mega_stream

Can anyone advise me on the following,

We house a web site behind a set of load balanced firewalls.
When a connection is made using an ISP that uses a proxy farm, the load balancer at our end thinks its a new connection and kills the established one, kicking the user out the system.

What's the workaround for this? I can't ring the ISP and ask them for a persistant connection...what needs to be done to get our end to know its the same connection even though it maybe coming from a different Proxy server!

Any clues anyone?

stevem2k

Just for clarity, are you load balancing on the firewall ( which one ? ) or on a local director ...

Steve

mega_stream

On the firewalls, using Rainfinity

krankyd

can't the ISP allow more that one concurrent connection per IP address? I know a lot of business customers and all of their web based traffic comes through a few proxy's, therefore a few IP addresses..

dsmith

The load balancer software sounds like its getting confused. It should a) allow multiple connections from 1 Ip address and b) remember which web-server the connection is to and keep all new connections from that source to the same web-server.

Id it was a local director you'd need to adjust the "sticky" connections parameters - but unfortunately I've never seen rainfinity...

Deano

SiCotty

I'm not an expert on load balancing solutions but from what I can remember either an ID in the HTTP/SSL session is used or a cookie to maintain persitence. Using the cookie the load balancer will create a cookie to track the users session. This should be unaffected by any mega proxies. Most of these dedicated load balancers can also perform firewall load balancing.

Si

stevencotton

Yep, if the same client can come from more than one IP address in one session due to a proxy at their end, you'll have to maintain state client-side with a cookie or munging the URL. The normal way to do it is with an MD5 hash to prevent "hijacking" of the session.

Steve.

mega_stream

Thanks, I'll look into it tomorrow.

Jeff Wiltshire

I think that you'll have to front (and back) end your Firewalls with a L3-L7 switch (Alteon, Foundry etc) which will give you the persistance that you require.

Jeff

stevencotton

I don't see how the load balancer comes into it, HTTP is completely stateless yet the load balancer may route certain IP addresses to certain back-end servers, but that wont help session persistence problems, that has to be done client side. Unless of course the latest load-balancers speak fluent layer 4 Load balancing and session-state-saving across requests are two entirely different issues, they just seem to overlap sometimes (when they don't).

Steve.

Jeff Wiltshire

Steve

Your quite right, of course.....I should a read the question properly.....!



Jeff

stevencotton

Heh, my first reply was wrong for the same reason, but hadn't submitted

Steve.