New Member

SSL config

Dear Sir,

I have a pair of 11501s, which load balance two SSL servers behind them. The cert is stored in the SSL servers (10.106.13.20 & 21). The external VIP is 10.106.13.224.

I read the SSL Config Guide and made the below configuration. Can you check if my config below is ok?

ssl-proxy-list PIS-SSL-LIST
  backend-server 1
  backend-server 1 type backend-ssl
  backend-server 1 ip address 10.106.13.224
  backend-server 1 server-ip 10.106.13.20
  backend-server 1 version ssl3
  backend-server 1 session-cache 300
  backend-server 1 tcp virtual ack-delay 0
  backend-server 2
  backend-server 2 type backend-ssl
  backend-server 2 ip address 10.106.13.224
  backend-server 2 server-ip 10.106.13.21
  backend-server 2 version ssl3
  backend-server 2 session-cache 300
  backend-server 2 tcp virtual ack-delay 0
  active

service PIS-SSL-SERVICE
  type ssl-accel-backend
  ip address 10.106.13.224
  add ssl-proxy-list PIS-SSL-LIST
  active

owner PIS-SSL-OWNER
  content PIS-SSL-VIP-1
    vip address 10.106.13.224
    port 80
    advanced-balance arrowpoint-cookie
    url "/*"
    add service PIS-SSL-SERVICE
    active

Thanks

1 REPLY
Cisco Employee

Re: SSL config

This is totally wrong, unfortunately.

What are you trying to achieve here?

Normally the connection between the CSS and the server does not need to be encrypted because they are close to each other.

You probably want to encrypt the connection from the client to the CSS, since this connection goes through the Internet.

Is this what you need?

Here are sample configs:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html#wp999094

backend-ssl is at "SSL Transparent Proxy Configuration - HTTP and Back-End SSL Servers".

You will see that you made many mistakes, like IP addresses used in the ssl-proxy-list.

Gilles.
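
A small check for the address mistake the reply points at, as an added example that is not part of the original thread or of Cisco's documentation. It assumes the reply means that a backend-server `ip address` should not be the content rule's VIP or be shared by two entries, and that client-side SSL needs an `ssl-server` entry; the finding names and the abridged sample config are constructed here.

```python
import re
from collections import defaultdict

# Abridged copy of the question's configuration, used as constructed sample input.
POSTED_CONFIG = """\
ssl-proxy-list PIS-SSL-LIST
  backend-server 1
  backend-server 1 type backend-ssl
  backend-server 1 ip address 10.106.13.224
  backend-server 1 server-ip 10.106.13.20
  backend-server 2
  backend-server 2 type backend-ssl
  backend-server 2 ip address 10.106.13.224
  backend-server 2 server-ip 10.106.13.21
  active
service PIS-SSL-SERVICE
  type ssl-accel-backend
  ip address 10.106.13.224
  add ssl-proxy-list PIS-SSL-LIST
  active
owner PIS-SSL-OWNER
  content PIS-SSL-VIP-1
    vip address 10.106.13.224
    port 80
    add service PIS-SSL-SERVICE
    active
"""

def audit(config):
    """Return a sorted list of finding codes (hypothetical names) for a CSS config."""
    vips = set(re.findall(r"^\s*vip address (\S+)", config, re.M))
    backend_ips = defaultdict(list)  # ip address -> backend-server numbers using it
    for num, ip in re.findall(r"^\s*backend-server (\d+) ip address (\S+)", config, re.M):
        backend_ips[ip].append(num)
    findings = set()
    for ip, nums in backend_ips.items():
        if ip in vips:  # assumption: the backend address must not be the client-facing VIP
            findings.add("BACKEND_IP_IS_VIP")
        if len(nums) > 1:  # assumption: each backend-server entry needs its own address
            findings.add("BACKEND_IP_SHARED")
    # Without an ssl-server entry nothing terminates SSL coming from the client.
    if not re.search(r"^\s*ssl-server \d+", config, re.M):
        findings.add("NO_CLIENT_SIDE_SSL")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(POSTED_CONFIG))
```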
