HTTPS balance without a SSL Module

I have read through the forum and found a couple of threads talking about this issue but didn't find a solution to my problem.
I have 2 CSS11503s without SSL modules. I now have a need to balance a KVMoIP system that uses SSL on the servers (currently only 5 concurrent users). My balance is simply for ease of use for my customers so they don't have to know the URL for the primary and secondary servers. Here is what I have right now:
interface 1/1
bridge vlan 241
description "to users"
interface 1/2
description "to servers"
bridge vlan 700
circuit VLAN700
ip address 172.20.241.181 255.255.255.192
ip virtual-router 100 priority 1
ip redundant-interface 100 172.20.241.183
ip critical-service 100 css-up-down
ip critical-reporter 100 css-sc1
circuit VLAN241
ip address 172.20.241.71 255.255.255.192
ip virtual-router 1 priority 1
ip redundant-interface 1 172.20.241.73
ip redundant-vip 1 172.20.241.100
ip critical-service 1 css-up-down
ip critical-reporter 1 css-sc1
service obsidian
ip address 172.20.241.172
keepalive port 80
keepalive type tcp
active
owner avocent
content kvm (Does not work)
vip address 172.20.241.100
protocol tcp
port 443
add service obsidian
content kvm_80 (This works)
protocol tcp
port 80
add service obsidian
vip address 172.20.241.100
active
The HTTP to the server works fine but the HTTPS gets "The page cannot be displayed" when you go to https://172.20.241.100
Thanks for any insight into this issue.

Hi Gill,
That's what I've found:
(config-owner-content) application
To specify the application type associated with the content rule, use the application command. The application type enables the CSS to correctly interpret the data stream matching the content rule and parse them. Otherwise, the data stream packets are rejected. Use the no form of this command to reset the application type to its default setting of HTTP.
application type
no application
Syntax Description
type
Application type. Enter one of the following:
• bypass - Bypasses the matching of the content rule and sends the request directly to the origin server
• http (default) - Processes HTTP data streams
• ftp-control - Processes FTP data streams
• sip - Processes Session Initiation Protocol (SIP) data streams
• ssl - Processes Secure Sockets Layer (SSL) protocol data streams

Similar Messages

  • CSS with single SSL module.. balance option needed?

    Hi all,
    Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
    For example, if I have an L5 content rule like the one below and only one SSL module, should I remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the SSL proxy list offloads traffic to, and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there?
      content DEVCOM_TCP443_L5
        vip address x.x.x.x
        application ssl
        advanced-balance ssl
        protocol tcp
        port 443
        url "//dev.subdomain.domain.com/*"
        add service ssl_module1
        active
    I have read various forum postings and I read the CSS SSL config guide but the examples all seem to differ in their implementation.
    Many thanks
    Scott

    You're correct.
    There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
    Gilles.

  • ACE - Balance HTTP and sticky only SSL/TLS

    Hi there,
    I have a situation that I am trying to solve. We have a lot of services through ACE, but now I have to modify one of them, PROXY servers.
    I have six (6) servers working with Sticky, but with a MASK 255.255.255.0, which sometimes produces an unbalanced situation, and that affects some servers depending on how many users are connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have around 700 /24 subnets.
    I want to modify the configuration, specifically the MASK to 255.255.255.255, which is going to increase Sticky resources a lot. But thinking of optimizing Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kinds of SSL/TLS traffic (always using port 80 through proxy servers), so I could use Sticky only for connections that need it, and leave other HTTP traffic without this feature.
    I'm sorry, maybe I'm asking a silly question, but I don't have the experience to make this configuration, and I will appreciate your help.
    Here is the actual configuration:
    probe tcp HTTP
      description Keepalive web servers
      interval 20
      passdetect interval 30
    rserver host Server1
      ip address 10.1.1.1
      inservice
    rserver host Server2
      ip address 10.1.1.2
      inservice
    rserver host Server3
      ip address 10.1.1.3
      inservice
    rserver host Server4
      ip address 10.1.1.4
      inservice
    rserver host Server5
      ip address 10.1.1.5
      inservice
    rserver host Server6
      ip address 10.1.1.6
      inservice
    serverfarm host PRX
      failaction purge
      predictor leastconns
      probe HTTP
      rserver Server1
        inservice
      rserver Server2
         inservice
      rserver Server3
        inservice
      rserver Server4
        inservice
      rserver Server5
        inservice
      rserver Server6
        inservice
    sticky ip-netmask 255.255.255.0 address source sticky-PRX
      timeout 60
      serverfarm PRX
    class-map match-any VIP-PRX
      2 match virtual-address 10.10.10.101 tcp eq www
    policy-map type loadbalance first-match POLICY-L7-PRX
      class class-default
        sticky-serverfarm sticky-PRX
    policy-map multi-match PRX-Balance
      class VIP-PRX
        loadbalance vip inservice
        loadbalance policy POLICY-L7-PRX
        loadbalance vip icmp-reply
    interface vlan 100
      ip address 10.10.10.11 255.255.255.0
      alias 10.10.10.10 255.255.255.0
      peer ip address 10.10.10.12 255.255.255.0
      no normalization
      access-group output SOLO-SLB
      service-policy input PRX-Balance
    Thanks
    Alexis

    You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon

  • Load Balancing with a CSM & SSL Module

    I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
    Thanks..

    Hi David,
    Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
    2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
    Sachin garg

  • HTTPS Keepalive with the CSM & SSL Module

    Has anyone had any success getting a secured web page for a keepalive using the CSM with an SSL module? If so, can you post an example?
    Thank you,
    Dave

    Hi David,
    Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
    2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
    Sachin garg

  • HTTPS and SSL with CSS (No SSL Module)

    Hi,
    My customers have two servers and need to load balance.
    These servers initiate SSL.
    and VIP address is :
    https://erpappl.erp.mis.blabla.tgc:8005
    My CSS has no SSL module. And the configuration is:
    service venice
    ip address 10.200.104.32
    protocol tcp
    port 8005
    keepalive type tcp
    keepalive port 8005
    redundant-index 120
    active
    service calgary
    ip address 10.200.104.33
    protocol tcp
    port 8005
    keepalive type tcp
    keepalive port 8005
    redundant-index 121
    active
    owner ERPAPPL
    content erpapp_test
    add service venice
    add service calgary
    redundant-index 60
    vip address 10.200.104.28
    protocol tcp
    port 8005
    url "/*"
    arrowpoint-cookie expiration 00:00:03:00
    advanced-balance arrowpoint-cookie
    application ssl
    active
    After this configuration I cannot reach the URL shown above.
    Can you help me?

    If this is encrypted traffic [HTTPS] the CSS can't see the content of the packet.
    So the CSS can't see the url [-> so the command url "/*" is incorrect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
    If we sell an SSL module, there is a reason :-)
    The only sticky options you can use are:
    - sticky based on srcip
    - sticky on sslid
    The first option [srcip] has a problem with mega proxy [many users being NATed with the same IP] and the 2nd option has the problem that it only works with SSLV2 and that some browsers do not use the sslid.
    Gilles.
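As an added illustration of the reply above (not code from the thread or from Cisco): a small Python model of what a balancer without SSL termination can key on, namely the source IP or the session ID carried in the cleartext hello. The `Balancer` class, the helper names, the addresses and the SSLv3/TLS-layout hello records are constructed for this example; only the service names `venice` and `calgary` come from the post.

```python
import struct
from collections import Counter

SERVERS = ["venice", "calgary"]  # service names from the post; all other data is constructed


def hello_session_id(record: bytes) -> bytes:
    """Session ID from a cleartext ClientHello (type 1) or ServerHello (type 2)."""
    if len(record) < 5 or record[0] != 0x16:  # 0x16 = handshake record
        raise ValueError("not a handshake record (encrypted payload is opaque)")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 39 or body[0] not in (1, 2):
        raise ValueError("not a complete ClientHello/ServerHello")
    # handshake header (4) + version (2) + random (32): length byte sits at offset 38
    sid_len = body[38]
    sid = body[39:39 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        raise ValueError("bad session ID length")
    return sid


def make_hello(msg_type: int, session_id: bytes) -> bytes:
    """Build a minimal hello record as constructed test data (not a capture)."""
    body = b"\x03\x00" + bytes(32) + bytes([len(session_id)]) + session_id
    if msg_type == 1:
        body += b"\x00\x02\x00\x05" + b"\x01\x00"  # one cipher suite, null compression
    else:
        body += b"\x00\x05" + b"\x00"  # chosen suite, null compression
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


class Balancer:
    """Round-robin with an optional sticky key (source IP or SSL session ID)."""

    def __init__(self, servers):
        self.servers, self.sticky, self.rr = servers, {}, 0

    def pick(self, key=None):
        if key is not None and key in self.sticky:
            return self.sticky[key]
        server = self.servers[self.rr % len(self.servers)]
        self.rr += 1
        if key is not None:
            self.sticky[key] = server
        return server

    def learn(self, key, server):
        self.sticky[key] = server  # e.g. the ID seen in the ServerHello


def srcip_demo():
    """Four users NATed behind one address plus one direct user."""
    lb = Balancer(SERVERS)
    sources = ["203.0.113.7"] * 4 + ["198.51.100.9"]
    return Counter(lb.pick(ip) for ip in sources)


def sslid_demo():
    lb = Balancer(SERVERS)
    # New session: the ClientHello ID is empty, the server issues one in its hello.
    first = lb.pick(hello_session_id(make_hello(1, b"")) or None)
    issued = hello_session_id(make_hello(2, b"\xaa" * 32))
    lb.learn(issued, first)
    lb.pick()  # an unrelated connection advances the round-robin pointer
    resumed = lb.pick(hello_session_id(make_hello(1, issued)) or None)
    # A client that never offers the ID again looks new on every connection.
    no_id = [lb.pick(hello_session_id(make_hello(1, b"")) or None) for _ in range(2)]
    return first, resumed, no_id


if __name__ == "__main__":
    print(srcip_demo())
    print(sslid_demo())
```

The source-IP run puts all four NATed users on one server, and the session-ID run keeps a resuming client on its server while a client that never offers the ID is balanced afresh each time.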

  • Using SSL Module to Encrypt HTTP post to external Server

    I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?

    This is possible.
    It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
    If your server is very powerful and far from being used to its maximum capacity, you can do it on the server.
    Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform some *smart* loadbalancing before it gets encrypted by the SSL module.
    [ie: cookie stickiness, url hashing, ...]
    Regards,
    Gilles.

  • CSS without SSL Module needing sticky sessions

    Hello All,
    If anyone can help with this sticky situation I'd appreciate it.
    I have a customer with a CSS11501. He does not have an SSL module installed.
    He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want stick to the same server.
    I've configured the following:-
    service web1
    protocol tcp
    port 443
    keepalive type tcp
    ip address 192.168.200.50
    string web1
    active
    service web2
    protocol tcp
    port 443
    keepalive type tcp
    ip address 192.168.200.51
    string web2
    active
    content SSL_Web
    add service web1
    add service web2
    protocol tcp
    port 443
    vip address 1.2.3.4
    application ssl
    advanced-balance sticky-srcip-dstport
    active
    group web_Farm
      add service web1
      add service web2
      vip address 1.2.3.4
      active
    I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
    Once the customer turns off the second blade, all is ok.
    I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
    Best Regards Tony

    Tony,
    The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
    Regards
    Jim

  • How to Filter Initial Client HTTP Headers on a CSS11506 SSL module

    Is there any way to filter the initial client headers on a css11506 ssl module ?? (software version 8.1)
    This is one of the default options on the "old" SCA11000 appliances.

    Douglas, with an SSL module, the CSS can decrypt HTTPS traffic and see the cleartext HTTP traffic.
    We can then apply any rules to the header.
    I think in this case, the question referred to some data injected in the http header by the CSS and filter what data from the client certificate should be dropped or inserted.
    We currently do not have this option on the CSS.
    Gilles.

  • Header Insert Statistics on SSL Module

    Hi,
    I use an SSL Module running SW 2.1.8. Within the output of "sh ssl-proxy stats hdr" I have a lot of "Service Errors" without any configured http header insertion policy.
    Any idea what could cause this ??
    Any answer is appreciated.
    Volker Kreisel
    Header Insert Statistics:
    Session Headers Inserted : 0          Custom Headers Inserted  : 0
    Session Id's Inserted    : 0          Client Cert. Inserted    : 0
    Client IP/Port Inserted  : 0
    No End of Hdr Detected   : 0          Payload no HTTP header   : 0
    Desc Alloc Failed        : 0          Buffer Alloc Failed      : 0
    Client Cert Errors       : 0          Malloc failed            : 0
    Service Errors           : 28730384   Conn Entry Invalid       : 0
    Buffers allocated        : 0          Buffers Scanned          : 0
    Insertion Points Found   : 0          Header Overflow          : 0
    End of Header Found      : 0          Buffers Accumulated      : 0

    CSCsb82589
    show ssl-proxy stats hdr counter Service Errors is erroneously increment
    This has been fixed in 3.1.1 and will be fixed soon in the next 2.1 release.
    Regards,
    Gilles.

  • How many ssl modules are needed for a redundant configuration?

    Hi, apologies but I can't seem to find a definite answer for this question. I have two css 11506's set up using vip/virtual interface redundancy (active/standby). Each css 11506 has a single ssl module.
    Is this adequate for ssl redundancy? I've read in this forum that if an ssl module fails, the css will reboot causing failover to the standby css so ssl connections will simply reset and as long as I have ASR set up on the back end http content, users will not notice the failover.
    Am I correct in this thinking or do you recommend using two ssl modules in each css? Thinking there is that if one ssl module fails, there will still be a 2nd module to handle ssl traffic and the css's will not failover.
    Thanks
    -Dan

    There is no need for 2 modules.
    You would use 2 modules if you need more power [handle more connections].
    However, your assumption is incorrect.
    Nowadays, there is no device in the world [cisco and non-cisco] that can do SSL stateful failover.
    In other words, upon failure, all SSL users will have to restart their connection.
    Gilles.

  • SSL module - does server key must have a password?

    Hi,
    I'm trying to install a server certificate, PEM formatted, into the SSL module. The key I've received is stripped of the challenge password. Is it possible to import such a key without a pass? "crypto ca import server.com PEM terminal xxx" seems to not allow for this.
    tia

    Yes, the SSL module must have a password for the server key. It is not possible to import the key without the password.

  • CSS 115xx and SSL module.

    Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handling our external web sites. We are starting to run out of external IP addresses. If we installed the SSL module and terminated the certificates on the CSS, would we be able to read the SSL header and utilize 1 IP for multiple SSL sites?
    thx
    -Rich

    Check the URL: Overview of CSS SSL:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
    Examples of CSS SSL Configurations:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html

  • CSS - 11506 - Adding New SSL Services on Single SSL Modules

    Hi,
    We have one pair of CSS 11506s. Currently SSL services are running on slot 4 with a single SSL module. Now we are planning to add one more SSL application with different certificates & keys on a different VIP.
    Can we use the same slot 4 for the new application, using different certificates & keys on the same SSL module? Your response is appreciated.

    Hi Sean,
    Thanks for replying back. I just want a few clarifications on the configuration part.
    1. If a new vlan is given for the new application, then how do we point routes to the new vlan, as default routes to the existing vlan are already present?
    2. I've prepared a sample config template with detailed steps; let us know whether it will work, and if changes are required kindly let us know.
    1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
    /home/johndoe
    2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
    Connecting
    Completed successfully
    3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
    Connecting
    Completed successfully
    4.Enter configuration mode.
    # config
    (config) #
    4. To use RSA public key exchange and authentication:
    a. Associate the imported RSA certificate with a file.
    (config) # ssl associate cert myrsacert1 rsacert.pem
    b. Associate the imported RSA key pair with a file.
    (config) # ssl associate rsakey myrsakey1 rsakey.pem
    5. Compare the public key in the associated certificate with the public key
    stored with the associated private key and verify that they are identical.
    (config) # ssl verify myrsacert1 myrsakey1
    Certificate mycert1 matches key mykey1
    ssl associate rsakey NEWKEY newkey.pem
    ssl associate cert NEWCERT newcert.pem
    !************************* INTERFACE *************************
    interface 3/3
    description "****WEB SIDE****"
    bridge vlan _ID_X.X.X.X
    bridge port-fast enable
    interface 3/4
    bridge vlan_ID_Y.Y.Y.Y
    bridge port-fast enable
    description "****PIX SIDE****"
    !************************** CIRCUIT **************************
    circuit VLAN_ID_X
    ip address A.A.A.A B.B.B.0
    ip virtual-router 2 priority 101 preempt
    ip redundant-interface 3 C.C.C.C
    ip critical-service 3 chk-con-pix_Y.Y.Y.Y
    ip critical-service 3 chk-con-web_X.X.X.X
    circuit VLAN_ID_Y
    ip address D.D.D.D E.E.E.0
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 4 F.F.F.F
    ip critical-service 4 chk-con-pix_Y.Y.Y.Y
    ip critical-service 4 chk-con-web_X.X.X.X
    !*********************** SSL PROXY LIST ***********************
    ssl-proxy-list NEW
    ssl-server 20
    ssl-server 20 vip address F.F.F.F
    ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
    ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
    ssl-server 20 rsacert NEWCERT
    ssl-server 20 rsakey NEWKEY
    active
    !************************** SERVICE **************************
    service FRONT_SSL
    type ssl-accel
    slot 4
    keepalive type none
    add ssl-proxy-list NEW
    active
    service WEBSERVER-03
    ip address G.G.G.G
    redundant-index 3
    protocol tcp
    port 80
    active
    service WEBSERVER-04
    ip address H.H.H.H
    redundant-index 4
    protocol tcp
    port 80
    active
    service chk-con-pix_Y.Y.Y.Y
    keepalive type script ap-kal-pinglist "N.N.N.N"
    ip address J.J.J.J
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    service chk-con-web_X
    ip address K.K.K.K
    keepalive type script ap-kal-pinglist "P.P.P.P"
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    !*************************** OWNER ***************************
    owner NEW
    content BACKNEW_HTTP
    vip address F.F.F.F
    add service WEBSERVER-03
    add service WEBSERVER-04
    protocol tcp
    port 81
    url "/*"
    redundant-index 5
    no persistent
    active
    content FRONTENDNEW_SSL
    vip address F.F.F.F
    protocol tcp
    port 443
    application ssl
    add service FRONT_SSL
    active
    content NEW
    url "//www.ABC.com/*"
    vip address F.F.F.F
    protocol tcp
    port 80
    redundant-index 4
    redirect "https://ABC.com"
    active
    Your reply on this would be highly appreciated.

  • Issue in setting flex app in load balanced environment using SSL

    I have developed the dashboard in my application using Flex 3.0. For this I have used a JSP wrapper around the Flex application. My application runs on the JBoss application server. For communication between the Flex app and my application I am using LCDS. The HTTPService component is being used to receive data from the server. Channel definitions are given in service-config.xml for amf and http channels, for both secure and non-secure mode. In my proxy-config.xml I have defined channels and destinations.
    services-config.xml
    <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
        <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
        <properties>
              <polling-enabled>false</polling-enabled>
        </properties>
    </channel-definition>
    <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
        <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
        <properties>
              <add-no-cache-headers>false</add-no-cache-headers>
        </properties>
    </channel-definition>
    <channel-definition id="my-http" class="mx.messaging.channels.HTTPChannel">
        <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/http" class="flex.messaging.endpoints.HTTPEndpoint"/>
    </channel-definition>
    <channel-definition id="my-secure-http" class="mx.messaging.channels.SecureHTTPChannel">
        <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure" class="flex.messaging.endpoints.SecureHTTPEndpoint"/>
        <properties>
            <add-no-cache-headers>false</add-no-cache-headers>
        </properties>
    </channel-definition>
    proxy-config.xml
    <default-channels>
        <channel ref="my-http"/>
        <channel ref="my-amf"/>
        <channel ref="my-secure-http"/>
        <channel ref="my-secure-amf"/>
    </default-channels>
    <destination id="dashboardService">
        <properties>
    <url>/kr/servlet/DashboardServlet</url>
        </properties>
    </destination>
    <destination id="dashboardJSPService">
        <properties>
    <url>/kr/krportal/dashboardJSPService.jsf</url>
        </properties>
    </destination>
    In my development environment both secure and non secure mode were working fine. Now when I have deployed it behind the load balancer(which accepts secure requests only and if the request is not secure it redirects it to secure url) there is no response from the message broker servlet. One thing more I have observed is when the environment is non load balanced there are request like 'http://{server.name}:{server.port}/{context.root}/messagebroker/http'. and these requests are post request. But in load balanced environment with ssl the request is again like 'http://{server.name}:{server.port}/{context.root}/messagebroker/http' which is a post request and it is redirected to 'https://{server.name}:{server.port}/{context.root}/messagebroker/http' which is a get request. The content returned by this get request is null.
    Looking for some comments
    Thanks
    Abhishek Gupta

    If the load balancing environment is already well configured, the rest is very easy; there is no difference between a configuration of a load balancing environment and a simple one, for you that is transparent, except the manual deployment and manual copying
    of files in the directory 15
