EP1774440A2 - Autonome servicesicherung und -migration - Google Patents
Autonome servicesicherung und -migrationInfo
- Publication number
- EP1774440A2 EP1774440A2 EP05773408A EP05773408A EP1774440A2 EP 1774440 A2 EP1774440 A2 EP 1774440A2 EP 05773408 A EP05773408 A EP 05773408A EP 05773408 A EP05773408 A EP 05773408A EP 1774440 A2 EP1774440 A2 EP 1774440A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- service
- production server
- appliance
- data
- service appliance
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/23—Reliability checks, e.g. acknowledgments or fault reporting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/59—Providing operational support to end devices by off-loading in the network or by emulation, e.g. when they are unavailable
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/40—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
Definitions
- Organizations and business enterprises typically have one or more core service applications that are vital to their operations. For example, many organizations rely on e-mail, contact management, calendaring, and electronic collaboration services provided by one or more service applications. In another example, a database and associated applications can provide the core operations used by the organization. These core services are critical to the normal operation of the organization. During periods of service interruption, referred to as service downtime, organizations may be forced to stop or substantially curtail their activities. Thus, service downtime can substantially increase an organization's costs and reduce its efficiency.
- Critical services may be dependent on other critical or non-critical services to function.
- a failure in another service can cause the critical service application to fail.
- e-mail service applications are often dependent on directory services, such as Active Directory, one configuration of which is called Global Catalog, to function.
- service enhancement applications such as spam message filters and anti-virus applications, can malfunction and disable a critical service application.
- Another source of service downtime is administrative errors. Service administrators might update critical service applications with poorly tested software updates, or patches, that cause the critical service application to fail. Additionally, some service applications require frequent updates to correct for newly discovered security holes and critical flaws. Installing the plethora of patches for these service applications in the wrong order can cause the service application to fail. Additionally, service administrators may misconfigure service applications or issue erroneous or malicious commands, causing service downtime.
- Application data is another source of service downtime. Databases used by critical service applications can fail. Additionally, service application data can be corrupted, either accidentally or intentionally by computer viruses and worms. These can lead to service downtime.
- a system it is therefore desirable for a system to reduce service downtime from a variety of sources. It is further desirable that the system operate transparently so that the configuration and operation of the service application is unchanged from its original condition. It is also desirable that the system detects the service application failure or imminent failure and to seamlessly take over the service so that service users cannot perceive any interruption in service during the period that the service application is not functioning, referred to as a "failover" period. It is desirable that the system detects when a failed service application is restored to normal operation, to update the service application with data handled by the system during the service application downtime, and to seamlessly return the control of the service to the service application so that service users cannot perceive any interruption in service during this "fallback" period. It is desirable that the system require minimal configuration and installation from service administrators. It is also desirable that the system be robust against failure, self-monitoring and self-repairing, and be capable of automatically updating itself when needed.
- the system allows for services to be migrated to new service applications and/or hardware without service users perceiving any interruption in service. It is further desirable that the system be capable of acting in a stand-alone capacity as the sole service provider for an organization or in a back-up capacity as a redundant service provider for one or more service applications in the system. It is still further desirable that the system be capable of providing additional capabilities to the service, thereby improving the quality of the service data received or emitted by the service application. It is also desirable that the system provide administrative safeguards to prevent service administrators from misconfiguring service applications. It is also desirable that the system allow for efficient throughput of network traffic and seamless traffic snooping without complicated packet inspection schemes.
- the invention includes a service appliance that is adapted to be installed between one or more production servers running one or more service applications and at least one service user.
- the production servers and their service applications provide one or more services to the service users, m the event that a production server is unable to provide its service to users, the service appliance can transparently intervene to maintain service availability.
- the service appliance is capable of providing the service using a service application that is differently configured or even a different application than the service applications of the production server. Additionally, embodiments of the service appliance include hardware and/or software to monitor, repair, maintain, and update the service application and other associated software applications and components of service appliance. In an embodiment, the service appliance is configured to have a locked state that prevents local running of additional applications other than those provided for prior to entering the locked state, limiting local and remote user administration of and operational control of the operating system and service application. [0012] Upon being connected with the computer running the service application, an embodiment of the service appliance contacts the production server and/or service application and automatically replicates the service application's configuration and data, potentially including data from internal or external databases, if any exists. As additional data is added to or modified by the service application of the production server, the service appliance automatically updates its replica of the data.
- the service appliance obtains all network traffic sent to the service application. While the service application is operating correctly, the service appliance can forward incoming network traffic to the service application, outgoing network traffic to its destination, and can perform that forwarding transparently at various network layers.
- An embodiment of the service appliance monitors the service application. If the service appliance detects that the service application has failed or is about to fail, the service appliance cuts off the service application of the production server from the service users and takes control of the service. Using the replica of the data, the service appliance responds to service users in essentially the same manner as a fully operational service application and production server. While providing the service to service users, the service appliance updates its copy of the data in accordance with service users' needs. An embodiment of the service appliance monitors the network to detect when a service application provided by the production server or a replacement production server becomes available. Once the service appliance has detected that the service application has resumed functioning, an embodiment of the service appliance automatically updates the service application's copy of the data to reflect the current state of the data. Upon synchronizing the data of the service application of the production server with the service appliance's data, the service appliance reconnects the service application with the service users and simultaneously returns control of the service to the service application and its production server.
- Figure IA illustrates an example installation of the service appliance in a protective configuration according to an embodiment of the invention.
- Figure IB illustrates an example installation of the service appliance in disaster recovery configuration according to an embodiment of the invention.
- Figure 2 illustrates an example installation of the service appliance in a stand-alone configuration according to an embodiment of the invention.
- Figure 3 illustrates an example installation of a first plurality of service appliances in a protective configuration of a second plurality of production servers according to an embodiment of the invention.
- Figure 4 illustrates an example installation of two service appliances in a double protective configuration according to an embodiment of the invention.
- Figure 5 illustrates an example installation of two service appliances in a double stand-alone configuration according to an embodiment of the invention.
- Figure 6 illustrates an example hardware configuration of the service appliance according to an embodiment of the invention.
- Figure 7 illustrates the states of the service appliance according to an embodiment of the invention.
- Figure 8 illustrates a runtime architecture of the service appliance according to an embodiment of the invention.
- Figure 9 illustrates a component architecture of the service appliance according to an embodiment of the invention.
- Figure 10 illustrates the flow of data to a service application and the service appliance while the service appliance is in a transparent wait state according to an embodiment of the invention.
- Figure 11 illustrates the flow of data to a service application and the service appliance while the service appliance is in a failover mode according to an embodiment of the invention.
