Forum Discussion

thunderbird_920's avatar
thunderbird_920
Icon for Nimbostratus rankNimbostratus
Jul 15, 2011

SSL persistence with F5

We are having the sharepoint portal. There are some users connected from 1 source ip remotely

 

If SSL persistence is enabled, all the connection will go to 1 reverse proxy server.

 

If there is no SSL persistence, the connection will load balanced to both reverse proxy server.

 

 

How to justify this? If there a way make it load balanced with SSL persistence enabled?

 

  • Exactly what persistence method is being used? Is it really SSL persistence method? If so, that should not break load-balancing distribution. Are you terminating SSL on F5?
  • If you're decrypting the SSL on LTM you could use cookie insert persistence instead. This is generally a better method than SSL session ID persistence as it is not subject to the browser using a new session ID.

     

     

    But I'm surprised to hear that all requests get persisted to the same pool member with SSL session ID persistence. Each browser, even if connecting from behind the same proxy, should negotiate an SSL handshake with a separate SSL session ID. Or are you using server SSL also? If so, see SOL3062 for the requirements for using SSL persistence:

     

     

    sol3062: Using SSL (Session ID) persistence

     

    http://support.f5.com/kb/en-us/solutions/public/3000/000/sol3062.html

     

     

    Aaron
  • I understand that each browser, even if connecting from behind the same proxy, should negotiate an SSL handshake with a separate SSL session ID. If we put 1 machine with 1 source IP that simulate 200 users login to the page at the same time (load testing), do you think the load still will be balanced?
  • Yes, theoretically that should work. However, in real life, browsers renegotiate SSL SessionID every few minutes, and that is going to break your persistence.