[Contents] [Index]

About This Document >>     Installing SSH Tectia Server (M) >>     Using SSH Tectia Server (M) >>         Configuration Files>>             Recommended Algorithms for Mainframe Environment             Crypto Hardware Support             Configuration Options in Load-Balanced Environments             Running SSH Tectia and OpenSSH in a z/OS Environment         Running the Server >>         Setting Up a Shell User>>         Running Client Programs>>         Handling MVS Datasets>>         File Transfer Examples>>     Troubleshooting SSH Tectia Server (M) >>     Configuration >>     Authentication >>     Application Tunneling >>     Sample Files >>     Man Pages     Log Messages >>

Configuration Options in Load-Balanced Environments

To tunnel traffic between clients and balanced hosts, the SSH traffic needs to be balanced on the load balancer instead of the port traffic.

Example scenario:

Client machine 1.1.1.1 needs to reach 2.2.2.2:80 which is load-balanced by three machines (3.3.3.3:8080, 4.4.4.4:8000, and 5.5.5.5:9000). The load balancer may forward the client's request to either machine on the port the daemon is listening on. The first request may go to 3.3.3.3:8080 and the second request may go to 4.4.4.4:8000. If the client's request goes to 127.0.0.0:80 and is forwarded to 2.2.2.2:22, the SSH tunnel will terminate on the load balancer.

Requirements:

• Client has SSH Tectia Client (or Connector) installed.
• Balanced hosts have SSH Tectia Servers installed.
• The load balancer forwards the clients' port 22 requests to balanced hosts.
• In order for tunneling to work, all the balanced hosts must use the same port, for example 8080 (now 8080, 8000 and 9000).
• The clients create connections to 2.2.2.2:22 with local tunnels 80:127.0.0.1:8080.
• The load balancer forwards the traffic to one of the balanced hosts and a local listener is created on Windows.
• Now, when the SSH connection is created between the client and the balanced host, the client uses its application and connects to localhost:80. Traffic is forwarded to the SSH connection and to the balanced host.

If this is not possible, there are two choices:

1. You can end the tunnel at the load balancer. In this case, the traffic between the client (1.1.1.1) and the load balancer (2.2.2.2) is encrypted and the traffic between the balancer and the balanced hosts is not encrypted. Therefore you should create an SSH connection from the client to the balancer with a local tunnel 80:127.0.0.1:80.
2. Another possibility is to install SSH Tectia Servers to balanced hosts and create the direct tunnels between the client and the balanced hosts. In this case, a load balancer cannot be used, but the balancing needs to be done in a different way, for example by using a round-robin DNS.