Unanswered Question
Oct 7th, 2009

I have a CSS11501 and the decision has been made to load the certificates on the servers instead of using the load balancer SSL module. Is this possible? The SSL termination point will be the servers instead of the CSS. I don't feel that this is the best way to go, but mgmt does. Can someone please point me in the right direction?


jason.espino Sun, 10/11/2009 - 20:43

It's definitely possible to move the cert/keys from the CSS to the servers and allow them to handle the encryption and decryption of SSL traffic.

Just know that doing so will result in a loss of being able to perform any layer 7 load balancing or persistence.

Also, doing so will result in the servers processing the SSL traffic rather than offloading that work to the CSS.

Hope this info helps.

- Jason

JeramyKoval Mon, 10/12/2009 - 11:19

As Jason mentioned you do lose some things by doing end-to-end SSL. But the changes on the CSS are actually pretty easy. You will need to create services for each of your backend servers for port 443. Then just modify your content rules accordingly. Remove the service that sends to the SSL module and replace with the appropriate HTTPS service that you created.

rmoore0917 Tue, 10/13/2009 - 03:15

Thanks for the post. Would you mind reviewing the attachment that I created, just to make sure I'm following what you stated?


JeramyKoval Tue, 10/13/2009 - 07:34

That will work. Just remember that the default behavior will be round robin load balancing with no stickiness.

jason.espino Wed, 10/14/2009 - 07:24

As Jeramy mentioned, the configuration you have provided will work. However, the services do not require the "port 443" NAT rule to be hard-set (services will inherit the port defined within the content rule), the keepalive checks for the services you created are using the default ICMP check, and what would be the reason for the group rule? Do you wish to perform internal load balancing with this rule?

The group rule will SNAT all client requests to appear as the VIP address. Even though the CSS does not support the X-Forwarded-For HTTP option you can accomplish the same thing and be able to hit your VIP internally while preserving the client IP addresses by using ACLs on the CSS.

- Jason
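The change Jeramy describes (port 443 services for each backend, swapped into the content rule in place of the SSL-module service) and Jason's follow-up points (the service port can be inherited from the content rule; the default ICMP keepalive only proves the host is up, not that the TLS listener is) put together as one CSS 11500 configuration fragment. This is an added illustration, not the attachment from the thread or Cisco's own example; the service and rule names, the IP addresses (RFC 5737 documentation and private ranges) and the name of the old SSL-module service are all made up for the example.

```text
! --- Added example (not from the original thread). All names and addresses are invented.
! --- Backend services terminate TLS themselves, so the CSS balances them at layer 4 only.

service web1-https
  ip address 10.1.10.11
  protocol tcp
  ! port is optional here: if omitted the service inherits the port from the content rule
  port 443
  ! TCP keepalive on 443 checks that the TLS listener answers, not just that the host pings
  keepalive type tcp
  keepalive port 443
  active

service web2-https
  ip address 10.1.10.12
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active

owner example-owner
  content https-vip
    ! suspend while editing; the rule stops accepting traffic until 'active' is re-issued
    suspend
    vip address 192.0.2.10
    protocol tcp
    port 443
    ! ssl-accel-old is the hypothetical service that previously pointed at the SSL module
    remove service ssl-accel-old
    add service web1-https
    add service web2-https
    ! round robin with no stickiness is the default (see Jeramy's note above);
    ! source-IP stickiness is the layer 4 option still available once the CSS can't see HTTP
    advanced-balance sticky-srcip
    active
```

The `advanced-balance sticky-srcip` line is optional; without it each new TCP connection is distributed round robin, which matters for applications that keep server-side session state. Cookie-based persistence and any URL or header matching in the content rule no longer work in this mode because the CSS only sees the encrypted stream. The separate plain-HTTP backend rule that the SSL module used to forward to can be suspended or removed once the HTTPS services are active.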
