ssl connection through a ACE , with dual certificates

Jan Loop · ‎11-16-2010

hi

i have a new setup with some ipsec challenges

i have a public certificate pointing the outside, and a internal on the servers

i have a new exchange enviroment and need to run ipsec between a client to a TMG server , where the trafic terminate andinitialte from the TMG further to a ACE cocntext, where it shall be load balanced and from the ace to the final serve(internal certificat) (offcourse with sticky sessions)

i have found this page http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/endtoend.htmlhttp://http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/endtoend.html

but seams to need a more visual example ,can anybody help

Jan

pablo.nxh · ‎11-16-2010

Hi Jan,

The config you need would depend on whether your TMG sends the traffic unencrypted to the ACE VIP or if it decrypts/encrypts the traffic prior sending it to the ACE.

If the traffic goes unencrypted you need a SSL initiation config where the traffic path is the following:

Client -->(Encrypted)---->TMG -->(decrypted)---->ACE-->(Encrypted)----> Server

Here is the wiki info for SSL initiation config on the ACE, if you need a bigger picture you can look for SSL initiation on the CSS as it is the same concept

http://xrl.us/bh75ys

Now if your TMG server decrypts the client traffic but it encrypts it again before it goes to the ACE then you need End-2-End SSL to make this work.

Client -->(Encrypted)---------->TMG------>(Encrypted)---->ACE-->(Encrypted)----> Server

(decrypted|encrypted)

Here is a good paper about end to end SSLdetails and t-shooting

http://xrl.us/bh75y6

HTH

__ __

Pablo