
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1593

SSL termination at load balancer or web server

I am looking at the option of terminating SSL at the load balancer level.
I have a couple of questions:
1. From a security audit point of view, is terminating SSL at the load balancer level OK, or is it a violation of any standard? (We are not processing any credit card info on the website.)
2. SSL termination at the load balancer: will it save cost compared to buying SSL for each web server?
3. Is SSL termination at the load balancer better, or is the web server level better?
4. Which load balancer performs better when SSL is added (Cisco, F5, etc.)?

1 Solution

For 1: As long as your network is secure from the load balancer to your webservers, then it is ok.  Essentially SSL is designed to be secure over the internet.  Once the traffic hits your load balancer and is in your network, it is deemed secure anyway.  So there is no violation of any standards.

For 2: You will still need an SSL certificate for each secure URL you will be using.  The advantages to offloading the SSL certificates to a hardware LB are:
- Webservers don't need to spend valuable CPU processing time dealing with the SSL encryption.  End result is faster servers than if they were dealing with SSL.
- Saves time on administration.  If you have a server farm of 10 servers, you don't need to load the SSL certificate on each server.  It just needs to be loaded once onto the load balancer.

For 3: If you can afford to, use the load balancer to offload SSL certs.  Bear in mind this is only really cost effective in a large web environment, or when dealing with really busy websites.

For 4: All load balancers would be pretty much the same with regards to SSL offloading.  I think the trick would be to find a load balancer that does a really good job at load balancing and managing the traffic, as this would be primarily why you would buy a load balancer.  Then just ensure it has capabilities to offload SSL.

I've used F5 and Citrix Netscalers before, and there have been no problems with SSL offloading.

You can also use a software load balancer to offload SSL, such as the IIS ARR module if perhaps you wanted to test the concept out before purchasing a hardware load balancer.
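
An added example, not part of the original answer: when SSL is offloaded, the web servers only see plain HTTP, so the back end should accept requests only from the load balancer and learn the original scheme from a header the load balancer sets. The sketch below is a WSGI middleware doing both; the load balancer subnet, the public host name and the assumption that the load balancer overwrites `X-Forwarded-Proto` on every request are constructed for illustration.

```python
import ipaddress

# Assumptions (constructed sample values): back-end subnet of the load
# balancers and the public host name the certificate is issued for.
TRUSTED_LB_NETS = [ipaddress.ip_network("10.0.0.0/28")]
PUBLIC_HOST = "www.example.com"

def from_load_balancer(remote_addr):
    """True only if the TCP peer is inside a trusted load balancer subnet."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_LB_NETS)

class OffloadGuard:
    """WSGI middleware for a web server behind an SSL-offloading load balancer."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # 1. Refuse traffic that bypassed the load balancer; it was never
        #    encrypted and any forwarded headers on it are attacker-controlled.
        if not from_load_balancer(environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct back-end access denied"]
        # 2. The load balancer is assumed to overwrite X-Forwarded-Proto.
        #    Anything other than exactly "https" is treated as plain HTTP.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto != "https":
            target = "https://" + PUBLIC_HOST + environ.get("PATH_INFO", "/")
            start_response("301 Moved Permanently", [("Location", target)])
            return [b""]
        # 3. Tell the application the client connection was HTTPS, so it
        #    builds https:// links and marks cookies as Secure.
        environ["wsgi.url_scheme"] = "https"
        return self.app(environ, start_response)

def hello_app(environ, start_response):
    """Minimal application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("scheme=" + environ["wsgi.url_scheme"]).encode()]

def demo(remote_addr, proto=None):
    """Run one constructed request through the guard; return (status, headers, body)."""
    environ = {"REMOTE_ADDR": remote_addr, "PATH_INFO": "/login",
               "wsgi.url_scheme": "http"}
    if proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = proto
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(OffloadGuard(hello_app)(environ, start_response))
    return seen["status"], seen["headers"], body
```

The same restriction is normally also enforced at the network layer, with the web servers reachable only from the load balancer's subnet.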

