Cisco ACE Loadbalancing and LDAPS

Dec 13th, 2011

Could anyone point me in the direction of a configuration document or advice on configuring load balancing with the LDAP secure port? I've read various articles about LDAPS not being supported on the ACE; is this correct?


I have partially configured this but have NAT issues at the moment, as it's in one-arm mode and this VLAN does not have any NAT configured. I have no configuration for the SSL termination and am not quite sure how that will work either.


Any advice would be appreciated.

Daniel Arrondo Ostiz Tue, 12/13/2011 - 03:21
Cisco Employee

Hi Cassandra,


LDAP is not supported in ACE as an L7 protocol, but that doesn't mean you cannot load-balance it. It simply means you cannot apply any kind of L7 inspection, and you can also forget about SSL termination. If you configure it for pure L4 load-balancing, it should be just like any other protocol.


If you are using one-armed mode, you must find a way to send the return traffic through the ACE. This is normally done with the use of NAT, but you may also use other methods such as policy-based routing. Be aware that unless this return traffic goes through the ACE, connections will not work, so there is no point in testing the application until this is fixed.


I hope this helps


Daniel

svenkateshv Tue, 08/12/2014 - 07:33

You can do L4 load balancing for LDAP over SSL.

Something like:

ssl-proxy service LDAP-SSL-PROXY
  key LDAP-KEY-1024.pem
  cert LDAPS.FOO.COM.pem

serverfarm host LDAP-SF
  predictor leastconns
  rserver rs1 389
    inservice
  rserver rs2 389
    inservice

class-map match-any LDAPS-VIP
  2 match virtual-address 10.10.10.100 tcp eq 636

policy-map type loadbalance first-match LDAP-L4-POLICY
  class class-default
    serverfarm LDAP-SF

policy-map multi-match LDAP-MM
  class LDAPS-VIP
    loadbalance vip inservice
    loadbalance policy LDAP-L4-POLICY
    ssl-proxy server LDAP-SSL-PROXY