- Figure 12 illustrates the flow of data to a service application and the service appliance while the service appliance is in a failback mode according to an embodiment of the invention.
- Figure 13 illustrates a network configuration enabling the service appliance to transparently function between the production server and client systems, according to an embodiment of the invention.
- Figure IA illustrates an example installation of the service appliance in a protective configuration according to an embodiment of the invention.
- the service appliance is installed on an organization's network inline between a production server hosting a service application and the various client systems.
- client systems include any systems dependent upon a given service, including systems operated by users and potentially other dependent services.
- the service application provides a service to client systems.
- the service appliance relays all network traffic between the production server and the client systems.
- the service appliance monitors the operation of the production server and can take control of the service provided by the production server, for example in the event that the production server fails.
- the service appliance can operate transparently, so that neither the production server nor the client systems are affected by the service appliance during normal operation; moreover, neither the production server nor the client systems need to be configured by an administrator to support the service appliance.
- the service appliance is installed by connecting it to a power source and to one or more network connections with each of the production server and the organization's network, respectively.
- the service appliance is initialized by a service administrator using a web-based interface.
- the web-based interface may be located at a static IP address assigned to the service appliance, wherein the static IP address can be embedded in the service appliance at ship time or entered during initialization, hi another embodiment, the IP address of the service appliance is assigned by a DHCP host on the network that provides an indication of the assigned IP address to the service appliance in response to a DHCP request from the service appliance.
- the service appliance can be pre-configured with a fixed MAC address or a MAC address from a prespecified range of MAC addresses or some other set of MAC addresses known to be used for instances of service appliances, hi such embodiments, the service appliance might obtain its IP address via a network sniffer application, running for example within a web-browser of the service administrator, which locates the service appliance on the network using the MAC address(es) and provides an HTTP interface for a matching MAC address known to be associated with a service appliance. In those embodiments, the service appliance does not require an IP address to be assigned by physically interacting with the service appliance. In yet another embodiment, the service appliance is assigned the same network address as the production server.
- the service appliance is initialized with a minimal amount of information, including the network location of the production server and authentication information used to access the service application hosted by the production server. Using this information, the service appliance can access the service application and obtain any additional initialization information needed.
- Figure IB illustrates an example installation of the service appliance in disaster recovery configuration according to an embodiment of the invention.
- the service appliance is intended to serve as a disaster recovery aide in the event of the catastrophic failure or destruction of the production server.
- the functionality of the service appliance in this embodiment is substantially similar to that of other embodiments, including the ability to take control of the service normally provided by the service application running on the production server and the ability to transparently provide service to client and other dependent systems of the service.
- the production server is permanently disabled or destroyed, and so considerations of relaying network traffic intended for the production server are rendered moot. Therefore, in this embodiment, the service appliance may be connected in parallel with the production server, provided that the service appliance can communicate over the network with the production server. This embodiment may also not require as sophisticated or costly a network interface.
- a service appliance operating in a disaster recovery configuration may either act as a router and/or network switch itself or utilize an attached network switch and/or router to facilitate communications with the production server.
- Figure 2 illustrates an example installation of the service appliance in a stand-alone configuration according to an embodiment of the invention.
- This configuration of the service appliance provides the service to the organization, thereby eliminating the need for a production server.
- the service appliance in a stand-alone configuration is essentially identical to the service appliance in a protective configuration, with the exception that in the stand-alone configuration, the service appliance is permanently in the failover state, discussed in detail below.
- Figure 3 illustrates an example installation of a first plurality of service appliances in a protective configuration of a second plurality of production servers according to an embodiment of the invention.
- a first plurality of service appliances are connected between the client systems and an arbitrary number of production servers.
- Each of the production servers hosts one or more service application processes.
- at least a portion of the set of service appliances can protect any arbitrary portion of the set of service application processes.
- the allocation of service application processes to service appliances is independent of the allocation of service application processes to production servers. For example, a single service appliance can protect a plurality of service application process operated by one or more production servers.
- the service application processes of the service appliances may be executed in one or more virtual machines running on one or more CPUs of the service appliances, hi these embodiments, a virtual machine comprises at least one service application and additional attendant processes discussed in detail below.
- the virtual machine operates as a "virtual" server appliance that can be activated, deactivated, and optionally stored for later reactivation,
- Figure 4 illustrates an example installation of two service appliances in a double protective configuration according to an embodiment of the invention.
- the service appliances are connected in series, such that the failure of either service appliance is automatically compensated for by the remaining service appliance.
- the first service appliance in the series perceives the second service appliance in the series as a production server, and protects the second appliance in the identical manner as the second service appliance monitors and protects the actual production server. There is no practical limit to the extent of this protective chaining.
- FIG. 5 illustrates an example installation of two service appliances in a double stand-alone configuration according to an embodiment of the invention.
- each service appliance is capable of providing the service to client systems.
- each service appliance can compensate for its counterpart in the event that the counterpart cannot provide the service to client systems, hi this embodiment, the service appliances can provide the same or different services during normal operation.
- the storage, processing capability, and network processing capability each service appliance may be physically partitioned and multiply redundant as well. This redundancy capability is not limited to the aforementioned embodiment, and may be effected in other embodiments as well.
- FIG. 6 illustrates an example hardware configuration of the service appliance according to an embodiment of the invention.
- a network interface card includes a plurality of Ethernet ports, allowing for redundant network connections to both the production server and the network to which client systems are connected.
- the Ethernet ports are connected with a network processor, which can be any device adapted to examine and coordinate network communications traffic), that is used to analyze and route network packets, ha an embodiment, the network processor provides the functionality of a layer 2 network switch.
- the network processor is connected with an auxiliary CPU.
- the auxiliary CPU supervises the operation of the network processor and provides routing and analysis functions of any combination of networking layers 3 through 7.
- the network processor and the auxiliary CPU are an integrated unit in which the network processor, without a distinct auxiliary CPU, routes and analyzes at any combination of networking layers 2 through 7.
- an embodiment of the auxiliary CPU also performs part or all of the self-monitoring and self-repair functions of the service appliance.
- An embodiment of the network interface further includes an Ethernet cutoff mechanism so that when the service appliance is powered off or otherwise not functioning, the ports are electronically or optically connected together to allow network traffic to flow between the production server and the rest of the organization's network, hi additional embodiments, the server appliance can use other networking protocols besides Ethernet and/or TCP.
- software running on the primary CPU(s) of the service appliance, or on the CPU(s) of another motherboard effectively serving the role of network interface, or in a virtual machine executing on any configuration of such CPU(s), provides the functionality of both the network processor and auxiliary CPU.
