SSL & URL Problem

john.pepper
Level 1

I have a customer who requires client access to specific SSL / https content on different servers using different TCP port numbers.

Using standard http we used the 'url' command in the content rules as follows:

url "/scripts/wgate/webgui_TST*"

However, when we try this in a content rule using SSL, it doesn't work as (I presume) the SSL Hello never gets responded to.

I have seen a few messages already posted highlighting this problem. Does anyone have any suggestions on workaround options? Is there a way to redirect SSL / https traffic?

My content rule for standard http looks as follows:

content standard-http
  add service sss02-83
  add service sss03-83
  vip address xxx.xxx.xxx.xxx
  balance aca
  protocol tcp
  port 80
  url "/scrs/wate/webgui_STS*"
  advanced-balance arrowpoint-cookie
  active

I need to do the same but using SSL.

Any help would be appreciated.

Cheers....J Pepper

EDS

5 Replies

stevehall
Level 1

John,

With SSL traffic, the CSS cannot see the URL. The only systems that can see the URL are the SSL server and the SSL client.

With that in mind, the only things we can load balance SSL on is the TCP port and IP address. Any layer 5 information is encrypted.

-Steve

Steve,

Thanks for the reply.

We did come up with a workaround using the 'redirect' command in the main http Content Rules. This 'redirected' user traffic to a different URL which in turn pointed at a Content Rule / VIP configured for SSL. This means users only ever had to remember specific business http URLs.

An extract from our test config is shown below. It seems to work ok. Do you see this as a valid configuration?

content abc-http
  vip address 192.168.1.100
  balance aca
  protocol tcp
  port 80
  url "/scs/ate/gui_TST*"
  advanced-balance arrowpoint-cookie
  redirect "https://wwwtst.tst.zero.com/scs/ate/gui_TST/!"
  active

content ssl-abc
  add service ssl-as02-ts-port-1443
  add service ssl-as03-ts-port-1443
  advanced-balance ssl
  application ssl
  balance aca
  vip address 192.168.1.101
  protocol tcp
  port 443
  url "/*"
  active

Cheers...John

John,

That config is valid. You just need to make sure all the SSL (HTTPS) links have the proper host name that resolves to the .101 address. Also, make sure the SSL cert has a "cn" field with the proper domain name. If it does not match, then the user will get a warning message on the browser stating the domain names don't match.

-Steve
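The following is an added example modelling the two-VIP design discussed in this thread; it is not CSS code and not part of any post. It shows why the port-80 rule can match a URL and answer with a redirect while the port-443 rule cannot: the client's first bytes on 443 are a TLS ClientHello that carries no request path at all. It goes one step beyond the thread by parsing the SNI host name out of the ClientHello, which is the only application-level field a TLS-aware balancer can read before decryption. The last function implements Steve's two checks on the redirect target (hostname resolves to the SSL VIP, hostname is on the certificate). All hostnames, rules, DNS and certificate data are constructed, and the model simply carries the request path over to the HTTPS URL rather than modelling the CSS redirect string's `!` token.

```python
"""Model of the HTTP-redirect-to-HTTPS-VIP design from this thread (added
example, not the CSS's own behaviour). Hostnames, DNS and cert data are
constructed; the redirect keeps the request path, an assumption here."""
import fnmatch
import re
from urllib.parse import urlsplit

HTTP_URL_MATCH = "/scs/ate/gui_TST*"          # mirrors url "..." in content abc-http
REDIRECT_HOST = "wwwtst.tst.zero.com"         # host in the posted redirect string
SSL_VIP = "192.168.1.101"                     # vip of content ssl-abc
SSL_SERVICES = ["ssl-as02-ts-port-1443", "ssl-as03-ts-port-1443"]

DNS = {"wwwtst.tst.zero.com": SSL_VIP}        # constructed resolver data
CERT_NAMES = {SSL_VIP: ["wwwtst.tst.zero.com"]}  # constructed cert CN/SAN inventory


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is SNI."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name      # host_name, type 0
    sni_list = len(entry).to_bytes(2, "big") + entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32)          # client_version, zeroed random
            + b"\x00"                        # empty session id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # one compression method (null)
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(data: bytes):
    """SNI host name from a ClientHello record, or None. Nothing walked over
    here (random, session id, cipher suites, compression) holds a URL; the
    request path only exists in the encrypted application data that follows."""
    if data[:1] != b"\x16" or data[5:6] != b"\x01":
        return None
    try:
        p = 9                                            # record (5) + handshake (4) headers
        p += 2 + 32                                      # version + random
        p += 1 + data[p]                                 # session id
        p += 2 + int.from_bytes(data[p:p + 2], "big")    # cipher suites
        p += 1 + data[p]                                 # compression methods
        ext_end = p + 2 + int.from_bytes(data[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype = int.from_bytes(data[p:p + 2], "big")
            elen = int.from_bytes(data[p + 2:p + 4], "big")
            if etype == 0:   # server_name: list len(2), name type(1), name len(2), name
                nlen = int.from_bytes(data[p + 7:p + 9], "big")
                return data[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def http_request_path(data: bytes):
    """Path from a plaintext HTTP/1.x request line, or None if this is not HTTP."""
    m = re.match(rb"^[A-Z]+ (/\S*) HTTP/1\.[01]\r\n", data)
    return m.group(1).decode("ascii") if m else None


def port80_decision(data: bytes):
    """Port-80 VIP: the URL is visible, so the rule can match it and answer
    with a redirect to the HTTPS host instead of forwarding the request."""
    path = http_request_path(data)
    if path is None:
        return ("drop", None)
    if fnmatch.fnmatchcase(path, HTTP_URL_MATCH):
        return ("redirect", f"https://{REDIRECT_HOST}{path}")
    return ("no-match", None)


def port443_decision(data: bytes):
    """Port-443 VIP: only IP/port (and SNI) are usable; url "/*" is the one
    URL rule that can ever match, so the pool is chosen without a path."""
    if data[:1] != b"\x16":
        return ("drop", None)
    return ("balance", {"url": None, "sni": extract_sni(data), "pool": SSL_SERVICES})


def check_redirect_target(redirect_url, ssl_vip=SSL_VIP, dns=DNS, cert_names=CERT_NAMES):
    """Steve's two checks: the redirect host must resolve to the SSL VIP and
    must be a name on that VIP's certificate, or the browser warns."""
    host = urlsplit(redirect_url).hostname
    problems = []
    if dns.get(host) != ssl_vip:
        problems.append(f"{host} does not resolve to {ssl_vip}")
    if host not in cert_names.get(ssl_vip, []):
        problems.append(f"{host} is not a name on the certificate for {ssl_vip}")
    return problems
```

Feeding `port80_decision` a plaintext GET for `/scs/ate/gui_TST/...` yields the redirect; feeding the same VIP a ClientHello yields nothing matchable, and `port443_decision` on that ClientHello reports `url: None` with only the SNI name visible, which is the reason the original `url` rule could never fire on the SSL VIP. `check_redirect_target` is the pre-flight a practitioner would run against every `redirect "https://..."` string before turning the rule up.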

Gilles Dufour
Cisco Employee

To complete Steve's answer, you can also use an SSL offloader to decrypt the traffic for the CSS so the CSS can see the URL and HTTP header.

The CSS11500 can receive an SSL module to do the SSL encryption/decryption.

You can also use a SCA as an external SSL offloader.

Regards,

Gilles.

Steve / Gilles,

Thanks for the responses, much appreciated and helpful information.

Cheers...John