How IIS7 session Persistence works when no SSL offloading [Answered]

8 replies

Last post May 03, 2011 09:59 AM by bashirkashif

  • How IIS7 session Persistence works when no SSL offloading

    Apr 26, 2011 01:23 PM|bashirkashif

    How IIS7 session Persistence works when no SSL offloading

    We have a single server IIS7.5 (with ARRv2 x64) & WebLogic 10 at the backend. We have successfully done SSL termination at WebLogic 10, not at the IIS 7.5 level, using ARR. Now we want to scale the solution, so before adding multiple WebLogic servers I wanted to understand how SSL session persistence works with ARR.

    Will IIS 7.5 maintain an SSL ID session table like a normal load balancer does?

    Is there any documentation that tells me in detail how this will work, as I can't seem to find it on the forums or TechNet? All I have found is this article, which we have already done.

    http://blogs.iis.net/wonyoo/archive/2008/07/10/ssl-off-loading-in-application-request-routing.aspx

    Appreciate your help.

  • Re: How IIS7 session Persistence works when no SSL offloading

    Apr 27, 2011 05:44 PM|owjeff

    Have a look at the client affinity section here:

    http://learn.iis.net/page.aspx/486/http-load-balancing-using-application-request-routing/

    Since all requests will go through the ARR server and ARR will proxy requests, the certificate still needs to be installed on the ARR node. Client affinity will ensure that requests are sent to the same backend node.

    Jeff Graves

    OrcsWeb: Managed Windows Hosting Solutions
    "Remarkable Service. Remarkable Support."
  • Re: How IIS7 session Persistence works when no SSL offloading

    Apr 28, 2011 06:40 AM|bashirkashif

    Yes, the certificate is needed on the ARR server, which we have already done for the single-server deployment as well.

    The link that you have mentioned http://learn.iis.net/page.aspx/486/http-load-balancing-using-application-request-routing/

    I have read this article before. ARR uses a cookie for client affinity. Now I think this cookie can only be inserted if SSL is offloaded at ARR, as after this the traffic is HTTP based. If the traffic is SSL then the cookie can't be inserted, as everything is encrypted.

    Now to the interesting part where I need clarification.

    ARR does need a certificate even if SSL offloading is not done at ARR. This means that SSL is still terminated at the ARR server, but the ARR server is configured so that it will make SSL connections with the content servers by doing re-encryption. Now it might be that the cookie is being inserted while doing this decryption and re-encryption process to do client affinity, so that SSL session state tables are not needed.

    Can someone confirm whether this understanding is correct?

  • Re: How IIS7 session Persistence works when no SSL offloading

    Apr 28, 2011 09:47 AM|owjeff

    bashirkashif

    ARR does need a certificate even if SSL offloading is not done at ARR. This means that SSL is still terminated at the ARR server, but the ARR server is configured so that it will make SSL connections with the content servers by doing re-encryption. Now it might be that the cookie is being inserted while doing this decryption and re-encryption process to do client affinity, so that SSL session state tables are not needed.

    Yes, that's correct. ARR proxies all requests, so there's really no benefit to passing HTTPS traffic to the backend nodes. All requests will be decrypted on the ARR node, and it will then proxy the request to the backend node. If you're concerned that the application on the backend node would see the traffic as non-SSL, have a look at ARRHelper, which will trick IIS on the backend node into seeing the original headers:

    http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx

    Jeff Graves

    OrcsWeb: Managed Windows Hosting Solutions
    "Remarkable Service. Remarkable Support."
  • Re: How IIS7 session Persistence works when no SSL offloading

    Apr 28, 2011 10:58 AM|bashirkashif

    1) My security requirement is to terminate SSL at the WebLogic layer, not at the IIS layer.

    2) My other requirement is that SSL stickiness should be supported by IIS to the WebLogic server. I am not worried about client IP.

  • Re: How IIS7 session Persistence works when no SSL offloading

    Apr 28, 2011 11:22 AM|owjeff

    ARR acts as a proxy, so this might not be possible using ARR. SSL will always terminate at ARR, but ARR can re-encrypt the request to the backend node using SSL. The cookie used with client affinity will be decrypted at ARR, which will allow it to know which backend node to send the traffic to.

    If you need the request to stay intact all the way to the web server, you will need to look at a hardware load balancer or using NLB.

    Jeff Graves

    OrcsWeb: Managed Windows Hosting Solutions
    "Remarkable Service. Remarkable Support."
  • Re: How IIS7 session Persistence works when no SSL offloading

    Apr 28, 2011 01:31 PM|bashirkashif

    I think I have not explained it clearly. Sorry, my mistake.

    But I think this will work.

    The setup is like this:

    Cisco CSM load balancer (with SSL ID stickiness) -> IIS with ARR (doing some URL filtering on source IP, reverse proxying with no SSL offloading) -> backend WebLogic application servers.

    1) Now CSM has SSL stickiness, so it will pass traffic to the correct IIS server with ARR (reverse proxy).

    2) As discussed, IIS with ARR (reverse proxy with no SSL offloading) will decrypt at this layer, look at the cookie and re-encrypt traffic back to the correct backend WebLogic server.

    What do you think, is the flow correct?

  • Re: How IIS7 session Persistence works when no SSL offloading

    Apr 29, 2011 09:20 AM|owjeff

    Is CSM being used for ARR load balancing/HA? That flow sounds correct.

    Jeff Graves

    OrcsWeb: Managed Windows Hosting Solutions
    "Remarkable Service. Remarkable Support."
  • Re: How IIS7 session Persistence works when no SSL offloading

    May 03, 2011 09:59 AM|bashirkashif

    Yes, CSM will be used for ARR load balancing.
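
Added example, not part of the original thread and not ARR's own implementation: a small Python model of the cookie-affinity step the thread describes, which only works on the decrypted request, so the proxy has to terminate TLS before it can read or set the cookie. The cookie name, token scheme and backend addresses are assumptions made up for illustration.

```python
import hashlib
from http.cookies import SimpleCookie
from itertools import cycle

COOKIE = "AffinityDemo"  # hypothetical cookie name, not the one ARR uses


class AffinityProxy:
    """Routing decision made on plaintext HTTP headers, i.e. after TLS is terminated."""

    def __init__(self, backends):
        # Opaque token per backend so the cookie does not expose internal host names.
        self.by_token = {hashlib.sha256(b.encode()).hexdigest(): b for b in backends}
        self.healthy = set(backends)
        self._rr = cycle(backends)

    def _next_healthy(self):
        # Round-robin over the farm, skipping nodes marked unhealthy.
        for _ in range(len(self.by_token)):
            backend = next(self._rr)
            if backend in self.healthy:
                return backend
        raise RuntimeError("no healthy backend")

    def route(self, request_headers):
        """Return (backend, response headers to add) for one decrypted request."""
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        token = jar[COOKIE].value if COOKIE in jar else None
        backend = self.by_token.get(token)  # unknown or forged token -> None
        if backend in self.healthy:
            return backend, {}  # sticky hit: same node, no new cookie
        # No cookie, forged cookie, or pinned node is down: pick a node and re-pin.
        backend = self._next_healthy()
        new_token = next(t for t, b in self.by_token.items() if b == backend)
        return backend, {"Set-Cookie": f"{COOKIE}={new_token}; Path=/; Secure; HttpOnly"}


if __name__ == "__main__":
    # Constructed backend addresses standing in for the WebLogic nodes.
    proxy = AffinityProxy(["wl1.example.internal:7002", "wl2.example.internal:7002"])
    node, headers = proxy.route({})
    print("first request ->", node, headers)
    cookie = headers["Set-Cookie"].split(";")[0]
    print("repeat request ->", proxy.route({"Cookie": cookie}))
```

In the flow confirmed above, the front load balancer's SSL ID stickiness picks the ARR node, and a decision like `route()` on that node picks the backend before the request is re-encrypted.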