05-22-2012 10:30 AM
Need a bit of config help terminating SSL on the front end of the ACE.
Essentially I need all inbound (443) SSL to terminate on the outside ACE IP 192.168.10.1,
then have the backend connection unencrypted to backend server 172.31.17.10 on port 4400.
Any help with the class and policy maps would be appreciated.
Cheers
05-22-2012 12:05 PM
Hi,
Here is the configuration you would use for this. Notice SSL-PROXY client on the policy map, and the ssl-proxy server on the class-map. By adding port 4400 on the serverfarm, you can do port translation.
rserver host server
  ip address 172.31.17.10
  inservice

serverfarm host server
  rserver server 4400
    inservice

ssl-proxy service test
  key RSAKEY
  cert RSACERT

class-map match-all test
  2 match virtual-address 192.168.10.1 255.255.255.0 tcp eq https

policy-map type loadbalance first-match test
  class class-default
    serverfarm server
    ssl-proxy client test

policy-map multi-match vip
  class test
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    ssl-proxy server test
05-23-2012 05:00 AM
Thanks Chris. So for every real server I need a corresponding serverfarm entry with a virtual server?
Ex. I have 2 backend servers, one that responds on port 4400 and one that responds on port 5500.
Would this be the correct config?
rserver host server
  ip address 172.31.17.10
  inservice

serverfarm host server
  rserver server 4400
    inservice

rserver host server1
  ip address 172.31.17.11
  inservice

serverfarm host server1
  rserver server1 5500
    inservice
Also, how do I match on URL strings and forward to the appropriate backend web servers? This is how I am doing it on our older CSSs:
content decrypt_WEB TEST
  vip address 204.a.b.c
  add service WEB TEST
  protocol tcp
  port 8080
  url "//test.one.ca/*"
05-23-2012 05:58 AM
There is a conversion tool on the ACE that you can use to convert your CSS configuration to ACE. Simply go to http://xx.xx.xx.xx/bin/index, where xx.xx.xx.xx is your ACE's management IP address.
In regards to the serverfarm, you would put both real servers under the same serverfarm. You should not create a separate serverfarm.
Such as:
serverfarm host server
  rserver server 4400
    inservice
  rserver server1 4400
    inservice
To do the L7 url matching you would do
class-map type http loadbalance match-all url
  2 match http url /test.one.ca/.*

policy-map type loadbalance first-match test
  class url
    serverfarm FARM1
  class class-default
    serverfarm FARM2
This would send requests matching /test.one.ca/.* to farm 1 and everything else to farm2.
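Pulling the thread together, here is an added example (not the poster's or Chris's config) for the original question plus the follow-up: SSL terminated on the single VIP 192.168.10.1, a host mask so the VIP answers only on that address rather than the whole /24, the host part of the old CSS `//test.one.ca/*` rule expressed as an HTTP Host header match, and a cleartext backend leg (no `ssl-proxy client` under the loadbalance policy, since that would re-encrypt toward the servers). Key/cert names, farm names and the VLAN number are placeholders.

```cisco
! Real servers (constructed from the thread; 4400 and 5500 are the two backend ports)
rserver host server
  ip address 172.31.17.10
  inservice
rserver host server1
  ip address 172.31.17.11
  inservice

! One farm per port; port on the rserver line gives 443 -> 4400/5500 translation
serverfarm host FARM1
  rserver server 4400
    inservice
serverfarm host FARM2
  rserver server1 5500
    inservice

! Front-end SSL termination; RSAKEY/RSACERT are the placeholder names from the thread
ssl-proxy service test
  key RSAKEY
  cert RSACERT

! L7 match on the Host header (the host portion of the CSS "//test.one.ca/*" rule)
class-map type http loadbalance match-all host-one
  2 match http header Host header-value "test.one.ca"

! No "ssl-proxy client" here: the ACE-to-server leg stays cleartext as requested
policy-map type loadbalance first-match test
  class host-one
    serverfarm FARM1
  class class-default
    serverfarm FARM2

! Host mask (/32) so only 192.168.10.1:443 is accepted on this VIP
class-map match-all test
  2 match virtual-address 192.168.10.1 255.255.255.255 tcp eq https

policy-map multi-match vip
  class test
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    ssl-proxy server test

! Apply on the client-facing interface (VLAN 10 is a placeholder)
interface vlan 10
  service-policy input vip
```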