Virtual servers receive all the client connections and distribute them among the servers. A virtual server has an IP address, a port, and a protocol (TCP).

If a virtual server status is disabled, any new connection attempts to the virtual server are rejected by sending either a TCP RST for the TCP connection or an ICMP error message for UDP. New connections are rejected even if there are matching persistence entries for them. Active connections continue to be processed. If a virtual server is deleted or disassociated from a load balancer, then active connections to that virtual server fail.

Note: SSL profile is not supported in the NSX-T Data Center limited export release.

If a client-side SSL profile binding is configured on a virtual server but not a server-side SSL profile binding, then the virtual server operates in an SSL-terminate mode, which has an encrypted connection to the client and plain text connection to the server. If both the client-side and server-side SSL profile bindings are configured, then the virtual server operates in SSL-proxy mode, which has an encrypted connection both to the client and the server.

Associating a server-side SSL profile binding without associating a client-side SSL profile binding is currently not supported. If neither a client-side nor a server-side SSL profile binding is associated with a virtual server and the application is SSL-based, then the virtual server operates in an SSL-unaware mode. In this case, the virtual server must be configured for Layer 4. For example, the virtual server can be associated with a fast TCP profile.

Prerequisites

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select Networking > Load Balancing > Virtual Servers > Add Virtual Server.
  3. Select L7 HTTP from the drop-down list and enter the protocol details.
    Layer 7 virtual servers support the HTTP and HTTPS protocols.
    | Option | Description |
    |---|---|
    | Name and Description | Enter a name and a description for the Layer 7 virtual server. |
    | IP Address | Enter the virtual server IP address. Both IPv4 and IPv6 addresses are supported. |
    | Ports | Enter the virtual server port number. |
    | Load Balancer | Select an existing load balancer to attach to this Layer 4 virtual server from the drop-down menu. |
    | Server Pool | Select an existing server pool from the drop-down menu. The server pool consists of one or more servers, also called pool members, that are similarly configured and running the same application. You can click the vertical ellipses to create a server pool. |
    | Application Profile | Based on the protocol type, the existing application profile is automatically populated. You can click the vertical ellipses to create an application profile. |
    | Persistence | Select an existing persistence profile from the drop-down menu. A persistence profile can be enabled on a virtual server to allow Source IP and Cookie related client connections to be sent to the same server. |

  4. Click Configure to set the Layer 7 virtual server SSL.
    You can configure the Client SSL and Server SSL.
  5. Configure the Client SSL.
    | Option | Description |
    |---|---|
    | Client SSL | Toggle the button to enable the profile. Client-side SSL profile binding allows multiple certificates, for different host names, to be associated with the same virtual server. |
    | Default Certificate | Select a default certificate from the drop-down menu. This certificate is used if the server does not host multiple host names on the same IP address or if the client does not support the Server Name Indication (SNI) extension. To use a 2k/3k/4k certificate/key, use NSX Manager to Create a Self-Signed Certificate, or to Create a Certificate Signing Request File. To use an 8k certificate/key, import the 8k certificate key using Importing and Replacing Certificates. |
    | Client SSL Profile | Select the client-side SSL Profile from the drop-down menu. |
    | SNI Certificates | Select the available SNI certificate from the drop-down menu. |
    | Trusted CA Certificates | Select the available CA certificate. |
    | Mandatory Client Authentication | Toggle the button to enable this menu item. |
    | Certificate Chain Depth | Set the certificate chain depth to verify the depth in the server certificates chain. |
    | Certificate Revocation List | Select the available CRL to disallow compromised server certificates. |
  6. Configure the Server SSL.
    | Option | Description |
    |---|---|
    | Server SSL | Toggle the button to enable the profile. |
    | Client Certificate | Select a client certificate from the drop-down menu. This certificate is used if the server does not host multiple host names on the same IP address or if the client does not support Server Name Indication (SNI) extension. |
    | Server SSL Profile | Select the Server-side SSL Profile from the drop-down menu. |
    | Trusted CA Certificates | Select the available CA certificate. |
    | Mandatory Server Authentication | Toggle the button to enable this menu item. Server-side SSL profile binding specifies whether the server certificate presented to the load balancer during the SSL handshake must be validated or not. When validation is enabled, the server certificate must be signed by one of the trusted CAs whose self-signed certificates are specified in the same server-side SSL profile binding. |
    | Certificate Chain Depth | Set the certificate chain depth to verify the depth in the server certificates chain. |
    | Certificate Revocation List | Select the available CRL to disallow compromised server certificates. OCSP and OCSP stapling are not supported on the server-side. |

  7. Click Additional Properties to configure additional Layer 7 virtual server properties.
    | Option | Description |
    |---|---|
    | Max Concurrent Connection | Set the maximum number of concurrent connections allowed to a virtual server so that the virtual server does not deplete resources of other applications hosted on the same load balancer. |
    | Max New Connection Rate | Set the maximum new connection rate to a server pool member so that a virtual server does not deplete resources. |
    | Sorry Server Pool | Select an existing sorry server pool from the drop-down menu. The sorry server pool serves the request when a load balancer cannot select a backend server to serve the request from the default pool. You can click the vertical ellipses to create a server pool. |
    | Default Pool Member Port | Enter a default pool member port, if the pool member port for a virtual server is not defined. For example, if a virtual server is defined with port range 2000-2999 and the default pool member port range is set as 8000-8999, then an incoming client connection to the virtual server port 2500 is sent to a pool member with a destination port set to 8500. |
    | Admin State | Toggle the button to disable the admin state of the Layer 7 virtual server. |
    | Access Log | Toggle the button to enable logging for the Layer 7 virtual server. |
    | Log Significant Event Only | This field can only be configured if access logs are enabled. Requests with an HTTP response status of >=400 are treated as a significant event. |
    | Tags | Select a tag from the drop-down list. You can specify a tag to set a scope of the tag. |

  8. Click Save.
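
A check of the saved bindings, as an added example that is not part of the original documentation or of NSX-T itself: it classifies a virtual server into the SSL modes described before the procedure and flags the cases that step 6 (Mandatory Server Authentication) makes security-relevant. The dictionary keys and the sample configurations are assumptions constructed for illustration, not the NSX-T API schema.

```python
# Added example. Keys such as "client_ssl" and "mandatory_server_auth" are
# hypothetical names for the settings in the procedure, not NSX-T API fields.

def ssl_mode(vs):
    """Return the SSL mode implied by which SSL profile bindings are present."""
    client = vs.get("client_ssl") is not None
    server = vs.get("server_ssl") is not None
    if client and server:
        return "ssl-proxy"       # encrypted to the client and to the server
    if client:
        return "ssl-terminate"   # encrypted to the client, plain text to the server
    if server:
        return "unsupported"     # server-side binding without a client-side binding
    return "ssl-unaware"         # no bindings; an SSL-based app then needs Layer 4


def audit(vs):
    """Return the findings a reviewer would raise for this virtual server."""
    mode, findings = ssl_mode(vs), []
    if mode == "unsupported":
        findings.append("server-side SSL binding without client-side binding")
    elif mode == "ssl-terminate":
        findings.append("traffic to pool members is plain text")
    elif mode == "ssl-unaware":
        if vs.get("app_is_ssl") and vs.get("layer") != 4:
            findings.append("SSL-based application needs a Layer 4 virtual server")
    else:  # ssl-proxy: check that the backend certificate is actually validated
        server = vs["server_ssl"]
        if not server.get("mandatory_server_auth"):
            findings.append("server certificate is not validated")
        elif not server.get("trusted_ca_certs"):
            findings.append("server authentication enabled without trusted CAs")
    return findings


# Constructed sample configurations (not exported from a real NSX Manager).
SAMPLES = [
    {"name": "web-terminate", "layer": 7, "client_ssl": {"default_cert": "web-cert"}},
    {"name": "web-proxy", "layer": 7, "client_ssl": {"default_cert": "web-cert"},
     "server_ssl": {"mandatory_server_auth": False}},
    {"name": "web-proxy-ok", "layer": 7, "client_ssl": {"default_cert": "web-cert"},
     "server_ssl": {"mandatory_server_auth": True, "trusted_ca_certs": ["internal-ca"]}},
    {"name": "tls-passthrough", "layer": 7, "app_is_ssl": True},
]

if __name__ == "__main__":
    for vs in SAMPLES:
        print(vs["name"], ssl_mode(vs), audit(vs))
```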