ACE as Proxy

Similar Messages

• Using ACE for proxy server load balancing

  Hello groups,
  I wanted to know your experiences of using ACE for proxy server load balancing.
  I want to load balance to a pool of proxy servers. Note: load-balancing should be based on the HTTP URL (i can't use source or dest. ip address) so that
  a certain domain always gets "cached/forwarded" to the same proxy server. I don't really want to put matching
  criteria in the configuration (such as /a* to S1, /b* to S2, /c* to S3,etc..), but have this hash calculated automatically.
  Can the ACE compute its own hash based on the number of "online" proxy servers ? ie. when 4 servers are online, distribute domains between 1,2,3,4 evenly.
  Should server 4 fail, recalculate hash so that the load of S4 gets distributed across the other 3 evenly. Also load-balancing domains of S1 ,S2 and S3 should not change if S4 fails.....
  regards,
  Geert

  This is done with the following predictor command:
  Scimitar1/Admin# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Scimitar1/Admin(config)# serverfarm Proxy
  Scimitar1/Admin(config-sfarm-host)# predictor hash ?
    address         Configure 'hash address' Predictor algorithms
    content         Configure 'hash http content' Predictor algorithms
    cookie          Configure 'hash cookie' Predictor algorithms
    header          Configure 'hash header' Predictor algorithm
    layer4-payload  Configure 'hash layer4-payload' Predictor algorithms
    url             Configure 'hash url' Predictor algorithm
  Scimitar1/Admin(config-sfarm-host)# predictor hash url
  It does hash the url and the result takes into account the number of active proxies dynamically.
  This command has been designed for this kind of scenario that you describe.
  Gilles.

• Ace ssl-proxy problem, Online store.

  Hello!
  I have a problem with moving our online store loadbalancing to a Cisco ACE solution from Windows NLB that it runs on now. And also relive the servers from the ssl encrypt and decrypting of sessions.
  The load balancing works', as long the session is Http, but when the "customer" comes to the point that i is going to pay. Our shop is jumping over to HTTPs and this is where the problem appear.
  The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
  If i have missed something in the config or if someone have any other idea why this dont work for me..
  Appreciate any help!
  My config:
  (at the moment only web5 is in use)
  ACE-1/CO-WEB1# show run
  access-list ANY line 10 extended permit ip any any
  access-list icmp line 8 extended permit icmp any any
  probe http PROBE-HTTP
  interval 3
  passdetect interval 10
  passdetect count 2
  expect status 200 200
  expect status 300 323
  parameter-map type ssl SSLPARAMS
  cipher RSA_WITH_RC4_128_MD5
  rserver host vmware-server1
  description testserver1
  ip address 219.222.4.180
  probe PROBE-HTTP
  inservice
  rserver host vmware-server2
  description testserver 2
  ip address 219.222.4.181
  probe PROBE-HTTP
  inservice
  rserver host web5
  description testserver from windows nlb
  ip address 219.222.4.185
  probe PROBE-HTTP
  inservice
  ssl-proxy service SSL-PROXY-SE
  key cert-se.key
  cert cert-se.pem
  ssl advanced-options SSLPARAMS
  serverfarm host WM-ware_servers
  rserver vmware-server1
  inservice
  serverfarm host webtest
  description testserver-farm
  predictor leastconns
  rserver vmware-server1 80
  rserver vmware-server2 80
  rserver web5
  inservice
  sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
  timeout 60
  serverfarm webtest
  class-map match-all VIP-HTTP
  2 match virtual-address 219.222.4.178 tcp eq www
  class-map match-all VIP-HTTPS
  2 match virtual-address 219.222.4.178 tcp eq https
  class-map type management match-any icmp
  description for icmp reply
  2 match protocol icmp any
  policy-map type management first-match icmp
  class icmp
  permit
  policy-map type loadbalance first-match VIP-HTTP
  class class-default
  sticky-serverfarm STICKY-GROUP1
  policy-map type loadbalance first-match VIP-SSL
  class class-default
  serverfarm webtest
  policy-map multi-match SLB-VIP-HTTP
  class VIP-HTTP
  loadbalance vip inservice
  loadbalance policy VIP-HTTP
  loadbalance vip icmp-reply
  class VIP-HTTPS
  loadbalance vip inservice
  loadbalance policy VIP-SSL
  loadbalance vip icmp-reply
  ssl-proxy server SSL-PROXY-SE
  interface vlan 21
  description ### ACE OUTSIDE mot FW ###
  ip address 219.222.4.171 255.255.255.240
  access-group input ANY
  access-group output ANY
  service-policy input icmp
  service-policy input SLB-VIP-HTTP
  no shutdown
  interface vlan 22
  description ### ACE INSIDE Gateway for Web-servers ###
  ip address 219.222.4.177 255.255.255.240
  access-group input ANY
  access-group output ANY
  service-policy input icmp
  no shutdown
  ip route 0.0.0.0 0.0.0.0 219.222.4.161
  ACE-1/CO-WEB1#
  as seen in "show conn" the sessions is established, first when i enter site, and go to payment (jumping over to SSL):
  ACE-1/CO-WEB1# show conn
  total current connections : 4
  conn-id np dir proto vlan source destination state
  ----------+--+---+-----+----+---------------------+---------------------+------+
  4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
  14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
  11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
  3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
  ACE-1/CO-WEB1#

