Tunnel iscsi through https
2013-06-09, 10:15
Post: #1
Tunnel iscsi through https
Hi, is it possible to tunnel iSCSI through HTTPS or other protocols?

I would like to provide a web-based VDI client service to my customers.
As internet bandwidth increases every year, a 100/200 Mbit line is no utopia anymore.

I know that iSCSI doesn't work very well over WAN, so tunneling it would be a good idea, I guess.

Any thoughts?
2013-06-09, 15:09
Post: #2
RE: Tunnel iscsi through https
(2013-06-09 10:15)jrsmile Wrote:  Hi, is it possible to tunnel iSCSI through HTTPS or other protocols?

I would like to provide a web-based VDI client service to my customers.
As internet bandwidth increases every year, a 100/200 Mbit line is no utopia anymore.

I know that iSCSI doesn't work very well over WAN, so tunneling it would be a good idea, I guess.

iSCSI is a TCP protocol; unless you have firewalls blocking it then you should use raw iSCSI rather than trying to tunnel it.

If firewalls are a problem then you could try running your iSCSI target on port 80 or port 443. If you need to get out through a web proxy then this will require support for HTTP proxy CONNECT in iPXE; contact vendor-support@ipxe.org if you want to fund this development.

Michael
2013-06-09, 18:46
Post: #3
RE: Tunnel iscsi through https
Wouldn't it be easier to set up a VPN between you and your client's location, and just use iSCSI without tunnelling, or is that too much of an overhead in terms of administration?
2013-06-11, 15:25
Post: #4
RE: Tunnel iscsi through https
(2013-06-09 10:15)jrsmile Wrote:  I know that iSCSI doesn't work very well over WAN, so tunneling it would be a good idea, I guess.

The performance issue of a "WAN" is latency, not bandwidth; encapsulating iSCSI in HTTPS or IPsec will improve security, but not improve latency. Even if you use SSD/Flash disks to remove IO latency and you have gigabit links, unless you have guaranteed single-digit ms latency between the "SAN" and the "clients" you will have issues.

You will probably also see an impact from the reduction in MTU with encapsulation.

Doing an iPXE boot across the Internet over HTTP(S) is one thing, running iSCSI over an ISP connection is another...
2013-06-15, 11:59 (This post was last modified: 2013-06-15 12:05 by jrsmile.)
Post: #5
RE: Tunnel iscsi through https
I send a mail to vendor-support to discuss the project.
(2013-06-09 18:46)robinsmidsrod Wrote:  Wouldn't it be easier to set up a VPN between you and your client's location, and just use iSCSI without tunnelling, or is that too much of an overhead in terms of administration?

My solution is for end users; they should just install a pre-burned NIC and have a data plan registered to them where they can back up their whole machine encrypted in the cloud. In case of a breakdown iPXE will provide their backup via HTTPS, select their image and download it from the net and reinstall it to their hard drive.
2013-06-15, 21:11
Post: #6
RE: Tunnel iscsi through https
It is doable on paper, but most VPNs are fairly "lossy". VPN is very concerned about timestamps on packets, and most will retransmit or request a retransmit from the host/client. But TCP is a "best effort" protocol, and VPN servers/clients are written with WANs in mind. Thus, VPNs add latency, and will tolerate a fair number of dropped packets. But iSCSI inside of a VPN tunnel doesn't know it's in a tunnel; it can handle latency to a degree, but packet loss can cause major problems very quickly.

I don't know a single network engineer who will support even the idea of iSCSI in a VPN Tunnel.

(2013-06-15 11:59)jrsmile Wrote:  I send a mail to vendor-support to discuss the project.
(2013-06-09 18:46)robinsmidsrod Wrote:  Wouldn't it be easier to set up a VPN between you and your client's location, and just use iSCSI without tunnelling, or is that too much of an overhead in terms of administration?

My solution is for end users; they should just install a pre-burned NIC and have a data plan registered to them where they can back up their whole machine encrypted in the cloud. In case of a breakdown iPXE will provide their backup via HTTPS, select their image and download it from the net and reinstall it to their hard drive.

"Thus far, you have been adrift within the sheltered harbor of my patience..."
2013-06-16, 15:51 (This post was last modified: 2013-06-16 16:01 by jrsmile.)
Post: #7
RE: Tunnel iscsi through https
Hmm, a lot of good ideas for now.
Maybe switching from iSCSI to sshfs would be a good idea?
Could an sshfs filesystem driver work in iPXE?
Of course the sshfs should be tunneled via HTTPS as well.
2013-06-17, 08:24 (This post was last modified: 2013-06-17 08:26 by robinsmidsrod.)
Post: #8
RE: Tunnel iscsi through https
jrsmile: From what I understand, you're not actually planning on _running_ the OS over the WAN link, it's just backup/restore to local disk? If that's the case, I'd go with a customized CloneZilla or Macrium Reflect setup. Their recovery software can both be booted directly using iPXE, and at least Macrium Reflect can image the drive from within Windows. You can also have the backup option somewhere in your boot menu if you so prefer. In that case you can probably solve everything by just using HTTPS support and imgtrust.

I feel I should make you aware that Citrix has their XenDesktop/XenClient system that is designed for more robust enterprise usage, which is basically VMs on the go on laptops in semi-connected modes.
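
The HTTPS plus imgtrust approach suggested in post #8, written as an iPXE script. This is an added example, not code from any poster in the thread or from the iPXE project; the host restore.example.com, the file names and the .sig paths are hypothetical, and it assumes an iPXE binary built with HTTPS download support and the image trust commands, with the operator's CA and code-signing certificate embedded at build time.

```ipxe
#!ipxe
# Added example. Hypothetical values: restore.example.com, file names, .sig paths.
# Assumes DOWNLOAD_PROTO_HTTPS and IMAGE_TRUST_CMD are enabled in the iPXE build,
# and that the build embeds the operator's trusted root (TRUST=) and
# code-signing certificate (CERT=).

# From here on, refuse to execute any image that has not passed imgverify.
# --permanent stops a later script from switching the requirement off again.
imgtrust --permanent

# Bring up the network; bail out to the failure handler on any error.
dhcp || goto fail

# TLS authenticates the server and protects the transfer in transit.
set base https://restore.example.com/recovery

# Download the recovery kernel, then check its detached signature.
kernel ${base}/vmlinuz || goto fail
imgverify vmlinuz ${base}/vmlinuz.sig || goto fail

# Same for the initrd: an unsigned or modified initrd must not boot.
initrd ${base}/initrd.img || goto fail
imgverify initrd.img ${base}/initrd.img.sig || goto fail

# Both images are now marked trusted, so boot is permitted.
boot || goto fail

:fail
echo Recovery image download or signature check failed
sleep 10
reboot
```

HTTPS alone only proves which server the image came from; the imgverify step additionally ties each image to the operator's signing key, so a compromised or misconfigured web server cannot hand customers a modified recovery image.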