Load-Balancer Ports and Protocols

To properly load balance traffic between PrivX instances in an HA configuration, the load balancer must use the appropriate protocol and routing algorithm for each port.

Generally, if no PrivX components (Extender, Carrier, Web-Proxy) are used, all ports can be served by a plain TCP/TLS load balancer, for example an AWS Network Load Balancer.

If PrivX-component support is required (Extender for routing traffic to different VPNs, or PrivX web connections), traffic to PrivX port 443 must be load balanced as HTTPS with affinity-cookie support and a round-robin routing algorithm. This is required for PrivX components to discover PrivX Servers through the load balancer and to maintain secure connections to the PrivX Servers they need. In AWS, for example, you could satisfy this by creating a DNS name and an Application Load Balancer for ports 80 and 443, and a Network Load Balancer for the other ports. Native clients would then use the Network Load Balancer address.

For on-premises load balancers, see examples:
Example Nginx Load-Balancer Configuration
Example haproxy configuration

Recommended load-balancing protocols for HA deployments:

| Port | Protocol | Usage |
|------|----------|-------|
| 80 | HTTP or TCP | Redirecting traffic to the HTTPS port, and Windows CRL requests. |
| 443 | HTTPS with affinity cookies, or TLS | HTTPS with affinity cookies is required for PrivX components. If PrivX components are not required, TLS can be used instead. |
| 1080 | TCP | SSH native-client proxy address when using ProxyCommand. |
| 2222 | TCP | SSH native clients require a TCP connection. |
| 3389 | TCP | RDP native clients require a TCP connection. |
| 8443 | TCP | Client-certificate authentication requires TCP so that clients get direct access to PrivX instances. |
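The table above expressed as an HAProxy layout, added here as an illustration and not PrivX's own configuration: port 443 is terminated at the load balancer so an affinity cookie can be inserted with round-robin selection, while the native-client ports and the client-certificate port 8443 are passed through as raw TCP. The node addresses 10.0.0.11/10.0.0.12, the certificate and CA file paths, and the cookie name PRIVXLB are assumptions.

```haproxy
# Added example, not PrivX's own configuration. Assumed values: PrivX nodes
# 10.0.0.11 and 10.0.0.12, LB certificate /etc/haproxy/certs/lb.pem,
# CA bundle /etc/haproxy/certs/ca.pem, affinity cookie name PRIVXLB.
global
    log stdout format raw local0

defaults
    log global
    timeout connect 5s
    timeout client  1h
    timeout server  1h

# 80: forwarded unchanged so the redirect to HTTPS and Windows CRL requests reach PrivX.
listen privx_http
    mode http
    bind :80
    balance roundrobin
    server privx1 10.0.0.11:80 check
    server privx2 10.0.0.12:80 check

# 443: HTTPS terminated here so an affinity cookie can pin each PrivX component
# and browser session to one node; round-robin picks the node on first contact.
# Traffic is re-encrypted to the nodes and their certificates verified against the CA.
listen privx_https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/lb.pem
    balance roundrobin
    cookie PRIVXLB insert indirect nocache httponly secure
    server privx1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/ca.pem check cookie privx1
    server privx2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/ca.pem check cookie privx2

# 1080/2222/3389: plain TCP for native SSH and RDP clients. A server line without
# a port connects to the same port the client used, so one block covers all three
# (health checks need an explicit port, so they are omitted here).
listen privx_tcp
    mode tcp
    bind :1080,:2222,:3389
    balance roundrobin
    server privx1 10.0.0.11
    server privx2 10.0.0.12

# 8443: TCP passthrough only. TLS must not be terminated here, otherwise the
# client certificate never reaches PrivX and certificate authentication fails.
listen privx_clientcert
    mode tcp
    bind :8443
    balance roundrobin
    server privx1 10.0.0.11:8443 check
    server privx2 10.0.0.12:8443 check
```

Validate with `haproxy -c -f haproxy.cfg` before reloading; the 443 block is the only one that terminates TLS, which is exactly what the affinity-cookie requirement forces.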
