ACE 4710 in failover - ssl offload, cert for second ACE

Similar Messages

• ACE 4710 & SSL Offloading

  I testing the 4710 for load balancing between 2 web servers. I have the http portion working just fine but would like to get some input on the SSL portion.
  We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
  My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
  Description of the web application usage:
  Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

  Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
  Am I correct?

• ACE ssl offloading

  Hi,
  I need to configure ssl offloading so that user will send request on port 443 while ACE will so ssl offload so servers will handle http connection. my current config is as below(i haven't copied probe port80 here):
  rserver server1:80
  ip add 192.168.1.1
  inservice
  serverfarm secure-rediect-SF
    probe port80
    reserver server1:80
    inservice
  class-map match-any  secure-rediect-CM
    match virtual-address 10.10.1.1 tcp 80
  policy-map type loadbalance first-match  secure-rediect-PM
    class class-default
     sticky-serverfarm secure-rediect-SG
  policy-map multi-match LBR-LB
    class  secure-rediect-CM
     loadbalance vip inservice
     loadbalance policy secure-rediect-PM
     loadbalance vip icmp-reply
  could you help! how do I configure SSL offloading? what is required to configure it?

  Hello, Gavin
  Here you have some additional examples which might help you out:
  Admin# sh crypto files
  Filename                                 File  File    Expor      Key/
                                           Size  Type    table      Cert
  cert-test                                2088  PEM     Yes        CERT
  key-test                                 1675  PEM     Yes         KEY
  # crypto verify key-test cert-test
  Keypair in key-test matches certificate in cert-test
  Admin(config)# crypto chaingroup my-chaingroup
  Admin(config-chaingroup)# cert my-root
  Admin(config-chaingroup)# cert my-intermediate
  ACE-M2/Admin(config-chaingroup)# exit
  Admin# sh crypto chaingroup all
  chaingroup muflas contains:
  my-root
  my-intermediate
  (config)# ssl-proxy service my-ssl-proxy
  Admin(config-ssl-proxy)# chaingroup my-chaingroup
  Admin(config-ssl-proxy)# cert cert-test
  Admin(config-ssl-proxy)# key key-test 
  Admin(config-ssl-proxy)# end
  Then finally, your configuration should like this:
  interface vlan 100
    ip address 10.198.16.75 255.255.255.192
    access-group input Allow_Access
    nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
    service-policy input MGMT
    service-policy input my-multimatch
    no shutdown
  policy-map multi-match my-multimatch
    class vip
      loadbalance vip inservice
      loadbalance policy http
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 100
  class ssl
      loadbalance vip inservice
      loadbalance policy http
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 100
      ssl-proxy server my-ssl-proxy
  class-map match-all ssl
    2 match virtual-address 10.198.16.103 tcp eq https
  class-map match-all vip
    10 match virtual-address 10.198.16.103 tcp eq www
  policy-map type loadbalance http first-match http
    class class-default
      serverfarm http
  serverfarm host http  
    rserver 1-80 80
      inservice
    rserver 2-80 80
      inservice
  rserver host 1-80
    ip address 10.198.16.99
    inservice
  rserver host 2-80
    ip address 10.198.16.100
    inservice
  ssl-proxy service my-ssl-proxy
    key key-test
    cert cert-test
    chaingroup my-chaingroup
  Hope this helps!!!

• ACE SSL offloading troubleshooting

  Hi All,
  I need a help on trobleshooting ACE SSL offloading. Can anybody post the link to know about the commands for troubleshooting?
  Regards,
  Thiyagu

  Hi Thiyagu
  Have a read on the following link, what is the issue you are seeing?
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_SSL#Troubleshooting_ACE_SSL
  Regards Craig

• ACE SSL Reverse Proxy for multible URLs

  Hi,
  I am trying to setup an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what i know i have two options:
  1. Use different VIP for each URL and do
  L4 loadbalancing or use a
  combination of IP address and port.
  2. Use different VIP for each URL, do
  SSL offloading and do L7 URL based
  loadbalancing.
  So with these options i am bind to use different IPs for each site. Is there a way i can use one VIP and then offload SSL and do URL based loadbalancing? From my knowledge we are restricted by the nature of the SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts so there is no visibility of the HTTP header.
  Any comments appreciated
  George Georgiou

  Geroge,
  your understanding is absolutely correct.
  We need to know the site in order to decrypt te traffic because the certificate is associated to a domain name.
  But without decrypting, we can't see the domain name.
  So, the only way to know the domain without decrypting is to allocate a single ip to each domain.
  There is no other solution.
  Gilles.

