1. Security Guide
  2. Load Balancers

Load Balancers

Siebel Servers are dynamically load balanced using native Siebel load balancing. In addition, third-party HTTP load balancers supporting jsession-based load balancing can be applied in front of the Siebel reverse proxy Web server to balance Web server load. Using HTTP load balancing distributes incoming network traffic over several servers.

A third-party load balancer typically can provide additional security features, such as limiting TCP port exposure to a single port for multiple Siebel Servers. Single-port exposure allows you to consolidate network access for better port monitoring and security. It also provides simplified firewall configuration. You have to configure only one virtual port.

Additional security features provided by most third-party load balancers include:

  • Denial of service (DoS) attack prevention. In a DoS attack, a third-party HTTP load balancer helps handle the TCP connections. Incoming attacks can be caught at the load balancer before they reach the Siebel Server. A third-party HTTP load balancer typically has a built-in mechanism to stop DoS attacks at the point of entry.

  • Virtual Internet Protocol (VIP) addressing. A third-party HTTP load balancer uses VIP addressing. Unlike an IP address, a VIP address is not associated with a specific device in a network, so VIP addressing helps prevent hackers from accessing Siebel Servers directly. Web servers in the demilitarized zone communicate with the VIP only.

  • TCP handshake protection. The TCP handshake is replayed from the third-party HTTP load balancer to the Siebel Server rather than directly from the Web server in the demilitarized zone to the Siebel Server. This helps prevent attacks in which the TCP handshake is intercepted and redirected, for example, a SYN flood DoS attack.

When installing Siebel CRM, if you are using Siebel Server or third-party HTTP load balancers, then plan the use of TCP ports for firewall access:

  • If Siebel load balancing is used, then make sure the Web server can access the SCBroker port on each Siebel server.

  • If a third-party load balancer is used, then make sure the Web server can communicate with the VIP addresses and ports specified in the load balancer.

  • Load balancer JSESSIONID persistence is required for UI applications when the load balancer in front of the application interface. The same can be used for Siebel Migration Application and test automation. Load balancer persistence is not required for REST.

For information on the default port allocations used by Siebel CRM, see Default Port Allocations.