
Client Access via Proxy to Cisco CSS Service

butlerb
Level 1

Hi,

I wonder if you could advise me on the following:

I currently have an HTTPS webpage, which has a VIP address, which load balances 4 ISA Servers.

How would I go about accessing the HTTPS Webpage through a corporate proxy, load balanced across the 4 servers, but still maintaining state information?

Would different clients accessing through the same proxy still load balance correctly or will they receive the same ISA Server?

Would I need to introduce some sort of “stickiness?”

Many Thanks !

CSS Novice

9 Replies

Gilles Dufour
Cisco Employee

A proxy usually maintains one HTTP/1.1 persistent connection with the CSS and sends all HTTP requests into this single TCP connection.

The way to make sure all HTTP requests are still load balanced is the command 'no persistent' under the content rule with the command 'persistence reset remap' in the global config.

[You can get more info about these commands by searching on them on our website].

If you need stickiness at the same time - one client [not the proxy] is always sent to the same server - you can then use 'advanced-balance arrowpoint-cookies'.

Regards,

Gilles

CSS Expert :-)

Hi,

Maybe I can put this a different way to clear this up.

The clients are initiating SSL (https) connections through their corporate proxy through to my VIP Address.

e.g. www.test.com resolve to ip addr of 62.60.1.1 , which is my VIP address on my CSS

!************************** SERVICE **************************
service ISA_2041
  ip address 10.221.6.46
  protocol tcp
  port 443
  keepalive type none
  active

service ISA_2042
  ip address 10.221.6.47
  protocol tcp
  port 443
  keepalive type none
  active

!*************************** OWNER ***************************
owner TEST
  dns both

  content www-test-com
    add service ISA_2041
    add service ISA_2042
    vip address 62.60.1.1
    advanced-balance sticky-srcip
    add dns www.test.com
    active

And they get a response from ISA_2041.

Will all connections from the proxy always speak to server ISA_2041, because of the "advanced-balance sticky-srcip"?

What would I need to do to get users making connections to the VIP through a proxy to load balance requests between ISA_2041 and ISA_2042, keeping in mind that these are SSL connections (https webpage requests)?

Hi,

you could use advanced-balance ssl (compare to the advanced config guide where VIPs for SSL are described) instead of the src-stickiness.

In the case of src-stickiness the connection always goes to the same server in your case, as the source is always the proxy.

Kind Regards,

Joerg

good workaround Joerg.

I didn't think about this one.

Gilles.

The problem is "advanced-balance sticky-srcip".

All users behind a proxy server will appear as coming from the same IP address - the proxy server's IP address.

Because you are doing sticky source IP, all traffic from a proxy is sent to the same server.

For HTTPS traffic you don't have any solution except using an SSL module to decrypt the HTTPS traffic and insert a cookie in the HTTP messages to replace source IP sticky with cookie sticky.

Regards,

Gilles.

Hi

I must thank everyone for their input, much appreciated.

!************************** SERVICE **************************
service ISA_2041
  ip address 10.221.6.46
  protocol tcp
  port 443
  keepalive type none
  active

service ISA_2042
  ip address 10.221.6.47
  protocol tcp
  port 443
  keepalive type none
  active

!*************************** OWNER ***************************
owner TEST
  dns both

  content www-test-com
    add service ISA_2041
    add service ISA_2042
    vip address 62.60.1.1
    advanced-balance ssl
    add dns www.test.com
    port 443
    url "/*"
    application ssl
    active

Would this correct the problem?

Gilles, please could you clarify the last line in your response.

Much Appreciated,

Apparently you need stickiness [same client always goes to the same server].

You previously used source IP, which was a problem for clients behind a proxy server since they were all going to the same server.

The solution suggested by Joerg is SSL stickiness, since the SSLID is per client even if using a proxy server.

So this is a good solution.

Except that it does not work with all SSL solutions.

SSLv1 client will still fall back to source IP stickiness.

So, the best solution is to terminate the SSL traffic on the CSS using an SSL module and insert an Arrowpoint cookie to perform stickiness on cookie.

Regards,

Gilles.
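
The difference between the two sticky modes discussed above can be seen in a small simulation. This is an added example, not part of any reply in the thread and not Cisco code: the `StickyBalancer` class, the round-robin choice for new sticky entries, the proxy address and the session IDs are all assumptions made for illustration; only the service names come from the posted config.

```python
from collections import Counter

SERVERS = ["ISA_2041", "ISA_2042"]  # service names from the thread's config


class StickyBalancer:
    """Hypothetical model: round-robin for new keys, sticky table for known keys."""

    def __init__(self, servers, mode):
        self.servers = servers
        self.mode = mode      # "srcip" or "ssl"
        self.table = {}       # sticky key -> chosen server
        self.next = 0         # round-robin index for new keys (assumption)

    def _key(self, src_ip, ssl_session_id):
        if self.mode == "ssl" and ssl_session_id:
            return ("sslid", ssl_session_id)
        # Source-IP stickiness, also used as the fallback the thread
        # describes when no usable SSL session ID is available.
        return ("srcip", src_ip)

    def pick(self, src_ip, ssl_session_id=None):
        key = self._key(src_ip, ssl_session_id)
        if key not in self.table:
            self.table[key] = self.servers[self.next % len(self.servers)]
            self.next += 1
        return self.table[key]


def simulate(mode, connections):
    """Return how many connections each server received."""
    lb = StickyBalancer(SERVERS, mode)
    return Counter(lb.pick(ip, sid) for ip, sid in connections)


# Constructed sample: six clients behind one proxy, three connections each.
PROXY_IP = "192.0.2.10"
CONNECTIONS = [(PROXY_IP, f"sess-{c}") for c in range(6) for _ in range(3)]
# Same traffic, but from clients that present no session ID.
NO_SESSION_ID = [(PROXY_IP, None)] * 18

if __name__ == "__main__":
    print("sticky-srcip :", dict(simulate("srcip", CONNECTIONS)))
    print("ssl          :", dict(simulate("ssl", CONNECTIONS)))
    print("ssl fallback :", dict(simulate("ssl", NO_SESSION_ID)))
```

With source-IP stickiness every connection from the proxy lands on one server; keyed on the session ID the six clients split evenly while each client stays on its own server.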

Thanks

Where could I find more info on this SSL Module?
