ACE 4710 - SSL config questions

Currently migrating over from our CSS to the new ACE and I have a few questions re: SSL certs and VIPs.

All of our inbound SSL connections terminate on the CSS and redirect a backend HTTP request to an internal server.

Right now we URL match on the incoming header to determine which server to send it to and we have 2 flavours of inbound headers.

one is an English URL

one is a French URL

I have wildcard SSL certs * and *, and because of this on the CSS I end up having to use 2 VIPs, one for English and one for French, as I can't specify 2 certs for one VIP.

Is there any way around this on the ACE?

Any help would be appreciated.




I think this is what you are asking for. It will terminate SSL, translate to port 80, send url to one serverfarm and to another serverfarm.

class-map type http loadbalance match-all url1
  match http url /*

class-map type http loadbalance match-all url2
  match http url /*

class-map match-all EXAMPLE_L4
  2 match virtual-address tcp eq https

serverfarm host Serverfarm1
  rserver Server1 80
  rserver Server2 80

serverfarm host Serverfarm2
  rserver Server3 80
  rserver Server4 80

ssl-proxy service SSLWILDCARDCERT
  key key.key
  cert cert.cert

policy-map type loadbalance first-match EXAMPLE_L7
  class url1
    sticky-serverfarm Serverfarm1
  class url2
    sticky-serverfarm Serverfarm2

policy-map multi-match VIPS
  class EXAMPLE_L4
    loadbalance vip inservice
    loadbalance policy EXAMPLE_L7
    loadbalance vip icmp-reply active
    ssl-proxy server SSLWILDCARDCERT

I guess he wants to look at the pattern in the Host field of the HTTP header embedded in HTTPS, not at the URL.

Cesar Roque

Hi Dave,

If I understand your question correctly, the answer is no. You can't have two certificates associated with the same VIP address.

The SSL handshake goes first, and once the traffic is decrypted the ACE can look at the HTTP headers; at that moment you can use a L7 match to choose where to send the request depending on the URI, Host header, etc.


Cesar R

--------------------- Cesar R ANS Team


Is there any plan to support SNI in the roadmap to overcome this limitation?


Hi Dave,

From the description it appears that you are trying to bind multiple certs to one VIP. On ACE you can't specify 2 certs for one VIP. You can use different combinations of port for the same VIP, which will work for you. In a real world situation this may not be feasible.

The point is how ACE will decide what cert to give to the client, as ACE does not know which website the user is requesting. Remember the SSL handshake happens first and then the HTTP request comes into the picture. So there is no way for ACE to decide what certificate to give to the client. That's the reason it is always recommended to use two VIPs.

In your case, since you are using two different wildcard certs, you have to go with two VIPs again or the same VIP with different port combinations.

regards,
Ajay Kumar

Thanks everyone for the answers... The CSS has the same limitation and I was hoping that had changed with the ACE.

Was trying to pull back a couple of pub IPs....

Thanks again.



In all cases the browser has to support SNI.

For generic cases: use a wildcard mask if all the sites are hosted under the same domain, or multiple VIPs or ports to host different virtual servers.
