I have a somewhat unusual setup, which I inherited. It is for providing Citrix services, which comprises a web frontend (HTTPS) and the ICA protocol.
The traffic flow is thus:
client >> BigIP LTM >> 4 x Reverse Proxy Nodes >> various Backend servers (backend is however not relevant, the problem is between the BigIP and reverse proxy)
My goal is to have session stickiness so that the HTTPS and ICA protocol both pass through the same reverse proxy node. I see there are lots of options for this, but I would just like some feedback about what is needed.
The problem currently is that the two protocols are sent to different virtual servers and then forwarded to different pools:
HTTPS protocol > virtual server1 > Pool1
ICA protocol > virtual server2 > Pool2
Pool1 and Pool2 both send traffic to the same 4 reverse proxy nodes, but to different virtual IPs. So the load balancer cannot recognize they are in fact the same destination.
There is no SSL offloading on the BigIP, so no session information is available to create persistence via a cookie or URL path.
The BigIP does however see the original source IP address.
What is needed to create persistence for sessions across the pools?
Would a simple source address persistence profile apply to all virtual servers where it is enabled across the whole BigIP config? Or does it only apply to the one individual virtual server?
If it does not apply across all the configuration, then I assume I need to write an iRule that associates the IP of reverseproxy1 in pool1 with the IP of reverseproxy1 in pool2 - or is there an easier way?
Thank you in advance for your help!
PS - it would also be possible to change the reverse proxy pools to forward from the BigIP to the reverse proxy nodes on different ports, e.g. rp1:443 - HTTPS, rp1:8443 - ICA, but I would prefer not to change unless it is really necessary.
Try taking a look at the Match Across options for session persistence. This is a setting that allows you to share persistence data between virtual servers.
If you want configuration assistance or have any more questions, I am sure I can help.
Thanks for the quick response!
I was trying to understand those options. The way I understand it, my current setup won't fit into one of these options.
So I have pools like this:
backend A1 - 10.0.0.1:443
backend A2 - 10.0.0.2:443
backend B1 - 10.0.0.3:80
backend B2 - 10.0.0.4:80
where A1 and B1 are actually the same machine.
So I think I need to either do something with an iRule to associate A1 and B1 with each other, so that they are seen as one destination, or I need to use the same backend IPs:
backend B1 - 10.0.0.1:80
backend B2 - 10.0.0.2:80
then enable "Match across virtual servers" with source address affinity, so that all traffic coming from one source IP gets forwarded.
I don't think the first option will work with any of the "Match across" options.
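The second option above (same node IPs in both pools, different service ports, shared source-address persistence), written out as an added tmsh example; this is not configuration from the thread or from F5, and the profile, pool and virtual server names are assumed:

```tmsh
# Added example (not from the thread). Assumes the two pools already point at the SAME
# node addresses 10.0.0.1 and 10.0.0.2, on port 443 (HTTPS) and port 80 (ICA path) as in
# the post. A source-address record stores the client IP and the node it was pinned to, so
# sharing it only works when both pools contain that node.

# Persistence profile: key on the full client IP and share records across the two
# virtual servers and across pools (pool1/pool2 are different pools in this setup).
create ltm persistence source-addr citrix_src_persist {
    defaults-from source_addr
    mask 255.255.255.255
    timeout 3600
    match-across-virtuals enabled
    match-across-pools enabled
}

# Both pools reference the same node IPs; only the port differs.
create ltm pool pool_https members add { 10.0.0.1:443 10.0.0.2:443 } monitor https
create ltm pool pool_ica   members add { 10.0.0.1:80  10.0.0.2:80  } monitor http

# Attach the shared profile to both virtual servers (names assumed).
modify ltm virtual vs_https persist replace-all-with { citrix_src_persist }
modify ltm virtual vs_ica   persist replace-all-with { citrix_src_persist }

# Check: after a client's HTTPS connection is pinned, its ICA connection should show
# the same node address in the persistence table.
show ltm persistence persist-records
```

Caveat: match-across-pools lets a virtual server follow a record to a node that is outside its own pool, so keep this profile on the two Citrix virtual servers only rather than reusing it elsewhere.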