- the network interface card is connected with a data bus of the service appliance. Also connected with the data bus are a main CPU, RAM and distributed or isolated non-volatile memory, hi an embodiment, the service appliance includes one or more storage devices, such as hard disk drives, for storing an operating system, application programs, and/or service data.
- the storage device can be a RAID array of disks for improved reliability.
- an external storage device interface such as a SCSI interface, a FibreChannel interface, or an iSCSI interface running on the same Ethernet ports of the network interface or different Ethernet ports, enables the service appliance to use external storage devices for some or all of its data storage needs. Additional component, such as cooling systems and power supplies, are omitted for clarity.
- system of Figure 3 is intended for illustration and other hardware configurations and/or software configurations known to one of ordinary skill in the art may be used to implement the service appliance, including dual or multiple processors in place of the main CPU and/or the use of virtual machine software to emulate the functionality of one or more of the above hardware components.
- the service appliance shown in Figure 6 can have a variety of physical configurations.
- all of the components of the service appliance can be integrated into a single housing adapted to fit within standard computing equipment racks.
- the network interface card and the remaining portion of the service appliance hardware can be configured as two or more separate units, such as blade computer units Communication between the network interface card and the remaining portion of the service appliance can utilize any type of internal or external data bus standard, including message passing protocols operating on top of a switched Ethernet or similar link layer protocol backplane.
- FIG 7 illustrates the states of the service appliance according to an embodiment of the invention.
- the states of the service appliance are discussed with reference to an example service appliance intended to replicate an electronic mail, contact manager, calendaring, and collaboration service application, such as Microsoft Exchange.
- the service appliance can implement other service applications, including databases, web servers, directory services, and business applications such as CRM (customer relationship management), ERP (enterprise resource planning), SFA (sales force automation), financial applications, and the like.
- Initialization Following the installation of the service appliance, the service appliance is configured and automatically replicates e-mail, calendaring and relevant configuration information from the production server onto itself. 2. Transparent wait — The service appliance passively stays in sync with the production server and is ready to take over servicing of e-mail and calendaring requests in case the production server fails.
- the service appliance detects the production server failure and takes over the servicing of e-mail and calendaring requests from systems and users connected to the production server.
- the service appliance determines that the production server, possibly but for missing service data, is capable of providing the service; the service appliance auto-replicates the e-mail and calendar data back to the production server so that the production server can get e-mails received and handled by service appliance while the production server was down
- the initialization process can start immediately after the physical process of installation, hi the example of a service appliance for electronic mail, contact manager, calendaring, and collaboration software, as long as the customer does not take too long (i.e., more than a few minutes), even clients, connected to a service application at the time of such connection process, should not lock up.
- the worst-case install outcome of the service appliance will be that end-users would have to re-try their last client operation.
- the service appliance can be initialized by the service administrator as discussed above.
- the service appliance can offer a web-based configuration page with few elements, such as text boxes to input the highest-level service application administrator name and password, the unique Active Directory (henceforth referred to as AD) or NT domain identity of the production server hosting the service application (such as Exchange 2000/2003 or Exchange 5.5, respectively), and the fixed IP address, and sub-network (as applicable) of the production server.
- AD Active Directory
- NT domain identity of the production server hosting the service application such as Exchange 2000/2003 or Exchange 5.5, respectively
- the service application administrator will not have to enter some of the information listed above.
- an embodiment of the service appliance will assume the administrative authority using the configured administrator name and password and will follow at least the following steps:
- Step 1 Replicate the service application configuration information relating to connectivity protocols and routing.
- Connectivity protocols include application programming interfaces and/or associated communication format standards typically used to facilitate communications between client systems and/or production servers with service applications.
- Step 2 Replicate the directory information that supports the mail-enabled users served by the service application on the production server (for example, AD-related information for Exchange 00/03 and DS information for Exchange 5.5). hi an embodiment, this information is replicated using a connectivity protocol to retrieve service data from the production server.
- Step 3 Replicate the existing service data of the service application hosted by the production server, such as the e-mail and calendaring information in the mailstore of the production server for every mail-enabled user served by the production server.
- connectivity protocols can be used to replicate this service data on the service appliance
- the service appliance performs additional validation of the service data, for example by checking for corruption, cleansing, transformation, and virus-checking.
- the service appliance can screen service data to ensure compliance with policies set by the network operator, such as corporate privacy, security, and data reporting policies, which can be developed to meet a corporation's specific needs or to comply with laws such as HEPAA and Sarbanes-Oxley.
- Step 4 Replicate the information of the production server's service application necessary for service functioning. Similarly to step 2, an embodiment of the service appliance uses connectivity protocols to replicate this service data.
- the service appliance may additionally support the selection of a portion of the set of service users to be served by service appliance in case of production server failure, hi that case, an additional step 2.5 above will display the list of service users, such as mail-enabled users (obtained in step 2), and will allow the customer to select the users to be served from the list.
- Another embodiment enables the service appliance to allow protection for a selected number of days/megabytes of mail per user. In a further embodiment, policy will automatically dictate these actions.
- the service appliance will use the unused network bandwidth to perform the necessary replications; alternatively, the service administrator will have the choice to opt for the fastest possible initialization where the service appliance appears to the production server as another busy service application client.
- Step 1 the service appliance will issue a series of connectivity protocol requests, such as RPC calls or the like to the production server. These connectivity protocol requests return with information about the configuration and state of the production server.
- the service appliance may elect to ignore service application configuration information that is highly situational.
- the service appliance will issue a series of AD-related connectivity protocol requests to two AD entities, modalities of which include the local Domain Controller (DC) and the nearest Global Catalog (GC), to read user and service- related information.
- AD entities modalities of which include the local Domain Controller (DC) and the nearest Global Catalog (GC), to read user and service- related information.
- DC local Domain Controller
- GC Global Catalog
- the service appliance would make Microsoft Exchange mail database connectivity protocol requests and/or use other methods (e.g., MAPI) to replicate onto itself the complete data of every user mailbox on the production server. The replication will be repeated for all the applicable mailboxes.
- MAPI Microsoft Exchange mail database connectivity protocol
- the initial replication will replicate service data at least up to the time that the initial replication occurs.
- a second replication is used to copy service data added or modified during the initial replication.
- Each succeeding replication will address a smaller and smaller set of possible changes to the mailboxes, over a smaller and smaller latency window, until the mailbox is deterministically in sync. For example, during an initial three-minute replication of a 2GB mailbox, a user might receive 10MB of new e-mails and alter the metadata of or, alternatively, delete fifty messages. To replicate those changes is generally a matter of seconds, and to cover any changes possible in those few seconds in yet another replication is a matter of fractions of a second, and so forth.
