Do i need a high perf SSL offloader (Like Array Networks APV) for WebLogic

Similar Messages

• ACE 4710 in failover - ssl offload, cert for second ACE

  Hi,
  I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
  At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
  Now I would like to move further and configure ssl offload and configure High availability.
  I read that the certificate for ssl can be localy generated on the ACE device but I couldn't find any information regarding the cert that should be used on the second ACE.
  Should I generate a new cert od the standby unit or somehow use the one on the first ACE?
  Is it better to first set up high availability and then configure ssl offload or vice versa?
  Does anyone have a config example of ssl offload and active/standby configuration?
  Thank you in advance.

  You simply need to generate keys & CSR on the primary ACE. Export the Keys from Primary ACE, Import these keys to Standby ACE and once you recieve the certs from CA then simply import the cert to both ACEs.
  FOllowing will be steps to achive that
  On primary Ace
  1. create RSA Keys
  crypto generate key 2048 app1.key
  2. Create CSR & send it to CA
  ace/Admin(config)# crypto csr-params app1-csr
  ace/Admin(config-csr-params)# common-name www.app1.com
  ace/Admin(config-csr-params)# country US
  ace/Admin(config-csr-params)# email [email protected]
  ace/Admin(config-csr-params)# locality xyz
  ace/Admin(config-csr-params)# organization-name xyz
  ace/Admin(config-csr-params)# organization-unit xyz
  ace/Admin(config-csr-params)# state CA
  ace/Admin(config-csr-params)# serial-number 1234
  ace/Admin(config-csr-params)# end
  ace/Admin(config)# crypto generate csr app1-csr app1.key
  (copy the result to a file)
  4. Import certificate recieved from CA
  crypto import terminal app1.cert
  (pasted the content from the cert)
  5. verify the cert & keys match
  crypto verify app1.key app1.cert
  6. Export the keys from Active
  crypto export app1.key
  (copy the result to a file)
  ON Standby ACE:
  1. Import the keys
  crypto import terminal app1.key
  2. Import the cert
  crypto import terminal app1.cert
  3.verify the cert & keys match
  crypto verify app1.key app1.cert
  Hope this helps
  Syed

• Cisco ACE - Exempt HTTP URL from SSL Offloading

  Hi,
  I have a cisco ACE module A2 (3.6). I am offloading url www.abc.com on cisco ACE. HTTP redirection to https is working & over https I am able to browse website perfectly. real servers are redirecting some pages over http.  Due to page redirection from webserver I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from ssl offloading. It is possible or as a work around i have to rewrite complete url www.abc.com as ssl port.
  Your inputs highly appreciated.
  Regards,

  Hi Masif,
  In case you have not gotten assistance with this one, you just need to specify the specific URL and match it on top of the loadbalance policy that is already doing the redirection.
  class-map type http loadbalance match-any No-Redirect
    2 match http url /docs/abc.aspx
  policy-map type loadbalance first-match ABC
    class No-Redirect
      serverfarm HTTP-Servers
    class class-default
      serverfarm Redirect
  Hope this helps.
  Pablo 

• Does ADFS work with SharePoint 2013 with WFEs SSL-offloaded to a F5 load balancer?

  Currently we are implementing a SharePoint 2013 Production environment with 2 WFEs load-balanced by F5.  SSL is offloaded to F5 and is currently working fine with Integrated Windows Authentication with NTLM.  We would like to implement ADFS 3.0
  later for Single Sign-on, and we are wondering if ADFS supports SSL offload.  
  Do we need to bind the certificate to the WFEs as well to use ADFS?  
  Thank you!

  Just got it confirmed that ADFS supports SSL offload.  There is no direct communication between SharePoint and ADFS server during the authentication process.  It is always the browser that's talking to ADFS server. We just need to do the following:
  Configure SharePoint URLs in ADFS as replying parties with https.
  Configure AAM in SharePoint to make sure internal URL is http and public URL is https.

• SSL Offloading and Certificate Errors

  I am attempting to offload SSL on an F5 load balancer.  I made the certificate request from the load balancer, procured the certificate from Entrust, and installed on the load balancer.  I then followed SSL Offloading TechNet instructions here:
  http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx.  My two CAS servers still have the self-signed certificates bound in IIS.  I am getting certificate
  errors when making RPC over HTTPs connections in Outlook and the self-signed certificate is popping up.
  My question is what do I do with the certificates on my 2 CAS servers?  Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS? 
  Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
  Or am I completely misunderstanding how this works and need to do something different entirely?
  Thanks in advance for any guidance.

