
New Member

ACE4710 - Need help with SSL config

Looking for some assistance with the following diagram. I currently have SSL termination working fine in the lab for one URL, but I am having difficulty getting the config right for one physical server, which runs multiple backend web servers on different ports.

I am using a wildcard SSL cert for *.clean.ca.

On our old CSS I was able to define backend web servers with the same IP but different port, but I can't seem to figure this out on the ACE. If I throw in multiple port statements in the server farm config it will want to load balance across these ports, which isn't what I need.

Do I need to create a separate physical IP for each backend web server? That's a pain but doable.

Here is the diagram, any help would be appreciated.

ACE REVERSE PROXY rev1_clean.jpg

5 REPLIES
New Member

Hi,

Am I right in assuming that the other URLs will be using different IP addresses?

If so, then you need to create separate serverfarms, class-maps, policy maps etc. for every site using the relevant port numbers. If you can do the below, then the server's physical addresses can remain the same.

For example

serverfarm 1:

rserver 1.1.1.1 21250

serverfarm 2:

rserver 1.1.1.1 20850

class-map match-all Site1

  2 match virtual-address 10.1.1.1 tcp eq 443

class-map match-all Site2

  2 match virtual-address 10.1.1.2 tcp eq 443

The same SSL termination parameters can be used in multiple policies.

Hope this helps.

Thanks.

Jack.

New Member

Jack, thanks for the response, but I am not sure I understand the use of the 10.1.1.1 and 10.1.1.2 IPs?

Essentially ALL inbound SSL needs to terminate on 192.168.1.10.


Cheers


Dave

New Member

Hi Dave,

That was just an example of how you could use the same IP address in different serverfarms with different ports.

The question is whether the external addresses are all the same or different.

If they are the same, then it changes how the ACE configuration needs to be.

Thanks.

Jack.

New Member

Yeah, unfortunately I only have so many public IPs on the outside. So the way the old CSS is configured, all of my inbound entries resolve to one public VIP.

New Member

If you want to post the CSS configuration I can help you change it to comply with the ACE.

I have done several migrations from CSS11500 series to the ACE.

Thanks.

Jack.
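The single-VIP case the thread ends on, sketched as an added example (not configuration posted by anyone in the thread): SSL terminates once on 192.168.1.10 with the wildcard certificate, and the decrypted HTTP Host header selects a serverfarm that points at the same real server on a different port. The host names under *.clean.ca, the object names, the key and certificate file names, and the VLAN number are assumptions; the real server address and ports reuse the placeholder values from Jack's example.

```cisco
! Added example. All object names, file names, host names and the VLAN are assumed.
rserver host WEB1
  ip address 1.1.1.1
  inservice

! One serverfarm per site, same rserver, different backend port
serverfarm host SF-SITE1
  rserver WEB1 21250
    inservice
serverfarm host SF-SITE2
  rserver WEB1 20850
    inservice

! Wildcard key/cert must already be imported on the ACE
ssl-proxy service SSL-WILDCARD
  key wildcard-clean-ca.key
  cert wildcard-clean-ca.pem

! Single public VIP for all inbound SSL
class-map match-all VIP-HTTPS
  2 match virtual-address 192.168.1.10 tcp eq 443

! Layer 7 match on the Host header after decryption (header-value is a regex)
class-map type http loadbalance match-all HOST-SITE1
  2 match http header Host header-value "site1.clean.ca"
class-map type http loadbalance match-all HOST-SITE2
  2 match http header Host header-value "site2.clean.ca"

policy-map type loadbalance first-match LB-BY-HOST
  class HOST-SITE1
    serverfarm SF-SITE1
  class HOST-SITE2
    serverfarm SF-SITE2

policy-map multi-match CLIENT-VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy LB-BY-HOST
    ssl-proxy server SSL-WILDCARD

interface vlan 100
  service-policy input CLIENT-VIPS
```

Requests whose Host header matches neither class get no serverfarm under this policy, so an unknown host name cannot fall through to one of the backend ports.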
