A new knob called use_service_ssl_mode is introduced in the pool configuration. When this knob is enabled, the server-side connection’s SSL mode is decided based on the client-side connection mode.

The SSL mode of the connection to the server is decided by the SSL mode on the virtual service port on which the request was received.

Note:

This knob can currently be configured only using the CLI/API.

When both use_service_ssl_mode and use_service_port are configured, SSL traffic is sent to the server for SSL-enabled VS service ports, using the pool’s SSL profile/certificate settings. For non-SSL enabled VS service ports, non-SSL traffic is sent to the server.

Refer to the table below:

| use_service_ssl_mode | Pool SSL | Traffic Sent to the Backend Server |
|---|---|---|
| False | False | All traffic plaintext |
| False | True | All traffic SSL |
| True | True | For SSL-enabled VS service ports, SSL traffic using Pool SSL profile/cert settings. For the non-SSL enabled VS service ports, non-SSL traffic. |

For example, if the VS has received non-SSL traffic on port 8081, NSX Advanced Load Balancer will send non-SSL traffic to the back-end servers on port 8081. Similarly, if the VS has received SSL traffic on port 8443, NSX Advanced Load Balancer will send SSL traffic to the back-end servers on port 8443, using the SSL settings configured at the pool level.

Note:
  • This knob can only be enabled if use_service_port (Disable port translation) is set to true. NSX Advanced Load Balancer then keeps the client’s destination port when connecting to the back-end server.

  • Configure the ssl_profile on the pool to use the use_service_ssl_mode option.
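
The decision table and the two prerequisites above can be checked offline against an exported configuration. The following is an added example, not code from the product or its documentation; the dictionary layout and the `port` and `enable_ssl` keys are assumed shapes for illustration, and the sample values are constructed.

```python
# Added example: models the back-end SSL decision described on this page.
# The "port" and "enable_ssl" keys and the dict layout are assumptions.

def backend_modes(pool, vs_services):
    """Return ({vs_port: "ssl" | "plaintext"}, [problems]) for one pool."""
    per_port = bool(pool.get("use_service_ssl_mode"))
    keep_port = bool(pool.get("use_service_port"))
    pool_ssl = bool(pool.get("ssl_profile"))

    problems = []
    # Prerequisites from the notes: the knob needs port translation disabled
    # and an SSL profile configured on the pool.
    if per_port and not keep_port:
        problems.append("use_service_ssl_mode set but use_service_port is false")
    if per_port and not pool_ssl:
        problems.append("use_service_ssl_mode set but pool has no ssl_profile")
    if problems:
        return {}, problems

    modes = {}
    for svc in vs_services:
        # Knob on: follow the SSL setting of the VS service port.
        # Knob off: pool SSL alone decides for every port.
        ssl = bool(svc["enable_ssl"]) if per_port else pool_ssl
        modes[svc["port"]] = "ssl" if ssl else "plaintext"
    return modes, problems


def plaintext_ports(pool, vs_services):
    """VS ports whose traffic reaches the back-end servers unencrypted."""
    modes, _ = backend_modes(pool, vs_services)
    return sorted(port for port, mode in modes.items() if mode == "plaintext")


# Constructed sample input: the two ports from the example above.
SERVICES = [{"port": 8081, "enable_ssl": False},
            {"port": 8443, "enable_ssl": True}]
POOL = {"use_service_ssl_mode": True, "use_service_port": True,
        "ssl_profile": "constructed-ssl-profile"}

if __name__ == "__main__":
    print(backend_modes(POOL, SERVICES))
    print("plaintext to back end:", plaintext_ports(POOL, SERVICES))
```

Running `plaintext_ports` over each pool gives a quick list of ports where back-end traffic is unencrypted, which is the security-relevant side effect of enabling the knob on a VS that also has non-SSL service ports.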