
ACE functionality question - SSL tunnelling / proxy on behalf of non SSL client

byron.momsen
Level 1

Hi

Can the ACE perform SSL tunnelling of web services (HTTP) traffic? Can the ACE perform SSL tunnelling/proxy on behalf of a non-SSL client?

Example:

Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server

The "client" Server does not support SSL.

Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)?

Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non-SSL client?

Regards

Accepted Solutions

ciscocsoc
Level 4

Hi,

Yes. The ACE SSL Configuration Guide shows how to do this in the "Configuring SSL Initiation" section, culminating in a worked example. The only gotcha is forgetting to specify the port 443 in the serverfarm - otherwise the ACE will send traffic to port 80 (the same destination port as the client request).

HTH

Cathy


Jorge Bejarano
Level 4

Hello Byron,

Yes, the ACE can do it.

Here you have some of the flavors of SSL with the ACE.

Here you have a sample about it:

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535

class-map match-all CLEAR_TEXT_VIP
  2 match virtual-address 172.20.120.19 tcp eq www

policy-map multi-match JORGE-MULTIMATCH
  class CLEAR_TEXT_VIP
    loadbalance vip inservice
    loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM

policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE

ssl-proxy service SSL-PROXY-JORGE
  key TAC-key
  cert TAC-cert

serverfarm host ENCRYPTED-SERVERFARM
  rserver JORGE-SERVER 443
    inservice

Here you have some additional details under the configuration guide:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html

Here you have some additional samples:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples

Hope this helps and fixes your issue.

Jorge
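
The port gotcha from the first answer can be checked against a saved configuration before it is applied. The following is an added example, not part of the original posts and not Cisco code: a small Python check that finds every load-balance class using `ssl-proxy client` and reports any `rserver` in its serverfarm that has no explicit port. The sample config is constructed from the serverfarm shown above; `POLICY_NO_PORT` and `FARM-NO-PORT` are hypothetical names added to show a failing case.

```python
# Constructed sample: the thread's policy and serverfarm, plus a second
# (hypothetical) policy/serverfarm pair that omits the rserver port.
SAMPLE = """\
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE
policy-map type loadbalance first-match POLICY_NO_PORT
  class class-default
    serverfarm FARM-NO-PORT
    ssl-proxy client SSL-PROXY-JORGE
serverfarm host ENCRYPTED-SERVERFARM
  rserver JORGE-SERVER 443
    inservice
serverfarm host FARM-NO-PORT
  rserver JORGE-SERVER
    inservice
"""

def top_level_blocks(config):
    """Split a config into (header, [stripped child lines]) by indentation."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue                      # tolerate blank lines between commands
        if not line[0].isspace():
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def ssl_initiation_findings(config):
    """Return (policy, serverfarm, rserver) for each rserver without an explicit
    port in a serverfarm reached through a class that has 'ssl-proxy client'."""
    farms, policies, findings = {}, [], []
    for header, body in top_level_blocks(config):
        words = header.split()
        if words[0] == "serverfarm":
            farms[words[-1]] = [l.split() for l in body if l.startswith("rserver ")]
        elif header.startswith("policy-map type loadbalance"):
            policies.append((words[-1], body))
    for policy, body in policies:
        groups = []                       # one list of commands per 'class' entry
        for line in body:
            if line.startswith("class "):
                groups.append([])
            elif groups:
                groups[-1].append(line.split())
        for group in groups:
            if not any(w[:2] == ["ssl-proxy", "client"] for w in group):
                continue                  # class does not initiate SSL
            for w in (w for w in group if w[0] == "serverfarm" and len(w) > 1):
                findings += [(policy, w[1], rs[1])
                             for rs in farms.get(w[1], []) if len(rs) < 3]
    return findings
```

The check only reports a missing port; it does not insist on 443, since the HTTPS listener on the real server may use another port.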
