Application Delivery (ADX)

Reply
Contributor
Posts: 25
Registered: ‎05-04-2009

Is it possible to use direct server return (DSR) together with SSL offload/acceleration?

I would like to do SSL offload and DSR together if somehow possible. Any problems doing so?

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: Is it possible to use direct server return (DSR) together with SSL offload/acceleration?

This is not possible - I am sorry. The reason for this is the following: DSR (direct server return) implies that the real servers are able to reply to the client bypassing the load balancer (ServerIron/ADX). The problem with SSL offload and DSR is the fact that the load balancer is the endpoint of the SSL communication. The client is establishing an SSL connection to the virtual server sitting at the ServerIron. The ServerIron itself is going to send the stuff as plain-text traffic to the real server.

The real server itself does not know anything about encryption/SSL and it is going to reply to the client directly bypassing the ServerIron. What happens is that the client gets plain-text traffic back from the real server. This traffic does not fit to the stuff the client is expecting and the session will breack. This is the simple explanation. It is a bit more complex because the backend connection would not even come up due to the strange communication flow.

All in all: SSL termination together with DSR for the real server behind the SSL service is not possible.

ATTENTION: This requires SSL offload - ensure you are using at least  ADX OS >= 12.1.

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.

vADC is now Pulse Secure
Download FREE NVMe eBook