An application profile defines the behavior of the load balancer for a particular type of network traffic. After configuring a profile, you associate it with a virtual server. The virtual server then processes traffic according to the values specified in the profile. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.

When you create a profile for HTTPS traffic, the following HTTPS traffic patterns are allowed:
  • Client -> HTTPS -> LB (terminate SSL) -> HTTP -> servers
  • Client -> HTTPS -> LB (terminate SSL) -> HTTPS -> servers
  • Client -> HTTPS -> LB (SSL passthrough) -> HTTPS -> servers
  • Client -> HTTP -> LB -> HTTP -> servers

Procedure

  1. Open Edge Gateway Services.
    1. In the top navigation bar, click Networking and click Edge Gateways.
    2. Select the edge gateway that you want to edit and click Services.
  2. Navigate to Load Balancer > Application Profiles.
  3. Click the Create button.
  4. Enter a name for the profile.
  5. Configure the application profile.
    Option: Description
    Type: Select the protocol type used to send requests to the server. The list of required parameters depends on the protocol you select. Parameters that are not applicable to the protocol you selected cannot be entered. All other parameters are required.
    Enable SSL Passthrough: Click to enable SSL authentication to be passed through to the virtual server. Otherwise SSL authentication takes place at the destination address.
    HTTP Redirect URL: (HTTP and HTTPS) Enter the URL to which traffic that arrives at the destination address should be redirected.
    Persistence: Specify a persistence mechanism for the profile.

    Persistence tracks and stores session data, such as the specific pool member that serviced a client request. This ensures that client requests are directed to the same pool member throughout the life of a session or during subsequent sessions. The options are:

    • Source IP

      Source IP persistence tracks sessions based on the source IP address. When a client requests a connection to a virtual server that supports source address affinity persistence, the load balancer checks to see if that client previously connected, and if so, returns the client to the same pool member.

    • MSRDP

      (TCP Only) Microsoft Remote Desktop Protocol persistence (MSRDP) maintains persistent sessions between Windows clients and servers that are running the Microsoft Remote Desktop Protocol (RDP) service. The recommended scenario for enabling MSRDP persistence is to create a load balancing pool that consists of members running a Windows Server guest OS, where all members belong to a Windows cluster and participate in a Windows session directory.

    • SSL Session ID

      SSL Session ID persistence is available when you enable SSL passthrough. SSL Session ID persistence ensures that repeat connections from the same client are sent to the same server. Session ID persistence allows the use of SSL session resumption, which saves processing time for both the client and the server.

    Cookie Name: (HTTP and HTTPS) If you specified Cookie as the persistence mechanism, enter the cookie name. Cookie persistence uses a cookie to uniquely identify the session the first time a client accesses the site. The load balancer refers to this cookie when connecting subsequent requests in the session, so that they all go to the same virtual server.
    Mode: Select the mode by which the cookie should be inserted. The following modes are supported:

    • Insert

      The edge gateway sends a cookie. When the server sends one or more cookies, the client will receive one extra cookie (the server cookies plus the edge gateway cookie). When the server does not send any cookies, the client will receive the edge gateway cookie only.

    • Prefix

      Select this option when your client does not support more than one cookie.
      Note: All browsers accept multiple cookies. But you might have a proprietary application using a proprietary client that supports only one cookie. The Web server sends its cookie as usual. The edge gateway injects (as a prefix) its cookie information in the server cookie value. This added cookie information is removed when the edge gateway sends it to the server.

    • App Session

      For this option, the server does not send a cookie. Instead, it sends the user session information as a URL. For example, http://example.com/admin/UpdateUserServlet;jsessionid=OI24B9ASD7BSSD, where jsessionid is the user session information and is used for the persistence. It is not possible to see the App Session persistence table for troubleshooting.

    Expires in (Seconds): Enter a length of time in seconds that persistence stays in effect. Must be a positive integer in the range 1–86400.
    Note: For L7 load balancing using TCP source IP persistence, the persistence entry times out if no new TCP connections are made for a period of time, even if the existing connections are still alive.
    Insert X-Forwarded-For HTTP header: (HTTP and HTTPS) Select Insert X-Forwarded-For HTTP header for identifying the originating IP address of a client connecting to a Web server through the load balancer.
    Note: Using this header is not supported if you enabled SSL passthrough.
    Enable Pool Side SSL: (HTTPS Only) Select Enable Pool Side SSL to define the certificate, CAs, or CRLs used to authenticate the load balancer from the server side in the Pool Certificates tab.
  6. (HTTPS only) Configure the certificates to be used with the application profile. If the certificates you need do not exist, you can create them from the Certificates tab.
    Option: Description
    Virtual Server Certificates: Select the certificate, CAs, or CRLs used to decrypt HTTPS traffic.
    Pool Certificates: Define the certificate, CAs, or CRLs used to authenticate the load balancer from the server side.
    Note: Select Enable Pool Side SSL to enable this tab.
    Cipher: Select the cipher algorithms (or cipher suite) negotiated during the SSL/TLS handshake.
    Client Authentication: Specify whether client authentication is to be ignored or required.
    Note: When set to Required, the client must provide a certificate after the request or the handshake is canceled.
  7. To preserve your changes, click Keep.
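
The Insert and Prefix cookie modes described in step 5, as a simplified round-trip model. This is an added example, not the edge gateway's implementation: the cookie name `LBID`, the member ids, the `~` separator and the function names are all assumptions made for illustration.

```python
# Assumed for this sketch, not taken from the product: the cookie name
# "LBID", the pool member ids, and "~" as the Prefix-mode separator.
POOL = {"web-1", "web-2"}
LB_COOKIE = "LBID"
SEP = "~"


def to_client(mode, server_cookies, member, app_cookie="JSESSIONID"):
    """Cookies the client receives once the gateway has seen the response."""
    out = dict(server_cookies)
    if mode == "insert":
        # Server cookies plus one extra gateway cookie.
        out[LB_COOKIE] = member
    elif mode == "prefix" and app_cookie in out:
        # Still a single cookie: gateway data rides inside its value.
        out[app_cookie] = member + SEP + out[app_cookie]
    return out


def to_server(mode, client_cookies, app_cookie="JSESSIONID"):
    """Return (pool member or None, cookies forwarded to that member)."""
    fwd = dict(client_cookies)
    member = None
    if mode == "insert":
        # Assumption: the gateway cookie is not forwarded to the member.
        candidate = fwd.pop(LB_COOKIE, None)
        member = candidate if candidate in POOL else None
    elif mode == "prefix":
        head, sep, rest = fwd.get(app_cookie, "").partition(SEP)
        # Strip only a prefix that names a real member; the value is
        # client-controlled, so anything else is left untouched.
        if sep and head in POOL:
            member, fwd[app_cookie] = head, rest
    return member, fwd
```

A returned member of `None` stands for "no persistence entry", in which case the request is balanced like a first visit.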
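
How a pool member can consume the X-Forwarded-For header from step 5 without letting clients choose their own logged address. This is an added example, not part of the product documentation; the load balancer address `192.0.2.10` and the function names are assumptions, and the right-to-left walk works whether the gateway appends to or replaces a client-supplied header.

```python
import ipaddress

# Assumption: the address the edge gateway uses toward pool members.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_values):
    """Return the address to log, rate-limit or apply ACLs on.

    peer       -- source address of the TCP connection to the pool member
    xff_values -- every X-Forwarded-For header value, in received order
    """
    peer_addr = ipaddress.ip_address(peer)
    # A request that did not arrive through the load balancer gets no say
    # over its own identity: ignore whatever header it carries.
    if not _trusted(peer_addr):
        return str(peer_addr)
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were written by our own
    # proxy, everything further left is text the client could have sent.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain here
        if not _trusted(addr):
            return str(addr)
    # No usable header, for example with SSL passthrough enabled.
    return str(peer_addr)
```
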

What to do next

Add service monitors for the load balancer to define health checks for different types of network traffic. See Create a Service Monitor On An NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal.