Cisco Support Community
ACE as Proxy

Dear *,

Based on the Cisco link below:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html#wp1159517

SSL Termination Overview

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.

Now I would like to clarify the following:

  1) When ACE terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server, what is the source IP that the server will see? Will it see the client IP or the ACE IP as source? I believe it should see the source IP of the ACE. Or does the ACE only terminate and re-initiate the TCP session without changing the source IP?
  2) If we don't want to use SSL, can ACE work as a normal proxy? Can we terminate a connection from the client and then establish a new session to the HTTP server? If yes, then the servers will see the source IP of ACE?

Thanks,

Aamir

Hello Aamir-

1.) It depends on your configuration; however, ACE will use the client IP by default and a source NAT pool if you have it configured to do so. Even with SSL on the front and backend, this still holds true.

2.) No.

ACE is not a proxy server by any means. Even with a layer 5 content rule where ACE needs to terminate the client session to make a load-balancing decision, once it creates a backend session, it steps out of the way and lets the client/server handle everything. In other words, you would never point your client browser to ACE as a proxy.

Regards,

Chris Higgins
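
The two behaviours described in point 1 of the reply, as an added ACE configuration sketch that is not part of the original thread or of Cisco's guide. All object names, VLAN numbers, addresses and key/certificate file names are constructed placeholders; lines starting with `!` are annotations for the reader, not commands.

```cisco
! Constructed example: SSL termination on a VIP, with optional source NAT.
rserver host WEB1
  ip address 10.0.200.11
  inservice

serverfarm host WEB_FARM
  rserver WEB1 80
    inservice

! ACE terminates SSL from the client and sends clear text to WEB_FARM.
ssl-proxy service SSL_TERM
  key EXAMPLE_KEY.pem
  cert EXAMPLE_CERT.pem

class-map match-all VIP_HTTPS
  2 match virtual-address 192.0.2.100 tcp eq 443

policy-map type loadbalance first-match SLB_POLICY
  class class-default
    serverfarm WEB_FARM

policy-map multi-match CLIENT_VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy SLB_POLICY
    ssl-proxy server SSL_TERM
    ! Default (line below absent): the server sees the client's source IP.
    ! With the line below: the server sees an address from NAT pool 1.
    nat dynamic 1 vlan 200

! Client-side VLAN: the policy is applied to traffic arriving here.
interface vlan 100
  service-policy input CLIENT_VIPS
  no shutdown

! Server-side VLAN: the source NAT pool lives on the egress interface.
interface vlan 200
  nat-pool 1 10.0.200.50 10.0.200.50 netmask 255.255.255.0 pat
  no shutdown
```

With the `nat dynamic` line in place, web server access logs and any IP-based access rules on the servers see 10.0.200.50 for every client; without it they see the original client address.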
