Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
424
Views
0
Helpful
1
Replies

Client Authentication & Normal SSL Using Same IP on Proxy List

alfiesummers
Level 1
Level 1

‎02-27-2007 07:20 AM

I am using CSS11501's and need to have the option of client authentication or normal client server SSL using the same IP. I cannot see how to do this using just one proxy-list.

The following is an example of what I would like.

https://sslconnection.com = ip address 10.10.10.10 on the ssl-proxy-list and uses normal client server ssl.

https://sslconnection.com/clientauth = ip address 10.10.10.10 and invokes client authentication.

Is there any way to get the proxy list to pick up the url extension and aply the client authentication rules?

I know this would work using 2 proxy lists in say a 11503 or my other option would be to get the web server to redirect to another VIP when client authentication is required.

However if at all possible i would like to use the same IP for both methods.

Any ideas????

Labels:
0 Helpful
1 Reply 1

Gilles Dufour
Cisco Employee
Cisco Employee

‎03-02-2007 12:17 AM

to see the url, the CSS needs to decrypt the traffic, and to decrypt the traffic the css needs to perform ssl negotiation.

Therefore this is not possible to keep the same proxy-server.

What you can is use a normal ssl service to decrypt the traffic and if there is a match with /clientauth url send a redirect to the same vip ip but a different port ie: 8443 instead of 443.

You can then create a 2nd ssl-proxy server in your proxy list and this one will do client authentication.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card