ACE 4710 - SSL Termination with multiple certs.

rnolen
Level 1

Hi!

I have a site that I'm load balancing using an ACE 4710.  The FQDN of this site is mysite.mydomain.net.

My users only connect via SSL.  However, while most use the FQDN of https://mysite.mydomain.net/, some insist on using https://mysite/.  Both of these names point to the same vip of 10.10.10.100.

I have two SSL proxies for termination set up in my ACE context.  One has a cert associated with it for the FQDN, while the other has a cert for the "mysite" name.

My problem is that you define the SSL proxy SERVER in the multi-match class rules.  However, I don't think that using a layer-7 class map is possible here, so I can't match on header just for the hostname.  How can I define a different SSL proxy SERVER so that connections to https://mysite/ are terminated with the correct cert, while connections to https://mysite.mydomain.net/ are terminated on a different server with the correct cert?

Thanks for the help.

1 Reply

Surya ARBY
Level 4

The feature you want is SNI (server name indication) but it's not implemented yet and some browsers limitations make this feature unusable in production currently.

Workarounds:

1 - Use a Subject Alternative Name certificate with both names

2 - Use a CNAME record in the DNS infrastructure, it may work (to be tested)

3 - Make a single SSL Vserver, match the Host field in the HTTP headers and then send a redirection to the right name.
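The following is an added example, not code from the original thread or from the ACE product: it models the checks behind workarounds 1 and 3. `cert_covers` decides whether a single certificate whose Subject Alternative Name lists both `mysite.mydomain.net` and `mysite` covers a given request name (RFC 6125 matching, including the wildcard rule), and `redirect_location` computes the 301 target a single SSL virtual server would send when the client's `Host` header carries the short name. The SAN list, the canonical host and all function names are assumptions constructed for the example.

```python
"""Added example (not from the original thread): SAN coverage check for one
certificate carrying both names, plus the Host-header redirect decision for
a single SSL virtual server. All names are constructed sample data."""
import ipaddress
from typing import Optional, Sequence

# Constructed SAN dNSName entries for workaround 1: one cert, both names.
SAN_DNS_NAMES = ("mysite.mydomain.net", "mysite")
# Constructed canonical FQDN that workaround 3 redirects clients to.
CANONICAL_HOST = "mysite.mydomain.net"


def _normalize(name: str) -> str:
    """DNS names are case-insensitive and a trailing dot denotes the same name."""
    return name.strip().rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 matching: exact match, or a '*' that is the whole
    left-most label of a pattern with at least two further labels, matching
    exactly one label of the hostname."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial-label wildcards ('my*'), '*.net'-style patterns, and
    # hostnames with a different label count ('*' never spans two labels).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, san_dns_names: Sequence[str]) -> bool:
    """True if any dNSName SAN entry covers hostname. An IP literal never
    matches a dNSName entry; it would need an iPAddress SAN."""
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return False
    except ValueError:
        pass
    return any(dns_name_matches(san, hostname) for san in san_dns_names)


def host_header_name(host_header: str) -> str:
    """Strip an optional :port from an HTTP Host header value."""
    host = host_header.strip()
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:443
        return host[: host.index("]") + 1]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def redirect_location(host_header: str, path: str,
                      canonical: str = CANONICAL_HOST) -> Optional[str]:
    """Workaround 3: if the client used a name other than the canonical FQDN,
    return the Location for a 301 to the canonical name; None means serve."""
    requested = _normalize(host_header_name(host_header))
    if requested == _normalize(canonical):
        return None
    return f"https://{canonical}{path}"


if __name__ == "__main__":
    for name in ("mysite", "MYSITE.mydomain.net.", "other.mydomain.net", "10.10.10.100"):
        print(f"{name:>22} covered by SAN cert: {cert_covers(name, SAN_DNS_NAMES)}")
    for hdr in ("mysite", "mysite:443", "mysite.mydomain.net:443"):
        print(f"Host: {hdr:<24} -> redirect: {redirect_location(hdr, '/login')}")
```

Note that the redirect in workaround 3 only helps after the TLS handshake has succeeded, so the certificate presented on that single virtual server must still be one the browser accepts for the name the user typed; in practice that points back to the SAN certificate of workaround 1.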