ssl_bridge for https without LB SSL offloading


Anand Gopinath

Dear Community,

If the LB is not used for SSL offloading (no SSL certificates on the LB):

Apart from the fact that we get to use the "SSL session ID" persistence option, is there any other benefit of using ssl_bridge instead of tcp 443 for HTTPS load balancing?

Similarly, are there any cons of using ssl_bridge in the same scenario?


SSL offloading moves the encryption/decryption burden from the back-end servers to the ADC. This gives you faster responses from back-end (web) servers, and better (web) server performance. Also, because the content is passing encrypted through the ADC, content switching and cache redirection do not work.


Hello Sam,

4 minutes ago, Sam Jacobs said:

SSL offloading moves the encryption/decryption burden from the back-end servers to the ADC. This gives you faster responses from back-end (web) servers, and better (web) server performance. Also, because the content is passing encrypted through the ADC, content switching and cache redirection do not work.

We are not using SSL offloading on our LB.

So what is the difference between the two options below?

a vserver with type tcp and port 443 (and the backend servers also tcp 443)

a vserver with type ssl_bridge and port 443 (and the backend servers also ssl_bridge port 443)


Well, there is a big difference between an SSL bridge and a TCP load-balancer.

Like all L7 load-balancing methods, an SSL bridge knows about the protocol. So it needs to see a Client Hello, a Server Hello and a certificate as a reply, and a change cipher specification message from client to server and from server to client. It would not be possible to proxy, let's say, SMTP on port 443 through an SSL bridge.

A TCP load-balancer knows about TCP. It's L4 load-balancing. While it would not proxy UDP packets, it will proxy any TCP packet, no matter what content it has.

There is another difference: L4 load-balancing is done when a TCP/SYN packet arrives. L7 load-balancing is only done when the first L7 packet arrives. That's why we can do things like SSL session ID persistence, cookie-based persistence and many more.

I hope this brought some light into that matter.

Greetings

Johannes Norz

CCIO, CTA, CCE-N

https://www.wonderkitchen.network

https://blog.norz.at

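To make the L4/L7 distinction in the answer above concrete, here is an added example written for this page (it is not code from the thread, from Citrix, or from the ADC itself). It models the minimum an SSL_BRIDGE-style virtual server has to do before it can choose a back-end: read a complete TLS handshake record from the client, confirm it carries a ClientHello, and pull out the session ID that SSL session ID persistence is keyed on. Anything that is not TLS (plaintext HTTP, an SMTP command) fails the parse, which is exactly the traffic a TCP-type vserver would happily forward because it decides on the SYN and never inspects the payload. The back-end names and the ClientHello bytes are constructed for the demonstration.

```python
"""Added example: what an L7 (SSL bridge) load balancer must see before it can
pick a back-end, versus an L4 (TCP) balancer that decides on the SYN.
Not code from the Citrix thread or from Citrix ADC."""
import struct

TLS_HANDSHAKE = 0x16   # record-layer content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type


def parse_client_hello(data: bytes) -> dict:
    """Parse the first TLS record in `data` and return the ClientHello fields an
    SSL bridge relies on. Raises ValueError for anything that is not a complete
    TLS handshake record carrying a ClientHello (plaintext HTTP, SMTP, ...)."""
    if len(data) < 5:
        raise ValueError("need a full 5-byte TLS record header")
    ctype, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError(f"not a TLS handshake record (content type 0x{ctype:02x})")
    if ver_major != 3:
        raise ValueError(f"unexpected record-layer version {ver_major}.{ver_minor}")
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated record; an L7 proxy must wait for more bytes")
    if body[0] != CLIENT_HELLO:
        raise ValueError(f"handshake type 0x{body[0]:02x} is not ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello layout: version(2) random(32) session_id_len(1) session_id(n) ...
    if len(hello) < 35:
        raise ValueError("ClientHello shorter than its fixed fields")
    client_version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]
    session_id = hello[35:35 + sid_len]
    if len(session_id) != sid_len:
        raise ValueError("session ID runs past the end of the ClientHello")
    return {
        "record_version": (ver_major, ver_minor),
        "client_version": client_version,
        "session_id": session_id.hex(),
    }


def is_tls_client_hello(data: bytes) -> bool:
    """True if the first bytes a client sent parse as a TLS ClientHello."""
    try:
        parse_client_hello(data)
        return True
    except ValueError:
        return False


def build_client_hello(session_id: bytes, client_version: int = 0x0303) -> bytes:
    """Construct a minimal, syntactically valid ClientHello record for the demo
    (constructed sample, not a capture): one cipher suite, null compression,
    no extensions. A real client fills `random` from a CSPRNG."""
    random_bytes = bytes(range(32))                     # fixed, constructed value
    hello = struct.pack("!H", client_version) + random_bytes
    hello += bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"         # cipher_suites: one entry
    hello += b"\x01\x00"                                 # compression_methods: null
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


class SslBridgeBalancer:
    """SSL_BRIDGE-style selection with SSL session ID persistence: round-robin
    for new sessions, sticky when the client offers a session ID that a
    back-end previously issued in its ServerHello."""

    def __init__(self, backends):
        self.backends = list(backends)   # constructed names, e.g. "srv1"
        self.persistence = {}            # session_id (hex) -> backend
        self._next = 0

    def select(self, first_client_bytes: bytes) -> str:
        # Unlike a TCP vserver, no decision is possible until the ClientHello is in.
        sid = parse_client_hello(first_client_bytes)["session_id"]
        if sid in self.persistence:
            return self.persistence[sid]
        backend = self.backends[self._next % len(self.backends)]
        self._next += 1
        return backend

    def record_server_hello(self, session_id: bytes, backend: str) -> None:
        """Learn the session ID the chosen back-end assigned in its ServerHello,
        so a later resumption attempt from the client lands on the same server."""
        if session_id:
            self.persistence[session_id.hex()] = backend


if __name__ == "__main__":
    lb = SslBridgeBalancer(["srv1", "srv2"])
    print(lb.select(build_client_hello(b"")))                  # new session -> srv1
    lb.record_server_hello(b"\x11" * 32, "srv1")               # learned from ServerHello
    print(lb.select(build_client_hello(b"\x11" * 32)))         # resumption -> srv1
    print(is_tls_client_hello(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))  # False
```

The persistence table is only populated from the server side: the ID a client offers in a ClientHello is one the server handed out earlier, so a bridge that has not seen that ServerHello simply round-robins and lets the back-end fall back to a full handshake. Two caveats worth keeping in mind when relying on this in practice: an L7 decision needs the whole record, so a client that sends its ClientHello split across segments (or one that, like an SMTP client, waits for the server to talk first) stalls rather than being forwarded; and in TLS 1.3 the session ID field is a legacy placeholder, with resumption negotiated through pre-shared-key extensions instead, so persistence keyed on the field shown here only describes TLS 1.2 and earlier.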

On 12/3/2020 at 9:38 PM, Johannes Norz said:

Well, there is a big difference between an SSL bridge and a TCP load-balancer.

Like all L7 load-balancing methods, an SSL bridge knows about the protocol. So it needs to see a Client Hello, a Server Hello and a certificate as a reply, and a change cipher specification message from client to server and from server to client. It would not be possible to proxy, let's say, SMTP on port 443 through an SSL bridge.

A TCP load-balancer knows about TCP. It's L4 load-balancing. While it would not proxy UDP packets, it will proxy any TCP packet, no matter what content it has.

There is another difference: L4 load-balancing is done when a TCP/SYN packet arrives. L7 load-balancing is only done when the first L7 packet arrives. That's why we can do things like SSL session ID persistence, cookie-based persistence and many more.

I hope this brought some light into that matter.

Thank you, Johannes,

Thank you for providing the clarity I was looking for :)

Much appreciated.

