
Performance impact of SSL LB vserver vs HTTP vserver behind Content Switching vServer?



Working on an Exchange setup behind Netscaler. All the Exchange services are provided behind a Content Switching virtual server following the https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/ guidelines.

 

The configuration guide implements SSL LB vservers behind the CS vServer. This SSL setup for the non-addressable vserver is quite confusing as this vserver is never directly accessed by users.

 

add lb vserver lb_vsrv_ex2016_owa SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_activesync SSL 0.0.0.0 0 -persistenceType SRCIPDESTIP
add lb vserver lb_vsrv_ex2016_rpc SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_ews SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_autodiscover SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_oab SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_mapi SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_ecp SSL 0.0.0.0 0 -persistenceType NONE

#Bind SSL certificate
#Replace certificate name
bind ssl vserver lb_vsrv_ex2016_owa -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_activesync -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_rpc -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_ews -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_autodiscover -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_oab -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_mapi -certkeyName 'Wildcard-Flashmob'
bind ssl vserver lb_vsrv_ex2016_ecp -certkeyName 'Wildcard-Flashmob'

#Create Content Switch
#Replace IP address of Content Switch
add cs vserver cs_exchange2016_http HTTP 192.168.1.20 80
add cs vserver cs_exchange2016_ssl SSL 192.168.1.20 443
#Replace certificate name
bind ssl vserver cs_exchange2016_ssl -certkeyName 'Wildcard-Flashmob'

 

Why do we have to configure SSL LB vservers behind the SSL CS vserver?

Is there a performance impact compared with HTTP LB vservers? If yes, why is this setup authorized by Netscaler?


hi!

 

You configure SSL LB if your services/servers attached to the LB are expecting a secure connection.

That means the NetScaler will connect to the servers in the backend via SSL. So the traffic between NetScaler and servers is secured.

 

If your services/servers are not expecting a secure connection you can use an HTTP LB with HTTP services.

 

On the front-end you have SSL in both cases.

 

Client->Netscaler->Server

 

You have one session in the front-end and one in the back-end.

The session in the front-end is usually secured (SSL) as this is in most cases exposed to the internet.

The back-end session can be in your case HTTP or SSL: SSL if you want to secure the back-end session also.


Hello,

I had the same question a year or so ago.  At our site, we require SSL on the front end and also on the back end, but we don't require SSL for traffic "inside" the NetScaler.  We have a Content Switching vServer set up only for our OWA traffic, not all the available Exchange "types" you have above, but for OWA, our picture used to look like this:

SSL -> SSL -> SSL

After consulting with folks on this forum and others, our picture is now this:

SSL -> HTTP -> SSL

 

Everything works fine, so you don't "have to configure SSL LB vservers behind the SSL CS vserver," it seems.  :)


42 minutes ago, Robert Blissitt said:

Hello,

I had the same question a year or so ago.  At our site, we require SSL on the front end and also on the back end, but we don't require SSL for traffic "inside" the NetScaler.  We have a Content Switching vServer set up only for our OWA traffic, not all the available Exchange "types" you have above, but for OWA, our picture used to look like this:

SSL -> SSL -> SSL

After consulting with folks on this forum and others, our picture is now this:

SSL -> HTTP -> SSL

 

Everything works fine, so you don't "have to configure SSL LB vservers behind the SSL CS vserver," it seems.  :)

Thanks for your answer ;-)

 

Have you noticed a difference in terms of performance between the SSL -> SSL -> SSL and the SSL -> HTTP -> SSL patterns under heavy load?

 

It would be great to have a better understanding from Citrix of traffic flow inside NetScaler to understand the impact of both configurations (Does the SSL -> SSL -> SSL pattern use SSL resources from the SSL acceleration board of a NetScaler MPX? Does NetScaler ignore the "inside" SSL requirement if the vserver is non-addressable and just forward the HTTP payload between modules? Can we capture internal traffic between modules? ...)


As far as I know these are the 3 scenarios:

 

SSL -> HTTP -> HTTP - front-end session is SSL, and the back-end is HTTP, also called SSL offloading. This takes the load from the servers as the SSL encryption/decryption is done on the NetScaler.

 

SSL -> HTTP -> SSL - this is similar to the one above, but it adds extra security by using SSL sessions to the back-end servers. This scenario might have an impact on performance as it needs SSL sessions in front-end and back-end. But from my experience I haven't seen any impact.

 

SSL -> SSL -> SSL - this is when you use an SSL_Bridge VIP; the SSL sessions do not terminate on the VIP like in the other 2 scenarios, but on the servers themselves.

The certificate must be on the servers. Because the NetScaler can't look into the SSL sessions it can't do content switching, responder policies etc.

The heavy load will be on the servers as they will terminate the SSL sessions.

 

 

It really depends what MPX you have and what heavy load is for you. NetScalers have hardware SSL cards, so everything is done by dedicated hardware, not in software. If those SSL cards fail, then the SSL offload will be done by the NetScaler's CPU; in this case you will see an impact.

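As an added example (not from this thread or from the citrixguyblog guide), here is the NetScaler CLI for the SSL -> HTTP -> SSL pattern that the two posts above describe, for the OWA path only: the client session terminates once on the SSL CS vserver, the non-addressable LB vserver is HTTP, and the services re-encrypt to Exchange. Backend IPs, service names, the policy names and the CA certkey 'Internal-CA' are placeholders; the two Exchange IPs are constructed.

```text
# Added example, not the guide's config. Pattern: SSL (CS) -> HTTP (LB) -> SSL (service).
# Backend services of type SSL: this is the third hop, the ADC re-encrypts to Exchange on 443.
# 192.168.1.31 / .32 are constructed placeholder Exchange server addresses.
add service svc_ex2016_owa_1 192.168.1.31 SSL 443
add service svc_ex2016_owa_2 192.168.1.32 SSL 443

# Optional hardening: have the ADC verify the Exchange server certificate on the back-end
# session. Assumes a CA certkey named 'Internal-CA' is already installed on the ADC.
set ssl service svc_ex2016_owa_1 -serverAuth ENABLED
bind ssl service svc_ex2016_owa_1 -certkeyName 'Internal-CA' -CA
set ssl service svc_ex2016_owa_2 -serverAuth ENABLED
bind ssl service svc_ex2016_owa_2 -certkeyName 'Internal-CA' -CA

# Non-addressable LB vserver of type HTTP: no certificate is bound here, because the client
# session was already decrypted on the CS vserver. (bind ssl vserver on an HTTP vserver is
# not applicable, which is why the guide's SSL LB vservers each carry a certkey bind.)
add lb vserver lb_vsrv_ex2016_owa HTTP 0.0.0.0 0 -persistenceType NONE
bind lb vserver lb_vsrv_ex2016_owa svc_ex2016_owa_1
bind lb vserver lb_vsrv_ex2016_owa svc_ex2016_owa_2

# Addressable CS vserver of type SSL: the only place the public certificate is bound.
add cs vserver cs_exchange2016_ssl SSL 192.168.1.20 443
bind ssl vserver cs_exchange2016_ssl -certkeyName 'Wildcard-Flashmob'

# Content switching inspects the decrypted request (URL path here). This inspection is
# exactly what SSL_BRIDGE cannot provide, which is why an SSL_BRIDGE LB cannot sit behind a CS.
add cs action cs_act_ex2016_owa -targetLBVserver lb_vsrv_ex2016_owa
add cs policy cs_pol_ex2016_owa -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action cs_act_ex2016_owa
bind cs vserver cs_exchange2016_ssl -policyName cs_pol_ex2016_owa -priority 100
```

To get the guide's SSL -> SSL -> SSL layout instead, change the LB vserver type to SSL and bind the certkey to it as in the original post; the services and the CS vserver stay the same.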

@Mihai Cziraki1709160741 : The SSL -> HTTP -> HTTP and SSL -> HTTP -> SSL scenarios are crystal clear and well described in NetScaler documentation (https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-setup.html)

 

The reference to SSL_BRIDGE in the SSL -> SSL -> SSL would have been a great explanation of the pattern but NetScaler documentation states that SSL_BRIDGE is not supported as a valid CS service type (https://developer-docs.citrix.com/projects/netscaler-command-reference/en/12.0/cs/cs-vserver/cs-vserver/) or LB vserver type behind a CS vserver (https://support.citrix.com/article/CTX215462)

 

Quote

serviceType

Protocol used by the virtual server.

Possible values: HTTP, SSL, TCP, FTP, RTSP, SSL_TCP, UDP, DNS, SIP_UDP, SIP_TCP, SIP_SSL, ANY, RADIUS, RDP, MYSQL, MSSQL, DIAMETER, SSL_DIAMETER, DNS_TCP, ORACLE, SMPP

 

Quote

Q: Is it possible to bind an SSL_BRIDGE Load Balancer to a Content Switch?

A: No, due to how content switches on the NetScaler operate, it is not possible to bind an SSL_BRIDGE load balancer to a content switch. This is because NetScaler content switches require to look into the HTTP headers of packets and switch them based on the contents of these headers. In an SSL_BRIDGE connection, the NetScaler would not be able to decrypt the traffic and therefore would not be able to operate correctly. Generally, this is done by using Content Switching policies which check for Host header and URL part of the request.

You can configure an SSL load balancer for the content switch which would allow the traffic to be sent to the backend to be encrypted.

 

The last "You can configure an SSL load balancer for the content switch which would allow the traffic to be sent to the backend to be encrypted" statement is strange compared with the https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-setup.html documentation, which states that the SSL service type has to be used for encrypted communications with backend servers.

 

The SSL -> SSL -> SSL use case is still not clear reading the Citrix doc ;-)


hi!

 

I already said in my last post that if you use SSL-Bridge you can't do content switching.

That means you need a lb vserver. I thought this was clear.

 

The Citrix documentation is not always clear.

 

Here you have how to configure ssl_bridge:

https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/how-to-articles/ssl-bridging.html

You use this scenario when you want the ADC only to load balance the connections and you don't need the offloading of SSL to be done by the ADC;

in this case the certificate is on the servers behind the VIP.


Archived

This topic is now archived and is closed to further replies.
