06-12-2012 06:21 AM
Looking for some assistance with the following diagram. I currently have SSL termination
working fine in the lab for one URL, but I am having difficulty getting the config right
for one physical server, which runs multiple backend web servers on different ports.
I am using a wildcard SSL cert for *.clean.ca.
On our old CSS I was able to define backend web servers with the same IP but different ports,
but I can't seem to figure this out on the ACE. If I throw in multiple port statements in the server
farm config, it will want to load balance across these ports, which isn't what I need.
Do I need to create a separate physical IP for each backend web server? That's a pain but doable.
Here is the diagram, any help would be appreciated.
06-12-2012 06:43 AM
Hi,
Am I right in assuming that the other URLs will be using different IP addresses?
If so, then you need to create separate serverfarms, class-maps, policy maps etc. for every site, using the relevant port numbers. If you can do the below, then the servers' physical addresses can remain the same.
For example
serverfarm 1:
  rserver 1.1.1.1 21250
serverfarm 2:
  rserver 1.1.1.1 20850
class-map match-all Site1
  2 match virtual-address 10.1.1.1 tcp eq 443
class-map match-all Site2
  2 match virtual-address 10.1.1.2 tcp eq 443
The same SSL termination parameters can be used in multiple policies.
Hope this helps.
Thanks.
Jack.
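The layout described in the reply above, written out as a fuller ACE configuration. This is an added example and not part of the original thread: the object names (WEB1, SF-SITE1, LB-SITE1, SSL-WILDCARD, CLIENT-VIPS), the key and certificate file names, and the VLAN number are assumptions, while the addresses and ports are the ones used in the reply.

```text
! Added example; object names, key/cert file names and VLAN are assumptions.
! One real server object, referenced by two serverfarms on different ports.
rserver host WEB1
  ip address 1.1.1.1
  inservice

serverfarm host SF-SITE1
  rserver WEB1 21250
    inservice
serverfarm host SF-SITE2
  rserver WEB1 20850
    inservice

! A single SSL proxy service holding the wildcard key pair, shared by both VIPs.
ssl-proxy service SSL-WILDCARD
  key wildcard.key
  cert wildcard.crt

! One L3/L4 class-map per external address.
class-map match-all Site1
  2 match virtual-address 10.1.1.1 tcp eq 443
class-map match-all Site2
  2 match virtual-address 10.1.1.2 tcp eq 443

! Each load-balance policy sends all traffic to its own serverfarm.
policy-map type loadbalance first-match LB-SITE1
  class class-default
    serverfarm SF-SITE1
policy-map type loadbalance first-match LB-SITE2
  class class-default
    serverfarm SF-SITE2

! The multi-match policy ties VIP, load-balance policy and SSL termination together.
policy-map multi-match CLIENT-VIPS
  class Site1
    loadbalance vip inservice
    loadbalance policy LB-SITE1
    ssl-proxy server SSL-WILDCARD
  class Site2
    loadbalance vip inservice
    loadbalance policy LB-SITE2
    ssl-proxy server SSL-WILDCARD

interface vlan 100
  service-policy input CLIENT-VIPS
  no shutdown
```

Because TLS ends at the ACE, traffic to 1.1.1.1 on ports 21250 and 20850 leaves the ACE in clear text, so that segment should be a trusted network.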
06-12-2012 10:42 AM
Jack, thanks for the response, but I am not sure I understand the use of the 10.1.1.1 and 10.1.1.2 IPs?
Essentially ALL inbound SSL needs to terminate on 192.168.1.10.
Cheers
Dave
06-12-2012 10:46 AM
Hi Dave,
That was just an example of how you could use the same IP address in different serverfarms with different ports.
The question is whether the external addresses are all the same or different.
If they are the same, then it changes how the ACE configuration needs to be.
Thanks.
Jack.
06-12-2012 10:48 AM
Yeah, unfort I only have so many public IPs on the outside. So the way the old CSS is configured, all of my inbound entries resolve to one public VIP.
06-12-2012 10:53 AM
If you want to post the CSS configuration I can help you change it to comply with the ACE.
I have done several migrations from CSS11500 series to the ACE.
Thanks.
Jack.