3rd party SSL session ID, back end load balancing
3rd party SSL session ID, back end load balancing - 21.Nov.2007 12:31:49 AM
Aurrick
Posts: 6
Joined: 20.Nov.2007
Status: offline
I know the optimal answers for my questions, but my hands are tied as far as being allowed to use ISA 2006 EE to either load balance incoming requests amongst array members or to load balance to the server farm. It is mandated that the 3rd party load balancers that are in place continue to do the front and back end load balancing (and firewall/NAT). That being said, here is what I have and what I'm trying to do:

Front end firewall
|
Front end load balancer - client source IP method
|
Multiple Win2K3 w/SP2 and ISA 2006 EE in a Single NIC Template (SSL Listener)
|
Back end load balancer - SSL session ID method
|
Web farm (SSL)

Everything works great as far as publishing the content of the farm; however, getting the back end load balancing to work is problematic. The publishing rule uses SSL bridging and therefore the only two methods available for back end load balancing (since I can't use ISA) are client IP and SSL Session ID.

** Additional info - The web farm real IPs, web farm load balanced VIP, ISA real IPs, ISA load balanced VIP are all on the same subnet/VLAN with the same Gateway. In fact, the Front End load balancer is the same device as the back end load balancer. Just different VIPs. **

Because I'm forced into the Single NIC Template and the Web Farm members do not have the ISA servers as their Gateway, all requests must "appear to come from the ISA server", otherwise the return packets from the web farm will try to route directly to the original client and get dropped at the front end firewall. This rules out the client source IP method on the web farm load balancer because all requests are from the ISA IP address. So it's down to SSL Session ID.

In order for the web farm load balancer to be able to actually load balance SSL sessions it is implied that there must be SSL sessions with different session IDs. I'm assuming ISA is well engineered to be efficient and reuse the connection from the ISA server to the Web Farm. Is that correct?

And if so, is there a way to force individual sessions for each proxied connection? (I know... it's like taking a step backward, but I don't see any other choice.) I have done several tests and packet captures. From multiple client IPs the maximum number of SSL session negotiations I see between ISA and the web farm is two.

Can ISA allow 3rd party load balancing for SSL bridging in a Unihomed setup? ISA offers a fantastic solution, especially for load balancing and SSO, if we can just get it in house. But in order to do so it must start in 'mini-mode' until the network guys can be persuaded to let go of some of the load balancing.

Thank you for input.
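An added example, not part of the original post: a Python sketch of the capture check the post describes, pulling the session ID out of each ServerHello seen between the proxy and the web farm and counting how many connections share each ID. The function names and the sample records are constructed for illustration, and each input is assumed to be one TLS record that starts with the handshake message.

```python
import struct
from collections import Counter

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2

def hello_session_id(record: bytes):
    """Return (msg_type, session_id) for a TLS record holding a ClientHello
    or ServerHello, or None if the record is something else or truncated."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    # Handshake header: type(1) + length(3); then version(2) + random(32).
    off = 4 + 2 + 32
    if len(body) < off + 1:
        return None
    sid_len = body[off]
    sid = body[off + 1: off + 1 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        return None
    return body[0], sid

def distinct_server_sessions(records):
    """Count how many handshakes carry each server-issued session ID.
    A resumed session repeats the ID, so it adds no new key."""
    counts = Counter()
    for rec in records:
        parsed = hello_session_id(rec)
        if parsed and parsed[0] == SERVER_HELLO and parsed[1]:
            counts[parsed[1]] += 1
    return counts

def build_hello(msg_type, sid):
    """Constructed sample: minimal Hello record, cut off after the session ID."""
    body = b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed capture: five proxied connections, but only two session IDs.
SID_A, SID_B = b"\xaa" * 32, b"\xbb" * 32
SAMPLE = [build_hello(SERVER_HELLO, s) for s in (SID_A, SID_B, SID_A, SID_A, SID_B)]
SAMPLE.append(b"\x17\x03\x01\x00\x02hi")  # application data record, ignored

if __name__ == "__main__":
    for sid, n in distinct_server_sessions(SAMPLE).items():
        print(sid.hex()[:16], n)
```

The number of keys in the result is the number of distinct sessions a session-ID-based balancer has available to distribute across the farm.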