https://community.cisco.com/t5/application-networking/ace-proxy-loadbalancing/m-p/1437737#M29906 <P>Hi,</P><P></P><P>I've installed two Ironport S660 proxyservers to handle all webtraffic. As the Ironport apparently doesn't come with its own loadbalancing/redundacy feature (like VRRP), I've decided to let the ACE handle loadbalancing. 90% of all the traffic is destined to be proxied, but a small portion of specific url's are not suitable for proxying, e.g. sites that provides stockinformation, financial realtimedata etc. For that purpose, I'm trying to configure a method to detect theese url's and simply forward them toward our internet-firewall. But so far, I've unsuccessful in my attempts.</P><P></P><P>The basic loadbalancing works like a charm. The issue here is, that all traffic hits the vip on port 8080. I've tried to configure a class-map to detect the specific urls and used the action=forward under the loadbalance policy-map. For routing purposes, I've tried to apply PAT, so firewall won't have to be aware of all internal addresses. Sadly, it never worked. I did get the class-map for url-detecting to work, but the actual forwarding failed.</P><P></P><P><SPAN>I'm thinking, that maybe there's problem related to the fact, that all traffic arrives with 8080 as dst.port. And this goes for both http and https. So even if I manage to correctly configure a class-map til detect theese urls, how do I forward the traffic and "rewrite" the dst.port? I would somehow need to inspect the header for either </SPAN><A class="jive-link-external-small" href="http://">http://</A><SPAN> og </SPAN><A class="jive-link-external-small" href="https://">https://</A><SPAN> in order to forward the traffic with the correct dst.port (80 or 443).</SPAN></P><P></P><P>Has anyone configured ACE for Ironport loadbalancing and faced the same problems? If so, I'd be very interested in knowing, how you made it work.</P><P></P><P>Simple drawing and config-file attached.</P><P></P><P>Thanx</P><P></P><P>/Ulrich</P> Fri, 21 May 2010 07:57:37 GMT UHansen1976 2010-05-21T07:57:37Z https://community.cisco.com/t5/application-networking/ace-proxy-loadbalancing/m-p/1437737#M29906 <P>Hi,</P><P></P><P>I've installed two Ironport S660 proxyservers to handle all webtraffic. As the Ironport apparently doesn't come with its own loadbalancing/redundacy feature (like VRRP), I've decided to let the ACE handle loadbalancing. 90% of all the traffic is destined to be proxied, but a small portion of specific url's are not suitable for proxying, e.g. sites that provides stockinformation, financial realtimedata etc. For that purpose, I'm trying to configure a method to detect theese url's and simply forward them toward our internet-firewall. But so far, I've unsuccessful in my attempts.</P><P></P><P>The basic loadbalancing works like a charm. The issue here is, that all traffic hits the vip on port 8080. I've tried to configure a class-map to detect the specific urls and used the action=forward under the loadbalance policy-map. For routing purposes, I've tried to apply PAT, so firewall won't have to be aware of all internal addresses. Sadly, it never worked. I did get the class-map for url-detecting to work, but the actual forwarding failed.</P><P></P><P><SPAN>I'm thinking, that maybe there's problem related to the fact, that all traffic arrives with 8080 as dst.port. And this goes for both http and https. So even if I manage to correctly configure a class-map til detect theese urls, how do I forward the traffic and "rewrite" the dst.port? I would somehow need to inspect the header for either </SPAN><A class="jive-link-external-small" href="http://">http://</A><SPAN> og </SPAN><A class="jive-link-external-small" href="https://">https://</A><SPAN> in order to forward the traffic with the correct dst.port (80 or 443).</SPAN></P><P></P><P>Has anyone configured ACE for Ironport loadbalancing and faced the same problems? If so, I'd be very interested in knowing, how you made it work.</P><P></P><P>Simple drawing and config-file attached.</P><P></P><P>Thanx</P><P></P><P>/Ulrich</P> Fri, 21 May 2010 07:57:37 GMT https://community.cisco.com/t5/application-networking/ace-proxy-loadbalancing/m-p/1437737#M29906 UHansen1976 2010-05-21T07:57:37Z https://community.cisco.com/t5/application-networking/ace-proxy-loadbalancing/m-p/1437738#M29907 <HTML><HEAD></HEAD><BODY><P>I don't think you can achieve what you want.</P><P>ACE is not a proxy and so it won't change the HTTP request....</P><P>Therefore, since proxy request are not the same as direct server request, if you loadbalance proxy traffic, you need to send it to a proxy.</P><P></P><P><SPAN>For example a client will do a proxy request which looks like "CONNECT </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/">http://www.cisco.com/</A><SPAN>"&nbsp; which will be translated by the proxy to "GET /"</SPAN></P><P></P><P>Is your internet firewall also a proxy ?</P><P>If not, you will have to send the proxy request to your proxy, whatever the url and let the proxy decide what to do with it.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 25 May 2010 09:08:17 GMT https://community.cisco.com/t5/application-networking/ace-proxy-loadbalancing/m-p/1437738#M29907 Gilles Dufour 2010-05-25T09:08:17Z https://community.cisco.com/t5/application-networking/ace-proxy-loadbalancing/m-p/1437739#M29908 <HTML><HEAD></HEAD><BODY><P>Hi Giles,</P><P></P><P>Thanks for your reply.</P><P></P><P>I'll try and find a work-around.</P><P></P><P>/Ulrich</P></BODY></HTML> Tue, 25 May 2010 09:14:16 GMT https://community.cisco.com/t5/application-networking/ace-proxy-loadbalancing/m-p/1437739#M29908 UHansen1976 2010-05-25T09:14:16Z