Exclusive: Juniper DX3680 boosts Web sites' speed and reliability

Transparent acceleration, protection, and encryption make this pricey load balancer worth the money

The days of the proprietary client are waning fast, as more and more enterprise applications become Web-enabled or entirely Web-based. Critical applications from e-mail to CRM to custom internal apps are all running on either internal or external Web sites, and they need both quick response times and fault tolerance.

[ The Juniper DX3680 received an InfoWorld Technology of the Year award. ]

That's where load balancers come in. Adding redundancy and scalability to Web applications, load balancers create a cluster of Web servers, over which they distribute incoming requests, sending new requests to the server with the least load at any given moment. If a Web server goes offline, the other servers in the cluster take up the slack. Geographic load balancers create clusters at different physical locations so that applications will still be available even if an entire datacenter loses connectivity.

The Juniper DX3680 goes well beyond the relatively simple task of creating clusters of Web servers – it can accelerate Web applications in several ways, including compressing the HTTP traffic sent between the Web server and the client, caching static parts of the Web page, and offloading SSL processing from the Web server. It will also optimize the network traffic so that the viewing of a Web page, which might normally take 100 back-and-forth messages between the Web server and client, can be accomplished with only a few messages.

In addition, the DX3680 shields applications running on Web servers from Internet-based attacks, preventing hackers from issuing unauthorized commands or taking advantage of known bugs in the Web server software, and it can handle user authentication via RADIUS or LDAP.

Cluster call

Bucking the trend of cramming load balancers with switches and as many as 20 Ethernet ports, Juniper decks out the DX3680 with a total of 4 ports, which should be enough in most cases – one in and one out is all a load balancer really needs. Initial setup of the system is straightforward, via serial terminal, though it’d be nice to see a default IP address allowing for initial configuration via browser.

Once the basic networking information is set, you can begin creating virtual clusters, as well as rules for how each cluster will be used. There are three types of clusters: a basic cluster, a forwarder, or a redirector.

A basic cluster defaults to high security and allows only basic HTTP functions – anything more has to be explicitly allowed through a rule. The DX3680 has predefined rules for a number of standard Web applications, including Microsoft Outlook Web Access (OWA) and SharePoint, PeopleSoft, and IBM/Lotus Domino. Most of the rules have to be applied at the command line rather than through the Web GUI. If you want to create your own rules, there are examples to work with, but it's not a simple process – be prepared to test and debug your new rules. This is equally true with similar load balancer products, such as F5’s application rules.

For non-HTTP traffic, a forwarder simply passes all traffic to the server cluster without processing it or accelerating the outgoing traffic. A redirector takes traffic addressed to a given address and sends it to a different one, without processing it at all.

A basic load balancing cluster can be set up quickly and easily. Adding functions such as encryption, server application protection, "sticky" sessions for e-commerce or other stateful transactions, and acceleration of Web traffic will make the cluster as complex as you like.
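The behaviour described above for a basic cluster (refuse anything beyond basic HTTP unless a rule allows it, send new clients to the least-loaded server, keep "sticky" clients on one server, and fail over when a server goes offline) can be modelled in a few lines. This is an added illustration, not Juniper code or DX rule syntax; the class names, the choice of GET/HEAD/POST as the "basic" methods, and the server names are assumptions.

```python
# Added illustration: a toy model, not Juniper DX configuration or code.
from dataclasses import dataclass, field

# Assumption: "basic HTTP functions" is modelled as these three methods.
BASIC_METHODS = frozenset({"GET", "HEAD", "POST"})

@dataclass
class Server:
    name: str
    active: int = 0      # connections currently open
    online: bool = True

@dataclass
class BasicCluster:
    servers: list
    allowed: set = field(default_factory=lambda: set(BASIC_METHODS))
    sticky: dict = field(default_factory=dict)  # client id -> server name

    def allow(self, method):
        """Explicit rule that widens the default-deny policy."""
        self.allowed.add(method.upper())

    def route(self, client, method):
        """Return the chosen server name, or None if the request is refused."""
        if method.upper() not in self.allowed:
            return None                      # default deny
        live = [s for s in self.servers if s.online]
        if not live:
            return None                      # no server left to take the request
        pinned = self.sticky.get(client)
        target = next((s for s in live if s.name == pinned), None)
        if target is None:                   # new client, or pinned server offline
            target = min(live, key=lambda s: s.active)
            self.sticky[client] = target.name
        target.active += 1
        return target.name

def demo():
    # Constructed sample cluster: web1 starts busier than web2.
    cluster = BasicCluster([Server("web1", active=5), Server("web2", active=2)])
    results = [cluster.route("alice", "GET"),         # least loaded server
               cluster.route("alice", "POST"),        # sticky: same server again
               cluster.route("bob", "PROPFIND")]      # refused until a rule allows it
    cluster.allow("PROPFIND")
    results.append(cluster.route("bob", "PROPFIND"))  # now routed
    cluster.servers[1].online = False                 # web2 goes offline
    results.append(cluster.route("alice", "GET"))     # sticky client fails over
    return results
```
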

Balancing acts
To test this system, I set up a standard Web site and simulated lots of clients accessing the site. The DX3680 should be able to handle large amounts of traffic without problems; in my testing, I had to use artificially small requests to generate any load on the system, but with normal requests, the system can handle more users than the network connection will support. (As for the DX3680's basic stats, it handles up to 256 HTTP proxy clusters; 1,024 server load balancing clusters; 64 servers per application cluster; 7,300 SSL transactions per second; 80,000 concurrent SSL connections; and 1.1 million concurrent SLB connections.)

Characterizing acceleration is more difficult – the amount of noticeable acceleration a user sees will vary greatly, depending on the type of application, how many users are on the system, which browser the user has, and many other factors. I tested response times for several types of Web transactions, including OWA, the serving of static pages, and a basic Java application, and found that applications were 30 to 400 percent faster than without the load balancer in place. One process that is simplified is converting a Web site from HTTP to HTTPS. Instead of rewriting all of the code on the site, the DX3680 handles the conversion automatically, and it takes care of the SSL processing, too.

The standard ruleset available when the DX3680 box is initially configured is called the Nitro.apprule. This set of rules protects against common attacks, causes clients to cache images, enables active acceleration of Web pages, and more. It's a simple starting point for getting acceleration working without having to do any programming.

The DX3680 can offload quite a bit of processing to reduce the load on the Web servers. In addition to SSL processing, it will cache images and other static content – even JavaScript – so that requests from browsers are served by the DX3680 rather than by the Web servers in the cluster. This is intended to reduce loads on the servers, but it may increase performance for end-users as well.

Logging and reporting functionality is broad and deep, covering all aspects of cluster operations, and offers up as much detail as you want. The system provides detailed logs for all the clusters it serves (it pushes them to a central log server), including real-time performance logging for every user connection, if desired. The reporting tools provide a wealth of information, and I found them well organized and easy to follow.

Additional features include quality of service, which can be specified separately for each cluster, and ActiveN clustering that makes adding more DX systems a simple process.

Pricey, but worth it
The Juniper DX3680 is not a system that someone would buy for simple load balancing. With a price as tested of $70,485 and a base price of $49,995, there are many less expensive load balancers out there that will create clusters of Web servers.

However, the system's sophisticated rules engine and acceleration features, as well as its ability to provide authentication, to protect Web servers and application servers, and to transparently add SSL encryption to a Web site without redoing code, will not be found on inexpensive load balancers. The DX3680 should allow even a small company to provide enterprise-class Web applications without a big investment in recoding.

InfoWorld Scorecard: Juniper DX3680 v. 5.2
Features (20.0%): 9.0
Management (25.0%): 9.0
Ease of use (20.0%): 8.0
Value (10.0%): 8.0
Performance (25.0%): 9.0
Overall Score (100%): 8.7