CSS 11050 and SSL handling

jvercins
Level 1

Environment:

Client type HTTPS -> Internet/FW -> CSS public VIP -> HTTPS Web servers = SSL terminators

In an ordinary situation, e.g. HTTP traffic to a web server through the CSS, the CSS spoofs the TCP session, establishes which backend server is best, then makes a TCP session with that server and forwards the first HTTP GET.

In the case of Client -> CSS -> SCA (which can be considered as the "server" because it terminates SSL), Cisco says the CSS transparently forwards the first TCP SYN to the SCA="server". So, there is no session spoofing?

What is the real behavior when a client makes an HTTPS port 443 session to the VIP?

thanks


Gilles Dufour
Cisco Employee

Let me correct what you said.

The CSS does not always spoof a session for HTTP traffic.

The CSS will spoof a session if it needs to see information not contained in the SYN to make its load-balancing decision.

So, for a Layer 3 or Layer 4 content rule, where the CSS does load balancing based on IP addresses or TCP ports, the CSS doesn't spoof the connection.

If the CSS needs to see the URL or a cookie to decide where to forward the connection, it will spoof the connection.

For the case of HTTPS, if we do SSL-ID stickiness, the CSS will spoof the connection. Otherwise, we can simply load balance without spoofing.

I hope this is clear enough.

Gilles.
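To make the distinction in the answer above concrete, here is an added CSS 11000-series configuration fragment (constructed for this thread, not posted by either participant) showing the two kinds of port 443 content rule side by side: a plain Layer 4 rule, where everything needed for the decision is already in the client's SYN, and an SSL session-ID sticky rule, where the CSS has to complete the client's TCP handshake itself before it can read the TLS ClientHello. The VIPs, server addresses and service names are placeholders.

```text
! Constructed CSS 11000-series configuration fragment (not from the thread).
! VIP, server addresses and service names are placeholders.

! The SSL terminators behind the CSS (SCAs or HTTPS servers) as services.
service sca-1
  ip address 10.0.0.11
  port 443
  keepalive type tcp
  active

service sca-2
  ip address 10.0.0.12
  port 443
  keepalive type tcp
  active

! Layer 4 rule: the decision uses only VIP, protocol and port, all of which
! are in the client's SYN. The CSS picks sca-1 or sca-2 and forwards the SYN
! to it without spoofing the TCP handshake.
content https-l4
  vip address 192.0.2.10
  protocol tcp
  port 443
  add service sca-1
  add service sca-2
  active

! Same port, but with SSL session-ID stickiness. The session ID is only
! visible in the TLS handshake, after the TCP 3-way handshake, so the CSS
! must answer the client's SYN itself (spoof the session), read the
! ClientHello, and only then open the backend connection. The record is
! still encrypted here: a url or cookie match cannot be used on this rule,
! only the SSL session ID.
content https-sslsticky
  vip address 192.0.2.11
  protocol tcp
  port 443
  application ssl
  advanced-balance ssl
  add service sca-1
  add service sca-2
  active
```

A quick check on a running box: a rule with no url, cookie or advanced-balance setting is Layer 3/4 and passes the SYN straight through, while any rule that needs Layer 5 information (url, cookies, or the SSL ID as above) will show the CSS completing the client handshake before a backend flow appears.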