Add Layer 7 HTTP Virtual Servers

Virtual servers receive all the client connections and distribute them among the servers. A virtual server has an IP address, a port, and a protocol TCP.

If a virtual server status is disabled, any new connection attempts to the virtual server are rejected by sending either a TCP RST for the TCP connection or ICMP error message for UDP. New connections are rejected even if there are matching persistence entries for them. Active connections continue to be processed. If a virtual server is deleted or disassociated from a load balancer, then active connections to that virtual server fail.

Note: SSL profile is not supported in the NSX-T Data Center limited export release.

If a client-side SSL profile binding is configured on a virtual server but not a server-side SSL profile binding, then the virtual server operates in an SSL-terminate mode, which has an encrypted connection to the client and plain text connection to the server. If both the client-side and server-side SSL profile bindings are configured, then the virtual server operates in SSL-proxy mode, which has an encrypted connection both to the client and the server.

Associating server-side SSL profile binding without associating a client-side SSL profile binding is currently not supported. If a client-side and a server-side SSL profile binding is not associated with a virtual server and the application is SSL-based, then the virtual server operates in an SSL-unaware mode. In this case, the virtual server must be configured for Layer 4. For example, the virtual server can be associated to a fast TCP profile.

Prerequisites

Verify that application profiles are available. See Add an Application Profile.
Verify that persistent profiles are available. See Add a Persistence Profile.
Verify that SSL profiles for the client and server are available. See Add an SSL Profile.
Verify that server pools are available. See Add a Server Pool.
Verify that CA and client certificate are available. See Create a Certificate Signing Request File.
Verify that a certification revocation list (CRL) is available. See Import a Certificate Revocation List.
Verify that load balancer is available. See Add Load Balancers.

Procedure

From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
Select Networking > Load Balancing > Virtual Servers > Add Virtual Server.

Select L7 HTTP from the drop-down list and enter the protocol details.

Layer 7 virtual servers support the HTTP and HTTPS protocols.

Option	Description
Name and Description	Enter a name and a description for the Layer virtual server.
IP Address	Enter the virtual server IP address. Both IPv4 and IPv6 addresses are supported.
Ports	Enter the virtual server port number.
Load Balancer	Select an existing load balancer to attach to this Layer 4 virtual server from the drop down menu.
Server Pool	Select an existing server pool from the drop-down menu. The server pool consists of one or more servers, also called pool members that are similarly configured and running the same application. You can click the vertical ellipses to create a server pool.
Application Profile	Based on the protocol type, the existing application profile is automatically populated. You can click the vertical ellipses to create an application profile.
Persistence	Select an existing persistence profile from the drop-down menu. Persistence profile can be enabled on a virtual server to allow Source IP and Cookie related client connections to be sent to the same server.

Click Configure to set the Layer 7 virtual server SSL.
You can configure the Client SSL and Server SSL.

Configure the Client SSL.

Option	Description
Client SSL	Toggle the button to enable the profile. Client-side SSL profile binding allows multiple certificates, for different host names to be associated to the same virtual server.
Default Certificate	Select a default certificate from the drop-down menu. This certificate is used if the server does not host multiple host names on the same IP address or if the client does not support Server Name Indication (SNI) extension.
Client SSL Profile	Select the client-side SSL Profile from the drop-down menu.
SNI Certificates	Select the available SNI certificate from the drop-down menu.
Trusted CA Certificates	Select the available CA certificate.
Mandatory Client Authentication	Toggle the button to enable this menu item.
Certificate Chain Depth	Set the certificate chain depth to verify the depth in the server certificates chain.
Certificate Revocation List	Select the available CRL to disallow compromised server certificates.

Configure the Server SSL.

Option	Description
Server SSL	Toggle the button to enable the profile.
Client Certificate	Select a client certificate from the drop-down menu. This certificate is used if the server does not host multiple host names on the same IP address or if the client does not support Server Name Indication (SNI) extension.
Server SSL Profile	Select the Server-side SSL Profile from the drop-down menu.
Trusted CA Certificates	Select the available CA certificate.
Mandatory Server Authentication	Toggle the button to enable this menu item. Server-side SSL profile binding specifies whether the server certificate presented to the load balancer during the SSL handshake must be validated or not. When validation is enabled, the server certificate must be signed by one of the trusted CAs whose self-signed certificates are specified in the same server-side SSL profile binding.
Certificate Chain Depth	Set the certificate chain depth to verify the depth in the server certificates chain.
Certificate Revocation List	Select the available CRL to disallow compromised server certificates. OCSP and OCSP stapling are not supported on the server-side.

Click Additional Properties to configure additional Layer 7 virtual server properties.

Option	Description
Max Concurrent Connection	Set the maximum concurrent connection allowed to a virtual server so that the virtual server does not deplete resources of other applications hosted on the same load balancer.
Max New Connection Rate	Set the maximum new connection to a server pool member so that a virtual server does not deplete resources.
Sorry Server Pool	Select an existing sorry server pool from the drop-down menu. The sorry server pool serves the request when a load balancer cannot select a backend server to the serve the request from the default pool. You can click the vertical ellipses to create a server pool.
Default Pool Member Port	Enter a default pool member port, if the pool member port for a virtual server is not defined. For example, if a virtual server is defined with port range 2000-2999 and the default pool member port range is set as 8000-8999, then an incoming client connection to the virtual server port 2500 is sent to a pool member with a destination port set to 8500.
Admin State	Toggle the button to disable the admin state of the Layer 7 virtual server.
Access Log	Toggle the button to enable logging for the Layer 7 virtual server.
Log Significant Event Only	This field can only be configured if access logs are enabled. Requests with an HTTP response status of >=400 are treated as a significant event.
Tags	Select a tag from the drop-down list. You can specify a tag to set a scope of the tag.

Click Save.