Cisco Support Community
ns
Community Member

CSS 11501 and SSL

Hi,

I have a few questions regarding the CSS and SSL certificates.

I have 2 CSS 11501 and 3 web servers, how many SSL certificates do I need?

I want to configure the CSS as active - active, is this supported using the SSL acceleration module? If it is, is it configured the same way as a standalone CSS? The documentation only mentions configurations using a single module and 2 modules in the same CSS.

And a clarification: Does the term Backend in the CSS SSL config refer to servers on a different subnet (in our case physically separated)? Our config is 2 FW -> 2 CSS -> 3 Web servers -> 2 backend FW -> 6 Backend servers (app and DB). Am I correct in assuming that Backend refers to this backend? (This might seem like a silly question but the documentation has me confused)

Any help is much appreciated.

Thanks,

Niels

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: CSS 11501 and SSL

Niels,

active/active means that both CSSs handle part of the traffic. So at any time, you have traffic going through both CSSs.

This is difficult to achieve for different reasons.

What you want is just active/backup and to be sure that when the backup takes over, active SSL connections can continue to work.

Unfortunately, when terminating the SSL traffic on the CSS itself, this is currently not possible.

All active connections will be lost and users will have to reopen a new connection.

Gilles.

4 REPLIES
Cisco Employee

Re: CSS 11501 and SSL

Niels,

there is currently an ASK THE EXPERT event.

Please join us if you have more questions.

Regarding the certificate, you could just use one.

Get 1 certificate for your VIP and upload it on both SSL modules.

However, you might have to get 2, because certificate providers usually say it's one per physical device.

If you plan on doing SSL on the servers as well, you need 3 more certificates. Or you could use a single certificate if this is allowed by the company that will give it to you.

Backend refers to the servers behind the CSS.

Like a firewall defines inside and outside interfaces, the CSS defines the frontend and the backend.

The frontend is the client side and the backend the server side.

When you say active/active, what do you want to achieve exactly?

You can indeed have 2 VIPs and one is active on CSS1 while the other is active on CSS2.

However, if the CSSs share the same set of servers, you need to be careful that the return traffic from the server to the client goes back to the same server. This may require client NAT (group config).

Regards,

Gilles.

ns
Community Member

Re: CSS 11501 and SSL

Thanks for your reply.

I just might join in if it is still open.

I will install the certificates on the CSSs only (not the servers).

Thanks for the definition.

With Active/Active I want to achieve that no SSL session is lost when/if a CSS is taken offline/goes down, just like when configuring the IP redundancy type as VIP which enables session redundancy.

Thanks,

Niels

ns
Community Member

Re: CSS 11501 and SSL

Thanks, this answers my question.
