03-03-2005 05:59 AM
Just after a bit of quick advice here.
I currently have 2 * CSS11503 units configured for ip redundancy (redundant interfaces, vips, etc.) and also using ASR (redundant-index values). All this works fine and failover is transparent to end users.
I have recently installed SSL modules and would like to know if I should configure an SSL Proxy List the same on both units (i.e. using the same SSL server number on both content switches)?
My SSL configuration is https-to-http at the backend servers - config looks something like the below:
ssl-proxy-list my-proxy-list
  ssl-server 22
  ssl-server 22 rsacert my_cert
  ssl-server 22 rsakey my_key
  ssl-server 22 cipher rsa-export-with-rc4-40-md5 192.168.2.200 80
  ssl-server 22 vip address 172.16.1.10 (example)
  active
There's no redundant-index command within the ssl-proxy-list - do I need to configure the same ssl-server number on the other CSS?
Also, I presume the SSL service should have a redundant-index specified for failover as per other services / rules etc.?
service ssl-service
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list my-proxy-list
  redundant-index 5
  active
Any help appreciated.
Cheers..
03-03-2005 01:18 PM
Hello John,
ASR is not supported with ASR.
You can ASR the HTTP streams, but not the HTTPS streams, because the key exchange is somewhat more complex.
I do the ASR on HTTP. So the client will do a new SSL handshake on failover, but then work again on the same backend server. This works fine.
I read something about there being some discussion to get ASR with the SSL module in one of the next releases.
Best Regards
03-08-2005 12:18 PM
Many thanks. I will try this.
Cheers....john