ServerIron ADX Server Load Balancing Guide
Release 12.0.00
June 15, 2009


SSL Accelerators
The ServerIron ADX features enhanced support for SSL accelerators by allowing the ServerIron ADX to send return traffic from a real server back to the SSL accelerator from which it was sent.
Normally, when the ServerIron ADX supports SLB for some services and TCS for others, the cache server uses the original client’s IP address as the source IP address for SLB traffic sent from the cache server to the ServerIron ADX. When the ServerIron ADX sends return traffic from the real server back to the client, it goes directly to the original client (bypassing the cache server).
Some configurations, however (such as those using an SSL accelerator as a cache server), may require that traffic from a real server first go back to the cache server before going to the original client. Using a technique called VIP spoofing, the ServerIron ADX, when it receives traffic from a real server on a specified port, forwards it not to the original client but to the cache server where the SLB traffic was initiated.
The following diagram illustrates a configuration that uses VIP spoofing to direct SLB traffic from a real server to the SSL accelerator that originated the traffic.
Figure 2.13: Using VIP spoofing with an SSL accelerator
In this configuration, SSL traffic travels from the client to the real server as follows:
1. The client sends an SSL packet to a ServerIron ADX VIP on port 443.
2. The ServerIron ADX directs the packet to the SSL accelerator on port 443.
3.
4. The ServerIron ADX directs the packet to the real server on port 80.
5. The real server sends a packet to the ServerIron ADX on port 80.
6. The ServerIron ADX sends the packet to the SSL accelerator on port 80.
   Normally, the ServerIron ADX would send the packet directly back to the original client on port 80. However, with the VIP spoofing feature enabled, the ServerIron ADX instead sends the packet to the cache server that initiated the traffic (in this case the SSL accelerator).
7.
8. The ServerIron ADX sends the packet to the client on port 443.
To implement a configuration like the one in Figure 2.13, enter the following commands.
SLB Configuration
You can configure a ServerIron ADX so that the client’s request to the VIP is translated to the real IP address of the cache server (that is, the SSL Accelerator) and then sent there. In this case, the port ssl cache-enable command is not used in the VIP's configuration. Instead, the cache server is bound to the SSL port on the VIP. In the example above, VIP vip1 would have the following configuration:
ServerIron(config)# server virtual-name-or-ip vip1 10.10.1.100
ServerIron(config-vs-vip1)# port http
ServerIron(config-vs-vip1)# port http spoofing
ServerIron(config-vs-vip1)# port ssl
ServerIron(config-vs-vip1)# port ssl sticky
ServerIron(config-vs-vip1)# bind ssl cs1 ssl
ServerIron(config-vs-vip1)# bind http rs1 http
ServerIron(config-vs-vip1)# exit
Syntax: port http spoofing
TCS Configuration
ServerIron(config)# server cache-name cs1 10.10.1.10
ServerIron(config-rs-cs1)# port ssl
ServerIron(config-rs-cs1)# port ssl no-health-check
ServerIron(config-rs-cs1)# port http
ServerIron(config-rs-cs1)# port http no-health-check
ServerIron(config-rs-cs1)# port http url "HEAD /"
ServerIron(config-rs-cs1)# exit
ServerIron(config)# server real rs1 10.10.1.40
ServerIron(config-rs-rs1)# port http
ServerIron(config-rs-rs1)# port http url "HEAD /"
ServerIron(config-rs-rs1)# exit
ServerIron(config)# server virtual-name-or-ip vip1 10.10.1.100
ServerIron(config-vs-vip1)# port http
ServerIron(config-vs-vip1)# port http spoofing
ServerIron(config-vs-vip1)# port ssl
ServerIron(config-vs-vip1)# port ssl sticky
ServerIron(config-vs-vip1)# port ssl cache-enable
ServerIron(config-vs-vip1)# bind http rs1 http
ServerIron(config-vs-vip1)# exit
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# cache-name cs1
ServerIron(config-tc-1)# exit
ServerIron(config)# ip address 10.10.1.1 255.255.255.0
ServerIron(config)# ip default-gateway 10.10.1.3
ServerIron(config)# ip policy 1 cache tcp 0 global
ServerIron(config)# ip policy 2 cache tcp ssl global
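The following is an added example, not part of the Brocade guide: a Python audit that reads a CLI transcript in the form shown above and reports, per VIP, whether port 443 reaches the accelerator through a binding (SLB variant) or through port ssl cache-enable (TCS variant), and flags a VIP without port http spoofing, where replies on port 80 would go straight to the client. The function names, mode labels and the abbreviated sample transcript are assumptions made for this example.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "ServerIron(config-vs-vip1)# "

def parse(text):
    """Return (cache server names, {vip name: [commands]}) from a CLI transcript."""
    caches, vips, current = set(), {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if len(words) >= 3 and words[0] == "server":
            current = None                      # any "server ..." line opens a new stanza
            if words[1] == "cache-name":
                caches.add(words[2])
            elif words[1] == "virtual-name-or-ip":
                current = vips.setdefault(words[2], [])
        elif words == ["exit"]:
            current = None
        elif current is not None and words:
            current.append(" ".join(words))     # command inside a VIP stanza
    return caches, vips

def audit(text):
    """Per VIP: (how port 443 reaches the accelerator, list of findings)."""
    caches, vips = parse(text)
    report = {}
    for name, cmds in vips.items():
        words = [c.split() for c in cmds]
        bound = any(w[:2] == ["bind", "ssl"] and len(w) > 2 and w[2] in caches for w in words)
        cache_enable = "port ssl cache-enable" in cmds
        findings = []
        if bound and cache_enable:
            mode = "conflict"  # the page's two variants use one mechanism or the other
            findings.append("ssl is both bound to a cache server and cache-enabled")
        else:
            mode = "slb-bind" if bound else "tcs" if cache_enable else "none"
        if mode != "none" and "port http spoofing" not in cmds:
            findings.append("port http spoofing missing: port 80 replies bypass the accelerator")
        report[name] = (mode, findings)
    return report

# Constructed input: an abbreviated transcript of this page's SLB variant.
SLB = """ServerIron(config)# server cache-name cs1 10.10.1.10
ServerIron(config)# server virtual-name-or-ip vip1 10.10.1.100
ServerIron(config-vs-vip1)# port http spoofing
ServerIron(config-vs-vip1)# bind ssl cs1 ssl
ServerIron(config-vs-vip1)# bind http rs1 http
ServerIron(config-vs-vip1)# exit"""

if __name__ == "__main__":
    print(audit(SLB))
```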

Copyright © 2009 Brocade Communications Systems, Inc.