
ACE4710 - Need help with SSL config

dclee
Level 1

Looking for some assistance with the following diagram. I currently have SSL termination working fine in the lab for one URL, but I am having difficulty getting the config right for one physical server, which runs multiple backend web servers on different ports.

I am using a wildcard SSL cert for *.clean.ca

On our old CSS I was able to define backend web servers with the same IP but different port, but I can't seem to figure this out on the ACE. If I throw in multiple port statements in the server farm config it will want to load balance across these ports, which isn't what I need.

Do I need to create a separate physical IP for each backend web server? That's a pain but doable.

Here is the diagram, any help would be appreciated.

     

ACE REVERSE PROXY rev1_clean.jpg


jackwikinski
Level 1

Hi,

Am I right in assuming that the other URLs will be using different IP addresses?

If so, then you need to create separate serverfarms, class-maps, policy maps etc. for every site using the relevant port numbers. If you can do the below, then the server's physical addresses can remain the same.

For example

serverfarm 1:

rserver 1.1.1.1 21250

serverfarm 2:

rserver 1.1.1.1 20850

class-map match-all Site1

  2 match virtual-address 10.1.1.1 tcp eq 443

class-map match-all Site2

  2 match virtual-address 10.1.1.2 tcp eq 443

The same ssl termination parameters can be used in multiple policies.

Hope this helps.

Thanks.

Jack.

Jack, thanks for the response, but I am not sure I understand the use of the 10.1.1.1 and 10.1.1.2 IPs?

Essentially ALL inbound SSL needs to terminate on 192.168.1.10


Cheers


Dave

Hi Dave,

That was just an example of how you could use the same ip address in different serverfarms with different ports.

The question is whether the external addresses are all the same or different.

If they are the same then it changes how the ACE configuration needs to be.

Thanks.

Jack.

Yeah, unfortunately I only have so many public IPs on the outside. So the way the old CSS is configured, all of my inbound entries resolve to one public VIP.

If you want to post the CSS configuration I can help you change it to comply with the ACE.

I have done several migrations from CSS11500 series to the ACE.

Thanks.

Jack.
