SSL termination on CSS, but have encrypted tunnel to servers?

chris.cell
Level 1

Hi all. I have looked for this, but can't find a clear answer so any assistance would be appreciated.

I have a new CSS 11506 with an SSL module I am about to implement; all current web-based applications are SSL. I was just told that data needs to be encrypted all the way from the client to the servers, zero clear text. I know I can set up backend servers with separate SSL connections (one from client to CSS, one from CSS to server).

My questions are:

1) Is each connection from the CSS to the servers separate? In other words, if I have 100 client connections, are there 100 SSL connections between the CSS and the server farm? This defeats SSL off-loading.

2) If the answer to #1 is yes, is there a way to have one encryption tunnel to each server and have HTTP traffic use that tunnel for client connections while still load balancing?

Basically, I want to offload the extra processing needed for SSL from the servers to the CSS module, but I also need to ensure encrypted traffic all the way from client to server at the same time.

One more wrinkle: I need sticky connections by cookie.

1 Reply

Gilles Dufour
Cisco Employee

Answer to 1 is yes.

The reason is that the CSS will spoof the client IP address, so the server still sees the connection as coming from the client and not the CSS.

The goal of SSL off-loading is to move the CPU-intensive encryption/decryption functionality from the server to the CSS.

In your case you still want SSL on the server, so there is no off-loading.

Answer to Q2.

The gain you would get by having one tunnel to each server is very little.

The reason is that the amount of traffic to be encrypted/decrypted by the servers would still be the same. The only gain is that you would reduce the amount of time spent negotiating keys and processing certificates, which is anyway reduced to a minimum by reusing the SSL session ID.

The only advantage of using an SSL module in your case is that the CSS now sees the traffic in clear text and is able to make load-balancing decisions on HTTP data [cookie, URL, ...].

Regards,

Gilles.