From: Chuck Adkins (Chuck.AdkinsIZZATtheice.com)
Date: Tue Jan 06 2004 - 10:27:53 EST
About SSL endpoint w/o SSL hardware - if your license allows for proxies
of type "SSL" instead of just "Akamize" - then you can certainly use it
to break SSL. I know this to be true for at least the 4.2-code. All
the hardware buys you is the initial SSL handshake, the bulk-crypto is
still done on the CPU - which may or may not be important depending on
your app/traffic/etc.
Chuck
-----Original Message-----
From: Lotter, Rick [mailto:Rick.LotterIZZATqg.com]
Sent: Monday, January 05, 2004 10:45 PM
To: 'lb-lIZZATvegan.net'
Subject: RE: [load balancing] F5 BigIP HA Questions
Hello! My answers are below.
-----Original Message-----
From: Michael Ferraro [mailto:mikeIZZATmyvest.com]
Sent: Monday, January 05, 2004 5:55 PM
To: lb-lIZZATvegan.net
Subject: [load balancing] F5 BigIP HA Questions
>Hi,
>
>We're about to buy a pair of F5 BigIPs in the secondary market and I had
>a few questions I was hoping somebody could help us with. Since we're
>not looking to buy new, we can't really have the F5 sales engineers
>helping us out too much...
>
>If the BigIP doesn't have an SSL accelerator, what functionality do we
>lose aside from rapid decryption/re-encryption of traffic? Can a BigIP
>still function as an SSL endpoint without the card? My impression is
>no.
This is my understanding as well.
>If the BigIP can't be an SSL endpoint w/out an SSL Accelerator card, how
>would it function to load-balance HTTPS traffic? My assumption is that
>it can read the SSL session ID w/out decrypting the packets, use round
>robin (or another method) to distribute the connections among pool
>members, and use that SSL session ID to route future requests for that
>session to the same pool member. If that's true, what about IE 5.5+'s
>habit of changing (renegotiating) SSL IDs periodically? Can BigIP
>v4.2.6 account for that?
Not very well, no. SSL ID is renegotiated as you know which will break
persistence. Even ClientIP or hashing may not work based on megaproxies
like AOL's.
>When NAT'ing traffic to pool members, is the source IP address unchanged
>by the BigIP? If not, I'm assuming that I have to have the BigIP's IP
>be the default router for my pool members. Yuck. If the BigIP is the
>default router, what about non-HTTPS traffic (e.g., SSH) originating
>from the pool members -- will it simply forward that traffic, too?
Nope, SourceIP should be changed, which does mean your default
gateway/router needs to be the "internal" interface on the F5. If you
enable the feature on the F5 it will forward all other traffic as well,
without molesting it. You can configure it as "one-armed", but not
suggested (you lose a lot of features and capabilities.)
>Thanks in advance!
>
>Regards,
>Mike
No problem! We happen to have a pair of F5s with SSL accelerators we will
be getting rid of in a couple weeks... interested? :)
Rick Lotter
I/S - Web Systems Support
Quad/Graphics
Sussex, Wisconsin
www.QG.com
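The mechanism Mike asks about and Rick confirms the weakness of, as an added illustration that is not part of the thread and not F5 code: a balancer that never decrypts can still read the session ID from the cleartext TLS ClientHello and pin that ID to a pool member, but the moment the browser renegotiates and offers a fresh ID the table has no entry and round-robin sends the client wherever it lands next. The ClientHello bytes, the pool member names ("web1", "web2") and the learning rule (record the first ClientHello that offers a given ID; a real balancer also watches the ServerHello) are constructed assumptions for this example.

```python
"""SSL session-ID persistence without decryption, and how renegotiation breaks it.

Constructed example for illustration; not code from the F5 product or the list.
"""
import struct
from itertools import cycle

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def parse_client_hello_session_id(record: bytes) -> bytes:
    """Return the session ID offered in a TLS ClientHello record (may be empty).

    Only the cleartext record/handshake headers are read, so no key material
    is needed: this is what a non-terminating balancer can see.
    """
    # TLS record header: content type (1), version (2), length (2)
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (body_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + body_len]
    # Handshake header: msg type (1), length (3)
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello: client_version (2), random (32), session_id_len (1), session_id
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = hello[34]
    sid = hello[35:35 + sid_len]
    if len(sid) != sid_len:
        raise ValueError("truncated session ID")
    return sid


def build_client_hello(session_id: bytes) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record carrying session_id (test input)."""
    client_random = bytes(32)  # constructed; a real client sends random bytes
    hello = b"\x03\x01" + client_random + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x01\x00"          # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class SessionIdBalancer:
    """Round-robin pool with a session-ID persistence table, no SSL termination."""

    def __init__(self, members):
        self._rr = cycle(members)
        self.table = {}  # session ID -> pool member

    def pick(self, record: bytes):
        """Choose a member for one new TCP connection; returns (member, reason)."""
        sid = parse_client_hello_session_id(record)
        if sid and sid in self.table:
            return self.table[sid], "persisted"
        member = next(self._rr)
        if sid:  # an empty ID is a brand-new session; nothing to pin yet
            self.table[sid] = member
        return member, "new"


def demo():
    """Replay one client's connections; the renegotiated ID is where persistence fails."""
    lb = SessionIdBalancer(["web1", "web2"])  # assumed pool member names
    sid_a = bytes.fromhex("aa" * 32)          # constructed session ID
    sid_b = bytes.fromhex("bb" * 32)          # constructed: ID after the browser renegotiates
    return [
        lb.pick(build_client_hello(sid_a)),   # first sight of A: round-robin, learned
        lb.pick(build_client_hello(sid_a)),   # same A: stays on the same member
        lb.pick(build_client_hello(sid_b)),   # renegotiated B: unknown, may land elsewhere
        lb.pick(build_client_hello(b"")),     # empty ID: new session, cannot be pinned
    ]


if __name__ == "__main__":
    for member, reason in demo():
        print(f"{member:5s} {reason}")
```

The third row is the failure mode Rick describes: after renegotiation the client looks like a stranger to the persistence table, and if its state lives on web1 the request now reaching web2 has lost it. Source-IP persistence is the usual fallback, and the same run shows why the megaproxy caveat matters: many distinct users behind one address would all pin to one member.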
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
This archive was generated by hypermail 2.1.4 : Tue Jan 06 2004 - 10:42:24 EST