Using F5 load balancing to perform SSL offloading requires the following configuration:
- Create an F5 iRule to add Secure and HttpOnly flags to the JSESSIONID cookie.
- Create an F5 iRule to add HSTS flags.
- Disable old insecure encryption algorithms like RC4.
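The first two items can be covered by one iRule attached to the HTTPS virtual server that terminates SSL. The following is an added example, not CTERA's or F5's own code; the one-year max-age value is an assumption to adjust to your policy.

```tcl
when HTTP_RESPONSE {
    # Only touch the session cookie when the portal sets it in this response.
    if { [HTTP::cookie exists "JSESSIONID"] } {
        # Secure: the browser sends the cookie over HTTPS only.
        HTTP::cookie secure "JSESSIONID" enable
        # HttpOnly: the cookie is not readable from client-side script.
        HTTP::cookie httponly "JSESSIONID" enable
    }

    # HSTS: "replace" overwrites an existing header or inserts it if absent,
    # so the response never carries two conflicting policies.
    # max-age=31536000 (one year) is an assumed value.
    HTTP::header replace "Strict-Transport-Security" "max-age=31536000"
}
```

After attaching the iRule, confirm in the browser's developer tools that the Set-Cookie header for JSESSIONID carries both flags and that Strict-Transport-Security appears once on HTTPS responses.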
F5 Best Practices
The following best practices are recommended by CTERA:
- Configure the tcp TCP protocol profile.
- If Idle Timeout is configured, make sure the value is at least 5 minutes (300 seconds), because CTERA handles its own TCP sessions with keepalives.
- If Keep Alive Interval is configured, make sure the value is less than half the value specified for "Send CTTP keepalive messages every" in the virtual portal settings. The "Send CTTP keepalive messages every" setting prevents proxy or load balancer servers from preemptively terminating the connection between a CTERA Agent and the CTERA Portal.
- If Zero Window Timeout is configured, make sure it is as high as possible, for example, 30000.
The following shows recommended F5 settings for the tcp TCP protocol profile.
- Configure the source_addr Persistence profile.
The following shows recommended F5 settings for source_addr Persistence profile.
- After setting the profiles, set up the load balancing for the CTERA virtual servers.