08-25-2006 01:35 AM
Could anyone help me to correct the following configuration:
service ssl-slot3-srv
  type ssl-accel
  keepalive type none
  slot 3
  add ssl-proxy-list ssl-slot3
  active

service pub-serv
  ip address 10.3.3.42
  keepalive type tcp
  keepalive port 80
  active

content ssl-rule
  port 443
  protocol tcp
  vip address 10.1.1.131
  add service ssl-slot3-srv
  active

content ssl-rule2
  protocol tcp
  port 81
  balance leastconn
  add service pub-serv
  vip address 10.2.2.10
  active

The architecture is:
subnet 10.3.3.0 - server subnet, not in DMZ, in public network.
subnet 10.2.2.0 - special VLAN for configuring the SSL module, internal to the CSS11506.
subnet 10.1.1.0 - VIPs, public side of the CSS
I have to make the one-armed infrastructure work. I have tried to add a destination group for it, but I am confused about which service I need to add to the VIP.
How can I make a one-armed architecture with SSL termination on the CSS work?
Any comments will be appreciated
Thanks in advance
08-25-2006 02:25 AM
Hi,
First, let me say there is no VLAN between the SSL module and the CSS. The module is part of the CSS.
However, having a special subnet for decrypted traffic is ok.
So, client nat will be required when traffic leaves the css for the server.
This occurs after the traffic is decrypted.
Therefore, the group must be configured for the services that are in your decrypted content rule (ssl-rule2).
In this case you need a group for pub-serv.
If that does not work, verify with a 'sho summary' if you have a hit on your ssl rule and your decrypted rule each time you open a connection. If not, you may have a problem somewhere else.
Gilles.
08-25-2006 04:37 AM
group pub-serv
  vip address 10.2.2.10
  add destination service
  active

On "sho sum" I can see the hits increase on both rules, but I still cannot see the page on my PC.
How can I troubleshoot this problem?
08-25-2006 06:22 AM
You'll need to capture a sniffer trace.
Gilles.
09-11-2006 09:31 PM
I found the problem. It needs the route for the VIP in the decrypted content rule.