nerdexam
F5

101 · Question #571

HTTPS traffic is being passed from behind a NAT router, through a load balancer, to servers without being decrypted. What is the F5-recommended persistence method in this situation?

The correct answer is A. SSL session ID persistence. When HTTPS traffic traverses a load balancer without SSL decryption, SSL session ID persistence is the F5-recommended method because it uses data visible in the unencrypted SSL handshake.

Section 3: Load Balancing and High Availability Basics

Question

HTTPS traffic is being passed from behind a NAT router, through a load balancer, to servers without being decrypted. What is the F5-recommended persistence method in this situation?

Options

  • ASSL session ID persistence
  • Bsource address persistence
  • CSIP persistence
  • Ddestination address persistence

How the community answered

(35 responses)
  • A
    80% (28)
  • B
    11% (4)
  • C
    6% (2)
  • D
    3% (1)

Why each option

When HTTPS traffic traverses a load balancer without SSL decryption, SSL session ID persistence is the F5-recommended method because it uses data visible in the unencrypted SSL handshake.

ASSL session ID persistenceCorrect

SSL session ID persistence allows the BIG-IP to inspect the SSL session identifier present in the unencrypted SSL ClientHello and ServerHello handshake messages, routing the client to the same server without needing to decrypt the payload. This approach is reliable in NAT environments because each SSL session carries a unique identifier, unlike source IP addresses which may be shared by many clients behind a NAT device.

Bsource address persistence

Source address persistence is unreliable behind a NAT router because multiple clients share the same external IP address, causing all clients from that network to be incorrectly directed to a single server.

CSIP persistence

SIP persistence is designed for Session Initiation Protocol traffic used in VoIP applications, not for HTTPS web traffic.

Ddestination address persistence

Destination address persistence routes traffic based on the destination IP address, which does not maintain client-to-server affinity across a pool of backend servers.

Concept tested: F5 BIG-IP SSL passthrough persistence configuration

Source: https://support.f5.com/csp/article/K7911

Topics

#SSL persistence#NAT#load balancing#HTTPS

Community Discussion

No community discussion yet for this question.

Full 101 Practice