Forum Discussion
HTTPS load balancing
Hi there, and thanks in advance.
I'm trying to set up load balancing for two servers that use HTTPS, with access on port 8443:
https://server01.myco.net:8443/SSFservice/SSFservice
https://server02.myco.net:8443/SSFservice/SSFservice
Those servers are configured in a pool:
server01.myco.net:8443  172.16.57.32  1  0  (Active)  0  Common
server02.myco.net:8443  172.16.57.34  1  0  (Active)  0  Common
I've also configured a virtual server for load balancing:
General Properties
Name: VS_SX32
Partition / Path: Common
Type: Standard
Source: 0.0.0.0%1/0
Destination Type: Host
Destination Address: 192.168.223.164%1
Service Port: 8443
Link: None
Syncookie Status: Off
State:
In the Resources section of the virtual server, the default pool is pointed correctly.
In the generic policy I have configured: requires -> http, tcp; controls -> forwarding.
And the rule is as follows:
Name: servers.myco.net:8443
Conditions: http-host host equals servers.myco.net:8443
Rule: forward select pool /Common/Pool_SX32_8443
I've already added a DNS record pointing servers.myco.net to 192.168.223.164.
Everything seems to be OK, but when I try to load https://servers.myco.net:8443/SSFservice/SSFservice I get no response; nothing loads.
What I'm doing wrong?
8 Replies
- pete_71470
Cirrostratus
Is source-address-translation for VS_SX32 set to automap or a snatpool? If not, nodes will return traffic directly to the client instead of the F5.
- carlos2tone_240
Nimbostratus
Thanks for your answer, Pete.
I've tried setting it to Automap but got the same result. Maybe a SNAT pool is required? I have none configured.
- Brad_Parker
Cirrus
If you have an http profile assigned, you will be required to have a client ssl profile attached, and since you are doing https to the pool members you will also need a server ssl profile to re-encrypt the traffic. When you assign an http profile to an https VS without a client ssl profile it will always issue an RST to the client.
Hi,
As mentioned in the previous answers, you'll need client ssl and server ssl profiles added to the VS, and the SNAT configured correctly. I have a small remark, though it apparently has no impact: why aren't you using Pool_SX32_8443 as the VS default pool? Do you really need a traffic policy?
- carlos2tone_240
Nimbostratus
Hi guys and many thanks for the replies.
I did not configure any SSL client/server certificate for this VS. In this case, the certificates on the pool servers were installed by a third party (it's requested, by the way).
Do I have to set up client, server or both?
Do I have to configure SNAT Pool ?
> I have a small remark, though it apparently has no impact: why aren't you using Pool_SX32_8443 as the VS default pool? Do you really need a traffic policy?
I don't need the traffic policy, but I configured it for testing purposes.
Cheers
- Brad_Parker
Cirrus
You will need both a client and server SSL profile if you are going to use https all the way to the pool members. A SNAT pool is up to you. If you are using the LTM as the default route on your pool members there's no need for SNAT at all. If you expect more than 64,000 concurrent connections then you should plan on using a SNAT pool. If not, you can just use SNAT automap.
- carlos2tone_240
Nimbostratus
Hi!
As I understand it, the server and client SSL profiles on the F5 MUST use the same cert as the one installed on my 2 servers in the pool?
Am I correct?
Thank you!
- Brad_Parker
Cirrus
You don't configure a cert in the server profile. And no, the cert on the pool members doesn't actually have to match the cert in the client ssl profile. This is the beauty of a full proxy architecture. You can configure your client ssl profile with a public CA certificate and use self-signed on the pool members if you so wish. The default server ssl profile is sufficient to get you up and going, as it ignores the cert presented by your pool members by default.
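Pulling the thread's advice together as a tmsh configuration. This is an added example, not a config posted by anyone in the thread. The pool, member and virtual server names and addresses are taken from the original post; the client-ssl profile name `clientssl_SX32` and the certificate/key object names `servers.myco.net.crt` / `servers.myco.net.key` are assumptions (the cert and key are assumed to have been uploaded under System > Certificate Management first). The commands are written as `create` from scratch; for the pool and virtual server that already exist in the post, the equivalent `modify` commands would be used instead.

```tmsh
# Added example (not from the thread): the setup discussed above, in tmsh.
# Names/addresses from the original post; clientssl_SX32 and the cert/key
# object names are assumptions. Use "modify" for objects that already exist.

# Pool of the two HTTPS back ends on port 8443, health-checked over HTTPS.
create ltm pool Pool_SX32_8443 monitor https members add { server01.myco.net:8443 { address 172.16.57.32 } server02.myco.net:8443 { address 172.16.57.34 } }

# Client-side TLS: the BIG-IP terminates HTTPS from the browser with its own
# cert. As noted above, this cert does not have to match what the pool members
# present, since the BIG-IP is a full proxy.
create ltm profile client-ssl clientssl_SX32 defaults-from clientssl cert servers.myco.net.crt key servers.myco.net.key

# Virtual server:
#  - http profile needs a client-ssl profile in front of it; without one the
#    http profile sees TLS bytes and the VS resets the connection (the
#    "nothing loads" symptom in the question).
#  - the default serverssl profile re-encrypts toward the members and, by
#    default, does not verify the member certificate, so self-signed or
#    third-party certs on the back ends still work.
#  - SNAT automap makes the members answer back to the BIG-IP rather than
#    straight to the client (fine below ~64k concurrent connections; use a
#    SNAT pool above that, or no SNAT if the BIG-IP is the members' default
#    route).
create ltm virtual VS_SX32 destination 192.168.223.164%1:8443 ip-protocol tcp profiles add { tcp http clientssl_SX32 { context clientside } serverssl { context serverside } } source-address-translation { type automap } pool Pool_SX32_8443

save sys config

# Verify on the BIG-IP, then test from a client:
#   list ltm virtual VS_SX32
#   show ltm pool Pool_SX32_8443 members
#   curl -vk https://servers.myco.net:8443/SSFservice/SSFservice
```

With the pool attached directly as the default pool, the traffic policy from the question is not needed; if it is kept, it must still sit behind the client-ssl profile, because the http-host condition can only be evaluated on decrypted traffic.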