CSS with multiple SSL-Offload modules

pcoughlin01 · ‎01-18-2008

I'm looking for some suggestions on using multiple SSL-Offload modules (CSS5-SSL-C-K9) for ssl-termination and compression.

We ran into some isolated application problems with compression when it was globally enabled on a single ssl-termination service. As a work-around, we're selectively enabling compression on the cleartext content rules for those sites that support compression, however that seems like it maybe inefficient because the data back to the client will hit the ssl-module twice, once for compression (on the cleartext rules) and then again for encryption (on the ssl rule.)

I'm thinking that using two SSL-offload modules is a better solution. Both modules will use the same ssl-proxy-list, but one module's service will have compression enabled and the other will not. The decision then to enable compression, will be based upon which ssl service is added to the ssl content rule. In that design, compression will happen along with encryption for the compression-enabled service, and seems to be more efficient.

Has anyone done a design like that?

If not, has anyone run into any scalability or performance issues with selectively enabling compression on the cleartext rules?

Thoughts?

didyap · ‎01-24-2008

Selectively enabling compression on multiple SSL modules can cause some problems. You should enable compression for all data in a multi module steup. Following link may help you

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00800c4fe9.html#wp1002163

pcoughlin01 · ‎02-05-2008

-Sorry for the delay in getting back to you.

Thanks for the info. Please elaborate.

I'm testing this now with some success and I just want to be sure I don't run into any issues.

Thanks,

Pat