This topic describes the security-related details.

What to read next

Overview of NSX Advanced Load Balancer Security
This section is focused on the security of NSX Advanced Load Balancer Service Engines and Controllers.

SSL Certificates
NSX Advanced Load Balancer supports terminating client SSL and TLS connections at the virtual service, which requires it to send clients a certificate that authenticates the site and establishes secure communications.

Multi-level Domain Support for SSL
NSX Advanced Load Balancer SSL support includes multi-level domain name support. Multi-level domain support allows a pool to be configured with a list of multiple domain names for server certificate verification. During SSL session setup between a back-end server and the Service Engine (SE), NSX Advanced Load Balancer checks the server's certificate for the domain names listed in the pool. If any of the domain names are found in the certificate, the SSL session is allowed. However, if the certificate presented by the back-end server does not contain any of the domain names listed in the pool, the SSL session is not allowed.

Integrating Let's Encrypt Certificate Authority with NSX Advanced Load Balancer System
Let's Encrypt is a free, automated (it automates both issuing and renewing certificates) and open certificate authority. This section summarizes the configuration for the Let's Encrypt integration with NSX Advanced Load Balancer.

OCSP Stapling in NSX Advanced Load Balancer
Online Certificate Status Protocol (OCSP) stapling is an extension of the OCSP protocol. The validity of SSL/TLS certificates can be checked using OCSP stapling. This section discusses OCSP stapling in detail.

Client SSL Certificate Validation
This article explains the application profile and PKI profile configurations.

Client-IP-based SSL Profiles
To terminate client SSL connections, both an SSL profile and an SSL certificate must be assigned to the virtual service. NSX Advanced Load Balancer can accommodate a broader set of security needs within a client community by associating multiple SSL profiles with a single virtual service and allowing the Service Engines to choose one based on the client's IP address.

SSL/TLS Profile
NSX Advanced Load Balancer supports terminating SSL connections between the client and the virtual service, and enabling encryption between NSX Advanced Load Balancer and the back-end servers.

SSL Client Cipher in Application Logs on NSX Advanced Load Balancer
NSX Advanced Load Balancer supports capturing the SSL client's cipher details in the application logs. It records the ciphers sent by a client in the SSL Client Hello packet. The cipher details used to establish an SSL connection with a virtual service are available in the application log.

Server Name Indication
Server Name Indication (SNI) is a method of virtual hosting multiple domain names on an SSL-enabled virtual IP. A single VIP is advertised for multiple virtual services. When a client connects to the VIP, NSX Advanced Load Balancer begins the SSL/TLS negotiation and chooses a virtual service or an SSL certificate only when the client has requested the site by name through the server name (domain) field of the TLS Client Hello. If the requested domain name is configured on the virtual IP, the appropriate certificate is returned to the client and the connection is bound to the proper virtual service.

True Client IP in L7 Security Features
This section discusses the advantages of using True Client IP and its configuration.

App Transport Security
With iOS 9 and later, Apple has mandated minimum security settings to comply with its App Transport Security (ATS) standard. To enable this level of SSL security for applications proxied by NSX Advanced Load Balancer, use the following settings for SSL/TLS Certificates and SSL/TLS Profiles.

Venafi Integration
NSX Advanced Load Balancer can be set up to integrate with the Venafi Trust Protection Platform™ (TPP) to automate SSL and TLS certificate life-cycle management. All certificates are protected and controlled through TPP. This process is transparent to the NSX Advanced Load Balancer Controllers.

Basic Authentication
Basic Authentication is the simplest and most widely used authentication mechanism in HTTP-based services and APIs.

OAuth and OIDC
In traditional authentication methods, the client requests a protected resource on the server by authenticating with a user name and password. To give third-party applications access to restricted resources, the resource owner shares its credentials with the third party.

Requirements for Load Balancing during NTLM Authentication
Many Microsoft applications, such as SharePoint and Outlook Anywhere, rely on NTLM for session authentication. NTLM has a few unique requirements for load balancing, which are addressed in this topic along with recommended changes for affected applications or virtual services.

IPv6 Support in NSX Advanced Load Balancer
With the growing use of IPv6 in traditional networks, web applications are adapting to support both IPv4 and IPv6 requests. The network infrastructure is expected to process client requests originating from IPv4- or IPv6-based devices. Server clustering with server load balancing has emerged as a promising technique for building scalable web servers.

Masking and Removing Personally Identifiable Information (PII) in Applications Logs on NSX Advanced Load Balancer
NSX Advanced Load Balancer collects different types of logs for troubleshooting performance or outage issues, end-user experience, and the success of any application. The NSX Advanced Load Balancer Controller collects HTTP request header and response header information while establishing connections between incoming client requests and the back-end servers.