topic Re: Web Servers with Certificate in Application Networking https://community.cisco.com/t5/application-networking/web-servers-with-certificate/m-p/1123059#M23091 <HTML><HEAD></HEAD><BODY><P>You have two options</P><P></P><P>1. (As you mentioned) Donot offload ssl on CSS and send the traffic to Server directly for ssl offload. Shortcoming of this method is that you cannot use HTTP headers for making Intelligent LB decisions</P><P></P><P>You simply need a content rule listening on TCP 443. For e.g</P><P></P><P>content apps-443</P><P> add service svc1</P><P> add service svc2</P><P> vip address 192.168.1.1</P><P> protocol tcp</P><P> port 443</P><P> active</P><P></P><P>service svc1</P><P> ip address 10.10.10.1</P><P> port 443</P><P> protocol tcp</P><P> keepalive type tcp</P><P> keepalive port 443</P><P> active</P><P></P><P>service svc2</P><P> ip address 10.10.10.2</P><P> port 443</P><P> protocol tcp</P><P> keepalive type tcp</P><P> keepalive port 443</P><P> active</P><P></P><P></P><P>2. Do end2end SSL. Where you will have to install cert on CSS, offload ssl on css, make LB decision based on Layer7 headers, encrypt the http request again and send it to the server as encrypted request (Server will do the SSL offloading again). </P><P></P><P></P><P>HTH </P><P>Syed Iftekhar Ahmed</P></BODY></HTML> Tue, 21 Oct 2008 17:43:49 GMT Syed Iftekhar Ahmed 2008-10-21T17:43:49Z Web Servers with Certificate https://community.cisco.com/t5/application-networking/web-servers-with-certificate/m-p/1123058#M23090 <P>We have 11503-SSL in one-arm mode and have requirement that the Certifiates be on the Web Servers. Can I just not do ssl acceleration on the CSS and pass 443 to the Web Servers. What would that config look like?</P><P>Thank You</P><P>Matt</P> Tue, 21 Oct 2008 15:32:11 GMT https://community.cisco.com/t5/application-networking/web-servers-with-certificate/m-p/1123058#M23090 matt.s 2008-10-21T15:32:11Z Re: Web Servers with Certificate https://community.cisco.com/t5/application-networking/web-servers-with-certificate/m-p/1123059#M23091 <HTML><HEAD></HEAD><BODY><P>You have two options</P><P></P><P>1. (As you mentioned) Donot offload ssl on CSS and send the traffic to Server directly for ssl offload. Shortcoming of this method is that you cannot use HTTP headers for making Intelligent LB decisions</P><P></P><P>You simply need a content rule listening on TCP 443. For e.g</P><P></P><P>content apps-443</P><P> add service svc1</P><P> add service svc2</P><P> vip address 192.168.1.1</P><P> protocol tcp</P><P> port 443</P><P> active</P><P></P><P>service svc1</P><P> ip address 10.10.10.1</P><P> port 443</P><P> protocol tcp</P><P> keepalive type tcp</P><P> keepalive port 443</P><P> active</P><P></P><P>service svc2</P><P> ip address 10.10.10.2</P><P> port 443</P><P> protocol tcp</P><P> keepalive type tcp</P><P> keepalive port 443</P><P> active</P><P></P><P></P><P>2. Do end2end SSL. Where you will have to install cert on CSS, offload ssl on css, make LB decision based on Layer7 headers, encrypt the http request again and send it to the server as encrypted request (Server will do the SSL offloading again). </P><P></P><P></P><P>HTH </P><P>Syed Iftekhar Ahmed</P></BODY></HTML> Tue, 21 Oct 2008 17:43:49 GMT https://community.cisco.com/t5/application-networking/web-servers-with-certificate/m-p/1123059#M23091 Syed Iftekhar Ahmed 2008-10-21T17:43:49Z