07-11-2012 09:06 AM
Hi
Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
Example:
Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
The "client" Server does not support SSL.
Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
Regards
Solved! Go to Solution.
07-11-2012 09:30 AM
Hi,
Yes. The ACE SSL Configuration Guide shows how to do this in the "Configuring SSL Initiation" section, culminating in a worked example. The only gotcha is forgetting to specify the port 443 in the serverfarm - otherwise the ACE will send traffic to port 80 (the same destination port as the client request).
HTH
Cathy
07-11-2012 03:22 PM
Hello Byron,
Yes, the ACE can do it
Here you have some of the flavors of SSL with the ACE.
Here you have a sample about it:
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
class CLEAR_TEXT_VIP
loadbalance vip inservice
loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
class class-default
serverfarm ENCRYPTED-SERVERFARM
ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
key TAC-key
cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
rserver JORGE-SERVER 443
inservice
Here you have some additional details under the configuration guide:
Here you have some additional samples:
Hope this helps for you and fix your issue
Jorge
07-11-2012 09:30 AM
Hi,
Yes. The ACE SSL Configuration Guide shows how to do this in the "Configuring SSL Initiation" section, culminating in a worked example. The only gotcha is forgetting to specify the port 443 in the serverfarm - otherwise the ACE will send traffic to port 80 (the same destination port as the client request).
HTH
Cathy
07-11-2012 03:22 PM
Hello Byron,
Yes, the ACE can do it
Here you have some of the flavors of SSL with the ACE.
Here you have a sample about it:
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
class CLEAR_TEXT_VIP
loadbalance vip inservice
loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
class class-default
serverfarm ENCRYPTED-SERVERFARM
ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
key TAC-key
cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
rserver JORGE-SERVER 443
inservice
Here you have some additional details under the configuration guide:
Here you have some additional samples:
Hope this helps for you and fix your issue
Jorge
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide