| 1. | What sticky configuration should you perform in an SSL termination environment? |
| Answer: | If you have multiple SSL offloading modules, you must configure SSL sticky to ensure that the content switch chooses the same SSL module for each connection of a session. If you also want your client to stick to the same back-end real server and you don't have back-end SSL configured, you must also configure a cleartext sticky method, such as HTTP cookie or source IP address sticky. Otherwise, you should consider configuring back-end SSL. |
| 2. | What is the purpose of HTTP header insertion and URL rewriting? |
| Answer: | You can use HTTP header insertion to inform real servers that the client requested an SSL page, in order for your real server to make sure that all embedded URLs include "https://" links. URL rewriting automatically rewrites the "Location:" header in HTTP redirects from your real servers with "https://" URLs. |
| 3. | What is the purpose of IP reverse-sticky? |
| Answer: | If you have applications that originate connections in both directions (that is, from client-to-server and server-to-client, such as FTP), you should use IP reverse-sticky to ensure that connections originating from a real server traverse the same firewall as the clientoriginated connections. |
| 4. | Why should you "sandwich" your firewalls with content switches when performing FWLB? |
| Answer: | You should sandwich your firewalls to ensure that return traffic and connections that originate from real servers flow through the same firewall as incoming traffic. Return traffic of existing connections is forwarded to the same firewall using the inside content switch's connection table. Additionally, you can configure reverse-sticky to ensure that outgoing buddy connections originating from the real servers are forwarded to the same firewall as incoming connections. |
| 5. | In Example 11-12, why should you configure source IP address hashing on incoming requests and destination hashing on requests initiated by the web servers? |
| Answer: | You should hash on the source IP address for incoming connections because the client IP address space on the Internet introduces more variability to the hash function than the IP address space of your origin servers, decreasing the chances of one firewall receiving more connections than the other. The same concept pertains to connections initiated from your origin servers. |
| 6. | How would you apply reverse-sticky in the single-CSM example in Example 11-14? |
| Answer: | You can apply the command reverse-sticky 77 to the virtual server called "web-vip" and the sticky 100 group 77 command to the virtual server called "out-conns-40" to enable reverse-sticky in to Example 11-14. |
