I apologise if this question is too silly but I am a novice to CSSes...
I need to configure a CSS to initiate SSL sessions to servers. Basically, I have a client that will need to initiate clear text sessions to various servers, and the CSS in between the client and the server needs to initiate an SSL session to the server on behalf of the client, and then tunnel clear text traffic from the client within the SSL session to the server. I DON'T want to provide the list of all the 400+ servers that this client needs to access - so I just want traffic on a specific port, regardless of the destination server IP address to be encapsulated within SSL.
Looking at the CSS documents, this seems to be called Back-end SSL, although all the configuration examples also show SSL termination as well. Also, in all the configuration examples the IP addresses of the SSL servers need to be predefined, which is what I am trying to avoid.
I have done such transparent SSL from a client to a server with SSL Modules in 6500s, and I also know it's possible to do the same on an ACE. Does the CSS support such scenarios? If so, what is the reference for this?
If I get you correctly, you are after SSL initiation. A clear-http traffic from the browser PC to CSS. And then a ssl-http from the CSS to the servers. Question is why would you want to secure the backend traffic? If you try to conceal the 400+ servers, which is not the correct reason to go for an ssl at backend. When you use clear text everywhere your 400+ are actually concealed and no browser PC would ever see who they are talking to, because from their perspective it is the CSS on behalf of those 400+ servers.
Feel free to give more details. We can help you better.
Thanks for the reply. You've generally got the idea right but I am not trying to conceal the servers. Plus, this is not an HTTP/HTTPS scenario but this is not so important here.
Basically, the idea is the following:
The reason why I want to tunnel client to server traffic within SSL is because the network between the CSS and the 400+ SSL servers is not trusted. I think you may turn the picture the other way around and say that I have one server and 400+ clients, and I want the server to initiate the connection to the clients.
I DO NOT want to statically define all the 400+ clients - can the CSS just pick up the destination IP address from the client session to the server, and use that as its SSL session destination? SSLMs, ACEs and many other devices can do that.
I am still unsure whether this would be Back-end SSL or Initiation.