  Hello Krille
  i had the same problem.
  The HTT Probe you define will do a check if
  the return code is
  expect status 200 200
  expect status 300 323
  Now if a user is accessing the hppts site, in the flow there will be an expect status like 404, the ACE now is not establish an sticky connection, cause it think that the flow is not ok.
  The only output after ther Certificates is a blank site.
  If you change the Probing to ICMP you will be able to access the https site and the connection is sticky. With a litte tool like IE Watch you will be able to see the wrong Status codes.
  regards
  eberhard

• ACE Reverse Proxy question

  Hello, I have a client that needs to reverse proxy sessions to two backend servers. Can the ACE preform reverse proxies?

  Gregg,
  you need to create an action-list and assign it to your policy-map
  switch/Admin(config)# action-list type optimization http avs_default
  switch/Admin(config-actlist-optm)# ?
  Configure optimization actions:
  appscope Appscope measurement against optimization
  cache Cache optimization
  delta Delta optimization
  do EXEC command
  dynamic Enable just-in-time object accelaration
  end Exit from configure mode
  exit Exit from this submode
  flashforward Flashforward optimization
  flashforward-object Flashforward object optimization
  no Negate a command or set its defaults
  You will probably want to use cache forward or cache dynamic.
  More info at
  http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_optimization.html
  Gilles.

• ACE SSL Proxy performance issue

  Hi I've got an ACE module in a 6500 that is being used as an SSL Proxy For a web service.
  So the configuration is fairly basic, matches a VIP which has been Nat'ed from the public IP address port 443 and load balances over a number of reservers with the server ports being set to 80.
  The problem is the main web site is hosted elsewhere and so when they switch to checkout on a secure port the browser page requests multiple https:// files .
  The users are seeing very slow page loads a considerable amount longer than equivalent on http and more than you'd expect. The ACE is no where near any throughout or transaction limits.
  My concern is on how the session is tracked, would the ACE attempt to renegotiate with every https:// get? I've seen example configs for stickiness inserting cookies for normal end-end load balancing but not with an SSL proxy configuration.
  Sent from Cisco Technical Support iPad App

  Hi Craig,
  The SSL negotiation/handshake will happen everytime a client opens a new TCP connection i.e comes with a different source port.
  To make sure that ACE doesn't renegotiate you can try and use this command:
  (config-parammap-ssl)# session-cache timeout . You can use 24 hours or anytime you think is suitable.
  This is basically to enable SSL session reuse. A little explanation below for your reference:
  When client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnect in the near future. Most of the servers have a time out for these sessions (I think 24 hours is a common value, unless pressed for space).
  When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in Server Hello message. The client knows that it has to verity the cert and negotiate the key again.
  Considerable amount of time is spent in validating server certs. Reusing SSL session will save this time.
  Having said that you need to check if the client is coming with a session ID which it got in previous handshake or not. If it doesn't and it is a new TCP connection then SSL handshake will happen. Please enable that command before testing.
  Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.
  Regards,
  Kanwal

• ACE 4710 like Proxy Log?

