Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Using a load balancer with the Edge proxy server

Log in to subscribe to topics and get notified when content changes.

Using a load balancer with the Edge proxy server

You can use a load balancer to balance the load across the proxy servers in your Edge Encryption proxy setup. However, you must either configure the environment to return responses to the load balancer instead of the proxy server and configure load balancer iRules, or run the proxy servers on the same port as the load balancer. Otherwise, users cannot view the responses to their requests.

Important: All production environments should include at least two Edge Encryption proxy servers for redundancy.

Edge request processing without a load balancer

If you are not using a load balancer, a request is processed as described below.
  1. The user issues a request from a browser.
  2. The browser sends the request to the Edge proxy server.
  3. The proxy server sends the request to the Edge Encryption instance.
  4. The instance returns the response to the proxy server.
  5. The proxy server adds its own port number in the response header before returning the response to the user's browser.

The request is completed successfully because the user can view the response from the proxy server at the port number specified in the response header.

Edge request processing with a load balancer

However, if you are using a load balancer, the user's browser communicates directly with the load balancer, not with the proxy server. A request is processed as described below.
Note: The following example uses 1025 as the proxy server port number.
  1. The user issues a request from a browser.
  2. The browser sends the request to a load balancer Virtual IP (VIP), also known as a Virtual Server.
  3. The VIP is configured to point to the proxy server (for example, 10.2.200.148:1025), so the load balancer forwards the request to the proxy server.
  4. The proxy server sends the request to the ServiceNow instance.
  5. The ServiceNow instance returns the response to the proxy server.
  6. The proxy server rewrites the location header in the response with values configured in the properties for the Virtual Server.
    • Host: edgencryption.proxy.host
    • HTTP port: edgeencryption.proxy.http.port
    • HTTPS port: edgeencryption.proxy.https.port
  7. The proxy server forwards the response to the load balancer with the location header pointing to the proxy server port.
The outcome depends on whether the load balancer and proxy servers are using the same port.
  • If the load balancer and proxy servers are using the same port, the request succeeds because the user receives the response on the same port identified in the response header.
  • If the load balancer and proxy servers are using different ports, the request fails because the user's browser communicates only with the load balancer, but the response is on the proxy server.

Solutions

To return responses from the load balancer to the clients in your network, determine whether to use proxy servers on the same port as the load balancer, or to configure the load balancer environment instead.
Use proxy servers on the same port as the load balancer
Because the proxy servers and load balancer use the same port, the client browser receives the response on the same port identified in the response header. This solution requires less maintenance and is more performant than configuring the load balancer environment.
Verify that the host and port properties in the edgeencryption.properties file to point to the port running both the load balancer and Edge proxies. The host must point to the load balancer. Properties to configure include:
  • edgencryption.proxy.host: Set the value to the load balancer host machine.
  • edgeencryption.proxy.http.port: Set the value to the port used by both the load balancer and the Edge proxies.
  • edgeencryption.proxy.https.port: Set the value to the port used by both the load balancer and the Edge proxies.

For more information on Edge Encryption properties, see Edge Encryption properties.

Configure the load balancer to rewrite the response
If the load balancer and proxy servers are using different ports, configure the load balancer to rewrite the response before forwarding it to the client browser. The load balancer must terminate the SSL connection with the Edge proxy, rewrite the response using an iRule, and recertify and forward the response to the browser. This solution enables you to configure proxy servers on different ports from the load balancer, but can cost more in maintenance and performance. In this configuration:
  1. The instance sends a response to the Edge proxy, which forwards the response to the load balancer.
  2. The load balancer terminates the SSL connection.
  3. The load balancer uses an iRule to rewrite the response, changing the port in the response location header to the load balancer port.
  4. The load balancer recertifies the response and forwards it to the client browser. To recertify the response, the load balancer must host the servicenow certificate and private key.

Configure the load balancer

If the load balancer and proxy servers are using different ports, configure the load balancer to rewrite the response before forwarding it to the client browser. The load balancer must terminate the SSL connection with the Edge proxy, rewrite the response using an iRule, and recertify and forward the response to the browser. This solution enables you to configure proxy servers on different ports from the load balancer, but can cost more in maintenance and performance.

Before you begin

Role required: admin

Procedure

  1. Add the servicenow certificate and private key to the load balancer. These files must be maintained and up-to-date.
  2. Configure the load balancer to terminate the SSL connection, modify the response from the instance, and recertify and forward the response to the client browser.
    Create scripts or iRules on the load balancer to rewrite the response location header to use the load balancer port. This enables the client browser communicating with the load balancer to receive the response. To learn more about iRules, see F5 load balancer documentation.

Result

The load balancer intercepts each response from the proxy server and rewrites the response location header before forwarding it to the client.
Feedback