Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACE deployment considerations


i'm looking for a good practice guide for ace deployment if anyone can help

i intend to use my ACE appliance to load balance traffic between 4 different proxy servers, i.e. users request a url, i.e. from the ACE and it then connects to one of 4 proxies which will then retrieve the web page, pass it back to the ACE which will deliver the content to the user

my ACE appliance is no my trusted/corporate lan

my proxies are on an untrusted lan/dmz behind a firewall

i want to install a 4710 with its client interface on my corporate lan (closest to the users) and the server interface on my proxy lan but i need to know if the ACE appliance is secure enough to be deployed in this topology

is it EAL certified or does it run in a firewall/stateful inspection mode?

thanks to anyone taking the time to read this or to reply


Re: ACE deployment considerations


As far as I know, the ACE is not stateful like your typical firewall device, and I have no knowledge of wether it's EAL certified or not.

However, since ACE comes with a wide range of inspection features and is generally considered very security-aware, you could argue that it would make a good firewall substitute. Personally, I've deployed the ACE as an addition to my firewall setup and attached the proxies to ACE on dedicated interfaces, having a clientside interface point towards the users and a dedicated egress interface attached to the firewall on a dmz. That way any nat-rules can remain unchanged.

Another option, depending on your topology, would be a bridge-mode implementation, basically deploying the ACE as a bumb-in-road between the firewall-dmz and the proxies.

Anyway, just my thought. Hope you find 'em useful.


New Member

Re: ACE deployment considerations


many thanks for your offering, its greatly appreciated and very helpful

i suspect i'll have to go with putting a failover pair of 4710s inline to my proxies

i'll readdress the firewall interface and put the 4710s in front of the proxies so i can keep my proxies with the same IPs and simply put a static route to the proxies via the client side

thanks again

New Member

Re: ACE deployment considerations

Just one minor point:

As far as I know, the ACE is not stateful like your typical firewall 
device, and I have no knowledge of wether it's EAL certified or not.

Actually, the ACE is a stateful packet inspection based solution. It could not acheive much of what it does without maintaining state. It is certainly not as feature rich as say an ASA firewall or IDS/IPS system for security, but nevertheless it has a considerable amount of DDoS, normalization, and ACL features.


Re: ACE deployment considerations

Hi Jason,

Thanks for the info.