- the service appliance will perform three tasks:
- Task 1 Pass traffic through to the production server without performance degradation
- Task 2 Maintain synchronization of the service data of the service appliance with the service data of the service application hosted by the production server.
- Task 3 Keep the service appliance up using its value added software (includes self-maintenance, self-applied best-practice heuristics and patch application processes)
- Task 3 is built into the overall lifecycle of the service appliance operation that includes the five states of the service appliance described in the beginning of this document.
- the service appliance will pass through all network traffic, (including potentially lethal transactions) to the production server.
- An exception to this is administrator traffic that is screened and optionally blocked or altered by the administrative safeguards feature discussed below.
- an embodiment uses a "snooping" method that clones Ethernet frames using the spanning-port-like functionality present in a number of gigabit Ethernet networking chips, including controllers and switches.
- An alternative software-only approach will be a zero-buffer-copy at the lowest possible level of the network stack on the service appliance (via a filter driver).
- an RPC API is used to periodically access the service data stored by the service application and to retrieve service data modified or added since the previous synchronization access. Any one or more of these methods may be combined.
- Task 2 ensures that the data stored in the service appliance remains in lock-step with that of the production server, hi other words, when the service appliance assumes authority for the production server's service, end-users should not see missing or incorrectly represented messages out of the service appliance's data. This task will be performed using a combination of two or more different approaches.
- an "over the wire” synchronization is achieved using the traffic snooping done in Task 1.
- the service appliance will copy in-flight administrative transactions on the wire as well as the message transaction traffic (commands which apply to messages as well as the message data itself.)
- the service appliance will do this to maintain the in-process transaction cache that will primarily be used to "play" to the service appliance in the event that the production server dies without completing transactions in flight.
- Each incomplete transaction queued in the cache will be flushed when the service appliance sees the transaction completion signal pass through it from the production server.
- the service appliance gets sufficient state information about messages from snooping that it may also be able to make better determinations of which messages on the production server need to be replicated (or can be skipped). This approach is applicable to a large class of service applications, such as relational databases.
- the snooped message traffic could be "played" on the service appliance to mimic the same actions undertaken by the production server with that traffic.
- This "playing" solves many synchronization issues in a non-intrusive fashion. For example, determining what should happen when a user on Outlook (e.g., via MAPI RPC interaction with Exchange) or Outlook Web Access deletes a message, or when a Eudora user gets unread messages waiting for them out of the mailstore via POP3. Since the production server sees every single packet it would normally see, the ultimate behavior of the production server with regard to altering message state in response to user or to other external stimuli is no different than it would be if the service appliance were not there in the first place.
- the service appliance through snooping, will be capable to receive the net identical stimuli. Again, with event handlers, the service appliance can take whatever action deemed appropriate. But if it chooses to simply pass on the stimuli through its appropriate Exchange processes, then when a message is read, deleted, edited, or moved to a folder, the state of the message on the service appliance and the production server will be identical.
- the service appliance can augment the production server in a load balancing configuration.
- the service appliance selectively serves up read requests (for example, 60%+ of the production server's actual load).
- the production server can then be reached to "touch" the service application meta-data (e.g., message meta-data) for the service application data item (e.g., message) that the service appliance handled to reflect its new state.
- This post-fix of the data store on the production server is in fact much less CPU, disk, and network intensive than if the production server actually handled the read, so there should still be a large net gain in performance.
- a second embodiment for synchronization does not require examination and processing of service application data (e.g., message traffic) bound through the service appliance for the production server and is an extension of the initialization code, using connectivity protocol requests, such as MAPI, to replicate service application data (e.g., messages) on a granular basis (e.g., mailbox by mailbox) periodically.
- service application data e.g., message traffic
- connectivity protocol requests such as MAPI
- maintaining synchronization with the routing and mail processing configuration of the production server is not a network or processing intensive task. Because this information is a) not likely to change frequently and b) is not sizeable, an hourly replication process (which will not involve that much information transfer) may be sufficient. Also in regard to task 2, maintaining sync for the service appliance with the DC and the GC is neither a frequent nor intensive process. Because many users and entities are unlikely to be added or deleted on a daily basis, let alone hourly, even in a large organization, re-invoking the original DC and GC sync code some small number of times a day is typically sufficient. [0066] Under an embodiment of synchronization, the service appliance "sweeps" the production server every so often.
- the sweeping will help keep the service appliance in sync with the production server in the event that autonomous processes on the production server (such as, security, backup or Exchange-resident auto-archive process) move service application data (e.g., messages) off the production server, perhaps via a storage area network, or perform some other operation which would not be visible to the service appliance snooping on the wire.
- service application data e.g., messages
- the service appliance is constantly replicating to itself, at an object level or granularity (e.g., mail object, database record, other atom of data), it is in fact performing a service similar to that of a backup service.
- object level or granularity e.g., mail object, database record, other atom of data
- the service appliance is capable of inspecting service data, (e.g., for signs of database corruption) and improving the quality of service data (e.g., virus cleansing or database transformation operations).
- an embodiment of the service appliance intrinsically has the capability to transfer all the objects under its jurisdiction - both those originally copied during installation and initialization from the production server, and those modified or instantiated during transparent wait and/or failover and/or failback states — as a consequence of its synchronization technology (as described herein). Therefore, it is in fact capable of doing both incremental and wholesale restoration of the service data under its jurisdiction to either the original production server or any replacement thereof.
- Wholesale restoration is simply the case of failback from the service appliance to a production server which has no, or a severely diminished, service application database.
- the service appliance facilitates migration of a service from an existing production server to a new production server potentially running new service application(s) as follows. First, the service appliance is connected with the existing production server in a manner permitting the service appliance's synchronization to operate, thereby replicating the existing service application data and any eventuating changes thereto. Once the service appliance is synchronized with the service application on the existing production server, the service appliance is disconnected from the existing production server and connected to the new production server. During this period of disconnection, the service appliance continues to handle any on-going service duties requested by the client systems. After being connected with the new production server, the service appliance is instructed to failback to the new production server. Using its failback synchronization mode, the service appliance restores all of the service application data to the new production server.
- An embodiment of task 3 of the transparent wait state includes several features.
- the service appliance will protect itself from the vulnerability to error of a standard Windows server, including indeterminate downtime from patch applications, using a "system reliability manager.”
- the system reliability manager monitors the performance of the service appliance and can terminate and restart any processes or applications that have failed, including rebooting the operating system if necessary.
