cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
723
Views
5
Helpful
5
Replies

CSS SSL questions

stuart.christie
Level 1
Level 1

Hi,

I've got a couple of questions relating to CSS SSL termination which hopefully someone can help with:

- is it possible to terminate an SSL connection on the CSS, pass the session through a cache engine/reverse proxy for content checking, then back to the CSS for reencryption and delivery to the backend HTTPS web server farm?

- when SSL bridging (from HTTPS to HTTPS), does the CSS aggregate several requests before passing them on to the web servers, or is there no real performance gain from the web server point of view?

Thanks

Stuart

5 Replies 5

Gilles Dufour
Cisco Employee
Cisco Employee

1. yes you can send the traffic to a cache once decrypted and request from cache to webserver can be encrypted by the CSS.

2. requests are not aggregated.

For 1 & 2 you need an SSL module.

The CSS by default does not do SSL functions.

Regards,

Gilles.

Hi Giles,

I have a followup question to your response and thanks in advance for your response.

1. SSL aggregation with SSL Module on the CSS 11503.

Is there a ratio by which we can control the backend ssl connection between the module and the real server.

2. How does the aggregation basically happens. (i guess what i mean is how does the tcp sessions get aggregated using, say one ssl tunnel - how the session information be maintained by aggregating)

Thanks again and would appreciate your help.

Best regards,

Murali

as I mentioned in my previous response, we do not do aggregation.

Every connection received by the CSS will trigger a connection with the server.

Regards,

Gilles.

Hi Gilles,

Thanks for the response. I think I misunderstood your initial response.

Will increasing the ssl session cache-time accelerate the backend server (meaning fewer ssl calculations) and are there any real-world drawbacks.

TIA.

Murali

Murali,

you do not reduce ssl calculations by increasing the cache-time.

You just speed up the ssl handshake which is just a fraction of the time needed to send/receive data.

If you have a lot of short connections, this is indeed interesting.

If you have long lasting connections, this is useless.

Drawback is resources available.

If you have a timeout value too high and are getting a lot of connections, you can end up with no more memory.

Gilles.

Review Cisco Networking for a $25 gift card