How IIS7 session Persistence works when no SSL offloading

Question
-
User1771947948 posted
How IIS7 session Persistence works when no SSL offloading
We have a single-server IIS 7.5 (with ARRv2 x64) and WebLogic 10 at the backend. We have successfully done SSL termination at WebLogic 10, not at the IIS 7.5 level, using ARR. Now we want to scale the solution, so before adding multiple WebLogic servers I wanted to understand how SSL session persistence works with ARR.
Will IIS 7.5 maintain an SSL ID session table like a normal load balancer does?
Is there any documentation that tells me in detail how this will work? I can't seem to find it on the forums or TechNet. All I have found is this article, which we have already done.
http://blogs.iis.net/wonyoo/archive/2008/07/10/ssl-off-loading-in-application-request-routing.aspx
Appreciate your help.
Tuesday, April 26, 2011 1:23 PM
All replies
-
User1080221284 posted
Have a look at the client affinity section here:
http://learn.iis.net/page.aspx/486/http-load-balancing-using-application-request-routing/
Since all requests will go through the ARR server and ARR will proxy requests, the certificate still needs to be installed on the ARR node. Client affinity will ensure that requests are sent to the same backend node.
Wednesday, April 27, 2011 5:44 PM -
User1771947948 posted
Yes, the certificate is needed on the ARR server, which we have already done for the single-server deployment also.
The link that you have mentioned http://learn.iis.net/page.aspx/486/http-load-balancing-using-application-request-routing/
I have read this article before. ARR uses a cookie for client affinity. Now I think this cookie can only be inserted if SSL is offloaded at ARR, as after this the traffic is HTTP based. If the traffic is SSL then the cookie can't be inserted, as everything is encrypted.
Now to the interesting part where I need clarification.
ARR does need a certificate even if SSL offloading is not done at ARR. This means that SSL is still terminated at the ARR server, but the ARR server is configured so that it will make SSL connections with the content servers by doing re-encryption. Now it might be that the cookie is being inserted during this decryption and re-encryption process to do client affinity, so that SSL session state tables are not needed.
Can someone confirm if this understanding is correct?
Thursday, April 28, 2011 6:40 AM -
User1080221284 posted
"ARR does need a certificate even if SSL offloading is not done at ARR. This means that SSL is still terminated at the ARR server, but the ARR server is configured so that it will make SSL connections with the content servers by doing re-encryption. Now it might be that the cookie is being inserted during this decryption and re-encryption process to do client affinity, so that SSL session state tables are not needed."
Yes, that's correct. ARR proxies all requests, so there's really no benefit to passing HTTPS traffic to the backend nodes. All requests will be decrypted on the ARR node, and it will then proxy the request to the backend node. If you're concerned that the application on the backend node would see the traffic as non-SSL, have a look at ARRHelper, which will trick IIS on the backend node into seeing the original headers:
Thursday, April 28, 2011 9:47 AM -
User1771947948 posted
1) My security requirement is to terminate SSL at the WebLogic layer, not at the IIS layer.
2) My other requirement is that SSL stickiness should be supported by IIS to the WebLogic server. I am not worried about client IP.
Thursday, April 28, 2011 10:58 AM -
User1080221284 posted
ARR acts as a proxy, so this might not be possible using ARR. SSL will always terminate at ARR, but ARR can re-encrypt the request to the backend node using SSL. The cookie used with client affinity will be decrypted at ARR which will allow it to know which backend node to send the traffic to.
If you need the request to stay intact all the way to the web server, you will need to look at a hardware load balancer or using NLB.
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Thursday, April 28, 2011 11:22 AM -
User1771947948 posted
I think I have not explained it clearly. Sorry, my mistake.
But I think this will work.
The setup is like this:
Cisco CSM load balancer (with SSL ID stickiness) -> IIS with ARR (doing some URL filtering on source IP, reverse proxying with no SSL offloading) -> backend WebLogic application servers.
1) Now CSM has SSL stickiness, so it will pass traffic to the correct IIS server with ARR (reverse proxy).
2) As discussed, IIS with ARR (reverse proxy with no SSL offloading) will decrypt at this layer, look at the cookie, and re-encrypt traffic back to the correct backend WebLogic server.
What do you think, is the flow correct?
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Thursday, April 28, 2011 1:31 PM -
User1080221284 posted
Is CSM being used for ARR load balancing/HA? That flow sounds correct.
Friday, April 29, 2011 9:20 AM -
User1771947948 posted
Yes, CSM will be used for ARR load balancing.
Tuesday, May 3, 2011 9:59 AM
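
Added example (not part of the original thread, and not ARR or Cisco CSM code): a small Python model of the two persistence mechanisms the thread compares. The SSL-ID balancer reads the session ID from the cleartext ClientHello without decrypting anything, while the cookie-affinity proxy needs the plaintext Cookie header and therefore has to terminate TLS first. The node names, the token scheme and the sample ClientHello builder are assumptions made for the demo; only the cookie name ARRAffinity is ARR's default.

```python
import hashlib

NODES = ["wls1", "wls2"]  # hypothetical backend WebLogic node names

def client_hello_session_id(record: bytes) -> bytes:
    """Read session_id from a cleartext ClientHello (length byte at offset 43)."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    sid_len = record[43]  # after 5B record hdr, 4B handshake hdr, 2B version, 32B random
    if sid_len > 32 or len(record) < 44 + sid_len:
        raise ValueError("malformed session_id")
    return record[44:44 + sid_len]

class SslIdBalancer:
    """Layer-4 stickiness: a session-ID table; the payload stays encrypted."""
    def __init__(self, nodes):
        self.nodes, self.table, self.turn = nodes, {}, 0
    def learn(self, session_id: bytes, node: str):
        # Called once the balancer has seen the ID the server issued in ServerHello.
        self.table[session_id] = node
    def route(self, record: bytes) -> str:
        sid = client_hello_session_id(record)
        if sid in self.table:              # resumed session: stay on the same node
            return self.table[sid]
        self.turn += 1                     # new or unknown session: round robin
        return self.nodes[(self.turn - 1) % len(self.nodes)]

class CookieAffinityProxy:
    """Layer-7 affinity: reads the Cookie header, so TLS must end at the proxy."""
    def __init__(self, nodes):
        self.nodes, self.turn = nodes, 0
    @staticmethod
    def token(node: str) -> str:           # constructed token scheme, not ARR's own
        return hashlib.sha256(node.encode()).hexdigest()
    def route(self, cookie_header: str):
        # Returns (node, Set-Cookie value or None) for one decrypted request.
        pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
        wanted = dict(pairs).get("ARRAffinity")
        for node in self.nodes:
            if wanted == self.token(node):
                return node, None
        self.turn += 1
        node = self.nodes[(self.turn - 1) % len(self.nodes)]
        return node, "ARRAffinity=" + self.token(node)

def sample_client_hello(session_id: bytes) -> bytes:
    """Constructed minimal ClientHello prefix (no cipher suites) for the demo."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

In the flow agreed at the end of the thread, the first class corresponds to the CSM tier in front of the ARR servers and the second to ARR choosing a WebLogic node after decryption.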