Creating and Managing ADC Service Templates

 

You can configure the adaptive delivery controller (ADC) software within your router to balance user session traffic among a group of available servers that provide shared services. The ADC software uses Junos OS firewall filters, Junos OS routing instances of type forwarding-instance, and Junos OS logical interfaces and interface address families (units and addresses) defined on the Multiservices-DPCs running the ADC software.

You can perform the following tasks with the Service Designer page for ADC:

  • Create an ADC service template with attributes and settings for load balancing operations.

  • Modify an existing ADC template to meet the network needs and deployment scenarios.

  • Delete an existing template.

Creating an ADC Service Template

To configure a new ADC service template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed. You need not click this button if you are launching the Service Designer page for the first time or are navigating to this page from another mode or a different page. You need to click this button only if you are viewing the other service templates, such as CGNAT or TLB.

    The Service Designer page displays a bar graph in the top pane of the page. The total number of service templates of each type is displayed on the vertical axis and the service type is shown on the horizontal axis. A color-coding format is used to represent the bars on the graph. Published service templates are shown in olive green color and unpublished service templates are shown in blue color. Mouse over each bar in the chart to highlight and display the number of templates published or unpublished for each type of service.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.

    Figure 1: Create ADC Service Template Window
  6. In the Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the ADC Instance Name field, enter a name for the service instance (limit of 63 alphanumeric characters without spaces). Each service instance that you define can be applied to a single SDG or multiple SDGs.
  8. (Optional) Alternatively, instead of creating a new template entirely, click the Import button to clone an existing template by importing it. You can import the parameters defined for a previous ADC service instance and customize only the settings that are necessary.

    Imported templates are created without any device assigned to them. To use these templates, you must associate a device with the policy.

    The Import Services dialog box is displayed. See Importing an ADC Service Template for step-wise details on importing an ADC service template.

  9. The Create an ADC Planning Template window displays the individual elements or components of the service with a graphical icon for each of the service elements and the corresponding names in separate boxes. You can add, edit, or delete these service elements in a template.

    The Property View tab and the Config View tab are displayed on the right pane of the template window. The Property View tab provides a tree-based structure of the parameters defined in a service template. You can expand the tree and view details of each component. A key value pair representation is shown. Each of the components can be treated as categories of the service template shown in the property view.

    The Config View tab displays the elements or components specified for a service template in the form of configuration stanzas and hierarchy levels. This display is similar to the show command that you can use at a certain [edit] hierarchy level to view the defined settings. Each level in the hierarchy is indented to indicate each statement's relative position in the hierarchy. Each level is generally set off with braces, with an open brace ({) at the beginning of each hierarchy level and a closing brace (}) at the end. If the statement at a hierarchy level is empty, the braces are not displayed. Each leaf statement ends with a semicolon (;), as does the last statement in the hierarchy.

    1. Click the green tick mark (✓) displayed at the top-right corner of each of the service element boxes to create a new element. If the green tick mark is not shown, it indicates that the user role does not have the permission to create an element.

    2. Click the red cross mark (x) displayed at the top-right corner of the icons of each element if you want to delete the existing configuration. A user with the designer role has permissions to remove or edit elements.

    3. If the red cross mark is not displayed beside a particular icon, it signifies that the element cannot be deleted.

    4. The diamond icon that contains an orange tick mark within it at the top-right corner of the service component name denotes that the particular element can be modified. The absence of this icon denotes that the user does not have permissions to modify the attributes of the service component.

    5. Double-click each icon pertaining to a service element to view or edit its settings. If you do not possess the permission to modify the element, a view-only dialog box with the attributes of the selected element is shown. Otherwise, an editable dialog box enables you to modify the settings.

    6. Click the Maximize icon displayed at the top-right corner of the rectangle or box that shows all of the values or entities of a particular component of a service template. The specified component or attribute is displayed as a separate dialog box, listing all of the values of the particular component. You can add, modify, or delete the listed values.

    7. While creating the new service template, the designer can add or modify service parameter values and also restrict the operator's access level for each service parameter. To set the access level for a service parameter in the planning template, click the new icon (cascading files icon) displayed at the top-left corner of each of the element boxes to open the shortcut menu. You can click one of the following radio buttons:

      • Read-only (the configuration parameter is read-only for the operator as part of provisioning)

      • Editable (the configuration parameter is editable as part of provisioning)

      • Device-Specific (the configuration parameter value needs to be entered by the operator for each device during deployment)

    8. In the ADC Configuration Parameters box, do the following:

      • Select the Failed Server Loyalty check box to enable failed server protection. If any server in a server group fails, the remaining servers continue to provide access to vital applications and data. The failed server can be brought back up without interrupting access to services.

      • Select the Clear on Tcp Reset check box to clear the adaptive load-balancing mechanism when a Reset flag is received in a TCP packet.

    9. Click Save to save the service template configuration. Else, click Close to discard the changes to the template.

    10. Click Save & Publish to save and publish the service template configuration. The designer must publish the service templates so that the operator can use them in the creation of deployment plans. After a filter or policy is published, it goes for peer review and approval. After approval, the filter or policy is deployed to the device.

Importing an ADC Service Template

To create a clone of an existing ADC template by importing it:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates. The Manage Service Templates page is displayed.
  4. Click the ADC button. The list of ADC service templates is displayed. You need not click this button if you are launching the Service Designer page for the first time or are navigating to this page from another mode or a different page. You need to click this button only if you are viewing the other service templates, such as CGNAT or TLB.
  5. Click the Add icon. The Create an ADC Planning Template window appears.
  6. Enter the name of the template and the service instance in the respective fields.
  7. Click the Import button. The Import Services dialog box appears.

    You can import the service templates assigned to SDGs or choose from a list of all of the predefined templates in the database. Also, you can either import all of the components of a service or specific components.

  8. Perform one of the following for the Import section:
    • Select the From Existing Service Gateway radio button if you want to import the CGNAT rule from SDGs that are present in the Edge Services Director database.

    • Select the From XML radio button if you want to import the CGNAT rule from an XML configuration file on an external system.

  9. If you selected the option to import the object from SDGs, do the following:
    • Click the Normal View tab to view the list of SDGs. You can search for specific SDGs by entering a search item and clicking the Search icon.

      Alternatively, click the Group View tab to view the list of SDG groups. You can search for specific SDG groups by entering a search item and clicking the Search icon.

    • Click the plus sign (+) next to the All Service Gateways item to expand the tree structure that displays the list of SDGs or SDG groups. If the SDG pair is configured, you can select one of the devices, master or standby, from which you want to import the object.

      Alternatively, if you selected the Group View tab, you can select an SDG from the groups displayed from which you want to import the object.

    • Click Import. The object is added to the database and can be used during configuration of services or policies.

  10. If you selected the option to import from an XML file, do the following:
    • Click Browse beside the File Name field to navigate to the path where an XML file is available to be imported.

    • Click Upload. The service template is added to the database and can be used during configuration of services or policies.

  11. Do one of the following to import all components of a selected template or only a particular component of a template. For the components that are not imported, you need to specify the definitions of the components afresh.
    • Select the check boxes next to all of the service instances that are displayed for the selected SDG or SDG group, or for the XML file that you uploaded. In such a case, all of the elements or parameters of the selected template or instance are imported.

    • Alternatively, select the check box next to a particular service instance or group of service instances to import only a specific component of the selected template.

      For example, if the service instance you are importing contains Routing Interface Details from the list of individual service components being retrieved to the service template you are creating, you can import the client-facing and server-facing interface and routing instances. The interface and routing instance where client packets are received from the list of all the items that belong to the devices in the inventory form the client-facing set. The interface and routing instance through which packets traverse to servers from the list of all the items that belong to the devices in the inventory form the server-facing set.

      Note

      Client-facing interfaces—The device interfaces where client traffic is received. Traffic arriving on these interfaces is handled by the ADC software and destined to be routed to the virtual IP addresses and filter destination addresses configured in the instance. At least one client-facing interface must be specified for each adc-instance. A client-facing interface can be shared between instances.

      Server-facing interfaces—The device interfaces where servers are connected, usually through switches or routers. Traffic to the servers is routed to these interfaces. At least one server-facing interface must be specified for each load-balancing instance; a server-facing interface can be shared between instances. The same device interface can be used as a client-facing interface in one (or more) adc-instances, and as a server-facing interface in other instances.

  12. Similarly, you can select other components and import them to the template. Save the imported components to add them to the template you are creating by using the imported template as a base.

Creating a Deployment Plan

You must have previously defined service templates and policy or filter templates before you can create a deployment plan.

To create a deployment plan and assign devices to it:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Edit. The Manage Service Templates page is displayed.
  4. Click the ADC button. The list of ADC service templates is displayed. You need not click this button if you are launching the Service Designer page for the first time or are navigating to this page from another mode or a different page. You need to click this button only if you are viewing the other service templates, such as CGNAT or TLB.
  5. Select the check boxes next to the SDGs or SDG groups that you want to assign to the plan. Based on your selection of a service or a policy template, the components or attributes are shown for the corresponding device.
  6. From the boxes that show the components of a service template, you can edit, delete, or add elements to it. If you do not have permissions to update a template, the corresponding icons are not shown.
  7. Click the down arrow in the Actions menu and select Send for Deployment to create a deployment plan for the particular service template and save the plan.
    • If you create a deployment plan from Gateway view of Deploy mode, the Deployment Plan Summary dialog box appears, with the service name, type, and status listed.

      Click Send to create a deployment plan.

    • If you create a deployment plan from Service view of Deploy mode, the Edit Service Instance page is displayed. You can modify the SDGs associated with the service instance and also modify the service instance attributes as necessary by either clicking the buttons corresponding to the various settings at the top of the wizard page to directly traverse to the page you want to modify or clicking the navigation buttons at the bottom of the wizard page to go to the different pages of the wizard. Click Finish to create a deployment plan.

    A deployment plan is created for the service template with the devices that are assigned to it, and it appears when you view the Deployment Plans page.

  8. Alternatively, you can select Discard changes from the Actions menu to ignore the modifications done to a policy or filter template.
  9. From the Deployment plans page, you can select Reject or Approve from the Actions drop-down list to reject or approve the deployment plan and make it available for commissioning to the devices.

Creating a Real Server

To create a real server as a component for the ADC template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates. The Manage Service Templates page is displayed.
  4. Click the ADC button. The list of ADC service templates is displayed.
  5. Click the Add icon. The Create an ADC Planning Template window appears.
  6. Enter the name of the template and the service instance in the respective fields.
  7. Click the green plus sign in the Real Servers box. The Addition of Real Server dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  8. In the Name field, enter the name to identify the real server. Make sure the servers are connected via a router interface that is defined as a server-facing interface for the adc-instance. For each real server, you must assign a real-server name and specify its actual IP address.
  9. In the Address Family field, select IPv4 to specify an IPv4 address, or select IPv6 to enter the IPv6 address of the real server.
  10. In the IP Address field, specify the IP address of the real server.
  11. In the Health check section, select the check box and specify the following:
    • In the Interval field, specify the amount of time, in seconds, between polls of the real server by the router.

      Note

      The ADC software monitors the servers in the real-server group and the load-balanced applications running on them. If a router detects that a server or application has failed, it does not direct any new connection requests to that server. When a service fails, the ADC software can remove the individual service from the load-balancing algorithm without affecting other services provided by that server. By default, the router checks the status of each service on each real server every five (5) seconds. Sometimes, the real server can be too busy processing connections to respond to health checks. If a service does not respond to four consecutive health checks, the router, by default, declares the service unavailable. You can modify both the health check interval and the number of retries.

    • In the Failure-retries field, specify the number of times the router attempts its check on the real server before marking the server as unavailable. In the Recovery-retries field, specify the number of times the router attempts to recover the real-server connection.

    • In the Recovery Retries field, set the number of recovery retries to attempt to determine server recovery. The range is from 1 through 63.

  12. In the Listing Ports section, click the plus sign to add as many ports as needed for the real server. Enter the port number in the Port field. For example, you might require ports for the common application ports and the applications that use them, such as 8080 for HTTP and 443 for HTTPS.
  13. In the Content String section, click the plus sign to add as many content strings as needed for the real server. Enter the string for matching traffic to be sent to the real server in the String field. ADC software supports two content-string methods (URL hashing and URL pattern matching) and all Layer 4 load-balancing methods. If you do not add a defined string (or add the defined string any), the server handles any request. Content string handling applies to the DNS, RTSP, HTTP services, and to filters.

    You can assign one or more content strings to each real server. When more than one URL string is assigned to a real server, requests matching any string are redirected to that real server. There is also a special string known as "any" that matches all content.

  14. Click Save to save the service template configuration. Else, click Close to discard the changes to the template.
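
The health-check interval and retry settings above decide how quickly a failing service is taken out of rotation and how quickly it returns. The following Python model is an added example, not Juniper code: it tracks each service (server and port) separately and uses the defaults stated in the note (5-second interval, four consecutive missed checks). The recovery-retries value of 2, the sample probe results, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_INTERVAL_S = 5        # from the page: each service is polled every 5 seconds
DEFAULT_FAILURE_RETRIES = 4   # from the page: four consecutive misses -> unavailable
ASSUMED_RECOVERY_RETRIES = 2  # assumption: the page gives only the range 1 through 63


@dataclass
class ServiceState:
    up: bool = True
    misses: int = 0    # consecutive failed checks while the service is up
    replies: int = 0   # consecutive successful checks while the service is down


class HealthTracker:
    """Hypothetical model of per-service health state; not the ADC implementation."""

    def __init__(self, interval_s=DEFAULT_INTERVAL_S,
                 failure_retries=DEFAULT_FAILURE_RETRIES,
                 recovery_retries=ASSUMED_RECOVERY_RETRIES):
        if interval_s <= 0 or failure_retries < 1:
            raise ValueError("interval and failure retries must be positive")
        if not 1 <= recovery_retries <= 63:
            raise ValueError("recovery retries must be in the range 1 through 63")
        self.interval_s = interval_s
        self.failure_retries = failure_retries
        self.recovery_retries = recovery_retries
        self.services = {}  # (server, port) -> ServiceState

    def record(self, server, port, ok):
        """Feed one health-check result; return 'down' or 'up' on a state change."""
        st = self.services.setdefault((server, port), ServiceState())
        if ok:
            st.misses = 0  # a single reply resets the failure count
            if not st.up:
                st.replies += 1
                if st.replies >= self.recovery_retries:
                    st.up, st.replies = True, 0
                    return "up"
        else:
            st.replies = 0  # a single miss resets the recovery count
            if st.up:
                st.misses += 1
                if st.misses >= self.failure_retries:
                    st.up, st.misses = False, 0
                    return "down"
        return None

    def eligible(self, server, port):
        """True if new connections may still be sent to this service."""
        st = self.services.get((server, port))
        return True if st is None else st.up

    def detection_time_s(self):
        """Worst-case seconds between a hard failure and removal from rotation."""
        return self.interval_s * self.failure_retries


def replay(tracker, probes):
    """Run (server, port, ok) results through the tracker; list state changes."""
    events = []
    for index, (server, port, ok) in enumerate(probes):
        change = tracker.record(server, port, ok)
        if change:
            events.append((index, server, port, change))
    return events


# Constructed sample: a busy server misses three checks, answers once, then
# fails outright on port 8080 while port 443 on the same server keeps answering.
SAMPLE_PROBES = [
    ("rs1", 8080, False), ("rs1", 8080, False), ("rs1", 8080, False),
    ("rs1", 8080, True),
    ("rs1", 8080, False), ("rs1", 8080, False), ("rs1", 8080, False),
    ("rs1", 8080, False),
    ("rs1", 443, True),
    ("rs1", 8080, True), ("rs1", 8080, True),
]

if __name__ == "__main__":
    t = HealthTracker()
    for event in replay(t, SAMPLE_PROBES):
        print(event)
    print("worst-case detection time:", t.detection_time_s(), "s")
```

With the defaults, a service that stops answering keeps receiving new connections for up to 20 seconds; lowering the interval or the failure retries shortens that window at the cost of marking busy servers unavailable more readily.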

Creating a Group for Real Servers

Define the group and assign real servers to it. The real servers in any given group must have an IP address accessible to the module that performs the SLB functions. This IP routing is most easily accomplished by placing the servers on a network local to the router. Routing to the server can be used as long as it does not violate the topology rules outlined.

A group is a collection of multiple servers with the same content, so that client requests can be load-balanced between them.

To create a group of real servers:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Server Groups box. The Addition of Group dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. In the Name field, enter the name for the real servers group.
  10. In the Group Unit field, specify the unit on a group. In general, the unit is used when the traffic is going out from the ADC software to the server. To support virtual routers on the server side, each server is assigned a unit. When the traffic is going out from the ADC software to this server, the traffic goes out from the matching Multiservices-DPC NPU IFL (ms-x/y/z.#, where # is the unit). This allows you to attach the relevant IFL to a virtual router and attach the server to this virtual router. If the unit is not configured on the server, the unit is taken from the group configuration. If the unit is not configured in the group, the unit is taken from the adc-instance configuration. If no unit is configured, the ADC software uses the default unit (unit 0).

    For example, if you specify the unit as 40, it sets all servers inside this group to use unit 40, unless a unit is configured on a specific server inside the group.

  11. From the Load Balance Method list, select the method of load balancing for the real servers group. Load-balancing methods are used for selecting which real-server in a group receives the next client connection. The available metrics include hash, least connections, round-robin, response (response time), and bandwidth.
  12. In the Real Servers section, assign the real servers to be part of the group. Select the real servers from the Available column and click the right arrow to move the server to the Selected column.
  13. In the Health Check section, do one of the following:

    The ADC software monitors the servers in the real-server group and the load-balanced applications running on them. If a router detects that a server or application has failed, it does not direct any new connection requests to that server. When a service fails, the ADC software can remove the individual service from the load-balancing algorithm without affecting other services provided by that server. By default, the router checks the status of each service on each real server every five (5) seconds. Sometimes, the real server can be too busy processing connections to respond to health checks. If a service does not respond to four consecutive health checks, the router, by default, declares the service unavailable. You can modify both the health check interval and the number of retries.

    • Select the DNS radio button to configure DNS health checking. Enter the hostname for which health verification needs to be performed.

    • Select the HTTP radio button to configure HTTP-based health check. HTTP-based health checks can include the hostname for Host headers. The Host header and health check URL are constructed from the Virtual server hostname, domain name, and the server group health check field. Enter the URL for which health check is needed and the HTTP header method, such as GET, PUT, POST, DELETE, and PATCH. Select the Use Head Method option, which causes the HTTP Head method to retrieve HTTP headers only.

    • Select the PING radio button to configure ping-based health checking. Ping health checks verify if the real server is alive.

    • Select the SSLHELLO radio button to set Secure Sockets Layer (SSL) hello health-check parameters. SSL version 2 (SSLv2) is used for the SSL health check.

    • Select the SCRIPT radio button to create a custom-based health check. From the Custom Health Check field, specify tcp or udp as the protocol for the script to use in a custom health check. A script is made up of one or more TCP or UDP command containers. A script can contain any number of these containers, up to the allowable number of characters that a script supports.

  14. Click Save to save the service template configuration. Else, click Close to discard the changes to the template.

Load-Balancing Methods for Real-Server Groups

The following methods for real server groups are supported:

  • Hash—The hash load-balancing method uses IP address information in the client request to select a server. For virtual-services, the client source IP address is used. All requests from a specific client are sent to the same server. This is useful for applications where client information must be retained between sessions. When selecting a server, a mathematical hash of the relevant IP address information is used as an index into the list of currently available servers. Any given IP address information always has the same hash result, providing natural persistence, as long as the server list is stable. When a configured server becomes unavailable, clients bound to operational servers continue to be bound to the same servers for future sessions and clients bound to unavailable servers are rehashed to select an operational server. Some services allow you to hash using the client-ip and port. This is done using the source-port-inhash parameter. There are more hash options in filters, which are set using the load-balancing-hash parameter.

  • Least Connections—With the least-connections load-balancing method, the number of connections currently open on each real server is measured in real time. The server with the fewest current connections is considered to be the best choice for the next client connection request. This option is the most self-regulating, with the fastest servers typically getting the most connections over time.

  • Round-Robin—With the round-robin load-balancing method, new connections are issued to each server in turn; that is, the first real server in the group gets the first connection, the second real server gets the next connection, followed by the third real server, and so on. When all the real servers in this group have received at least one connection, the issuing process starts over with the first real server.

  • Response Time—The response-time load-balancing method uses real-server response time to assign sessions to servers. The response time between the servers and the load-balancing module is used as the weighting factor. The router monitors and records the amount of time it takes for each real server to reply to a health check to adjust the real-server weights. The weights are adjusted so they are inversely proportional to a moving average of response time. In such a scenario, a server with half the response time as another server receives a weight twice as large.

  • Bandwidth—The bandwidth load-balancing method uses real-server octet counts to assign sessions to a server. The load-balancing module monitors the number of octets sent between the server and the module. Then, the real-server weights are adjusted so they are inversely proportional to the number of octets that the real server processes during the last interval. Servers that process more octets are considered to have less available bandwidth than servers that have processed fewer octets. For example, the server that processes half the amount of octets over the last interval receives twice the weight of the other servers. The higher the bandwidth used, the smaller the weight assigned to the server. Based on this weighting, the subsequent requests go to the server with the highest amount of free bandwidth. These weights are automatically assigned.

    Note

    The effects of the response-time or bandwidth weighting apply directly to the real servers and are not necessarily confined to the group. When response-time or bandwidth-metered real servers are also used in other groups that use the least-connections, round-robin, or hash methods, the response-time or bandwidth weights are applied on top of the method calculations for the affected real servers. Since the response-time or bandwidth weight changes dynamically, this can produce fluctuations in traffic distribution for the groups that use the least-connections, round-robin, or hash load-balancing methods.
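
An added Python sketch (not Juniper code) of two behaviours described above: hash selection that keeps clients on their server when a different server fails, and weights that are inversely proportional to response time or octet count. The SHA-256 hash, the two-stage rehash, the simple moving average, the floor of 1 unit, and all function names are assumptions chosen for illustration; the page does not specify them.

```python
import hashlib
import ipaddress


def hash_index(client_ip, n):
    """Map a client IPv4/IPv6 address to a stable index in range(n)."""
    packed = ipaddress.ip_address(client_ip).packed
    digest = hashlib.sha256(packed).digest()
    return int.from_bytes(digest[:8], "big") % n


def pick_by_hash(client_ip, configured, available):
    """Pick a real server for a client by hashing its source address.

    Stage 1 hashes over the configured list, so a client's binding does not
    move when some other server goes down. Stage 2 runs only when the bound
    server is unavailable and rehashes over the operational servers.
    (Assumed scheme; it reproduces the behaviour the page describes.)
    """
    if not configured or not available:
        return None
    bound = configured[hash_index(client_ip, len(configured))]
    if bound in available:
        return bound
    operational = [s for s in configured if s in available]
    if not operational:
        return None
    return operational[hash_index(client_ip, len(operational))]


def moving_average(samples, window):
    """Simple moving average over the last `window` samples (assumed form)."""
    if window < 1 or not samples:
        raise ValueError("need at least one sample and a positive window")
    recent = samples[-window:]
    return sum(recent) / len(recent)


def inverse_weights(metric, floor=1.0):
    """Weights inversely proportional to a per-server metric.

    `metric` maps server name to averaged response time or to octets handled
    in the last interval. The worst server gets weight 1.0. Values below
    `floor` are clamped so an idle server (0 octets) does not divide by zero.
    """
    if not metric:
        return {}
    clamped = {s: max(float(v), floor) for s, v in metric.items()}
    worst = max(clamped.values())
    return {s: worst / v for s, v in clamped.items()}


if __name__ == "__main__":
    servers = ["rs1", "rs2", "rs3", "rs4"]          # constructed names
    clients = ["198.51.100.%d" % i for i in range(1, 9)]  # documentation range
    for c in clients:
        print(c, pick_by_hash(c, servers, set(servers)),
              pick_by_hash(c, servers, {"rs1", "rs2", "rs4"}))
    # Half the response time yields twice the weight.
    print(inverse_weights({"rs1": 10.0, "rs2": 20.0}))
```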

Creating a Client-Facing Interface and Routing Instance

Clients and servers can be connected through the same router port. Each port in use on the router can be configured to process client requests, server traffic, or both:

Client-facing interfaces—Router ports through which client requests to the virtual server are received.

Server-facing interfaces—Router ports to which servers are connected (directly or through routing). Responses to clients are received on the router through these ports.

To assign a client-facing instance and interface to an ADC template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Client-Facing box. The Client facing dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. From the Service Gateway Name field, select the SDG group with which the service element must be associated.
  10. From the Host Name field, select the SDG in the SDG high-availability pair of active and standby SDGs.
  11. In the Device Inventory Routing Instances section, select the check box next to the routing instance of the SDG that must be used for packets arriving from clients or users. All the routing instances from the inventory of devices are listed.
  12. In the Device Inventory Interfaces section, select the check box next to the interface instance of the SDG that must be used for packets arriving from clients or users. All of the interfaces from the inventory of devices are listed.
  13. Click OK to save the settings. Else, click Cancel to discard the configuration.

Creating a Server-Facing Interface and Routing Instance

Clients and servers can be connected through the same router port. Each port in use on the router can be configured to process client requests, server traffic, or both:

Client-facing interfaces—Router ports through which client requests to the virtual server are received.

Server-facing interfaces—Router ports to which servers are connected (directly or through routing). Responses to clients are received on the router through these ports.

To assign a server-facing instance and interface to an ADC template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Client-Facing box. The Client facing dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. From the Service Gateway Name field, select the SDG group with which the service element must be associated.
  10. From the Host Name field, select the SDG in the SDG high-availability pair of active and standby SDGs.
  11. In the Device Inventory Routing Instances section, select the check box next to the routing instance of the SDG that must be used for packets traversing to the servers. All the routing instances from the inventory of devices are listed.
  12. In the Device Inventory Interfaces section, select the check box next to the interface instance of the SDG that must be used for packets to be sent to the servers. All of the interfaces from the inventory of devices are listed.
  13. Click OK to save the settings. Else, click Cancel to discard the configuration.

Creating a Services PIC for an ADC Service Template

Multiservices (ms-) interfaces are the physical multiservices interfaces of a device that are used to run the load-balancing instance application. The more multiservices interfaces used for a load-balancing instance, the more capacity and processing power the instance has. At least one MS interface must be specified for each adc-instance; up to eight interfaces can run the same instance. A multiservices interface is associated exclusively with a single load-balancing instance (it cannot be shared between instances).

To assign a services interface to an ADC template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.

  6. Enter the name of the template and the service instance in the respective fields.
  7. Click the green plus sign in the Service Pic box. The Service Pic dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  8. From the Service Gateway Name field, select the SDG group with which the service element must be associated.
  9. From the Host Name field, select the SDG in the SDG high-availability pair of active and standby SDGs.
  10. Select the check box next to the ms- interface of an SDG that must be assigned to the ADC template.
  11. Click OK to save the settings. Else, click Cancel to discard the configuration.

Creating a Health Check for an ADC Service Template

The ADC software does health checking on each defined server (see Health Checking). In order for the traffic to get from the ADC software to the server, a source IP with the same subunit as the server must be defined. Usually all subunits that are in use in a certain adc-instance must have a matching IP address with the same subunit defined in the instance.

The health check itself is defined at the group parameter. Select a health check based on the application running on the real server in question. If the real server is an LDAP server, for example, use the LDAP health check method. It is important to make sure that the server can answer connections from the IP address configured. This source IP address must be “routable” back to the router. Each server in the load-balancing instance has a sub-unit attached to it. Before the ADC software sends a health check to a server, it checks the sub-unit attached to the server, then chooses the source IP address to use for this server health check according to the address configured under the same unit in the health-check-source configuration. As a result, each sub-unit attached to a server must have a matching address in the health-check-source configuration. This way the ADC software can send health checks to servers using this sub-unit. When no health check address is defined for the unit, all servers with this unit are in a failed status. Family inet is the only supported family under the health-check-source configuration.

To configure a health check source for an ADC template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Health Check box. The Addition of Health Check dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. Specify the unit of the health check source in the Unit field. As part of the auto-configuration, the ADC software defines IFLs and IFAs (units and addresses) on the Multiservices-DPC. These IFLs require a unique unit number that is used later in auto-configured filters to direct traffic. By default, the units used by the ADC software for automatic configuration are in the range of 10,000 to 11,032.
  10. Select the IPv4 Family check box to specify IPv4 as the address protocol family.
  11. Specify the IPv4 address of the source for health verification in the IP Address field.
  12. Select the IPv6 Family check box to specify IPv6 as the address protocol family.
  13. Specify the IPv6 address prefix of the source for health verification in the IP Address field.
  14. Click Save to save the settings. Else, click Cancel to discard the configuration.

Creating a Custom Health Check for an ADC Instance

You can configure the ADC software to send a series of health-check requests to real servers or real-server groups and monitor the responses. Health checks are supported for TCP and UDP protocols, using either binary or ASCII content.

Health check scripts dynamically verify application and content availability by executing a sequence of tests based on send and expect commands. You can configure the ADC software to send a series of health check requests to real servers or real-server groups and monitor the responses. Both ASCII and binary-based scripts, for TCP and UDP protocols, can be used to verify application and content availability.

To configure a custom health-check script for an ADC template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Custom Health Check box. The Addition of Custom Health Check dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. Specify the name of the script to be used for health-check in the Script Name field. A script is made up of one or more TCP or UDP command containers. A script can contain any number of these containers, up to the allowable number of characters that a script supports.
  10. Select the type of protocol for custom health-check from the Command Type list. You can select either TCP or UDP. Commands exist to open a connection to a specific TCP or UDP port, send a request to the server, and expect an ASCII string or binary pattern. Only one protocol can be configured per script.
  11. Specify the name of the command for custom health-check in the Command Name field.

    The name of the TCP or UDP command for script-based health-check is a container for one or more commands.

  12. Click the Add icon to create a health-check command. The Health Check Command dialog box is displayed.

    You can also select the check boxes beside existing commands from the list of previously configured commands from the Custom Health Check dialog box if you want to assign them to the health-check script. Click Save to save the settings.

  13. In the Health Check Command dialog box, enter the unique identifier for the command to be used for diagnosing and monitoring the health of servers or URLs using script-based checking in the Command ID field.
  14. Select the type of command for script-based health monitoring from the Command Type list.

    The following are the currently available commands for building a script-based health check:

    • open—Specifies which destination real-server UDP port to use; for example, OPEN 9201. After entering the destination port, you are prompted to specify a protocol; choose udp.

    • send—Specifies the send content in raw hexadecimal format.

    • binary-send (for binary content only)—Used to specify binary content (in hexadecimal format) for the request packet.

    • expect—Specify the expected content in raw hexadecimal format.

    • binary-expect (for binary content only)—Used to specify the binary content (in hex format) to be expected from the server response packet.

    • offset (for binary content only)—Specifies the offset from the beginning of the binary data area to start matching the content specified in the binary-expect command. The offset command is supported for both UDP and TCP-based health checks. Specify the offset command after a binary-expect command if an offset is desired. If this command is not present, an offset of zero is assumed.

    • depth (for binary content only)—Specifies the number of bytes in the IP packet that should be examined. If no offset value is specified, depth is specified from the beginning of the packet. When depth is not specified, it is the length of the content. This means that the content is expected exactly at the offset specified (or 0 when the offset is not specified).

    • wait—Specifies a wait interval before the expected response is returned. The wait window begins when the send string is sent from the ADC. If the expected response is received within the window, the wait step passes. Otherwise, the health check fails. The wait window is in units of milliseconds. When the wait value is not specified, the script waits according to the real-server configured interval.

  15. Enter a value corresponding to the command type selected in the Value field. You can enter one of the following types of values based on the command type:
    • binary-expect and binary-send hexadecimal-value—Specifies the content to expect from the server response packet using hexadecimal format.

    • depth number—Specifies the number of bytes in the IP packet that should be examined. If no offset value is specified, depth is specified from the beginning of the packet. Default: The default value is the length of the content.

    • offset number—Specifies the offset from the beginning of the binary data area to start matching the content specified in the binary-expect command. The offset command is supported for both UDP-based and TCP-based health checks. If you require an offset, specify the offset command after a binary-expect command. Default: 0

    • binary-expect, binary-send, and expect wait interval—Specifies a wait interval before the expected response is returned. The wait interval begins when the send string is sent from the ADC software. If the expected response is received within the interval, the wait step passes. Otherwise, the health check fails. The wait interval is expressed in units of milliseconds. When the wait interval is not specified, the script waits according to the real server configured interval. Range: 0 through 65535

    • send text—Specifies the send content in raw hexadecimal format.

    • open port—Specifies which destination real-server UDP port to use; for example, open 9201.

  16. Click Save to save your settings in the Health Check Command dialog box. You are returned to the Custom Health Check dialog box and the newly configured command is added to the list shown.
  17. Click OK to save the settings in the Custom Health Check dialog box. Else, click Cancel to discard the configuration.
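The command semantics listed in steps 14 and 15, as an added Python example that is not part of the original documentation or the ADC software: a small model of a script that uses binary-expect with offset, depth and wait, run against constructed DNS-style replies. The tuple format, `compile_script`, `run_script`, `canned`, the 2000 ms fallback interval and the reading of depth as a search window that starts at the offset are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Expect:
    pattern: bytes
    offset: int = 0                # page default: an offset of zero is assumed
    depth: Optional[int] = None    # page default: the length of the content
    wait: Optional[int] = None     # ms; page default: the real-server interval

    def matches(self, data: bytes) -> bool:
        # Assumed reading: depth is the size of the window that starts at offset.
        depth = len(self.pattern) if self.depth is None else self.depth
        return self.pattern in data[self.offset:self.offset + depth]


def compile_script(steps):
    """Turn (command, value) pairs into a port and a list of send/expect actions."""
    if not steps or steps[0][0] != "open":
        raise ValueError("script must start with an open command")
    port, actions = int(steps[0][1]), []
    for cmd, value in steps[1:]:
        if cmd in ("send", "binary-send"):
            actions.append(bytes.fromhex(value))
        elif cmd in ("expect", "binary-expect"):
            actions.append(Expect(bytes.fromhex(value)))
        elif cmd in ("offset", "depth", "wait"):
            # Modifiers apply to the expect command they follow.
            if not actions or not isinstance(actions[-1], Expect):
                raise ValueError(f"{cmd} must follow an expect command")
            number = int(value)
            if cmd == "wait" and not 0 <= number <= 65535:
                raise ValueError("wait must be 0 through 65535 ms")
            setattr(actions[-1], cmd, number)
        else:
            raise ValueError(f"unknown command {cmd!r}")
    return port, actions


def run_script(steps, responder, interval_ms=2000):
    """responder(port, request) -> (reply bytes, elapsed ms); returns (passed, reason)."""
    port, actions = compile_script(steps)
    reply, elapsed = b"", 0
    for action in actions:
        if isinstance(action, bytes):
            reply, elapsed = responder(port, action)
            continue
        limit = interval_ms if action.wait is None else action.wait
        if elapsed > limit:
            return False, f"no reply within {limit} ms"
        if not action.matches(reply):
            return False, f"{action.pattern.hex()} not found at offset {action.offset}"
    return True, "ok"


# Constructed sample data: a DNS-style exchange for a UDP real server.
QUESTION = b"\x07example\x03com\x00" + bytes.fromhex("00010001")
QUERY = bytes.fromhex("123401000001000000000000") + QUESTION
HEALTHY = (bytes.fromhex("123481800001000100000000") + QUESTION
           + bytes.fromhex("c00c000100010000003c0004c0000201"))
SERVFAIL = bytes.fromhex("123481820001000000000000") + QUESTION

SCRIPT = [
    ("open", "53"),
    ("binary-send", QUERY.hex()),
    ("binary-expect", "8180"), ("offset", "2"), ("wait", "500"),   # flags: response, no error
    ("binary-expect", "c00c"), ("offset", "12"), ("depth", "32"),  # answer name pointer
]


def canned(reply, elapsed_ms):
    """Stand-in for the network: always returns the same reply after elapsed_ms."""
    return lambda port, request: (reply, elapsed_ms)


if __name__ == "__main__":
    print(run_script(SCRIPT, canned(HEALTHY, 20)))
    print(run_script(SCRIPT, canned(SERVFAIL, 20)))
    print(run_script(SCRIPT, canned(HEALTHY, 800)))
```

Without the depth modifier, the second expect would require `c00c` exactly at offset 12 and the healthy reply would be marked failed, which is the practical difference between the two defaults.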

Creating a Virtual Service for an ADC Service Template

A virtual service is a service that is being load-balanced across the servers in the group; for example, dns-virtual-service. The service belongs to a virtual server, that defines the IP address through which the service is accessible to the client. The service is accessed through one or more predefined application ports (TCP or UDP). The virtual server defines the IP address to which client requests are sent. The virtual service defines a destination port within the virtual-server IP address. The virtual service configuration includes parameters relevant to the processing of client requests to this service. The service is actually provided by the real servers in the group defined in the virtual service.

To configure a virtual service for an ADC template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Virtual Service box. The Addition of Virtual Service dialog box appears.

    Note

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. In the Name field, specify the name of the virtual service (limit of 128 characters).
  10. In the Address field, specify the IP address of the virtual server.
  11. From the Service Type list, select DNS to set up the DNS service for the virtual server. You can also select other service types such as plain, HTTP, or SSL.

    IP server load balancing allows you to configure your ADC software for server load balancing based on the client's IP address only. Typically, the client IP address is used with the client port number to produce a session identifier. When the Layer 3 option is enabled, the ADC software uses only the client IP address as the session identifier.

  12. In the Server Listening Port field, specify the port number the server uses to listen or receive connection requests. The range is from 0 through 65,534. You can change the destination port of traffic to a specific port by using this field setting.
  13. From the Protocol list, select TCP or UDP to specify the application type of virtual service.
  14. From the Group list, select the name of a real server group configured to be used for this virtual service.
  15. In the Service Timeout field, configure the service-timeout parameter to the amount of time that idle connections should remain in the connection table before being removed, in minutes (0 to 32768). The default, when the parameter is not set, is to use the timeout configured for the real server, typically 10 minutes.
  16. Select the Fast Load Balancing check box to specify that the connection table is to be used for requests only.

    Traffic to virtual services is managed using the connection table. Each connection is recorded in the table. Usually, the connection table is used both for the request processing and for reply processing. In request processing, the ADC software looks for a corresponding entry to check persistency information, finds the appropriate real-server address and listening port, and uses it to send the request to the server. In reply processing, the ADC software looks for a corresponding entry to know how to change the source address from a real-server address and listening port back to the virtual-server address and service port. In some cases, faster traffic processing can be achieved by not checking the connection table for the response path, but by using another, more efficient, mechanism for the address and port translation.

  17. Select the Send Traffic to VIP check box to redirect the packets to the virtual IP address (VIP) configured for the virtual server associated with the virtual service. When a certain VIP is available, the route to this VIP exists in the routing-instance. This allows the dynamic protocol to publish the VIP as owned by the router. When the VIP is not available (that is, all the servers for this VIP are down), the route is withdrawn from the routing-instance. This causes the routing protocol to withdraw the route to this IP from its publications. In turn, traffic to this VIP is no longer routed to this specific router.
  18. Click Save to save the settings. Else, click Cancel to discard the configuration.

Creating a Virtual Server for an ADC Service Template

Each virtual server can be configured to support up to 8 service ports and is limited to a total of 1023 services per router. If more than eight service ports are required for a virtual address, you can define multiple virtual servers with the same address. The protocol setting specifies whether this virtual service is a TCP or UDP application. The port setting specifies the application port for this application.

To configure a virtual server for an ADC template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the ADC button.

    The list of ADC service templates is displayed.

  5. Click the Add icon.

    The Create an ADC Planning Template window appears.
  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Virtual Server box. The Addition of Virtual Server dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. In the Name field, enter the name of the virtual server. The virtual server defines the IP address to which client requests are sent.
  10. In the Address field, specify the IP address of the virtual server.
  11. From the Type list, select DNS to set up the DNS service for the virtual server. You can also select other service types such as LDAP, HTTP, or SNMP.
  12. In the Virtual Services section, select a virtual service from the Available column and click the right arrow to move the service to the Selected column.
  13. Click Save to save the settings. Else, click Cancel to discard the configuration.

Creating a Firewall Rule for an ADC Service Template

ADC filter terms are an ordered list of terms. Each filter term is composed from a match clause (ADC Filter Terms—“from” Clause) that defines the match criteria, and a then clause (ADC Filter Terms—“then” Clause) that defines the action and behavior with traffic that matches the term. An ADC filter term name can contain letters, numbers, and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose the entire name in quotation marks (" "). Each term name must be unique within a filter. You can specify multiple terms in the ADC filter, effectively chaining together a series of match action operations to apply to the packets. You can also use the go-to action so that, when a match condition is met, the evaluation continues from the go-to term, rather than terminating. ADC filter terms are evaluated in the order in which you specify them in the configuration. To reorder terms, use the configuration mode insert command. For example, the command insert term up before term start places the term up before the term start. Up to 2048 filter terms can be configured on the module. Descriptive names can be used to define filter terms. Each filter can be set to perform from or then actions, based on any combination of the filter options.

ADC Filter Terms—“from” Clause

In the from statement in the ADC filter term, you specify conditions that the packet must match for the action in the then statement to be taken. All conditions in the from statement must match for the action to be taken. The order in which you specify match conditions is not important, because a packet must match all the conditions in a term for a match to occur. If you specify no match conditions in a term, that term matches all packets. In the from clause you can indicate Layer 4 information to match traffic:

  • source-address—Source IP address or range.

  • destination-address—Destination IP address or range (dip and dmask).

  • protocol tcp | udp—Match using either TCP or UDP protocol. By default, both are matched.

  • source-port—TCP/UDP application or source port or source port range (such as 31000 to 33000). The service number specified on the module must match the service specified on the server.

  • destination-port—TCP/UDP application or destination port or destination port range (such as 31000 to 33000).

    Note

    Advanced filtering options such as TCP flags are available. Using these filter criteria, you could create a single filter that blocks external Telnet traffic to your main server except from a trusted IP address. Another filter could warn you if FTP access is attempted from a specific IP address. Another filter could redirect all incoming e-mail traffic to a server where it can be analyzed for spam. The options are nearly endless.

ADC Filter Terms—“then” Clause

A filter term then statement instructs the filter what to do once the filtering criteria are matched. These actions are defined in the then clause of the filter term. You can specify one of the following filter actions:

  • accept—Allows the frame to pass (by default). It is processed according to its destination: either handled by ADC virtual services or by the router and sent to its destination.

  • discard—Discards frames that fit this filter’s profile. They are not processed further.

  • go-to term—Match to the specified term and continue classification from there. Note: The target term must appear further down the list than the currently evaluated term.

  • http-redirect—Allows you to specify a target term name that the filter search should jump to when a match occurs. The http-redirect causes filter processing to jump to a designated filter, effectively skipping over a block of filter terms. Filter searching then continues from the designated filter term. To specify the new filter, use the http-redirect command.

  • load-balance—Redirects frames that fit this filter's profile, such as for web cache redirection. In addition, Layer 4 processing must be used.

  • content-term—Traffic is further matched against content strings. When matched, the content term then clause is effective. When the content-term is not matched, there is no further filter term matching.

  • log—Generates system log messages when the filter term is hit. This option can be used in conjunction with other term actions.

  • per-packet-load-balancing—To improve efficiency, by default, filter processing is performed only on the first frame in each session. Subsequent frames in the session are assumed to match the same criteria and are automatically treated in the same way as the initial frame. Sessions that match a filter term are logged in the connection table for immediate processing of subsequent frames, rather than a full search to find a matching term. Some types of filtering (such as TCP flag) require each frame in the session to be filtered separately. To set this behavior, set per-packet-load-balancing for the relevant filters.
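The ordering, naming, and go-to rules described above can be checked offline before a template is published. The following is an added example, not Juniper code: the dictionary layout, the go_to key, and the sample addresses are constructed for illustration, port conditions are given as (low, high) pairs, and a packet that matches no term returns (None, None) because this model does not cover that case.

```python
import ipaddress
import re
MAX_TERMS = 2048  # per-module limit stated in the text
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,255}")  # quoted names with spaces are not modelled

def lint(terms):
    """Return problems found in an ordered list of term dicts (hypothetical layout)."""
    names = [t["name"] for t in terms]
    problems = [f"{len(terms)} terms exceeds {MAX_TERMS}"] if len(terms) > MAX_TERMS else []
    for i, t in enumerate(terms):
        if not NAME_RE.fullmatch(t["name"]):
            problems.append(f"{t['name']}: invalid term name")
        if names.index(t["name"]) != i:
            problems.append(f"{t['name']}: duplicate term name")
        if "go_to" in t and t["go_to"] not in names[i + 1:]:
            problems.append(f"{t['name']}: go-to target is not a later term")
    return problems

def _cond_ok(key, want, have):
    if key.endswith("-address"):
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    if key.endswith("-port"):
        return want[0] <= have <= want[1]  # ports are (low, high) pairs
    return have == want  # protocol

def matches(cond, pkt):
    """Every condition must match; an empty from clause matches all packets."""
    return all(_cond_ok(k, w, pkt[k]) for k, w in cond.items())

def evaluate(terms, pkt):
    """Return (term name, action) of the first terminating match, following go-to."""
    names, i = [t["name"] for t in terms], 0
    while i < len(terms):
        t = terms[i]
        if not matches(t.get("from", {}), pkt):
            i += 1
        elif "go_to" in t:
            i = names.index(t["go_to"], i + 1)  # forward only; ValueError otherwise
        else:
            return t["name"], t["then"]
    return None, None  # no term matched; outcome is outside this model

# Constructed sample: Telnet to a main server is allowed from one trusted host only.
TELNET = {"destination-address": "198.51.100.5/32", "protocol": "tcp", "destination-port": (23, 23)}
TERMS = [{"name": "trusted-telnet", "from": {**TELNET, "source-address": "192.0.2.10/32"}, "then": "accept"},
         {"name": "block-telnet", "from": TELNET, "then": "discard"},
         {"name": "app-ports", "from": {"destination-port": (31000, 33000)}, "go_to": "balance"},
         {"name": "everything-else", "from": {}, "then": "accept"},
         {"name": "balance", "from": {"protocol": "tcp"}, "then": "load-balance"}]
```

Swapping the first two terms still passes lint() but makes evaluate() discard the trusted host's Telnet session, which is why term order needs review in addition to syntax checks.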

To configure a virtual server for an ADC template:

  1. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  2. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  3. Click the ADC button.

    The list of ADC service templates is displayed.

  4. Click the Add icon.

    The Create an ADC Planning Template window appears.

  5. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  6. In the Instance Name field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  7. Click the green plus sign in the Firewall Rules box. The Addition of Firewall Rule dialog box appears.

    Note

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  8. Select the element for the from clause that specifies the match criterion or filter condition.
  9. Select the element for the then clause that specifies the action modifier to be performed.
  10. Click Save to save the settings. Otherwise, click Cancel to discard the configuration.

Modifying ADC Service Templates

On the Service Designer page, you can view the collection of service templates defined for several applications, such as stateful firewall or CGNAT.

To modify service template instances, such as ADC, SFW, CGNAT, or TLB templates:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Deploy Service > Service Edit.

    The Service Instances page is displayed in the right pane, listing all the previously defined service templates.

  4. From the View pane, perform one of the following tasks:
    • Click the ADC button.

      The list of ADC service templates is displayed. You need not click this button if you are launching the Service Designer page for the first time or are navigating to this page from another mode or a different page. You need to click this button only if you are viewing the other service templates, such as CGNAT or TLB.

    • Click the SFW button.

      The list of SFW templates is displayed.

    • Click the TLB button.

      The list of TLB templates is displayed.

    • Click the CGNAT button.

      The list of CGNAT templates is displayed.

  5. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree and view the pair of devices in the SDG group or pair. Select the check box next to the SDG pair or individual SDG for which you want to modify settings. In an SDG pair, you can select a single SDG or both the SDGs in the redundancy pair of devices.

    Note

    Alternatively, you can also modify service templates from Service View in Build Mode by selecting Service Templates > Manage Service Templates from the task pane, selecting a service instance, and clicking the Modify button. You can also modify ADC and TLB service templates from Gateway View in Deploy mode by selecting the SDG pair or SDG from the View pane, selecting Service Edit from the task pane, and selecting the TLB service from the main window that displays all the previously configured template instances to lock and modify it.

  6. Click the Lock icon above the table of listed packet filters. The Select Reference Config dialog box is displayed.
    Figure 2: Select Reference Config Dialog Box
  7. From the Service Gateway Name drop-down list, select the SDG group to which the packet filter must be applied.
  8. From the Host Name drop-down list, select the hostname of the SDG.
  9. In the Select Common Components section, select the check boxes beside the service modules or components, such as packet filters, SFW rules, or CGNAT rules, that are displayed. The displayed components depend on the attributes that are previously defined for that selected packet filter. For example, if the service policy is for stateful firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config Category to select all the service components.
  10. Click Save to save the modified association.
  11. Select the check box beside the template you want to modify.
  12. Open the Modify menu above the list of templates to modify an existing template, and select the component or service attribute, such as application or rule, that you want to edit.
  13. Perform one of the following from the drop-down menu displayed for each component:
    • To retrieve the service component and import into the database of Edge Services Director, select Import Object. The Import Services dialog box appears. You can import the service templates assigned to SDGs or choose from a list of all of the predefined templates in the database. Also, you can either import all of the components of a service or specific components.

    • To create the component afresh, select Create New. The Create page corresponding to the service component appears. You can define the attributes for the service component in the same manner as you define the elements during the creation of a service template.