How IIS7 session Persistence works when no SSL offloading
Marked as answer by bashirkashif on May 03, 2011 02:01 PM
bashirkashif
10 Posts
How IIS7 session Persistence works when no SSL offloading
Apr 26, 2011 05:23 PM
We have a single IIS 7.5 server (with ARRv2 x64) and WebLogic 10 at the backend. We have successfully done SSL termination at WebLogic 10, not at the IIS 7.5 level, using ARR. Now we want to scale the solution, so before adding multiple WebLogic servers I wanted to understand how SSL session persistence works with ARR.
Will IIS 7.5 maintain an SSL ID session table like a normal load balancer does?
Is there any documentation that tells me in detail how this will work? I can't seem to find it on forums or TechNet. All I have found is this article, which we have already done.
http://blogs.iis.net/wonyoo/archive/2008/07/10/ssl-off-loading-in-application-request-routing.aspx
Appreciate your help.
owjeff
680 Posts
Re: How IIS7 session Persistence works when no SSL offloading
Apr 27, 2011 09:44 PM
Have a look at the client affinity section here:
http://learn.iis.net/page.aspx/486/http-load-balancing-using-application-request-routing/
Since all requests will go through the ARR server and ARR will proxy requests, the certificate still needs to be installed on the ARR node. Client affinity will ensure that requests are sent to the same backend node.
OrcsWeb: Managed Windows Hosting Solutions
"Remarkable Service. Remarkable Support."
bashirkashif
10 Posts
Re: How IIS7 session Persistence works when no SSL offloading
Apr 28, 2011 10:40 AM
Yes, the certificate is needed on the ARR server, which we have already done for the single-server deployment also.
The link that you have mentioned: http://learn.iis.net/page.aspx/486/http-load-balancing-using-application-request-routing/
I have read this article before. ARR uses a cookie for client affinity. Now I think this cookie can only be inserted if SSL is offloaded at ARR, as after this the traffic is HTTP based. If the traffic is SSL then the cookie can't be inserted, as everything is encrypted.
Now to the interesting part where I need clarification.
ARR does need a certificate even if SSL offloading is not done at ARR. This means that SSL is still terminated at the ARR server, but the ARR server is configured so that it will make SSL connections with the content servers by doing re-encryption. Now it might be that the cookie is being inserted while doing this decryption and re-encryption process to do client affinity, so that SSL session state tables are not needed.
Can someone confirm whether this understanding is correct?
owjeff
680 Posts
Re: How IIS7 session Persistence works when no SSL offloading
Apr 28, 2011 01:47 PM
Yes, that's correct. ARR proxies all requests, so there's really no benefit to passing HTTPS traffic to the backend nodes. All requests will be decrypted on the ARR node, and it will then proxy the request to the backend node. If you're concerned that the application on the backend node would see the traffic as non-SSL, have a look at ARRHelper, which will trick IIS on the backend node into seeing the original headers:
http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx
bashirkashif
10 Posts
Re: How IIS7 session Persistence works when no SSL offloading
Apr 28, 2011 02:58 PM
1) My security requirement is to terminate SSL at the WebLogic layer, not at the IIS layer.
2) My other requirement is that SSL stickiness should be supported by IIS to the WebLogic server. I am not worried about client IP.
owjeff
680 Posts
Re: How IIS7 session Persistence works when no SSL offloading
Apr 28, 2011 03:22 PM
ARR acts as a proxy, so this might not be possible using ARR. SSL will always terminate at ARR, but ARR can re-encrypt the request to the backend node using SSL. The cookie used with client affinity will be decrypted at ARR, which will allow it to know which backend node to send the traffic to.
If you need the request to stay intact all the way to the web server, you will need to look at a hardware load balancer or using NLB.
bashirkashif
10 Posts
Re: How IIS7 session Persistence works when no SSL offloading
Apr 28, 2011 05:31 PM
I think I have not explained it clearly. Sorry, my mistake.
But I think this will work.
The setup is like this:
Cisco CSM load balancer (with SSL ID stickiness) -> IIS with ARR (doing some URL filtering on source IP, reverse proxying with no SSL offloading) -> backend WebLogic application servers.
1) Now CSM has SSL stickiness, so it will pass traffic to the correct IIS server with ARR (reverse proxy).
2) As discussed, IIS with ARR (reverse proxy with no SSL offloading) will decrypt at this layer, look at the cookie and re-encrypt traffic back to the correct backend WebLogic server.
What do you think, is the flow correct?
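An added example (not part of the original posts) contrasting the two stickiness mechanisms in this flow: a layer-4 balancer can read the SSL session ID from the plaintext ClientHello without any key, while cookie affinity needs the decrypted HTTP request, which is why ARR has to terminate SSL. The sample bytes, node names and token-to-node map are constructed; `ARRAffinity` is ARR's default affinity cookie name, and real ARR cookie values are opaque rather than these tokens.

```python
import struct

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello: one cipher suite, null compression."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_session_id(record: bytes) -> bytes:
    """Extract session_id from a ClientHello; it is sent in the clear, no key needed."""
    if len(record) < 5 or record[0] != 0x16:       # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 39 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    off = 4 + 2 + 32                                # handshake hdr, version, random
    sid_len = body[off]
    sid = body[off + 1:off + 1 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        raise ValueError("malformed session_id")
    return sid

def route_by_ssl_id(record: bytes, sticky_table: dict):
    """Layer-4 stickiness (the CSM hop): look up a resumed session's ID."""
    sid = client_hello_session_id(record)
    return sticky_table.get(sid) if sid else None   # empty ID = brand-new session

def route_by_cookie(http_request: bytes, token_to_node: dict, name="ARRAffinity"):
    """Layer-7 affinity (the ARR hop): only works on decrypted HTTP."""
    head = http_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        field, _, value = line.partition(":")
        if field.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, _, token = pair.strip().partition("=")
            if key == name:
                return token_to_node.get(token)
    return None

if __name__ == "__main__":
    sid = bytes(range(32))                          # constructed session ID
    print(route_by_ssl_id(build_client_hello(sid), {sid: "arr-1"}))
    req = b"GET / HTTP/1.1\r\nHost: app.example\r\nCookie: ARRAffinity=tok2\r\n\r\n"
    print(route_by_cookie(req, {"tok1": "weblogic-1", "tok2": "weblogic-2"}))
```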
owjeff
680 Posts
Re: How IIS7 session Persistence works when no SSL offloading
Apr 29, 2011 01:20 PM
bashirkashif
10 Posts
Re: How IIS7 session Persistence works when no SSL offloading
May 03, 2011 01:59 PM
Yes, CSM will be used for ARR load balancing.