
SSL, and stickiness

lionellemaire
Level 1

Hello,

Would it work to load balance with cookies if it's HTTPS traffic not terminated on the VIP but on the real servers?

Thanks

3 Replies

Diego Vargas
Cisco Employee

Hello,

This is not going to be possible if you are not terminating SSL traffic on the balancer. The layer 5 information is encrypted, so the balancer is not going to be able to look at the cookies or URLs in order to do balancing or stickiness.

One important thing to mention is that the SSL ID in SSL v3.0 is not encrypted, so the stickiness based on SSL ID will work fine, but then again not based on cookies or URL.

The servers are single sign-on servers. And the clients are going to be a mix of everything. People will be logged on to the same server for hours at a time. A disconnection because of CSS will not be acceptable.

Do you think I can rely on SSLID or shall I push for terminating the SSL on the CSS?

I'm at the beginning of the project, so if I have to change something I must do it now.

What do you think?

You can rely on SSLID if you are sure the client's application will not be changing the SSL ID within the session.

For example, some versions of IE will be renegotiating the SSLID a few minutes after the session is established; that will probably cause a disconnection.

So the key is to be sure the SSL ID will not be renegotiated by the client.
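
An added example, not part of the thread and not how the CSS itself is implemented: it reads the cleartext session ID from an SSL v3.0 hello record, which is the only per-session field a balancer can key on without terminating SSL, and shows the sticky lookup missing when a client presents a different ID. `SslIdStickyTable`, `build_hello`, the server names and the sample records are hypothetical and constructed for illustration.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

def hello_session_id(record: bytes):
    """Return (handshake_type, session_id) from a cleartext hello, else None."""
    if len(record) < 5 + 4 + 2 + 32 + 1:
        return None
    ctype, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rec_len:
        return None
    hs_type = record[5]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    pos = 5 + 4 + 2 + 32          # record hdr, handshake hdr, version, random
    sid_len = record[pos]
    sid = record[pos + 1:pos + 1 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        return None
    return hs_type, sid

class SslIdStickyTable:
    """Hypothetical sticky table (session ID -> real server), round-robin on a miss."""
    def __init__(self, servers):
        self.servers, self.table, self.rr = list(servers), {}, 0

    def learn(self, server_hello: bytes, server: str):
        """Record the ID the real server assigned in its ServerHello."""
        parsed = hello_session_id(server_hello)
        if parsed and parsed[0] == SERVER_HELLO and parsed[1]:
            self.table[parsed[1]] = server

    def pick(self, client_hello: bytes):
        """Return (server, sticky_hit) for a new TCP connection."""
        parsed = hello_session_id(client_hello)
        sid = parsed[1] if parsed and parsed[0] == CLIENT_HELLO else b""
        if sid in self.table:
            return self.table[sid], True
        server = self.servers[self.rr % len(self.servers)]
        self.rr += 1
        return server, False

def build_hello(hs_type, sid, version=(3, 0)):
    """Constructed sample record (zeroed random, placeholder cipher list)."""
    tail = b"\x00\x02\x00\x04\x01\x00" if hs_type == CLIENT_HELLO else b"\x00\x04\x00"
    body = bytes(version) + bytes(32) + bytes([len(sid)]) + sid + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *version]) + struct.pack("!H", len(hs)) + hs
```

A client that keeps offering the learned ID stays on the same real server; one that offers a new or empty ID is balanced as a fresh session, which is the disconnection risk raised in the last reply.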
