Balance HTTPS traffic (without decryption)

vknyazhev Member
Hi all!
The task is to balance HTTPS traffic to 2 servers (TLS1 + TLS2), without decryption. How to configure the virtual server correctly in this case?
The TLS/SSL processing itself will continue on TLS1 + TLS2, i.e. you only need to do balancing.

1.
slb virtual-server VIP_HTTPS 192.168.195.2
  port 443 https
    source-nat pool tls_srcnat
    service-group TLS_HTTPS

OR

2.
slb virtual-server VIP_HTTPS 192.168.195.2
  port 443 tcp
    source-nat pool tls_srcnat
    service-group TLS_HTTPS
Please help



Comments

  • Hi @vknyazhev ,

    The easiest is to use your 2nd option with a tcp vPort:

    slb virtual-server VIP_HTTPS 192.168.195.2
      port 443 tcp
        source-nat pool tls_srcnat
        service-group TLS_HTTPS


    By design SLB is done on a per TCP connection basis so you'll still see load balancing happening and connections correctly spread across your servers/service without creating a mess from a user/client perspective, except with some web browsers which may be picky about handling multiple TCP connections to the same FQDN service without maintaining the same encryption level.

    So in this situation you may need to bind a SourceIP persistence template as well, to allow your setup to work.

    Best Regards
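
The source-IP persistence binding mentioned in the reply above, as an added example that is not part of the original reply or of A10's own documentation. The template name SRCIP_PERSIST and the timeout value are assumptions; the NAT pool tls_srcnat, the service group TLS_HTTPS and its member servers are taken to be already defined as in the question.

```text
! Added example: layer-4 (tcp) vPort with source-IP persistence.
! TLS is not terminated on the load balancer; TLS1/TLS2 keep their own
! certificates and private keys.
!
! Persistence template: pins all connections from one client IP to the
! same real server. Name and timeout are assumed values; check the timeout
! unit and default for your ACOS release.
slb template persist source-ip SRCIP_PERSIST
  timeout 5
!
slb virtual-server VIP_HTTPS 192.168.195.2
  port 443 tcp
    source-nat pool tls_srcnat
    service-group TLS_HTTPS
    ! Bind the persistence template to the vPort
    template persist source-ip SRCIP_PERSIST
```

Because the vPort is `tcp` and traffic is source-NATed, the backend servers see the NAT pool address rather than the client address, and no HTTP header can be inserted to carry it; clients that share one public IP will also land on the same server while the persistence entry is live.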
