Forum Discussion
How to load balance two forward proxy servers that are not transparent?
Hi Wasfi,
I've investigated CARP-Loadbalancing for HTTP-Proxy Servers a while ago. Unfortunately the F5 does not support a flawless CARP balancing for proxy servers. The problems are...
- Without using OneConnect, just the initial Proxy-Request will get CARP'ed to the right proxy server node. Subsequent Proxy-Requests over the same TCP-Connection will stick to the initially selected proxy server node and may cause redundant cache contents.
- Using a OneConnect Profile in combination with HTTP-Profiles will allow you to CARP subsequent Proxy-Requests accordingly. But on the other hand OneConnect will by default break any form of Session-Based-Proxy-Authentication (e.g. NTLM, Kerberos, Negotiate).
- Using manual OneConnect-Labels will allow you to perform CARP for initial and subsequent Proxy Requests with full Session-Based-Proxy-Authentication support, but this approach will create a lot of (idle) Serverside TCP connections and therefore require somewhat huge OneConnect Connection Pools.
You may take a look at my CARP based HTTP-Proxy load balancing iRule (with Tunnel-SSL and full Session-Based-Authentication support) as a starting point. If this iRule is too rocket science / experimental for you, then I would recommend to skip using CARP and simply use Least-Connection balancing for your Proxy Servers.
https://devcentral.f5.com/questions/need-information-on-oneconnectselect-48701
Cheers, Kai
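The cache effect described in the first two points of the answer above, as an added simulation that is not part of the original post and not F5 or iRule code. It assumes a generic highest-score hash (SHA-256 over proxy name and URL) in place of the real CARP hash function; the proxy names, URLs and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

PROXIES = ["proxy-a", "proxy-b"]  # hypothetical pool members


def carp_pick(url, proxies=PROXIES):
    """Score every proxy against the URL and take the highest score,
    so a given URL always maps to the same proxy."""
    return max(proxies, key=lambda p: hashlib.sha256(f"{p}|{url}".encode()).digest())


def sample_connections(n_urls=32):
    """Constructed traffic: one keep-alive connection per URL, each starting
    with a different URL and then requesting all the others."""
    urls = [f"http://example.test/obj{i}" for i in range(n_urls)]
    return [urls[i:] + urls[:i] for i in range(n_urls)]


def simulate(connections, per_request):
    """Return {proxy: set of URLs it ends up caching}.

    per_request=False: the pick made for the first request is kept for
    the whole TCP connection.
    per_request=True: every proxy request is picked on its own.
    """
    cache = defaultdict(set)
    for requests in connections:
        sticky = carp_pick(requests[0])
        for url in requests:
            cache[carp_pick(url) if per_request else sticky].add(url)
    return cache


def redundant_copies(cache):
    """Number of extra copies: cached objects held by more than one proxy."""
    total = sum(len(urls) for urls in cache.values())
    distinct = len(set().union(*cache.values()))
    return total - distinct


if __name__ == "__main__":
    conns = sample_connections()
    for mode in (False, True):
        cache = simulate(conns, per_request=mode)
        print("per-request" if mode else "per-connection",
              {p: len(u) for p, u in cache.items()},
              "redundant copies:", redundant_copies(cache))
```

With per-connection stickiness every proxy that receives a connection ends up caching every object requested on it; with per-request selection each object is held by exactly one proxy.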