Insights from the load balancer experts

Thank you to everyone who visited our stand at IP Expo 2015.

Anyone who has been watching Loadbalancer.org over the last few years will have noticed the things that we don't like :-). We've made it pretty clear that we don't like load balancing firewalls and we've also been pretty reluctant to turn our load balancers into a GSLB.

All of us here at Loadbalancer.org hope we are responding to your needs today and preparing for the future.

Anomaly score based blocking is more flexible and effective than simple first error blocking.

One of our favorite methods of load balancing is using Layer 4 DR because it is transparent and fast. Unfortunately, because of Amazon's infrastructure, this is not possible in EC2 so we need to use another method which means we are left with layer 4 NAT and transparent HAproxy using TProxy.

Denial of Service (DOS) attacks can be used to degrade or cripple the functionality of a site.

Is getting an A+ rating with the Qualys scanner starting to feel a bit like chasing a mythical unicorn? Every time you get close to catching and keeping the beast — it run's away and they change the rules again!

There seems to have been so much hype over the recent bash bug, shell shock! And there were all the people in the Microsoft world thinking YES we are so cool we are NOT affected by it!

Understandably, we get quite a few requests for a product roadmap containing release notes and feature updates. We've had a chat about this internally and thought that it would be nice to have a permanent post on the blog that we change on the fly as and when customer requirements change.

By default, the load balancer uses a TCP connect to the port defined in the Virtual Service to verify the health of each real (backend) server. For IIS, this would typically be port 80.

WNLB causes switch flooding and does not support multiple scheduling algorithms for distributing client load.

By default, the source IP address of the packet reaching the web servers is the IP address of the load balancer and not the IP address of the client.

Whilst the Heartbleed bug was relatively easy to exploit, the latest batch of bugs are not.

To ensure complete protection all SSL certificates that have been used with a vulnerable version of OpenSSL should be regenerated using a new private key.

Exchange 2013 is Microsoft's latest enterprise level messaging and collaboration server. It has been designed for simplicity of scale, hardware utilization, and failure isolation.

In Exchange 2010, system functionality is split into five server roles (Mailbox, Client Access (CAS), Unified Messaging, Hub Transport (HT) and Edge Transport).  Mandatory roles are Mailbox, Client Access and Hub Transport.

Let me first say that I'm not really a fan of PCI scanners. It's not so much that I'm anti security scanners but rather that scanning for vulnerabilities based on only the version number a package returns seems rather simplistic to me.

There are a lot of SSL offload throughput statistics available for appliances across the internet but rarely do they detail the way they were tested.

The ideal way to monitor the health of the real servers is to to have a dedicated monitoring system in place such as Nagios. However this isn’t always an option, so for some they require the loadbalancer to send an alert.

In general when you are load balancing a cluster you can evenly spread the connections through the cluster. However, with some applications, you might get very high load from just a few users doing heavy work, which can compromise performance.

Some of the most common questions we get at Loadbalancer.org are performance related. It is quite difficult to give a straight answer to these questions as the real answer is often slightly unsatisfactory.

I must confess, at certain times it has looked like open warfare would break out between the support team and development team at Loadbalancer.org over the last few months.

We are pretty sure Microsoft have quietly fixed this bug and not told anyone... But the story is quite fun so lets leave it here for a lesson in corporate stupidity

In Exchange Server 2013, there are two basic building blocks – the Client Access Array and the Database Availability Group (DAG).

As of haproxy-1.6-dev1 it is now possible to send email alerts directly from HAProxy thanks to the excellent work done for us by Simon Horman.