From: lbIZZATrealtime360.com
Date: Mon Jan 05 2004 - 21:11:28 EST
Michael,
We were able to purchase an SSL accelerator through a third party vendor. Once
installed, you have to submit a request for the Authorization code to activate
the thing (authenticates against the two MAC addresses), but F5 didn't seem to
care that the box was off the gray market when we contacted them. You might
want to double check with them - they only told me they couldn't sell us a card
unless the box was re-certified, and reluctantly gave us the name of a third
party vendor who was happy to sell us a new card. Once installed, we submitted
the machine id and the MAC addresses and they sent back the authorization right
away. Without the card, you shouldn't have any problem passing the HTTPS
traffic to your web servers, but you won't be as efficient in your SSL
transaction processing and as far as I know, you couldn't make it your SSL
endpoint. As for SSL session ID persistence - you should be able to track the
SSL session id from the session ID in the header, but as you mentioned with IE's
SSL re-negotiation "feature" it isn't always reliable.
If you are NAT'ing traffic, you will want to set up the F5 as your primary router
since if you are using NAT, your server shouldn't have an external address and
will need a means to pass traffic back and forth. As for additional ports
besides HTTPS, it is very simple to set up additional port mappings through the
setup utility and it adds an additional feature of requiring that you open the
ports you want open, rather than leaving unnecessary ports completely
vulnerable.
Hope that helps. Good luck,
-Steve
-----Original Message-----
From: Michael Ferraro [mailto:mikeIZZATmyvest.com]
Sent: Monday, January 05, 2004 3:55 PM
To: lb-lIZZATvegan.net
Subject: [load balancing] F5 BigIP HA Questions
Hi,
We're about to buy a pair of F5 BigIPs in the secondary market and I had
a few questions I was hoping somebody could help us with. Since we're
not looking to buy new, we can't really have the F5 sales engineers
helping us out too much...
If the BigIP doesn't have an SSL accelerator, what functionality do we
lose aside from rapid decryption/re-encryption of traffic? Can a BigIP
still function as an SSL endpoint without the card? My impression is
no.
If the BigIP can't be an SSL endpoint w/out an SSL Accelerator card, how
would it function to load-balance HTTPS traffic? My assumption is that
it can read the SSL session ID w/out decrypting the packets, use round
robin (or another method) to distribute the connections among pool
members, and use that SSL session ID to route future requests for that
session to the same pool member. If that's true, what about IE 5.5+'s
habit of changing (renegotiating) SSL IDs periodically? Can BigIP
v4.2.6 account for that?
When NAT'ing traffic to pool members, is the source IP address unchanged
by the BigIP? If not, I'm assuming that I have to have the BigIP's IP
be the default router for my pool members. Yuck. If the BigIP is the
default router, what about non-HTTPS traffic (e.g., SSH) originating
from the pool members -- will it simply forward that traffic, too?
Thanks in advance!
Regards,
Mike
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
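Both Mike's question (reading the SSL session ID without decrypting, and IE's renegotiation breaking it) and Steve's reply turn on SSL session ID persistence. As an added example that is not code from either poster or from F5: a Python sketch that parses the session ID out of the cleartext TLS ClientHello, sticks it to a pool member, and falls back to round robin when the client offers an empty ID, which is what a fresh or renegotiated handshake looks like from the balancer. The ClientHello bytes are constructed for the demo, and binding an unknown ID on first sight is a simplification (a real balancer would learn the ID from the ServerHello).

```python
import struct
from typing import Dict, List, Optional

def client_hello_session_id(record: bytes) -> Optional[bytes]:
    """Session ID offered in a TLS ClientHello, read from the cleartext handshake.
    Returns b"" when the client offers none, None if this is not a ClientHello."""
    # Record header: content type (0x16 = handshake), version(2), length(2)
    if len(record) < 5 or record[0] != 0x16:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    # Handshake header: msg type (0x01 = ClientHello) + 3-byte length
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ClientHello: version(2) random(32) session_id_len(1) session_id(n) ...
    if len(hello) < 35:
        return None
    sid = hello[35:35 + hello[34]]
    return sid if len(sid) == hello[34] else None

class SessionIdPersistence:
    """Round-robin pool selection with stickiness keyed on the TLS session ID."""
    def __init__(self, pool: List[str]):
        self.pool, self.rr = list(pool), 0
        self.table: Dict[bytes, str] = {}  # session ID -> pool member

    def _round_robin(self) -> str:
        member = self.pool[self.rr % len(self.pool)]
        self.rr += 1
        return member

    def select(self, record: bytes) -> str:
        sid = client_hello_session_id(record)
        if sid:  # resumption attempt: stick to the member that owns the ID
            if sid not in self.table:  # simplification: bind on first sight
                self.table[sid] = self._round_robin()
            return self.table[sid]
        # Empty or missing ID: a new client, or one that renegotiated with a
        # fresh handshake (the IE behaviour in the thread). Nothing to
        # correlate on, so the connection is balanced again; stickiness is lost.
        return self._round_robin()

def make_client_hello(session_id: bytes) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello record (not a real capture)."""
    hello = b"\x03\x01" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one cipher suite, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Run the same client through `select` twice with the same ID and it lands on the same member; send it once more with an empty ID and it is rebalanced, which is the unreliability both posters mention.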
This archive was generated by hypermail 2.1.4 : Mon Jan 05 2004 - 21:21:37 EST