  Hi guys!
  I have one question to the ACE.
  We using the ACE as Proxy.
  Can write the ACE a proxy log? (GET, Post requests)
  Like so
  192.168.0.1 - - [09/Oct/2010:02:12:40 +0200] "GET / HTTP/1.1" 302 304 "http://www.cisco.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.10) Gecko/20100914 AskTbCDS/3.9.0.12758 Firefox/3.6.10"
  192.168.0.1 - - [09/Oct/2010:06:17:14 +0200] "GET /oks/app HTTP/1.1" 200 3861 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)"
  192.168.0.1 - - [09/Oct/2010:06:17:15 +0200] "GET /css/default.css HTTP/1.1" 304 - "https://blablbla.at/oks/app" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C
  did anybody know that the ACE can do this.
  He can also forward the events to a sys Server. Is it posible?
  Thanks
  regards Markus

  Hi Markus,
  The short answer is no.
  This kind of logging you are looking for is more common in HTTP caching devices. However, the ACE will only proxy connections in order to get enough information to make a load-balancing decision.
  Regards
  Daniel

• ACE behind Reverse Proxy - performance issue

  Hi,
    I've got a config working to accommodate the required use of reverse proxy servers infront of my application servers.  Traffic comes into the Front ACE and I insert a header "SRCIP" with the original client IP address which is preserved through the Rev Proxy servers and is then inspected on the Back ACE to create a sticky to a given application server/SRCIP pairing.  The use of the RP's appears to require using the persistence-rebalance option otherwise the traffic get stuck to the wrong app server.  The app functions perfectly with this config; however, there is a severe performance impact.  Using load-runner, we see response times go from 1.5 seconds to 16 seconds for the same transactions comparing this config to a previous config which used static sticky to bind the RP to the app servers..
  Question:  Is there a better way to do this and remain dynamic, or some way to optimize this approach to reduce the performance impact.
  Relevant Config for both ACE's here:
  !!Front ACE
  parameter-map type http HTTP_REBAL
    persistence-rebalance
    length-exceed continue
  sticky ip-netmask 255.255.255.255 address source ALPHA-SRCIP-sticky
    timeout 60
    replicate sticky
    serverfarm ALPHA
  policy-map type loadbalance first-match vip-R1A-ALPHA
    class class-default
      sticky-serverfarm ALPHA-SRCIP-sticky
      insert-http SRCIP header-value "%is"
  policy-map multi-match PREP-VIP
    class VIP-ALPHA-R1A
      loadbalance vip inservice
      loadbalance policy vip-R1A-ALPHA
      appl-parameter http advanced-options HTTP_REBAL
      ssl-proxy server SSL_ALPHA_R1A
  !!Back ACE
  parameter-map type http HTTP_REBAL
    persistence-rebalance
    length-exceed continue
  sticky http-header SRCIP ALPHA-SRCIP-sticky
    timeout 60
    replicate sticky
    serverfarm coresoms-ALPHAfarm
  class-map type http loadbalance match-all SRCIP-MAP
    2 match http header SRCIP header-value ".*"
  policy-map type loadbalance first-match vip-lb-ALPHA
    class SRCIP-MAP
      sticky-serverfarm ALPHA-SRCIP-sticky
  policy-map multi-match lb-vip
    class VIP-ALPHA
      loadbalance vip inservice
      loadbalance policy vip-lb-ALPHA
      appl-parameter http advanced-options HTTP_REBAL

  Hi Joseph,
  To achieve this you need to do stickiness based on some L7 parameter (either the header you are currently using or some cookie), so, whatever you do you will have to use persistence rebalance.
  I have one possible theory for your issue.
  The ACE has two different ways of treating the L7 connections internally, that we call "proxied" and "unproxied". In essence, the proxied mode means that the traffic will be processed by one of the CPU (normally to inspect/modify the L7 data), while, on the unproxied mode, the ACE sets up a hardware shortcut that allows forwarding traffic without the need to do any processing on it.
  For a L7 connection, the ACE will proxy it at the beginning, and, once all the L7 processing has been done it will unproxy the connection to save resources. Before it goes ahead with the unproxying, it needs to see the ACK for the last L7 data sent. This wait, on a Internet environment can introduce around 100-200ms of delay for each HTTP request, which can end up adding into a very big delay. By default, if the ACE sees that the RTT to the client is more than 200ms, the connection will never be unproxied to avoid these delays, so I think we could fix your issue by tweaking this threshold.
  From what you described, I asssume you don't have many connections (because they all come through a proxy) and that the connections will have a lot of HTTP requests inside. With that in mind, I would suggest setting the threshold to 0 to ensure to keep connections always proxied. To do this, you would nee to configure a parameter map like the one below and add it to your VIP
      parameter-map type connection
        set tcp wan-optimization rtt 0
  Even though this setting may avoid your issue, it also has some drawbacks. The main one is that the ACE20 only supports up to 512K simultaneous L7 connections in proxied state (which includes also the connections towards the servers, so, it would be 250K for client connections), so, if the amount of simultaneous connections reaches that limit, new connections would be dropped. The second issue, although not so impacting, would be that the maximum number of connections per second supported would also go down slightly due to the increased processing needed.
  I hope this helps
  Daniel

