SSL in NLB Web Farm -- & Server Affinity

Guest

Hello

I have a quick question

In order to use SSL for a site running on a webfarm w/ NLB - do I need to have Server Affinity activated? I don't want a new SSL "handshake"/certificate to be performed on every request. So, what configuration would I need to use in my application to disable server affinity in my farm but still have optimized performance of SSL process?

Any suggestions/advice greatly appreciated

Thanks in advance

Cheers!
 
Hi -

Admittedly, NLB does not currently do a great job with SSL. It does not
guarantee SSL session affinity explicitly. So long as subsequent SSL
connections that are part of the same session are handled by the same
NLB host, SSL will be "optimized"; i.e., the session will not have to be
re-negotiated. If you remove affinity in NLB, then each TCP connection of
an SSL session may be handled by a different host - this will not explicitly
BREAK SSL, but as you point out, it will incur a potentially unacceptable
overhead. However, by using Single Affinity, NLB usually does a decent job
preserving SSL - all SSL connections from the same client IP address will be
handled by the same NLB node.

There is nothing that you can do in your application to preserve SSL
affinity, while disabling client affinity in NLB. Note that there is
nothing inherently WRONG with enabling client affinity in NLB, so long as
your client population contains enough entropy to guarantee good
load-balancing. Do you have reason to believe that client affinity will be
unacceptable in your environment?

Hope this helps.

Cheers, Sean

--
Sean (MS)

This posting is provided "AS IS" with no warranties, and confers no rights.


Q said:
Hello,

I have a quick question -

In order to use SSL for a site running on a webfarm w/ NLB - do I need to
have Server Affinity activated? I don't want a new ssl
"handshake"/certificate to be performed on every request. So, what
configuration would I need to use in my application to disable server
affinity in my farm but still have optimized performance of SSL process?
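
A small model of the trade-off described in the reply above, added here as an illustration; it is not part of the original thread and not Microsoft's code. The hash in `pick_host`, the farm size and the traffic are constructed assumptions and do not reproduce NLB's real distribution algorithm; only the choice of key (client IP for Single affinity, client IP plus source port for no affinity) is modelled.

```python
import hashlib
from collections import Counter

HOSTS = 4  # assumed farm size (constructed)

def pick_host(ip, port, affinity):
    # Stand-in for NLB's distribution, not its real algorithm: only the key matters.
    # "single" keys on client IP; "none" keys on client IP and source port.
    key = ip if affinity == "single" else f"{ip}:{port}"
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % HOSTS

def simulate(connections, affinity):
    """connections: (client_id, source_ip, source_port) per TCP connection.
    Returns (full_handshakes, resumed_sessions, per_host_load)."""
    issuer = {}            # client_id -> host that issued its current SSL session
    full = resumed = 0
    load = Counter()
    for client, ip, port in connections:
        host = pick_host(ip, port, affinity)
        load[host] += 1
        if issuer.get(client) == host:
            resumed += 1   # host still holds this session: no re-negotiation
        else:
            full += 1      # a different host has no record of it: full negotiation
            issuer[client] = host
    return full, resumed, load

def sample_traffic(clients, conns_each, shared_ips=None):
    # Constructed traffic: each client opens conns_each connections from new ports.
    # shared_ips models clients behind a few proxy/NAT addresses (low entropy).
    out = []
    for c in range(clients):
        ip = shared_ips[c % len(shared_ips)] if shared_ips else f"10.0.{c // 250}.{c % 250 + 1}"
        out += [(c, ip, 40000 + c * conns_each + n) for n in range(conns_each)]
    return out

if __name__ == "__main__":
    spread = sample_traffic(50, 20)
    proxied = sample_traffic(50, 20, shared_ips=["192.0.2.10", "192.0.2.11"])
    for name, traffic in (("distinct IPs", spread), ("two proxy IPs", proxied)):
        for affinity in ("single", "none"):
            full, resumed, load = simulate(traffic, affinity)
            print(f"{name:14} {affinity:6} full={full:4} resumed={resumed:4} load={dict(load)}")
```

With Single affinity each client pays one full handshake and resumes afterwards, but when the whole client population sits behind two addresses, at most two hosts receive any load, which is the entropy condition the reply mentions.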
 