
Using SSL Daughter card in CSM -S blade

jlhainy
Level 2

I am placing a new server farm behind my CSM -S and would like to utilize the SSL Daughter Card so that I only need one certificate for all of the servers.

I am using http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/SSLxple.html#wp1212539 as a guide.

I understand the basic concepts, but am a little fuzzy on the details.

I understand that in general, my Client vlan is where the SSL requests come from, then they go to the SSL daughter card and then from there, they are sent clear text to the real servers and the reverse happens on the return trip.

It is the SSL network config I am fuzzy on.  Can anyone help explain it in better detail?

4 Replies

stmccabe
Cisco Employee

The easiest way to explain the SSL offload feature card on the CSM-S is to provide an example:


Let's assume the following:

1 - www.example.com resolves to 192.168.78.35
2 - Client comes in on port 80.
3 - Client is redirected to come back on port 443 (HTTPS)
4 - Client is sent to SSL daughter card and SSL is terminated
5 - Clear text traffic is sent to another vserver on port 81 and load balanced to reals.


#====VLAN for servers you are frontending SSL offload for========
!
vlan 10 server
  description Server VLAN
  ip address 192.168.78.1 255.255.255.224
!
#===vlan client connections come in on==
!
vlan 20 client
  description Client VLAN
  ip address 192.168.78.34 255.255.255.240
  gateway 192.168.78.33
!
#===config to ensure we redirect any clients coming in on clear port 80 to 443 where csm is listening for ssl on==
!
serverfarm REDIRECT
  nat server
  no nat client
  redirect-vserver REDIRECT
    webhost relocation https://www.example.com/
    inservice
!
serverfarm REAL_SERVERS
  nat server
  no nat client
  real 192.168.78.2
    inservice
  real 192.168.78.3
    inservice
!
serverfarm SSL_DC
  no nat server
  no nat client
  real 192.168.78.36 local
    inservice
!
vserver VSERVER_80
  virtual 192.168.78.35 tcp 80
  serverfarm REDIRECT
  persistent rebalance
  inservice
!
### vserver where ssl offloaded flows are sent to.
!
vserver VSERVER_81
  virtual 192.168.78.35 tcp 81
  serverfarm REAL_SERVERS
  persistent rebalance
  inservice
!
vserver VSERVER_443
  virtual 192.168.78.35 tcp 443
  serverfarm SSL_DC
  persistent rebalance
  inservice
!
# ssl-proxy vlan - where ssl requests are sent down to the ssl card ====
!
ssl-proxy vlan 20
  ipaddr 192.168.78.36 255.255.255.240
  gateway 192.168.78.34
  admin
!
### client requests hit .35 ssl vip, are sent to ssl module, offloaded,
### then a new clear text tcp conn to port 81 is made to the vip and load balanced cleartext back==##
!
ssl-proxy service SSLACC
  virtual 192.168.78.35 protocol tcp port 443 secondary
  server ipaddr 192.168.78.35 protocol tcp port 81
  certificate rsa general-purpose trustpoint thawte.com
  inservice

HTH..
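An added consistency check for the chain in the reply above (my own example, not the poster's or Cisco's code): it reads the CSM-S and SSL card statements as indented blocks and follows the 443 VIP to the card and on to the port 81 vserver, raising ValueError wherever a hand-off does not line up (card IP not in the SSL serverfarm, no vserver behind the card's clear-text target). The config text is the reply's, re-typed; the block layout and the function names are assumptions.

```python
import re
# Constructed sample: the CSM-S and SSL daughter card statements from the reply
# above, re-typed with indentation so they can be parsed offline.
SAMPLE_CONFIG = """\
serverfarm REAL_SERVERS
  real 192.168.78.2
  real 192.168.78.3
serverfarm SSL_DC
  real 192.168.78.36 local
vserver VSERVER_81
  virtual 192.168.78.35 tcp 81
  serverfarm REAL_SERVERS
vserver VSERVER_443
  virtual 192.168.78.35 tcp 443
  serverfarm SSL_DC
ssl-proxy vlan 20
  ipaddr 192.168.78.36 255.255.255.240
ssl-proxy service SSLACC
  virtual 192.168.78.35 protocol tcp port 443 secondary
  server ipaddr 192.168.78.35 protocol tcp port 81
"""

def field(cfg, header, pattern):
    """Groups of the first match of pattern in the block whose header starts with header."""
    m = re.search(rf"^{re.escape(header)}[^\n]*\n((?:[ \t]+[^\n]*\n?)*)", cfg, re.M)
    hit = m and re.search(pattern, " ".join(m.group(1).split()))  # attributes joined by spaces
    if not hit:
        raise ValueError(f"'{header}': no line matching '{pattern}'")
    return hit.groups()

def trace_offload_chain(cfg):
    """Follow an HTTPS client from the 443 VIP through the SSL card to the reals; ValueError if mis-wired."""
    by_vip = {}                           # (vip, port) -> (vserver, serverfarm)
    for name in re.findall(r"^vserver (\S+)", cfg, re.M):
        ip, port = field(cfg, f"vserver {name}", r"virtual (\S+) tcp (\d+)")
        by_vip[(ip, port)] = (name, field(cfg, f"vserver {name}", r"serverfarm (\S+)")[0])
    card_ip = field(cfg, "ssl-proxy vlan", r"ipaddr (\S+)")[0]
    vip, vport = field(cfg, "ssl-proxy service", r"virtual (\S+) protocol tcp port (\d+)")
    sip, sport = field(cfg, "ssl-proxy service", r"server ipaddr (\S+) protocol tcp port (\d+)")
    for ip, port in ((vip, vport), (sip, sport)):   # both legs must land on a CSM vserver
        if (ip, port) not in by_vip:
            raise ValueError(f"no CSM vserver listens on {ip}:{port}")
    ssl_vs, ssl_farm = by_vip[(vip, vport)]
    (local_real,) = field(cfg, f"serverfarm {ssl_farm}", r"real (\S+) local")
    if local_real != card_ip:
        raise ValueError(f"{ssl_vs} sends SSL to {local_real}, but the card is at {card_ip}")
    clear_vs, clear_farm = by_vip[(sip, sport)]
    reals = re.findall(r"real (\S+)", field(cfg, f"serverfarm {clear_farm}", r"(real .*)")[0])
    return [f"{vip}:{vport} -> {ssl_vs}/{ssl_farm} -> ssl card {card_ip}",
            f"ssl card -> {sip}:{sport} -> {clear_vs}/{clear_farm}"] + reals
```

Running `trace_offload_chain(SAMPLE_CONFIG)` returns the two hand-offs followed by the reals the clear-text vserver balances to; changing the card's ipaddr or the port 81 target in the sample shows which piece the error points at.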

jlhainy
Level 2

So, in this example, your Client vlan and the vlan that is used for the SSL daughter card appear to be one and the same.  Does it have to be that way?  In the doc that I posted, that config example shows a 3rd network for the SSL card.

You would need to set it up in a way that fits the traffic profile.  So for example, in a two-armed mode you would need three vlans (Client, SSL offload VLAN and Server VLAN). In the example I provided I wanted to "simplify" how the ssl offload policy fits into the load balancing and forwarding policy for client to server traffic.

Well, I already have a working configuration where I have a 2 server serverfarm and it wasn't a big deal to just have the real servers host the certificates.  But now, I am adding a much bigger server farm with more nodes and wanted to look at this SSL card option.

I already have a client vlan with vservers and a server vlan.  It is the 3rd network with the ssl card that is throwing me off.  Now I have added one admin vlan to the ssl card so I can ssh into it, but that is all I have.
