CSS Back-end SSL/SSL Initiation

Unanswered Question
Jun 6th, 2007


I apologise if this question is too silly but I am a novice to CSSes...

I need to configure a CSS to initiate SSL sessions to servers. Basically, I have a client that will need to initiate clear text sessions to various servers, and the CSS in between the client and the server needs to initiate an SSL session to the server on behalf of the client, and then tunnel clear text traffic from the client within the SSL session to the server. I DON'T want to provide the list of all the 400+ servers that this client needs to access - so I just want traffic on a specific port, regardless of the destination server IP address, to be encapsulated within SSL.

Looking at the CSS documents, this seems to be called Back-end SSL, although all the configuration examples also show SSL termination as well. Also, in all the configuration examples the IP addresses of the SSL servers need to be predefined, which is what I am trying to avoid.

I have done such transparent SSL from a client to a server with SSL Modules in 6500s, and I also know it's possible to do the same on an ACE. Does the CSS support such scenarios? If so, what is the reference for this?




skumar1969 Thu, 06/07/2007 - 22:47

If I get you correctly, you are after SSL initiation: clear-http traffic from the browser PC to the CSS, and then ssl-http from the CSS to the servers. The question is why would you want to secure the backend traffic. If you try to conceal the 400+ servers, that is not the correct reason to go for SSL at the backend. When you use clear text everywhere your 400+ servers are actually concealed and no browser PC would ever see who they are talking to, because from their perspective it is the CSS acting on behalf of those 400+ servers.

Feel free to give more details. We can help you better.


dobri Fri, 06/08/2007 - 01:34

Thanks for the reply. You've generally got the idea right but I am not trying to conceal the servers. Plus, this is not an HTTP/HTTPS scenario but this is not so important here.

Basically, the idea is the following:


The reason why I want to tunnel client to server traffic within SSL is because the network between the CSS and the 400+ SSL servers is not trusted. I think you may turn the picture the other way around and say that I have one server and 400+ clients, and I want the server to initiate the connection to the clients.

I DO NOT want to statically define all the 400+ clients - can the CSS just pick up the destination IP address from the client session to the server, and use that as its SSL session destination? SSLMs, ACEs and many other devices can do that.

I am still unsure whether this would be Back-end SSL or Initiation.

Does that make more sense?



Gilles Dufour Fri, 06/08/2007 - 04:50

The CSS does not support this kind of setup.

You have to pre-define the list of destinations.

What you're talking about is actually SSL initiation, because the traffic comes in as clear text and gets out as SSL.

With Backend-SSL, traffic comes in as SSL and leaves as SSL.


dobri Fri, 06/08/2007 - 06:53
Thanks for the reply. Can you please also elaborate on the following:

* Can I have more than 256 destinations on the CSS?

* What's the actual configuration on the CSS that I will need for this for 400+ destinations: 400 services, 400 proxy lists and 400 content rules? Or can this be optimized?

