Load Balancing CTERA Portal Servers
General Load Balancing Best Practices
Probing to test Tomcat reachability: Most load balancers have a health check (probing) mechanism that checks port and service availability. The best approach is to use only port tests that check whether the port is available (ports 995 and 443). If the customer needs more accurate probing, a port 995 probe can be used. With HTTPS, the probe can use: portalurl/admin/startup.
Using source NAT on the load balancer is not recommended. With source NAT, all connections reach the Tomcat servers from the same IP address, which makes it hard to monitor and troubleshoot networking issues. It also makes it possible for the portal to be locked due to too many retries: if any user gets the password wrong 3 times, all users are affected, since this mechanism is based on IP address.
Using F5 Load Balancer
Using F5 load balancing to perform SSL offloading requires the following configuration:
Create an F5 iRule to add Secure and HttpOnly flags to the JSESSIONID cookie.
Create an F5 iRule to add HSTS flags.
Disable old insecure encryption algorithms like RC4.
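One way to confirm that the two iRules above take effect is to audit the response headers returned through the virtual server. The following is an added example, not CTERA or F5 code; the function name audit_headers and the sample header sets are assumptions constructed for illustration.

```python
"""Audit response headers from an SSL-offloading virtual server (added example)."""
import re

def audit_headers(headers, cookie_name="JSESSIONID", min_hsts_age=1):
    """Return a list of findings; an empty list means every check passed.

    headers: list of (name, value) tuples, in the form returned by
    http.client.HTTPResponse.getheaders().
    """
    findings, session_cookies, hsts_values = [], [], []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            # The first "name=value" pair is the cookie; the rest are attributes.
            parts = [p.strip() for p in value.split(";")]
            if parts[0].split("=", 1)[0].strip() == cookie_name:
                attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
                session_cookies.append(attrs)
        elif lname == "strict-transport-security":
            hsts_values.append(value)
    # A response that does not set the session cookie has nothing to flag here.
    for attrs in session_cookies:
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append(f"{cookie_name} cookie is missing the {flag} flag")
    if not hsts_values:
        findings.append("Strict-Transport-Security header is missing")
    else:
        # max-age=0 tells browsers to forget the HSTS policy, so it is flagged too.
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts_values[0], re.I)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append("Strict-Transport-Security has no usable max-age")
    return findings

# Constructed sample responses (not captured from a real portal).
BEFORE = [
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/"),
    ("Content-Type", "text/html"),
]
AFTER = [
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("before iRules", BEFORE), ("after iRules", AFTER)):
        print(label, audit_headers(hdrs) or "OK")
```

To run it against a live portal, pass the result of getheaders() from an http.client HTTPS request to the virtual server address.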
F5 Best Practices
The following best practices are recommended by CTERA:
Configure the tcp TCP protocol profile.
If Idle Timeout is configured, make sure the value is at least 5 minutes (300 seconds), as CTERA handles its own TCP sessions with keepalives.
If Keep Alive Interval is configured, make sure the value is less than half the value specified for the Send CTTP keepalive messages every setting in the virtual portal settings. The Send CTTP keepalive messages every setting prevents proxy or load balancer servers from preemptively terminating the connection between a CTERA Agent and the CTERA Portal.
If Zero Window Timeout is configured, make sure it is as high as possible. For example, 30000.
The following shows recommended F5 settings for the tcp TCP protocol profile.
Configure the source_addr Persistence profile.
The following shows recommended F5 settings for source_addr Persistence profile.
After setting the profiles, set up the load balancing for the CTERA virtual servers.