Cisco Support Community
New Member

CSS 11506 and single SSL module question

Can I add more than one proxy-list to an ssl service?

Accepted Solutions
Cisco Employee

Re: CSS 11506 and single SSL module question

From the documentation at:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_command_reference_chapter09186a008011940f.html

-------------------

Each SSL proxy list can have up to 256 virtual SSL servers.

Each service may have only one SSL proxy list configured on it. You may only have one active SSL service per slot in the chassis. You can configure more than one on a slot but only one can be activated at a time.

Content rules can have multiple SSL services.

---------------------

So one SSL module -> 1 service -> 1 list

Gilles.

5 REPLIES
New Member

Re: CSS 11506 and single SSL module question

Thank you.

I was trying to figure out how to have multiple certs and servers and just figured out that they all have to be under one proxy-list if you have just one ssl module and that service can be assigned to multiple content rules.

New Member

Re: CSS 11506 and single SSL module question

I'm trying to find out some info regarding configuring SSL loadbalancing on a CSS11503 with an SSL module and this post seems close to what I'm trying to achieve.

We want to load balance one SSL site using 2 back end SSL servers, and another SSL site using 2 different back end SSL servers.

I've read that you can only use one SSL module per type ssl_accel service. If I configure all the servers in the same SSL proxy-list, then I'll have no way of distinguishing between which back end servers in the proxy list I want to hit with content rules?

Is what I want to achieve possible or do I need another SSL module?

Cisco Employee

Re: CSS 11506 and single SSL module question

Inside the ssl-proxylist, you can configure a virtual server [that's the IP address on which the module listens and receives encrypted traffic], and for each virtual server you have to specify at least one cipher method, and for each cipher method you have to specify where to send the decrypted traffic. Usually the decrypted traffic is sent to a content rule on the CSS where you can then load balance between back-end servers.

So, in your ssl-proxy-list you will have 2 servers, each listening on a specific ip:port and redirecting decrypted traffic to again a specific ip:port.

By using different ip:port you can achieve what you want.

Gilles.
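The layout described in the reply above, written out as a configuration sketch; this is an added example, not a configuration posted in the thread or taken from Cisco's documentation, and the syntax should be checked against the command reference linked earlier. The names, 192.0.2.x addresses, slot 2, clear-text port 81 and the cipher choice are all assumptions, and the keys, certificates and back-end services (siteA_web1 and so on) are assumed to be imported, associated and defined already.

```text
! Constructed example: every name, address, port and slot below is a placeholder.
ssl-proxy-list ssl_list1
  ssl-server 10
  ssl-server 10 vip address 192.0.2.10
  ssl-server 10 rsakey siteA_key
  ssl-server 10 rsacert siteA_cert
  ssl-server 10 cipher rsa-with-3des-ede-cbc-sha 192.0.2.10 81
  ssl-server 20
  ssl-server 20 vip address 192.0.2.20
  ssl-server 20 rsakey siteB_key
  ssl-server 20 rsacert siteB_cert
  ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 192.0.2.20 81
  active

service ssl_serv1
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

owner example
  content siteA_ssl
    vip address 192.0.2.10
    protocol tcp
    port 443
    add service ssl_serv1
    active
  content siteA_clear
    vip address 192.0.2.10
    protocol tcp
    port 81
    add service siteA_web1
    add service siteA_web2
    active
  content siteB_ssl
    vip address 192.0.2.20
    protocol tcp
    port 443
    add service ssl_serv1
    active
  content siteB_clear
    vip address 192.0.2.20
    protocol tcp
    port 81
    add service siteB_web1
    add service siteB_web2
    active
```

Both sites share the single ssl-accel service and proxy list; the back-end pool is selected by the clear-text ip:port that each virtual SSL server forwards to. In this pattern the traffic from the CSS to the back-end servers is not encrypted.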

New Member

Re: CSS 11506 and single SSL module question

Hi Gilles,

Thanks for your prompt response. For this project, the backend servers are also SSL, so the incoming SSL request is decrypted, and then another SSL session set up to the backend servers. Would this work in this case?

Also, when configuring back-end servers within a proxy list, what's the difference between the 'ip address' command and the 'server-ip' command?

Many Thanks
