
CSS1501 SSL Pass Through

roraver
Level 1

I know you cannot literally do pass through without an SSL module. Is there any jimmy rig method to pass through the content switch without an SSL module? We received the wrong concentrators and have to deal with this for the time... please help!!



Gilles Dufour
Cisco Employee

What do you mean by pass through?

The SSL module is there to decrypt/encrypt traffic.

If you do not have it, it means your server needs to be able to do this function.

Are your servers able to do SSL?

IIS server and Apache server will let you turn on SSL.

If this is the case, on the CSS you just need to configure an SSL content rule to load balance SSL between the servers.

Something like this :

    owner blahblah
      content ssl
        vip address x.x.x.x
        protocol tcp
        port 443
        add service ssl1
        add service ssl2
        ....
        active

Regards,

Gilles.

I have entered this configuration and it doesn't pass through the SSL. Is there anything specific I need to tell it to use when passing through SSL?

The servers can do SSL and are doing SSL at the moment. How is the CSS supposed to keep track of flows and load balancing if the data is encrypted? There is no SSL module, but the servers are doing SSL. When I do a setup like that it doesn't work; it will come in, then forward it to the server, but there is no response to the browser. If I go directly to that machine it works great.

The CSS will do load balancing based on IP and TCP info, which are not encrypted.

Do a 'sho summary' and verify that the SSL content rule is getting hits.

Send us the config if this does not work.

Regards,

Gilles.

    !Generated on 01/24/2005 13:32:18
    !Active version: sg0740004

    configure

    !*************************** GLOBAL ***************************
      dns primary 192.168.1.2
      dns secondary 192.168.1.2

      ip route 0.0.0.0 0.0.0.0 10.0.1.254 1

    !************************* INTERFACE *************************
    interface e2
      bridge vlan 2

    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.0.1.166 255.255.255.0

    !************************** SERVICE **************************
    service testserv1
      ip address 10.0.1.2
      active

    service testserv2
      ip address 10.0.1.8
      active

    !*************************** OWNER ***************************
    owner partnet
      content testrule
        add service testserv1
        vip address 10.0.5.226
        balance leastconn
        active

    CSS11501#

Here is my running config... can you see anything wrong? Everything has IP connectivity.

Is HTTP working?

This config should be independent of the protocol you are using.

So if HTTP works and not HTTPS, this is a server issue.

Check if the servers are correctly set up for HTTPS.

If both HTTP and HTTPS are not working, verify that the return traffic is going via the CSS.

You will have to make the CSS the default gateway for your servers.

Finally, make sure to test from a client that is not in the range 10.0.1.x.

Regards,

Gilles.
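The return-path checks from the reply above, as an added example that is not part of the original thread: it reads the circuit and service addresses from the posted running config and classifies whether a server's reply to a given client goes back through the CSS. The client addresses (10.0.1.50, 192.168.1.50) are constructed, and treating 10.0.1.254 as the servers' current default gateway is an assumption (the config only shows it as the CSS's own default route).

```python
import ipaddress

# Excerpt of the running config posted in the thread (circuit and services only).
CONFIG = """\
circuit VLAN1
  ip address 10.0.1.166 255.255.255.0
service testserv1
  ip address 10.0.1.2
service testserv2
  ip address 10.0.1.8
"""

def parse(config):
    """Return (CSS circuit interface, {service name: server IP})."""
    circuit, services, section = None, {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] in (["circuit"], ["service"]):
            section = words
        elif words[:2] == ["ip", "address"] and section:
            if section[0] == "circuit":
                circuit = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            else:
                services[section[1]] = ipaddress.ip_address(words[2])
    return circuit, services

def return_path(client, server, server_gateway, circuit):
    """Classify how a reply from `server` to `client` travels back."""
    if server not in circuit.network:
        return "server is not on the CSS circuit subnet"
    if ipaddress.ip_address(client) in circuit.network:
        # Client shares the servers' subnet: the reply is delivered directly
        # and never crosses the CSS on the way back.
        return "direct to client (bypasses CSS)"
    if ipaddress.ip_address(server_gateway) == circuit.ip:
        return "via CSS"
    return "via other gateway (bypasses CSS)"

def audit(client, server_gateway, config=CONFIG):
    """Return {service name: return path} for one client and gateway choice."""
    circuit, services = parse(config)
    return {name: return_path(client, ip, server_gateway, circuit)
            for name, ip in services.items()}

if __name__ == "__main__":
    # Constructed cases: client addresses and server default gateways are assumptions.
    for client, gw in [("10.0.1.50", "10.0.1.166"), ("192.168.1.50", "10.0.1.254"),
                       ("192.168.1.50", "10.0.1.166")]:
        print(client, gw, audit(client, gw))
```

Only the last case, an off-subnet client with the servers' default gateway set to the CSS circuit address, returns "via CSS" for both services.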
