End to End SSL load balancing

I have to load balance some servers that communicate via port 443. These servers are configured with a cert and provide the cookie.

Do I need to configure a cert and key on the ACE module even though the server will provide the cert?

Could someone leave a sample config if you are already doing this kind of load balancing?

Thank You,


Syed Iftekhar Ahmed Mon, 04/06/2009 - 17:48

It depends

If you want ACE to simply load balance TCP 443 (Layer 4 traffic) then you will create rules that load balance based on Layer 3/4 (IP & port) information.

If you want ACE to make load balancing decisions based on Layer 7 headers (headers, cookies..) then you need to provide ACE with the keys & certs and "offload SSL" on ACE. This way ACE will be able to decrypt the traffic and read the headers & can utilize Layer 7 info for making intelligent decisions.

If you are offloading SSL on ACE then you have two options:

1. Offload SSL on ACE, Send cleartext traffic to backend servers and remove certs/Keys from Servers OR

2. (End2End SSL) Offload SSL on ACE, let ACE make the decision, "Encrypt the request again" and Send it to selected servers (servers are expecting encrypted traffic -- certs/keys installed on servers).

Option 1 is recommended if the main objective is to free up resources on Real Servers and simplify Certificate Management (Imagine renewing certs at only ACE vs on N servers serving the app).

Option 2 is recommended where security is the main focus and data should not be in clear text even in the inside networks.



So if the project decides to go with end to end encryption, should the ACE be the only device with the cert and cookie?

My confusion is that if the server is currently providing the cert and cookie and if I configure the ACE for end to end load balancing; I can't see the need for two devices having a cert and cookie at the same time.


Syed Iftekhar Ahmed Tue, 04/07/2009 - 09:16

With End2End SSL, Certs & Keys will be on both ACE & Servers.

End2End SSL vpn means

1. Encrypted Traffic from Client to ACE

2. Encrypted Traffic from ACE to Servers

Wherever Encrypted Traffic terminates you need to have Certs/keys.

The need is to ensure the traffic is encrypted again before it leaves ACE.
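The sample config the original poster asked for, covering "Option 2" from the first reply and the two encrypted legs described in the second: this is an added example, not configuration posted in the thread. The cert/key file names, VLAN, addresses, server names and the JSESSIONID cookie name are assumed; ACE terminates the client session with its own cert, makes the cookie-based decision, then re-encrypts toward the servers, which keep their own certs.

```text
! ---- constructed sample: names, addresses and file names are hypothetical ----
access-list ALL extended permit ip any any
parameter-map type ssl SSL_PARAMS
  cipher RSA_WITH_AES_256_CBC_SHA
  version TLS1
! Front end: ACE terminates the client's session, so it needs its own cert/key
ssl-proxy service FRONTEND_SSL
  key ace-key.pem
  cert ace-cert.pem
  ssl advanced-options SSL_PARAMS
! Back end: ACE re-encrypts toward the servers as a TLS client; no cert/key needed
! here unless the servers require client certs. Add "authgroup <name>" so that
! ACE verifies the servers' certificates instead of accepting any certificate.
ssl-proxy service BACKEND_SSL
  ssl advanced-options SSL_PARAMS
rserver host WEB1
  ip address 10.10.10.11
  inservice
rserver host WEB2
  ip address 10.10.10.12
  inservice
serverfarm host SF_WEB_SSL
  rserver WEB1 443
    inservice
  rserver WEB2 443
    inservice
! Stick on the cookie the servers already set; ACE can only read it once decrypted
sticky http-cookie JSESSIONID COOKIE_STICKY
  serverfarm SF_WEB_SSL
! Layer 7 decision, then hand the flow to BACKEND_SSL for re-encryption
policy-map type loadbalance first-match L7_POLICY
  class class-default
    sticky-serverfarm COOKIE_STICKY
    ssl-proxy client BACKEND_SSL
class-map match-all VIP_HTTPS
  2 match virtual-address 192.0.2.10 tcp eq 443
policy-map multi-match SLB_POLICY
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_POLICY
    ssl-proxy server FRONTEND_SSL
interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  access-group input ALL
  service-policy input SLB_POLICY
  no shutdown
```

The sticky group only accepts configuration when the context's resource class allocates sticky memory (`limit-resource sticky` in a `resource-class`), so check that first if the `sticky` command is rejected.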


