ACE: Multiple vHost with SSL in a single context?

Roble Mumin
Level 3

Just had a conversation with our application team. They are thinking/planning about moving a construct of approximately 10+ real servers that host around 70+ vhosts to a single ACE context.

So far we only configured 1:1 relations in terms of context to ssl proxy.

Questions:

    1. Is it possible to ssl-terminate multiple websites with multiple certificates in one context?
    2. Do you have to distinguish those different vhosts (websites) and the related SSL traffic through separate SSL proxy services?
    3. If you have to use separate ssl proxies, is it sufficient to bind them via different class maps into one single (multi match) policy map?
    4. What would be the best practice approach for this scenario?

Thanks for reading

Roble


ciscocsoc
Level 4

Hi,

1. Yes - but there are limitations. Each context can only support 8 chaingroups. The SSL proxy server references the certificate and the chain group so I suspect you're likely to hit a limit unless most of the websites have a common chain.  Each webserver will need its own Proxy server definition unless you use a wildcard certificate. It really depends on what you're hosting.

2. As above - yes unless you can use a wildcard certificate.

3. Works for me.

4. Not sure - it really depends on the exact requirements for the websites.

HTH

Cathy
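As an added illustration of the construct asked about in questions 1 and 3 (this is example configuration, not from the thread or from Cisco documentation), assuming one VIP per vhost, placeholder certificate and key file names, RFC 5737 documentation addresses, and server farms SF-SITE1 and SF-SITE2 that already exist in the context:

```cisco
! Two SSL-terminated vhosts in one ACE context, one VIP each.
! Both server certs are assumed to be signed by the same intermediate CA,
! so one chaingroup is shared and only one of the 8 per-context chaingroups is used.
crypto chaingroup COMMON-CHAIN
  cert intermediate-ca.pem

! One SSL proxy service per website, each with its own key and certificate.
ssl-proxy service SSL-SITE1
  key site1.key
  cert site1.pem
  chaingroup COMMON-CHAIN

ssl-proxy service SSL-SITE2
  key site2.key
  cert site2.pem
  chaingroup COMMON-CHAIN

! One class map per VIP; the destination address selects which proxy terminates TLS.
class-map match-all VIP-SITE1-HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https

class-map match-all VIP-SITE2-HTTPS
  2 match virtual-address 192.0.2.11 tcp eq https

! Layer 7 policies that send decrypted traffic to each site's server farm.
policy-map type loadbalance first-match LB-SITE1
  class class-default
    serverfarm SF-SITE1

policy-map type loadbalance first-match LB-SITE2
  class class-default
    serverfarm SF-SITE2

! A single multi-match policy map binds each class map to its own ssl-proxy server.
policy-map multi-match L4-VIPS
  class VIP-SITE1-HTTPS
    loadbalance vip inservice
    loadbalance policy LB-SITE1
    ssl-proxy server SSL-SITE1
  class VIP-SITE2-HTTPS
    loadbalance vip inservice
    loadbalance policy LB-SITE2
    ssl-proxy server SSL-SITE2

interface vlan 100
  service-policy input L4-VIPS
  no shutdown
```

Sites whose certificates are issued by different intermediates each need their own chaingroup, which is where the limit of 8 per context that Cathy mentions comes into play.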

Hey Cathy,

thanks for the quick answer.

When I am talking about multiple certificates I am not talking about intermediate certificates and therefore chaingroups. So if I stick to a single certificate which can be verified by a known root cert the limit shouldn't apply.

Does the limit of 8 chaingroups also apply to proxy services?

The resource overview on the following link only mentions a total limit of 3800 certs.

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_ACE_Module_Resource_Limits

Thanks for reading

Roble

Hi,

If your server certificates have a common CA chain (or no CA chain) then the limit of 8 doesn't apply. AFAIK except for the general resource limits there are no restrictions on the number of SSL proxy servers per context.

Kind Regards

Cathy

Thanks!
