05-17-2011 08:27 AM
Hi,
I'm throwing this one out there to the ACE module Load-balancing experts!
How do I configure a request method get url for google.co.uk so that it authenticates a healthprobe AD user with a Bluecoat proxy appliance?
The objective here is to have a probe run an http get to google to test our bluecoat proxy appliance and then failover to another real server (or bluecoat appliance).
Thanks
05-19-2011 03:30 AM
Hi Matthew,
This would partially depend on the authentication type defined on your Bluecoat proxy.
For most of the setups, it should be enough to configure the credentials to be used under the probe parameters with the "(config-probe-http)# credentials
If this doesn't work, you may also try inserting an authentication header inside the request. Again configured under the probe parameters.
For more details on the available options, please refer to http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html#wp1031398
Regards
Daniel
05-19-2011 04:05 AM
Hi Daniel,
Actually because the GET will come from the vlan addresses on the ACE rather than the VIP used for client connections, we can allow access to google for those addresses unauthenticated!
thanks for your help in any case
05-24-2011 01:37 AM
Hi Daniel,
I don't know why, but I thought this was working...turns out I was wrong.
The issue I have is that this probe is for a socks connection. So usually I just use a probe on TCP port 1080 to our sock gateway. However, I am trying to perform a GET to google.co.uk on the same port/protocol. This is failing. I'm assuming this is probably related to socks user/password which is version 5.
Can I use the user and password in the probe configuration to authenticate with socks gateway?
many thanks for your help in this matter!
Matthew
05-24-2011 02:04 AM
Hi Matthew,
I have to admit I'm not 100% sure, but I don't think SOCKS5 authentication is supported for ACE probes.
If it's not possible to use different authentication mechanisms or allow the ACE IP to go out unauthenticated (as you were suggesting), then, another alternative you may consider is creating a TCL script. You can find more details on the TCL probe scripts on ACE at http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/script.html
Regards
Daniel
05-24-2011 02:16 AM
I think that just purely from a security perspective, we will have to use authentication as the traffic traverses our internal firewall cluster.
Thanks for your help and I'll update you on my TCL scripting research and design!
kind regards
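
Added example, not part of the original posts and not an ACE TCL script: the exchange a scripted probe has to perform for SOCKS5 username/password authentication (RFC 1928 and RFC 1929) followed by the HTTP GET, written in Python. The function names and the choice to count 2xx and 3xx responses as healthy are assumptions made for illustration.

```python
import struct

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the gateway closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("gateway closed connection")
        buf += chunk
    return buf

def auth_request(user, password):
    # RFC 1929: VER=1, ULEN, UNAME, PLEN, PASSWD (credentials travel in cleartext)
    u, p = user.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p

def connect_request(host, port):
    # RFC 1928: VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain name)
    h = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", port)

def socks5_http_probe(sock, user, password, host, port=80):
    """Return (healthy, reason) for one probe over an already connected socket."""
    try:
        sock.sendall(b"\x05\x01\x02")  # offer only method 2 (username/password)
        if recv_exact(sock, 2) != b"\x05\x02":
            return False, "gateway did not select username/password"
        sock.sendall(auth_request(user, password))
        if recv_exact(sock, 2) != b"\x01\x00":
            return False, "authentication rejected"
        sock.sendall(connect_request(host, port))
        ver, rep, _, atyp = recv_exact(sock, 4)
        if (ver, rep) != (5, 0):
            return False, "CONNECT failed, reply code %d" % rep
        # Skip BND.ADDR and BND.PORT so the HTTP status line is read cleanly
        alen = {1: 4, 4: 16}.get(atyp)
        if alen is None:  # ATYP=3: one length byte precedes the name
            alen = recv_exact(sock, 1)[0]
        recv_exact(sock, alen + 2)
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        status = recv_exact(sock, 12)  # e.g. b"HTTP/1.1 200"
    except ConnectionError as exc:
        return False, str(exc)
    # Assumption: 2xx and 3xx both mean the path through the gateway works
    ok = status.startswith(b"HTTP/1.") and status[9:10] in (b"2", b"3")
    return ok, status.decode("ascii", "replace")
```

Because RFC 1929 sends the password unencrypted, the probe account should be a dedicated one with no rights beyond passing the health check.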