11-02-2010 09:05 AM
Guys
I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP. I've created a lot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
However I'm not sure how to take two different SSL certs and bind them to the same SSL Proxy, in order for me to add them to the same VIP. The customer wants to use only port 443. I had thought about using a secondary port, something like 8443, and adding another class under the multi-match policy.
Is this possible at all? I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.
Because this is a multi-match policy can I just create another L4 Policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL. And thus because I have another L4 policy I can assign a new SSL Proxy?
Thanks
11-02-2010 09:32 AM
Hi,
I don't think you can do this directly with the ACE. A wildcard certificate would work if all the sites were in the same domain. If the addresses are in different domains and a wildcard isn't appropriate, you might be able to use a SAN (Subject Alternative Name) certificate.
HTH
Cathy
11-02-2010 11:51 AM
Cathy
Thanks for the reply, that's what I was thinking. We use wildcard certificates for several of the other domains, now we need to provide certificates for www.website.com and ww2.website.com due to cost.
Is it possible to replace the L4 policy map with a straight L7 so that we are load balancing directly on URL as opposed to verifying L4 matches first? Or would this not be advisable / possible? I always thought it was the L4 policy that made the VIP proxy?
Can SAN certs not be used in this example?
Thanks
11-03-2010 01:22 AM
You need to do the decryption before you can implement layer7.
Your options seem to be wildcards, SAN, re-negotiate the requirements or use another load-balancer.
Kind Regards
Cathy
11-03-2010 04:25 AM
Thanks Cathy,
I'll try to do this with SAN certs. You have been a huge help.
Thanks once more
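The certificate options raised in this thread (single-name, wildcard, SAN) can be compared by checking which of the hostnames behind one VIP each certificate would actually cover. The following is an added example, not part of the original posts: the function names, the SAN lists and the `www.example.org` hostname are constructed for illustration, and the matching follows the usual RFC 6125 rule that `*` stands for exactly one left-most label.

```python
# Added example: which hostnames on a shared VIP does one certificate cover?
# All SAN lists below are constructed; none comes from a real certificate.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # "*" covers exactly one label, never zero or several
    if p[0] == "*":
        # Wildcard must be the whole left-most label and sit above a
        # registrable-looking name (reject patterns such as "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(san_names, hostnames):
    """Return the hostnames that no SAN entry in the certificate matches."""
    return [
        host for host in hostnames
        if not any(dns_name_matches(name, host) for name in san_names)
    ]


# Hostnames from the thread that share one VIP on port 443.
VIP_HOSTS = ["www.website.com", "ww2.website.com"]

# Constructed certificate name sets for the three options discussed.
SINGLE_NAME_CERT = ["www.website.com"]
WILDCARD_CERT = ["*.website.com"]
SAN_CERT = ["www.website.com", "ww2.website.com"]

if __name__ == "__main__":
    for label, names in [
        ("single-name", SINGLE_NAME_CERT),
        ("wildcard", WILDCARD_CERT),
        ("SAN", SAN_CERT),
    ]:
        missing = uncovered_hosts(names, VIP_HOSTS)
        print(f"{label:12} uncovered: {missing or 'none'}")
    # A wildcard stops helping once a second domain shares the VIP.
    print(uncovered_hosts(WILDCARD_CERT, VIP_HOSTS + ["www.example.org"]))
```

Any hostname reported as uncovered would produce a name-mismatch warning in the client, because the proxy presents one certificate for the VIP before it can see the requested URL.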