RE: [load balancing] F5 BigIP HA Questions

From: lbIZZATrealtime360.com
Date: Mon Jan 05 2004 - 21:11:28 EST


    Michael,

    We were able to purchase an SSL accelerator through a third party vendor. Once
    installed, you have to submit a request for the Authorization code to activate
    the thing (authenticates against the two MAC addresses), but F5 didn't seem to
    care that the box was off the gray market when we contacted them. You might
    want to double check with them - they only told me they couldn't sell us a card
    unless the box was re-certified, and reluctantly gave us the name of a third
    party vendor who was happy to sell us a new card. Once installed, we submitted
    the machine id and the MAC addresses and they sent back the authorization right
    away. Without the card, you shouldn't have any problem passing the HTTPS
    traffic to your web servers, but you won't be as efficient in your SSL
    transaction processing and as far as I know, you couldn't make it your SSL
    endpoint. As for SSL session ID persistence - you should be able to track the
    SSL session id from the session ID in the header, but as you mentioned with IE's
    SSL re-negotiation "feature" it isn't always reliable.

    If you are NAT'ing traffic, you will want to set up the F5 as your primary router
    since if you are using NAT, your server shouldn't have an external address and
    will need a means to pass traffic back and forth. As for additional ports
    besides HTTPS, it is very simple to set up additional port mappings through the
    setup utility and it adds an additional feature of requiring that you open the
    ports you want open, rather than leaving unnecessary ports completely
    vulnerable.

    Hope that helps. Good luck,

     -Steve

    -----Original Message-----
    From: Michael Ferraro [mailto:mikeIZZATmyvest.com]
    Sent: Monday, January 05, 2004 3:55 PM
    To: lb-lIZZATvegan.net
    Subject: [load balancing] F5 BigIP HA Questions

    Hi,

    We're about to buy a pair of F5 BigIPs in the secondary market and I had
    a few questions I was hoping somebody could help us with. Since we're
    not looking to buy new, we can't really have the F5 sales engineers
    helping us out too much...

    If the BigIP doesn't have an SSL accelerator, what functionality do we
    lose aside from rapid decryption/re-encryption of traffic? Can a BigIP
    still function as an SSL endpoint without the card? My impression is
    no.

    If the BigIP can't be an SSL endpoint w/out an SSL Accelerator card, how
    would it function to load-balance HTTPS traffic? My assumption is that
    it can read the SSL session ID w/out decrypting the packets, use round
    robin (or another method) to distribute the connections among pool
    members, and use that SSL session ID to route future requests for that
    session to the same pool member. If that's true, what about IE 5.5+'s
    habit of changing (renegotiating) SSL IDs periodically? Can BigIP
    v4.2.6 account for that?

    When NAT'ing traffic to pool members, is the source IP address unchanged
    by the BigIP? If not, I'm assuming that I have to have the BigIP's IP
    be the default router for my pool members. Yuck. If the BigIP is the
    default router, what about non-HTTPS traffic (e.g., SSH) originating
    from the pool members -- will it simply forward that traffic, too?

    Thanks in advance!

    Regards,
    Mike

    ____________________
    The Load Balancing Mailing List
    Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
    Archive: http://vegan.net/lb/archive
    LBDigest: http://lbdigest.com
    MRTG with SLB: http://vegan.net/MRTG
    Hosted by: http://www.tokkisystems.com
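The mechanism both messages are discussing, SSL session ID persistence without terminating SSL, can be shown in a few lines: the session ID sits in the cleartext ClientHello/ServerHello, so a balancer can read it without any key material. The following is an added illustration, not F5 code and not tied to BigIP v4.2.6; it assumes SSLv3/TLS 1.0 record framing, plain session IDs (not session tickets), and hypothetical pool member names. It also reproduces the caveat raised in the thread: a client that renegotiates and presents an ID the balancer has never seen is simply re-balanced, which is why persistence on the session ID alone is not reliable.

```python
"""Toy SSL session-ID persistence as a non-terminating load balancer does it.

Added example, not vendor code.  Assumptions: TLS 1.0 record framing, one
handshake message per record, session IDs (no tickets), hypothetical pool names.
"""
import struct
from itertools import cycle
from typing import Dict, List, Optional

HANDSHAKE = 0x16          # TLS record content type for handshake messages
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02


def hello_session_id(record: bytes) -> Optional[bytes]:
    """Return the session ID carried by a ClientHello or ServerHello record.

    Returns b"" for an empty session ID (a brand-new session) and None when the
    record is not a Hello.  No decryption is needed: the Hello is cleartext and
    laid out as version(2) + random(32) + session_id_len(1) + session_id.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        return None
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        return None                      # malformed; do not trust the length byte
    return hello[35:35 + sid_len]


class SslIdPersistence:
    """Round-robin pool selection with session-ID stickiness learned from ServerHello."""

    def __init__(self, pool: List[str]) -> None:
        self._rr = cycle(pool)
        self.sid_to_member: Dict[bytes, str] = {}   # session ID -> pool member
        self.conn_member: Dict[str, str] = {}       # connection -> pool member

    def select_member(self, conn_id: str, client_hello: bytes) -> str:
        """Pick a member for a new connection.  Known session ID -> same member;
        empty or unknown ID (new session or renegotiated by the browser) -> round robin."""
        sid = hello_session_id(client_hello)
        member = self.sid_to_member.get(sid) if sid else None
        if member is None:
            member = next(self._rr)
        self.conn_member[conn_id] = member
        return member

    def learn(self, conn_id: str, server_hello: bytes) -> None:
        """Record the ID the chosen server assigned so later resumptions stick."""
        sid = hello_session_id(server_hello)
        if sid:
            self.sid_to_member[sid] = self.conn_member[conn_id]


def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Construct a minimal, well-formed Hello record for testing (constructed input)."""
    body = b"\x03\x01" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    if msg_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    lb = SslIdPersistence(["web1", "web2"])          # hypothetical pool members
    first = lb.select_member("c1", build_hello(CLIENT_HELLO, b""))
    lb.learn("c1", build_hello(SERVER_HELLO, b"A" * 32))
    resumed = lb.select_member("c2", build_hello(CLIENT_HELLO, b"A" * 32))
    renegotiated = lb.select_member("c3", build_hello(CLIENT_HELLO, b"B" * 32))
    print(first, resumed, renegotiated)  # resumed stays on first; renegotiated re-balanced
```

The `learn` step matters: the server, not the client, mints the session ID in its ServerHello, so a balancer that only inspects ClientHello can never build the table. The third connection shows the failure mode from the thread: a browser that silently renegotiates presents an unknown ID and is treated as new traffic, landing wherever round robin points next.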



    This archive was generated by hypermail 2.1.4 : Mon Jan 05 2004 - 21:21:37 EST