04-06-2009 12:43 PM
Team,
I have to load balance some servers that communicate via port 443. These servers are configured with a cert and provide the cookie.
Do I need to configure a cert and key on the ACE module even though the server will provide the cert?
Could someone leave a sample config if you are already doing this kind of load balancing?
Thank You,
John...
04-06-2009 05:48 PM
It depends.
If you want ACE to simply load balance TCP 443 (Layer 4 traffic), then you will create rules that load balance based on Layer 3/4 (IP & port) information.
If you want ACE to make load balancing decisions based on Layer 7 information (headers, cookies, ...), then you need to provide ACE with the keys & certs and "offload SSL" on ACE. This way ACE will be able to decrypt the traffic and read the headers, and can utilize Layer 7 info for making intelligent decisions.
If you are offloading SSL on ACE, then you have two options:
1. Offload SSL on ACE, send cleartext traffic to the backend servers, and remove the certs/keys from the servers, OR
2. (End2End SSL) Offload SSL on ACE, let ACE make the decision, "encrypt the request again" and send it to the selected servers (the servers are expecting encrypted traffic -- certs/keys installed on the servers).
Option 1 is recommended if the main objective is to free up resources on the real servers and simplify certificate management (imagine renewing certs only on ACE vs. on N servers serving the app).
Option 2 is recommended where security is the main focus and data should not be in clear text even on the inside networks.
Syed
04-07-2009 05:16 AM
Syed,
So if the project decides to go with end-to-end encryption, should the ACE be the only device with the cert and cookie?
My confusion is that the server is currently providing the cert and cookie, and if I configure the ACE for end-to-end load balancing, I can't see the need for two devices having a cert and cookie at the same time.
John...
04-07-2009 09:16 AM
With End2End SSL, certs & keys will be on both ACE & the servers.
End2End SSL VPN means:
1. Encrypted traffic from client to ACE
2. Encrypted traffic from ACE to servers
Wherever encrypted traffic terminates, you need to have certs/keys.
The need is to ensure the traffic is encrypted again before it leaves ACE.
Syed
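The following is an added example, not a config from this thread or from Cisco documentation: one ACE module context that puts the three designs Syed describes side by side (Layer 4 pass-through with no cert on ACE, SSL offload with clear text to the servers, and end-to-end SSL where ACE decrypts, makes the decision and re-encrypts toward servers that keep their own cert/key). Every name, address, file name and the cookie name JSESSIONID are hypothetical; the key and cert are assumed to have already been imported with `crypto import`, and the CLI syntax is written from memory of the ACE module command set, so check it against the release notes for your software version before use.

```text
! ---- Objects shared by all three designs (hypothetical names/addresses) ----
rserver host WEB1
  ip address 10.10.10.11
  inservice
rserver host WEB2
  ip address 10.10.10.12
  inservice

! Probe for servers that keep their own cert (options A and C): the probe
! itself speaks SSL to the real server, fetches a URL and checks the reply.
probe https PROBE-HTTPS
  interval 10
  passdetect interval 30
  request method get url /health.html
  expect status 200 200
  expect regex "OK"

! Probe for servers converted to clear text (option B)
probe http PROBE-HTTP
  interval 10
  request method get url /health.html
  expect status 200 200

serverfarm host SF-WEB-443
  probe PROBE-HTTPS
  rserver WEB1 443
    inservice
  rserver WEB2 443
    inservice

serverfarm host SF-WEB-80
  probe PROBE-HTTP
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! Cookie stickiness: ACE learns the cookie the servers already set.
! Only possible in options B and C, where ACE can read the HTTP headers.
sticky http-cookie JSESSIONID STICKY-WEB-443
  serverfarm SF-WEB-443
sticky http-cookie JSESSIONID STICKY-WEB-80
  serverfarm SF-WEB-80

! Source-IP stickiness is all that is left for pass-through (option A)
sticky ip-netmask 255.255.255.255 address source STICKY-SRC
  serverfarm SF-WEB-443

! ---- Option A: Layer 4 pass-through, no cert/key on ACE ----
policy-map type loadbalance first-match LB-PASSTHRU
  class class-default
    sticky-serverfarm STICKY-SRC

! ---- Options B and C: ACE terminates the client SSL session ----
parameter-map type ssl SSL-PARAMS
  cipher RSA_WITH_AES_256_CBC_SHA
  version TLS1
ssl-proxy service SSL-TERM
  key app.key
  cert app.crt
  ssl advanced-options SSL-PARAMS

! ---- Option B: offload, clear text to the servers on port 80 ----
policy-map type loadbalance first-match LB-OFFLOAD
  class class-default
    sticky-serverfarm STICKY-WEB-80

! ---- Option C: end-to-end, ACE re-encrypts toward the servers ----
! The client-side service needs no key/cert unless the servers demand
! client certificates; the servers keep their own key/cert on port 443.
ssl-proxy service SSL-INIT
  ssl advanced-options SSL-PARAMS
policy-map type loadbalance first-match LB-E2E
  class class-default
    sticky-serverfarm STICKY-WEB-443
    ssl-proxy client SSL-INIT

! ---- VIP: pick exactly one loadbalance policy ----
class-map match-all VIP-HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https

policy-map multi-match VIP-POLICY
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy LB-E2E
    ! "ssl-proxy server" is what makes ACE decrypt; omit it for option A
    ssl-proxy server SSL-TERM

interface vlan 10
  ip address 192.0.2.2 255.255.255.0
  service-policy input VIP-POLICY
  no shutdown
```

Two practical points follow from the layout. First, the health probe is independent of the data path: an `https` probe that requests a URL and checks the status or body works even when ACE is only doing Layer 4 pass-through, because the probe opens its own SSL session to each real server. Second, once `ssl-proxy server` is applied, the ACE context holds a private key that can decrypt every client session, so treat the context's admin access, the `crypto` file store and configuration backups with the same care as the servers' key material; with end-to-end SSL that key exists on both ACE and the servers, which is the duplication John asks about and is unavoidable whenever ACE must read cookies.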
04-08-2009 06:51 AM
Syed,
If I simply load balance TCP 443 can I configure the probe to check for a URL string?
John...