Specifications
Managing Servers
Equalizer Installation and Administration Guide 87
• the injection of custom headers to relay to the server the fact that Equalizer terminated the
HTTPS connection and performed SSL processing on the incoming request (see the previous
section, above)
• the "munging", or translation, of HTTP redirects to HTTPS redirects (see the description of
the dont munge flag under “Adding a Virtual Cluster”, in Step 12 on page 71)
One flag which frequently affects the behavior of these options is the once only flag. This flag is
present to speed up processing of HTTP requests by only looking at the first request, but since
HTTPS has a lot of overhead associated with it anyway, turning this flag off does not reduce
HTTPS performance. Furthermore, having this flag on for HTTPS clusters causes some applications
to not function as needed.
In general, it is recommended to turn the once only flag off for HTTPS clusters. This is particularly
true if you're using Microsoft Internet Information Services (IIS) on the servers in your cluster.
For most applications, Xcel will sustain several hundred HTTPS transactions per second with no
noticeable degradation in the performance of either the cluster or Equalizer.
In terms of bulk data throughput, the theoretical maximum throughput for Xcel/HTTPS is roughly
50% of that for the Equalizer in HTTP mode: Equalizer models with gigabit Ethernet can move
HTTP traffic at wire speed (1Gbit/s) for large transfers, while Xcel can encrypt only approximately
400Mbit/s with 3DES/SHA1 or 600Mbit/s with RC4/MD5. This reflects the fact that Xcel is
primarily a transaction accelerator, not a bulk data encryptor. It is noteworthy, however, that even
when moving bulk data at 600Mbit/s, Xcel removes the entire load of HTTPS/SSL processing from
the servers in the cluster.
One final issue to be aware of is that Xcel supports only 3DES and RC4 encryption; it does not
support AES. It also does not support SSL or TLS cipher suites that use ephemeral or anonymous
Diffie-Hellman exchange (cipher suites whose names contain "EDH", "DHE", or "ADH").
The default configuration for HTTPS clusters created with an Xcel card present in the system will
not use the unsupported cipher suites described above. If, however, you modify the cipher suite
string in the advanced cluster properties to use them, or create a cluster before installing the Xcel
card and then add an Xcel card to the system, they may be negotiated with clients. This will not
lead to incorrect operation of the system, but will cause encryption to occur in software (which
does not perform as well as the Xcel card).
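The following check is an added example, not part of the Equalizer guide or its software: it applies the Xcel limits stated above to a list of cipher suite names and reports which would be handled by the card and which would fall back to software. It assumes OpenSSL-style suite names that have already been expanded from the cluster's cipher suite string; the function names and the sample list are constructed for illustration.

```python
# Added example (not from the Equalizer guide): apply the Xcel limits stated
# above to a list of OpenSSL-style cipher suite names.

DH_MARKERS = ("EDH", "DHE", "ADH")        # ephemeral/anonymous DH, per the guide
HW_CIPHERS = ("DES-CBC3", "3DES", "RC4")  # name fragments for 3DES and RC4


def xcel_offload(suite):
    """Return (offloaded, reason) for one cipher suite name."""
    name = suite.strip().upper()
    # The guide's rule is "names contain", so substring matching is used;
    # this also catches ECDHE suites, whose names contain "DHE".
    for marker in DH_MARKERS:
        if marker in name:
            return False, "key exchange %s not supported by Xcel" % marker
    # Assumption: any remaining name mentioning 3DES or RC4 is treated as
    # supported; the guide does not list individual suites.
    if any(frag in name for frag in HW_CIPHERS):
        return True, "3DES/RC4 suite, handled by Xcel"
    return False, "cipher is not 3DES or RC4 (for example AES)"


def audit(suites):
    """Split suite names into hardware-offloaded and software-fallback."""
    report = {"hardware": [], "software": []}
    for suite in suites:
        offloaded, reason = xcel_offload(suite)
        if offloaded:
            report["hardware"].append(suite)
        else:
            report["software"].append((suite, reason))
    return report


# Constructed sample: the expanded suite list of a hypothetical cluster.
SAMPLE = [
    "DES-CBC3-SHA", "RC4-MD5", "RC4-SHA",
    "AES128-SHA", "AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA", "DHE-RSA-AES256-SHA", "ADH-RC4-MD5",
    "DES-CBC-SHA",
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    print("Offloaded to Xcel:", ", ".join(result["hardware"]))
    for name, why in result["software"]:
        print("Software fallback: %-22s %s" % (name, why))
```

This check reports offload eligibility only, not cipher strength: RC4 has since been prohibited in TLS by RFC 7465, and 3DES is likewise deprecated.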
Managing Servers
In this section, you will learn how to work with servers: adding them, adjusting their static weight,
shutting them down, and deleting them.
Server Software Configuration
Please observe the following guidelines and restrictions when configuring the software that is
running on your servers:
• If the spoof flag is turned on for a cluster (the default), you should configure your network
topology so that Equalizer is the gateway for all traffic for its virtual clusters. Each server in a
cluster should be configured to use Equalizer as its default gateway. This way, all packets that
come through Equalizer from clients will pass back through Equalizer and then to the clients.