
ACE 4710 - SSL Termination with multiple certs.

rnolen
Level 1

Hi!

I have a site that I'm load balancing using an ACE 4710.  The FQDN of this site is mysite.mydomain.net.

My users only connect via SSL.  However, while most use the FQDN of https://mysite.mydomain.net/, some insist on using https://mysite/.  Both of these names point to the same vip of 10.10.10.100.

I have two SSL proxies for termination set up in my ACE context.  One has a cert associated with it for the FQDN, while the other has a cert for the "mysite" name.

My problem is that you define the SSL proxy SERVER in the multi-match class rules.  However, I don't think that using a layer-7 class map is possible here, so I can't match on header just for the hostname.  How can I define a different SSL proxy SERVER so that connections to https://mysite/ are terminated with the correct cert, while connections to https://mysite.mydomain.net/ are terminated on a different server with the correct cert?

Thanks for the help.

1 Reply

Surya ARBY
Level 4

The feature you want is SNI (server name indication), but it's not implemented yet, and some browser limitations make this feature unusable in production currently.

Workarounds:

1 - Use a Subject Alternative Name certificate with both names

2 - Use a CNAME record in the DNS infrastructure; it may work (to be tested)

3 - Make a single SSL Vserver, match the Host field in the HTTP headers, and then send a redirection to the right name.
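As an added example (not code from this thread, and not Cisco ACE configuration), the following Python models the two checks a practitioner would want before choosing between the question's two-proxy setup and workarounds 1 and 3 above: whether a single certificate's Subject Alternative Names actually cover both names users type (`mysite.mydomain.net` and the bare `mysite`), and how a Host-header redirect on a single SSL Vserver would send the short name to the FQDN. The hostnames come from the thread; the SAN lists are constructed, and `san_matches`, `cert_covers`, `uncovered_names` and `redirect_for` are assumed helper names, not ACE features.

```python
"""Added example: SAN coverage check and Host-header redirect model.

All SAN lists below are constructed for illustration; they are not
certificates from the original thread.
"""
from typing import Iterable, List, Optional


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname.

    Rules applied (the RFC 6125 subset browsers commonly enforce):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the whole leftmost label ("*.x.net")
    - a wildcard matches exactly one label and never a bare single-label name
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and a domain part must
    # follow it, so a bare "*" never matches anything.
    if p_labels[0] != "*" or len(p_labels) < 2:
        return False
    # One label per wildcard: label counts must agree and the rest must match.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry of the certificate covers hostname."""
    return any(san_matches(p, hostname) for p in san_names)


def uncovered_names(san_names: Iterable[str], required: Iterable[str]) -> List[str]:
    """Names users type that the certificate would NOT cover (empty = OK)."""
    sans = list(san_names)
    return [h for h in required if not cert_covers(sans, h)]


# Workaround 3: a single SSL Vserver terminates with the FQDN certificate
# and redirects any request whose Host header is the short name.
CANONICAL_HOST = "mysite.mydomain.net"
SHORT_NAMES = {"mysite"}


def redirect_for(host_header: str, path: str = "/") -> Optional[str]:
    """Return the Location to redirect to, or None if no redirect is needed."""
    host = host_header.split(":")[0].lower().rstrip(".")  # drop any :port
    if host in SHORT_NAMES:
        return f"https://{CANONICAL_HOST}{path}"
    return None


if __name__ == "__main__":
    required = ["mysite.mydomain.net", "mysite"]
    # Constructed SAN lists for three candidate certificates.
    candidates = {
        "FQDN only": ["mysite.mydomain.net"],
        "wildcard": ["*.mydomain.net"],
        "SAN with both names (workaround 1)": ["mysite.mydomain.net", "mysite"],
    }
    for label, sans in candidates.items():
        missing = uncovered_names(sans, required)
        print(f"{label:38s} uncovered: {missing or 'none'}")
    for host in ("mysite", "mysite:443", "mysite.mydomain.net"):
        print(f"Host: {host:22s} -> {redirect_for(host, '/login')}")
```

The SAN check is the one that decides whether workaround 1 is viable: a wildcard `*.mydomain.net` entry covers the FQDN but never the single-label `mysite`, so the certificate must list the short name explicitly. For workaround 3, note that the redirect can only be sent after the TLS handshake has completed, so a browser visiting `https://mysite/` has already evaluated whichever certificate the single Vserver presented against the name `mysite`; the redirect fixes the URL going forward but does not remove that first name-mismatch check.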
