General f5 SAP questions

Question

Hello, 
&nbsp;  
&nbsp; I am an SAP Basis guy and not the administrator of the f5.  However, the administrators of the f5 (Big-IP LTM) at my company are not SAP guys, so we are trying to collaborate.  
&nbsp;  
&nbsp; I have a few questions to ask.  We have some configuration done with the f5 that is working and this is based on the f5 with Netweaver SOA guide, but I am interested in some more advanced load balancing. 
&nbsp;  
&nbsp; Can the f5 Big-IP LTM (assuming no other add-ons) actually balance based on load?  We currently have a simple health monitor that checks to get an http GET response, but can it detect the load on the server, whether by CPU usage, or even better, SAP work process usage or java http thread usage? 
&nbsp;  
&nbsp; Is there an advantage from an ABAP stack perspective of using the f5 over the SAP message server?  The message server can tell which app servers are up or down and do some load balancing based on actual load and logon groups.  Do I lose my logon group functionality by using the f5 to send me to an app server from SAPGUI for example? 
&nbsp;  
&nbsp; Can the f5 do everything that the SAP Web Dispatcher can do from an http perspective?  I know that the f5 can handle SSL, but can it handle J2EE logon groups like the web dispatcher can?  Also, the web dispatcher can load balance based on capacity (generally the number of server nodes on the app server). 
&nbsp;  
&nbsp; We prefer to have users enter on port 80 and keep ports transparent and be sent seamlessly to the correct Java http port.  The web dispatcher can do this easy enough because it functions as more of a passthrough.  Also, for some functionality like web service calls, they cannot handle a redirect (301 or 302) and the web dispatcher takes care of this.  Can the f5 do the same, listening on port 80 and seamlessly redirecting to the correct port without an actual redirect?  
&nbsp;  
&nbsp; Also, we currently have it set up so that there is a switch from http to https and the correct port using an iRule when end users come in.  When this happens, the port is visible in the browser. Is there anyway to keep this completely transparent, so that if I type in http://abc.def.com I get redirected to https://abc.def.com:port but still show http://abc.def.com or https://abc.def.com in the browser? 
&nbsp;  
&nbsp; I hope I don't sound too ignorant as I have tried to do some research on these topics.   
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Brian

nojan_moshiri_4 · Answer

Hi Brian,     
&nbsp;        
&nbsp;    You have a lot of interesting and exciting questions.  You're hitting all the correct points in regards to SAP and high availability.  My approach to the architecture of the NetWeaver platform is to simplify, offload and accelerate, I think this will be clear as I go into some more detail.    
&nbsp;        
&nbsp;    First, I see you're referring to both the SAP Messaging server and Web Dispatcher, if you are in a decision making point between the two, let me start off by saying that SAP, "...recommends that you use the SAP Web Dispatcher as the entrance point for your Web queries. This is then used as the access point for your network and also executes load balancing for HTTP requests."  (1) (Link below) Please also see SAP Note 1040325 which describes exactly what decision process you should use to decided between Web Dispatcher and SAP Message Server. (2) (Link below)    
&nbsp;        
&nbsp;    To summarize, and please refer to the SAP documentation I've linked to for specific and exact wording, Web Dispatcher is the better software solution in the cases were you are doing redirects, when you're running applications through the portal and when your applications are state-full.  SAP recommends a hardware solution such as BIG-IP LTM for offload, security and acceleration.    
&nbsp;        
&nbsp;    The SAP Landscape can be simplified and offloaded by using BIG-IP LTM instead of the Web Dispatcher. You've already mentioned many of the reasons, including SSL Off-Load, the use of iRules and there are many others which revolve around our full proxy architecture.    
&nbsp;        
&nbsp;    Getting more specific about your questions, in regards to balancing on load, we do have one solution with using Dynamic Ratio Load Balancing with SNMP (3) (link below). However, this does not go to the level of checking Java thread usage or SAP work process to the same extent of the Messaging Server.  As F5 becomes more integrated with SAP this may certainly happen in the future.    
&nbsp;        
&nbsp;    In regards to logon groups, again, LTM does not have the same level of introspection that Web Dispatcher does.  We can initiate persistence through cookies (inserted by LTM or by the server) which will insure that a user returns to the same Java instance, which improves Java performance.    
&nbsp;        
&nbsp;    Finally, in regards to your port redirection questions. On the first part, what you're describing is a very easy setup for LTM.  With our full proxy architecture, you would setup the Virtual Server on an IP Address and port 80 and have the pools mapped to the instance of the Java on whichever port they are on.  The client would only connect to port 80 and be seamlessly mapped to the proper port on the back.  There is no redirect in this setup, but a full proxy communication.    
&nbsp;        
&nbsp;    In regards to the switch from http to https, it sounds like the iRule you already have could be tweaked to provide the URI to the client without the the port number visible, unless of course the HTTPS port is something under than the default 443 (in which case it needs to be there for the client to know where to send the request).  I would have to look at the iRule to comment further. There are many creative solutions to such problems with Stream Profiles and iRules.    
&nbsp;        
&nbsp;        
&nbsp;    I've included the links for the items I was reference above:    
&nbsp;    -----------------------------------------    
&nbsp;   (1) SAP NetWeaver Library: "HTTP Load Distribution Using SAP Message Server" - http://help.sap.com/saphelp_nw2004s/helpdata/en/40/c235c15ab7468bb31599cc759179ef/content.htm    
&nbsp;        
&nbsp;   (2) SAP Service Note  1040325 https://service.sap.com/~form/handler?_APP=01100107900000000342&amp;_EVENT=REDIR&amp;_NNUM=1040325 
&nbsp;        
&nbsp;   (3) Implementing monitors for Dynamic Ratio load balancing: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/LTM_config_guide_943/ltm_AppendixA.html1185064.    &nbsp;

