04-22-2010 06:18 AM
Just had a conversation with our application team. They are thinking/planning about moving a construct of approximately 10+ real servers that host around 70+ vhosts to a single ACE context.
So far we only configured 1:1 relations in terms of context to ssl proxy.
Questions:
- Is it possible to ssl-terminate multiple websites with multiple certificates in one context?
- Do you have to distinguish those different vhosts (websites) and the related SSL traffic through separate SSL proxy services?
- If you have to use separate ssl proxies, is it sufficient to bind them via different class maps into one single (multi match) policy map?
- What would be the best practice approach for this scenario?
Thanks for reading
Roble
04-22-2010 07:14 AM
Hi,
1. Yes - but there are limitations. Each context can only support 8 chaingroups. The SSL proxy server references the certificate and the chain group so I suspect you're likely to hit a limit unless most of the websites have a common chain. Each webserver will need its own Proxy server definition unless you use a wildcard certificate. It really depends on what you're hosting.
2. As above - yes unless you can use a wildcard certificate.
3. Works for me.
4. Not sure - it really depends on the exact requirements for the websites.
HTH
Cathy
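The layout discussed in answers 1 to 3, sketched as an ACE configuration. This is an added example, not part of the original posts: all object names, file names and the 192.0.2.x addresses are constructed, the key and certificate files are assumed to be imported into the context already, and the serverfarms FARM_SITE1 and FARM_SITE2 are assumed to exist.

```text
! One chaingroup shared by both sites (counts once against the per-context limit)
crypto chaingroup CHAIN_COMMON
  cert intermediate-ca.pem

! One SSL proxy service per site certificate
ssl-proxy service PROXY_SITE1
  key site1.key
  cert site1.pem
  chaingroup CHAIN_COMMON
ssl-proxy service PROXY_SITE2
  key site2.key
  cert site2.pem
  chaingroup CHAIN_COMMON

! One class map per HTTPS VIP
class-map match-all VIP_SITE1
  2 match virtual-address 192.0.2.10 tcp eq https
class-map match-all VIP_SITE2
  2 match virtual-address 192.0.2.11 tcp eq https

policy-map type loadbalance first-match LB_SITE1
  class class-default
    serverfarm FARM_SITE1
policy-map type loadbalance first-match LB_SITE2
  class class-default
    serverfarm FARM_SITE2

! Single multi-match policy binding each VIP class to its own proxy service
policy-map multi-match CLIENT_VIPS
  class VIP_SITE1
    loadbalance vip inservice
    loadbalance policy LB_SITE1
    ssl-proxy server PROXY_SITE1
  class VIP_SITE2
    loadbalance vip inservice
    loadbalance policy LB_SITE2
    ssl-proxy server PROXY_SITE2

interface vlan 100
  service-policy input CLIENT_VIPS
```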
04-22-2010 07:38 AM
Hey Cathy,
thanks for the quick answer.
When I am talking about multiple certificates I am not talking about intermediate certificates and therefore chaingroups. So if I stick to single certificates which can be verified by a known root cert, the limit shouldn't apply.
Does the limit of 8 chaingroups also apply to proxy services?
The resource overview on the following link only mentions a total limit of 3800 certs.
Thanks for reading
Roble
04-22-2010 07:46 AM
Hi,
If your server certificates have a common CA chain (or no CA chain) then the limit of 8 doesn't apply. AFAIK except for the general resource limits there are no restrictions on the number of SSL proxy servers per context.
Kind Regards
Cathy
04-22-2010 07:49 AM
Thanks!
