Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss E-Transaction Assurance with Cisco expert Jay Cedrone. Jay is a Technical Marketing Engineer for Cisco's Content Networking Business Unit. Feel free to post any questions relating to E-Transaction Assurance.
Jay may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 8. Visit this forum often to view responses to your questions and the questions of other community members.
How does the Cisco CSS 11000 Content Services Switch offload and process SSL Traffic when configured for One-Armed Proxy Configuration?
The SSL One-Armed Proxy configuration can be used when the customer wants to keep SSL offloading and the Layer 5 switching on the same switch. It should only be used if the customer does not require that the client browser IP address be passed to the origin server farm. Note that in this scenario, not all SSL traffic must be redirected to the SonicWALL SSL-Racks. If needed, some SSL traffic can be load balanced at layer 4 to the origin servers, while SSL traffic to other VIPs can be offloaded. This dual support is important because the web application may be written in such a way that it relies on an SSL API or other code dependency. By enabling the dual functionality, the CSS 11000 / SonicWALL SSL-Rack combination allows the graceful implementation and conversion over time.
How does the Cisco CSS 11000 Content Services Switch offload and process SSL Traffic when configured for In-Line Configuration?
The SonicWALL SSL-Rack will intercept all port 443 traffic for those IP addresses configured on it, de-encrypt it and then forward it as in-the-clear traffic (i.e. port 81) to the CSS 11000. All port 80 traffic will be bridged transparently to the CSS 11000. It is recommended that a port other than port 80 be chosen to support the unencrypted traffic. By keeping the ports separate, it will be possible to track usage for encrypted content, and to apply additional security to the CSS 11000 to ensure that traffic that should be encrypted will not be sent in-the-clear over the Internet. The CSS 11000 will not have any port 443 content rules defined since all traffic that terminates on it is de-encrypted, so all content rules for HTTP traffic can be layer 5 rules. The CSS 11000 should be configured with at least one content rule for each VIP/port combination defined in the SonicWALL SSL-Rack.
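As an added illustration (not part of the original thread or Cisco's documentation), the CSS 11000 side of the in-line configuration described above, using the owner/content/service model of the CSS CLI: one layer 5 content rule on port 81 for the decrypted traffic handed over by the SSL-Rack and one on port 80 for the bridged plain HTTP traffic, both pointing at origin servers that listen on port 80 only. The owner name, service names, VIP and server addresses are assumed values.

```text
! Assumed (constructed) addresses: 192.168.3.6 is the VIP that the
! SonicWALL SSL-Rack terminates on and forwards to after decryption.
! The origin servers listen on port 80 only and never see port 443.
owner ssl-offload
  service web1
    ip address 192.168.2.11
    port 80
    keepalive type http
    active
  service web2
    ip address 192.168.2.12
    port 80
    keepalive type http
    active

  ! Decrypted traffic from the SSL-Rack arrives on port 81, so a
  ! layer 5 (URL) rule is possible because the payload is in the clear.
  ! No port 443 rule is defined on the CSS at all.
  content secure-web
    vip address 192.168.3.6
    protocol tcp
    port 81
    url "/*"
    add service web1
    add service web2
    active

  ! Plain HTTP bridged through the SSL-Rack unchanged, still on port 80,
  ! kept as a separate rule so encrypted and clear usage stay distinguishable.
  content public-web
    vip address 192.168.3.6
    protocol tcp
    port 80
    url "/*"
    add service web1
    add service web2
    active
```

Because the services carry an explicit `port 80`, the CSS rewrites the port-81 connections to port 80 toward the origin servers, so port 81 only ever exists on the link between the SSL-Rack and the CSS.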
How do I offload the demanding SSL encryption/de-encryption from my origin web servers? Does Cisco have a solution to offload this traffic?
Yes. The Cisco/SonicWALL SSL Optimization Solution provides Web hosters, Service Providers, enterprises and e-businesses with a high-performance SSL traffic management solution that improves Web site performance and operational efficiencies for both secure and non-secure traffic. The solution features two integrated components, the Cisco CSS 11000 series content services switch (for Layer 5-7 intelligent load-balancing) and the SonicWALL SSL-Rack (for SSL decryption/encryption).
SSL transactions on my server are really processor intensive. Any recommendations on how to optimize SSL transactions?
Yes. You could use an intelligent switch to load balance SSL traffic to SSL terminators that are specifically designed to optimize all SSL transactions. This would offload your servers from having to handle any SSL transactions and let them process the most important traffic that they get...the actual purchase.