02-26-2010 12:35 PM
Hello all,
I have an ACE 4700 and it is balancing a web application using TCP ports 80 (HTTP) and 443 (HTTPS). The configuration of the ACE is One-Arm, meaning that the ACE does a NAT on the client IP source address.
For a legal requirement the web application must show the client IP source address on the web site, but with the One-Arm configuration it only shows the ACE's IP address.
With the following configuration I can insert the client IP source address into the HTTP packet:
!
policy-map type loadbalance first-match L7_LB_POLICY_SURA.COM.CO
  class class-default
    serverfarm sura.com.co
    insert-http X-Forwarded-For header-value "%is"
!
but that doesn't work with HTTPS (443).
How do I do this for HTTPS?
If I buy one of these licenses, can I do this?
ACE-AP-SSL-05K-K9
ACE-AP-SSL-07K-K9
ACE-AP-SSL-100-K9
ACE-AP-SSL-UP1-K9
ACE-AP-SSLUP-5K-K9
Thanks.
Haiver Bermon
02-26-2010 02:04 PM
Hello Haiver,
The X-Forwarded-For option appends the client IP within the HTTP header of the packet. HTTPS will not work if you are not performing SSL acceleration as the inbound HTTPS packets are encrypted. You will need one of the SSL licenses on the ACE to perform SSL acceleration and have the load balancer insert the X-Forwarded-For value within the decrypted HTTPS traffic.
Regards,
Jason
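The point Jason makes is that X-Forwarded-For is just an HTTP header the ACE appends after it can see the plaintext, and the application then reads it. The server-side half of that design has a check a practitioner wants: the application should only believe the header when the request really came from the ACE (the NAT address in the One-Arm setup), and should take the value the ACE appended rather than anything a client could have sent ahead of it. The following is an added example, not code from the thread or from Cisco; the proxy address 10.0.0.5 and the sample requests are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed assumption: the ACE's NAT source address as seen by the real servers.
TRUSTED_PROXIES = ["10.0.0.5/32"]


def _is_trusted(addr: str, trusted_nets) -> bool:
    """True if addr parses as an IP and falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def client_ip_from_xff(remote_addr: str,
                       xff_header: Optional[str],
                       trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the client IP to log or display.

    remote_addr  - TCP peer address of the request (after the ACE's NAT this is the ACE).
    xff_header   - raw X-Forwarded-For value, or None if the header is absent.

    Rules: if the peer is not a trusted proxy, the header is untrusted and the peer
    address is returned. Otherwise the comma-separated hops are walked from the right
    (nearest proxy) to the left, skipping trusted proxies, and the first address that
    is not a trusted proxy is the client. A client-supplied X-Forwarded-For prefix
    therefore never wins, because the ACE appends its value after it.
    """
    trusted_nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    if not _is_trusted(remote_addr, trusted_nets):
        # Direct connection or an unknown intermediary: nothing it sends is trustworthy.
        return remote_addr

    if not xff_header:
        # Trusted proxy but no header, e.g. HTTPS passing through without SSL offload.
        return remote_addr

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted_nets):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed entry right where the client address should be: fall back.
            return remote_addr
    # Every hop was one of our own proxies; the peer is the best we have.
    return remote_addr


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header)
    samples = [
        ("10.0.0.5", "203.0.113.7"),               # normal: ACE inserted the header
        ("10.0.0.5", "198.51.100.9, 203.0.113.7"),  # client tried to spoof a prefix
        ("203.0.113.7", "198.51.100.9"),            # bypassed the ACE; header ignored
        ("10.0.0.5", None),                         # header missing (no SSL offload)
        ("10.0.0.5", "not-an-ip"),                  # garbage in the header
    ]
    for peer, xff in samples:
        print(f"peer={peer:<14} xff={xff!r:<32} -> client={client_ip_from_xff(peer, xff)}")
```

The second sample is the one that matters for the legal requirement in the question: a client can send its own X-Forwarded-For, so the right-most value (the one the ACE appended with "%is") must be the one the application records, and only when the request actually arrived from the ACE.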
02-26-2010 04:22 PM
Hello Haiver,
Any of the following licenses should work:
ACE-AP-SSL-05K-K9 ---- SSL 5,000 TPS License
ACE-AP-SSL-7K-K9 ---- SSL 7,500 TPS License
You will not require an "UP" SSL license as you are not upgrading from an existing license.
Regards,
Jason
03-01-2010 06:55 AM
The ACE that you have should have some SSL TPS from the base license. You can check here based on your model that you purchased and then what is installed.
02-26-2010 03:37 PM
Thanks very much Jason, do you know which SSL licenses I have to use?
03-01-2010 09:20 AM
Hello Eric, Jason, thanks.
I checked the URL and my ACE has 100 SSL TPS by default. Do you know how to configure a policy to do this? I want to test it in a LAB context; if it works I'll buy the 5000 TPS license.
03-01-2010 10:16 AM
Hello Jason, thanks
I checked the URL and my ACE has 100 SSL TPS by default. Do you know how to configure a policy to do this? I want to test it in a LAB context; if it works I'll buy the 5000 TPS license.
03-02-2010 01:14 AM
Hi,
You don't need to buy any license.
By default the ACE can do SSL Offload (1000 Transactions per Second). This means that the HTTPS session is terminated at the ACE (and no longer at the server).
Take a look at the following example of how to configure SSL offload:
HTH,
Dario
03-02-2010 11:30 AM
Hello everybody, thanks for the help.
I tested a configuration in a LAB context and it works. I used the examples that I found at this URL: http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
I have a final question. How does this configuration impact the ACE CPU? Today the ACE has 2000 connections and the CPU level is 2%.
01-13-2012 04:12 AM
I have somewhat the same scenario.
I offloaded the SSL on the ACE to insert the client IP in HTTP, then encrypted the HTTP again, which is offloaded on the server. But it is not working. Is this a wrong approach?
01-13-2012 07:23 AM
Hi Akhil,
It should work. There is no limitation that this traffic can't be encrypted again. So if you decrypted and then inserted the header properly, it should work.
If your config looks OK, the best way to troubleshoot is to perform a capture and then decrypt it with the server's private key.
I guess it'd be better if you open a new topic for your issue rather than continuing an old closed topic.