What is Load Balancing and Host Affinity on a Reverse ProxySG appliance

book

Article ID: 169241

calendar_today

Updated On:

Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG

Issue/Introduction

Load Balancing and Host Affinity must be used together for the best distribution of workload across multiple servers.

Resolution

Where to configure

You can configure Load Balancing and Host Affinity in 2 different ways:
 

1. Configuration for an individual Forwarding service:
  • for a forwarding host: Configuration > Forwarding > Forwarding Hosts > Forwarding Hosts > New/Edit > Load Balancing and Host Affinity
  • for a forwarding group: Configuration > Forwarding > Forwarding Hosts > Forwarding Groups > New/Edit > Load Balancing and Host Affinity
2. or as a Global configuration for all your Forwarding services that are not individually configured as shown above: Configuration > Forwarding > Forwarding Hosts > Global Defaults > Load Balancing and Host Affinity



About Load Balancing

Load balancing distributes forwarding traffic among multiple IP addresses to achieve optimal resource utilization, to maximize throughput, and to minimize response time. Typically, you use load balancing to equally distribute client requests to more than one server.

The ProxySG's load balancing methods include:

  • 'None' which disables the Load Balancing.
  • the 'Round Robin' method which selects the next system in the list.
  • the 'Least Connections' method which selects the system with the lowest number of connections.
  • the 'URL hash' method which makes a hash of the requests based on the request URL (for Forwarding Groups only).
  • the 'Domain hash' method which makes a hash of the requests based on the request Domain (for Forwarding Groups only).


These above methods of Load Balancing can be configured on your Forwarding services depending on their type:

  • Forwarding Host: this is based on a hostname that is DNS-resolvable to multiple IP addresses that you must configure on your name servers. The load-balancing method that you can select are: None, Round Robin or Least Connections. The method is either explicitly set for that forwarding host only or taken from the configurable global default settings.
  • Forwarding Group: this is a group composed of hosts that you can create in Configuration > Forwarding > Forwarding Hosts > Forwarding Groups > New . It can use one of all the methods listed above: None, Round Robin, Least Connections, URL hash or Domain hash. It can be explicitly selected for a forwarding group only or taken from the global default settings.


About Host Affinity

Host Affinity is the attempt to direct multiple connections by a single user to the same member of the servers group. Host affinity causes the user’s connections to return to the same server until the configurable host affinity timeout period is exceeded.

Host Affinity allows you to do one of the followings:

  • Use the client IP address to determine which group member was last used. When the same client IP sends another request, the host makes the connection to that group member.
  • Place a cookie in the response to the client. When the client makes future requests, the cookie data is used to determine which group member the client last used. The host makes the connection to that group member.
  • For HTTPS, extract the SSL session ID name from the connection information. The host uses the session ID in place of a cookie or client IP address to determine which group member was last used. The host makes the connection to that group member.


Table of the Host Affinity methods:

Setting Description HTTP HTTPS Other Protocols
Global Default Use the default setting for all forwarding hosts on the system. X X X
None Disables host affinity. X X X
Client IP address Uses the client IP address to determine which forwarding group member was last used. X X X
Accelerator Cookie Inserts a cookie into the response to the client. X X  

SSL Session ID

Used in place of a cookie or client IP address. Extracts the SSL session ID name from the connection information.   X  

SSL Session ID

(SGOS version 7.3 and later)

Dynamically uses the session ID, session ticket SHA256 hash, or PSK hash to make multiple client connections to the same forwarding host/group or SOCKS gateway/group.

  X  


Note: If your users are all behind the same NAT IP address, the Host Affinity "Client IP address" will be counterproductive as it will always redirect the traffic to the same server considering it is always the same client - no Load Balancing will be performed. Instead, you may want to use "SSL Session ID" if you use HTTPS or use the "Accelerator Cookie" method otherwise.

Using Load Balancing with Host Affinity

By default, if you use load balancing, each connection is treated independently. The connection is made to whichever member of the load-balancing group the load-balancing algorithm selects.
If host affinity is configured, the system checks the host affinity first (before load balancing) to see if the request comes from a known client. If this is a first connection, then load-balancing is used to select a member of the group to which to connect. After Load Balancing is applied, the host affinity records the result of the load balancing and uses it if that client connects again. Host affinity does not make a connection to a host that health checks report is down; instead, if host affinity breaks, the load-balancing algorithm selects a new group member that is healthy and re-establishes host affinity on that working group member.

Symantec highly recommends you to enable Host Affinity if you want to use Load Balancing. The reason is that the application running behind the Forwarding service may require the user to always be connected to the same server. As an example, we suppose a website with a shopping cart that runs on several load-balanced web servers, but only one web server has the session data for a given user’s shopping cart transaction. If a connection is sent to a different Web server (due to load balancing) that has no data about the user’s session, the user has to start all over again. The ProxySG host affinity helps make sure each request goes to its proper destination; however, the proxy does not interact with the session or with session data.