• Using internal SSL Certs for Webview and Reskill (ICM 7.2.X)

  Hi,
  I would like to use corporate ssl certs for webview and reskill to avoid the user having to install the self signed certificate on the local machine. Has anyone any experience of this? Can it cause any unforseen problems?
  My plan for webview is to create the certificate request in IIS for the default website, use this csr to generate the cert, then complete it by uploading the certificate.
  For reskilling, I will assume I will have to do some command line stuff here ...
  eg: keytool -genkey -keyalg RSA -keystore hostname.key
  to create the key,
  keytool -certreq -keyalg RSA -keystore hostname.key -file hostname.csr
  to create the csr, and
  keytool -import -trustcacerts -alias tomcat -file hostname.cer -keystore hostname.key
  to import the new cert
  Suggestions or comments for anyone who has tried this before would be appreciated.
  Regards,
  Brian

  I've never done it on a version so old, but at the end of the day it's just IIS and Tomcat and importing an SSL cert is very standard.
  david

• How to setup SSL cert for SharePoint apps in a three tier farm with nlb

  I am having trouble understanding how to setup the SSL certificate on SharePoint apps or in general its configuration

  Please check the below thread..
  https://social.technet.microsoft.com/Forums/sharepoint/en-US/53465d30-10b2-48c9-9541-5ade738156b4/how-to-setup-ssl-cert-for-apps
  Don't forget to mark it as an Answer if it resolves your issue and Vote Me as helpful if it useful.
  Mahesh

• Cisco ACE SSL Offloading not working

  Dear All,
    I have configured SSL  offloading on ACE when i tried to test it from the PC i found that:
  1. when i try to test the SSL Offloading by   (https://192.168.69.110)  i can reach the main page on WEB1 but i can't open any virual directory or any link inside this server (ex: https://192.168.69.110/web).
  Thanks,
  Bader

  Hello Mohammed,
  The behavior which you are getting is totally expected since you are NOT matching the url.
  Why do not you try this?
  (config-cmap-http-lb)# class-map type http loadbalance match-all MATCH-URL
  (config-cmap-http-lb)# match http url /.*
  class-map type http loadbalance match-all MATCH-URL
    2 match http url /.*
  Also you can try this one instead of the one above, since this one will be more specific:
  class-map type http loadbalance match-all MATCH-URL
    2 match http url /web.*
  policy-map type loadbalance first-match WEB-SERVERS-LB
  class MATCH-URL
      sticky-serverfarm Sticky-WEB-SERVERS
  class class-default
      sticky-serverfarm Sticky-WEB-SERVERS
  Please mark it, if it fixes your issue.
  Jorge

• Cisco ACE - Exempt HTTP URL from SSL Offloading

  Hi,
  I have a cisco ACE module A2 (3.6). I am offloading url www.abc.com on cisco ACE. HTTP redirection to https is working & over https I am able to browse website perfectly. real servers are redirecting some pages over http.  Due to page redirection from webserver I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from ssl offloading. It is possible or as a work around i have to rewrite complete url www.abc.com as ssl port.
  Your inputs highly appreciated.
  Regards,

  Hi Masif,
  In case you have not gotten assistance with this one, you just need to specify the specific URL and match it on top of the loadbalance policy that is already doing the redirection.
  class-map type http loadbalance match-any No-Redirect
    2 match http url /docs/abc.aspx
  policy-map type loadbalance first-match ABC
    class No-Redirect
      serverfarm HTTP-Servers
    class class-default
      serverfarm Redirect
  Hope this helps.
  Pablo 

• SSL Offload Requests

  When using any loadbalancer, CSS, CSM or ACE and doing SSL offload, how does the request to the backend server get created? For example if the client requests https://secure.example.com/privatedata.html and that url is configured for SSL offload on the loadbalancer, it the request from the LB to the server just http://secure.example.com/privatedata.html ? What would the request look like if SSL offload and backend SSL are both configured? Are there methods to modify the default behavior on any of the platforms?
  TIA

  First you have to understand that a url is not sent the way you type it in http.
  So the request actually looks like this :
  GET /privatedata.html
  Host: secure.example.com
  This request is encrypted with SSL if you enter the url with HTTPS:// and is sent in cleartext if you don't use SSL.
  So, what the offloader will do is simply decrypt the traffic and whatever the request will send it in cleartext to the server ip address.
  The offloader can't change the content of the request. However, it can add some lines in the header.
  Also, instead of just transmitting in cleartext, the loadbalancer can re-encrypt so the communication between offloader and server is also SSL.
  Again, the request (see above) does not change.
  Gilles.

• 2 quest ssl offload and DR

  1. ssl offload - how do I secure clear text pwd sent from ACE to serverfarm?
  2. If 2 DR site say CA and UK, and CA has earthquake, can pair of ACE be design to keep website going in UK.

  Hi,
  1/ ACE can be configured to setup a second ssl tunnel and encrypt data between ACE and server. For more details:
  http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/initiate.html
  Is this what you are looking for?
  2/ Where are the ACEs? Are they load balancing traffic to servers in both CA and UK?
  --Olivier

• SSL Offloading - CA

  Hi
  I've a question about SSL offloading.
  According to the documentation on the web i need to generate a CRL (certification revocation list) to get a certificate from a CA.
  In our test environment we have a CA on a Microsoft Server.
  What i want to know is it possible to take this CRL from the ACE and import it in the CA to verify it, and afterwards copy the certificate back to the ACE?
  Thanks for your advice.
  cheers
  patrick

  I think that when you configure an appliance to perform SSL offloading you are actually setting up one or more logical secure servers whose SSL-related configurations reside in the appliance.
  For more information on SSL please click following URL:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/sca/v4.20/configuration/guide/SCA_AP_F.html#wp1004454

• Does ADFS work with SharePoint 2013 with WFEs SSL-offloaded to a F5 load balancer?

