CCIE-Journals
From Student to Engineer, a journey of discovery.

Resolving HTTPS Connection Delays in Network Zones

In our continuous effort to enhance network performance, a recent investigation into significant delays in HTTPS connections within certain network zones has shed light on the underlying causes and possible solutions. This blog post offers an in-depth analysis of the issue, our findings, and actionable recommendations.

Problem Statement: Understanding the Delay

Users in specific network zones, referred to here as Production zones, reported noticeable delays of around five seconds when initiating HTTPS connections to external IPs that had not been accessed recently. This delay not only impacts user productivity but also the effectiveness of time-sensitive applications.


Investigative Approach: Tracing the Network Path

The investigation involved tracing the network path for a sample HTTPS request originating from an internal source IP to an external destination IP. The path traversed several key network components, including:


Source Tool
Internal Firewall
Transit Zones
Internet Firewall
Intrusion Prevention System
Edge Router
Internet


Key Findings: Identifying the Bottleneck

Our analysis pinpointed the primary bottleneck at the internal firewall, which was configured for full SSL inspection. The inspection process at this point was identified as the root cause of the delay. Here is how full SSL inspection affects the network flow:

Full SSL Inspection: This method interrupts the SSL/TLS handshake, terminating the client's session at the firewall, decrypting and inspecting the content, and re-encrypting it on a second session towards the server; the client sees a certificate re-signed by the firewall's own CA rather than the server's original one. Although it provides a higher level of security, it is considerably slower, and it was the main contributor to the observed delays.
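To show where the five seconds go, here is an added diagnostic (not part of the original post) that times the TCP connect and the TLS handshake separately and records who issued the certificate the client received: a fast TCP connect followed by a multi-second TLS handshake points at an inspecting device rather than the path, and an issuer matching the firewall's re-signing CA confirms interception. The CA name "Internal Firewall SSL CA" and the thresholds are assumptions for illustration.

```python
"""Split an HTTPS connection into TCP connect time and TLS handshake time,
and note who issued the leaf certificate the client was handed."""
import socket
import ssl
import time
from dataclasses import dataclass


@dataclass
class HandshakeTiming:
    host: str
    tcp_ms: float    # TCP three-way handshake
    tls_ms: float    # TLS handshake, measured after TCP completed
    issuer_cn: str   # commonName of the leaf certificate's issuer


def measure(host: str, port: int = 443, timeout: float = 10.0) -> HandshakeTiming:
    """Connect, then wrap in TLS, timing each phase separately (live network call).
    If the firewall's inspection CA is not trusted by this host, wrap_socket
    raises SSLCertVerificationError instead of returning a timing."""
    ctx = ssl.create_default_context()
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    with ctx.wrap_socket(raw, server_hostname=host) as tls:  # handshake happens here
        t2 = time.perf_counter()
        cert = tls.getpeercert()
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return HandshakeTiming(host, (t1 - t0) * 1000, (t2 - t1) * 1000,
                           issuer.get("commonName", "?"))


def diagnose(t: HandshakeTiming, slow_ms: float = 1000.0) -> str:
    """Pure classification of one measurement; thresholds are assumed values."""
    if t.tcp_ms >= slow_ms:
        return "tcp-connect-slow"        # path or routing problem, not inspection
    if t.tls_ms >= slow_ms and t.tls_ms > 10 * t.tcp_ms:
        return "tls-handshake-dominant"  # consistent with a full-inspection middlebox
    return "ok"


def is_intercepted(t: HandshakeTiming, inspection_cas: tuple) -> bool:
    """True when the leaf was issued by one of the firewall's re-signing CAs."""
    return t.issuer_cn in inspection_cas


if __name__ == "__main__":
    # Live run; the CA name below is a constructed placeholder, not a real issuer.
    m = measure("example.com")
    print(m, diagnose(m), is_intercepted(m, ("Internal Firewall SSL CA",)))
```

Run it from a Production-zone host and from an unaffected zone and compare the two lines: the zone behind full inspection should show the TLS phase dominating.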


Proposed Solutions: Enhancing Network Efficiency

To address these delays, we propose two potential solutions:

Option 1: Modifying SSL Inspection Settings

Procedure:

Clone and Edit Profile: Create a duplicate of the existing "no-inspection" profile and disable SSL inspection for HTTPS.
Protocol Port Mapping: Assign an unused port for HTTPS to bypass deep inspection on the standard port 443.
Apply Custom Profile: Implement the new profile where deep inspection is deemed non-critical.
Option 2: Standardizing SSL Certificate Inspection

Align Inspection Type: Adjust the internal firewall to perform only SSL Certificate Inspection, mirroring the settings of the external and other location firewalls. Certificate inspection validates the server certificate and SNI without decrypting the session, so it avoids the handshake termination that causes the delay, at the cost of payload visibility. This approach standardizes the inspection process across the board, minimizing delays while maintaining essential security checks.

Conclusion: Towards a More Efficient Network

By reconfiguring the SSL inspection processes at our internal firewalls, we can significantly diminish network latency and enhance the reliability of HTTPS connections across the organization. These changes aim to strike a balance between maintaining strong security measures and ensuring high network performance.