Cisco ACE SSL Front-End of non HTTP traffic

Unanswered Question
Jul 30th, 2012

Hi

Does the ACE support the following?

We have a home grown application. Client-Server application. Application uses native TCP traffic. Client initiates the TCP connection to a TCP port on the Server. After three way TCP handshake, client writes application data to the socket. Server reads data off socket (does processing) and replies and writes response back onto the socket. Client reads response data off the socket and closes the socket.

We are looking at using Stunnel on the Client side to create an SSL connection to an ACE that will front end the real server. Client will connect via Stunnel that will connect to ACE.

ACE needs to perform the SSL termination and then, after receiving the first data packet from the client via Stunnel, ACE should establish a TCP socket to the Real server and send data. This is not HTTP traffic. It is native TCP traffic. Does the ACE support this functionality or does the application on the Real server have to be HTTP?

Regards
Byron
jlamousn Mon, 07/30/2012 - 12:03

Byron,

If you are using your own application protocol but just wrapping it in SSL, the ACE should be able to encrypt/decrypt the generic traffic. The ACE is not going to care about the data in the SSL tunnel unless it is specifically configured to do so. The only exception might be the ACE30, which has HTTP persistence rebalance enabled by default, so you might need to apply an HTTP parameter map on the VIP to disable persistence rebalance.

Thanks

Joel Lamousnery

Customer Support Engineer

Cisco TAC

byron.momsen Tue, 07/31/2012 - 07:53

Thanks Joel.

Yes, we are just planning to tunnel our own application TCP traffic.

We also require the ACE to load balance the decrypted traffic across multiple real ports on a single real server after performing the SSL Front Ending. Is this possible on the ACE 4710 version A5(2.0)?

Native TCP traffic tunneled using SSL.

SSL Client --->>> VIP 10.10.10.10:443 ACE ------->>>> Real IP 20.20.20.20:4431, 4432, 4433

Regards

Byron
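
Added example (not part of the original thread, and not the posters' or Cisco's configuration): a stunnel client service for the topology described above, showing stunnel's default unverified service beside one that validates the certificate presented at the VIP. Option names are those of stunnel 5.x; the local listen ports, CA file path and certificate hostname are assumed placeholders.

```ini
; Constructed example: stunnel client configuration (stunnel 5.x option names).
; Ports on 127.0.0.1, the CA path and the checkHost name are placeholders.

; Weak: stunnel's default. The tunnel is encrypted, but the certificate
; presented at the VIP is not validated, so the client cannot tell the ACE
; from any other TLS endpoint answering on that address.
[app-unverified]
client = yes
accept = 127.0.0.1:4430
connect = 10.10.10.10:443

; Hardened: require a chain to a trusted CA and a matching hostname before
; any application bytes are written into the tunnel.
[app-verified]
client = yes
accept = 127.0.0.1:4431
connect = 10.10.10.10:443
CAfile = /etc/stunnel/ace-ca.pem
verifyChain = yes
checkHost = ace-vip.example.internal
```

The native TCP client then connects to the local `accept` port instead of the server address.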

pipaulo Tue, 07/31/2012 - 08:32

Hi Joel,

So for the Layer 7 Class-map, this would be a class-map type loadbalance, not http loadbalance, yes? If required?

And the Layer 7 Policy map, also a normal policy-map type loadbalance, yes?

Policy-map multi-match as normal?

I hear what you are saying, just wondering if the ACE will pick it up?

Just a thought: would the ACE support this, i.e. non-SSL from local server to VIP on local ACE, then local ACE initiates SSL to remote ACE, which would terminate SSL, decrypt and send clear to remote server on a similar type of home grown Application utilising one of the available SSL Solutions? A bit crazy, but would really be interested to know. A "nasty" workaround to IPSEC I suppose?

There is a reason I am asking.

Cheers.

Paul.

Posted July 30, 2012 at 3:25 AM