I currently have 2 test web servers that are being front-ended by a CSS 11501 w/SSL module. During the second content rule lookup (during the backend SSL setup), which is decrypted and in clear text, I am redirecting the traffic to different backend servers for an SSL session. This works fine with my test servers, which I am segmenting from the other SSL/443 traffic by port translation on a network device (Snapgear - to be replaced by a PIX ASAP). Below are the current content rules/URL strings that work fine.

content ssl_backend
  vip address 10.1.11.111
  add service ssl_test_1
  advanced-balance arrowpoint-cookie
  protocol tcp
  port 81
  url "//www.acme.com:8001/web1/*"
  active

content ssl_backend_2
  vip address 10.1.11.111
  add service ssl_test_2
  advanced-balance arrowpoint-cookie
  protocol tcp
  port 81
  url "//www.acme.com:8001/web2/*"
  active

When I put the content rules (see below) in production with no port translation and push straight 443 traffic to the CSS, the backend SSL session never sets up (I see 2 flows from the sho ssl flows command).

content ssl_employee_backend
  vip address 10.1.11.111
  add service ssl_employee
  advanced-balance arrowpoint-cookie
  protocol tcp
  port 81
  url "//www.acme.com/employee/*"
  active

content ssl_time_backend
  vip address 10.1.11.111
  add service ssl_time
  advanced-balance arrowpoint-cookie
  protocol tcp
  port 81
  url "//www.acme.com/timesheet/*"
  active

Does anyone have this type of setup working?
Do I need to include a port number in the URL string (i.e. :443)?
Can I debug the traffic the SSL module sees?
Thanks in advance ....
Paul