  As I previously mentioned, I have already followed the SSL Offloading guide from technet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.) 
  Additionally I made sure SSL Offloading was enabled for Outlook Anywhere in Powershell.  See for example output of Get-OutlookAnywhere:
  RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
  ServerName                         : TSTEXCG2013
  SSLOffloading                      : True
  ExternalHostname                   : tstowa.XXXX.com
  InternalHostname                   : tstowa.XXXX.com
  ExternalClientAuthenticationMethod : Ntlm
  InternalClientAuthenticationMethod : Ntlm
  IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
  XropUrl                            :
  ExternalClientsRequireSsl          : True
  InternalClientsRequireSsl          : True
  MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
  Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
  ExtendedProtectionTokenChecking    : None
  ExtendedProtectionFlags            : {}
  ExtendedProtectionSPNList          : {}
  AdminDisplayVersion                : Version 15.0 (Build 847.32)
  Server                             : TSTEXCG2013
  AdminDisplayName                   :
  ExchangeVersion                    : 0.20 (15.0.0.0)
  Name                               : Rpc (Default Web Site)
  DistinguishedName                  : CN=Rpc (Default Web
                                       Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange
  Administrative
                                       Group (FYDIBOHF23SPDLT),CN=Administrative
  Groups,CN=XXX XXXX,CN=Microsoft
                                       Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
  Identity                           : TSTEXCG2013\Rpc (Default Web Site)
  Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
  ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
  ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
  WhenChanged                        : 7/10/2014 7:38:58 PM
  WhenCreated                        : 6/23/2014 2:54:36 PM
  WhenChangedUTC                     : 7/11/2014 12:38:58 AM
  WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
  OrganizationId                     :
  OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
  IsValid                            : True
  ObjectState                        : Changed

• How to pass client IP address via CSS with SSL offload?

  Hello,
  We use Cisco CSS 11501S to do the SSL offload of web servers in one-armed mode. So we have to SNAT client IP in order to guaranty correct return path via the CSS. In this case web server can see only the IP address of the VIP used for SNAT. If there is a way to pass customer?s IP to the web server - i.e insert customized HTTP HEADER something like HTTP_REMOTEADDRESS:<IP address of the client> - similar to what is possible with BIG IP device for instance?
  Second question if there is a way to get from the CSS access log data similar to what we have in Apache access.log file to be used by Webalizer or similar application to analyze web traffic.

  Scott,
  if you're not doing src nat, the css will spoof the client ip and therefore, there is no need to save the client ip in the http header.
  Gilles.

• ACE ssl offloading

  Hi,
  I need to configure ssl offloading so that user will send request on port 443 while ACE will so ssl offload so servers will handle http connection. my current config is as below(i haven't copied probe port80 here):
  rserver server1:80
  ip add 192.168.1.1
  inservice
  serverfarm secure-rediect-SF
    probe port80
    reserver server1:80
    inservice
  class-map match-any  secure-rediect-CM
    match virtual-address 10.10.1.1 tcp 80
  policy-map type loadbalance first-match  secure-rediect-PM
    class class-default
     sticky-serverfarm secure-rediect-SG
  policy-map multi-match LBR-LB
    class  secure-rediect-CM
     loadbalance vip inservice
     loadbalance policy secure-rediect-PM
     loadbalance vip icmp-reply
  could you help! how do I configure SSL offloading? what is required to configure it?

  Hello, Gavin
  Here you have some additional examples which might help you out:
  Admin# sh crypto files
  Filename                                 File  File    Expor      Key/
                                           Size  Type    table      Cert
  cert-test                                2088  PEM     Yes        CERT
  key-test                                 1675  PEM     Yes         KEY
  # crypto verify key-test cert-test
  Keypair in key-test matches certificate in cert-test
  Admin(config)# crypto chaingroup my-chaingroup
  Admin(config-chaingroup)# cert my-root
  Admin(config-chaingroup)# cert my-intermediate
  ACE-M2/Admin(config-chaingroup)# exit
  Admin# sh crypto chaingroup all
  chaingroup muflas contains:
  my-root
  my-intermediate
  (config)# ssl-proxy service my-ssl-proxy
  Admin(config-ssl-proxy)# chaingroup my-chaingroup
  Admin(config-ssl-proxy)# cert cert-test
  Admin(config-ssl-proxy)# key key-test 
  Admin(config-ssl-proxy)# end
  Then finally, your configuration should like this:
  interface vlan 100
    ip address 10.198.16.75 255.255.255.192
    access-group input Allow_Access
    nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
    service-policy input MGMT
    service-policy input my-multimatch
    no shutdown
  policy-map multi-match my-multimatch
    class vip
      loadbalance vip inservice
      loadbalance policy http
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 100
  class ssl
      loadbalance vip inservice
      loadbalance policy http
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 100
      ssl-proxy server my-ssl-proxy
  class-map match-all ssl
    2 match virtual-address 10.198.16.103 tcp eq https
  class-map match-all vip
    10 match virtual-address 10.198.16.103 tcp eq www
  policy-map type loadbalance http first-match http
    class class-default
      serverfarm http
  serverfarm host http  
    rserver 1-80 80
      inservice
    rserver 2-80 80
      inservice
  rserver host 1-80
    ip address 10.198.16.99
    inservice
  rserver host 2-80
    ip address 10.198.16.100
    inservice
  ssl-proxy service my-ssl-proxy
    key key-test
    cert cert-test
    chaingroup my-chaingroup
  Hope this helps!!!

