https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912857#M36971 <HTML><HEAD></HEAD><BODY><P>If the server could not run HTTP , then yes.</P><P></P><P>Regards</P><P>Dan</P></BODY></HTML> Tue, 17 Apr 2012 13:14:27 GMT Dan-Ciprian Cicioiu 2012-04-17T13:14:27Z https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912851#M36965 <P>Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later.</P><P></P><P>I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?</P><P></P><P>Any configuration examples would be helpful.</P><P></P><P>Thanks.</P> Tue, 17 Apr 2012 12:41:18 GMT https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912851#M36965 Andy Johnson 2012-04-17T12:41:18Z https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912852#M36966 <HTML><HEAD></HEAD><BODY><P>Hi Andy, </P><P></P><P>The easy way is to terminate the SSL on ACE just for the clients , and between the ACE and the servers you will have HTTP ( clear ) connection - usually the datacenter traffic is could be clear and is some how not a threat.</P><P>As for the certificate , this should be copied on both ACE, it is not replicated and is needed for each client connection.</P><P></P><P>Regards.</P></BODY></HTML> Tue, 17 Apr 2012 12:52:06 GMT https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912852#M36966 Dan-Ciprian Cicioiu 2012-04-17T12:52:06Z https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912853#M36967 <HTML><HEAD></HEAD><BODY><P>IF you terminate SSL on the ACE you need certificates and key on ace in the context in which you are doing the termination. The certs and keys need to be installed on the active and standby (manually unless using anm to manage).</P><P></P><P>when speaking of SSL</P><P></P><P>SSL termination refers to ace terminating SSL and sending to server as clear text</P><P>end to end - ACE terminates SSL (to look into payload to make a loadbalance decision or sticky decision) and then re-encrypts to the server, so to the client ACE is an ssl server and to the server the ace is an ssl client.</P><P></P><P>You can find some config examples at</P><P></P><P><A class="jive-link-external-small" href="http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples">http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples</A></P></BODY></HTML> Tue, 17 Apr 2012 12:54:25 GMT https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912853#M36967 litrenta 2012-04-17T12:54:25Z https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912854#M36968 <HTML><HEAD></HEAD><BODY><P>I am not the Exchange admin, but does OWA work without being HTTPS?</P><P></P><P>So can I use the same CSR from the primary and get the cert, then install the same certificate on both ACE? Or would I need two CSR's and two certs?</P></BODY></HTML> Tue, 17 Apr 2012 12:58:03 GMT https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912854#M36968 Andy Johnson 2012-04-17T12:58:03Z https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912855#M36969 <HTML><HEAD></HEAD><BODY><P>Yes , you can access OWA on HTTP.</P><P></P><P>You will need the same certificate on both ACE.</P><P></P><P><A class="active_link" href="http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Using_an_Existing_Certificate_and_Key_in_Routed_Mode_Configuration_Example">http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Using_an_Existing_Certificate_and_Key_in_Routed_Mode_Configuration_Example</A></P><P></P><P></P><P>Dan</P></BODY></HTML> Tue, 17 Apr 2012 13:01:37 GMT https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912855#M36969 Dan-Ciprian Cicioiu 2012-04-17T13:01:37Z https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912856#M36970 <HTML><HEAD></HEAD><BODY><P>Thanks for all the help and quick responses.</P><P></P><P>If the another server requires HTTPS this would require the end-to-end SSL configuration?</P></BODY></HTML> Tue, 17 Apr 2012 13:09:33 GMT https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912856#M36970 Andy Johnson 2012-04-17T13:09:33Z https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912857#M36971 <HTML><HEAD></HEAD><BODY><P>If the server could not run HTTP , then yes.</P><P></P><P>Regards</P><P>Dan</P></BODY></HTML> Tue, 17 Apr 2012 13:14:27 GMT https://community.cisco.com/t5/application-networking/ace-4710-https-load-balance-configuration/m-p/1912857#M36971 Dan-Ciprian Cicioiu 2012-04-17T13:14:27Z