10-07-2009 05:47 AM
I have a CSS11501 and the decision has been made to load the certificates on the servers instead of using the load balancer ssl module. Is this possible? The ssl termination point will be the servers instead of the css. I don't feel that this is the best way to go, but mgmt does. Can someone please point me in the right direction.
Thanks!
10-11-2009 08:43 PM
It's definitely possible to move the cert/keys from the CSS to the servers and allow them to handle the encryption and decryption of SSL traffic.
Just know that doing so will result in a loss of being able to perform any layer 7 load balancing or persistence.
Also, doing so will result in the servers processing the SSL traffic rather than offloading that work to the CSS.
Hope this info helps.
- Jason
10-12-2009 11:19 AM
As Jason mentioned you do lose some things by doing end-to-end SSL. But the changes on the CSS are actually pretty easy. You will need to create services for each of your backend servers for port 443. Then just modify your content rules accordingly. Remove the service that sends to the SSL module and replace with the appropriate HTTPS service that you created.
10-13-2009 03:15 AM
10-13-2009 07:34 AM
That will work. Just remember that the default behavior will be round robin load balancing with no stickiness.
10-14-2009 07:24 AM
As Jeramy mentioned, the configuration you have provided will work. However, the services do not require the "port 443" NAT rule to be hardset (services will inherit the port defined within the content rule), the keep-alive check for the services you created is using the default ICMP check, and what would be the reason for the group rule? Do you wish to perform internal load balancing with this rule?
The group rule will SNAT all client requests to appear as the 192.168.20.4 VIP address. Even though the CSS does not support the X-Forwarded-For HTTP option you can accomplish the same thing and be able to hit your VIP internally while preserving the client IP addresses by using ACLs on the CSS.
- Jason