WCF: SSL offloading in load balancer with TCP Binding

  • Question

  • Hi,

    We are migrating our WCF self-hosted service, which uses TCP binding, to Docker. The service will live behind a load balancer.

    We will be using a load balancer with a certificate.

    The current client and server binding looks as follows:

    public static Binding SharedBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport)
        {
            MaxReceivedMessageSize = int.MaxValue,
            ReaderQuotas =
            {
                MaxStringContentLength = int.MaxValue,
                MaxDepth = int.MaxValue,
                MaxArrayLength = int.MaxValue
            },
            ReceiveTimeout = TimeSpan.MaxValue,
            SendTimeout = TimeSpan.MaxValue,
            MaxConnections = 10000,
            ListenBacklog = 10000,
        };

        // Transport security (TLS on the TCP stream) with an anonymous client.
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.None;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }
    What do we need to change on the server side for clients to connect without security?


    Haroon

    Sunday, July 7, 2019 7:01 PM

All replies

  • Hi,
    As far as I know, when we use the transport security mode of the NetTcpBinding, we should specify a service certificate to encrypt/sign the communication.
    Like below:
    Uri uri = new Uri("net.tcp://localhost:9900");
    NetTcpBinding binding = new NetTcpBinding();
    binding.Security.Mode = SecurityMode.Transport;
    binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
    binding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
    ServiceHost sh = new ServiceHost(typeof(MyService), uri);
    ServiceEndpoint se = sh.AddServiceEndpoint(typeof(IService), binding, "");

    // Enable metadata publishing if it is not already configured.
    ServiceMetadataBehavior smb = sh.Description.Behaviors.Find<ServiceMetadataBehavior>();
    if (smb == null)
    {
        smb = new ServiceMetadataBehavior();
        sh.Description.Behaviors.Add(smb);
    }

    // Add MEX service endpoint to make the call from the third party possible.
    Binding mexbinding = MetadataExchangeBindings.CreateMexTcpBinding();
    sh.AddServiceEndpoint(typeof(IMetadataExchange), mexbinding, "mex");

    // Specify a server certificate so that the Transport security is available.
    sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "5ba5022f527e32ac02548fc5afc558de1d314cb6");
    sh.Open();
    Console.WriteLine("service is ready");
    Console.ReadLine();
    sh.Close();


    Therefore, the server side should specify a certificate under any circumstances.
    Feel free to let me know if there is anything I can help with.
    Best Regards
    Abraham
    Monday, July 8, 2019 1:52 AM
    Moderator
  • Hi Abraham

    Are you saying that there is no way to have the client send traffic via TLS to the load balancer and then switch to TCP without TLS?

    client -> (tcp, TLS, Port 5500) -> load-balancer -> (tcp without TLS) -> Docker WCF Service?

    Thanks


    Haroon

    Monday, July 8, 2019 2:37 PM
  • Hi,

    Sorry for my poor English; I could not get your point. What do you want? In my opinion, the server could use the None security mode instead of Transport, provided you want to switch to TCP without TLS.

    As for the illustration you described, I don't know much about load balancers. In my opinion, TLS will always be used on both segments of the communication when the server uses the Transport security mode.

    Feel free to let me know if there is anything I can help with.

    Best Regards

    Abraham

    Tuesday, July 9, 2019 2:30 AM
    Moderator
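An added example, not code posted by either participant, of the two bindings this thread arrives at: the client and the balancer front end keep the original Transport binding (TLS on the stream, service certificate required on the listener), while the containerised service behind the balancer hosts a SecurityMode.None binding for the plaintext hop. The `Hop` enum, `ForHop`, `IsEncrypted` and the internal listen address are assumptions made for the example.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Hypothetical names for the two network segments in the question.
public enum Hop { ClientToBalancer, BalancerToService }

public static class Bindings
{
    // Builds the NetTcpBinding for one hop. Quotas and timeouts match the
    // SharedBinding() from the question; only the security mode differs.
    public static NetTcpBinding ForHop(Hop hop)
    {
        // The balancer-to-service hop carries no TLS, so the hosted service
        // uses SecurityMode.None; with Transport the ServiceHost would require
        // a service certificate, as the first reply explains.
        var mode = hop == Hop.BalancerToService ? SecurityMode.None : SecurityMode.Transport;

        var binding = new NetTcpBinding(mode)
        {
            MaxReceivedMessageSize = int.MaxValue,
            ReceiveTimeout = TimeSpan.MaxValue,
            SendTimeout = TimeSpan.MaxValue,
            MaxConnections = 10000,
            ListenBacklog = 10000,
        };
        binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
        binding.ReaderQuotas.MaxDepth = int.MaxValue;
        binding.ReaderQuotas.MaxArrayLength = int.MaxValue;

        if (mode == SecurityMode.Transport)
        {
            // TLS on the wire with an anonymous client; the listener side must
            // still call ServiceCertificate.SetCertificate before Open().
            binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
            binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        }
        return binding;
    }

    // True when the binding protects the stream itself. A None-mode binding
    // relies entirely on the network between balancer and container being
    // private, so only host it on the internal listen address (assumed here).
    public static bool IsEncrypted(NetTcpBinding b) => b.Security.Mode == SecurityMode.Transport;

    public static ServiceHost HostBehindBalancer<TService>(Type contract)
    {
        var host = new ServiceHost(typeof(TService), new Uri("net.tcp://0.0.0.0:5500"));
        host.AddServiceEndpoint(contract, ForHop(Hop.BalancerToService), "");
        return host;
    }
}
```

Both ends of a given hop must use the same security mode, so the client keeps the Transport binding toward the balancer and the balancer's back-end connection must speak plain net.tcp to the None-mode endpoint.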