ACE30 - Setting up SSL Termination for servers that aren't behind the ACE

sgonsalv
Level 1

Hi Guys,

With the SSLM it was possible to use the SSLM to terminate SSL connections for servers that weren't behind the CSM, that is, the servers could be anywhere within the data center. This was done using PBR such that only SSL traffic was directed to the SSLM for decryption and then on to the server.

Can this be done on the ACE30?  Where the servers aren't necessarily part of a subnet homed on the ACE30 module, rather they could be L3 reachable, but on another subnet within the data center?  If so, are there any documents with examples of how this can be setup?

thanks

Sheldon

Accepted Solution

Andrew Nam
Level 1

Hi Sheldon

I'm trying to understand your SSL termination setup with the SSLM. It looks like you are doing frontend SSL termination with the SSLM module and clear text between the SSLM and the servers via the CSM, but the servers are multiple hops away from the CSM.

If this is the right understanding, then the short answer is YES, it is supported. The config is much simpler than CSM + SSLM, but the one thing you need to consider is client source NATting to make sure the ACE receives the return traffic. Otherwise, you will need to use PBR to control the return traffic as you did with the CSM + SSLM setup.

For your understanding, please refer to the SSL sample config below.

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples

regards

Andrew
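
To make the answer above concrete, here is a minimal one-arm ACE configuration of the kind Andrew describes: the ACE terminates SSL on a VIP and forwards clear-text HTTP to real servers that are only L3 reachable, with client source NAT so the servers route their replies back through the ACE. This is an added example written for this page, not taken from the thread or from the linked Cisco docwiki; all names, VLAN numbers and addresses are constructed placeholders, and the certificate and key are assumed to have been imported already.

```text
! Added example; names, VLAN 100 and all addresses are constructed placeholders.
! WEB_CERT.PEM and WEB_KEY.PEM are assumed to be already imported with "crypto import".
ssl-proxy service SSL_TERMINATE
  key WEB_KEY.PEM
  cert WEB_CERT.PEM
! Real servers live on 10.50.1.0/24, reached via the router at 192.0.2.1 (not an ACE-homed subnet)
rserver host WEB1
  ip address 10.50.1.10
  inservice
rserver host WEB2
  ip address 10.50.1.11
  inservice
serverfarm host SF_WEB_CLEAR
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
! Client-facing VIP listening on 443
class-map match-all VIP_HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https
policy-map type loadbalance first-match LB_WEB
  class class-default
    serverfarm SF_WEB_CLEAR
policy-map multi-match CLIENT_VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_WEB
    loadbalance vip icmp-reply
    ssl-proxy server SSL_TERMINATE
    nat dynamic 1 vlan 100
! One-arm interface: VIP, NAT pool and server-bound traffic all on VLAN 100
interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  nat-pool 1 192.0.2.20 192.0.2.20 netmask 255.255.255.255 pat
  service-policy input CLIENT_VIPS
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

With `nat dynamic 1` the servers see 192.0.2.20 as the client address, so their replies come back to the ACE without any PBR on the intermediate routers; if the servers must see the original client IP, the source NAT has to be dropped and return traffic steered with PBR instead, as the thread notes.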

Hi,

Thanks for the info. I've tested things, and the SNATting of the client connection works well to ensure that the return traffic comes back to the ACE module.

thanks

Sheldon
