Re: Loadbalancing HTTPS with stickyness

riziv · ‎09-15-2010

Hi all,

We 'd like to do HTTPS loadbalancing with stickyness ( cookie stickyness).

Is it possible ? how to configure It.

I've tryed to configure as following but it seems that the client does not receive the cookie.

sticky http-cookie INAMI-OWA-PRD INAMI-OWA-STICKY
cookie insert browser-expire
timeout 60
replicate sticky
serverfarm ISA-PRD-EXCHANGE-OWA-SF

serverfarm host ISA-PRD-EXCHANGE-OWA-SF
description Serverfarm used for Exchange OWA (portal.inami.be) in production
probe ICMP-PROBE-ALL
probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
rserver ISA-DMZ-PRD-1
    inservice
rserver ISA-DMZ-PRD-2
    inservice
rserver ISA-DMZ-PRD-3
    inservice

class-map match-any ISA-VIP-PRD-EXCHANGE-OWA
2 match virtual-address xxx.xxx.xxx.xxx tcp eq https

policy-map type loadbalance first-match SLB-PRD-EXCHANGE-OWA
class class-default
sticky-serverfarm INAMI-OWA-STICKY

policy-map multi-match ISA-PRD-LOADBALANCING
class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    nat dynamic 117 vlan 117

Could someone help us on implementing the sticky on https traffic?

Thanks a lot.

Frédéric

adakopou · ‎09-15-2010

Hello Frédéric,
If you are load-balaning SSL, then you can not perform sticky via a Cookie (insert / learning). The reason for this is that the SSL data is encrypted and the ACE will not be able to insert a Cookie or learn a Cookie with encrypted data. If you are performing SSL termination or End-to-End SSL (termination and initiation) then you would be able to perform sticky via Cookie (insert / learning). When load-balancing SSL, your sticky options are either sticky via SSL Session ID or via SRC IP.

The one major issue with SSL Session ID sticky is that some older I.E. browsers may re-negotiate SSL Session ID every two minutes which may cause the SSL user to get load-balanced to a different Rserver. This is also explained in via the following knowledge base article http://support.microsoft.com/kb/265369

Here are a couple of examples covering both SSL Session id sticky as well as SRC IP sticky:

SSL Session ID Example:

parameter-map type generic SSLID_PARAMMAP
set max-parse-length 70

serverfarm host ISA-PRD-EXCHANGE-OWA-SF
description Serverfarm used for Exchange OWA (portal.inami.be) in production
probe ICMP-PROBE-ALL
probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
rserver ISA-DMZ-PRD-1
    inservice
rserver ISA-DMZ-PRD-2
    inservice
rserver ISA-DMZ-PRD-3
    inservice

sticky layer4-payload SSL-STICKY
timeout 30
serverfarm ISA-PRD-EXCHANGE-OWA-SF
response sticky
layer4-payload offset 43 length 32 begin-pattern "\x20"

policy-map type generic first-match SLB-PRD-EXCHANGE-OWA
class class-default
sticky-serverfarm SSL-STICKY

policy-map multi-match ISA-PRD-LOADBALANCING
class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    appl-parameter generic advanced-options SSLID-PARAMMAP
    nat dynamic 117 vlan 117

SRC IP Example::

serverfarm host ISA-PRD-EXCHANGE-OWA-SF
description Serverfarm used for Exchange OWA (portal.inami.be) in production
probe ICMP-PROBE-ALL
probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
rserver ISA-DMZ-PRD-1
    inservice
rserver ISA-DMZ-PRD-2
    inservice
rserver ISA-DMZ-PRD-3
    inservice

sticky ip-netmask 255.255.255.255 address source SRCIP-STICKY
timeout 30
serverfarm ISA-PRD-EXCHANGE-OWA-SF

policy-map type generic first-match SLB-PRD-EXCHANGE-OWA
class class-default
sticky-serverfarm SRCIP-STICKY

policy-map multi-match ISA-PRD-LOADBALANCING
class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    nat dynamic 117 vlan 117

I hope this information helps.

Thank you,
Antonios

riziv · ‎09-15-2010

Hi Antonios,

Thanks a lot for your reply that should help me to configure the offloading of the SSL and apply the stickyness.

I come back to you if I have other question related to the SSL termination ( not experienced yet).

Many thanks.

Frederic