Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
559
Views
0
Helpful
4
Replies

End to End SSL load balancing

jteixido
Level 1
Level 1

‎04-06-2009 12:43 PM

Team,

I have to load balance some servers that communicate via port 443. These servers are configured with a cert and provide the cookie.

Do I need to configure a cert and key on the ACE module even though the server will provide the cert?

Could someone leave a sample config if you are already doing this kind of load balancing?

Thank You,

John...

Labels:
0 Helpful
4 Replies 4

Syed Iftekhar Ahmed
Level 8
Level 8

‎04-06-2009 05:48 PM

It depends

If you want ACE to simply loadbalance TCP443 (Layer 4 traffic) then you will create rules that Loadbalance based on Layer3/4 (ip & port) information.

If you want ACE to make loadbalancing decisions based on Layer 7 headers (headers,cookies..) then you need to provide ACE with the keys & certs and "offload SSL" on ACE.This way ACE will be able to decrypt the traffic and read the headers & can utilize Layer 7 info for making intelligent decisions.

If you are offloading SSL on ACE then you have two options

1. Offload SSL on ACE, Send cleartext traffic to backend servers and remove certs/Keys from Servers OR

2. (End2End SSL) Offload SSL on ACE, let ACE make the decision, "Encrypt the request again" and Send it to selected servers (servers are expecting encrypted traffic -- certs/keys installed on servers).

option1 is recommended if main objective is to free up resources on Real Servers and simplify Certificate Management (Imagine renewing certs at only ACE vs on N servers serving the app).

option2 is recommended where security is the main focus and data should not be in clear text even in the inside networks.

Syed

0 Helpful

jteixido
Level 1
Level 1
In response to Syed Iftekhar Ahmed

‎04-07-2009 05:16 AM

Syed,

So if the project decides to go with end to end encrytion, should the ACE be the only device with the cert and cookie.

My confusion is that if the server is currently providing the cert and cookie and if I configure the ACE for end to end load balancing; I can't see the need for two devices having a cert and cookie at the same time.

John...

0 Helpful

Syed Iftekhar Ahmed
Level 8
Level 8
In response to jteixido

‎04-07-2009 09:16 AM

With End2End SSL, Certs & Keys will be on both ACE & Servers.

End2End SSL vpn means

1. Encrypted Traffic from Client to ACE

2. & Encrypted Traffic from ACE to Servers

Wherever Encrypted Traffic terminates you need to have Certs/keys.

Need is to ensure the traffic is encrypted again before it leaves ACE.

Syed

0 Helpful

jteixido
Level 1
Level 1
In response to Syed Iftekhar Ahmed

‎04-08-2009 06:51 AM

Syed,

If I simply load balance TCP 443 can I configure the probe to check for a URL string?

John...

0 Helpful
Customers Also Viewed These Support Documents