SSL termination at load balancer or web server

Posted on 2009-12-23
Last Modified: 2012-05-08
I am looking at the option of terminating SSL at the load balancer level.
I have a couple of questions:
1. From a security audit point of view, is terminating SSL at the load balancer level OK, or is it a violation of any standard? (We are not processing any credit card info on the web site.)
2. SSL termination at the load balancer: will it save cost compared to buying SSL for each web server?
3. Is SSL termination at the load balancer better, or is the web server level better?
4. Which load balancer performs better when SSL is added (Cisco, F5, etc.)?

Question by:mnchandra2009
    1 Comment
    LVL 13

    Accepted Solution


    For 1: As long as your network is secure from the load balancer to your webservers, then it is ok.  Essentially SSL is designed to be secure over the internet.  Once the traffic hits your load balancer and is in your network, it is deemed secure anyway.  So there is no violation of any standards.

    For 2: You will still need an SSL certificate for each secure URL you will be using.  The advantages to offloading the SSL certificates to a hardware LB are:
    - Webservers don't need to spend valuable CPU processing time dealing with the SSL encryption.  End result is faster servers than if they were dealing with SSL.
    - Saves time on administration.  If you have a server farm of 10 servers, you don't need to load the SSL certificate on each server.  It just needs to be loaded once onto the load balancer.

    For 3: If you can afford to, use the load balancer to offload SSL certs.  Bear in mind this is only really cost effective in a large web environment, or when dealing with really busy websites.

    For 4: All load balancers would be pretty much the same with regard to SSL offloading.  I think the trick would be to find a load balancer that does a really good job at load balancing and managing the traffic, as this would be primarily why you would buy a load balancer.  Then just ensure it has capabilities to offload SSL.

    I've used F5 and Citrix Netscalers before, and there have been no problems with SSL offloading.

    You can also use a software load balancer to offload SSL, such as the IIS ARR module, if perhaps you wanted to test the concept out before purchasing a hardware load balancer.
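
With SSL offloaded, the web servers receive plain HTTP and can only learn whether the client side was encrypted from what the load balancer tells them. The following is an added example, not part of the original question or answer: a Python WSGI middleware for the web server that accepts requests only from the load balancer and trusts its `X-Forwarded-Proto` header. The load balancer address, the host name, and the assumption that the load balancer sets `X-Forwarded-Proto` are illustrative.

```python
import ipaddress

# Assumptions (constructed values): the load balancer's inside address and the site name.
TRUSTED_LBS = [ipaddress.ip_network("10.0.0.5/32")]
CANONICAL_HOST = "www.example.com"


def from_trusted_lb(environ):
    """True when the TCP peer is one of the SSL-offloading load balancers."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_LBS)


class OffloadAwareMiddleware:
    """WSGI middleware for a web server that receives plain HTTP from the LB."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        proto = environ.pop("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if not from_trusted_lb(environ):
            # Request bypassed the load balancer, so its headers prove nothing.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access not allowed\n"]
        if proto != "https":
            # Client reached the LB over plain HTTP: redirect to the HTTPS URL.
            location = "https://" + CANONICAL_HOST + environ.get("PATH_INFO", "/")
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]
        # SSL was terminated at the LB; let the app build https:// links.
        environ["wsgi.url_scheme"] = "https"
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["wsgi.url_scheme"].encode()]


def handle(remote_addr, forwarded_proto=None):
    # Send one constructed request through the middleware.
    environ = {"REMOTE_ADDR": remote_addr, "PATH_INFO": "/login", "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    seen = {}
    body = OffloadAwareMiddleware(demo_app)(
        environ, lambda status, headers: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"], b"".join(body)
```

`handle("10.0.0.5", "https")` reaches the application with the scheme set to `https`, while the same header sent from any other address is refused.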

