Effortlessly Configure SSL Offload in ILINX for Processing & Security Gains

Recently, I had the opportunity to configure a system in a network load-balanced configuration for ILINX Content Store and ILINX Capture systems. There was a separate virtual IP address (VIP) for each service (ILINX Content Store and ILINX Capture) and two servers assigned to each VIP. Additional modules, ILINX Capture Format Converter and ILINX Release, resided on the capture servers.

The exact nature of the configuration is not critical for this discussion. What we want to focus on is how easy it is to configure SSL offload in this sort of scenario. SSL offload is a configuration—typically involving a load balancer—where HTTPS (SSL/TLS) communication is terminated at the network device and the network device forwards the communication as HTTP. There are both performance and security benefits for this configuration.

So how do ILINX Content Store, ILINX Capture and associated modules handle this? We will focus on ILINX Content Store first, where there are two main components to the application: the server-side component in the WCF folder and the client-side component in the WebClient folder. The configuration is easy; leave the server-side components in regular HTTP mode and configure the client-side as HTTPS—that’s it. For normal HTTPS (SSL/TLS) configuration, you would follow the instructions for both server and client to communicate in HTTPS. For SSL offload, configure just the client for HTTPS.

ILINX Capture is configured exactly the same as its counterpart. There is one caveat though: there are client bindings in the server-side WCF/web.config for additional modules (ConvertBatchBinding, ReleaseBatchBinding and RecognitionBinding). If the IXMs that use those services are in play, each of those bindings needs the <security mode="Transport" /> tag added so that the workflow engine knows to communicate in HTTPS from those IXMs.
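One way to confirm that the three client bindings named above carry Transport security after WCF/web.config has been edited, as an added example (not ILINX or vendor code). The function name audit_bindings and the sample config are constructed for illustration, and basicHttpBinding in the sample is an assumption, since the binding type is not stated here.

```python
import xml.etree.ElementTree as ET

# Binding names taken from the article; everything else here is constructed.
REQUIRED = ("ConvertBatchBinding", "ReleaseBatchBinding", "RecognitionBinding")

# Constructed sample of a WCF/web.config fragment. basicHttpBinding is an
# assumption; the article does not say which binding type ILINX uses.
SAMPLE = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="ConvertBatchBinding">
          <security mode="Transport" />
        </binding>
        <binding name="ReleaseBatchBinding" />
        <binding name="RecognitionBinding">
          <security mode="None" />
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""


def audit_bindings(config_xml, required=REQUIRED):
    """Map each required binding name to 'ok', 'missing', 'unset' or its mode."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # Typographic quotes pasted from a web page make the file invalid XML.
        raise ValueError(f"web.config is not well-formed XML: {exc}") from exc
    result = {name: "missing" for name in required}
    # Look under every binding type so the check does not depend on the assumption.
    for binding in root.findall("./system.serviceModel/bindings/*/binding"):
        name = binding.get("name")
        if name not in result:
            continue
        security = binding.find("security")
        mode = security.get("mode") if security is not None else None
        if mode is None:
            result[name] = "unset"  # no <security> element or no mode attribute
        else:
            result[name] = "ok" if mode == "Transport" else mode
    return result


if __name__ == "__main__":
    print(audit_bindings(SAMPLE))
```

Any status other than ok means that binding would still call its service over plain HTTP settings; a ValueError usually points to curly quotes or another paste error in the file.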

The additional modules—ILINX Format Converter and ILINX Release—do not need to be modified in any way. They do not include client components and remain in the out-of-the-box (OOB) HTTP configuration.

As always, if you have questions, get a hold of our support team and they can point you in the right direction.

Mike Peterson
Systems Engineer