SSL IP Forwarding problem in ACE 4700

rahilgulaliyev
Level 1

Hello,

I have a load balancer (Cisco ACE 4710 with vA4(2)) and two web servers which run on port 443 (HTTPS), and I would like to get the real IP addresses of clients in the Apache log files. Unfortunately, it seems to be the NATed IP address of the load balancer. I have tried all three forwarding types (Initiation, Termination, and End-to-End SSL), but still I could not get it to work. Please let me explain in more detail the connection type between the load balancer and the web servers.

 

The web servers are set up with SSL and require a client-side certificate via the Cisco ACE.

By default:

1) The client sends a request to the ACE, and the load balancer sends the client request to the web servers.

2) The main issue here is that the web servers are unable to get the clients' real IP; they only get the ACE IP.

 

I have applied certificates as below:

1) Installed client and server SSL certificates on the ACE in order to decrypt and encrypt packets.

2) The real IP from the client side is written on the web servers.

3) But here it works only with the ACE client certificate.

4) The problem here is that configuring that option prevents the client's real certificate from being sent to the web server, and the application deployed on the web servers requires the client's real certificate as well.

 

I hope this is clear for you. Please help me.

Thank you.

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

I didn't get the requirement here. If you need to see the client IP in the server logs, then you can use X-FORWARDED-FOR, and that should take care of the problem.

If you need to present a client certificate to the server, then the ACE (with the client cert installed on it) will send the certificate to the server during the SSL handshake at the back end if END-TO-END SSL is configured.

Do you see something otherwise?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

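The X-Forwarded-For approach suggested in the reply above only gives a trustworthy client address if the web server treats the header as authoritative solely when the TCP peer is the load balancer: any client can send its own X-Forwarded-For header, and a server that blindly logs it will record a spoofed address. On the ACE side the header is typically inserted with an HTTP modify action list (`header insert request X-Forwarded-For header-value "%is"`, where `%is` is the source IP of the client connection); on the Apache side the header is logged with `%{X-Forwarded-For}i` in the LogFormat. The following is an added example, not code from the original thread or from Cisco: it parses Apache access-log lines in such a format and derives the real client IP, walking the header from the right and discarding trusted proxy hops. The ACE NAT address 10.0.0.5 and all log lines are hypothetical, constructed for the example.

```python
"""
Added example: recover the real client IP from Apache logs when a
load balancer (here a hypothetical Cisco ACE at NAT address 10.0.0.5)
inserts X-Forwarded-For. Assumed Apache LogFormat:
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" xff
"""
import ipaddress
import re

# Hypothetical address the ACE NATs client connections to (not from the thread).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"$'
)


def real_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client address that should be logged.

    X-Forwarded-For is a comma-separated list to which each proxy appends the
    address it saw, so the rightmost entry was added by the last hop. Walk from
    the right, skip addresses belonging to trusted proxies, and the first
    untrusted address is the client. If the TCP peer itself is not a trusted
    proxy, the header is untrusted (the client could have set it) and the peer
    address is returned unchanged.
    """
    remote = ipaddress.ip_address(remote_addr)
    if remote not in trusted:
        return str(remote)
    if not xff_header or xff_header == "-":
        return str(remote)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: fall back to the proxy address
        if addr not in trusted:
            return str(addr)
    return str(remote)


def parse_line(line):
    """Parse one access-log line; return a dict with the derived 'client' field."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = real_client_ip(rec["remote"], rec["xff"])
    return rec


# Constructed sample log: line 1 is a normal request through the ACE,
# line 2 passed through a second trusted hop, line 3 is a direct connection
# with a spoofed header, line 4 came through the ACE without a header.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2014:10:12:01 +0400] "GET /app/ HTTP/1.1" 200 5123 "203.0.113.7"
10.0.0.5 - - [10/Feb/2014:10:12:02 +0400] "GET /app/ HTTP/1.1" 200 5123 "198.51.100.9, 10.0.0.5"
192.0.2.44 - - [10/Feb/2014:10:12:03 +0400] "GET /app/ HTTP/1.1" 200 5123 "1.2.3.4"
10.0.0.5 - - [10/Feb/2014:10:12:04 +0400] "GET /app/ HTTP/1.1" 200 5123 "-"
"""


def client_ips(log_text=SAMPLE_LOG):
    """Derived client address for every parseable line of the log."""
    records = [parse_line(l) for l in log_text.splitlines()]
    return [r["client"] for r in records if r]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["client"], rec["request"], rec["status"])
```

The same trust rule can be enforced inside Apache itself with mod_remoteip (`RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy` set to the ACE address), which rewrites `%a` to the derived client address so existing logging and access controls see it directly.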
Hi, Mr. Kanwal

Actually, I use END-TO-END SSL, and I get the client's real IP address in the server logs too. But the problem still continues. In my system approximately 2000 clients must connect with their unique certs, which are defined one by one. Also, I have defined a client certificate on my ACE so that my END-TO-END SSL works properly. As I explained above, 'The problem here is that configuring that option prevents the client's real certificate from being sent to the web server, because the application deployed on the web servers requires the client's real certificate too.' In other words, the outside clients' certificates must match the certificates in my web server database. But my web server only sees my ACE certificate. I need to forward 2000 clients' certificates across the ACE to my web server.

I hope that it is clear for you.


Regards,


Rahil

Hi Rahil,

I am very positive that this is not possible on ACE, but let me double check and get back to you.

Regards,

Kanwal