• Using ACE to load balance HTTP/S traffic between client & proxy server using tcp 8080

  Folks,
  I have a scenario where ACE is in load balancing connections to a bunch of Websense servers in a one-armed topology.  ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name.  Traffic then gets load balanced between the Websense servers.  The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.  
  ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
  So the problem I have is this:
  How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number ie tcp 8080
  The ACE hardware being used is ACE20-MOD-K9  -  MODULE
  I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.  
  I believe I am on the correct track.  The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB
  I'm looking for ideas!  I'm hopeful someone must have solved this problem previously!!
  Regards,
  Simon

  Hi Simon,
  The classification has to work on different ports. Whether client types http or https doesn't matter to client. His request will reach VIP which will classify the traffic based on port, protocol first and then it can look into further detail to send the traffic to appropriate serverfarm.
  You can class-map match-any xxxxx
  2 match virtual-address x.x.x.x tcp any
  and then you configure further classification on the basis of L7 like  url, header etc. 
  But again, you will still need SSL termination on ACE.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• ACE for layer 4 redirection

  HI
  I've asked a part of this question before, but need further clarifications. Hope some one can help.
  We are trying to deploy an ACE to transparently re-direct http traffic to a set of proxy servers, that are also doing some content filtering. following is the expected high level setup.
  clients -----[ACE] ---- internet
  |
  |
  |
  | | |
  [proxy 1] [proxy 2] [proxy 3]
  The proxy servers have to go through the ACE again to access the internet. The returning traffic should also go back through the ACE to the same proxy server that catered for the forward traffic. As the proxy does not modify the source IP of the forward traffic (source IP of the packets going to the internet remians to be the actual client IP) , this appears to be a problem. Would you be able to suggest a solution ?
  Many thanks

  yes, but two problems.
  1.) Since the return packet from the internet has actual client (not the proxy) IP address as the destination IP, will that traffic go back to the proxy rather than directly to client?
  2.) Even if it can be sent back to the proxy server farm, how can I ensure that it will go to the same proxy that originated the http request/etc. ?
  Sorry to bother you this much
  thanks again
  Din

• How to see the Source IP Address of a client using ACE One-armed-mode to load balance HTTP proxy request

  I'm using an Ace 4710 Appliance deployed in One-Armed mode, using Source NAT to loadbalance HTTP request to a couple of Proxy servers.
  Everything is working fine, but the thing is that I can't see the Clients IP addresses on Proxy's logs, so I can't keep track of them.
  The Interfaces and Nat configs are:
  interface vlan 200
    description Server-Side-VLAN
    bridge-group 5
    nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
    service-policy input VIPS
  interface vlan 300
    description Client-Side-VLAN
    bridge-group 5
  interface bvi 5
    ip address 10.1.1.3 255.255.248.0
    description Client-Server-Virtual-Interface
  ip route 0.0.0.0 0.0.0.0 10.1.1.1
  and the policy map looks like this
  policy-map multi-match VIPS
    class Port80
      loadbalance vip inservice
      loadbalance policy Port80
      nat dynamic 5 vlan 200
  Resource assignment:
  sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
    timeout 5
    serverfarm Service80
  Any suggestions will be appreciated,
  Thanks

  Hi Kanwal,
  Thanks for your quick reply,
  I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
  The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
  But I'll try again tomorrow and let you know how it goes.
  Thank you again.

