The TCP proxy terminates client connections to the virtual service, processes the payload, and then opens a new TCP connection to the destination server. Any application data from the client that is destined for a server is forwarded to that server over the new server-side TCP connection. Separating (or proxying) the client-to-server connections enables the NSX Advanced Load Balancer to provide enhanced security, such as TCP protocol sanitization and denial of service (DoS) mitigation.
The TCP proxy mode also provides better client and server performance, such as maximizing client and server TCP maximum segment size (MSS) or window sizes independently, and buffering server responses.
Each connection negotiates the optimal TCP settings for the connecting device. For example, consider a client connecting to the NSX Advanced Load Balancer with a 1400-byte MTU, while the server is connected to it with a 1500-byte MTU. In this case, the NSX Advanced Load Balancer buffers the 1500-byte server responses and sends them back to the client separately as 1400-byte responses.
If the client connection drops a packet, the NSX Advanced Load Balancer handles re-transmission, as the server might have already finished the transmission and moved on to handling the next client request. This optimization is particularly useful in environments with high-bandwidth, low-latency connectivity to the servers and low-bandwidth, high-latency connectivity to the clients (as is typical of Internet traffic).
Use a TCP/UDP profile with the type set to Proxy for application profiles such as HTTP.
To create a TCP proxy network profile:

1. In the New TCP/UDP Profile screen, enter the Name of the network profile.
2. Select TCP Proxy as the Type.
3. Under TCP Proxy, select the mode (Auto Learn or Custom) to set the configuration for this profile.
4. Click Save.
TCP Parameters
The NSX Advanced Load Balancer exposes only the configurable parameters of the TCP protocol that might have tangible benefits on application performance. More configuration options are available through the NSX Advanced Load Balancer CLI or REST API.
Auto Learn
Auto-learn mode sets all parameters to default values and dynamically changes the buffer size.
In practice, many NSX Advanced Load Balancer administrators have found that manual TCP tuning is rarely needed. The default TCP profile in NSX Advanced Load Balancer is set to Auto Learn, and most customers might never have to deviate from this top-level setting. This approach reduces the complexity of managing application delivery platforms and simplifies service consumption by application owners.
With the TCP Proxy profile, enabling Auto Learn lets the NSX Advanced Load Balancer choose the configuration parameters itself, and it can change the TCP settings at any point in time. For example, if an SE (Service Engine) is running low on memory, it might reduce buffers or window sizes to preserve application availability.
| Settings | Default Value |
|---|---|
| TCP Keep Alive | Enabled |
| Idle Duration | 10 minutes. After 10 minutes of idle time, the NSX Advanced Load Balancer initiates the TCP keep-alive protocol. If the other side responds, the connection stays alive. |
| Max Retransmissions | 8 |
| Max SYN Retransmissions | 8 |
| IP DSCP | No special DSCP values used. |
| Enable Nagle's Algorithm | Disabled. |
| Buffer Management | The receive window advertised to the client and to the server changes dynamically. It starts small (2 KB) and can grow when needed up to 64 MB for a single TCP connection. The algorithm also takes into account the amount of memory available in the system and the number of open TCP connections. |