Ureader.com  
Microsoft software help and Community
date: Mon, 5 May 2008 13:00:56 -0700 (PDT),    group: microsoft.public.platformsdk.security


schannel app   
All:

I work for an application-service provider.. sort of... anyway.  One
of our many applications is actually a TN3270/telnet application which
has hooks into a Microsoft DLL to tunnel/encrypt the user traffic over
SSL.  So on the network, we see encrypted packets destined to/from
port 443.

This traffic hits a load-balancer that offloads the SSL encrypt/
decrypt process.

We are having an issue where, it seems, everything a single user does
(like just login, or pull up a VT100 screen) ends up launching 8-12
TCP connections.  Over the course of a day 160 users launched upwards
of 90000 TCP sessions.

We have many thousands of users that use this application.  Needless
to say, this is starting to cripple our load balancer.

It's my belief.. as an ex-programmer from a decade+ ago, that for the
duration a user is logged into this app there should be a single TCP
session.

Does anyone know why this might be occurring or if there is some way of
fixing this?  I am speaking in the broadest possible terms here
because I am a network engineer, not a programmer.

Thanks for your help.

Derick
CCIE 15672
date: Mon, 5 May 2008 13:00:56 -0700 (PDT)   author:   unknown

Re: schannel app   
As far as I can tell from your description, whether the application opens 
one TCP connection or multiple ones is totally dependent on how the 
application was designed, implemented, and configured.

You should be able to configure your load balancer such that each SSL 
connection from a given client is offloaded to the same machine, so that SSL 
reconnect connections can be made most of the time, rather than performing a 
full SSL handshake each and every time. This will probably improve the 
performance of your system quite a bit, if you're not doing this already.

Regards,
John

 wrote in message 
news:bce1fdaa-83fa-48a0-ae73-6747de1f7b74@f36g2000hsa.googlegroups.com...
> All:
>
> I work for an application-service provider.. sort of... anyway.  One
> of our many applications is actually a TN3270/telnet application which
> has hooks into a Microsoft DLL to tunnel/encrypt the user traffic over
> SSL.  So on the network, we see encrypted packets destined to/from
> port 443.
>
> This traffic hits a load-balancer that offloads the SSL encrypt/
> decrypt process.
>
> We are having an issue where, it seems, everything a single user does
> (like just login, or pull up a VT100 screen) ends up launching 8-12
> TCP connections.  Over the course of a day 160 users launched upwards
> of 90000 TCP sessions.
>
> We have many thousands of users that use this application.  Needless
> to say, this is starting to cripple our load balancer.
>
> It's my belief.. as an ex-programmer from a decade+ ago, that for the
> duration a user is logged into this app there should be a single TCP
> session.
>
> Does anyone know why this might be occurring or if there is some way of
> fixing this?  I am speaking in the broadest possible terms here
> because I am a network engineer, not a programmer.
>
> Thanks for your help.
>
> Derick
> CCIE 15672
>
>
date: Sat, 10 May 2008 22:33:48 -0700   author:   John Banes
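
The effect of client affinity on SSL session reuse, as described in the reply above, shown as an added example that is not part of the original thread. It is a simplified model: the client addresses, the count of four offload nodes, the per-node session caches that never expire, and all function names are assumptions; the 160 clients and roughly 90000 connections are taken from the question.

```python
import random
import zlib

def replay(clients, conns_per_client, nodes, pick_node):
    """Replay a constructed connection stream; return (full_handshakes, resumed)."""
    node_cache = [set() for _ in range(nodes)]  # session IDs each node can resume
    client_session = {}                         # the one session ID each client holds
    next_id = 0
    full = resumed = 0
    for _ in range(conns_per_client):
        for client in clients:
            node = pick_node(client)
            sid = client_session.get(client)
            if sid is not None and sid in node_cache[node]:
                resumed += 1                    # node knows the session: abbreviated handshake
            else:
                next_id += 1                    # unknown session: full handshake, new ID issued
                node_cache[node].add(next_id)
                client_session[client] = next_id
                full += 1
    return full, resumed

def no_affinity(nodes, seed=0):
    """Each connection lands on an arbitrary node (seeded so the run is repeatable)."""
    rng = random.Random(seed)
    return lambda client: rng.randrange(nodes)

def source_affinity(nodes):
    """Every connection from one client address lands on the same node."""
    return lambda client: zlib.crc32(client.encode()) % nodes

# Constructed input: 160 client addresses, about 90000 / 160 connections each.
CLIENTS = [f"10.0.{i // 250}.{i % 250 + 1}" for i in range(160)]
CONNS_PER_CLIENT = 562
NODES = 4  # assumed number of SSL offload nodes

def compare():
    return {
        "no_affinity": replay(CLIENTS, CONNS_PER_CLIENT, NODES, no_affinity(NODES)),
        "source_affinity": replay(CLIENTS, CONNS_PER_CLIENT, NODES, source_affinity(NODES)),
    }

if __name__ == "__main__":
    for policy, (full, resumed) in compare().items():
        print(f"{policy:16} full={full:6} resumed={resumed:6}")
```

With affinity, only the first connection from each client pays for a full handshake; without it, a reconnect resumes only when it happens to reach the node that issued the client's current session.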