- the system reliability manager includes a number of heuristic-based "watchdog" processes running on the service appliance will ensure that the service appliance itself stays up.
- the protection server's or customer's network-based anti-virus protection fails, it is possible that one of the Outlook clients served by the service appliance would be infected by a virus or worm.
- the service appliance will monitor its own SMTP queues to detect the kind of intense mail-traffic from a single client typical of virus or worm infections. Such monitoring will also prevent the service appliance from being compromised (no matter how small the chance might be) and used as an outbound spam emitter.
- the service appliance runs anti-virus, anti-spam, or other security or value-added functionality applications or services.
- the service appliance's system monitoring layer and system reliability manager enables such additional applications to be provided by the service appliance in a stable and robust fashion not typically possible outside of the context of the service appliance.
- the service appliance will also monitor a number of its own performance and functionality metrics, compare them to its best practices heuristics list, and make adjustments if necessary. For example, if the service appliance notices that certain storage performance limits on the service appliance are being exceeded, it will alter its storage methodology.
- the service appliance is a closed system. Because of this the service appliance can be preconfigured with a list of valid processes. By monitoring the active processes and comparing them to the list of valid processes, the service appliance can readily identify and terminate an unauthorized process, such as one introduced by a virus or worm, hi a further embodiment, the service appliance keeps an exact byte count and checksum of every piece of code on disk, updated if and when patched. Any change in size or checksum will indicate a Trojan horse attempt, and the offending file can be purged and reloaded from a volume only accessible to the service appliance supervisory kernel.
- system reliability manager is executed on the auxiliary CPU associated with the network interface card discussed above, hi another embodiment, the system reliability manager is run on a separate CPU independent of the network interface card discussed above, hi another embodiment, the system reliability manager is run underneath or parallel to a virtual machine application or supervisory kernel, either on the primary CPU(s) or another processor.
- the second aspect of the third task of the transparent wait state ensures that the operating system and service application processes inside the service appliance are properly patched.
- the service appliance includes a specially-configured version of the service application that is capable of providing the service to service users in the event the production server fails.
- an embodiment of the service appliance receives an optimal patch configuration from a central network operations center.
- the network operations center tests software patches extensively on its own set of service appliances to determine whether software patches are to be included in the optimal patch configuration. Because the service appliance is a closed system, the configuration of each service appliance is essentially identical. Therefore, patches that operate correctly during testing at the network operations center are also ensured to work correctly on service appliance deployed by customer organizations.
- the network operations center can communicate approved software patches over an SSL connection to the service appliance in need of the patch.
- the SSL connection for the service appliance will be created by the service appliance polling over an outbound SSL connection to the set of network operations center servers hosting the patches.
- the service appliance will use multiple layers of certificates that have been independently certified for security.
- a dual CPU service appliance runs one copy of its processes on one CPU, while evaluating the patched "stack" on the other CPU. If any errors (including production server failure) are detected during patching or significant performance degradation immediately after patching, it will restore the operating image from an untainted copy it will maintain.
- the service appliance will likely keep the restoration image on a volume not accessible to the primary file system (e.g., NTFS), but only to the supervisory kernel. This approach will be one more defense against bugs or corruption, as well as against attacks by viruses operating even at the system level of the primary kernel (e.g., NT).
- the patched processes run on the primary CPU(s) of the service appliance while being evaluated and controlled, as described above, by the system reliability manager running on the auxiliary CPU.
- the third aspect of the third task of the transparent wait state enables the service appliance to process "over the wire" administrative traffic (copied during Task 1) to prevent erroneous or debilitating administrative instructions from reaching the service application on the production server.
- the stateful inspections of administrator interactions with the service application on the production server are referred to as administration safeguards.
- the service appliance examines the snooped administrative instructions both in vacuum, and in context of a transaction log of all prior such instructions, both compared against its heuristic map of best practices for maintaining a fault-tolerant service application server.
- the service appliance will examine the network traffic passing through and understand the administrative requests destined for the production server to ensure it does not mimic something disastrous upon the production server (e.g., replicating mass user deletions).
- a user may do something entirely legitimate with the production server that the service appliance will take into account. For example, they may delete a single user who is leaving the organization, or they may shut off OWA services in response to a security threat.
- the failover state includes two steps:
- Step 1 The service appliance detects a failure condition on the production server and prepares to take over the servicing of e-mail and calendaring requests from the production server
- Step 2 The service appliance proxies for the production server and serves e-mail and calendaring requests masquerading as the production server to the end users
- Step 1 of the first task of the failover state includes:
- Task 1 Identify failure modalities of the production server without either jumping the gun (i.e., false positives) or letting key events go by (i.e., false negatives)
- Task 2 React appropriately to the failure and prepare the service appliance to take over from the production server
- task 1 detects failure modalities on the production server through at least one of three approaches.
- the first approach will be to allow the human administrator of the production server to click a button on the service appliance administration UI signaling that the production server is down and the service appliance should take over.
- the second approach will be for the service appliance to use existing health detection mechanisms possibly further enriched using the service appliance's value-add detection code.
- existing health detection mechanisms will be required to 1) probe the state of the service application, such as an Exchange 5.5 production server; and, 2) handle improperly configured service applications or non-existent health detection mechanisms.
- An embodiment of this approach uses a WMI service running on the production server for the most sophisticated failure detection.
- service applications such as Windows Server (including Active Directory), and even in minimal customer configurations, service application process behavior and health can be extracted at a fairly frequent time interval without major performance impact on the production server and its service application; and, b) similar detection codes are implemented and in use by most existing service application clustering and other solutions.
- the service appliance will be able to tell fairly quickly and deterministically if a number of failure conditions are occurring on the production server.
- Some examples of such failure conditions on the production server include 1) service application data errors; 2) the storage below a critical threshold; 3) major processes are stopped or non-responsive for a significant period of time; and 4) Network connections to the production server break and a number of retries to reestablish connection fails.
- Such failure conditions could be considered deterministic and binary in nature - if one or more of them are true, then any external observer would agree that the production server is failing or has already failed in its function.
- an embodiment of the service appliance includes a failure heuristics module that emulates, for example using a Bayesian analysis based on a set of predefined policies, the decision process that a set intersection of customers would be likely to make.
- service administrators can select a set of heuristics from a library of heuristics includes with the service appliance to be used to determine the production server failure.
- Service administrators can also select Boolean combinations and weightings of failure conditions, or alternatively, a set of slider bars ranging from "aggressive" to "lax", the setting of which determines how the service appliance would behave in detecting and responding to failure on the production server.
- the value of the slider bar is a natural input to the kind of weighting algorithms the service appliance can use in its failure heuristics modeling.