bls9701_10560 · Answer

Hi Nojan, 
&nbsp;  
&nbsp; Thank you for your reply and all of your good information. I have read lots of documentation on the pros and cons of the web dispatcher.  My main issue with the web dispatcher is that it is not an HA solution in itself because it has to reside on a server which could go down at any time.  The only way to make it HA is to either run it on a clustered server or install multiple web dispatchers and us an HLB like the f5 to load balance to those servers.  Assuming you choose the latter option, then that adds another stop along the way and another point of failure and it requires its own maintenance and upkeep.  Also, load balancing to multiple web dispatchers when using SSL cannot work in a pass through (ROUTER) mode because they will always be sourced from the same IP of the load balancer and so be sent to the same app server every time (SAP Note 1026191).  In this case you must terminate the SSL connection at the web dispatcher, which is an extra step along the way. 
&nbsp;  
&nbsp; Also, the default SSL port for SAP is the J2EE http port +1 so if your J2EE port is 50000, your defualt SSL port is 50001.  So I suppose in this case, since it is not 443, hiding the port number would not be feasible. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Brian

nojan_moshiri_4 · Answer

In regards to SSL, in the typical setup, you would create a Virtual IP listening on port 443 and add to it a pool of servers which are listening on their SSL port, lets say 50001, and that way the client's URI just displays https://VIP-HOST-NAME/  When switching from HTTP to HTTPS, you can just redirect to the SSL Virtual IP on the BIG-IP, if I'm understanding your situation properly. 
&nbsp;  
&nbsp; Back to the topic of Web Dispatcher, I would say all the points you make are good reasons to outsource the job to a hardware load balancer.  You will off load CPU cycles from the SAP server to the hardware load balancer, and you'll reduce hops and individual pieces to manage.  
&nbsp;  
&nbsp; Hopefully this is somewhat helpful.

ron_carovano_75 · Answer

Hi Brian, 
&nbsp;  
&nbsp; I'm Nojan's teammate on the SAP Alliance Team here at F5 and your post has attracted some interest within SAP.  In fact, SAP would be interested in chatting with you directly. 
&nbsp;  
&nbsp; If you are interested, as well, please send me a brief e-mail message to r.carovano@f5.com. 
&nbsp;  
&nbsp; Ron

carl_brothers · Answer

This is great information, as I am more the F5 guy and certainly not a SAP Basis guy.  so learning the lingo from that perspective is really refreshing. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; CarlB

Forum Discussion

General f5 SAP questions

5 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

Securing Generative AI: Defending the Future of Innovation and Creativity

Generate API SDK for F5 Distributed Cloud

Protect multi-cloud and Edge Generative AI applications with F5 Distributed Cloud

Health monitor question