Thanks Kanwalsi,

I am not sure on passdetect interval as I have had no information from the server guys. This isn't micrsoft CAS but it is CAS for a webportal application.

I will let you know what requirements the server guys get back to me with. Again they didn't specify a cipher but this has been used in all other load balancer configs.

Thanks.

Hi Netter,

It is your set up and you shall tweak different parameters available to suit your environment.

But let me know if you need anything from my side.

Regards,

Kanwal

Thanks Kanwalsi,

Seems there is a change in design. They want to pass traffic straight onto the CAS servers, where the certificates will be installed. The CAS certificates have to be on the CAS servers, both http and https traffic to be enabled from Load Balancer to CAS.

They say this method ensures that all servers  and internal communication to CAS takes place securely.

I will redo the config and see how it goes.

Hi,

No problem. Let me know if you need anything. Also, if they don't want ACE to do anything but just loadbalance then it is just going to be simple L3-L4 based loadbalancing and should be pretty straight forward.

Good luck!

Regards,

Kanwal

Thanks Kanwalsi,

Is the configuration in the post above correct? I am not sure if the redirect server farm is the right approach to doing this. it may work but would the right approach  be to 443 from the servers in the serverfarm and have it like this:

serverfarm host TESTCAS-FARM

predictor leastconns

probe TESTCAS-PROBE

rserver TSTCAS

inservice

rserver TSTCAS2

inservice

And then just add another class match to the vip for www like below?

class-map match-any TESTCAS-VIP

2 match virtual-address 10.192.158.60 tcp eq https

3 match virtual-address 10.192.158.60 tcp eq www

And totally remove the redirect config?

Hi Netter,

Redirect would be needed if you want the ACE to redirect the users coming on HTTP  to HTTPS. Once they come on HTTPS they will be loadbalanced.

If redirect is needed then you need to configure a redirect server, serverfarm, call it in policy map and then call the class-map for www in policy multi-match. So traffic would be redirected from http to HTTPS. Once the user comes on HTTPS, it will match class 443, and get loadbalanced to a different serverfarm.

Coming back to your configuration i don't see you have called redirect serverfarm in policy map. That will not work. So you need to be very clear what customer wants and we can configure accordingly.

Regards,

Kanwal

Thanks Kanwalsi,

This is what I got from the external server guys.

·         For the CAS Tier, pass the traffic straight onto the CAS servers, on which the certificates will be installed. The CAS Certificates just have to be on the CAS servers, both http and https traffic to be enabled from Load balancer to CAS.

The internal server guys say the servers listen on both 80 and 443 and if a request comes in on 80 the servers redirect to 443.

This makes me think I need my server farm setup as follows:

serverfarm host TESTCAS-FARM

predictor leastconns

probe TESTCAS-PROBE

rserver TSTCAS

inservice

rserver TSTCAS2

inservice

And then my class match as follows:

class-map match-any TESTCAS-VIP

2 match virtual-address 10.192.158.60 tcp eq https

3 match virtual-address 10.192.158.60 tcp eq www

Am I totally wrong or is this the right idea? Never had to do a configuration where the servers handled ssl offload and where they accepted traffic on both 80 and 443.

Do I need two probes configured to the one serverfarm? Then two vips as above?

Hi Netter,

So you should have two class-maps:

class-map match-any TESTCAS-VIP

2 match virtual-address 10.192.158.60 tcp eq https

class-map match-any TESTCAS-VIP1

3 match virtual-address 10.192.158.60 tcp eq www

Then you should have two serverfarms:

serverfarm host TESTCAS-FARM

predictor leastconns

probe TESTCAS-PROBE

rserver TSTCAS

inservice

rserver TSTCAS2

inservice

serverfarm host TESTCAS-FARM-HTTPS

rserver TSTCAS 443

inservice

rserver TSTCAS2 443

inservice

policy-map type loadbalance first-match TESTCAS-POLICY-HTTP

class class-default

serverfarm TESTCAS-FARM

policy-map type loadbalance first-match TESTCAS-POLICY-HTTPS

class class-default

serverfarm TESTCAS-FARM-HTTPS

policy-map multi-match TESTPOLICY

Class TESTCAS-VIP

loadbalance vip inservice

loadbalance policy TESTCAS-POLICY-HTTPS

class TESTCAS-VIP1

loadbalance vip inservice

loadbalance policy TESTCAS-POLICY-HTTP

That's the configuration you need to do. I just did it for you:)

Now of course you should have two different probes. Simply you can have TCP port 80 for serverfarm TESTCAS-FARM and TCP port 443 for serverfarm TESTCAS-FARM-HTTPS or you can have HTTP and HTTPS for respective serverfarms.

Let me know if you have any questions.

Regards,

Kanwal

Hi Kanwal,

Firstly thanks for all your help and time spent on this. I have taken your advice and redone the hole config. I have 2 class maps and 2 serverfarms. Can you please double check my serverfarms and probes?

Below is the full config. Does it look ok to you? Am I on the right track?

probe https TESTCASHTTPS-PROBE

  interval 3

  passdetect interval 5

  expect status 200 200

probe http TESTCASWWW-PROBE

  interval 3

  passdetect interval 5

  expect status 200 200

rserver host TSTCAS

  ip address  10.192.158.44

  inservice

rserver host TSTCAS2

  ip address 10.193.158.58

  inservice

serverfarm host TESTCASHTTPS-FARM

  predictor leastconns

  probe TESTCASHTTPS-PROBE

  rserver TSTCAS

    inservice

  rserver TSTCAS2

    inservice

serverfarm host TESTCASWWW-FARM

  predictor leastconns

  probe TESTCASWWW-PROBE

  rserver TSTCAS

    inservice

  rserver TSTCAS2

    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-TESTCASWWW-FARM

  timeout 720

  timeout activeconns

  replicate sticky

  serverfarm TESTCASWWW-FARM

sticky ip-netmask 255.255.255.255 address source STICKY-TESTCASHTTPS-FARM

  timeout 720

  timeout activeconns

  replicate sticky

  serverfarm TESTCASHTTPS-FARM

class-map match-any TESTCASHTTPS-VIP

  2 match virtual-address 10.192.158.60 tcp eq https

class-map match-any TESTCASWWW-VIP

  3 match virtual-address 10.192.158.60 tcp eq www

policy-map type loadbalance first-match TESTCAS-POLICY-HTTPS

  class class-default

    sticky-serverfarm STICKY-TESTCASHTTPS-FARM

policy-map type loadbalance first-match TESTCAS-POLICY-WWW

  class class-default

    sticky-serverfarm STICKY-TESTCASWWW-FARM

policy-map multi-match TESTCASPOLICYHTTPS

  class TESTCASHTTPS-VIP

    loadbalance vip inservice

    loadbalance policy TESTCAS-POLICY-HTTPS

policy-map multi-match TESTCASPOLICYWWW

  class TESTCASWWW-VIP

    loadbalance vip inservice

    loadbalance policy TESTCAS-POLICY-WWW

service-policy input TESTCASPOLICYWWW

service-policy input TESTCASPOLICYHTTPS

Hi Netter,

The configuration looks good but you should also have port number 443 defined in the HTTPS serverfarm.

Regards,

Kanwal

Thanks Kanwal,

But why when the probe is https? Am I missing something?

probe https TESTCASHTTPS-PROBE

  interval 3

  passdetect interval 5

  expect status 200 200

Hi Netter,

No. You are good:)

Regards,

Kanwal

Great, thanks again for all the help on this. Lets hope the server guys are happy. I will let you know how it goes.

Thanks/