- an embodiment of the service appliance includes a mechanism to: 1) warn the administrator up front about the consequences of their actions; 2) send the administrator an e-mail with a record of the settings they changed, along with any warnings they engendered; 3) keep a non-volatile record of all such transactions to record changes to the set of heuristics for the purposes of reviewing administrator actions.
- the second task of step 1 of the failover mode prepares the service appliance to take over the service of e-mail and calendaring requests from the production server, after the service appliance has determined the production server failure. Since the service appliance is already in-line with the network traffic (part of State 2 - Transparent wait), the only additional work that service appliance needs to do are 1) stop forwarding only e-mail and calendaring traffic to the production server; 2) allow the natural responses of the service appliance's service application process to go out to the network; and, 3) pass through administrative traffic to/from the production server (e.g., Telnet, Windows terminal server traffic, administrative probes and, SNMP) so that the remote administrator(s) can bring the production server back up. In other embodiments, such as ones intended to assist with disaster recovery, this step is simplified because the production server is assumed to be destroyed or otherwise effectively destroyed. Therefore, in these embodiments, not all of these tasks are necessary.
- step 2 of the failover state the service appliance will service the e-mail and calendaring requests on behalf of the production server.
- the service appliance will already have (as a result of Initialization and Transparent wait states tasks) a complete copy of every item of service application data (e.g., all message items including notes, calendar items, etc.) that a user would need to see from the production server.
- the service appliance will also have all the free/busy data necessary to conduct calendaring transactions. It will also already be running all the service application processes (e.g. OWA) necessary for the service appliance to communicate with the same entities with which the production server was previously communicating.
- OWA service application processes
- one of the first things that the service appliance will do in Step 2 is to "play" the incomplete transactions from its transaction cache up through the service application process "stack" on the service appliance. This activity essentially will complete these transactions from the user's perspective, since the service appliance will now be their mail server.
- the service appliance will continue to update its internal representations of external data sources, such as the GC and DC during this state.
- the service appliance is a sealed, locked-down entity. It is not subject to administrative instructions or interrogation from the outside world, nor is it likely to be "entangled" to other service application servers in the same organization.
- the service appliance AD will not be replicating to other ADs.
- the production server possibly including the DC or GC process
- Step 1 Detect that the production server is once again functional
- Step 2 Back-synchronize, from the service appliance to the production server, the service application data (e.g., messages) received by the service appliance on behalf of the production server during the production server's down-time
- the service application data e.g., messages
- step 1 can be performed using two approaches.
- the service appliance could require the administrator of the production server click a button on the configuration/administration screen of the service appliance to indicate to the service appliance that the production server is live (to that administrator's satisfaction).
- the second approach would be for the service appliance to in essence run the failure heuristics module in reverse. If all the deterministic failure conditions are false, the production server could be considered to be up again. The information to reach this conclusion would come from the service appliance intermittently probing the production server while the service appliance is in the failover state.
- the service appliance would back-synchronize from itself to the production server all of the service application data (e.g., message data) that the service appliance received on behalf of the failed production server.
- Some combination of techniques for replication from the Transparent wait state can be applied in reverse (from service appliance to production server, instead of vice versa).
- the service appliance would be back-synchronizing two classes of information in embodiments that relate to service applications concerning electronic mail, calendaring, and collaboration: 1) the state of any message that was touched by an end-user served by the production server during the service appliance's down-time (e.g., read, deleted, forwarded, replied to, edited, changed in priority, etc.); and, 2) messages received and processed by the service appliance on behalf of the production server during the service appliance's downtime.
- a reductionist approach to back-synchronization takes any message received by the service appliance during the production server's down-time, stuffs it into an ESMTP-format file, and write that file into the appropriate queue directory of the production server.
- the production server would then pick up the file and process the message all the way through into the mailstore, with the same net effect (from a user perspective) as if the production server had been up all along.
- the service appliance would use some combination of the initialization and transparent wait synchronization approached discussed previously; however applied in reverse to synchronize the production server with the service appliance.
- the service appliance would still be servicing e-mail and calendaring requests. And, as long as the service appliance continues to handle requests, the state of its mailstore would potentially be changing (e.g. users deleting, forwarding, or otherwise operating on old or new mail), and the production server theoretically would never be in true synchronization with the service appliance.
- the service appliance would likely use a staggered approach to break the tie, as described below.
- the failback state of the service appliance returns to the Transparent wait state, as described above.
- the failback state can be applied on a granular level, for example on a per user or per account basis, with the service appliance returning control of the service to the production server for specific users as the associated service data becomes synchronized on the service appliance and the production server, while the service appliance continues to control the service for users with unsynchronized data.
- the service appliance simply reverses the "stutter step" approach for synchronization of service data for the service application hosted by the production server with the service data maintained by the service appliance during the failover and failback states, and at the end of such process, the service appliance returns control of the service to the service application of the production server for some or all of the client systems.
- Figure 8 illustrates a runtime architecture of the service appliance according to an embodiment of the invention.
- the service appliance is configured to provide an electronic mail service.
- the runtime architecture includes modules for implementing the states described above.
- the runtime module includes an operating system and a service application to be used to provide the service to service users in the event the production server fails.
- Figure 9 illustrates a component architecture of the service appliance according to an embodiment of the invention.
- the software components of the service appliance include an operating system, a production server health monitor, and a service application and supporting modules (for example, Microsoft Exchange and a directory service).
- the service application receives service data from the synchronization engine, which is used to synchronize data from the production server.
- the policy manager assists in enforcing proper operational policy, including security and operational configuration, on the service appliance and in some embodiments can extend this role to the production server.
- the production server health monitor monitors the health of the production server to determine if the service appliance should take control of the service.
- the high availability manager assists in supervising and coordinating availability across service appliances and/or constituent components thereof, any or all of which may be in a distributed configuration.
- the patch manager supervises the retrieval, installation, verification, and if necessary, the removal of software updates for the service appliance.
- a local/remote administrative service and user interface enables service administrators to control the service appliance.
- the service appliance component architecture includes a service appliance monitor, which monitors the software processes and hardware of the service appliance, and a service appliance monitoring manager, which responds to monitoring information to maintain the service appliance's performance, for example by terminating and restarting components and software processes on the service appliance, restoring storage partitions, and changing hardware operation on the service appliance.
- the component architecture of the service appliance includes a supervisory kernel, for example an embedded Linux kernel executing on an auxiliary CPU.
- the supervisory kernel interfaces with the reliability modules to monitor and control the operation of the service appliance, and can kill and restart any of the software processes, including for example the Microsoft Windows operating system, if an error occurs.
