SSL offloading

SSL offloading is an optional endpoint configuration for the IPS Server in which SSL/TLS encryption and decryption are handled by a separate machine or service, while traffic between that SSL endpoint and the IPS Server machines is plain, unencrypted HTTP. That second hop must therefore run over a network segment you trust (for example the load balancer and the IPS servers on the same private subnet), because anything on the path can read and modify the requests.

In a clustered Planning Space deployment the load balancer is typically where SSL offloading is performed. Note that the URL for the IPS service address (the load balancer) is HTTPS, while the URLs for the individual server machines are HTTP.

Note: When configuring SSL offloading, it is recommended to create and configure a separate certificate from the one bound to the service address via the load balancer. The certificate configured in IPS Server should be used only for signing SAML authentication requests, so that compromise of the private key on an IPS server machine does not also expose the key that protects the service address, and vice versa. In non-production environments it is reasonable to use self-signed certificates.

Advantages of SSL offloading

SSL offloading lets you adopt a perimeter security model for Planning Space instead of full end-to-end HTTPS. TLS processing is handled entirely by an optimized device or service, and the IPS server machines are freed from the certificate and port binding configuration and from the processing cost. This reduces overall system complexity and simplifies security management: there are fewer certificates to manage in fewer locations, less (re)configuration when setting up a cluster, and less server downtime when certificates are renewed.

Offloading is also an important element in evolving the Planning Space and IPS architecture for cloud deployment and containerization, for example to allow server machines to be added and removed rapidly when auto-scaling a cluster.

Load balancer setup for SSL offloading

The load balancer must be configured for HTTPS with a valid SSL certificate. A certificate must also be installed on every IPS server machine in the cluster (see IPS server setup below); this can be the same certificate, but the note above recommends a separate one that is used only for SAML signing.

The load balancer should also listen on its HTTP port (port 80) and redirect (rewrite) all requests received there to its HTTPS listener, so that a client that uses a plain http:// URL for the service address is never served over HTTP.

IPS server setup

Enable SSL offloading in the IPS Manager: go to the Services screen, section Endpoint settings, and tick the option Use SSL offloading. Tick Use default port, or type in a different port number; this is the HTTP port on which each server accepts traffic from the load balancer.

The Service address setting must be set as HTTPS.

The SSL certificate must be installed on every IPS server machine in the cluster (the same certificate on every machine; see the note above on whether this should be the load balancer's certificate or a separate one). Follow the steps in the topic Basic setup for secure HTTP to install the certificate and to give the service account access to the private key. You do not need to register the port or bind the certificate to the port when SSL offloading is used, because the server's endpoint is plain HTTP.

In the Service Certificate section, click the Browse button. Choose Store location 'Local Machine' and Store name 'My', then click 'Search for Certificates' and select the certificate you have just installed.

Note for Azure AppGateway only: set the Monitor Port to port 80 (the same as the HTTP port), because the health probe port must be the HTTP default port.

Click the Save all changes button at the top of the screen.

Finally, log in remotely as a Windows Administrator to every server machine in the cluster and restart the IPS Service.
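The following PowerShell script is an added example for the procedure above; it is not part of the IPS documentation or the product. It is run in an elevated session on each IPS server machine in two phases: -Phase Install imports the certificate into Local Machine\My, grants the IPS service account read access to the private key and warns if a certificate is still bound to the IPS port (none should be when offloading); after the IPS Manager steps have been saved, -Phase Verify restarts the service, confirms the machine answers plain HTTP, and checks that the load balancer's service address presents the expected certificate and redirects HTTP to HTTPS. The PFX path, service account, Windows service name, port, service address and thumbprint are all assumptions for illustration and must be replaced with your own values.

```powershell
# Added example, not IPS product code. All names and paths below are assumptions.
param(
    [ValidateSet('Install', 'Verify')]
    [string]$Phase          = 'Install',
    [string]$PfxPath        = 'C:\certs\ips-offload.pfx',   # assumed PFX exported for the cluster
    [string]$ServiceAccount = 'CONTOSO\svc-ips',             # assumed IPS service account
    [string]$ServiceName    = 'IPS Service',                  # assumed Windows service name
    [int]   $HttpPort       = 80,                             # assumed HTTP endpoint port on each server
    [string]$ServiceAddress = 'planningspace.contoso.local',  # assumed load balancer service address
    [string]$LbThumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567' # assumed load balancer cert thumbprint
)

function Install-OffloadCertificate {
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    # Local Machine \ My is the store the IPS Manager certificate browser reads
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
    # Locate the private key file; CNG keys and legacy CSP keys expose its name differently
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw 'Expected a certificate with an RSA private key' }
    $keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
               Select-Object -First 1
    if (-not $keyFile) { throw "Private key file $keyName not found under $env:ProgramData\Microsoft\Crypto" }
    # Read access is enough for the service account to sign with the key
    $acl = Get-Acl $keyFile.FullName
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')))
    Set-Acl $keyFile.FullName $acl
    $cert
}

function Test-PortBinding {
    # With SSL offloading no certificate should be bound to the IPS port on this machine
    $lines = netsh http show sslcert
    if ($lines -match ":$HttpPort\s*$") {
        Write-Warning "A certificate is still bound to port $HttpPort (see netsh http show sslcert); remove it with netsh http delete sslcert"
    }
}

function Get-ServiceAddressCertificate {
    # TLS handshake with the load balancer; validation is bypassed on purpose so the presented cert can be inspected
    $tcp = New-Object System.Net.Sockets.TcpClient($ServiceAddress, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($ServiceAddress)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

function Test-HttpRedirect {
    # The load balancer's HTTP listener should redirect to HTTPS rather than serve content
    $req = [System.Net.HttpWebRequest]::Create("http://${ServiceAddress}/")
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    try {
        $code = [int]$resp.StatusCode
        $loc  = $resp.Headers['Location']
        ($code -in @(301, 302, 307, 308)) -and ($loc -like 'https://*')
    } finally { $resp.Close() }
}

if ($Phase -eq 'Install') {
    $cert = Install-OffloadCertificate
    Write-Host "Installed $($cert.Subject) ($($cert.Thumbprint)); select it under Service Certificate in IPS Manager"
    Test-PortBinding
    if ($cert.Thumbprint -eq $LbThumbprint) {
        Write-Warning 'IPS Server and load balancer share one certificate; a separate SAML-signing certificate is recommended'
    }
} else {
    Restart-Service -Name $ServiceName -Force
    Write-Host "$ServiceName status: $((Get-Service -Name $ServiceName).Status)"
    # The server itself must answer plain HTTP; HTTPS is terminated only at the load balancer
    $local = Test-NetConnection -ComputerName localhost -Port $HttpPort
    Write-Host "Local HTTP port $HttpPort listening: $($local.TcpTestSucceeded)"
    $lbCert = Get-ServiceAddressCertificate
    if ($lbCert.Thumbprint -ne $LbThumbprint) {
        Write-Warning "Service address presents $($lbCert.Thumbprint), expected $LbThumbprint"
    }
    Write-Host "HTTP on service address redirects to HTTPS: $(Test-HttpRedirect)"
}
```

Run .\Set-IpsOffload.ps1 -Phase Install on each server before the IPS Manager steps, and .\Set-IpsOffload.ps1 -Phase Verify after Save all changes. The verify phase deliberately skips certificate chain validation when it connects to the service address, because its purpose is to report which certificate the load balancer is presenting, not to trust it; compare the reported thumbprint with the one you installed on the load balancer.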