CSS SSL

rmoore0917
Level 1

I have a CSS11501 and the decision has been made to load the certificates on the servers instead of using the load balancer ssl module. Is this possible? The ssl termination point will be the servers instead of the css. I don't feel that this is the best way to go, but mgmt does. Can someone please point me in the right direction.

Thanks!

5 Replies

jason.espino
Level 1

It's definitely possible to move the cert/keys from the CSS to the servers and allow them to handle the encryption and decryption of SSL traffic.

Just know that doing so will result in a loss of being able to perform any layer 7 load balancing or persistence.

Also, doing so will result in the servers processing the SSL traffic rather than offloading that work to the CSS.

Hope this info helps.

- Jason

As Jason mentioned you do lose some things by doing end-to-end SSL. But the changes on the CSS are actually pretty easy. You will need to create services for each of your backend servers for port 443. Then just modify your content rules accordingly. Remove the service that sends to the SSL module and replace with the appropriate HTTPS service that you created.

Jeramy,

Thanks for the post, would you mind reviewing the attachment that I created just to make sure I'm following what you stated?

Thanks!

That will work. Just remember that the default behavior will be round robin load balancing with no stickiness.

As Jeramy mentioned, the configuration you have provided will work. However, the services do not require the "port 443" NAT rule to be hard-set (services will inherit the port defined within the content rule), the keep-alive checks for the services you created are using the default ICMP check, and what would be the reason for the group rule? Do you wish to perform internal load balancing with this rule?

The group rule will SNAT all client requests to appear as the 192.168.20.4 VIP address. Even though the CSS does not support the X-Forwarded-For HTTP option you can accomplish the same thing and be able to hit your VIP internally while preserving the client IP addresses by using ACLs on the CSS.

- Jason
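The layout Jeramy describes (one port-443 service per backend, content rule pointing at those services instead of the SSL module) combined with Jason's follow-up points (no hard-set port on the services, a keepalive that checks the listener rather than the default ICMP, and explicit source-IP stickiness since the default is round robin with none), written out as an added CSS 11500-style configuration sketch. This is not from the original thread or the poster's attachment; the owner and service names and the 192.168.20.x addresses are assumed, and the CLI should be checked against the CSS software version in use.

```text
! Added example, not from the thread. Names and addresses are assumed.
! One service per backend server. No "port" line on the service, so it
! inherits the port from the content rule that references it (Jason's point).
service web1-https
  ip address 192.168.20.11
  protocol tcp
  ! Check the TCP listener on 443 instead of the default ICMP ping, so a
  ! server whose web process has died is actually taken out of rotation.
  keepalive type tcp
  keepalive port 443
  active

service web2-https
  ip address 192.168.20.12
  protocol tcp
  keepalive type tcp
  keepalive port 443
  active

! Content rule on the VIP. Traffic stays encrypted through the CSS, so only
! L3/L4 information is available: no URL or cookie based rules here.
owner secure-site
  content https-vip
    vip address 192.168.20.4
    protocol tcp
    port 443
    add service web1-https
    add service web2-https
    ! Default is round robin with no stickiness (Jeramy's reminder); pin
    ! each client source IP to one server if the application needs it.
    advanced-balance sticky-srcip
    active
```

The services that previously pointed at the SSL module are simply not added to this rule. Because the CSS can no longer see inside the session, any per-request inspection or persistence has to move to the servers along with the certificates.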