- Figure 10 illustrates the flow of data to a service application and the service appliance while the service appliance is in a transparent wait state according to an embodiment of the invention.
- the flow of data in the transparent wait state is described in detail above, hi summary of a first embodiment, service traffic 1005 received by service appliance 1010 is forwarded to the production server 1015.
- the service appliance 1010 polls the production server 1015 to retrieve updated service data from the production server's 1015 data store 1020.
- the updated service data is stored in service appliance's 1010 data store 1025.
- a copy of the service traffic 1005 is stored in transaction cache 1030.
- the contents of the transaction cache 1030 are presented to a service application executing on the service appliance 1010, which updates the contents of data store 1025 accordingly. Assuming the outputs of the service applications on the service appliance 1010 and production server 1015 are deterministic, the contents of the data stores 1020 and 1025 will be the same.
- Figures 11 and 12 illustrate the flow of data to a service application and the service appliance while the service appliance is in failover mode and failback modes according to embodiments of the invention.
- the flow of data in these modes is described in detail above, hi summary, service traffic 1105 is intercepted by the service appliance 1110 in both modes.
- the service traffic is processed by one or more service applications 1115 running on the service appliance.
- Service applications 1115 update data store 1120 with service data.
- Administrative traffic 1125 directed to the production server 1130 is selectively passed through the service appliance 1110 to the production server 1130. This enables administrators to control the production server to attempt to restore its functionality while the service appliance 1110 provides uninterrupted service to client systems.
- the service appliance 1110 Upon determining that the production server 1130 is operational, the service appliance 1110 enters failback mode, shown in Figure 12. hi this mode, the service appliance 1110 provides updated service data 1205 from its data store 1120 to the production server 1130.
- FIG. 13 illustrates a network configuration enabling the service appliance to transparently function between the production server and client systems according to an embodiment of the invention
- a feature of the networking protocol such as virtual LANs enabled by 802. Iq is used to create a first virtual network that redirects IP addresses normally associated with client systems to the service appliance.
- a second virtual network redirects IP addresses normally associated with the production server to the service appliance.
- the service appliance can then redirect the network traffic to its intended destination by swapping packets' network identities. This can be done automatically with layer 2 switch hardware, eliminating the need for more complicated stateful packet inspection systems in many cases, although this technique can be combined effectively with packet processing at layer 3 and higher, both stateful and stateless.
- the service appliance includes additional features to ensure accurate replication and maintenance of service data. Even though an embodiment of the service appliance is replicating at the object level, instead of the bit level, there is the possibility that it is replicating corrupt objects. For example, a RAID controller failure (perhaps of the write-back cache) could corrupt the meta-data or even the contents of a given message object in the store of the production server's service application.
- An embodiment of the service appliance addresses this problem.
- the first is that there are some simple heuristics to detect corrupted objects.
- Bad or nonsensical meta-data (a creation or modification date with negative numbers, text data in a numerical field, etc) can be detected to some degree.
- the service appliance can hash the non-volatile meta-data and comparing it to a hash of the meta-data of the in-bound objects to indicate if something is amiss.
- tests can detect overwrites of the content of objects that do not have the modification flag set. For example, if the service appliance hashes the contents of an object, and then get a hash-match failure, and the meta-data indicates that the inbound object has not been edited, then that object would be suspicious.
- Whether an object is corrupt can never be programmatically determined in an absolute sense for all classes of service applications.
- a rating could be applied based on whatever panel of tests to which that object is subjected. For example, on a scale of 1-100, with 100 being uncorrupted, an object that failed all of the tests might merit a "10". An object that passed all tests might rate a 90 or higher.
- the service appliance would keep a history of these ratings, and do a rolling look-back across them. Numerous low ratings across an hour, day, week, or similar interval would indicate a high probability of corruption on the production server.
- the service appliance can express its suspicions to a human administrator; and, depending on a slider bar setting, it could elect to terminate replication between the service appliance and the production server. [0118]
- the service appliance maintains a cache containing the last few replications of an object, perhaps restricting entries in the cache to those objects that were at a high confidence level. In the event of detected corruption, the service appliance could offer to the administrator a roll-back of the corrupted objects to some prior point in time.
- the service appliance can maintain a hash of meta-data, body data, and total data for all individual objects which the service appliance replicates or otherwise commits to its store (as discussed above), an embodiment of the service appliance checks these hashes against on-the-fly hashes for a random sample of objects retrieved from the service appliance's store during the normal course of operations. A certain number of comparison failures would indicate corruption in the service appliance's own store, and the service appliance could take action, including alerting the administrator and running a full diagnostic. The service appliance would be able to determine to some reasonable degree the extent of corruption and either i) purge and resynchronize the corrupt objects only or ii) purge the entire service application database (e.g. Microsoft Exchange's Jet DB) and resynchronize the entire set of service data.
- a service application database e.g. Microsoft Exchange's Jet DB
- the service appliance includes a "hidden" object store, for example constrained to objects updated within thirty days or some other period, in a version of the service application database file (e.g. the Exchange EDB) not accessible to the service appliance's primary file system itself (e.g. NTFS) and only accessible to the service appliance's supervisory kernel.
- the service appliance would be maintaining an abbreviated mirror of the primary service application, created with separate write transactions (so corruption would not propagate.)
