12-21-2006 11:31 PM
I have the CSM11503 set up in a DMZ. HTTP is working fine to the servers, which are in a different subnet. However, I cannot get SSL to work to those same servers. Is there a trick to get it working? What am I overlooking?
Thanks
12-25-2006 03:13 AM
This is because for HTTP you do client NAT using the group, but you don't for SSL.
You should create a content rule to receive the decrypted traffic and use client NAT.
Try to replace the following 2 lines
ssl-server 21 cipher rsa-export1024-with-rc4-56-sha 10.131.155.39 7777
ssl-server 21 cipher rsa-export1024-with-des-cbc-sha 10.131.155.39 7777
with these
ssl-server 21 cipher rsa-export1024-with-rc4-56-sha 10.131.153.30 7777
ssl-server 21 cipher rsa-export1024-with-des-cbc-sha 10.131.153.30 7777
I believe it should work after that.
Gilles.
12-26-2006 11:23 PM
Thanks Gilles, I have tried that however it did not work. Perhaps there is an issue with the servers themselves?
12-27-2006 02:27 AM
Capture a sniffer trace to see if a response is coming back.
Are your servers really listening on port 7777?
Your config is not really standard.
A better way to do this would be to configure a service for port 80 and a service for port 7777 with tcp probe. So, at least we'll know if the servers are listening.
Then assign the port 80 service to your current HTTP content rule.
Then create a new content rule with same vip address but with tcp port 7777.
Assign the service with port 7777 to this content rule.
Keep ssl-proxy-list unchanged.
Capture 'show summary' before and after a test, and capture a sniffer trace on the client and the server simultaneously.
Gilles.
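The layout Gilles describes in the reply above (one service per back-end port with a TCP probe, one content rule per port on the same VIP, ssl-proxy-list untouched), written out as a CSS 11500-series configuration fragment. This is an added example, not configuration from the thread or from Cisco; the service and content-rule names, the single back-end server, and the owner name are assumptions, and the VIP 10.131.155.39 and server 10.131.153.30 are taken from the addresses quoted earlier in the thread. Anything beyond the two clear-text rules (the SSL-accelerator service and port 443 rule) is omitted, since the reply says to leave that part unchanged.

```text
! Constructed example: one service per back-end port, each with a TCP probe,
! so 'show service' (and 'show summary') reveals whether the server answers.
service dmz-web-80
  ip address 10.131.153.30
  port 80
  keepalive type tcp
  active

service dmz-web-7777
  ip address 10.131.153.30
  port 7777
  keepalive type tcp
  active

! Assumed owner name. Two content rules on the same VIP, split by TCP port:
! port 80 carries plain client HTTP, port 7777 receives the decrypted traffic
! that the (unchanged) ssl-proxy-list hands off to VIP:7777.
owner dmz-owner
  content http-80
    vip address 10.131.155.39
    protocol tcp
    port 80
    add service dmz-web-80
    active

  content http-7777-decrypted
    vip address 10.131.155.39
    protocol tcp
    port 7777
    add service dmz-web-7777
    active
```

With the probes in place, a service whose keepalive shows "dying" or "down" answers the "are the servers really listening on 7777?" question without a sniffer trace; if both services are "alive" and the SSL test still fails, compare 'show summary' hit counts before and after the test to see which rule, if any, the decrypted flow is reaching. The ssl-proxy-list is left exactly as the thread has it; note that the rsa-export1024-with-rc4-56-sha and rsa-export1024-with-des-cbc-sha suites named there are export-grade ciphers (56-bit RC4 and single DES) and would not be an acceptable choice for a new deployment.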