Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1576
Views
0
Helpful
4
Replies

Cisco ACE SSL Front-End of non HTTP traffic

byron.momsen
Level 1
Level 1

‎07-30-2012 03:25 AM

Hi

Does the ACE support the following.

We have a home grown application. Client-Server application. Application uses native TCP traffic. Client initiates the TCP connection to a TCP port on the Server. After three way TCP handshake, client writes application data to the socket. Server reads data off socket (does processing) and replies and writes response back onto the socket. Client reads response data off the socket and closes the socket.

We are looking at using Stunnel on the Client side to create a SSL connection to an ACE that will front end the real server. Client will connect via Stunnel that will connect to ACE.

ACE needs to perform the SSL termination and then after receiving the first data packet from the client via Stunnel. ACE should establish a TCP socket to the Real server and send data. This is not HTTP traffic. It is native TCP traffic. Does the ACE support this functionality or does the application on the Real server have to be HTTP?

Regards
Byron
Labels:
0 Helpful
4 Replies 4

jlamousn
Level 1
Level 1

‎07-30-2012 12:03 PM

Byron,

If you are using you own application protocol but just wrapping it in SSL, the ACE should be able to encrypt/decrypt the generic traffic. The ace is not going to care about the data in the ssl tunnel unless it is specifically configured to do so, only exception might be the ACE30 which has http persistence rebalance enabled by default, so you might need to apply a http parameter map on the vip to disable persistence rebalance.

Thanks

Joel Lamousnery

Customer Support Engineer

Cisco TAC

Joel Lamousnery CCIE R&S - 36768 Engineer, Customer Support Technical Services
0 Helpful

byron.momsen
Level 1
Level 1
In response to jlamousn

‎07-31-2012 07:53 AM

Thanks Joel.

Yes we are just planning to Tunnel our own application TCP traffic.

We also require the ACE to load balance the decrypted traffic across multiplied real ports on a single real server after performing the SSL Front Ending. Is this possible on the ACE 4710 version A5(2.0)

Native TCP traffic tunneled using SSL.

SSL Client --->>> VIP 10.10.10.10:443 ACE ------->>>> Real IP 20.20.20.20:4431, 4432, 4433

Regards

Byron

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to byron.momsen

‎07-31-2012 08:05 AM

yes this should work ok.

Gilles.

0 Helpful

Paul Pinto
Level 1
Level 1
In response to jlamousn

‎07-31-2012 08:32 AM

Hi Joel,

So for the Layer 7 Class-map, this would be a class-map type loadbalance, not http loadbalance, yes? If required?

And the Layer 7 Policy map, also a normal policy-map type loadbalance, yes?

Policy-map multi-match as normal?

I hear what you are saying, just wondering if the ACE will pick it up?

Just a thought, Would the ACE support this, i.e. non SSL from local server to VIP on local ACE, then local ACE initiate SSL to remote ACE which would terminate SSL, decrypt and clear to remote server on similar type home grown Application utilising one of the available SSL Solutions? A bit crazy, but would really be interested to know. A "nasty" workaround to IPSEC I suppose?

There is a reason I am asking.

Cheers.

Paul.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents