03-26-2015 08:28 AM
Folks,
I have a scenario where ACE is load balancing connections to a bunch of Websense servers in a one-armed topology. ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name. Traffic then gets load balanced between the Websense servers. The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.
ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
So the problem I have is this:
How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number, i.e. tcp 8080.
The ACE hardware being used is ACE20-MOD-K9 - MODULE
I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.
I believe I am on the correct track. The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB.
I'm looking for ideas! I'm hopeful someone must have solved this problem previously!!
Regards,
Simon
03-26-2015 12:19 PM
Hi Simon,
Since you have HTTP and HTTPS, you definitely need to match them on two different ports. For HTTPS it can be the same VIP matching on 443 or 8443 etc. Whatever it may be, for ACE to insert X-Forwarded-For, ACE should be configured for SSL termination. Without it ACE cannot look at or insert anything in the HTTP header. If you need a configuration example for SSL termination please let me know.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
03-26-2015 02:44 PM
Hi Kanwal,
Thanks for taking the time to reply. On this occasion the requirement is to use a single IP address & tcp port for the VIP to handle both HTTP & HTTPS due to the web browser on each client PC being configured with the VIP DNS name and a single tcp port (although now I am thinking the configuration in Internet Explorer does support 'Advanced' configuration of an alternative port for 'Secure:' traffic).
The question remains - is it possible to use a single tcp port for both HTTP & HTTPS using L7 filtering, and how?
Regards,
Simon
03-26-2015 02:50 PM
Hi Simon,
The classification has to work on different ports. Whether the client types http or https doesn't matter to the client. His request will reach the VIP, which will classify the traffic based on port and protocol first, and then it can look into further detail to send the traffic to the appropriate serverfarm.
You can class-map match-any xxxxx
2 match virtual-address x.x.x.x tcp any
and then you configure further classification on the basis of L7 like url, header etc.
But again, you will still need SSL termination on ACE.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
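To illustrate Kanwal's point, here is a small added example (not ACE code, not from either poster) that shows what a proxy can and cannot do with a connection at the HTTP layer: for a plaintext HTTP request it can read the headers and insert X-Forwarded-For, but a TLS ClientHello is opaque, so without SSL termination there is no header to modify. It also shows the backend-side check a practitioner would want: trust X-Forwarded-For only when the TCP peer is a known proxy address, since any client can send its own copy of the header. The sample request bytes, the client address 198.51.100.7, the proxy address 10.0.0.5 and the assumption that the ACE is the only proxy in the path (so a client-supplied X-Forwarded-For is replaced rather than appended to) are all constructed for this example.

```python
import re

# Constructed sample input: a plaintext proxied HTTP request carrying a
# client-supplied X-Forwarded-For that the proxy must not trust.
PLAIN_HTTP_REQUEST = (
    b"GET http://example.test/index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Forwarded-For: 203.0.113.99\r\n"
    b"User-Agent: demo\r\n"
    b"\r\n"
)

# Constructed sample input: the start of a TLS record carrying a ClientHello.
# Record type 0x16 (handshake), record version 0x0301, then handshake bytes.
TLS_CLIENT_HELLO_PREFIX = (
    b"\x16\x03\x01\x00\x2a"          # TLS record header
    b"\x01\x00\x00\x26\x03\x03"      # handshake type ClientHello, length, version
    + b"\x00" * 32                   # client random (zeroed for the example)
)


def looks_like_tls(data):
    """True if the first bytes are a TLS record header (0x16, 0x03, 0x0N)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def looks_like_http(data):
    """True if the first line is an HTTP/1.x request line."""
    first_line = data.split(b"\r\n", 1)[0]
    return re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", first_line) is not None


def insert_xff(data, client_ip):
    """Proxy side: insert X-Forwarded-For into a plaintext HTTP request.

    Returns (bytes, status). For TLS data the bytes are returned unchanged,
    because the HTTP headers are inside the encrypted payload.
    """
    if looks_like_tls(data):
        return data, "tls-opaque"
    if not looks_like_http(data):
        return data, "unknown"
    head, sep, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    # Drop any client-supplied X-Forwarded-For: this proxy is assumed to be the
    # first hop, so the backend must only ever see the value set here.
    headers = [h for h in headers if not h.lower().startswith(b"x-forwarded-for:")]
    headers.append(b"X-Forwarded-For: " + client_ip.encode())
    return b"\r\n".join([request_line] + headers) + sep + body, "inserted"


def client_ip_seen_by_backend(peer_ip, request, trusted_proxies):
    """Backend side: use X-Forwarded-For only if the TCP peer is a trusted proxy.

    Otherwise the peer address itself is the client address, whatever the
    request headers claim.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            # Leftmost entry is the original client when the proxy wrote the header.
            return value.strip().split(b",")[0].strip().decode()
    return peer_ip


if __name__ == "__main__":
    forwarded, status = insert_xff(PLAIN_HTTP_REQUEST, "198.51.100.7")
    print(status, forwarded.decode().splitlines())
    print(insert_xff(TLS_CLIENT_HELLO_PREFIX, "198.51.100.7")[1])
    print(client_ip_seen_by_backend("10.0.0.5", forwarded, {"10.0.0.5"}))
    print(client_ip_seen_by_backend("192.0.2.1", PLAIN_HTTP_REQUEST, {"10.0.0.5"}))
```

The two halves go together: the proxy overwrites the header, and the backend reads it only from the proxy's own address. Terminating TLS on the ACE, as Kanwal describes, is what turns the "tls-opaque" case into the "inserted" case.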