TLS Configuration with Third-Party Load Balancers

Learn how to configure TLS termination for GO-Global with third-party load balancers to ensure secure, optimized connections between clients, hosts, and web applications.

Published on: Mar 24, 2026
Last updated on: Mar 24, 2026

Introduction

When deploying GO-Global with a third-party load balancer, administrators can choose where to terminate the TLS protocol to balance security and performance. While web applications often benefit from terminating TLS at the load balancer to reduce host workload, GO-Global typically requires fewer connections per session, making both approaches viable. This guide explains when to terminate TLS at the load balancer versus the GO-Global hosts and provides step-by-step instructions for configuring each option securely and efficiently.

When a third-party load balancer is used and the TLS protocol is required (e.g., when clients will connect to the load balancer over the internet), the TLS protocol may be terminated at either the load balancer or the GO-Global Hosts.

With web applications, it is generally desirable to terminate the TLS protocol at the load balancer because this places the load of negotiating the TLS connections on the load balancer, rather than the application hosts. This is important for web applications because web applications generally open many connections to application hosts for each user session. GO-Global, however, generally only opens one connection per session. Therefore, with GO-Global, there is less of a need to terminate the TLS protocol at the load balancer. There are situations, however, where it is desirable to do this.

To terminate TLS at the load balancer

A. Configure the GO-Global Hosts to use the TCP protocol and no encryption:

  1. Run the Admin Console on the Farm Manager.
  2. Click Tools | Host Options.
  3. Click the Security tab.
  4. Under Protocol, select TCP.
  5. Under Encryption, select None.
  6. Click OK.

B. If a failover Farm Manager is used, ensure that it has the same settings.
This may be done by either:

  • Repeating step 1 on the failover Farm Manager
    -or-
  • Copying the HostProperties.xml file from the primary Farm Manager to the failover Farm Manager

C. Configure the load balancer to use the TLS protocol. For example, if using an Amazon Web Services Network Load Balancer, set the Protocol of the Listener to TLS and install the TLS certificate on the load balancer.

If the TLS certificate is a wildcard certificate, the domain specified by the certificate’s Common Name must match the domain of the address that clients use to connect to the load balancer. Alternatively, if the TLS certificate is not a wildcard certificate, the certificate’s Common Name must match the address that clients use to connect to the load balancer.

D. Enable the TLS option in AppController and/or the GO-Global Web App:

  • For AppController, add -tls 1 to the AppController command line.
  • For the GO-Global Web App, add tls=true to the URL or set tls=true in the logon.html file.
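The certificate name rule in step C can be checked before the certificate is installed on the load balancer. The following is an added example, not GO-Global or AWS code: it applies the usual TLS client matching rule (a wildcard covers exactly one leftmost label), and all host and certificate names in it are constructed placeholders.

```python
"""Added example: does a load balancer certificate name cover the address
that clients use to connect? All names below are constructed samples."""


def _labels(name):
    # DNS names are case-insensitive; a trailing dot marks a fully qualified name.
    return name.strip().rstrip(".").lower().split(".")


def name_matches(cert_name, client_host):
    """Return True if cert_name (exact or wildcard) covers client_host."""
    cert, host = _labels(cert_name), _labels(client_host)
    if "" in cert or "" in host or len(cert) != len(host):
        return False
    if any("*" in label for label in cert[1:]):
        return False  # a wildcard is only honoured in the leftmost label
    if cert[0] == "*":
        # Wildcard certificate: the parent domain must be identical, and the
        # "*" stands for one label only (never the bare domain, never "a.b").
        return len(cert) >= 3 and cert[1:] == host[1:]
    if "*" in cert[0]:
        return False  # partial wildcards such as "gg*.example.com" are rejected
    # Non-wildcard certificate: the whole name must equal the client address.
    return cert == host


def covering_names(cert_names, client_host):
    """Names on the certificate (Common Name and, as an assumption here, any
    subjectAltName DNS entries) that cover the address clients connect to."""
    return [n for n in cert_names if name_matches(n, client_host)]


if __name__ == "__main__":
    cert_names = ["*.apps.example.com"]  # constructed certificate name
    for host in ("gg.apps.example.com",      # covered by the wildcard
                 "apps.example.com",         # bare domain: not covered
                 "eu.gg.apps.example.com"):  # two labels deep: not covered
        hits = covering_names(cert_names, host)
        print(f"{host:26} {'OK' if hits else 'NAME MISMATCH'} {hits}")
```

A mismatch reported here is the same condition that makes a TLS-enabled client reject the load balancer's certificate, so it is cheaper to catch before the listener goes live.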

When the TLS protocol is terminated at the load balancer, data is encrypted between the clients and the load balancer but is not encrypted between the load balancer and the hosts. When data must be encrypted end-to-end from the clients to the hosts, the TLS protocol should be terminated at the hosts.

Conclusion

Properly configuring TLS termination in a GO-Global environment ensures secure, efficient communication between clients, load balancers, and hosts. Terminating TLS at the load balancer simplifies management and reduces CPU load on hosts, while terminating TLS at the hosts keeps data encrypted end-to-end. By understanding both methods, administrators can implement the best configuration for their network’s performance, scalability, and security needs.
