Cisco ACE SSL Front-End of non-HTTP traffic

Unanswered Question
Jul 30th, 2012


Does the ACE support the following?

We have a home-grown client-server application that uses native TCP traffic. The client initiates a TCP connection to a TCP port on the server. After the three-way TCP handshake, the client writes application data to the socket. The server reads the data off the socket (does processing), replies, and writes the response back onto the socket. The client reads the response data off the socket and closes the socket.

We are looking at using Stunnel on the client side to create an SSL connection to an ACE that will front-end the real server. The client will connect via Stunnel, which will connect to the ACE.

The ACE needs to perform the SSL termination and then, after receiving the first data packet from the client via Stunnel, establish a TCP socket to the real server and send the data. This is not HTTP traffic; it is native TCP traffic. Does the ACE support this functionality, or does the application on the real server have to be HTTP?

jlamousn Mon, 07/30/2012 - 12:03


If you are using your own application protocol but just wrapping it in SSL, the ACE should be able to encrypt/decrypt the generic traffic. The ACE is not going to care about the data in the SSL tunnel unless it is specifically configured to do so; the only exception might be the ACE30, which has HTTP persistence rebalance enabled by default, so you might need to apply an HTTP parameter map on the VIP to disable persistence rebalance.


Joel Lamousnery

Customer Support Engineer

Cisco TAC

byron.momsen Tue, 07/31/2012 - 07:53

Thanks Joel.

Yes, we are just planning to tunnel our own application TCP traffic.

We also require the ACE to load balance the decrypted traffic across multiple real ports on a single real server after performing the SSL front-ending. Is this possible on the ACE 4710, version A5(2.0)?

Native TCP traffic tunneled using SSL:

SSL client ---> ACE VIP ---> real IP, ports 4432, 4433



Paul Pinto Tue, 07/31/2012 - 08:32

Hi Joel,

So for the Layer 7 class-map, this would be a class-map type loadbalance, not http loadbalance, yes? If required?

And the Layer 7 policy-map, also a normal policy-map type loadbalance, yes?

Policy-map multi-match as normal?

I hear what you are saying, just wondering if the ACE will pick it up.

Just a thought: would the ACE support this, i.e. non-SSL from the local server to a VIP on the local ACE, then the local ACE initiates SSL to a remote ACE, which terminates SSL, decrypts and sends clear text to the remote server on a similar type of home-grown application, utilising one of the available SSL solutions? A bit crazy, but I would really be interested to know. A "nasty" workaround to IPsec, I suppose?

There is a reason I am asking.
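The configuration below is an added example and is not from any post in this thread or from Cisco documentation for this exact scenario. It shows one way to build what the three posts above describe on an ACE: an SSL-terminating VIP, a generic (non-HTTP) Layer 7 load-balance policy that uses only class-default, and a server farm that lists the same real server twice with different ports (4432 and 4433). All names, addresses and file names (APP_SSL, APP_SRV, APP_FARM, 10.1.1.100, 10.1.2.10, app.crt, app.key, VLAN 100) are assumptions. The HTTP parameter map at the end follows jlamousn's note about the ACE30 default; whether it is required on a given release should be checked against that release's notes.

```cisco
! Added example, not from the thread. Assumed: VIP 10.1.1.100:443, one real
! server 10.1.2.10 listening on TCP 4432 and 4433, certificate/key already
! imported to the ACE as app.crt / app.key, client-facing VLAN 100.

! SSL termination service bound to the VIP's certificate and private key.
ssl-proxy service APP_SSL
  key app.key
  cert app.crt

! One real server, placed in the farm twice with different ports so the
! decrypted connections are spread across both listeners.
rserver host APP_SRV
  ip address 10.1.2.10
  inservice

serverfarm host APP_FARM
  predictor roundrobin
  rserver APP_SRV 4432
    inservice
  rserver APP_SRV 4433
    inservice

! Generic Layer 7 policy: no HTTP class-map, class-default catches every
! decrypted connection and hands it to the farm. The ACE opens the back-end
! TCP connection once it has client data to forward.
policy-map type loadbalance first-match APP_LB
  class class-default
    serverfarm APP_FARM

! Layer 3/4 match for the SSL VIP.
class-map match-all APP_VIP
  2 match virtual-address 10.1.1.100 tcp eq 443

! Optional (assumption, per jlamousn's ACE30 note): turn off HTTP
! persistence rebalance so the ACE does not try to treat the payload as HTTP.
parameter-map type http APP_HTTP
  no persistence-rebalance

policy-map multi-match APP_VIPS
  class APP_VIP
    loadbalance vip inservice
    loadbalance policy APP_LB
    ssl-proxy server APP_SSL
    appl-parameter http advanced-options APP_HTTP

access-list ALLOW_ALL line 10 extended permit ip any any

interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  access-group input ALLOW_ALL
  service-policy input APP_VIPS
  no shutdown
```

Two things a practitioner would check before relying on this. First, the ACE is a full proxy for SSL-terminated connections, so the real server must route its replies back through the ACE (or source NAT must be configured on the VIP); otherwise the back-end TCP connection never completes. Second, the Stunnel client should be configured to verify the certificate presented by the VIP (Stunnel's `verify` and `CAfile` options), since an SSL tunnel that does not check the server certificate protects against passive eavesdropping only, not against an on-path attacker impersonating the ACE.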



