
SSL Offload on ACE to SSL Serverfarm

Here is what I need to do.

I have a web application that requires HTTPS.  However, I'm told by the vendor that we need to use a cookie for sticky.

Based on what I've read, for cookie sticky to work with HTTPS, the ACE needs to perform SSL offload.

However, when I enable it, the site behind the load balancer will not load.  I'm assuming that the proxied connection between the ACE and the web servers over HTTPS is not working right.

What needs to be done in order to get the ACE to perform SSL offload, but still communicate with the servers over SSL?

Thanks.

Jason

Accepted Solutions

Hi Jason,

It's called End-to-End SSL and if you already have SSL offloading working then you're almost there; setting this up would be a matter of adding a new SSL proxy with the "backend" connection parameters and you're good to go.

Please take a look at any of these examples and let us know if any question pops up:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/configuration/ssl/guide/endtoend.pdf

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples#Examples_of_End-to-End_SSL_Configurations

HTH

Pablo

Ok, that seemed to work.

However, and I'll start a new discussion if necessary, I have this config for sticky cookies:

sticky http-cookie WEB_COOKIE WEB
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm WEB

policy-map type loadbalance http first-match PM_LB_WEB
  class WEB_CLIENT
    sticky-serverfarm WEB
    ssl-proxy client SSL_CLIENT

policy-map multi-match CLIENTSIDE_VIPS
  class VIP_WEB
    loadbalance vip inservice
    loadbalance policy PM_LB_WEB
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_PROXY

How can I tell if the cookie sticky is working?  I can open the website (I'm using Firefox), but when I check the cookies, I don't see anything from the ACE?

Thanks.

Hi Jason,

You should be seeing something with this command:

ACE-4710A/Admin# show sticky cookie-insert group WEB

Just out of curiosity, is this configured on your admin context or a separate one? If new context, did you assign sticky resources for it?

* Make sure you clear the cache before giving it a shot.

HTH

Pablo
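
A client-side counterpart to the show command above, added here as an example that is not part of the original thread: it parses captured response headers and reports whether the sticky cookie was inserted, whether it is a session cookie as `cookie insert browser-expire` implies, and whether it carries the Secure flag. The cookie name WEB_COOKIE is from the config in this thread; the cookie values and the JSESSIONID application cookie are constructed sample data.

```python
# Added example: inspect captured response headers for the ACE-inserted sticky cookie.
# WEB_COOKIE is the sticky cookie name from the thread; the values and the
# JSESSIONID application cookie are constructed sample data (assumptions).
SAMPLE_STICKY = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: WEB_COOKIE=R0000000001; path=/\r\n"
    "\r\n"
)
SAMPLE_NO_STICKY = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_set_cookies(raw_headers):
    """Map cookie name -> (value, attribute dict) for every Set-Cookie header."""
    cookies = {}
    for line in raw_headers.split("\r\n")[1:]:   # skip the status line
        if not line:                             # blank line ends the headers
            break
        header, _, body = line.partition(":")
        parts = [p.strip() for p in body.split(";") if p.strip()]
        if header.strip().lower() != "set-cookie" or not parts:
            continue
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True  # bare flags become True
        cookies[name.strip()] = (value.strip(), attrs)
    return cookies


def check_sticky_cookie(raw_headers, cookie_name="WEB_COOKIE"):
    """Report whether the sticky cookie was set and how it is scoped."""
    found = parse_set_cookies(raw_headers).get(cookie_name)
    if found is None:
        return {"present": False, "session_only": None, "secure": None}
    attrs = found[1]
    return {
        "present": True,
        # browser-expire should yield a session cookie: no Expires / Max-Age
        "session_only": "expires" not in attrs and "max-age" not in attrs,
        # on an HTTPS-only site, note whether the cookie is limited to TLS
        "secure": attrs.get("secure") is True,
    }
```

Feed it the response headers captured from the VIP with a cleared browser cache, for example copied from the browser's network inspector.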

It is all working now.  In FF, I was able to view cookies along with the certificate, and the ACE cookie is there.

Thanks again!