- the service appliance could even cross-check objects from the hidden store against the primary store to be extra-safe.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- Human Resources & Organizations (AREA)
- Strategic Management (AREA)
- Entrepreneurship & Innovation (AREA)
- Marketing (AREA)
- Physics & Mathematics (AREA)
- Economics (AREA)
- Computer Security & Cryptography (AREA)
- Operations Research (AREA)
- Quality & Reliability (AREA)
- Tourism & Hospitality (AREA)
- Data Mining & Analysis (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer And Data Communications (AREA)
- Hardware Redundancy (AREA)
- Telephonic Communication Services (AREA)
- Stored Programmes (AREA)
Applications Claiming Priority (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US58778604P | 2004-07-13 | 2004-07-13 | |
US11/166,334 US20060015764A1 (en) | 2004-07-13 | 2005-06-24 | Transparent service provider |
US11/166,043 US7363365B2 (en) | 2004-07-13 | 2005-06-24 | Autonomous service backup and migration |
US11/165,837 US20060015584A1 (en) | 2004-07-13 | 2005-06-24 | Autonomous service appliance |
US11/166,359 US7363366B2 (en) | 2004-07-13 | 2005-06-24 | Network traffic routing |
PCT/US2005/024395 WO2006017199A2 (en) | 2004-07-13 | 2005-07-06 | Autonomous service backup and migration |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1774440A2 true EP1774440A2 (de) | 2007-04-18 |
Family
ID=35839718
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05769105A Withdrawn EP1766900A2 (de) | 2004-07-13 | 2005-07-06 | Transparenter dienstanbieter |
EP05769435A Withdrawn EP1782237A2 (de) | 2004-07-13 | 2005-07-06 | Autonome dienstanwendung |
EP05773408A Withdrawn EP1774440A2 (de) | 2004-07-13 | 2005-07-06 | Autonome servicesicherung und -migration |
EP05764428A Withdrawn EP1769380A2 (de) | 2004-07-13 | 2005-07-06 | Routen von netzwerkverkehr |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05769105A Withdrawn EP1766900A2 (de) | 2004-07-13 | 2005-07-06 | Transparenter dienstanbieter |
EP05769435A Withdrawn EP1782237A2 (de) | 2004-07-13 | 2005-07-06 | Autonome dienstanwendung |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05764428A Withdrawn EP1769380A2 (de) | 2004-07-13 | 2005-07-06 | Routen von netzwerkverkehr |
Country Status (4)
Country | Link |
---|---|
EP (4) | EP1766900A2 (de) |
MY (1) | MY139075A (de) |
TW (4) | TW200608222A (de) |
WO (4) | WO2006017104A2 (de) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7363366B2 (en) | 2004-07-13 | 2008-04-22 | Teneros Inc. | Network traffic routing |
US9130967B2 (en) | 2010-11-17 | 2015-09-08 | Alcatel Lucent | Method and system for network element service recovery |
CN113157615B (zh) * | 2021-02-02 | 2023-05-23 | 浙江大华技术股份有限公司 | 一种服务总线通信方法、电子设备以及计算机存储介质 |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5157663A (en) * | 1990-09-24 | 1992-10-20 | Novell, Inc. | Fault tolerant computer system |
US5978565A (en) * | 1993-07-20 | 1999-11-02 | Vinca Corporation | Method for rapid recovery from a network file server failure including method for operating co-standby servers |
US6751674B1 (en) * | 1999-07-26 | 2004-06-15 | Microsoft Corporation | Method and system for replication in a hybrid network |
US6735717B1 (en) * | 2000-04-13 | 2004-05-11 | Gnp Computers, Inc. | Distributed computing system clustering model providing soft real-time responsiveness and continuous availability |
US20030005350A1 (en) * | 2001-06-29 | 2003-01-02 | Maarten Koning | Failover management system |
US7409420B2 (en) * | 2001-07-16 | 2008-08-05 | Bea Systems, Inc. | Method and apparatus for session replication and failover |
US20030037133A1 (en) * | 2001-08-15 | 2003-02-20 | Thomas Owens | Method and system for implementing redundant servers |
US7178050B2 (en) * | 2002-02-22 | 2007-02-13 | Bea Systems, Inc. | System for highly available transaction recovery for transaction processing systems |
US20040034807A1 (en) * | 2002-08-14 | 2004-02-19 | Gnp Computers, Inc. | Roving servers in a clustered telecommunication distributed computer system |
US7293201B2 (en) * | 2003-01-17 | 2007-11-06 | Microsoft Corporation | System and method for active diagnosis and self healing of software systems |
-
2005
- 2005-07-06 EP EP05769105A patent/EP1766900A2/de not_active Withdrawn
- 2005-07-06 WO PCT/US2005/024006 patent/WO2006017104A2/en active Application Filing
- 2005-07-06 WO PCT/US2005/024395 patent/WO2006017199A2/en active Application Filing
- 2005-07-06 WO PCT/US2005/024005 patent/WO2006017103A2/en active Application Filing
- 2005-07-06 EP EP05769435A patent/EP1782237A2/de not_active Withdrawn
- 2005-07-06 EP EP05773408A patent/EP1774440A2/de not_active Withdrawn
- 2005-07-06 EP EP05764428A patent/EP1769380A2/de not_active Withdrawn
- 2005-07-06 WO PCT/US2005/024004 patent/WO2006017102A2/en active Application Filing
- 2005-07-12 TW TW094123531A patent/TW200608222A/zh unknown
- 2005-07-12 MY MYPI20053192A patent/MY139075A/en unknown
- 2005-07-12 TW TW094123552A patent/TW200617693A/zh unknown
- 2005-07-12 TW TW094123533A patent/TW200607275A/zh unknown
- 2005-07-12 TW TW094123550A patent/TW200613963A/zh unknown
Non-Patent Citations (1)
Title |
---|
See references of WO2006017199A2 * |
Also Published As
Publication number | Publication date |
---|---|
TW200608222A (en) | 2006-03-01 |
EP1766900A2 (de) | 2007-03-28 |
EP1769380A2 (de) | 2007-04-04 |
WO2006017102A3 (en) | 2007-03-01 |
WO2006017199A2 (en) | 2006-02-16 |
TW200613963A (en) | 2006-05-01 |
WO2006017103A3 (en) | 2009-04-16 |
MY139075A (en) | 2009-08-28 |
TW200617693A (en) | 2006-06-01 |
WO2006017103A2 (en) | 2006-02-16 |
EP1782237A2 (de) | 2007-05-09 |
WO2006017104A2 (en) | 2006-02-16 |
WO2006017104A3 (en) | 2007-02-01 |
WO2006017102A2 (en) | 2006-02-16 |
TW200607275A (en) | 2006-02-16 |
WO2006017199A3 (en) | 2007-01-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9448898B2 (en) | Network traffic routing | |
US7363365B2 (en) | Autonomous service backup and migration | |
US20060015764A1 (en) | Transparent service provider | |
US20060015584A1 (en) | Autonomous service appliance | |
US7426652B2 (en) | System and method for application monitoring and automatic disaster recovery for high-availability | |
US7370336B2 (en) | Distributed computing infrastructure including small peer-to-peer applications | |
Pertet et al. | Causes of failure in web applications | |
US7870416B2 (en) | Enterprise service availability through identity preservation | |
US20100138395A1 (en) | Enterprise Service Availability Through Identity Preservation | |
US20070143373A1 (en) | Enterprise server version migration through identity preservation | |
JP2009507280A (ja) | Id保存を介するエンタープライズサービス利用可能性 | |
US12093141B2 (en) | Systems and methods for directory service backup and recovery | |
EP1774440A2 (de) | Autonome servicesicherung und -migration | |
WO2008054388A1 (en) | System and method for network disaster recovery |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20070129 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL BA HR MK YU |
|
DAX | Request for extension of the european patent (deleted) | ||
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN |
|
18W | Application withdrawn |
Effective date: 20091127 |