SSL offloading refers to outsourcing encryption/decryption of network traffic to an outside device, thus relieving web servers of their responsibility of handling this CPU-intensive task, which could otherwise negatively impact performance.
With SSL offloading, an ADC appliance intercepts SSL-encrypted traffic, decrypts it, and then forwards it to the services associated with virtual servers. This method provides an alternative to SSL bridging, which requires manually assigning and binding an RSA key.
Understanding SSL Offloading
SSL offloading (also called SSL termination or acceleration) refers to shifting the work of encrypting and decrypting traffic away from web servers so that their processing power is free for delivering content. With a third-party device, such as an accelerated SSL termination service provider, handling SSL, web application servers can focus on quickly delivering requested information to users.
To achieve this, a load balancer is employed; this device evens out workload distribution among various resources and devices. Here, the load balancer handles encryption/decryption before sending plaintext data directly to its least-occupied backend server.
SSL offloading is an increasingly popular technique to reduce server stress from CPU-intensive tasks, but there remains a trade-off between speed and security when employing this technique.
Virtual SSL accelerators (VSSLs) are another effective method for offloading SSL. They are hardware or software solutions tailored specifically to offload the SSL handshake, an intricate two-step process involving encryption and decryption that is one of the primary consumers of web application servers' resources.
VSSLs typically use an ASIC processor dedicated solely to processing SSL protocol traffic, which lets them process it much faster than general-purpose computers. They can be deployed in DMZs to reduce load on application servers and to ward off malicious attacks more securely, providing increased performance while decreasing costs without investing in expensive specialized hardware.
Importance of SSL Offloading
SSL encryption fortifies the connection between the server and the user by encoding the data. However, the encryption process is heavily CPU-intensive, and the strain intensifies during session initiation, or 'handshake', where client-server authentication occurs. This demand can exhaust system resources and threaten website functionality. SSL offloading provides a proactive solution by redirecting encryption tasks to specialized devices, freeing up resources and enhancing the web server's performance.
Two prominent techniques to offload SSL are SSL passthrough and SSL bridging, both of which leverage application delivery controllers to unburden the web servers. In SSL passthrough, data packets are encrypted at the client end and decrypted by the load balancer or proxy server before being forwarded to the web server, and the reverse on the way back. Because it allows concurrent functions such as header insertion, it is often preferred.
SSL bridging mirrors this process but re-encrypts the data at the server end before sending it back to the client. This method provides a higher level of security, since it minimizes data exposure to potential attackers during the transfer. It also allows security features such as sandboxing and anti-virus scanning for comprehensive protection.
In essence, offloading SSL from web servers both enhances performance and fortifies data security: it lightens the server load and boosts overall performance.
Configuring SSL Offloading
SSL offloading eases the burden on web servers by delegating the task of encrypting and decrypting SSL traffic to another specialized server, such as an application delivery controller (ADC). This relief from intensive CPU usage allows the server to dedicate resources to cater to other vital applications.
ADCs serve more than just the function of SSL offloading; they also perform inspections and header insertions that can significantly enhance server performance. The primary SSL offloading methods are Acceleration and Termination.
Acceleration-based SSL offloading empowers a NetScaler appliance to decrypt incoming HTTPS connections and forward them as plaintext to the backend web servers of a virtual server. This process liberates the CPU resources on the web servers, improving performance.
To enable SSL acceleration on a virtual server, follow these steps:
- Navigate to Traffic Management > Load Balancing > Services: This opens the services settings.
- Create a new service with an SSL protocol setting: This creates a dedicated service for SSL offloading.
- Assign an SSL-based virtual server to this new service and specify the port number: This routes SSL traffic correctly.
- Use an SSL certificate/key pair on this virtual server before binding it with its host service: This is essential to secure SSL traffic.
- Add a rewriting rule in the SharePoint site: Insert an HTTPS session header by setting the x-front-end-https value to "on". This signals SharePoint to handle SSL offloading and manage the traffic appropriately.
These steps allow you to effectively offload SSL from your server to a NetScaler ADC, enabling optimal performance while maintaining secure connections.
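Added example (not from the original article, NetScaler or SharePoint): once the offloader inserts the header from the last step, the backend sees only plaintext HTTP and must not believe that header when it arrives directly from a client. The code assumes a constructed offloader address range of 10.0.0.0/24 and uses the page's header name; the same check applies unchanged to X-Forwarded-Proto.

```python
"""Honouring the offloader's HTTPS marker only when it came from the offloader.

Behind an SSL offloader the web server receives plaintext HTTP, so it learns
that the client used HTTPS only from a header the offloader inserts (the page
uses x-front-end-https: on). Any client can send that header directly, so the
backend must accept it only from the offloader's own address.
"""
import ipaddress

# Constructed sample: the offloader's backend-facing address range (assumption).
TRUSTED_OFFLOADERS = [ipaddress.ip_network("10.0.0.0/24")]
HTTPS_MARKER = "x-front-end-https"  # header name as given on the page


def from_offloader(remote_addr, trusted=TRUSTED_OFFLOADERS):
    """True if the TCP peer is one of the trusted offloader addresses."""
    try:
        src = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # malformed peer address: never treat as trusted
    return any(src in net for net in trusted)


def request_is_https(remote_addr, headers, trusted=TRUSTED_OFFLOADERS):
    """True only if a trusted offloader asserts the client-facing leg was HTTPS.
    Header names match case-insensitively and values are trimmed."""
    if not from_offloader(remote_addr, trusted):
        return False  # a direct client may not vouch for its own scheme
    for name, value in headers.items():
        if name.lower() == HTTPS_MARKER:
            return value.strip().lower() == "on"
    return False


def sanitize_headers(remote_addr, headers, trusted=TRUSTED_OFFLOADERS):
    """Copy of headers with a spoofed marker dropped, so code further down the
    stack can read the marker without repeating the peer check."""
    keep_marker = from_offloader(remote_addr, trusted)
    return {k: v for k, v in headers.items()
            if keep_marker or k.lower() != HTTPS_MARKER}


def absolute_url(remote_addr, headers, host, path, trusted=TRUSTED_OFFLOADERS):
    """Self-referencing URL (e.g. for a redirect) with the scheme the user saw.
    This is what the marker is for: without it, an application behind an
    offloader emits http:// links although users connected over HTTPS."""
    scheme = "https" if request_is_https(remote_addr, headers, trusted) else "http"
    return f"{scheme}://{host}{path}"
```

Run sanitize_headers at the edge of the application before any framework code reads the scheme; the peer address must be the real TCP source, not another forwarded header.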
Best Practices for SSL Offloading
SSL offloading improves the performance of web servers by outsourcing SSL encryption and decryption to another device, freeing processing power for other purposes and increasing the speed at which requests can be answered. SSL offloading typically happens on an application delivery controller built for this task; these solutions usually also offer load balancing and other network services.
By default, the server hosting your web certificate handles the decryption and encryption of SSL traffic. This can become increasingly taxing during periods of high traffic volumes; furthermore, encryption processes consume CPU resources – particularly those related to two-factor authentication between client and server.
One effective method of SSL offloading is SSL termination, in which a gateway system (often an application delivery controller) explicitly designed for this function acts as the front end for a server or cluster of servers. It handles communications from clients, decrypting their requests and encrypting outgoing replies, which saves server resources and decreases network latency.
SSL acceleration is another method of SSL offloading that uses dedicated hardware components to process encryption. By performing only those necessary tasks, this hardware significantly decreases server workload while improving the response time of web applications and websites. It is also known by other names, such as SSL bridging or proxying.
Troubleshooting SSL Offloading Issues
SSL offloading lets your web servers focus on serving client requests as quickly as possible rather than being consumed by encryption tasks that require computational power and take up CPU resources. By moving these processes onto an SSL accelerator or termination device, SSL offloading removes this burden from web servers and improves performance.
An SSL offloader unit, typically configured as a load balancer, takes decryption and encryption tasks from the web servers and forwards plaintext traffic directly to the backend servers. This eliminates the handshake/session initiation phase between the web server and client and frees up computing power for more simultaneous connections per server.
An SSL offloader reduces SSL processing overhead and can assist in security measures like inspection, reverse proxying, traffic control, persistence of cookies, and more. An SSL offloader generally utilizes special hardware explicitly designed to handle this traffic.
If you are having issues with SSL offloading on your BIG-IP system, turning on SSL debug logging can provide log messages that aid in diagnosing failed handshakes between BIG-IP and clients.
Another way to test SSL offloading is with a dummy load balancing service configured for SSL redirect. To do this, create a virtual server using a loopback IP address such as 127.0.0.1, then bind this dummy service to the port 80 virtual server, which does not support offloading. Once bound, its status appears in the SSL Redirect Virtual Servers list and can be reviewed there.