Alteon AD3 and SSL and 3rd party payment gateways

Post by edwar » Wed, 24 Sep 2003 20:27:53


When a user is about to make a booking at a non-secure http site, he
will be forwarded to a 3rd-party payment gateway with SSL. When the
acknowledgement returns, does the AD3 know which backend server to
address? Ideally, it should be the one the user has been browsing.

I am asking this because we had a similar problem with Foundry's
ServerIron XL. When the acknowledgement returns from the payment
gateway, it treats it as a new session/user and then load-balances it
again.

We know that SSL is not a problem when there is only the user and
the server, but now that there is a 3rd party website involved, is the AD3
capable of handling such a situation? Would an isd-SSL accelerator be
required or any other solutions that are viable?

Any suggestions on products that can actually handle this will be
deeply appreciated.

Regards,
Edward
 
 
 

Post by Jim Sanche » Thu, 25 Sep 2003 01:56:29

In article < XXXX@XXXXX.COM >,
XXXX@XXXXX.COM says...
Edward - I have tried to reply via email but your mailbox is full.
--
Jim Sanchez - Bellevue WA
JH_Sanchez AT hotmail.com

 
 
 

Post by Angle » Thu, 25 Sep 2003 12:19:43

Good question for the Load Balancing mailing list, http://www.yqcomputer.com/
An excellent resource. It will get answered there.

Angler
 
 
 

Post by Jim Sanche » Thu, 25 Sep 2003 23:41:39

In article < XXXX@XXXXX.COM >,
XXXX@XXXXX.COM says...
You cannot use cookie persistence without an SSL accelerator on the AD3
(or any other load balancer) because the switch cannot see the cookie in
the encrypted packet. However, there are other methods of persistence.
First, you can use client IP hashing to select the server. This will
guarantee that as long as the client's IP address does not change they
always go to the same server. Only problem here is with AOL clients who
come from mega-proxies. If you have a reasonable distribution of IP
addresses this works just fine. Another way is to use SSL session ID#
which works kinda like a cookie but is outside the encrypted portion of
the packet. This also works fine BUT older versions of Internet
Explorer (5.0 I think) broke it by renegotiating the session ID# every
two minutes (what were those idiots thinking!). This was corrected by
the service patch.

Hope this helps. The SSL accelerator is a very nice solution but it
does cost some $$

--
Jim Sanchez - Bellevue WA
JH_Sanchez AT hotmail.com
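
The two persistence methods named in the reply above (SSL session ID, with client IP hashing as fallback), as an added sketch that is not part of the original thread and is not Alteon code. It assumes the SSL 3.0 through TLS 1.2 hello layout; `BACKENDS`, `StickyTable` and `make_hello` are hypothetical names, and the hello records are constructed sample input.

```python
import hashlib
import struct

BACKENDS = ["web1", "web2", "web3"]  # hypothetical real-server names

def hello_session_id(record: bytes) -> bytes:
    """Return the cleartext session ID of a ClientHello/ServerHello, or b''."""
    if len(record) < 44 or record[0] != 0x16:   # 0x16 = handshake record
        return b""
    if record[5] not in (0x01, 0x02):           # ClientHello / ServerHello
        return b""
    # 5-byte record header + 4-byte handshake header + version(2) + random(32)
    sid_len = record[43]
    sid = record[44:44 + sid_len]
    return sid if sid_len <= 32 and len(sid) == sid_len else b""

def ip_hash_backend(client_ip: str) -> str:
    """Client IP hashing: same address always maps to the same server."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]

class StickyTable:
    """Session-ID persistence; no decryption of the payload is needed."""
    def __init__(self):
        self.by_sid = {}

    def learn(self, server_hello: bytes, backend: str) -> None:
        # The server assigns the session ID in its ServerHello.
        sid = hello_session_id(server_hello)
        if sid:
            self.by_sid[sid] = backend

    def select(self, client_ip: str, client_hello: bytes) -> str:
        # A resuming client repeats the ID; otherwise fall back to IP hash.
        sid = hello_session_id(client_hello)
        return self.by_sid.get(sid) or ip_hash_backend(client_ip)

def make_hello(hs_type: int, session_id: bytes) -> bytes:
    """Build a minimal constructed hello record (sample input only)."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    if hs_type == 0x01:
        body += b"\x00\x02\x00\x2f\x01\x00"     # cipher suites, compression
    else:
        body += b"\x00\x2f\x00"                 # chosen suite, compression
    hs = bytes([hs_type]) + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

A client that renegotiates a new session ID, as the reply describes for older Internet Explorer, misses the table lookup and drops back to the IP hash.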