14.1 Understanding WAN Traffic Manager

Network directories, such as eDirectory, create server-to-server traffic. If this traffic crosses wide area network (WAN) links unmanaged, it can needlessly increase costs and overload slow WAN links during high-usage periods.

WAN Traffic Manager (WTM) lets you control the server-to-server traffic that eDirectory generates over WAN links, as well as eDirectory traffic between any servers in an eDirectory tree. WTM can restrict traffic based on cost of traffic, time of day, type of eDirectory operation, or any combination of these.

For example, you might restrict eDirectory traffic over a WAN link during high-usage times. This shifts high-bandwidth activities to off-hours. You might also limit replica synchronization traffic to times when rates are low to reduce costs.

WAN Traffic Manager controls only periodic events initiated by eDirectory, such as replica synchronization. It does not control events initiated by administrators or users, nor does it control non-eDirectory server-to-server traffic such as time synchronization.

The eDirectory processes listed in the following table generate server-to-server traffic.

Process

Description

Replica synchronization

Ensures that changes to eDirectory objects are synchronized among all replicas of the partition. This means that any server that holds a copy of a given partition must communicate with the other servers to synchronize a change.

Two types of replica synchronization can occur:

  • Immediate sync occurs after any change to an eDirectory object or any addition or deletion of an object in the directory tree.

  • Slow sync occurs for specific changes to an eDirectory object that are repetitive and common to multiple objects, such as changes to login properties. Some examples of this are updates to Login Time, Last Login Time, Network Address, and Revision properties when a user logs in or out.

The slow sync process runs only in the absence of an immediate sync process. By default, immediate sync runs ten seconds after any change is saved and slow sync runs 22 minutes after other changes are made.

Schema synchronization

Ensures that the schema is consistent across the partitions in the directory tree and that all schema changes are updated across the network.

This process runs once every four hours by default.

Heartbeat

Ensures that directory objects are consistent among all replicas of a partition. This means that any server with a copy of a partition must communicate with the other servers holding the partition to check the consistency.

This process runs by default once every 30 minutes on every server that contains a replica of a partition.

Limber

Ensures that a server’s replica pointer table is updated when that server’s name or address is changed. Such changes occur when

  • The server is rebooted with a new server name or IPX™ internal address in the autoexec.ncf file.

  • An address is added for an additional protocol.

When a server is booted, the limber process compares the server’s name and IPX address with those stored in the replica pointer table. If either is different, eDirectory automatically updates all replica pointer tables that contain a listing of that server.

The limber process also checks that the tree name is correct for each server in a replica ring.

Limber runs five minutes after the server boots up and then every three hours.

Backlink

Verifies external references, which are pointers to eDirectory objects that are not stored in the replicas on a server. The backlink process normally runs two hours after the local database is opened and then every 13 hours thereafter.

Connection management

Servers in a replica ring require a highly secure connection for transferring NCP™ packets. These secure connections, called virtual client connections, are established by the connection management process.

The connection management process might also need to establish a virtual client connection for schema synchronization or backlink processes. Time synchronization might also require such a connection, depending on the configuration of time services.

Server status check

Each server without a replica initiates a server status check. It establishes a connection to the nearest server that holds a writable replica of the partition containing the Server object.

The server status check runs every six minutes.

14.1.1 LAN Area Objects

A LAN Area object lets you easily administer WAN traffic policies for a group of servers. After you create a LAN Area object, you can add servers to or remove servers from the LAN Area object. When you apply a policy to the LAN Area, that policy applies to all the servers in the LAN Area.

You should create a LAN Area object if you have multiple servers in a LAN that is connected to other LANs by wide area links. If you do not create a LAN Area object, you must manage each server’s WAN traffic individually.

Creating a LAN Area Object

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > Create LAN Area.

  3. Specify a name and context for the object, then click OK.

  4. When finished, click OK.

Continue with one of the following sections:

Adding Servers to a LAN Area Object

A server can belong to only one LAN Area object. If the server you are adding already belongs to a LAN Area object, the server is removed from that object and added to the new object.

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > WAN Traffic Manager Overview.

  3. Click View LAN Areas, then click the LAN Area object you want.

  4. Click Server List, then click the Object Selector button.

  5. Select the server you want, then click Apply.

  6. Repeat Step 4 through Step 5 for each server you want to add.

    To apply a WAN policy to the LAN Area object, thereby applying the policy to all the servers in the group, see Applying WAN Policies.

  7. Click OK.

14.1.2 WAN Traffic Policies

A WAN traffic policy is a set of rules that control the generation of eDirectory traffic. These rules are created as text and are stored as an eDirectory property value on the Server object, the LAN Area object, or both. The policy is interpreted according to a simple processing language.

You can apply policies to individual servers or you can create LAN Area objects and assign several servers to one of these objects. Any policy that is applied to the LAN Area object is automatically applied to all servers that are assigned to the object.

WAN Traffic Manager comes with several predefined policy groups. You can use these policies as they are, modify them to meet your needs, or write new policies.

Predefined Policy Groups

The following table lists groups of predefined policies with similar functions:

| Policy Group | Description |
|---|---|
| 1-3am.wmg | Limits the time traffic is sent to between 1 a.m. and 3 a.m. |
| 7am-6pm.wmg | Limits the time traffic is sent to between 7 a.m. and 6 p.m. |
| costlt20.wmg | Allows only traffic that has a cost factor below 20 to be sent. |
| ipx.wmg | Allows only IPX traffic. |
| ndsttyps.wmg | Provides sample policies for various eDirectory traffic types. |
| onospoof.wmg | Allows only existing WAN connections to be used. |
| opnspoof.wmg | Allows only existing WAN connections to be used but assumes that a connection that hasn't been used for 15 minutes is being spoofed and should not be used. |
| samearea.wmg | Allows traffic only in the same network area. |
| tcpip.wmg | Allows only TCP/IP traffic. |
| timecost.wmg | Restricts all traffic to between 1 a.m. and 1:30 a.m. but allows servers in the same location to talk continuously. |

For detailed information on the predefined policy groups and their individual policies, see WAN Traffic Manager Policy Groups.

Applying WAN Policies

You can apply WAN policies to an individual server or to a LAN Area object. Policies applied to an individual server manage eDirectory traffic for that server only. Policies applied to a LAN Area object manage traffic for all servers that belong to the object.

WAN Traffic Manager looks in wanman.ini for a WAN policy groups section, which contains key = value statements. The key is the policy name displayed in the snap-in, and the value is the path to the text files containing delimited policies.

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > WAN Traffic Manager Overview.

  3. Click View LAN Areas, then click a LAN Area object.

    or

    Click View NCP Servers, then click an NCP Server object.

  4. Click Add Policy, then select the policy group you want.

    See Predefined Policy Groups for more information.

  5. Click OK.

    A list of the policies loaded from the policy group is displayed.

  6. Click OK.

    You can read what the policy does, make changes to the policy, or click Check Policy to check for errors in the policy.

  7. To remove a policy that you don't want, select the policy from the Policy Name drop-down list, then click Delete Policy.

  8. Click Apply, then click OK.

Modifying WAN Policies

You can modify any of the predefined policy groups included with WAN Traffic Manager to meet your own needs. You can also modify a policy you wrote yourself.

Modifying WAN Policies Applied to a Server

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > WAN Traffic Manager Overview > View NCP Servers.

  3. Click the Server object that contains the policy you want to edit.

  4. Select the policy you want to edit from the Policy Name drop-down list.

  5. In the Policy field, edit the policy to meet your needs.

    To understand the structure of a WAN policy, see WAN Policy Structure.

    To understand the syntax of a WAN policy, see Construction Used within Policy Sections.

  6. Click Check Policy to identify errors in syntax or structure.

    WAN Traffic Manager will not run policies with errors.

  7. Click Apply if you made any changes.

  8. To remove a policy that you don't want, select the policy from the Policy Name drop-down list, then click Delete Policy.

  9. Click Apply, then click OK.

Modifying WAN Policies Applied to a LAN Area Object

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > WAN Traffic Manager Overview > View LAN Areas.

  3. Click the LAN Area object that contains the policy you want to edit.

  4. Select the policy you want to edit from the Policy Name drop-down list.

  5. In the Policy field, edit the policy to meet your needs.

    To understand the structure of a WAN policy, see WAN Policy Structure.

    To understand the syntax of a WAN policy, see Construction Used within Policy Sections.

  6. Click Check Policy to identify errors in syntax or structure.

    WAN Traffic Manager will not run policies with errors.

  7. Click Apply if you made any changes.

  8. To remove a policy that you don't want, select the policy from the Policy Name drop-down list, then click Delete Policy.

  9. Click Apply, then click OK.

Renaming an Existing Policy

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > WAN Traffic Manager Overview.

  3. Click View LAN Areas, then click a LAN Area object.

    or

    Click View NCP Server, then click an NCP Server object.

  4. Select the policy you want to rename from the Policy Name drop-down list.

  5. Click Rename Policy, then specify the new name.

    The name must be a fully distinguished name.

  6. Click OK, click Apply, then click OK.

Creating New WAN Policies

You can write a WAN policy for a Server object or a LAN Area object. Policies written for an individual server manage eDirectory traffic for that server only, while policies written for a LAN Area object manage traffic for all servers that belong to the object.

Creating a WAN Policy for a Server Object

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > WAN Traffic Manager Overview > View NCP Servers.

  3. Click the Server object you want to create a new policy for, then click Create Policy.

  4. Specify a name for the new policy, then click OK.

    The name you provide should be a fully distinguished name.

  5. Specify the necessary information in the Policy text box.

    To understand the structure of a WAN policy, see WAN Policy Structure.

    To understand the syntax of a WAN policy, see Construction Used within Policy Sections.

  6. Click Apply, then click OK.

Creating a WAN Policy for a LAN Area Object

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > WAN Traffic Manager Overview > View LAN Areas.

  3. Click the LAN Area object you want to create a WAN policy for, then click Create Policy.

  4. Specify a name for the new policy, then click OK.

    The name you provide should be a fully distinguished name.

  5. Specify the necessary information in the Policy text box.

    To understand the structure of a WAN policy, see WAN Policy Structure.

    To understand the syntax of a WAN policy, see Construction Used within Policy Sections.

  6. Click Apply, then click OK.

14.1.3 Limiting WAN Traffic

WAN Traffic Manager comes with two predefined WAN Policy groups that limit traffic to specific hours. You can modify these policies to limit traffic to any span of hours you select. For more information, see 1-3am.wmg and 7am-6pm.wmg.

The instructions below are for modifying the 1:00 a.m. to 3:00 a.m. group, but you can use the same steps to modify the 7:00 a.m. to 6:00 p.m. group.

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic > WAN Traffic Manager Overview.

  3. Click View LAN Areas, then click a LAN Area object.

    or

    Click View NCP Server, then click an NCP Server object.

  4. Click Add Policy.

  5. Select 1-3am.wmg from the list of predefined policies, then click OK twice.

    The policy is displayed in the Policy text box, which lets you make changes. For example, if you want to limit traffic to 2:00 a.m. to 5:00 p.m. rather than from 1:00 a.m. to 3:00 a.m., make the following changes:

    /* This policy limits all traffic to between 2 am and 5 pm */
    LOCAL BOOLEAN Selected;
    SELECTOR
      Selected := Now.hour >= 2 AND Now.hour < 17;
      IF Selected THEN
        RETURN 50; /* between 2am and 5pm this policy has a high priority */
      ELSE
        RETURN 1;  /* return 1 instead of 0 in case there are no other policies */
                   /* if no policies return > 0, WanMan assumes SEND */
      END
    END
    PROVIDER
      IF Selected THEN
        RETURN SEND; /* between 2am and 5pm, SEND */
      ELSE
        RETURN DONT_SEND; /* other times, don't */
      END
    END

    In the comment lines (set off with /* and */), the hour can be designated using a.m. and p.m. In the active code, however, it must be designated using 24-hour format. In that case, 5:00 p.m. becomes 17.

    To better understand the structure of a WAN policy, see WAN Policy Structure.

    To better understand the syntax of a WAN policy, see Construction Used within Policy Sections.

  6. After modifying the syntax of the policy, click Check Policy to identify errors in syntax or structure.

    The results of the policy check are displayed.

    WAN Traffic Manager will not run policies with errors.

  7. If you want to keep the original 1-3 am policy, add the new policy under a different name.

    1. Click Rename Policy.

    2. Enter a name for the edited policy, then click OK.

  8. Click Apply, then click OK.
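The selection behavior that the policy comments above describe, modeled as an added Python sketch (not NetIQ code and not part of the original page): each policy's selector returns a weight, the policy with the highest positive weight wins, and its provider returns SEND or DONT_SEND. The `Policy` class, `window_policy()`, `evaluate()`, `send_hours()` and the highest-weight-wins rule are assumptions of this model; the weights 50 and 1 and the SEND default come from the policy text.

```python
# Added illustration: a model of SELECTOR/PROVIDER evaluation, not product code.
# Assumption: the policy whose selector returns the highest positive weight wins.
from dataclasses import dataclass
from typing import Callable, List

SEND, DONT_SEND = "SEND", "DONT_SEND"

@dataclass
class Policy:
    name: str
    selector: Callable[[int], int]   # hour (0-23) -> weight, 0 = do not use
    provider: Callable[[int], str]   # hour (0-23) -> SEND or DONT_SEND

def window_policy(name, start_hour, end_hour, weight=50, idle_weight=1):
    """Time-window policy shaped like the modified 1-3am.wmg policy above."""
    if not (0 <= start_hour < end_hour <= 24):
        raise ValueError("use 24-hour values with start_hour < end_hour")
    selected = lambda hour: start_hour <= hour < end_hour
    return Policy(
        name,
        selector=lambda hour: weight if selected(hour) else idle_weight,
        provider=lambda hour: SEND if selected(hour) else DONT_SEND,
    )

def evaluate(policies: List[Policy], hour: int):
    """Return (winning policy name or None, decision) for one request."""
    weighted = [(p.selector(hour), p) for p in policies]
    weight, winner = max(weighted, key=lambda wp: wp[0], default=(0, None))
    if winner is None or weight <= 0:
        return None, SEND            # no policy returned > 0: SEND is assumed
    return winner.name, winner.provider(hour)

def send_hours(policies):
    """Hours of the day in which eDirectory traffic would be sent."""
    return [h for h in range(24) if evaluate(policies, h)[1] == SEND]

if __name__ == "__main__":
    print(send_hours([window_policy("2am-5pm", 2, 17)]))                 # intended
    print(send_hours([window_policy("typo", 2, 5)]))                     # 5, not 17
    print(send_hours([window_policy("zero", 2, 17, idle_weight=0)]))     # fails open
```

With `idle_weight=0` the lone policy never wins outside its window, so every hour falls through to the default SEND and the restriction has no effect. Writing 5 instead of 17 in the active code shrinks the window to 2:00 a.m. through 4:59 a.m.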

14.1.4 Assigning Cost Factors

Cost factors let WAN Traffic Manager compare the cost of traffic with certain destinations, then manage the traffic using WAN policies. WAN policies use cost factors to determine the relative expense of WAN traffic. You can then use this information in determining whether to send traffic.

A cost factor is expressed as expense per unit of time. It can be in any units as long as the same units are used consistently in each WAN traffic policy. You can use dollars per hour, cents per minute, yen per second, or any other ratio of expense to time, as long as you use that ratio exclusively.

You can assign destination cost factors representing the relative expense of traffic to particular address ranges. Therefore, you can assign cost for an entire group of servers in one declaration. You can also assign a default cost factor to be used when no cost is specified for a destination.

If no cost is assigned for the destination, the default cost is used. If you have specified no default cost for the server or LAN Area object, a value of -1 is assigned.

For information about a sample policy that restricts traffic based on cost factor, see Costlt20.wmg.

For information about how to modify a policy, see Modifying WAN Policies.

Assigning Default Cost Factors

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic Management > WAN Traffic Manager Overview.

  3. Click View LAN Areas, then click a LAN Area object.

    or

    Click View NCP Server, then click an NCP Server object.

  4. Click Costs, then specify a cost in the Default Cost field.

    The cost must be a nonnegative integer. If supplied, the default cost will be assigned to all destinations in the Server or LAN Area object that do not fall within a destination address range with an assigned cost. For example, you might specify the cost in monetary units, such as dollars, or in packets per second.

  5. Click Apply, then click OK.

Assigning a Cost to a Destination Address Range

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click WAN Traffic Management > WAN Traffic Manager Overview.

  3. Click View LAN Areas, then click a LAN Area object.

    or

    Click View NCP Server, then click an NCP Server object.

  4. Click Costs.

  5. Click the Add button.

  6. In the Create Wanman Cost window, select TCP/IP Address Type or IPX Address Type.

  7. Specify the start address and stop address of the range, in the appropriate format for TCP/IP or IPX.

  8. In the Cost text field, specify the cost as a nonnegative integer.

  9. Click OK, click Apply, then click OK.
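The cost lookup described in this section (destination range, then default cost, then -1), as an added Python sketch that is not product code and not part of the original page. The function names, the first-match rule for overlapping ranges, and the sample ranges (documentation address blocks) are assumptions; `cost_below()` assumes a policy that compares the resolved cost with a threshold directly, and shows that an unassigned cost of -1 passes such a comparison.

```python
# Added illustration of destination cost resolution; names are hypothetical.
import ipaddress

NO_COST = -1  # value the page says is assigned when no default cost is set

def make_range(start, stop, cost):
    """Validate one destination range entry (TCP/IP addresses only here)."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {start}-{stop}")
    if isinstance(cost, bool) or not isinstance(cost, int) or cost < 0:
        raise ValueError("cost must be a nonnegative integer")
    return lo, hi, cost

def resolve_cost(dest, ranges, default_cost=None):
    """Cost for dest: first matching range, else the default, else -1."""
    addr = ipaddress.ip_address(dest)
    for lo, hi, cost in ranges:       # assumption: first match wins on overlap
        if addr.version == lo.version and lo <= addr <= hi:
            return cost
    return NO_COST if default_cost is None else default_cost

def cost_below(dest, ranges, limit, default_cost=None, strict=False):
    """Decision in the style of a 'cost below limit' policy.

    strict=True refuses destinations whose cost was never assigned.
    """
    cost = resolve_cost(dest, ranges, default_cost)
    if strict and cost == NO_COST:
        return "DONT_SEND"
    return "SEND" if cost < limit else "DONT_SEND"   # note: -1 < limit

# Constructed sample data (RFC 5737 documentation ranges), not from the page.
SAMPLE_RANGES = [
    make_range("192.0.2.0", "192.0.2.255", 5),       # cheap local link
    make_range("198.51.100.0", "198.51.100.255", 40) # expensive WAN link
]

if __name__ == "__main__":
    for dest in ("192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(dest, resolve_cost(dest, SAMPLE_RANGES),
              cost_below(dest, SAMPLE_RANGES, 20))
```

Setting a default cost on the Server or LAN Area object removes the -1 case, so a destination outside every configured range is judged by a real cost.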