Load Balancing CTERA Portal Servers

CTERA Portal Installations > VMware ESXi > Managing CTERA Portal Servers > Load Balancing CTERA Portal Servers

General Load Balancing Best Practices

Probing to test tomcat reachability: Most load balancers have a health check/probing mechanism that checks for ports and services availability. The best scenario is to only use port tests that check if the port is available (checking ports 995 and 443). If a more accurate probing is required, use port 995 probe. With HTTPS use: portalurl/admin/startup.

It is not recommended to use source NAT on the load balancer as this makes it hard to monitor and troubleshoot networking issues, since all the connections come to the tomcat servers from the same IP. This will also open the possibility that the portal will be locked due to too many retries if any user gets his password wrong 3 times and it will affect all users since this mechanism is based on IP.

Using F5 Load Balancer

The following describes setting up load balancing using a version of F5 software that is not the latest version. If your version is different, contact CTERA support for help with your configuration.

Using F5 load balancing to perform SSL offloading requires the following configuration:

Create an F5 iRule to add Secure and HttpOnly flags to the JSESSIONID cookie.

Create an F5 iRule to add HSTS flags.

Disable old insecure encryption algorithms like RC4.

If F5 is configured to use TLS 1.0, you must change it for TLS 1.1, by running:

GET /admin/startup HTTP/1.1\r\nHost: global.myportal.com\r\nConnection: Close

where myportal.com is the portal DNS suffix.

F5 Best Practices

The following best practices are recommended by CTERA:

Configure the tcp TCP protocol profile.

If Idle Timeout is configured, make sure the value is at least 5 minutes, 300 seconds, as CTERA handles its own TCP sessions with keep alives.

If Keep Alive Interval is configured, make sure the value is less than half the value specified for Send CTTP keepalive messages every in the virtual portal settings. Send CTTP keepalive messages every prevents proxy or load balancer servers from preemptively terminating connection between a CTERA Agent and the CTERA Portal.

If Zero window Timeout is configured, make sure it is as high as possible. For example, 30000.

The following shows recommended F5 settings for the tcp TCP protocol profile.

Configure the source_addr Persistence profile.

The following shows recommended F5 settings for source_addr Persistence profile.

After setting the profiles, set up the load balancing for the CTERA virtual servers.