• ACE SSL offloading troubleshooting

  Hi All,
  I need a help on trobleshooting ACE SSL offloading. Can anybody post the link to know about the commands for troubleshooting?
  Regards,
  Thiyagu

  Hi Thiyagu
  Have a read on the following link, what is the issue you are seeing?
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_SSL#Troubleshooting_ACE_SSL
  Regards Craig

• SSL Offloading

  hello 
  I have an confusion. When we are talking about Load Balancing we heard SSL Offload. Do we need to configure it on Exchange or Load balancer or is it enable by default on the exchange ? 
  regards 

  SSL Offloading means that the load balancer or web publishing device decrypts the SSL messages ahead of the Exchange server.  Whether you use it or not is between you and your network people.  The main reason I don't recommend it is that you
  generally want to re-encrypt the traffic between the load balancer and the Exchange server anyway, so it doesn't help with performance.  A good reason for using it is that the web publishing device can inspect the contents of the packets.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• SSL Offloading - CA

  Hi
  I've a question about SSL offloading.
  According to the documentation on the web i need to generate a CRL (certification revocation list) to get a certificate from a CA.
  In our test environment we have a CA on a Microsoft Server.
  What i want to know is it possible to take this CRL from the ACE and import it in the CA to verify it, and afterwards copy the certificate back to the ACE?
  Thanks for your advice.
  cheers
  patrick

  I think that when you configure an appliance to perform SSL offloading you are actually setting up one or more logical secure servers whose SSL-related configurations reside in the appliance.
  For more information on SSL please click following URL:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/sca/v4.20/configuration/guide/SCA_AP_F.html#wp1004454

• TS3276 Hey. I have problems to send e-mail with Mail. The problems is I need to un active ssl ,... but when I do this,... automatically,. its active again????. Whta can i do

  Hey. I have problems to send e-mail with Mail. The problems is I need to un active ssl ,... but when I do this,... automatically,. its active again????. Whta can i do

  Try posting this in the 10.7 Mail forum. You'll get more help there.
  DALE

• For Full performance You need a Higher voltage AC Adapter Message

  Hello,
  I have a HP G70-460US Laptop since October 10,2009. About three days ago, the laptop started showing me a system message about the AC Adapter. The message says: For Full performance you need a higher voltage AC adapter. I verified the AC Adapter and the temperature was normal. The battery was charging OK. I had the laptop connected to a power strip, so I connect the laptop directly to the wall outlet. The next day, my wife was trying to use the laptop, and the battery had no charge. I unplugged and plugged again the AC Adpter and started charging again, but, the system keeps posting the same error message as before. My laptop is usually connected to a electrical outlet.
  What can be the problem?

  We are also getting this same message with a new G60-506US laptop just placed in service with the factory HP A/C adapter. 
  Looks like someone from HP needs to get into this!

• ACE 4710 & SSL Offloading

  I testing the 4710 for load balancing between 2 web servers. I have the http portion working just fine but would like to get some input on the SSL portion.
  We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
  My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
  Description of the web application usage:
  Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

  Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
  Am I correct?

• I can't install any application on my ipod. it needs a higher sofware version. how to upgrade it's software to 4.3? i have 2.1

  i can't install any application on my ipod. it needs a higher sofware version. how to upgrade it's software to 4.3? i have 2.1

  khristianfromaparri wrote:
  i can't install any application on my ipod. it needs a higher sofware version. how to upgrade it's software to 4.3? i have 2.1
  You won't be able to update to 4.3. Depending on which version you have, you may be able to upgrade to 4.2.1. Check out the Apple articles below for info.
  http://support.apple.com/kb/HT1353
  http://support.apple.com/kb/HT2052
  Stedman

• I used to be able to download temple run onto my iPod 2nd generation. I then had to restore the iPod but now I can't re-download temple run onto it. It says you need a higher ios number. Is there anything I can do to get it back?

  I used to be able to download temple run onto my iPod 2nd generation. I then had to restore the iPod but now I can't re-download temple run onto it. It says you need a higher ios number. This is the same with many other apps as well and not just temple run. Is there anything I can do to get them back?

  So, you need an older version of the iOS app, because the current version no longer works on your iPod touch.
  If you do regular backups of your hard drive (as you should), such as by using Apple's built-in Time Machine (if you use a Mac), you may find the older version of the app in the backup archive, and restore it (replacing the newer version).  They are stored in the iTunes Media folder, in the Mobile Applications sub-folder.  You should then be able to sync the older version to your iPod touch.
  I can't think of any other way to get it back...
  NOTE:  An 2nd gen iPod touch can run up to iOS 4.2.1.  If your iPod touch is running something earlier, and that is why the app no longer works, you can also consider updating the iPod's iOS.
  I use an even older iPhone (original).  I avoid this potential problem by aways updating its apps on the iPhone, not in iTunes on the computer.  When I do it on the iPhone, it will not download a newer version of an app that won't run on my old iPhone.