ACE: v2.0, STICKY based on SSL:ID available?

Hi,
Is stickiness based on SSL:ID yet possible in software release 2.0?
Thx, Wim

Yes - See Server Load-Balancing Configuration Guide Ch5.
There is however a caveat. The LB only works while the SSL SessionID remains constant - and this depends on the application. See page 5-88 where it says "...provided that the SSL Session ID is not renegotiated."
Many modern browsers will frequently renegotiate the session-id.
You'll need to understand the application to know whether this is an appropriate sticky technique for you.
HTH
Cathy

Similar Messages

  • ACE Best Sticky Method for SSL Traffic

    Hi, With ACE 4710 running serverfarms primarily running SSL traffic, what is the best method for configuring stickiness. Here are some parameters:
    1) low volume sites, 2 real servers
    2) ACE _will not_ do SSL offloading
    3) Balancing HTTPS requests
    4) Many versions of HTTP clients
    5) Currently running ACE A1 code
    I am thinking of:
    1) TCP Header | HostID inspection
    2) SSL-session ID (not good if re-key often though)
    3) Any suggestions?
    many thx,
    WR

    Hi Will,
    You can see a complete configured example for your perusal in this regard:
    Configure ACE Module for End to End SSL Termination
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    And Many more here regarding
    Data Center Application Services Configuration Examples:
    http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
    Hope these configuration examples will be useful to you.
    Sachin Garg

  • ACE session persistence "sticky" TCP port

    Hey guys,
    I'm trying to work up some configurations on the ACE for performing session persistence "sticky" on the ACE based on source TCP port. All flows are SSL based; therefore, I thought the only option was SSL-ID, but I've been running into quirky behavior due to clients using IE7. Evidently there are several cases where IE7 causes the SSL-ID to be regenerated, causing this weird behavior.
    Anybody have example configs of the layer4-payload offset, length, etc. to perform sticky based on TCP source port?
    Thanks in advance.
    Paul

    Since source port is not part of the layer 4 payload you cannot use it for sticky. IE changing SSL ID is a known problem (it does it every 2 minutes).
    So you are left with:
    terminating SSL on the ace and using cookie sticky (you can always re-encrypt on back end if security demands it)
    or
    source IP sticky (practical only if clients are not behind a proxy  device)
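
As an added example (not from either thread above), a small Python script that pulls the session ID out of a TLS ClientHello the way an SSL-ID sticky load balancer keys its table, and replays the case Cathy and the IE7 thread describe: a resumed handshake carrying the same ID sticks, a renegotiated handshake with a new ID does not. The ClientHello bytes, the offsets comment and the server names are constructed test data, not ACE configuration.

```python
import struct

# Fixed layout of a TLS record carrying a ClientHello (RFC 5246):
#   5 bytes record header | 4 bytes handshake header | 2 bytes version
#   | 32 bytes random | 1 byte session_id length | session_id ...
SESSION_ID_LEN_OFFSET = 5 + 4 + 2 + 32          # 43: where the ID length byte sits
SESSION_ID_OFFSET = SESSION_ID_LEN_OFFSET + 1   # 44: start of the ID itself


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello record."""
    if len(session_id) > 32:
        raise ValueError("session ID is at most 32 bytes")
    body = (b"\x03\x03" + b"\x11" * 32                 # version, client random
            + bytes([len(session_id)]) + session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00")       # one cipher suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_session_id(record: bytes):
    """Session ID from a ClientHello record, or None if empty or malformed."""
    if len(record) <= SESSION_ID_LEN_OFFSET or record[0] != 0x16 or record[5] != 0x01:
        return None
    sid_len = record[SESSION_ID_LEN_OFFSET]
    if sid_len == 0 or sid_len > 32 or len(record) < SESSION_ID_OFFSET + sid_len:
        return None                          # nothing usable to stick on
    return record[SESSION_ID_OFFSET:SESSION_ID_OFFSET + sid_len]


class StickyTable:
    """Simulated SSL-ID sticky table: known ID -> same server, else round robin."""

    def __init__(self, servers):
        self.servers, self.entries, self.rr = list(servers), {}, 0

    def pick(self, record: bytes) -> str:
        sid = extract_session_id(record)
        if sid is not None and sid in self.entries:
            return self.entries[sid]         # sticky hit
        chosen = self.servers[self.rr % len(self.servers)]
        self.rr += 1
        if sid is not None:
            self.entries[sid] = chosen       # learn the new session ID
        return chosen


def demo():
    """One client: full handshake, a resumption, then a renegotiated (new) session."""
    table = StickyTable(["server1", "server2"])
    first = table.pick(build_client_hello(b"A" * 32))
    resumed = table.pick(build_client_hello(b"A" * 32))       # same ID -> same server
    renegotiated = table.pick(build_client_hello(b"B" * 32))  # new ID -> persistence lost
    return first, resumed, renegotiated
```

Running demo() returns ('server1', 'server1', 'server2'): the third hello is the same client, but the balancer has no way to know that once the session ID changes.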

  • ACE: Can I loadbalance based on client Source IP/and client tcp source port?

    We recently migrated serving a client from being a thick client at the desktop to being served via a Citrix farm. Prior to the migration the clients came from about 5000 unique source IPs to their VIP; now they come from only 31 unique source IPs from the Citrix servers in the farm. A Citrix server can host 400 client sessions, and since the default action of the ACE is to load balance based on source IPs, the ACE is sending up to 400 sessions from one Citrix server to 1 real server in the farm. Is there any way I can load balance based on client source IP and TCP source port so the ACE views the 400 sessions from one Citrix server as unique sessions? The application does not require persistence.

    Hello,
    Yes, you can configure a "Sticky Layer 4 Payload" as described on this link:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/command/reference/sticky.html#wp1039276
    Unfortunately I do not have any working example. You must calculate the right values for the Offset and the Length to configure.
    Regards Jean-Marc

  • How to do http session stickiness based on URL patterns?

    Is there a feature within the WL plugin for Apache that would allow me to emulate the "jvmroute" session stickiness behaviour as provided by Tomcat and its plugin? I would like to have the control to tie requests from HTTP clients to particular WLS servers in a cluster depending on the URL. For example, http://foo.com/web01 requests would be forwarded to an appserver app01 and so on. For all other requests (e.g. http://foo.com/web), the WL plugin would do its normal load balancing, ignoring the stickiness. From my understanding the WLS inbuilt HTTP session stickiness is based on JSessionIDs which are exchanged using cookies, which is something I cannot use in my case since I want the stickiness based on URL patterns.
    I am using WLS 10.0 with Apache 2.2.4 on Linux.
    Thanks
    Ramdas

    Session is not replicated across all the servers in the cluster.
    Apache knows which server to go to using the JSession ID.
    There is a concept of primary and secondary; secondary is selected based on the replication groups that are configured in the cluster.
    You can configure the cluster so that /web01 requests go to a different cluster, and /web requests go to a different cluster,
    but you can get all the functionalities from the single cluster.
    Do you have any Java caching that you are not able to replicate across the cluster? (I know this can be done too.)
    Let me know what you are actually trying to solve by doing the behavior you explained.

  • I want to implement three level Horizontal navigation on the top navigation and menu items are created based on the data available in a SharePoint List.

    Hi All,
    I want to implement three level horizontal navigation on the top navigation, and menu items are created based on the data available in a SharePoint list.
    To implement this requirement through customization, how can I start? Any help?
    Thanks

    Hello,
    You can follow these links to get the result that you want. You can get the desired result either using a custom list or a site map. Please make sure when you edit the master page, don't work on the original v4.master. Always make a copy and then work on it.
    This link will show you how to get that navigation using a list.
    http://www.bitsofsharepoint.com/BlogPoint/Lists/Posts/Post.aspx?ID=60
    This link will show you how to get that navigation using a sitemap.
    http://www.sharepointdiary.com/2012/01/custom-top-navigation-using-sitemap.html
    Please mark as "Answered" if this helped you.
    Thanks,
    norasampang

  • Sticky session for SSL termination

    We have a server farm with 2 servers. The ACE is performing SSL termination to this farm, and talking tcp/80 on the back end. How can I ensure these sessions are sent to the same servers?
    Thanks

    Since you are doing SSL termination you can do cookie sticky and have the ACE either learn a cookie from the server or insert a cookie to provide sticky.
    For instance, to do cookie insert:
    sticky http-cookie COOKIE1 GROUP3
      cookie insert browser-expire
      serverfarm test
    browser-expire makes it a session-based cookie. If you want the cookie to expire at a set time you can leave off browser-expire and then set a timeout. The timeout is not on the ACE; rather, we will send a UTC expire time to the browser.
    Then call the sticky serverfarm in your load balance policy:
    policy-map type loadbalance first-match L7PLBSF_STICKY-COOKIE_POLICY
      class class-default
       sticky-serverfarm GROUP3
    You can also use other sticky methods, see
    http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1070365

  • Stickiness based on cookie name

    On ACE, how do I configure cookie sticky if I want it based on cookie name or Set-Cookie value? The server is generating the cookie and I want to stick to the server based on the cookie value generated by the server, not ACE.
    Can someone give me an example?

    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/command/reference/sticky.html#wp1069181
    You first need to know the name of the cookie used by the server.
    You then create a sticky group to match that cookie name.
    You associate your serverfarm to that group.
    You link that group to your policymap.
    Done.
    Gilles.

  • Css stickiness based on the http header

    There is a CSS 11503 that should load balance the traffic between 2 servers running IIS (HTTP port 80). In front of the load balancer there is a reverse proxy that hides all real IP addresses of users that send requests to the web servers.
    The customer would like to have stickiness per user. The reverse proxy can add the user's real IP address to an HTTP header.
    What kind of load balancing mechanism is better to use to fulfill the customer's requirements? HTTP load balancing? If "yes", are there standard field types that it is possible to use?

    You can't do sticky on HTTP header in CSS; the best solution is to insert a cookie for stickiness. Individual clients will get a cookie and will stick based on the cookie presented.
    See:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/Sticky.html#wp1109390
    content testing
      vip address 192.168.128.131
      add service s1
      advanced-balance arrowpoint-cookie
      active

  • ACE 4700 one-arm design with SSL termination

    Hi,
    We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
    1. Are there any limitations in the one-arm design and the SSL offloading
    2. Can the ACE be configured with an IN and an OUT vlan to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
    so that the SSL and the clear text traffic is in a separate Vlan?
    3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    I would appreciate if you can share some sample configs
    Regards,
    George Georgiou

    There are two ways to implement a one-arm topology:
    1. One arm with PBR, and 2. One arm with source NAT.
    PBR/source NAT is needed to ensure that the return traffic from the real servers does not bypass the ACE.
    1. Are there any limitations in the one-arm design and the SSL offloading
    The limitations/config issues I can think of are the following:
    One arm with PBR:
    Direct access to servers requires enabling asymmetric routing (by turning off normalization). If direct server access is not required then you don't need to enable asymmetric routing. Now for these asymmetric connections (direct server access return traffic) it's required to purge idle connections more frequently (the default being one hour).
    One arm with source NAT:
    You will lose the client information. Server logs will show the connections initiated from the NAT IP pool configured on the ACE.
    2. Can the ACE be configured with an IN and an OUT vlan to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
    so that the SSL and the clear text traffic is in a separate Vlan?
    Yes, you can do that, but wouldn't it make it a routed mode topology?
    3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    As I said earlier, you lose the source IP address with source NAT. But with ACE you have an option to use header-insert and insert this source IP as an HTTP header.
    Details at
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    HTH
    Syed Iftekhar Ahmed

  • When will domain based SSL be available?

    I understand the way BC does SSL, based on a certificate for worldsecuresystems.com. I think it is a large problem that we cannot do SSL certificates using our clients domain names. Besides the current Google preference for SSL enabled sites, there are other instances where clients want secure pages under their own domain. When will this be made available?

    Hey there,
    There has been a lot of discussion here; if you forum search you can see all the threads.
    The bullet points for you though....
    - Read the Google SSL announcements properly; it's a statement of intention, not something that is going to affect your site rankings at the moment.
    - When it does start to kick in it will account for less than 1% of the ranking algorithm (Google said this).
    - Is it a nice to have? Yes, of course.
    - Is it possible with BC? Yes, but the way it works now is a core backbone of the system; to change it would be a big amount of time and cost for BC to do.
    - Are BC going to do this any time soon? No.

  • Can the ACE bleed off users based on http probe?

    We need to have our ACE look at our two servers, and based on the text it sees on a predetermined page, take an action.
    Example 1: ACE looks at web page on server1, and sees "maintenance". Desired action - send all users to server2, & wait for server1 to bleed off all users.
    Example 2: ACE looks at web page on server1, and sees "online". Desired action - allow users to go back to server1.
    Current config:
    probe http HTTP-Server1
      interval 15
      passdetect interval 2
      request method get url /maintenance.htm
      expect status 200 200
    probe http HTTP-Server2
      interval 15
      passdetect interval 2
      request method get url /maintenance.htm
      expect status 200 200
    Thanks.

    If you are looking at content for maintenance and online you need to do 2 things:
    1. Make sure the server uses a Content-Length header in the reply to the probe.
    2. Construct the probe to look for content as the criteria for probe success or failure, so the probe would be:
    probe http HTTP-Server1
      interval 15
      passdetect interval 2
      request method get url /maintenance.htm
      expect regex "online"
    If the content does not have "online", the probe will fail; new connections would go to the other server, and existing connections will be maintained.
    Regards

  • How to change addressbar color based on SSL/SSL-EV/Broken-SSL/No-SSL

    Hello,
    Is there any way to force FF31 to color the address bar background green for verified SSL, yellow for normal SSL, red for broken SSL and white for no SSL? I know FF shows a little icon next to the URL, but I want the whole address bar background to display the security mode. The little icon is just not visible enough. I haven't found any addon that could do that. I tried using chrome/userChrome.css but it seems to be broken and cannot properly display all 4 states.
    The following code does not work for "level=low", and I could not test "level=broken" because I do not know of any website to test it on. "level=high" seems to be displayed always when there is SSL, regardless of whether it's "high" (verified) or "low" (not verified).
    Could you please tell me if there is any way to achieve this address bar coloring? Thank you.
    /* userChrome.css: color the urlbar by the security level attribute */
    #urlbar[level="high"] {
      background-color: #D0F2C4 !important;   /* green: verified SSL */
    }
    #urlbar[level="low"] {
      background-color: #FFFFB7 !important;   /* yellow: normal SSL */
    }
    #urlbar[level="broken"] {
      background-color: white !important;     /* broken SSL */
    }

    Go to the Mozilla Add-ons Web Page (https://addons.mozilla.org/en-US/firefox/) (there's a lot of good stuff here) and search for what you want.

  • ACE 4710 Appliance end-to-end SSL

    Hello,
    Am I able to use a port other than 443 to the servers in an end-to-end SSL config? For example, 443 to the users and 8443 to the servers?
    Thanks,
    Dave

    Hi Dave,
    Sure, that's not a problem at all. Just make sure you add the 8443 after the rserver name in the serverfarm configuration:
    serverfarm host REAL_SERVERS
      probe HTTPS-KEEPALIVE
      rserver SERVER_01 8443
        inservice
      rserver SERVER_02 8443
        inservice
    Hope this helps,
    Sean

  • Chicago Based Labview Electrical Engineer Available for Remote Work

    I work while you sleep
    I have over 8 years experience in Labview including most recently; GPS route mapping, CDMA and GSM test systems, OFDM and FSK test systems, and standalone applications (details available upon request).
    I'm looking for remote projects to work on in the evening to supplement my income and pay for all the expensive Christmas gifts.  I am willing to do work at reasonable rates based on project goals.  I have my MS in Electrical Engineering and over 8 years of digital hardware design experience as well as automation experience with Labview.  I have pretty much automated every piece of test equipment that has crossed my path. 
    Full source code, documentation, flow diagram, etc. upon project completion!  Labview 8.5, Windows XP 
    Regards,
    Labview 4 You
    Electrical Engineer,  Labview Guru

    This is a repost to show this thread is still active.
    I have over 8 years experience in Labview including most recently; GPS route mapping, CDMA and GSM test systems, OFDM and FSK test systems, and standalone applications (details available upon request).
    I'm looking for remote projects to work on in the evening to supplement my income.  I am willing to do work at reasonable rates based on project goals.  I have my MS in Electrical Engineering and over 8 years of digital hardware design experience as well as automation experience with Labview.  I have automated almost every piece of test equipment that has crossed my path. 
    Full source code, documentation, flow diagram, etc. upon project completion!  Labview 8.5, Windows XP 
    Regards,
    Labview 4 You
    Electrical Engineer,  Labview Guru
