
Why do we deploy TCP 443 instead of SSL_BRIDGE on a vserver?


Amar Aditya

Hi Everyone,

I was working on a user request. In the request they mentioned that they need to create a TCP 443 vserver.

So I checked with them, and they insisted on using TCP 443, neither SSL_BRIDGE nor full SSL mode.

Currently the vserver is up and running fine (similar to SSL_BRIDGE), but from this I got a few questions.

Why do we use TCP 443?

What is the difference between these two deployments?

In SSL_BRIDGE, the SSL traffic is sent untouched to the back-end server. Since the NetScaler only sees the encrypted traffic, SSL_BRIDGE cannot take advantage of advanced features (Content switching, for example). It's used mostly when all you need is load-balancing. You don't need an SSL certificate on the NetScaler (since SSL processing is done by the web server).

In SSL (tcp 443 or SSL offload), the connection is terminated at the NetScaler, and a new connection is made to the back-end server. You need to bind an SSL certificate to the vServer.


14 minutes ago, Sam Jacobs said:

In SSL_BRIDGE, the SSL traffic is sent untouched to the back-end server. Since the NetScaler only sees the encrypted traffic, SSL_BRIDGE cannot take advantage of advanced features (Content switching, for example). It's used mostly when all you need is load-balancing. You don't need an SSL certificate on the NetScaler (since SSL processing is done by the web server).

In SSL (tcp 443 or SSL offload), the connection is terminated at the NetScaler, and a new connection is made to the back-end server. You need to bind an SSL certificate to the vServer.

TCP 443 does not need a Certificate. 

For SSL_BRIDGE as well, the SNIP initiates the connection. (It just forwards the request it gets, as it cannot modify any SSL parameters.)


In answer to your original question: Why TCP 443 over SSL_BRIDGE? It's because (as mentioned above) you can't take advantage of advanced NetScaler features with SSL_BRIDGE.

So the question now is: Why TCP 443 rather than SSL? Other than not requiring an SSL certificate on NetScaler, I'm not sure (since HTTPS supports all persistence types supported by TCP).

  • Like 1
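
The three vserver types discussed in this thread, side by side, as an added NetScaler CLI example that is not from any of the posters. All object names, the documentation-range IP addresses and the certificate-key pair name `example_certkey` are constructed placeholders, and the `#` lines are annotations.

```netscaler
# Backend web server (constructed address) that does its own TLS on 443
add server web01 198.51.100.21

# 1) TCP vserver on port 443: plain layer-4 proxying.
#    The appliance does not terminate TLS here, so no certificate is bound
#    and it never sees the decrypted HTTP request.
add service svc_web01_tcp web01 TCP 443
add lb vserver vs_app_tcp TCP 192.0.2.10 443 -persistenceType SOURCEIP
bind lb vserver vs_app_tcp svc_web01_tcp

# 2) SSL_BRIDGE vserver: the TLS stream is also forwarded untouched and no
#    certificate is bound, but the appliance knows the payload is TLS, so
#    SSL session ID persistence becomes available.
add service svc_web01_bridge web01 SSL_BRIDGE 443
add lb vserver vs_app_bridge SSL_BRIDGE 192.0.2.11 443 -persistenceType SSLSESSION
bind lb vserver vs_app_bridge svc_web01_bridge

# 3) SSL vserver: TLS is terminated on the appliance, so a certificate-key
#    pair must be bound to the vserver. The decrypted HTTP request is visible,
#    which is what allows HTTP-aware features such as cookie persistence.
#    The SSL service re-encrypts traffic towards the backend.
#    (example_certkey is assumed to have been created with "add ssl certKey".)
add service svc_web01_ssl web01 SSL 443
add lb vserver vs_app_ssl SSL 192.0.2.12 443 -persistenceType COOKIEINSERT
bind lb vserver vs_app_ssl svc_web01_ssl
bind ssl vserver vs_app_ssl -certkeyName example_certkey
```

With types 1 and 2 the private key stays only on the backend server and the appliance cannot inspect or filter the requests; with type 3 the key also lives on the appliance and inspection is possible there.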