101 · Question #571
HTTPS traffic is being passed from behind a NAT router, through a load balancer, to servers without being decrypted. What is the F5-recommended persistence method in this situation?
The correct answer is A. SSL session ID persistence. When HTTPS traffic traverses a load balancer without SSL decryption, SSL session ID persistence is the F5-recommended method because it uses data visible in the unencrypted SSL handshake.
Question
HTTPS traffic is being passed from behind a NAT router, through a load balancer, to servers without being decrypted. What is the F5-recommended persistence method in this situation?
Options
- ASSL session ID persistence
- Bsource address persistence
- CSIP persistence
- Ddestination address persistence
How the community answered
(35 responses)- A80% (28)
- B11% (4)
- C6% (2)
- D3% (1)
Why each option
When HTTPS traffic traverses a load balancer without SSL decryption, SSL session ID persistence is the F5-recommended method because it uses data visible in the unencrypted SSL handshake.
SSL session ID persistence allows the BIG-IP to inspect the SSL session identifier present in the unencrypted SSL ClientHello and ServerHello handshake messages, routing the client to the same server without needing to decrypt the payload. This approach is reliable in NAT environments because each SSL session carries a unique identifier, unlike source IP addresses which may be shared by many clients behind a NAT device.
Source address persistence is unreliable behind a NAT router because multiple clients share the same external IP address, causing all clients from that network to be incorrectly directed to a single server.
SIP persistence is designed for Session Initiation Protocol traffic used in VoIP applications, not for HTTPS web traffic.
Destination address persistence routes traffic based on the destination IP address, which does not maintain client-to-server affinity across a pool of backend servers.
Concept tested: F5 BIG-IP SSL passthrough persistence configuration
Source: https://support.f5.com/csp/article/K7911
Topics
Community Discussion
No community discussion yet for this question.