Critical points to be taken care as best practice while configuring reverse proxy or load balancer infront of SapphireIMS application server

While configuring reverse proxy or load balancer in-front of SapphireIMS application server, following things to be looked into, please note that this is generic article among reverse proxy, load balancer or web application firewall ( gateway) and suggested to use the points which are relevant to specific device -

  1. SapphireIMS application user sessions to be handled using sticky session (sometimes referred as session affinity and this term typically used for client source IP address) with SapphireIMS user session cookie. This is not applicable for components which use stateless REST API, eg: SapphireIMS data collector agents.
  2. If SapphireIMS is running on HTTP and reverse proxy or load balancer is running on HTTPS, SSL offloading or termination needs to be taken care
  3. In case SSL offloading or termination is in place, location header redirects to be rewritten using URL-Rewrite option
  4. In case SSL offloading or termination is in place along with SapphireIMS redirection is enabled with HTTPS only support and if client access application using HTTP which supposed to be redirected to HTTPS, then you need to configure X-forwarded-proto settings at both SapphireIMS and reverse proxy/load balancer level, Please refer X-Forwarded-Proto header
  5. If you need to get the actual client IP address at application instead of reverse proxy or load balancer IP, then you need to configure proxy-address-forwarding configuration at SapphireIMS and at reverse proxy or load balancer, X-Forwarded-For and X-Forwarded-Proto HTTP headers configuration along with reserving the original Host HTTP header needs to be handled. Please refer X-Forwarded-* header. Very important point to consider here is, if there is end-end encryption with SSL pass-through which typically happens at layer 4, then header association cannot be done hence you may not see actual client IP address and as well application cookies will not work as sticky session and may need to use affinity with client IP address. Some LB/Reverse proxy support re-encrypting the traffic( SSL/TLS bridging or re-encryption) followed by SSL termination through which we can achieve to get the actual client IP. Even we can look at transparent mode explained in article Transparent mode
  6. Right traffic distribution algorithm to be chosen if load balancing is needed between multiple instance with proper health check specifically on application availability so that high availability is taken care
  7. Hardware or software load balancer should be fine however preferably layer 7 load balancing should be used. Please refer Layer 4 and 7 difference to check the capabilities.
  8. If back-end application server has to be on SSL, then wildcard certificate or certificate with subject alternative name(SAN) is needed. The certificates have to be configured at load balancer and all back-end servers

Please refer SSL Offload/Bridging/Pass through for understanding on SSL offload, bridging and pass through.