• ACE best practice for proxy servers

  Dear,
  I would like to know which is the best practice scenario to load balance proxy servers:
  1- Best practice to have transparent proxy or proxy setting on the web browser?
  2- for transparent proxy: best practice to use ip wccp or route-map pointing to the ACE VIP?
  3- What are the advantages and disadvantages of transparent proxy V/S web browser proxy setting.
  Regards,
  Pierre

  Hi,
  Sorry, that seem to be an internal link.
  You can also check the below post where a sample config is posted here for transparent cache.
  https://supportforums.cisco.com/thread/129106
                 Best practice :
  VIP would be a catch all address.
  To optimize the caching predictor hash url is used.
  You can also use mac-sticky on interface so proper flow persistence is used within ACE
  The mode is transparent so we preserve the destination ip address.
  Regards,
  Siva

• ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client

  Hi
  Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
  Example:
  Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
  The "client" Server does not support SSL.
  Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
  Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
  Regards

  Hello Byron,
  Yes, the ACE can do it
  Here you have some of the flavors of SSL with the ACE.
  Here you have a sample about it:
  parameter-map type http CASE_PARAM
    case-insensitive
    persistence-rebalance
    set header-maxparse-length 65535
    set content-maxparse-length 65535
  class-map match-all CLEAR_TEXT_VIP
    2 match virtual-address 172.20.120.19 tcp eq www
  policy-map multi-match JORGE-MULTIMATCH
    class CLEAR_TEXT_VIP
      loadbalance vip inservice
      loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
      loadbalance vip icmp-reply active
      appl-parameter http advanced-options CASE_PARAM
  policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
    class class-default
      serverfarm ENCRYPTED-SERVERFARM
      ssl-proxy client SSL-PROXY-JORGE
  ssl-proxy service SSL-PROXY-JORGE
    key TAC-key
    cert TAC-cert
  serverfarm host ENCRYPTED-SERVERFARM
    rserver JORGE-SERVER 443
      inservice
  Here you have some additional details under the configuration guide:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
  Here you have some additional samples:
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
  Hope this helps for you and fix your issue
  Jorge

• ACE 4710, reverse proxy?

  Hello All,
  Please forgive my ignorance but can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time. Thanks for your input.

  Hi Mate,
  The reverse proxy servers can perform many tasks, like:
  Note: this info from Wikipedia: http://en.wikipedia.org/wiki/Reverse_proxy
  Reverse proxies can hide the existence and characteristics of the origin server(s), The ACE will do that.
  Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult, The ACE has some built-in security features, you can refer to this document for full detail:
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/security/guide/securgd.html
  In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware. The ACE can do this:
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/ssl/guide/sslgd.html
  A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource. The ACE can do that perfectly.
  A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator. A reverse proxy can optimize content by compressing it in order to speed up loading times. Please check this link for more detail about ACE Application Acceleration and Optimization:
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/app_acc_and_opt/guide/appaccoptgd.html
  Best regards,
  Ahmad

• ACE to load balance proxy servers

  Hi,
  i have a set of 4 proxy servers that are already load balanced. But they are using a incorrectly configured health probe on the ace. I need to know a good configuration for a heath probe that will send a http request over port 80 , wait for response, and read it?  I searched the forum and the cisco pages but could not find a proper answer.        
  the current probe is as follows:
  probe http HTTPGET
    description Tests that www.gmail.com returns 302 redirect
    interval 10
    request method get url http://www.gmail.com
    expect status 302 302
  -Gordon

  Hi Gordon,
  This is what you want to achieve :
  I need to know a good configuration for a heath probe that will send a  http request over port 80 , wait for response, and read it?
  So ideally you have to choose what content you want to request and what you expect as response.
  Any HTTP request will assume that the request is going to the web server or the device can understand HTTP and respond accordingly.
  If you ask me I would say that the probes which you are using make sense.
  If the probe fails that means the proxy is unable to reach "www.gmail.com" which is almost as good as proxy is not working.
  Let me know your thought about it.
  regards,
  Ajay Kumar

• ACE - TCP Options for Proxy-Connections

  Hi all,
  I have the issue that my ACE does not seem to allow tcp options with L7 proxied connections to the servers. For the client side connection I see the TCP option timestamp for example, but unfortunately the ACE itself does not put the timestamp option into its own TCP connection to the rserver. A 'parameter-map type connection' does only seem to have an effect on L4 connections, not proxied ones. Does anybody know a way how to tell the ACE to have e.g. a timestamp option in the TCP connection to the server as part of a L7 loadbalancing?
  Any help is highly appreciated!
  Thanks,
  Daniel

  Daniel,
  we do not support timestamp at L7.
  I think we only support window scaling.
  Gilles.