
SSL protocol on GSLB site IP



9 minutes ago, Carl Stalhood1709151912 said:

Check Traffic Management > Load Balancing > Services. On the right is a tab named Internal Services.

Thanks Carl
I've found that and set our pre-prod site IP to TLS 1.2 only.
Should this not have any impact on GSLB services if setting all GSLB site IPs to TLS 1.2? All other internal services have been left as they are.

 


The GSLB is only evaluated in the DNS resolution. So the protocol of a GSLB vserver/service does not impact the DNS decision during the client resolution.

The protocol only exists on the gslb service (partly as an artifact of lb) but so the gslb service can go up/down based on the appropriate traffic management entity. Your LB vserver/lb services determine the protocols in use for actual client and server connections. The gslb protocol doesn't; it is just there to make sure the GSLB for VIP:PORT is going up/down due to the associated traffic management entity (lb vserver) and that monitor probes, if used, can be properly associated.


1 hour ago, Rhonda Rowland1709152125 said:

The GSLB is only evaluated in the DNS resolution. So the protocol of a GSLB vserver/service does not impact the DNS decision during the client resolution.

The protocol only exists on the gslb service (partly as an artifact of lb) but so the gslb service can go up/down based on the appropriate traffic management entity. Your LB vserver/lb services determine the protocols in use for actual client and server connections. The gslb protocol doesn't; it is just there to make sure the GSLB for VIP:PORT is going up/down due to the associated traffic management entity (lb vserver) and that monitor probes, if used, can be properly associated.

Thanks Rhonda
Our GSLB site IP has been scanned and detected as high risk due to using SSLv3 and TLS 1.0 protocols only. All GSLB services back-end are all TLS 1.2.
From what you are saying, TLS 1.2 can be set on the GSLB site IPs without impacting back-end services?


GSLB Site IPs are used in adc to adc communication to exchange GSLB MEP information. (I either misread your statement as GSLB VIPs earlier or was just focused on the GSLB Services part of that conversation.)

Changing the GSLB Site IP protocols/ciphers affects the MEP and GSLB status communication and should be done consistently across all participating gslb members (same settings on all gslb site ips on all gslb participants). But these settings still have no impact on the gslb vserver/gslb services or lb vserver/services delivered by GSLB, just the adc to adc communication for gslb peers.
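
One way to confirm the point above, that every GSLB site IP ends up with the same protocol settings, is to probe each one per TLS version and compare. This is an added example, not part of the thread and not Citrix tooling; the site IPs are constructed documentation addresses and the port (3009, assumed here for secure MEP) must be replaced with the one your scanner flagged.

```python
import socket
import ssl

# Versions a current OpenSSL client can still offer; SSLv3 is usually compiled out,
# so the SSLv3 finding has to be rechecked with the original scanner.
VERSIONS = {"TLS1.0": ssl.TLSVersion.TLSv1, "TLS1.1": ssl.TLSVersion.TLSv1_1,
            "TLS1.2": ssl.TLSVersion.TLSv1_2}

# Constructed results for three hypothetical site IPs: two remediated, one missed.
SAMPLE = {
    "192.0.2.10":    {"TLS1.0": False, "TLS1.1": False, "TLS1.2": True},
    "198.51.100.10": {"TLS1.0": False, "TLS1.1": False, "TLS1.2": True},
    "203.0.113.10":  {"TLS1.0": True,  "TLS1.1": True,  "TLS1.2": True},
}

def accepts(host, port, version, timeout=5.0):
    """True if host:port completes a handshake pinned to exactly one version.
    False also covers an unreachable host or a closed port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # protocol check only, not certificate trust
    ctx.set_ciphers("ALL:@SECLEVEL=0")    # let the client offer legacy versions
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock):
                return True
    except OSError:                       # ssl.SSLError is a subclass of OSError
        return False

def scan(site_ips, port):
    """Probe every site IP for every version: {ip: {version_name: bool}}."""
    return {ip: {n: accepts(ip, port, v) for n, v in VERSIONS.items()}
            for ip in site_ips}

def review(results):
    """Return (legacy, mismatched): site IPs still accepting TLS 1.0/1.1,
    and the versions on which the peers disagree with each other."""
    legacy = sorted(ip for ip, r in results.items() if r["TLS1.0"] or r["TLS1.1"])
    mismatched = sorted(n for n in VERSIONS
                        if len({r[n] for r in results.values()}) > 1)
    return legacy, mismatched

if __name__ == "__main__":
    # Replace SAMPLE with scan(["<site-ip-1>", "<site-ip-2>"], 3009) for real peers.
    legacy, mismatched = review(SAMPLE)
    print("still accepting TLS 1.0/1.1:", legacy)
    print("versions where peers disagree:", mismatched)
```

An empty result from `review` for both lists means every probed site IP rejects TLS 1.0/1.1 and all peers agree.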
