1303 Views, 0 Helpful, 7 Replies

SMTP on ACE

kalugotla1
Level 1

Need help in configuring SSL offload for sendmail

When users access the VIP, the VIP needs to communicate to the internet (Google) via the outbound external email (SMTP) smart host, and the host is outbounds.200.obsmtp.com

user to vip in HTTP

VIP to google(internet) need to be https.

Probe tcp PROBE_SMTP
description Google Probe
  port 25
  interval 10
  faildetect 5
  passdetect interval 15
  passdetect count 5
  receive 20

rserver host pin3
  ip address 161.247.133.15
  inservice
rserver host pin4
  ip address 161.247.133.16
  inservice

serverfarm host google
  predictor leastconns
  probe PROBE_SMTP
  rserver pin3
    inservice
  rserver pin4
    inservice

sticky ip-netmask 255.255.255.255 address source google_STICKY
  replicate sticky
  serverfarm google

class-map match-all google_class
  2 match virtual-address 161.247.133.10 tcp eq smtp

ssl-proxy service interceptorproxy
  key interceptorkey.pem
  cert entrustcert.txt
  chaingroup interceptor

class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match google_POLICY
  class class-default
    sticky-serverfarm google_STICKY

policy-map multi-match POLICY
  class google_class
    loadbalance vip inservice
    loadbalance policy google_POLICY
    loadbalance vip icmp-reply active
ssl-proxy service interceptorproxy
    nat dynamic 2 vlan 20

access-group input ALL
  nat-pool 2 161.247.133.10 161.247.133.10 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
  service-policy input POLICY

7 Replies

Daniel Arrondo Ostiz
Cisco Employee

Good morning,

What exactly are you trying to load-balance in this case? Is it HTTP/HTTPS or SMTP/SSMTP?

The reason I'm asking is that they are completely different protocols, so, in the case of HTTP, you could configure SSL initiation on the ACE so that the backend connection is encrypted with HTTPS, but that's not possible if the client traffic is SMTP.

Assuming you are using SMTP, why don't you use SSMTP also on the client side? Since you are not doing any kind of protocol inspection, you can simply forget about the application you are load-balancing and just load-balance it at L4 (which is what you are doing right now), so, load-balancing SMTP or SSMTP would be the same as far as the ACE is concerned.

Regards

Daniel

Daniel

Thanks for your response. In this scenario I will be load-balancing the SMTP traffic. Is there any specific config I need to consider for doing this?

Please let me know

It would be enough to delete the ssl-proxy service from your configuration and change the VIP to listen on the SSMTP port. All the rest can stay as it is now.

Regards

Daniel

Daniel

Sorry, I didn't get you. Can you let me know how to change my VIP to listen on the SSMTP port?

You mean I delete the SSL-proxy server completely? If I delete it, then how will the SMTP service be terminated via SSL? Sorry, I didn't get you.

Please help me

Good morning,

It would be as simple as changing the port on which you are listening.

I'm suggesting to delete the ssl-proxy because, since you are not doing any kind of L7 processing of the traffic, it doesn't really make sense to terminate and initiate SSL connections on it. It's better to just allow it to be done with the server directly.

Daniel

Daniel

Sorry, I posted the question wrong. The application team wants SMTP over SSL on the load balancers.

So when the Internet server communicates with the ACE using sendmail SMTP services, the load balancers need to terminate the SSL connection.

And when the servers respond back to the ACE, the ACE will send the SMTP to the Internet server securely.

So SSL will be done by ACE.

Let me know if I still need to delete the SSL proxy server config, or whether I need to add anything else.

Hi

My answer remains the same. It makes no sense to terminate the SSL connection on the ACE, because you are not going to do any L7 processing of the traffic.

You can still have SMTP over SSL, of course, but treating it as SSL traffic and doing L4 load-balancing for this traffic. To configure this, since you are not going to do SSL termination, you don't need the ssl-proxy on the ACE. Just the basic L4 load-balancing configuration is required.

Daniel
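As an added illustration of the L4 pass-through approach Daniel describes (this is example configuration, not code from any post in the thread or from Cisco): the original poster's VIP re-pointed at the SSMTP port with the ssl-proxy service dropped from the policy, so TLS is negotiated end to end between the remote mail server and the backend servers and the ACE only forwards an encrypted TCP stream. The port number 465 and the assumption that the rservers pin3/pin4 accept SMTP over SSL on that port are assumptions; the names reuse the ones already in the thread.

```text
! Added example (not the original poster's config): SMTP over SSL load-balanced at L4 on ACE.
! Assumes the backend servers pin3/pin4 listen for SMTP over SSL on TCP 465 (assumption).
probe tcp PROBE_SMTPS
  description SMTPS TCP probe
  port 465
  interval 10
  faildetect 5
  passdetect interval 15
  passdetect count 5
  receive 20
! A tcp probe only completes the TCP handshake: it confirms the port answers, not that a TLS
! session can be negotiated. The banner-based "receive" check of the original probe cannot be
! used here, because on port 465 the SMTP banner is only sent inside the TLS session.

serverfarm host google
  predictor leastconns
  probe PROBE_SMTPS
  rserver pin3
    inservice
  rserver pin4
    inservice

class-map match-all google_class
  2 match virtual-address 161.247.133.10 tcp eq 465

policy-map multi-match POLICY
  class google_class
    loadbalance vip inservice
    loadbalance policy google_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 20
! No "ssl-proxy service interceptorproxy" under the class: the ACE neither terminates nor
! initiates TLS, so the private key and certificate stay on the mail servers only.
```

With this layout the ACE cannot inspect or rewrite anything inside the session, which is exactly the trade-off Daniel points out: you give up L7 processing, but in return the ACE never holds the mail servers' private key and there is no clear-text SMTP hop between the load balancer and the servers. The sticky configuration and the management policy from the original post are unchanged and are omitted above for brevity.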
