We have a home-grown client-server application. The application uses native TCP traffic. The client initiates the TCP connection to a TCP port on the server. After the three-way TCP handshake, the client writes application data to the socket. The server reads the data off the socket (does processing), then writes its response back onto the socket. The client reads the response data off the socket and closes the socket.
We are looking at using Stunnel on the client side to create an SSL connection to an ACE that will front-end the real server. The client will connect via Stunnel, which will connect to the ACE.
The ACE needs to perform the SSL termination and then, after receiving the first data packet from the client via Stunnel, establish a TCP socket to the real server and send the data. This is not HTTP traffic; it is native TCP traffic. Does the ACE support this functionality, or does the application on the real server have to be HTTP?
If you are using your own application protocol but just wrapping it in SSL, the ACE should be able to encrypt/decrypt the generic traffic. The ACE is not going to care about the data in the SSL tunnel unless it is specifically configured to do so. The only exception might be the ACE30, which has HTTP persistence rebalance enabled by default, so you might need to apply an HTTP parameter map on the VIP to disable persistence rebalance.
Customer Support Engineer
CCIE R&S - 36768
Engineer, Customer Support
Yes, we are just planning to tunnel our own application TCP traffic.
We also require the ACE to load balance the decrypted traffic across multiple real ports on a single real server after performing the SSL front-ending. Is this possible on the ACE 4710, version A5(2.0)?
Native TCP traffic tunneled using SSL.
SSL Client --->>> VIP 10.10.10.10:443 ACE ------->>>> Real IP 188.8.131.52:4431, 4432, 4433
So for the Layer 7 class-map, this would be a class-map type loadbalance, not HTTP loadbalance, yes? If required?
And the Layer 7 policy-map, also a normal policy-map type loadbalance, yes?
Policy-map multi-match as normal?
I hear what you are saying, just wondering if the ACE will pick it up?
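The configuration asked about above (a generic loadbalance policy rather than an HTTP one, several real ports on one real server, SSL termination on the VIP), written out as an added example; it is not configuration from the original thread or from Cisco. The VIP, real IP and ports are the ones given in the thread; the certificate and key names, VLAN, object names and the ACE-side interface address are assumptions.

```text
! ACE 4710 / A5(2.0) sketch. Stunnel on the client (client = yes,
! connect = 10.10.10.10:443) is the only SSL peer the ACE sees.
! ace-server.pem / ace-server.key are placeholders for a cert/key pair
! already imported with "crypto import".
access-list ACL_APP_VIP line 10 extended permit tcp any host 10.10.10.10 eq 443

rserver host RS_APP
  ip address 188.8.131.52
  inservice

! One real server, three listening ports: the port is set per entry,
! so the serverfarm spreads decrypted connections over 4431-4433.
serverfarm host SF_APP
  predictor roundrobin
  rserver RS_APP 4431
    inservice
  rserver RS_APP 4432
    inservice
  rserver RS_APP 4433
    inservice

ssl-proxy service SSL_APP_TERM
  key ace-server.key
  cert ace-server.pem

! Only needed on an ACE30, which (per the reply above) enables HTTP
! persistence rebalance by default; harmless on a 4710.
parameter-map type http HTTP_NO_REBALANCE
  no persistence-rebalance

! Layer 3/4 class: just the VIP. No HTTP class-map anywhere.
class-map match-all CM_APP_VIP
  2 match virtual-address 10.10.10.10 tcp eq 443

! Generic (non-HTTP) loadbalance policy: class-default takes every
! decrypted TCP connection, so the ACE never parses the payload.
policy-map type loadbalance first-match PM_LB_APP
  class class-default
    serverfarm SF_APP

policy-map multi-match PM_VIP
  class CM_APP_VIP
    loadbalance vip inservice
    loadbalance policy PM_LB_APP
    ssl-proxy server SSL_APP_TERM
    appl-parameter http advanced-options HTTP_NO_REBALANCE

interface vlan 100
  ip address 10.10.10.1 255.255.255.0
  access-group input ACL_APP_VIP
  service-policy input PM_VIP
  no shutdown
```

The ACE-to-real-server leg (VIP to 188.8.131.52:4431-4433) is cleartext, so the real server should sit on a server VLAN that is reachable only through the ACE.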
Just a thought: would the ACE support this, i.e. non-SSL from a local server to a VIP on the local ACE, then the local ACE initiates SSL to a remote ACE, which would terminate SSL, decrypt and pass clear traffic to the remote server, on a similar type of home-grown application utilising one of the available SSL solutions? A bit crazy, but I would really be interested to know. A "nasty" workaround to IPsec, I suppose?