2 questions: SSL offload and DR

1. SSL offload - how do I secure the clear-text password sent from the ACE to the serverfarm?
2. If there are 2 DR sites, say CA and UK, and CA has an earthquake, can a pair of ACEs be designed to keep the website going in the UK?

Hi,
1/ ACE can be configured to set up a second SSL tunnel and encrypt data between the ACE and the server. For more details:
http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/initiate.html
Is this what you are looking for?
2/ Where are the ACEs? Are they load balancing traffic to servers in both CA and UK?
--Olivier

Similar Messages

  • SSL Offloading and Certificate Errors

    I am attempting to offload SSL on an F5 load balancer.  I made the certificate request from the load balancer, procured the certificate from Entrust, and installed it on the load balancer.  I then followed the SSL Offloading TechNet instructions here:
    http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx.  My two CAS servers still have the self-signed certificates bound in IIS.  I am getting certificate errors when making RPC over HTTPS connections in Outlook and the self-signed certificate is popping up.
    My question is what do I do with the certificates on my 2 CAS servers?  Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS? 
    Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
    Or am I completely misunderstanding how this works and need to do something different entirely?
    Thanks in advance for any guidance.

    As I previously mentioned, I have already followed the SSL Offloading guide from TechNet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.)
    Additionally, I made sure SSL Offloading was enabled for Outlook Anywhere in PowerShell.  See for example the output of Get-OutlookAnywhere:
    RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
    ServerName                         : TSTEXCG2013
    SSLOffloading                      : True
    ExternalHostname                   : tstowa.XXXX.com
    InternalHostname                   : tstowa.XXXX.com
    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
    XropUrl                            :
    ExternalClientsRequireSsl          : True
    InternalClientsRequireSsl          : True
    MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
    Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
    ExtendedProtectionTokenChecking    : None
    ExtendedProtectionFlags            : {}
    ExtendedProtectionSPNList          : {}
    AdminDisplayVersion                : Version 15.0 (Build 847.32)
    Server                             : TSTEXCG2013
    AdminDisplayName                   :
    ExchangeVersion                    : 0.20 (15.0.0.0)
    Name                               : Rpc (Default Web Site)
    DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXX XXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
    Identity                           : TSTEXCG2013\Rpc (Default Web Site)
    Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
    ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                        : 7/10/2014 7:38:58 PM
    WhenCreated                        : 6/23/2014 2:54:36 PM
    WhenChangedUTC                     : 7/11/2014 12:38:58 AM
    WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
    OrganizationId                     :
    OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
    IsValid                            : True
    ObjectState                        : Changed

  • ACE 4710 & SSL Offloading

    I am testing the 4710 for load balancing between 2 web servers. I have the HTTP portion working just fine but would like to get some input on the SSL portion.
    We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
    My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
    Description of the web application usage:
    Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

    Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
    Am I correct?

  • SSL Offload Requests

    When using any load balancer, CSS, CSM or ACE, and doing SSL offload, how does the request to the backend server get created? For example, if the client requests https://secure.example.com/privatedata.html and that URL is configured for SSL offload on the load balancer, is the request from the LB to the server just http://secure.example.com/privatedata.html ? What would the request look like if SSL offload and backend SSL are both configured? Are there methods to modify the default behavior on any of the platforms?
    TIA

    First you have to understand that a URL is not sent the way you type it in HTTP.
    So the request actually looks like this:
    GET /privatedata.html
    Host: secure.example.com
    This request is encrypted with SSL if you enter the URL with https:// and is sent in cleartext if you don't use SSL.
    So, what the offloader does is simply decrypt the traffic and, whatever the request is, send it in cleartext to the server IP address.
    The offloader can't change the content of the request. However, it can add some lines to the header.
    Also, instead of just transmitting in cleartext, the load balancer can re-encrypt so the communication between offloader and server is also SSL.
    Again, the request (see above) does not change.
    Gilles.

  • ACE 4710 in failover - ssl offload, cert for second ACE

    Hi,
    I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
    At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
    Now I would like to move further and configure ssl offload and configure High availability.
    I read that the certificate for SSL can be locally generated on the ACE device but I couldn't find any information regarding the cert that should be used on the second ACE.
    Should I generate a new cert on the standby unit or somehow use the one on the first ACE?
    Is it better to first set up high availability and then configure ssl offload or vice versa?
    Does anyone have a config example of ssl offload and active/standby configuration?
    Thank you in advance.

    You simply need to generate the key and CSR on the primary ACE. Export the key from the primary ACE, import it on the standby ACE, and once you receive the cert from the CA simply import the cert on both ACEs.
    Following are the steps to achieve that.
    On the primary ACE:
    1. Create the RSA key
    crypto generate key 2048 app1.key
    2. Create the CSR parameters
    ace/Admin(config)# crypto csr-params app1-csr
    ace/Admin(config-csr-params)# common-name www.app1.com
    ace/Admin(config-csr-params)# country US
    ace/Admin(config-csr-params)# email [email protected]
    ace/Admin(config-csr-params)# locality xyz
    ace/Admin(config-csr-params)# organization-name xyz
    ace/Admin(config-csr-params)# organization-unit xyz
    ace/Admin(config-csr-params)# state CA
    ace/Admin(config-csr-params)# serial-number 1234
    ace/Admin(config-csr-params)# end
    3. Generate the CSR and send it to the CA
    ace/Admin(config)# crypto generate csr app1-csr app1.key
    (copy the result to a file)
    4. Import the certificate received from the CA
    crypto import terminal app1.cert
    (paste the content of the cert)
    5. Verify that the cert and key match
    crypto verify app1.key app1.cert
    6. Export the key from the active ACE (to the terminal, so it can be copied)
    crypto export app1.key terminal
    (copy the result to a file)
    On the standby ACE:
    1. Import the key
    crypto import terminal app1.key
    2. Import the cert
    crypto import terminal app1.cert
    3. Verify that the cert and key match
    crypto verify app1.key app1.cert
    Hope this helps
    Syed

  • Does ADFS work with SharePoint 2013 with WFEs SSL-offloaded to a F5 load balancer?

    Currently we are implementing a SharePoint 2013 Production environment with 2 WFEs load-balanced by F5.  SSL is offloaded to F5 and is currently working fine with Integrated Windows Authentication with NTLM.  We would like to implement ADFS 3.0 later for Single Sign-on, and we are wondering if ADFS supports SSL offload.
    Do we need to bind the certificate to the WFEs as well to use ADFS?  
    Thank you!

    Just got it confirmed that ADFS supports SSL offload.  There is no direct communication between SharePoint and the ADFS server during the authentication process.  It is always the browser that's talking to the ADFS server. We just need to do the following:
    Configure the SharePoint URLs in ADFS as relying parties with https.
    Configure AAM in SharePoint to make sure the internal URL is http and the public URL is https.

  • How to pass client IP address via CSS with SSL offload?

    Hello,
    We use a Cisco CSS 11501S to do the SSL offload of web servers in one-armed mode. So we have to SNAT the client IP in order to guarantee the correct return path via the CSS. In this case the web server can see only the IP address of the VIP used for SNAT. Is there a way to pass the customer's IP to the web server, i.e. insert a customized HTTP header, something like HTTP_REMOTEADDRESS:<IP address of the client>, similar to what is possible with a BIG-IP device for instance?
    Second question if there is a way to get from the CSS access log data similar to what we have in Apache access.log file to be used by Webalizer or similar application to analyze web traffic.

    Scott,
    if you're not doing src nat, the css will spoof the client ip and therefore, there is no need to save the client ip in the http header.
    Gilles.
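    The two answers above (Gilles on what the decrypted request looks like, and the question about inserting the client IP as a header when the CSS source-NATs) describe the same mechanism. The following Python model is an added example written for this page, not code from the thread or from Cisco: it shows the request line and Host header passing through an offloader unchanged, the only change being headers the offloader adds, and the check the real server must do before believing such a header. The request bytes, the client address 203.0.113.7 and the load balancer's SNAT address 192.0.2.10 are constructed sample values; the header names X-Forwarded-For and X-Forwarded-Proto are the conventional ones, not something the CSS or ACE inserts by default.

```python
"""Model of the HTTP layer of an SSL offloader (added example, not Cisco code).

After the load balancer decrypts the client's TLS session it forwards the
request line and headers unchanged to the real server; the only thing it
may do is add headers. Here it adds X-Forwarded-For (the client IP that is
otherwise lost when the LB source-NATs) and X-Forwarded-Proto (so the
application knows the client actually used HTTPS).
"""
from __future__ import annotations

# Constructed sample request: the bytes found inside the TLS session when
# the client asked for https://secure.example.com/privatedata.html.
# The X-Forwarded-For line is client-supplied and must not be trusted.
CLIENT_REQUEST = (
    b"GET /privatedata.html HTTP/1.1\r\n"
    b"Host: secure.example.com\r\n"
    b"User-Agent: example-browser/1.0\r\n"
    b"X-Forwarded-For: 10.9.9.9\r\n"
    b"\r\n"
)

# Headers the offloader owns: anything the client sent under these names
# is dropped, so a client cannot spoof its own address or scheme.
OFFLOADER_HEADERS = {"x-forwarded-for", "x-forwarded-proto"}


def parse_request(raw: bytes) -> tuple[str, list[tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into request line, header pairs and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def offload(raw: bytes, client_ip: str, client_used_tls: bool) -> bytes:
    """Return the cleartext request the offloader sends to the real server.

    The request line and Host header pass through untouched, which is why
    the server still sees 'GET /privatedata.html' with
    'Host: secure.example.com' although the URL the user typed began with
    https://. Re-encrypting towards the server (backend SSL) would wrap
    these same bytes in a second TLS session and change nothing here.
    """
    request_line, headers, body = parse_request(raw)
    kept = [(n, v) for n, v in headers if n.lower() not in OFFLOADER_HEADERS]
    kept.append(("X-Forwarded-For", client_ip))
    kept.append(("X-Forwarded-Proto", "https" if client_used_tls else "http"))
    head = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept)
    return head.encode("iso-8859-1") + b"\r\n" + body


def client_ip_for_server(peer_ip: str, headers: list[tuple[str, str]],
                         trusted_proxies: set[str]) -> str:
    """Address the real server should log: the X-Forwarded-For value, but
    only when the TCP peer is the offloader itself. A direct connection
    carrying a forged X-Forwarded-For is logged as its peer address."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            return value.split(",")[-1].strip()
    return peer_ip


if __name__ == "__main__":
    forwarded = offload(CLIENT_REQUEST, "203.0.113.7", client_used_tls=True)
    print(forwarded.decode("iso-8859-1"))
    _, hdrs, _ = parse_request(forwarded)
    # 192.0.2.10 is the constructed SNAT address of the load balancer.
    print(client_ip_for_server("192.0.2.10", hdrs, {"192.0.2.10"}))
```

    The server-side check is the part people forget: once the web server trusts X-Forwarded-For, it must trust it only from the load balancer's SNAT address, otherwise anyone who can reach the server directly can log in with whatever "client IP" they like.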

  • CSS11501 SSL offload help..

    Hi all,
    I have the attached config where basically I want to have 2 VIPs so that for port 80, it just forwards to the servers. For 443, it should offload the SSL and send it cleartext to port 7778 (for VIP 206.83.206.68) and to port 7777 (for VIP 206.83.206.69).
    SSL handshaking starts between the browser and the SLB and seems to complete OK, but there seems to be nothing going on between the SLB and the server... I suspect my configuration is not right for the SSL offload part...
    Can anyone help?
    Sam

    Sam,
    from your config, it looks like you use a source group to do client nat.
    This group applies to your HTTP content rules.
    However, you have no group for the SSL rules.
    If a group is required for HTTP traffic to guarantee that the server response comes back to the CSS, I believe a group should be necessary for SSL traffic as well.
    Now, the tricky part is that you go directly from the SSL module to the server.
    We usually send the decrypted traffic to another vip on the CSS and from that vip the CSS loadbalances the traffic to the server.
    Client nat is usually then applied on the decrypted content rule.
    So, I would suggest to apply a config as described above. You could for example replace the line :
    ssl-server 30 cipher rsa-with-3des-ede-cbc-sha 206.83.206.69 7777
    with
    ssl-server 30 cipher rsa-with-3des-ede-cbc-sha 206.83.206.100 7777
    Let me know if this works and thanks in advance for rating this answer.
    Gilles.

  • SSL Offloading

    hello 
    I have a confusion. When we are talking about load balancing we hear about SSL offload. Do we need to configure it on Exchange or on the load balancer, or is it enabled by default on Exchange?
    regards 

    SSL Offloading means that the load balancer or web publishing device decrypts the SSL messages ahead of the Exchange server.  Whether you use it or not is between you and your network people.  The main reason I don't recommend it is that you generally want to re-encrypt the traffic between the load balancer and the Exchange server anyway, so it doesn't help with performance.  A good reason for using it is that the web publishing device can inspect the contents of the packets.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Cisco ACE - Exempt HTTP URL from SSL Offloading

    Hi,
    I have a Cisco ACE module A2 (3.6). I am offloading the URL www.abc.com on the Cisco ACE. HTTP redirection to HTTPS is working and over HTTPS I am able to browse the website perfectly. The real servers are redirecting some pages over HTTP.  Due to the page redirection from the web server I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from SSL offloading. Is it possible, or as a workaround do I have to rewrite the complete URL www.abc.com to the SSL port?
    Your inputs highly appreciated.
    Regards,

    Hi Masif,
    In case you have not gotten assistance with this one, you just need to specify the specific URL and match it on top of the loadbalance policy that is already doing the redirection.
    class-map type http loadbalance match-any No-Redirect
      2 match http url /docs/abc.aspx
    policy-map type loadbalance first-match ABC
      class No-Redirect
        serverfarm HTTP-Servers
      class class-default
        serverfarm Redirect
    Hope this helps.
    Pablo 

  • SSL offloading - Backend Server problem.

    I am configuring SSL offloading for the first time. After configuring my CSS 11503 to do the offloading I discovered I can still access the secure web page through a normal HTTP request from the public internet (as opposed to HTTPS). What is the best and easiest way to stop this from happening?

    The solution is to use a redirect from HTTP to HTTPS
    You can let the server do the redirect or configure the CSS with a redirect service.
    More info at
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080094068.shtml
    Gilles.
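    Three replies in this list describe pieces of one policy: the ACE 4710 discussion (the offloader answers a plain-HTTP request with a redirect so the browser comes back over HTTPS), Pablo's first-match policy that exempts one URL from that redirect, and Gilles's answer above that a redirect is what stops the site being reachable over plain HTTP after offloading. The following Python model is an added example written for this page, not Cisco code or a configuration from the thread; it evaluates the classes in the same first-match order and builds the 301 response. The hostnames, the exempt path and the serverfarm names are constructed for the example, and the allowed-host check is a caveat added here: building the Location header blindly from the client's Host header turns the redirect into an open redirect.

```python
"""First-match redirect policy for an SSL offloader (added example, not Cisco code).

Cases are evaluated in order, like an ACE first-match policy: a URL
exempted from the HTTPS redirect is served over plain HTTP, any other
plain-HTTP request is answered with a redirect to https://, and decrypted
HTTPS traffic is forwarded to the real servers.
"""
from __future__ import annotations

import re

# Canonical site name and the hosts a redirect may point at. Unknown
# Host values are mapped to the canonical name so the redirect cannot be
# pointed at an attacker's site.
CANONICAL_HOST = "www.abc.com"
ALLOWED_HOSTS = {"www.abc.com", "abc.com"}

# Paths that must stay on plain HTTP (the web server itself redirects to
# them over http://, so forcing HTTPS there would loop). Checked first,
# like a 'No-Redirect' class placed ahead of class-default.
EXEMPT_PATHS = [re.compile(r"^/modules/docs/abc\.aspx$")]


def decide(scheme: str, host: str, target: str) -> tuple[str, str]:
    """Return (action, argument): ('serverfarm', name) or ('redirect', url).

    scheme is 'http' for a request that arrived on the port-80 VIP and
    'https' for one decrypted from the port-443 VIP; target is the
    request-target from the request line (path plus optional query).
    """
    path = target.split("?", 1)[0]
    for rx in EXEMPT_PATHS:
        if rx.match(path):
            return ("serverfarm", "HTTP-Servers")
    if scheme != "https":
        redirect_host = host if host in ALLOWED_HOSTS else CANONICAL_HOST
        return ("redirect", f"https://{redirect_host}{target}")
    return ("serverfarm", "HTTPS-Offloaded-Servers")


def redirect_response(location: str) -> bytes:
    """Bytes the load balancer answers with instead of forwarding the request."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF in redirect target")  # header-injection guard
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("iso-8859-1")


if __name__ == "__main__":
    for case in [("http", "www.abc.com", "/modules/docs/abc.aspx"),
                 ("http", "www.abc.com", "/login?next=home"),
                 ("https", "www.abc.com", "/login"),
                 ("http", "evil.example", "/")]:
        action, arg = decide(*case)
        print(case, "->", action, arg)
        if action == "redirect":
            print(redirect_response(arg).decode("iso-8859-1"))
```

    Order is the whole point: if the exemption class sat below the redirect class it would never be reached, which is exactly the "match it on top of the loadbalance policy" advice Pablo gave.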

  • SSL Offloading - CA

    Hi
    I've a question about SSL offloading.
    According to the documentation on the web I need to generate a CRL (certificate revocation list) to get a certificate from a CA.
    In our test environment we have a CA on a Microsoft Server.
    What i want to know is it possible to take this CRL from the ACE and import it in the CA to verify it, and afterwards copy the certificate back to the ACE?
    Thanks for your advice.
    cheers
    patrick

    I think that when you configure an appliance to perform SSL offloading you are actually setting up one or more logical secure servers whose SSL-related configurations reside in the appliance.
    For more information on SSL please click following URL:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/sca/v4.20/configuration/guide/SCA_AP_F.html#wp1004454

  • Cannot access to any site with ssl connection and fail to open safari and keychain, unless restart computer and login in with Guest account.

    When I updated to 10.7.2, I cannot access any site with an SSL connection and Safari and Keychain fail to open, unless I restart the computer and log in with the Guest account.
    OS:10.7.2
    Macbook Pro 2010-mid 13inch

    I also have the same problem, however if I use Firefox or Opera sites with ssl connection work fine. Still, I can't use Google Chrome (ssl), Safari (ssl), the Mac app store (generally), or the iTunes store (generally). Both the iTunes store, Safari and the app store won't respond, and Chrome displays this error: (net::ERR_TIMED_OUT). The problem persists regardless of what network I'm using. Also, when trying to access the keychain or iCloud, the process will not start (will hang). I didn't have these problems at all before updating to 10.7.2.
    Sometimes rebooting helps, and sometimes not. If the problem disappears by rebooting, then it only lasts a few minutes before it reappears. It is very frustrating, especially since there doesn't seem to be any obvious or consistent way of which to fix it.
    I'm also using a Macbook Pro 13-inch mid 2010.

  • SSL certificates and Web Services Usage inside Oracle Database Questions!

    We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
    Service1 is already working, and we can call the service from PL/SQL without troubles.
    However, according to the client's security policies, all Web services must be consumed via HTTPS, including Service1, so we must follow the procedure established by Oracle in order to enable calling Service1 via HTTPS from the Database.
    Our client's DBA and IT Team are concerned about two subjects before continuing with the certificate installation:
         - SSL Certificates:
    1- Can certificates installed in the Database put the stability of the database at risk?
    2- Can certificates installed in the Database generate performance issues?
    3- Can installed certificates require reloading the Databases?
    4- Can certificates installed in the Database generate security issues?
         - Web services:
    1- Can web services calling from the Database put in risk the stability of the database?
    2- Can web services calling from the Database generate performance issues?
    3- Can web services calling from the Database generate security issues in the DMZ?
    Could you please give us any clues about the possible negative impact related to SSL certificates and Web Services usage inside the Oracle Database, if such an impact exists?
    Those are the links describing the procedure mentioned above.
    1 -http://www.kotti.es/2009/11/oracle-wallet/
    DB: Oracle 9i.
    Average number of lines in file: 300
    Periodicity: Twice at day.

    Thiago:
    You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
    I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
    http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
    Regards,
    Jason

  • SSL Accelerators and WLS???

    The web applications that I'm being asked to build will involve heavy
    use of SSL encryption thoughout. In fact, most of the user interactions
    will be handled over an SSL connection. I know what heavy SSL traffic
    can do to CPU utilization...
    One of the architectural components that we are considering is the use
    of hardware SSL accelerators. We're considering this as a way to make
    the user interaction snappier and to support more concurrent users on a
    single web/app server.
    The one that we are considering is nFast from http://www.ncipher.com/.
    It supports Netscape Enterprise on Solaris, which is our probable
    development/deployment environment. This would, of course, preclude us
    from using WLS as the web server.
    Question #1: In heavily SSL-ified web applications, does BEA recommend
    the use of an external web server, or will WLS-as-http-server handle the
    job just as well as NES? What experiences have people had using
    WLS-as-http-server in SSL-intensive environments?
    Question #2: Are there any SSL accelerator products out there that
    support the WLS HTTP server? I doubt there are, but it couldn't hurt to
    ask.
    Question #3: By using an external web server (NES on Solaris, for
    example) is there a noticeable decrease in servlet performance due to the
    fact that your servlets are now running in a separate process?
    Thanks for your feedback,
    jason

    We are using this box in production. It's very simple, it significantly
    increases load times, and it simplifies the backend architecture since you
    won't have to worry about https; every request is turned into an http
    request. It's around 13K, but I would think the benefits are worth the money
    for anything but lightly loaded sites.
    -eric
    [email protected]
    "Herman Burema" <[email protected]> wrote in message
    news:[email protected]..
    Intel seems to have an interesting product. It's called Intel NetStructure
    7180 e-Commerce Director. It's a bit pricey. Please let me know if anyone knows
    an alternative.
    http://www.intel.com/network/products/director_7180.htm
    Russell Castagnaro wrote:
    Aren't there some products that just do all of the SSL and the server
    just
    acts like a standard http server??
    Bryan O'Sullivan wrote:
    j> me 4
    We are aware that customers want this feature, don't worry. The
    problem is that the integration between Java SSL products and hardware
    from vendors like Rainbow and NCipher is immature at the moment, so
    it's a lot of work for us to get this done.
    It is pretty high on our list, though, so you will see something just
    as soon as we've built and tested it.
    Let us pray:
    What a Great System.
    Please Do Not Crash.
    Russell Castagnaro
    Chief Mentor
    SyncTank Solutions
    http://www.synctank.com
    Earth is the cradle of mankind; one does not remain in the cradle forever
    -Tsiolkovsky