  Currently we are implementing a SharePoint 2013 Production environment with 2 WFEs load-balanced by F5.  SSL is offloaded to F5 and is currently working fine with Integrated Windows Authentication with NTLM.  We would like to implement ADFS 3.0
  later for Single Sign-on, and we are wondering if ADFS supports SSL offload.  
  Do we need to bind the certificate to the WFEs as well to use ADFS?  
  Thank you!

  Just got it confirmed that ADFS supports SSL offload.  There is no direct communication between SharePoint and ADFS server during the authentication process.  It is always the browser that's talking to ADFS server. We just need to do the following:
  Configure SharePoint URLs in ADFS as replying parties with https.
  Configure AAM in SharePoint to make sure internal URL is http and public URL is https.

• SSL Offloading and Certificate Errors

  I am attempting to offload SSL on an F5 load balancer.  I made the certificate request from the load balancer, procured the certificate from Entrust, and installed on the load balancer.  I then followed SSL Offloading TechNet instructions here:
  http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx.  My two CAS servers still have the self-signed certificates bound in IIS.  I am getting certificate
  errors when making RPC over HTTPs connections in Outlook and the self-signed certificate is popping up.
  My question is what do I do with the certificates on my 2 CAS servers?  Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS? 
  Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
  Or am I completely misunderstanding how this works and need to do something different entirely?
  Thanks in advance for any guidance.

  As I previously mentioned, I have already followed the SSL Offloading guide from technet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.) 
  Additionally I made sure SSL Offloading was enabled for Outlook Anywhere in Powershell.  See for example output of Get-OutlookAnywhere:
  RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
  ServerName                         : TSTEXCG2013
  SSLOffloading                      : True
  ExternalHostname                   : tstowa.XXXX.com
  InternalHostname                   : tstowa.XXXX.com
  ExternalClientAuthenticationMethod : Ntlm
  InternalClientAuthenticationMethod : Ntlm
  IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
  XropUrl                            :
  ExternalClientsRequireSsl          : True
  InternalClientsRequireSsl          : True
  MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
  Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
  ExtendedProtectionTokenChecking    : None
  ExtendedProtectionFlags            : {}
  ExtendedProtectionSPNList          : {}
  AdminDisplayVersion                : Version 15.0 (Build 847.32)
  Server                             : TSTEXCG2013
  AdminDisplayName                   :
  ExchangeVersion                    : 0.20 (15.0.0.0)
  Name                               : Rpc (Default Web Site)
  DistinguishedName                  : CN=Rpc (Default Web
                                       Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange
  Administrative
                                       Group (FYDIBOHF23SPDLT),CN=Administrative
  Groups,CN=XXX XXXX,CN=Microsoft
                                       Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
  Identity                           : TSTEXCG2013\Rpc (Default Web Site)
  Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
  ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
  ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
  WhenChanged                        : 7/10/2014 7:38:58 PM
  WhenCreated                        : 6/23/2014 2:54:36 PM
  WhenChangedUTC                     : 7/11/2014 12:38:58 AM
  WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
  OrganizationId                     :
  OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
  IsValid                            : True
  ObjectState                        : Changed

• CSS11500 SSL handling question for multiple url/FQDNs with the same ip address

  I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url.   For instance, I can set up www.cats.com and www.dogs.com at the same 192.168.35.12 address in DNS, and set up two different content rules:
  content cats
  vip address 192.168.35.12
  port 80
  url "//www.cats.com/*"
  add server cats1
  add server cats2
  active
  content dogs
  vip 192.168.35.12
  port 80
  url "//www.dogs.com/*"
  add server dogs1
  add server dogs2
  active.
  Easy and straightforward.
  But what if I want to add SSL handling for https://www.cats.com and https://www.dogs.com?
  I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.
  Can this be done?  Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service?  Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?
  Thanks in advance for any insights.

  Hi Tim,
  Unfortunately this is not possible; you can't associate multiple certificates to a single proxy list due to the fact that SSL handshake is done first with no visibility of the URL being requested, so the CSS won't know which public server to use in order to perform the traffic decryption.
  But there are a couple of options that you may want to look at (depending on the URL string)
  If your URLs are subdomains and you hold a wildcard SSL certficate to match multiple requests, i.e your domain being "pets.com" you can have a certficate that will match request for dogs.pets.com or cats.pets.com because the cert will be in the form *.pets.com
  The second option is SAN (Subject alternative names) certificates; which give you the option to include up to 4 flavors of the domain within the same file, such as pets.com, pets.net, www.1pets.com.
  I hope this helps.
  Pablo