. If you have set up other users and groups on the Traffic Manager host machine, specify them here.

5.Decide whether or not to restrict the software’s internal management traffic to a single IP address. Management traffic includes access to the Traffic Manager Admin UI, external API access, and internal communications within a Traffic Manager cluster.

If you decide to restrict the software’s internal management traffic to a single IP address, you must specify the IP address. The Traffic Manager you are configuring accepts management traffic destined to this IP address only. Typically, this IP address would reside on a private or dedicated management network.

You should only choose to use a single IP address for the internal traffic management traffic if you have a dedicated, reliable management network. Each IP address is a single point of failure for an entire Traffic Manager cluster; all IP addresses must always be available.

To later modify the management IP address, either rerun the configure script or use the System > Traffic Managers page of the Admin UI. A software restart is required for this procedure.

6.If your DNS system cannot successfully resolve your hostname, you must use an IP address to identify the Traffic Manager to other cluster members. When prompted, enter Y to specify the IP address to use. If you have elected to restrict management traffic to a single IP address, this IP address is automatically selected. Entering N forces the software to use the unresolvable hostname, which could result in connectivity issues until the hostname is resolved.

7.Decide if you want the software to start automatically when the Traffic Manager restarts.

8.Specify a cluster for the Traffic Manager to join.

If this is the first Traffic Manager you are setting up, you are given the following choices:

Searching for Pulse Secure Virtual Traffic Manager clusters ... done

Which Pulse Secure Virtual Traffic Manager cluster should this installation be added to?

C) Create a new cluster

S) Specify another machine to contact

R) Refresh the cluster list

Select C to create a new cluster.

However, if you have already set up one or more other Traffic Managers, you are given the following additional choices:

C) Create a new cluster

1) Cluster 1: vtm1.mysite.com:9090

vtm2.mysite.com:9090

2) Cluster 2: vtm-test.mysite.com:9091

S) Specify another machine to contact

R) Refresh the cluster list

To provide front-end fault tolerance, your Traffic Managers must be in the same cluster. The new Traffic Manager automatically shares the configuration settings already chosen for the cluster.

9.If you are creating a new cluster, specify a password for the admin server. The admin server provides the Web-based Admin UI and handles communications with the core Traffic Manager software. The password specified is used for the admin user when accessing the Admin UI of your Traffic Manager.

10.If you choose to join an existing cluster, verify the identity of the other cluster members. The host:port and SHA-1 fingerprint of each instance are displayed as shown:

Select option [C] : 1

Joining the cluster containing the following admin servers:

Host:Port SHA-1 Fingerprint

vtm1.mysite.com:9090 72:BC:EE:A1:90:C6:1B:B6:6E:EB

vtm2.mysite.com:9090 E9:61:36:FE:0B:F5:0A:E4:77:96

Have you verified the admin server fingerprints, or do you trust the network between this machine and the other admin servers? Y/N [N]:

11.If the identities are accurate, type Y and specify the cluster administrator username and password. This is the user account used to access the Admin UI of each Traffic Manager in the cluster.

The Traffic Manager starts and the installer displays the following information:

** The SHA-1 fingerprint of the admin server's SSL certificate:

** 09:0F:B6:24:59:AE:CF:03:61:A2:DB:83:DB:DE:42:00:D8:2D:63:29

** Keep a record of this for security verification when connecting

** to the admin server with a web browser and when clustering other

** Pulse Secure Virtual Traffic Manager installations with this one.

** To configure the Pulse Secure Virtual Traffic Manager, connect to the admin server at:

** https://yourmachinename:port/

** and login as 'admin' with your admin password.

Note the URL shown, as you need it to administer the Traffic Manager software. Also notice that the protocol is HTTPS (secure HTTP).

You can rerun the configuration script at any time to change settings or to restore your Traffic Manager to it’s unconfigured state. For more information, see Reconfiguring or Uninstalling the Traffic Manager Software.