10-07-2010 04:58 AM
Hi all,
Just a quick question:
Is it possible to match a field of the client certificate to make a load balancing decision?
So that if a client has a cert with a CN or C field with a specific value, it is redirected to a specific serverfarm.
Thanks,
Luc.
10-07-2010 07:34 AM
Hi Luc,
Unfortunately the ACE can't do such a thing. When it comes to client authentication, the client cert will be used exclusively for client validation, meaning that the cert provided by the requestor must match the one that has been configured on the ACE, but that's it.
On ACE, decryption happens before L7 load balancing, so even if you take client authentication out of the picture and say that you're dealing with a SAN certificate, ACE needs to decrypt the traffic first and then match the appropriate host header in order to send the traffic to the SF in question.
From the post below you can see that Gilles states the feature is not even on the ACE roadmap; you may want to raise the flag with your sales team.
https://supportforums.cisco.com/thread/2037449
HTH.
Pablo
10-07-2010 11:08 PM
Hi Pablo,
Thank you for your quick answer. I had tried to search for an answer on the topic but I didn't run into Gilles's post.
As every time I have a question regarding LB, Gilles has the answer....
Regards,