ACE service module SSL termination for soap over HTTPS

JeramyKoval
Level 1

I have a virtual server configured to terminate SSL traffic and send to the real server in clear text. This works great when I test from my browser and access the web site on the server.

However, when another group attempts to send SOAP over HTTPS to the same virtual server, the ACE drops the connection.

Just wondering if anyone has seen this before?

access-list PERMIT line 8 extended permit ip any any

serverfarm host SecureSite
  probe PROBE_SERVICE_ICMP
  rserver SecureSite 81
    inservice

parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow

class-map match-all SecureSite
  2 match virtual-address 10.24.44.11 tcp eq https

policy-map type loadbalance first-match SecureSite-l7slb
  class class-default
    serverfarm SecureSite

policy-map multi-match POLICY
  class SecureSite
    loadbalance vip inservice
    loadbalance policy SecureSite-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 332
    ssl-proxy server SecureSite
    connection advanced-options TCP_PARAM

Service policy is applied at the interface.


koltl-gold
Level 1

I suspect the server sends an HTTP redirect which will not be usable until you set up SSL URL rewrite. It is a very good practice to have this feature enabled for all SSL termination configs.

Peter

koltl-gold
Level 1

I assume you just omitted to paste the 'ssl-proxy service SecureSite' section with the cert and the key.

Yes, I actually forgot to include the ssl-proxy service in my post. It is there and is configured. Works just fine with regular website traffic. I even tried a different ssl-proxy service just to see if there was any change.

"However, when another group attempts to send SOAP over HTTPS to the same virtual server, the ACE drops the connection."

Where's this group connecting to the VIP from?

Is it from a client-side or server-side vlan?

We ended up resolving this issue. It turned out to be something really simple. The client that was sending the soap traffic did not have the proper SSL certificate installed on the server that was generating the soap traffic.
