cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
682
Views
9
Helpful
5
Replies

CSM Policy Question

mark.hansel
Level 1
Level 1

Is it possible to create an slb policy using a single SSL Virtual Server that will redirect based on url, to a different port on the serverfarm. I've got a virtual server configured now without policies listening on port 443, which flows to a serverfarm that is running IIS, it works fine. Could I create a policy based on a url map that would redirect traffic to a different ssl port on the serverfarm. In other words the IIS server would be configured to listen on port 443 for one web site, and 444 on the other. Clients accessing the site would only see the standard HTTPS server. For example clients accessing https:\\xyz.com would be forwarded to port 443, clients accessing https:\\abc.com would be forwarded to port 444, again using the same serverfarm. I'm pretty sure I can make this work by multi-homing the web servers and creating two different serverfarms, but I was wondering if I could do this just using an slb-policy and associated url map.

Thanks.

5 Replies 5

Gilles Dufour
Cisco Employee
Cisco Employee

First, there is no way to change the destination port with a policy. The only way is by creating serverfarm with the appropriate port.

Then, since your traffic is encrypted, the CSM [or any other device] is not able to see the content of the traffic and therefore is not able to see the url.

Thus, a url-map is never possible on HTTPS traffic.

So, you need to create 2 different serverfarm, one for port 443 and another one for port 444 and then you need 2 vserver using 2 different ip addresses - one for each website.

Regards,

Gilles.

Thanks for rating this answer.

Thanks Gilles,

I appreciate the fast response.

Giles,

How do you "create a serverfarm with the appropriate port?" It seems like this should be easy, but I haven't been able to find it in the docs or in NetPro.

In general, if I have an application that is publicized as reachable at destination port X, but in actuality the server daemons run on port Y, how do I have the CSM simply redirect the connection at layer 4? I understand that the CSM can facilitate an HTTP redirection at layer 7, but suppose the service is not HTTP. In reality, I *am* trying to redirect connections destined to port 80 to port 7778, but I want to do it "silently" at layer 4, rather than by employing HTTP Redirect. (I suspect redirects would mess up the application.)

So far I have:

!

natpool FOO_CLIENT a.b.c.13 a.b.c.13 netmask 255.255.252.0

!

serverfarm SF_FOO_TCP7778

nat server

nat client FOO_CLIENT

real name F1

inservice

real name F2

inservice

!

vserver VS_FOO_TCP80

virtual a.b.c.55 tcp 80

serverfarm SF_FOO_TCP7778

persistent rebalance

inservice

Thanks very much.

Christopher Ursich

gdufour-cat6k-2(config-module-csm)#serverfarm test

gdufour-cat6k-2(config-slb-sfarm)#real name l1 ?

<1-65535> port translation for this server

local exists on local VLAN

gdufour-cat6k-2(config-slb-sfarm)#real name l1 8080

You specify the server port after the ip address or the name as indicated above.

Gilles.

Ah, how easy. I should have seen that. Thanks much, Gilles.

Chris

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: