NOTE: This article has been updated with a correction to the NetSH commands. Previously I documented the “forwarding” should be enabled on the interfaces, but “weak host receive” and “weak host send” is more accurate, as documented here:
Recently we had a problem with a web applicaiton configured for SSL-offload on our Load Balancers. Our F5 Guru (Ben Coddington) recommended that we swich to a “Layer 4 forwarding” configuration. In this mode, the F5 will forward TCP packets from the client directly to the web server without altering packet content, which is just what we needed.
Making this work on Server 2008 took a bit of extra leg work, though. Here are the bones of it:
- On the F5, create a new Virtual Server using the Type category “Performance (Layer 4)”. Make sure that address translation and port translation are disabled.
- Create a new F5 Pool that uses a simple port 443/ssl health monitor. You could use any of a number of load balancing methods, but I cose “Round Robin” because it is in keeping with the “simpler is better” school of thought.
- On the Server 2008 system, add a “loopback adapter” in the Device Manager. (At the root of the MMC console, right-click the computer and select “Add legacy device”. It will be of type “network adapter”, from manfacturer “Microsoft”, and have a name containing “loopback adapter”).
- Assign the load balanced IP to the loopback adpater with netmask “255.255.255.255”.
- Here is the trick… you must now allow “weak host receive” on all network interfaces involved with load balancing on the Server 2008 system, and “weak host send” on the loopback interface. If this step is skipped, the Windows server will drop all packets destined for the load balancer address:
netsh interface ipv4 set interface "Loopback Connection" weakhostreceive=enable set interface "Public Network" weakhostreceive=enabled set interface "Loopback Connection" weakhostsend=enabled exit
- Make sure you have a vaild SSL certificate configured on all RDGateway systems in your farm.
That’s about it… The F5 will forward all packets sent to the load balanced IP to the next pool member in the rotation (barring persistence). The Server 2008 host will receive the packet, and forward it to the loopback adapter (following TCP/IP routing logic). The Server 2008 host will reply directly to the client. Amazingly, it all seems to work.