11-07-2012 07:07 AM
Hi Guys
First of all, I am a bit new to the ACE, so apologies if I am being too silly.
Basically I have around 10 URLs. What the load balancer ACE 4710 is doing is just forwarding everything to a couple of servers. What we want is basically that all requests which come in as https:// will have their certificate terminated on the ACE and will be forwarded as HTTP to the servers.
Here is my current config.
rserver host server1
  ip address 192.168.152
  inservice
rserver host server2
  ip address 192.168.1.154
  inservice
class-map match-all https
  11 match virtual-address 172.168.132.1 tcp eq 443
policy-map type loadbalance first-match https
  class class-default
    serverfarm servers
    nat dynamic 200 vlan 200 servers primary
policy-map multi-match policy
  class https
    loadbalance vip inservice
    loadbalance policy loadbalance
    loadbalance vip icmp-reply
11-07-2012 10:50 AM
Here is your basic checklist to accomplish what you seek.
1. Load the certs and keys on the ACE. Reference the crypto CLI command.
2. Add serverfarm host which references the real servers. Use port 80 when defining the real servers in the serverfarm.
3. Add ssl-proxy command to define SSL endpoint. You will reference the appropriate cert/keys here.
4. Add ssl-proxy command to your class statement in the multi-match policy-map.
Good luck!
11-07-2012 04:38 PM
Hi Oriel,
Here is a basic SSL configuration:
rserver host test
  ip address 10.198.16.98
  inservice
rserver host test2
  ip address 10.198.16.93
  inservice
serverfarm host test
  rserver test 80
    inservice
  rserver test2 80
    inservice
ssl-proxy service TEST
  key cert
  cert cert
class-map match-all VIPSSL
  2 match virtual-address 10.198.16.122 tcp eq https
policy-map type loadbalance first-match test
  class class-default
    serverfarm test
policy-map multi-match clients
  class VIPSSL
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
    ssl-proxy server TEST
interface vlan 112
  ip address 10.198.16.91 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
  service-policy input NSS_MGMT
  service-policy input clients
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.198.16.65
---------------------
Cesar R
ANS Team
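The checklist and the sample configuration in this thread can be checked mechanically. The following Python lint is an added example, not code from any poster or from Cisco: it follows each VIP class of a multi-match policy to its ssl-proxy service and to the real-server ports of its serverfarm. The function names, finding texts and sample config are assumptions made for illustration, and it only understands the commands that appear in this thread.

```python
HEADS = ("rserver host ", "serverfarm host ", "ssl-proxy service ", "class-map ",
         "policy-map ", "interface ", "ip route ")

def stanzas(cfg, kind):
    """Map stanza name -> sub-command lines for top-level stanzas of one kind."""
    found, cur = {}, None
    for line in filter(None, map(str.strip, cfg.splitlines())):
        if line.startswith(HEADS):
            cur = found.setdefault(line.split()[-1], []) if line.startswith(kind) else None
        elif cur is not None:
            cur.append(line)
    return found

def arg(lines, prefix, i=-1):  # token i (default: last) of lines starting with prefix
    return [l.split()[i] for l in lines if l.startswith(prefix)]

def lint(cfg):
    """Check each VIP class of every multi-match policy; [] means no findings."""
    farms, ssl = stanzas(cfg, "serverfarm host"), stanzas(cfg, "ssl-proxy service")
    lb, out = stanzas(cfg, "policy-map type loadbalance"), []
    for body in stanzas(cfg, "policy-map multi-match").values():
        for block in ("\n" + "\n".join(body)).split("\nclass ")[1:]:
            cls, *cmds = block.splitlines()
            proxies = arg(cmds, "ssl-proxy server")
            if not proxies:
                out.append(f"{cls}: no ssl-proxy server, SSL is not terminated")
            for p in proxies:
                if not {"key", "cert"} <= set(arg(ssl.get(p, []), "", 0)):
                    out.append(f"{cls}: ssl-proxy service {p} missing or lacks key/cert")
            for name in arg(cmds, "loadbalance policy"):
                if name not in lb:
                    out.append(f"{cls}: loadbalance policy {name} is undefined")
                for f in arg(lb.get(name, []), "serverfarm ", 1):
                    if proxies and any(p != "80" for p in arg(farms.get(f, []), "rserver ")):
                        out.append(f"{cls}: serverfarm {f} has an rserver not on port 80")
    return out

# Constructed sample (names are made up): proxy service undefined, backend on 443.
SAMPLE = """\
serverfarm host web
rserver web1 443
policy-map type loadbalance first-match lb
class class-default
serverfarm web
policy-map multi-match clients
class VIPSSL
loadbalance policy lb
ssl-proxy server OFFLOAD
"""
```

`lint(SAMPLE)` returns two findings, one for the undefined proxy service and one for the backend port; indentation is ignored, so a flat paste of a running-config works as input.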