05-10-2011 10:13 PM
Need help in configuring SSL offload for sendmail
When users access the VIP, the VIP needs to communicate to the internet (Google) via the outbound external email (SMTP) smart host, and the host is outbounds.200.obsmtp.com.
user to VIP in HTTP
VIP to Google (internet) needs to be HTTPS.
probe tcp PROBE_SMTP
  description Google Probe
  port 25
  interval 10
  faildetect 5
  passdetect interval 15
  passdetect count 5
  receive 20

rserver host pin3
  ip address 161.247.133.15
  inservice
rserver host pin4
  ip address 161.247.133.16
  inservice

serverfarm host google
  predictor leastconns
  probe PROBE_SMTP
  rserver pin3
    inservice
  rserver pin4
    inservice

sticky ip-netmask 255.255.255.255 address source google_STICKY
  replicate sticky
  serverfarm google

class-map match-all google_class
  2 match virtual-address 161.247.133.10 tcp eq smtp

ssl-proxy service interceptorproxy
  key interceptorkey.pem
  cert entrustcert.txt
  chaingroup interceptor

class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match google_POLICY
  class class-default
    sticky-serverfarm google_STICKY

policy-map multi-match POLICY
  class google_class
    loadbalance vip inservice
    loadbalance policy google_POLICY
    loadbalance vip icmp-reply active
    ssl-proxy service interceptorproxy
    nat dynamic 2 vlan 20

access-group input ALL
nat-pool 2 161.247.133.10 161.247.133.10 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
service-policy input POLICY
05-11-2011 12:09 AM
Good morning,
What exactly are you trying to load-balance in this case? Is it HTTP/HTTPS or SMTP/SSMTP?
The reason I'm asking is that they are completely different protocols, so, in the case of HTTP, you could configure SSL initiation on the ACE so that the backend connection is encrypted with HTTPS, but that's not possible if the client traffic is SMTP.
Assuming you are using SMTP, why don't you use SSMTP also on the client side? Since you are not doing any kind of protocol inspection, you can simply forget about the application you are load-balancing and just load-balance it at L4 (which is what you are doing right now), so, load-balancing SMTP or SSMTP would be the same as far as the ACE is concerned.
Regards
Daniel
05-11-2011 04:47 AM
Daniel
Thanks for your response. In this scenario I will be load-balancing the SMTP traffic. Is there any specific config I need to consider for doing this?
Please let me know.
05-12-2011 02:15 AM
It would be enough to delete the ssl-proxy service server from your configuration and change the VIP to listen on the SSMTP port. All the rest can stay as it is now.
Regards
Daniel
05-12-2011 09:02 PM
Daniel
Sorry, I didn't get you. Can you let me know how to change my VIP to listen on the SSMTP port?
You mean I delete the SSL-proxy server completely? If I delete it, then how will the SMTP service be terminated via SSL? Sorry, I didn't get you.
Please help me.
05-13-2011 12:22 AM
Good morning,
It would be as simple as changing the port on which you are listening.
I'm suggesting to delete the ssl-proxy because, since you are not doing any kind of L7 processing of the traffic, it doesn't really make sense to terminate and initiate SSL connections on it. It's better to just allow it to be done with the server directly.
Daniel
05-13-2011 05:45 AM
Daniel
Sorry, I posted the question wrong, as the application team wants SMTP over SSL on the load balancers.
So when the Internet server communicates with the ACE using sendmail SMTP services, the load balancers need to terminate the SSL connection.
And the servers respond back to the ACE; the ACE will send the SMTP to the Internet server securely.
So SSL will be done by the ACE.
Let me know if I still need to delete the SSL proxy server config, or if I need to add anything else.
05-16-2011 06:34 AM
Hi
My answer remains the same. It makes no sense to terminate the SSL connection on the ACE, because you are not going to do any L7 processing of the traffic.
You can still have SMTP over SSL, of course, but treating it as SSL traffic and doing L4 load-balancing for this traffic. To configure this, since you are not going to do SSL termination, you don't need the ssl-proxy on the ACE. Just the basic L4 load-balancing configuration is required.
Daniel
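Daniel's suggestion written out as a config fragment (an added example, not configuration from the thread or from Cisco): the same rservers and VIP as the original post, with the ssl-proxy removed and the probe and VIP moved to the SSMTP port, assumed here to be 465 since the thread does not state the port number.

```cisco
! Added example, not from the thread: L4 passthrough of SMTP over SSL on port 465,
! with no ssl-proxy on the ACE. TLS is terminated by the back-end servers themselves.
! Addresses and names reuse the ones posted above; port 465 is the assumed SSMTP port.
probe tcp PROBE_SMTPS
  description SMTPS socket check (does not validate the TLS handshake)
  port 465
  interval 10
  faildetect 5
  passdetect interval 15
  passdetect count 5
  receive 20

rserver host pin3
  ip address 161.247.133.15
  inservice
rserver host pin4
  ip address 161.247.133.16
  inservice

serverfarm host google
  predictor leastconns
  probe PROBE_SMTPS
  rserver pin3
    inservice
  rserver pin4
    inservice

sticky ip-netmask 255.255.255.255 address source google_STICKY
  replicate sticky
  serverfarm google

! The VIP now listens on 465 instead of 25
class-map match-all google_class
  2 match virtual-address 161.247.133.10 tcp eq 465

policy-map type loadbalance first-match google_POLICY
  class class-default
    sticky-serverfarm google_STICKY

! No "ssl-proxy service ..." line in the class: the ACE forwards the encrypted
! stream untouched, so the server certificate and key live on pin3 and pin4.
policy-map multi-match POLICY
  class google_class
    loadbalance vip inservice
    loadbalance policy google_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 20
```

A TCP probe on 465 only confirms that the socket opens; with TLS terminated on pin3 and pin4, an expired certificate or a broken TLS stack on one server would not take it out of rotation, so the TLS handshake itself needs separate monitoring.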