02-10-2003 07:08 AM
I need to load balance HTTP and SSL traffic through proxy-based firewalls (Gauntlet) to a server farm. I've been told I can't use the usual paths through the firewalls but need to load balance the firewalls as if they were servers, which would then proxy the session to the internal content switch, which will load balance to the servers.
Any ideas if this will work or how to do it? I need to keep the SSL sessions sticky as well.
02-14-2003 11:01 AM
When traffic goes through a group of firewalls, the reverse path must include the same firewall as the original path. Each of the Firewall load balancing switches can choose the same firewall for the reverse traffic that the other load-balancing switch chose for the original traffic.
The following link discusses this and I guess it will help solve your problem.
Anybody who would like to add more to this is most welcome. Thanks
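The point above is that both load-balancing switches must agree on which firewall a flow and its reverse flow traverse. One common way to get that agreement without any shared state is to hash a canonical flow key (the two endpoints sorted, so the forward and reverse packets produce the same key) and let both switches run the same hash. The following is an added illustration of that idea and is not the CSS's own algorithm or any configuration from this thread; the firewall names and addresses are constructed.

```python
import hashlib
from ipaddress import ip_address

# Constructed sample firewall pool; both load-balancing switches would hold the same list.
FIREWALLS = ["fw-a", "fw-b", "fw-c"]


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Canonical flow key that is identical for a flow and its reverse.

    Sorting the two (ip, port) endpoints means (client -> server) and
    (server -> client) packets hash to the same value, which is what
    keeps the reverse path on the same firewall as the original path.
    """
    endpoints = sorted(((ip_address(src_ip), src_port), (ip_address(dst_ip), dst_port)))
    return "|".join(f"{ip}:{port}" for ip, port in endpoints)


def pick_firewall(src_ip, src_port, dst_ip, dst_port, firewalls=FIREWALLS):
    """Deterministically select a firewall from the pool for this flow."""
    digest = hashlib.sha256(flow_key(src_ip, src_port, dst_ip, dst_port).encode()).digest()
    return firewalls[int.from_bytes(digest[:4], "big") % len(firewalls)]


def paths_are_symmetric(src_ip, src_port, dst_ip, dst_port, firewalls=FIREWALLS):
    """True when the outside switch (forward) and inside switch (reverse) agree."""
    forward = pick_firewall(src_ip, src_port, dst_ip, dst_port, firewalls)
    reverse = pick_firewall(dst_ip, dst_port, src_ip, src_port, firewalls)
    return forward == reverse


if __name__ == "__main__":
    # Constructed client/server pair (documentation ranges).
    print(pick_firewall("203.0.113.7", 51234, "192.0.2.10", 443))
    print(paths_are_symmetric("203.0.113.7", 51234, "192.0.2.10", 443))
```

If one switch hashed the ordered (source, destination) pair instead, the reply traffic would be hashed as a different key and could be sent through a firewall that never saw the original SYN, which a stateful or proxying firewall drops.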
02-17-2003 06:02 AM
Could you clarify what you mean by proxy firewall?
Is it just a proxy server with some filtering feature?
If so, what was suggested to you is correct.
You define your proxy servers as services and then you simply configure a content rule for 8080 or 80 (whatever your proxy listens on) and another content rule for port 443 SSL (or whatever port your proxy is set up for).
If the proxy is set up to use its own IP address to request HTML data, the responses will always come back to the right proxy. No need for the firewall load-balancing feature.
An example is this:
service proxyfw1
  ip address x.x.x.x1
  active
service proxyfw2
  ip address x.x.x.x2
  active
owner mycompany
  content HTTPproxy
    vip address x.x.x.x
    add service proxyfw1
    add service proxyfw2
    proto tcp
    port 8080
    active
  !
  content SSLproxy
    vip address x.x.x.x
    add service proxyfw1
    add service proxyfw2
    proto tcp
    port 443
    application ssl
    advanced-balance ssl
    active
  !
Then you set up your browser to point to proxy address x.x.x.x port 8080 for HTTP and 443 for SSL.
Gilles.
02-17-2003 06:52 AM
Thanks Gilles, I'll have some test gear to try this out in the next few days. By proxy, I mean the firewall terminates the user's session and starts a new session to the server on the inside, so there are two parts to a user's end-to-end session.
I'm using two CSS11506s; the external one will have a config like you mention here, and the firewalls will send the sessions to the VIP address of the internal CSS11506, which will load balance between the servers.
I have been told that I need to have an SSL accelerator in order to guarantee sticky SSL sessions and that it needs to be in the external CSS. Any comments on that?
Thanks for your help.
02-18-2003 08:38 AM
You can stick based on the SSL session ID, which is in clear text.
So there is no need for an SSL accelerator.
The config I gave you is what you need to do it.
Gilles.
02-18-2003 09:07 AM
Thanks. Is there not some problem with Internet Explorer changing the session ID or resetting it to 0 during a session?
02-18-2003 10:19 AM
Correct.
Some versions of Internet Explorer renegotiate the SSL ID very often.
This obviously creates trouble with my solution mentioned previously.
This is documented on the Microsoft website.
So, in this case, the best solution would be a second-generation CSS with an SSL module or an SSL accelerator attached to the CSS.
Gilles.
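Both of Gilles's points above rest on one fact: the session ID travels unencrypted in the SSL/TLS ClientHello and ServerHello, so a load balancer can read it without decrypting anything, but a client that starts a fresh full handshake sends an empty session ID and therefore carries nothing to stick on. The following added example (not code from the thread or from the CSS) parses the session ID out of constructed hello records and models a sticky table the way `advanced-balance ssl` is described here: learn the server's ID from its ServerHello, then route later ClientHellos that resume that ID to the same server. The last scenario shows what happens when the browser resets the ID.

```python
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02


def build_hello(handshake_type, session_id, random_bytes=None):
    """Construct a minimal SSLv3/TLS1.0 ClientHello or ServerHello record (sample data only)."""
    random_bytes = random_bytes or bytes(range(32))
    body = b"\x03\x01" + random_bytes + bytes([len(session_id)]) + session_id
    if handshake_type == CLIENT_HELLO:
        body += b"\x00\x04" + b"\x00\x2f\x00\x35"   # cipher_suites: two suites offered
        body += b"\x01\x00"                          # compression_methods: null only
    else:
        body += b"\x00\x2f" + b"\x00"                # chosen suite and compression
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def extract_session_id(record):
    """Return the session ID from a hello record, b"" for a full handshake, None if not a hello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    handshake = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(handshake) < 4 or handshake[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    # body layout: version(2) random(32) session_id_len(1) session_id(0..32) ...
    if len(body) < 35:
        return None
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        return None
    return body[35:35 + sid_len]


class SessionIdStickiness:
    """Sticky balancer keyed on the clear-text SSL session ID (hypothetical model)."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.table = {}     # session ID -> server that issued it
        self.next_rr = 0

    def on_client_hello(self, record):
        """Choose a server: sticky if the ID is known, otherwise round-robin."""
        sid = extract_session_id(record)
        if sid and sid in self.table:
            return self.table[sid]
        server = self.servers[self.next_rr % len(self.servers)]
        self.next_rr += 1
        return server

    def on_server_hello(self, record, server):
        """Learn the ID the chosen server assigned so resumptions return to it."""
        sid = extract_session_id(record)
        if sid:
            self.table[sid] = server


def demo():
    lb = SessionIdStickiness(["web1", "web2"])
    sid = b"\xaa" * 32                                          # constructed server-issued ID
    first = lb.on_client_hello(build_hello(CLIENT_HELLO, b""))  # new client: empty ID, full handshake
    lb.on_server_hello(build_hello(SERVER_HELLO, sid), first)
    resumed = lb.on_client_hello(build_hello(CLIENT_HELLO, sid))  # resumption: sticks to `first`
    reset = lb.on_client_hello(build_hello(CLIENT_HELLO, b""))    # browser reset the ID: no stickiness
    return first, resumed, reset


if __name__ == "__main__":
    print(demo())
```

In the final step the client renegotiates with an empty ID, exactly the Internet Explorer behaviour discussed above, and round-robin sends it to a different proxy mid-session; that is why terminating SSL on the balancer (so it can stick on something other than the session ID) is the fix proposed.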