SSL full proxy configuration

benjamingarcia
Level 1

I am currently trying to set up a CSS11503 to perform SSL full proxy and there is some logic that I cannot understand.

Current configuration:

!*** SSL PROXY LIST *****
ssl-proxy-list SSL-LIST01
  ssl-server 100
  ssl-server 100 vip address 10.180.6.1
  ssl-server 100 rsakey RSAKEYASSOCIATION1
  ssl-server 100 rsacert CERTASSOCIATIO1
  ssl-server 100 cipher rsa-with-rc4-128-sha 10.180.6.1 80
  active

!**** SERVICE *******
service MYDEVSERVER01
  ip address 10.180.7.35
  active

service MYDRSERVER01
  ip address 10.180.6.35
  port 80
  active

service MYDRSERVER02
  ip address 10.180.6.37
  port 80
  active

service SSL-MODULE01
  type ssl-accel
  keepalive type none
  slot 3
  add ssl-proxy-list SSL-LIST01
  active

!***** OWNER ********
owner OWNER
  Address Quiapo-Avenida

  content DEVSERVERS
    vip address 10.180.6.3
    balance weightedrr
    add service MYDEVSERVER01
    protocol tcp
    active

  content DRSERVERS-HTTP-RULE
    vip address 10.180.6.1
    protocol tcp
    port 80
    balance aca
    add service MYDRSERVER02
    add service MYDRSERVER01

  content DRSERVERS-SSL-RULE
    vip address 10.180.6.1
    balance aca
    application ssl
    protocol tcp
    port 443
    add service SSL-MODULE01
    active

Questions:

1. Is the above config enough to function as an SSL transparent proxy?

2. Which part of the configuration tells the CSS to send the port 80 traffic to the web server?

3. To make the above config function as a full proxy, do I need to configure a source group?

4. On the source group:

4.1 What VIP address to use?

4.2 Which service to add: the SSL service or the normal service for HTTP?

Any help is appreciated.

Thanks

Benjamin

2 Replies

Gilles Dufour
Cisco Employee

1. Yes.

2. HTTPS traffic will hit rule DRSERVERS-SSL-RULE, which will forward the traffic to the SSL module.

It will be decrypted and forwarded back to the CSS, to IP 10.180.6.1 and port 80 [according to your cipher command in the ssl-proxy-list].

It will then hit rule DRSERVERS-HTTP-RULE and the traffic will be load balanced between the services configured under that rule.

3. Source groups are only required if you need to NAT the client IP address.

So, if your servers do not forward the traffic back to the CSS, doing client NAT is a way to force the traffic to come back to the CSS.

4.1. You can reuse the same content rule IP address.

This address will be used to NAT the client IP.

It can be whatever address as long as your network knows it belongs to the CSS.

4.2. You should add the normal service, not the SSL service.

Regards,

Gilles.

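The source group described in points 3, 4.1 and 4.2 of the answer above, written out as an added example against the configuration posted in the question. This is not part of the original thread and was not posted by either participant. The group name DRSERVERS-NAT is an assumption; the VIP reuses the content rule address 10.180.6.1 as the answer suggests, and the two plain HTTP services (not SSL-MODULE01) are added. The `add destination service` form is the one that applies client-source NAT to flows a content rule load balances to a service, which is the case here for the decrypted traffic hitting DRSERVERS-HTTP-RULE:

```text
!***** SOURCE GROUP (added example, not from the thread) *****
! Client-source NAT for the decrypted HTTP flows that
! DRSERVERS-HTTP-RULE load balances to the DR web servers.
! Without it the servers see the real client IP and may reply
! around the CSS if their default route does not point back to it.
group DRSERVERS-NAT
  ! Group name is an assumption. The VIP is the address the servers
  ! will see as the client source; it can be the content rule VIP
  ! (as the answer suggests) or any address your network routes to the CSS.
  vip address 10.180.6.1
  ! "add destination service": NAT the client source on flows that a
  ! content rule sends to these services. Add the HTTP services,
  ! not SSL-MODULE01.
  add destination service MYDRSERVER01
  add destination service MYDRSERVER02
  active
```

Two things worth checking once this is in place. First, the servers will now log 10.180.6.1 rather than the real client address for every HTTPS request, so any abuse tracing or forensic work on the web server logs has to go back to the CSS flow records instead; decide whether that trade-off is acceptable before enabling client NAT. Second, as posted, DRSERVERS-HTTP-RULE is the only content rule without an `active` line; a suspended rule will not match the decrypted port 80 traffic, so confirm it is active. The single cipher in the proxy list, rsa-with-rc4-128-sha, is RC4-based and is deprecated today (RFC 7465), so check which other suites your CSS software version offers before exposing this VIP.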

Spot on Gilles. It's the answer that I am actually looking for.

Thanks mate.
