Load-Balancer Ports and Protocols
To load balance traffic between PrivX instances in an HA configuration correctly, the load-balancing method must be chosen per port, because the ports carry different kinds of traffic.
If no PrivX components (Extender, Carrier, Web-Proxy) are used, every port can be served by a plain TCP/TLS load balancer, for example an AWS Network Load Balancer with TCP/TLS support.
If PrivX-component support is required (an Extender for routing traffic to different VPNs, or PrivX web connections), then traffic to PrivX port 443 must be load balanced at the HTTPS level with affinity-cookie support and a round-robin routing algorithm. This is required for PrivX components to discover PrivX Servers through the load balancer and to maintain secure connections to the PrivX Servers they need. As an example in AWS, you could satisfy this by creating a DNS name and an Application Load Balancer for ports 80 and 443, while using a Network Load Balancer for the other ports. Native clients would then use the Network Load Balancer address.
For on-premises load balancers, see the following examples:
Example Nginx Load-Balancer Configuration
Example haproxy configuration
Recommended load-balancing protocols for HA deployments:
| Port | Protocol | Usage |
|---|---|---|
| 80 | HTTP or TCP | Redirecting traffic to the HTTPS port, and Windows CRL requests. |
| 443 | HTTPS with affinity cookies, or TLS | HTTPS with affinity cookies is required for PrivX components. If PrivX components are not required, TLS can be used instead. |
| 1080 | TCP | SSH native-client proxy address when using ProxyCommand. |
| 2222 | TCP | SSH native clients require a TCP connection. |
| 3389 | TCP | RDP native clients require a TCP connection. |
| 8443 | TCP | Client-certificate authentication requires TCP so that clients get direct access to the PrivX instances. |
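The following haproxy configuration is an added illustration of the table above; it is not the PrivX documentation's own example configuration. It terminates TLS only on port 443, where the affinity cookie has to be inserted, and passes every other port through as plain TCP so that client-certificate authentication on 8443 reaches the PrivX instances unmodified. The server addresses (10.0.1.11, 10.0.1.12), certificate paths, and the cookie name PRIVXSERVERID are assumptions; adapt them to your deployment.

```haproxy
# Added example, not PrivX's own configuration. Two-node PrivX HA deployment;
# IP addresses, certificate paths and the cookie name are assumptions.
global
    log stdout format raw local0

defaults
    log global
    option dontlognull
    timeout connect 5s
    # Long-lived sessions (SSH, RDP, web connections) must not be cut by idle timeouts.
    timeout client  1h
    timeout server  1h

# Port 443: HTTPS load balancing with affinity cookies and round-robin.
# TLS is terminated here so haproxy can insert the cookie that PrivX
# components rely on to stay pinned to one PrivX Server.
frontend privx_https
    bind *:443 ssl crt /etc/haproxy/certs/privx-lb.pem
    mode http
    default_backend privx_web

backend privx_web
    mode http
    balance roundrobin
    # Insert an affinity cookie on the first response; subsequent requests
    # carrying it are routed to the same server. The cookie is never sent
    # to the backend (indirect), is not cached, and is HttpOnly + Secure.
    cookie PRIVXSERVERID insert indirect nocache httponly secure
    # Re-encrypt to the PrivX instances and verify their certificates
    # against the internal CA, so the LB-to-PrivX hop is not blind TLS.
    server privx1 10.0.1.11:443 ssl verify required ca-file /etc/haproxy/certs/privx-ca.pem cookie privx1 check
    server privx2 10.0.1.12:443 ssl verify required ca-file /etc/haproxy/certs/privx-ca.pem cookie privx2 check

# Ports 80, 1080, 2222, 3389, 8443: plain TCP passthrough, round-robin.
# No TLS termination here, so on 8443 the client certificate is presented
# directly to PrivX, and the native SSH/RDP clients get a raw TCP stream.
listen privx_tcp
    bind *:80
    bind *:1080
    bind *:2222
    bind *:3389
    bind *:8443
    mode tcp
    balance roundrobin
    # Server lines without a port forward to the same port the client
    # connected to. Health checks need an explicit port, so probe 443.
    server privx1 10.0.1.11 check port 443
    server privx2 10.0.1.12 check port 443
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. If PrivX components are not in use, the port-443 frontend and backend can be replaced by a fifth `bind *:443` line in the TCP section, which matches the "TLS" option in the table and keeps end-to-end TLS between the client and the PrivX instance.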