https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238658#M3398 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>With SSL traffic, the CSS cannot see the URL. The only systems that can see the URL are the SSL server and the SSL client. </P><P></P><P>With that in mind, the only things we can load balance SSL on is the TCP port and IP address. Any layer 5 information is encrypted.</P><P></P><P>-Steve</P><P></P></BODY></HTML> Tue, 06 Apr 2004 18:29:40 GMT stevehall 2004-04-06T18:29:40Z https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238657#M3397 <P>I have a customer who requires client access to specific SSL / https content on different servers using different TCP port numbers.</P><P></P><P>Using standard http we used the 'url' command in the content rules as follows:</P><P></P><P>url "/scripts/wgate/webgui_TST*"</P><P></P><P>However, when we try this in a content rule using SSL it doesn't work as (I presume) the SSL Hello never gets responded to.</P><P></P><P>I have seen a few messages already posted highlighting this problem.. Does anyone have any suggestions on workaround options..? Is there a way to redirect SSL / https traffic.?</P><P></P><P>My contnent rule for standard http looks as follows:</P><P></P><P> content standard-http</P><P> add service sss02-83</P><P> add service sss03-83</P><P> vip address xxx.xxx.xxx.xxx</P><P> balance aca</P><P> protocol tcp</P><P> port 80</P><P> url "/scrs/wate/webgui_STS*"</P><P> advanced-balance arrowpoint-cookie</P><P> active</P><P></P><P>I need to do the same but using SSL..</P><P></P><P>Any help would be appreciated.</P><P></P><P>Cheers....J Pepper</P><P>EDS</P> Tue, 06 Apr 2004 12:57:02 GMT https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238657#M3397 john.pepper 2004-04-06T12:57:02Z https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238658#M3398 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>With SSL traffic, the CSS cannot see the URL. The only systems that can see the URL are the SSL server and the SSL client. </P><P></P><P>With that in mind, the only things we can load balance SSL on is the TCP port and IP address. Any layer 5 information is encrypted.</P><P></P><P>-Steve</P><P></P></BODY></HTML> Tue, 06 Apr 2004 18:29:40 GMT https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238658#M3398 stevehall 2004-04-06T18:29:40Z https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238659#M3399 <HTML><HEAD></HEAD><BODY><P>to complete Steve answer, you can alsu use an SSL offloader to decrypt the traffic for the CSS so the CSS can see the url and http header.</P><P></P><P>The CSS11500 can receive an ssl module to do the ssl encryption/decryption.</P><P></P><P>You can also use a SCA as an external SSL offloader.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 07 Apr 2004 11:20:36 GMT https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238659#M3399 Gilles Dufour 2004-04-07T11:20:36Z https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238660#M3400 <HTML><HEAD></HEAD><BODY><P>Steve,</P><P></P><P>Thanks for the reply.</P><P></P><P>We did come up with a workaround using the 'redirect' command in the main http Contnet Rules. This 'redirected' user traffic to a different url which in turn pointed at a Contnet Rule / VIP configured for SSL. This means users only ever had to remember specific business http url's</P><P></P><P>An extract from our test config is shown below. It seems to work ok. Do you see this as a valid configuration.?</P><P></P><P>content abc-http</P><P> vip address 192.168.1.100</P><P> balance aca</P><P> protocol tcp</P><P> port 80</P><P> url "/scs/ate/gui_TST*"</P><P> advanced-balance arrowpoint-cookie</P><P>redirect "<A class="jive-link-custom" href="https://wwwtst.tst.zero.com/scs/ate/gui_TST/" target="_blank">https://wwwtst.tst.zero.com/scs/ate/gui_TST/</A>!"</P><P>active</P><P></P><P>content ssl-abc</P><P> add service ssl-as02-ts-port-1443</P><P> add service ssl-as03-ts-port-1443</P><P> advanced-balance ssl</P><P> application ssl</P><P> balance aca</P><P> vip address 192.168.1.101</P><P> protocol tcp</P><P> port 443</P><P> url "/*"</P><P> active</P><P></P><P>Cheers...John</P></BODY></HTML> Wed, 07 Apr 2004 11:41:01 GMT https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238660#M3400 john.pepper 2004-04-07T11:41:01Z https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238661#M3401 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>That config is valid. You just need to make sure all the SSL (HTTPS) links have the proper host name that resolves to the .101 address. Also, make sure the SSL cert has a "cn" field with the proper domain name. If it does not match, then the user will get a warning message on the browser stating the domain names don't match.</P><P></P><P>-Steve</P></BODY></HTML> Wed, 07 Apr 2004 18:08:49 GMT https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238661#M3401 stevehall 2004-04-07T18:08:49Z https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238662#M3402 <HTML><HEAD></HEAD><BODY><P>Steve / Giles,</P><P></P><P>Thanks for the responses, much appreciated and helpful information.</P><P></P><P>Cheers...John</P></BODY></HTML> Wed, 07 Apr 2004 18:41:25 GMT https://community.cisco.com/t5/application-networking/ssl-url-problem/m-p/238662#M3402 john.pepper 2004-04-07T18:41:25Z