Cisco Support Community

ACE functionality question - SSL tunnelling / proxy on behalf of non SSL client

Hi

Can the ACE perform SSL tunnelling of web services (HTTP) traffic? Can the ACE perform SSL tunnelling/proxy on behalf of a non-SSL client?

Example:

Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server

The "client" Server does not support SSL.

Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)?

Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non-SSL client?

Regards


Accepted Solutions

ACE functionality question - SSL tunnelling / proxy on behalf of

Hi,

Yes. The ACE SSL Configuration Guide shows how to do this in the "Configuring SSL Initiation" section, culminating in a worked example. The only gotcha is forgetting to specify the port 443 in the serverfarm - otherwise the ACE will send traffic to port 80 (the same destination port as the client request).

HTH

Cathy

Re: ACE functionality question - SSL tunnelling / proxy on behalf

Hello Byron,

Yes, the ACE can do it

Here you have some of the flavors of SSL with the ACE.

Here you have a sample about it:

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535

class-map match-all CLEAR_TEXT_VIP
  2 match virtual-address 172.20.120.19 tcp eq www

policy-map multi-match JORGE-MULTIMATCH
  class CLEAR_TEXT_VIP
    loadbalance vip inservice
    loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM

policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE

ssl-proxy service SSL-PROXY-JORGE
  key TAC-key
  cert TAC-cert

serverfarm host ENCRYPTED-SERVERFARM
  rserver JORGE-SERVER 443
    inservice

Here you have some additional details under the configuration guide:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html

Here you have some additional samples:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples

Hope this helps you and fixes your issue.

Jorge
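
The port gotcha Cathy describes can be checked mechanically before a configuration is applied. The following Python check is an added example, not part of either reply or of Cisco's documentation: it flags every rserver that sits in a serverfarm reached through `ssl-proxy client` but has no port on its `rserver` line. It assumes the layout of Jorge's sample (port given on the `rserver` line inside the serverfarm); the function name and the `POLICY_BAD`, `POLICY_CLEAR`, `BAD-FARM`, `CLEAR-FARM`, `WEB1` and `WEB2` entries are constructed for illustration.

```python
# Constructed sample in the style of the thread's config; BAD-FARM omits the port.
SAMPLE_CONFIG = """\
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE
policy-map type loadbalance first-match POLICY_BAD
  class class-default
    serverfarm BAD-FARM
    ssl-proxy client SSL-PROXY-JORGE
policy-map type loadbalance first-match POLICY_CLEAR
  class class-default
    serverfarm CLEAR-FARM
serverfarm host ENCRYPTED-SERVERFARM
  rserver JORGE-SERVER 443
serverfarm host BAD-FARM
  rserver WEB1
serverfarm host CLEAR-FARM
  rserver WEB2
"""

def rservers_missing_port(config):
    """Return (serverfarm, rserver) pairs that receive SSL-initiated traffic with no port set."""
    ssl_farms, no_port = set(), {}   # farms behind 'ssl-proxy client'; farm -> portless rservers
    ctx, farm, farms, has_ssl = None, None, [], False

    def flush():                     # commit the policy class block that just ended
        nonlocal farms, has_ssl
        ssl_farms.update(farms if has_ssl else [])
        farms, has_ssl = [], False

    for raw in filter(str.strip, config.splitlines()):
        w = raw.split()
        if not raw[0].isspace():     # an unindented line opens a new top-level object
            flush()
            ctx = "lb" if w[:3] == ["policy-map", "type", "loadbalance"] else w[0]
            farm = w[-1]             # only meaningful for 'serverfarm host NAME'
        elif ctx == "lb" and w[0] == "class":
            flush()
        elif ctx == "lb" and w[0] == "serverfarm":
            farms.append(w[1])
        elif ctx == "lb" and w[:2] == ["ssl-proxy", "client"]:
            has_ssl = True
        elif ctx == "serverfarm" and w[0] == "rserver" and len(w) < 3:
            no_port.setdefault(farm, []).append(w[1])
    flush()
    return sorted((f, r) for f in ssl_farms for r in no_port.get(f, []))

if __name__ == "__main__":
    print(rservers_missing_port(SAMPLE_CONFIG))
```

`CLEAR-FARM` is not reported even though its rserver has no port, because no policy sends it traffic through `ssl-proxy client`.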
