ACE as Proxy

xshant
Level 1

Dear *,

Based on the Cisco link below:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html#wp1159517

SSL Termination Overview

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.

Now I would like to clarify the following:

  1) When ACE terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server, in this case what is the source IP that the server will see? Will it see the client IP or the ACE IP as source? I believe it should see the source IP of the ACE. Or here the ACE only terminates and re-initiates the TCP session without changing the source IP?
  2) If we don't want to use SSL, can ACE work as a normal proxy? Can we terminate a connection from the client and then establish a new session to the HTTP server? If yes, then the servers will see the source IP of ACE?

Thanks,

Aamir


chrhiggi
Level 3

Hello Aamir-

1.) It depends on your configuration; however, ACE will use the client IP by default and a source NAT pool if you have it configured to do so. Even with SSL on the front and backend, this still holds true.

2.) No.

ACE is not a proxy server by any means. Even with a layer 5 content rule where ACE needs to terminate the client session to make a load-balancing decision, once it creates a backend session, it steps out of the way and lets the client/server handle everything. In other words, you would never point your client browser to ACE as a proxy.

Regards,

Chris Higgins
