Timeout settings

Hi Brian, the port numbers themselves do not matter, even though SAP's numbering scheme is unique. As to what your network admin is saying, this is correct, you can not make cookie persistence decisions on encrypted traffic without first terminating the SSL traffic on the BIG-IP itself. I'm assuming here that you are not terminating SSL on the BIG-IP but instead letting the SAP servers take care of SSL termination for you.

 

 

I would highly recommend moving the SSL certificates to the BIG-IP. The SAP deployment guide (http://www.f5.com/pdf/deployment-guides/f5-sap-dg.pdf) details how to configure the BIG-IP for this. Exporting the SSL certificates is done through the J2EE Visual Administrator tool in SAP. It's very straightforward and takes several minutes. You can then import the certificate to the BIG-IP which will allow your SSL traffic to also benefit from cookie persistence.

 

 

If you do this, you would have two options. You can either send the traffic to the NON-SSL SAP instance, in which case traffic would be encrypted all the way to the BIG-IP then unencrypted to the server or you can re-encrypt the traffic after the cookie decision is made and the traffic will be encrypted all the way to the SAP instance. In neither case will the user see anything usual or different. You will see big improvements in server CPU utilization by offloading SSL from the SAP servers and there should be a general improvement in response time as a result. However, the decision is one that you, your network admins and your security team need to make in concert.

 

 

I hope this helps, let us know if you have additional questions. The deployment guide does a fantastic job (I think, but let me know otherwise ;-) ) of describing how to configure SSL off-load in the BIG-IP. For exact instructions on exporting your SSL key and certificate from J2EE Visual Administrator, drop me an email.