ACE: Proxy loadbalancing

Answered Question
May 21st, 2010
User Badges:
  • Bronze, 100 points or more

Hi,


I've installed two Ironport S660 proxyservers to handle all webtraffic. As the Ironport apparently doesn't come with its own loadbalancing/redundacy feature (like VRRP), I've decided to let the ACE handle loadbalancing. 90% of all the traffic is destined to be proxied, but a small portion of specific url's are not suitable for proxying, e.g. sites that provides stockinformation, financial realtimedata etc. For that purpose, I'm trying to configure a method to detect theese url's and simply forward them toward our internet-firewall. But so far, I've unsuccessful in my attempts.


The basic loadbalancing works like a charm. The issue here is, that all traffic hits the vip on port 8080. I've tried to configure a class-map to detect the specific urls and used the action=forward under the loadbalance policy-map. For routing purposes, I've tried to apply PAT, so firewall won't have to be aware of all internal addresses. Sadly, it never worked. I did get the class-map for url-detecting to work, but the actual forwarding failed.


I'm thinking, that maybe there's problem related to the fact, that all traffic arrives with 8080 as dst.port. And this goes for both http and https. So even if I manage to correctly configure a class-map til detect theese urls, how do I forward the traffic and "rewrite" the dst.port? I would somehow need to inspect the header for either http:// og https:// in order to forward the traffic with the correct dst.port (80 or 443).


Has anyone configured ACE for Ironport loadbalancing and faced the same problems? If so, I'd be very interested in knowing, how you made it work.


Simple drawing and config-file attached.


Thanx


/Ulrich

Correct Answer by Gilles Dufour about 7 years 1 month ago

I don't think you can achieve what you want.

ACE is not a proxy and so it won't change the HTTP request....

Therefore, since proxy request are not the same as direct server request, if you loadbalance proxy traffic, you need to send it to a proxy.


For example a client will do a proxy request which looks like "CONNECT http://www.cisco.com/"  which will be translated by the proxy to "GET /"


Is your internet firewall also a proxy ?

If not, you will have to send the proxy request to your proxy, whatever the url and let the proxy decide what to do with it.


Regards,


Gilles.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Gilles Dufour Tue, 05/25/2010 - 02:08
User Badges:
  • Cisco Employee,

I don't think you can achieve what you want.

ACE is not a proxy and so it won't change the HTTP request....

Therefore, since proxy request are not the same as direct server request, if you loadbalance proxy traffic, you need to send it to a proxy.


For example a client will do a proxy request which looks like "CONNECT http://www.cisco.com/"  which will be translated by the proxy to "GET /"


Is your internet firewall also a proxy ?

If not, you will have to send the proxy request to your proxy, whatever the url and let the proxy decide what to do with it.


Regards,


Gilles.

UHansen1976 Tue, 05/25/2010 - 02:14
User Badges:
  • Bronze, 100 points or more

Hi Giles,


Thanks for your reply.


I'll try and find a work-around.


/Ulrich

Actions

This Discussion