https://community.cisco.com/t5/application-networking/ace-functionally-question-ssl-tunnelling-proxy-on-behalf-of-non/m-p/1985307#M37849 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes. The ACE SSL Configuration Guide shows how to do this in the "Configuring SSL Initiation" section, culminating in a worked example. The only gotcha is forgetting to specify the port 443 in the serverfarm - otherwise the ACE will send traffic to port 80 (the same destination port as the client request). </P><P></P><P>HTH</P><P></P><P>Cathy</P></BODY></HTML> Wed, 11 Jul 2012 16:30:59 GMT ciscocsoc 2012-07-11T16:30:59Z https://community.cisco.com/t5/application-networking/ace-functionally-question-ssl-tunnelling-proxy-on-behalf-of-non/m-p/1985306#M37848 <P>Hi </P><P></P><P>Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.</P><P></P><P>Example:</P><P>Client (HTTP) ----&gt;&gt;&gt; (HTTP)Cisco ACE(HTTPS) ------&gt;&gt;&gt;&gt;(HTTPS) Server</P><P></P><P>The "client" Server does not support SSL. </P><P>Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)</P><P></P><P>Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.</P><P></P><P>Regards</P> Wed, 11 Jul 2012 16:06:20 GMT https://community.cisco.com/t5/application-networking/ace-functionally-question-ssl-tunnelling-proxy-on-behalf-of-non/m-p/1985306#M37848 byron.momsen 2012-07-11T16:06:20Z https://community.cisco.com/t5/application-networking/ace-functionally-question-ssl-tunnelling-proxy-on-behalf-of-non/m-p/1985307#M37849 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes. The ACE SSL Configuration Guide shows how to do this in the "Configuring SSL Initiation" section, culminating in a worked example. The only gotcha is forgetting to specify the port 443 in the serverfarm - otherwise the ACE will send traffic to port 80 (the same destination port as the client request). </P><P></P><P>HTH</P><P></P><P>Cathy</P></BODY></HTML> Wed, 11 Jul 2012 16:30:59 GMT https://community.cisco.com/t5/application-networking/ace-functionally-question-ssl-tunnelling-proxy-on-behalf-of-non/m-p/1985307#M37849 ciscocsoc 2012-07-11T16:30:59Z https://community.cisco.com/t5/application-networking/ace-functionally-question-ssl-tunnelling-proxy-on-behalf-of-non/m-p/1985308#M37850 <HTML><HEAD></HEAD><BODY><P>Hello Byron, </P><P></P><P>Yes, the ACE can do it</P><P></P><P>Here you have some of the flavors of SSL with the ACE.</P><P></P><P><IMG height="287" id="il_fi" src="http://docwiki.cisco.com/w/images/1/18/ACE_SSL_Configurations.jpg" style="padding-right: 8px; padding-top: 8px; padding-bottom: 8px;" width="386" /></P><P>Here you have a sample about it:</P><P></P><P>parameter-map type http CASE_PARAM</P><P>&nbsp; case-insensitive</P><P>&nbsp; persistence-rebalance</P><P>&nbsp; set header-maxparse-length 65535</P><P>&nbsp; set content-maxparse-length 65535</P><P></P><P>class-map match-all CLEAR_TEXT_VIP</P><P>&nbsp; 2 match virtual-address 172.20.120.19 tcp eq www</P><P></P><P>policy-map multi-match JORGE-MULTIMATCH</P><P>&nbsp; class CLEAR_TEXT_VIP</P><P>&nbsp;&nbsp;&nbsp; loadbalance vip inservice</P><P>&nbsp;&nbsp;&nbsp; loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC</P><P>&nbsp;&nbsp;&nbsp; loadbalance vip icmp-reply active</P><P>&nbsp;&nbsp;&nbsp; appl-parameter http advanced-options CASE_PARAM</P><P></P><P>policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC</P><P>&nbsp; class class-default</P><P>&nbsp;&nbsp;&nbsp; serverfarm ENCRYPTED-SERVERFARM</P><P>&nbsp;&nbsp;&nbsp; ssl-proxy client SSL-PROXY-JORGE</P><P></P><P>ssl-proxy service SSL-PROXY-JORGE</P><P>&nbsp; key TAC-key</P><P>&nbsp; cert TAC-cert</P><P></P><P>serverfarm host ENCRYPTED-SERVERFARM</P><P>&nbsp; rserver JORGE-SERVER 443</P><P>&nbsp;&nbsp;&nbsp; inservice</P><P></P><P>Here you have some additional details under the configuration guide:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html" rel="nofollow">http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html</A></P><P></P><P>Here you have some additional samples:</P><P></P><P><A class="jive-link-external-small" href="http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples" rel="nofollow">http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples</A></P><P></P><P></P><P>Hope this helps for you and fix your issue</P><P></P><P>Jorge</P></BODY></HTML> Wed, 11 Jul 2012 22:22:07 GMT https://community.cisco.com/t5/application-networking/ace-functionally-question-ssl-tunnelling-proxy-on-behalf-of-non/m-p/1985308#M37850 Jorge Bejarano 2012-07-11T22:22:07Z