A One-Stop Web Appliance

ClickArray's Array 1000 device ably consolidates hardware functions but lacks VPN capabilities.

Companies that want to get a handle on the front-end building blocks of their Web sites should look to ClickArray Networks Inc.s Array 1000, an integrated Web service device that can save money and IT resources by consolidating hardware into a single, easy-to-set-up and managed device.

Array 1000 is the first appliance eWeek Labs has seen that integrates Web traffic acceleration, management and security components in a single device. It provides server load balancing, reverse proxy caching, firewall functionality, SSL (Secure Sockets Layer) acceleration and content rewrite in a 5.25-inch appliance.

Array 1000 is priced at $25,000—which is not cheap, compared with hardware server load balancers such as Radware Inc.s $24,500 Web Server Director Pro. However, Array 1000 offers a lot more features without the added cost. For example, when purchased separately, a typical hardware server load balancer can cost about $20,000; a firewall/VPN (virtual private network) appliance costs $10,000 to $15,000; a stand-alone SSL Accelerator and caching appliance costs $5,000 to $10,000.

However, because Array 1000 integrates essential Web services into a single device, it can create a single point of failure if the appliance is not clustered. And clustering can quickly become expensive. Array 1000 is also not designed to replace enterprise-class firewall, caches and load balancing hardware. IT managers should evaluate their sites carefully before implementation.

Array 1000 is best suited for service providers or small to midsize networks where an integrated Web appliance will be able to effectively reduce hardware costs, save space and simplify management. Array 1000 might not be a good fit for large enterprises with complex Web architectures that are optimized for running custom applications and that require high levels of security and redundancy.

The device runs a home-grown BSD-based operating system and uses standard PC hardware with 1GB of RAM (upgradable to 4GB). It supports two Gigabit Ethernet interfaces for high-speed networks. A lower-end Array 500 is available for smaller sites with a limited budget; it comes with dual 10/100M-bps interfaces and 256MB of memory in a 1.75-inch form factor for $6,995. Array 500 has the same integrated Web features as the 1000 box but doesnt support clustering. Both Array appliances are available now; Version 2.04 of the software was released in August.

Array 1000 provides standard server load balancing with standard rules such as weighted round robin and least connections. We also easily set up content-aware load balancing capabilities to map content requests to different server groups. For example, we configured the load balancer to send all dynamic requests to one server group and to forward GIF file requests to another server.

Array 1000s reverse proxy cache enhances the Server Load Balancer performance by caching static contents such as images and text files to RAM. After a client made a successful request, the cache fulfills subsequent requests, freeing up server CPU cycles to handle other tasks.

We tested the Array 1000s server load balancing performance using the WebBench 4.0 benchmark from Ziff Davis Media Inc., which measures server response to Web client requests. Using a static HTTP 1.0 workload, Array 1000, with the reverse proxy cache enabled, delivered more than 4,600 transactions per second. As expected, the performance drops by a large margin when the cache is turned off.

The appliance provides a simple stateful inspection packet-filtering firewall. The firewall uses access control lists to define a set of rules to deny or permit traffic and also can detect Syn-Flood and denial-of-service attacks, detecting illegitimate traffic and dropping it to protect the network.

We were disappointed that Array 1000 offers no VPN capabilities, since most firewall appliances provide this service. VPN management capabilities will be added to the next product release, slated for next quarter, ClickArray officials said.

The built-in SSL acceleration hardware offloads encryption processing of 128-bit SSL transactions from the servers. The SSL proxy decrypts incoming requests and forwards them to the servers as clear text through the cache and the server load balancer. When the servers respond, the SSL proxy re-encrypts the packets and sends them back to the client. The SSL accelerator is a good addition to help enhance performance at e-commerce sites.

However, we were also disappointed that the device lacks redundant power supplies, because redundancy is crucial if the box is the main device directing and managing traffic at the front end of the network.

It supports clustering for redundant failover and up to 32 Array 1000s can be clustered to scale the performance, but that means a significant increase in the cost of implementation.

Most hardware appliance vendors do not offer redundant power supplies, forcing companies to buy another box for failover. We think that shouldnt be the case, especially if the purpose of buying the appliance is to save money.

Array 1000 can be managed through a command-line interface accessible via console or remotely over Secure Shell. The box can also be managed with a Web user interface over SSL.