09-15-2010 07:31 AM
Hi all,
We'd like to do HTTPS load balancing with stickiness (cookie stickiness).
Is it possible? How do we configure it?
I've tried to configure it as follows, but it seems that the client does not receive the cookie.
sticky http-cookie INAMI-OWA-PRD INAMI-OWA-STICKY
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm ISA-PRD-EXCHANGE-OWA-SF
serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice
class-map match-any ISA-VIP-PRD-EXCHANGE-OWA
  2 match virtual-address xxx.xxx.xxx.xxx tcp eq https
policy-map type loadbalance first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm INAMI-OWA-STICKY
policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    nat dynamic 117 vlan 117
Could someone help us with implementing sticky on HTTPS traffic?
Thanks a lot.
Frédéric
09-15-2010 08:29 AM
Hello Frédéric,
If you are load-balancing SSL, then you cannot perform sticky via a Cookie (insert / learning). The reason for this is that the SSL data is encrypted and the ACE will not be able to insert a Cookie or learn a Cookie with encrypted data. If you are performing SSL termination or End-to-End SSL (termination and initiation) then you would be able to perform sticky via Cookie (insert / learning). When load-balancing SSL, your sticky options are either sticky via SSL Session ID or via SRC IP.
The one major issue with SSL Session ID sticky is that some older I.E. browsers may re-negotiate the SSL Session ID every two minutes, which may cause the SSL user to get load-balanced to a different Rserver. This is also explained in the following knowledge base article: http://support.microsoft.com/kb/265369
Here are a couple of examples covering both SSL Session id sticky as well as SRC IP sticky:
SSL Session ID Example:
parameter-map type generic SSLID_PARAMMAP
  set max-parse-length 70
serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice
sticky layer4-payload SSL-STICKY
  timeout 30
  serverfarm ISA-PRD-EXCHANGE-OWA-SF
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"
policy-map type loadbalance generic first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm SSL-STICKY
policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    appl-parameter generic advanced-options SSLID_PARAMMAP
    nat dynamic 117 vlan 117
SRC IP Example:
serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice
sticky ip-netmask 255.255.255.255 address source SRCIP-STICKY
  timeout 30
  serverfarm ISA-PRD-EXCHANGE-OWA-SF
policy-map type loadbalance first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm SRCIP-STICKY
policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    nat dynamic 117 vlan 117
I hope this information helps.
Thank you,
Antonios
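Added example (not part of the original posts, and not Cisco code): a Python model of what `layer4-payload offset 43 length 32 begin-pattern "\x20"` keys on, assuming the standard TLS ServerHello layout where byte 43 is the session ID length. `build_server_hello` and `StickyTable` are hypothetical helpers and the handshake bytes are constructed sample data.

```python
import struct

SID_LEN_OFFSET = 43   # 5 (record hdr) + 4 (handshake hdr) + 2 (version) + 32 (random)
SID_LEN = 32          # "\x20" is the length byte announcing a 32-byte session ID


def build_server_hello(session_id: bytes) -> bytes:
    """Constructed TLS 1.0 ServerHello record (sample data, not a capture)."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\x00\x2f" + b"\x00"            # cipher suite, null compression
    handshake = b"\x02" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_session_id(record: bytes):
    """Return the 32-byte session ID, or None if the record does not match."""
    if len(record) < SID_LEN_OFFSET + 1 + SID_LEN:
        return None
    if record[0] != 0x16 or record[5] != 0x02:      # handshake / ServerHello
        return None
    if record[SID_LEN_OFFSET] != SID_LEN:           # the begin-pattern "\x20"
        return None
    start = SID_LEN_OFFSET + 1
    return record[start:start + SID_LEN]


class StickyTable:
    """Hypothetical model of a session-ID sticky table (no timeout handling)."""

    def __init__(self, rservers):
        self.rservers, self.table, self.rr = list(rservers), {}, 0

    def learn(self, server_hello: bytes, rserver: str) -> None:
        """Mirror of 'response sticky': learn the ID from the server's reply."""
        sid = extract_session_id(server_hello)
        if sid is not None:
            self.table[sid] = rserver

    def pick(self, session_id: bytes) -> str:
        """Resumed session ID -> same rserver; unknown ID -> round robin."""
        if session_id in self.table:
            return self.table[session_id]
        rserver = self.rservers[self.rr % len(self.rservers)]
        self.rr += 1
        return rserver
```

A client that renegotiates and presents a new session ID misses the table and is balanced again, which is the Internet Explorer behaviour described above.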
09-15-2010 10:55 AM
Hi Antonios,
Thanks a lot for your reply; that should help me configure the offloading of the SSL and apply the stickiness.
I will come back to you if I have other questions related to the SSL termination (not experienced yet).
Many thanks.
Frederic