HTTPS VIP to HTTPS

Is it possible to do load-balancing (CSS 11503) from an HTTPS VIP to other HTTPS servers? If yes, please provide examples. I do not have an SSL module.

Can't you simply configure the services that you want to use on the content rule?
Or are the services behind a remote CSS and you need a redirect?
Because traffic is encrypted and you have no SSL module, you are very limited in what you can do.
Basically, all you can do is route and NAT.
Gilles.

Similar Messages

  • Problem accessing VIP via HTTP from service servers

    I thought I had a pretty simple config on my CSS11501, but have run into an issue I'm having trouble resolving.
    I have two unix webservers (IPs are .99 and .100) on ports e1 and e2, and my uplink for the CSS is on port e8.
    The CSS has a VIP address (.105) that load balances HTTP requests to .99 and .100.
    From .99 and .100 I can ping the VIP address - and from outside the CSS - almost everything works great for the site I'm hosting on .105.
    I do have two web pages however that attempt to make calls directly to the VIP address - I noticed I can't load those pages.
    Nor can I just browse the website on the VIP address from either of the servers. The webservers can browse their own pages via IP, and each other's pages via IP.
    Just not pages on the VIP.
    I think it may be a case of the servers thinking that IP spoofing is occurring - or maybe I missed something simple in the config.
    Here's what I see in a 'show flows' when I try to browse the VIP address (.105) from the .100 server.
    Src Address     SPort  Dst Address     DPort  NAT Dst Address  Prt  InPort  OutPort
    65.207.212.100  53758  65.207.212.105  80     65.207.212.100   TCP  e2      e2
    65.207.212.100  80     65.207.212.100  53758  65.207.212.100   TCP  e2      e2
    Since it appears that the CSS NATs the request to the same IP the server is using, will the reply from the server ever make it back to the CSS?
    Or does it think that it shouldn't need to reply, because it is that IP?
    Should I be able to browse the VIP site from the webservers?
    Below is the full CSS config if someone can help me figure this out.
    Thanks in advance for any and all help.
    Paul
    CSS11501# show run
    !Generated on 08/30/2005 12:08:11
    !Active version: sg0750004
    configure
    !*************************** GLOBAL ***************************
    no restrict web-mgmt
    acl enable
    logging subsystem acl level debug-7
    ip route 0.0.0.0 0.0.0.0 65.207.212.1 1
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 65.207.212.104 255.255.255.0
    !************************** SERVICE **************************
    service www2
    keepalive type tcp
    keepalive port 80
    ip address 65.207.212.99
    active
    service www3
    keepalive type tcp
    keepalive port 80
    ip address 65.207.212.100
    active
    !*************************** OWNER ***************************
    owner WWW
    content rule1
    vip address 65.207.212.105
    add service www2
    add service www3
    port 80
    protocol tcp
    advanced-balance sticky-srcip-dstport
    active
    !**************************** ACL ****************************
    acl 1
    clause 10 permit any any destination any
    apply circuit-(VLAN1)

    Paul,
    simple config and well-known basic mistake :-)
    If a server tries to access the vip, the css will forward the request to the same server or the other one.
    Both ways, the response from the server will go directly to the client-server, bypassing the CSS.
    For this to work, you need to do client nat so the server making the HTTP connection appears to be coming from the CSS.
    Create a group like this
    group servernat
    vip address 65.207.212.105
    active
    and add the following to your ACL (the sourcegroup name must match the group, and the content is referenced as owner/rule)
    clause 5 permit any 65.207.212.99 destination content WWW/rule1 sourcegroup servernat
    Do a similar clause for the 2nd server.
    re-apply the acl.
    Everything should work now.
    Gilles.
    Thanks for rating.
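
The failure Gilles describes, modelled in Python as an added example (this is not CSS code and not from the thread): two servers on one subnet, a VIP held by the CSS, and one of the servers acting as the client. The addresses and the client port 53758 are taken from Paul's post; the 40000+ port range the model uses for the source-group PAT is an assumption. The model shows why the reply bypasses the CSS whichever server is chosen, including the case where the CSS hands the request back to the client itself, and why source-NATing to the VIP fixes it.

```python
from dataclasses import dataclass

VIP = "65.207.212.105"
VIP_PORT = 80
SERVERS = ("65.207.212.99", "65.207.212.100")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" for SYN, "SA" for SYN+ACK


class Host:
    """A web server; in this scenario it is also the client that opens the connection."""

    def __init__(self, ip):
        self.ip = ip
        self.expected = None  # 4-tuple the SYN+ACK must carry to be accepted

    def connect(self, dst, dport, sport=53758):
        # The client remembers exactly whom it talked to: VIP:80 from its own ip:sport.
        self.expected = (dst, dport, self.ip, sport)
        return Packet(self.ip, sport, dst, dport, "S")

    def serve(self, syn):
        # Server side of the handshake: answer whatever the source address says.
        return Packet(syn.dst, syn.dport, syn.src, syn.sport, "SA")

    def accepts(self, pkt):
        return pkt.flags == "SA" and (pkt.src, pkt.sport, pkt.dst, pkt.dport) == self.expected


class CssLike:
    """Content rule with destination NAT; client_nat adds the 'sourcegroup' source NAT."""

    def __init__(self, client_nat):
        self.client_nat = client_nat
        self.next_port = 40000  # assumed PAT range for the source group
        self.flows = {}         # return-path key -> (client_ip, client_port)

    def to_server(self, syn, server):
        if self.client_nat:
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.flows[(server, VIP, nat_port)] = (syn.src, syn.sport)
            return Packet(VIP, nat_port, server, VIP_PORT, "S")
        # Plain DNAT keeps the client address, so the server will answer the client directly.
        self.flows[(server, syn.src, syn.sport)] = (syn.src, syn.sport)
        return Packet(syn.src, syn.sport, server, VIP_PORT, "S")

    def from_server(self, synack):
        client_ip, client_port = self.flows[(synack.src, synack.dst, synack.dport)]
        return Packet(VIP, VIP_PORT, client_ip, client_port, "SA")


def handshake(client_ip, chosen_server, client_nat):
    """True if the server's SYN+ACK reaches the client with the 4-tuple it expects."""
    hosts = {ip: Host(ip) for ip in SERVERS}
    css = CssLike(client_nat)

    syn = hosts[client_ip].connect(VIP, VIP_PORT)   # client -> VIP:80
    syn = css.to_server(syn, chosen_server)          # CSS rewrites and forwards
    synack = hosts[syn.dst].serve(syn)               # server answers the source it saw
    # Same-subnet delivery: only a packet addressed to the VIP passes back through the CSS.
    if synack.dst == VIP:
        synack = css.from_server(synack)
    return hosts[client_ip].accepts(synack)


def matrix(client_nat):
    """Every (client, chosen server) pair, including the CSS picking the client itself."""
    return {(c, s): handshake(c, s, client_nat) for c in SERVERS for s in SERVERS}


if __name__ == "__main__":
    for nat in (False, True):
        print("client nat" if nat else "no client nat", matrix(nat))
```

Without the source group every combination fails, because the SYN+ACK arrives from the real server address instead of the VIP and the client's stack discards it; with the source group the reply is addressed to the VIP, so it must cross the CSS, which restores the original tuple.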

  • Load balancing FTP/HTTP on same VIP

    Hi,
    Please could someone confirm if it is possible to load balance FTP and HTTP on the same VIP? Would something like this work in a one-armed design?
    class-map match-any WCVS
      2 match virtual-address 20.0.0.1 tcp eq www
      4 match virtual-address 20.0.0.1 tcp eq ftp
    policy-map multi-match int3
      class WCVS
        loadbalance vip inservice
        loadbalance policy VS-l7slb
        inspect ftp
        nat dynamic 5 vlan 20
    int vl20
    service-policy input int3

    Hello,
    I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used.  The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP.  Below is your config with some modifications.  I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map.  There is one line that I would like you to remove and see if it works.  If it does not, then add this line and see if it works.
    Let me know how it goes...
    logging enable
    logging buffered 6
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    probe http Probe_HTTP
      interval 5
      passdetect interval 60
      expect status 200 200
      open 2
      receive 2
    probe tcp Probe_FTP
      port 21
      interval 5
      passdetect interval 60
      open 2
      receive 2
    rserver host Server1
      ip address 10.10.10.10
      conn-limit max 4000000 min 4000000
      inservice
    rserver host Server2
      ip address 10.10.10.11
      conn-limit max 4000000 min 4000000
      inservice
    serverfarm host FARM-HTTP
      probe Probe_HTTP
      rserver Server1 80
        conn-limit max 4000000 min 4000000
        inservice
      rserver Server2 80
        conn-limit max 4000000 min 4000000
        inservice
    serverfarm host FARM-FTP
      probe Probe_FTP
      rserver Server1
        conn-limit max 4000000 min 4000000
        inservice
      rserver Server2
        conn-limit max 4000000 min 4000000
        inservice
    sticky http-cookie XXX_tempCookie XXX_tempCookie
      cookie insert
      serverfarm FARM-HTTP
    class-map type management match-any Management
      201 match protocol http any
      202 match protocol https any
      203 match protocol icmp any
      204 match protocol kalap-udp any
      205 match protocol ssh any
      206 match protocol telnet any
      207 match protocol xml-https any
    class-map match-any XXX-WCVS-WWW
      2 match virtual-address 10.10.10.100 tcp eq www
    class-map match-any XXX-WCVS-FTP
      2 match virtual-address 10.10.10.100 tcp eq ftp
      3 match virtual-address 10.10.10.100 tcp range 1023 65535   <-- try first without this, then with this
    class-map match-any NAT-VIP
      2 match destination-address 10.10.10.100 255.255.255.255
    policy-map type management first-match Management
      class Management
        permit
    policy-map type loadbalance first-match XXX_VS-l7slb-WWW
      class class-default
        sticky-serverfarm XXX_tempCookie
    policy-map type loadbalance first-match XXX_VS-l7slb-FTP
      class class-default
        serverfarm FARM-FTP
    policy-map multi-match int3
      class XXX-WCVS-WWW
        loadbalance vip inservice
        loadbalance policy XXX_VS-l7slb-WWW
      class XXX-WCVS-FTP   
        loadbalance vip inservice
        loadbalance policy XXX_VS-l7slb-FTP
        inspect ftp   
      class NAT-VIP
        nat dynamic 5 vlan 12
    interface vlan 12
      ip address 10.10.10.1 255.255.255.0
      alias 10.10.10.3 255.255.255.0
      peer ip address 10.10.10.2 255.255.255.0
      access-group input ALL
      nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
      service-policy input Management
      service-policy input int3
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.10.10.254

  • HTTP/HTTPS on the same ACE VIP - best practice

    I currently have a VIP representing one server farm that contains two http servers:-
    class-map match-all VIP-HTTP-xxxxx.co.uk
    2 match virtual-address 10.79.18.10 tcp eq www
    class-map match-all VIP-SSL-xxxxx.co.uk
    2 match virtual-address 10.79.18.10 tcp eq https
    I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
    The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
    I have a couple of queries with regards to URL re-writes:-
    1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
    ssl url rewrite location "www\.cisco\.com\secure-forms"
    2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
    Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
    Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
    Any advice or personal experiences would be gratefully received.
    Thanks
    Matthew

    Back again!
    Could someone possibly cast their eye over the following config?
    The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
    rserver host server1
      description *** HTTP server 1 ***
      ip address 10.100.194.2
      inservice
    rserver host server2
      description *** HTTP server 2 ***
      ip address 10.100.194.3
      inservice
    rserver redirect REDIRECT_TO_HTTPS
      webhost-redirection https://www.website.co.uk/%p 302
      inservice
    rserver redirect REDIRECT_TO_HTTP
      webhost-redirection http://www.website.co.uk/%p 302
      inservice
    class-map type http loadbalance Secure_Pages
      match http url /secure.*
    class-map type http loadbalance Non-Secure_Pages
      *** DO NOT *** match http url /secure.*
    class-map match-all VIP-HTTP-website.co.uk
      2 match virtual-address 10.79.18.10 tcp eq www
    class-map match-all VIP-SSL-website.co.uk
      2 match virtual-address 10.79.18.10 tcp eq https
    policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
      class Secure_Pages
        serverfarm REDIRECT_TO_HTTPS
      class class-default
        serverfarm serverfarm-website.co.uk
    policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
      class Non-Secure_Pages
        serverfarm REDIRECT_TO_HTTP
      class class-default
        serverfarm serverfarm-website.co.uk
    serverfarm host serverfarm-website.co.uk
      failaction purge
      rserver server1 80
        probe PING_SERVER
        probe http-website.co.uk
        inservice
      rserver server2 80
        probe PING_SERVER
        probe http-website.co.uk
        inservice
    serverfarm redirect REDIRECT_TO_HTTPS
      rserver REDIRECT_TO_HTTPS
        inservice
    serverfarm redirect REDIRECT_TO_HTTP
      rserver REDIRECT_TO_HTTP
        inservice
    many thanks
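
Whether or not a negated URL match is available, a first-match policy does not need one: put the positive match first and let class-default, which only ever sees what did not match, carry the redirect. The Python model below is an added example, not ACE configuration from the thread or Cisco code. The class names and redirect targets are Matthew's; the tighter `/secure(/.*)?$` pattern, the `BLANKET_HTTPS_POLICY` used for contrast and the use of Python's `re.match` to stand in for the ACE URL regex are assumptions of the model. It also walks a browser through the resulting 302s to confirm the two VIP policies never bounce a request back and forth.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LbClass:
    """One 'class' entry of a policy-map type loadbalance first-match."""
    name: str
    url_regex: Optional[str]   # None stands for class-default
    target: str                # "serverfarm", "redirect-http" or "redirect-https"


def first_match(policy, path):
    """First-match semantics: classes are tried in order, class-default takes whatever is left."""
    for cls in policy:
        if cls.url_regex is None or re.match(cls.url_regex, path):
            return cls
    raise LookupError("policy has no class-default")


# The thread's /secure.* would also match /securely-public; anchoring on the directory is tighter.
SECURE_AREA = r"/secure(/.*)?$"

# Port 80 VIP: only the secure area is bounced to https (the VIP-LB-HTTP policy above).
HTTP_POLICY = [
    LbClass("Secure_Pages", SECURE_AREA, "redirect-https"),
    LbClass("class-default", None, "serverfarm"),
]

# Port 443 VIP: no negated match is needed. Match the secure area first and serve it;
# class-default only ever sees what did NOT match, so it can carry the redirect back to http.
HTTPS_POLICY = [
    LbClass("Secure_Pages", SECURE_AREA, "serverfarm"),
    LbClass("class-default", None, "redirect-http"),
]

# For contrast (assumed, not from the thread): "everything on 443 goes back to http".
BLANKET_HTTPS_POLICY = [
    LbClass("class-default", None, "redirect-http"),
]


def follow(scheme, path, policies, max_hops=5):
    """Walk a browser through the 302s; webhost-redirection with %p keeps the path unchanged.

    policies maps "http"/"https" to the policy applied on that VIP.
    Returns (final_scheme, redirects_followed), or raises RuntimeError on a loop.
    """
    seen = set()
    hops = 0
    while True:
        if (scheme, path) in seen or hops > max_hops:
            raise RuntimeError(f"redirect loop at {scheme}://www.website.co.uk{path}")
        seen.add((scheme, path))
        cls = first_match(policies[scheme], path)
        if cls.target == "serverfarm":
            return scheme, hops
        scheme = cls.target.split("-", 1)[1]   # "redirect-https" -> "https"
        hops += 1


def loops(scheme, path, policies):
    """True if following the redirects from this URL never reaches a serverfarm."""
    try:
        follow(scheme, path, policies)
        return False
    except RuntimeError:
        return True


GOOD = {"http": HTTP_POLICY, "https": HTTPS_POLICY}
BAD = {"http": HTTP_POLICY, "https": BLANKET_HTTPS_POLICY}

if __name__ == "__main__":
    for url in ("/index.html", "/secure/form.html", "/securely-public.html"):
        for scheme in ("http", "https"):
            print(scheme, url, "->", follow(scheme, url, GOOD))
    print("blanket 443 policy loops on /secure:", loops("https", "/secure/form.html", BAD))
```

With the ordered policies every URL settles after at most one redirect; the blanket policy sends `/secure` on 443 to port 80, where the HTTP policy sends it straight back, which is the loop the positive-first ordering avoids.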

  • Can multiple HTTP redirects be applied to the same VIP

    Greetings all,
    My customer would like to have two redirects to be applied to the same VIP.
    Example:
    VIP configured name is https://test.company.com
    redirect the following:
    http://site1.company.com to https://test.company.com
    http://site2.company.com to https://test.company.com
    I have applied the redirect of 80 to 443 to many VIPs (one for one), but I have not applied one, where two URL redirects go the same VIP.
    Hope my question makes sense, and I will be glad to provide additional info.
    Thanks,
    raman

    Hi Raman,
    There can be only one redirect server with one webhost redirection and hence there cannot be two redirect URLs.  I don't think this can be achieved. Best idea would be for the server to issue redirects.
    Regards,
    Kanwal

  • ACE VIP OK HTTP, NOK other TCP port

    Hi,
    we are having issues in configuring load balancing for a TCP port. For HTTP it's working without issues and we have the ACE also balancing for other TCP ports.
    Here goes the relevant config:
    probe http PROBE-HTTP
      interval 5
      passdetect interval 2
      passdetect count 1
      request method get url /idc/
      expect status 200 200
    probe tcp PROBE-TCP
      port 4444
      interval 5
      passdetect interval 10
    rserver host PRD1
      ip address 10.10.10.1
      inservice
    rserver host PRD2
      ip address 10.10.10.2
      inservice
    serverfarm host SF-HTTP
      probe PROBE-HTTP
      rserver PRD1 80
        inservice
      rserver PRD2 80
        inservice
    serverfarm host SF-TCP
      probe PROBE-TCP
      rserver PRD1 4444
        inservice
      rserver PRD2 4444
        inservice
    sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
      timeout 10
      serverfarm SF-HTTP
    class-map match-all NAT-VIP-HTTP
      2 match virtual-address 10.10.35.1 any
    class-map match-all NAT-VIP-TCP
      2 match virtual-address 10.10.35.1 tcp eq 4444
    policy-map type loadbalance first-match LB-VIP-HTTP
      class class-default
        sticky-serverfarm SC-IP-PRD-HTTP
        insert-http x-forward header-value "%is"
    policy-map type loadbalance first-match LB-NAT-VIP-TCP
      class class-default
        serverfarm SF-TCP
    policy-map multi-match POLICY-RSERVER-VIP
      class NAT-VIP-TCP
        loadbalance vip inservice
        loadbalance policy LB-NAT-VIP-TCP
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 200
      class NAT-VIP-HTTP
        loadbalance vip inservice
        loadbalance policy LB-VIP-HTTP
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 200
    interface vlan 200
      description SERVER-SIDE
      ip address 10.10.14.2 255.255.255.0
      alias 10.10.14.1 255.255.255.0
      peer ip address 10.10.14.3 255.255.255.0
      access-group input EVERYONE
      nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
      service-policy input AllowICMP
      service-policy input POLICY-RSERVER-VIP
      no shutdown
    The probes are OK, but nothing seems to get to the VIP:
    ACE/CTX# show probe PROBE-TCP
    probe       : PROBE-TCP
    type        : TCP
    state       : ACTIVE
       port      : 4444    address     : 0.0.0.0         addr type  : -
       interval  : 5       pass intvl  : 10              pass count : 3
       fail count: 3       recv timeout: 10
                           --------------------- probe results --------------------
       probe association   probed-address  probes     failed     passed     health
       ------------------- ---------------+----------+----------+----------+-------
       serverfarm  : SF-TCP
         real      : PRD1[4444]
                           10.10.10.1     8853       1          8852       SUCCESS
         real      : PRD2[4444]
                           10.10.10.2     8853       1          8852       SUCCESS
    ACE/CTX# show serverfarm SF-TCP detail
    serverfarm     : SF-TCP, type: HOST
    total rservers : 2
    active rservers: 2
    description    : -
    state          : ACTIVE
    predictor      : ROUNDROBIN
    failaction     : -
    back-inservice    : 0
    partial-threshold : 0
    num times failover       : 0
    num times back inservice : 1
    total conn-dropcount : 0
    Probe(s) :
        PROBE-TCP,  type = TCP
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: PRD1
           10.10.10.1:4444      8      OPERATIONAL  0          0          0
             max-conns            : -         , out-of-rotation count : -
             min-conns            : -
             conn-rate-limit      : -         , out-of-rotation count : -
             bandwidth-rate-limit : -         , out-of-rotation count : -
             retcode out-of-rotation count : -
             load value           : 0
       rserver: PRD2
           10.10.10.2:4444      8      OPERATIONAL  0          0          0
             max-conns            : -         , out-of-rotation count : -
             min-conns            : -
             conn-rate-limit      : -         , out-of-rotation count : -
             bandwidth-rate-limit : -         , out-of-rotation count : -
             retcode out-of-rotation count : -
             load value           : 0
    ACE/CTX# show service-policy POLICY-RSERVER-VIP
    Status     : ACTIVE
    Interface: vlan 1 200
      service-policy: POLICY-RSERVER-VIP
        class: NAT-VIP-TCP
          nat:
            nat dynamic 1 vlan 200
            curr conns       : 0         , hit count        : 0
            dropped conns    : 0
            client pkt count : 0         , client byte count: 0
            server pkt count : 0         , server byte count: 0
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
          loadbalance:
            L7 loadbalance policy: LB-NAT-VIP-TCP
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            curr conns       : 0         , hit count        : 0
            dropped conns    : 0
            client pkt count : 0         , client byte count: 0
            server pkt count : 0         , server byte count: 0
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
          compression:
            bytes_in  : 0
            bytes_out : 0
    I see a lot of this messages in the logging of the ACE:
    show logging | i 4444
    22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
    22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
    22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
    22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
    22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
    22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
    The client request is going through an ASA; on the ASA side I see that the TCP connection is half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
    Thank you.
    Best regards

    Hi Norberto,
    The log messages you are getting are most probably the probe connections and not a failure; looking at them you will see your ACE is establishing a TCP connection on 4444 and then tearing the connection down with a FIN, which is expected since you are using TCP keepalives.
    I would recommend going back and defining the problem exactly: what are you experiencing when you try to telnet on port 4444 toward the VIP from the client?
    Running sniffing software on the client and the server and enabling capture on the ACE and ASA will give you an exact idea of what you are experiencing.
    Note: The ASA and the ACE have a great capture feature which will show you exactly the packet flows.
    Note: Since you are applying NAT on the client requests, you should see the NATed IP address on the server capture.
    Note: With L4 load balancing the ACE is not spoofing the clients' request, it just forwards the SYN, SYN+ACK and ACK between the server and the client.
    Let me know if you have any other questions.
    Best regards,
    Ahmad
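
Ahmad's point is that a zero-duration connection from the ACE's own interface address to an rserver's port, torn down with FINs, is a keepalive, and that the real question is whether any client connection ever appears at all. The parser below is an added example (not from the thread, not Cisco tooling) that sorts 302022/302023 messages into probes, client hits on the VIP and NATed client connections to the rservers, using the interface, alias, peer, nat-pool and VIP addresses from Norberto's config. The sample contains the six lines he posted plus two constructed lines (client 192.0.2.10 is made up) showing what a genuine client hit would look like; the exact field layout of those two constructed lines is an assumption.

```python
import re
from collections import Counter

# Addresses from the config in the thread.
ACE_OWN = {"10.10.14.2", "10.10.14.1", "10.10.14.3"}   # interface, alias and peer on vlan 200
NAT_POOL = {"10.10.4.6"}                               # nat-pool 1: clients as the rservers see them
VIP = "10.10.35.1"

CONN_RE = re.compile(
    r"%ACE-6-30202(?P<code>[23]): (?P<event>Built|Teardown) TCP connection (?P<cid>0x[0-9a-f]+) "
    r"for (?P<ivlan>vlan\d+):(?P<src>[\d.]+)/(?P<sport>\d+)(?: \([\d.]+/\d+\))? "
    r"to (?P<ovlan>vlan\d+):(?P<dst>[\d.]+)/(?P<dport>\d+)(?: \([\d.]+/\d+\))?"
    r"(?: duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+))?$"
)


def classify(src, dst):
    if src in ACE_OWN and dst != VIP:
        return "probe"              # keepalive sourced by the ACE itself, not a client
    if src in NAT_POOL:
        return "client-to-rserver"  # a load-balanced request after 'nat dynamic 1'
    if dst == VIP:
        return "client-to-vip"      # a client actually reached the VIP
    return "other"


def parse(line):
    """Fields of a 302022/302023 connection message, or None for any other line."""
    m = CONN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["category"] = classify(rec["src"], rec["dst"])
    return rec


def summarize(lines):
    """Count Built connections per category.

    A window whose only entries are probes means the VIP never saw a client SYN,
    however busy the log looks.
    """
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["event"] == "Built":
            counts[rec["category"]] += 1
    return counts


# Lines 1-6 are the ones posted in the thread; lines 7-8 are CONSTRUCTED for illustration.
SAMPLE = [
    "22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs",
    "22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)",
    "22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs",
    "22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)",
    "22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs",
    "22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)",
    # constructed: a client reaching the VIP, then the same request NATed to an rserver
    "22:03:10 : %ACE-6-302022: Built TCP connection 0x1a00 for vlan200:192.0.2.10/51000 (192.0.2.10/51000) to vlan200:10.10.35.1/4444 (10.10.35.1/4444)",
    "22:03:10 : %ACE-6-302022: Built TCP connection 0x1a01 for vlan200:10.10.4.6/1024 (10.10.4.6/1024) to vlan200:10.10.10.1/4444 (10.10.10.1/4444)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it against `show logging` output; if the `client-to-vip` bucket stays at zero while the ASA shows half-open connections, the SYN is being lost before the ACE, which is exactly what the capture Ahmad recommends on both boxes will settle.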

  • Intercepting all http traffic and forwarding to VIP on CSM?

    We would like to intercept all http traffic from clients from all vlans and redirect them to a VIP on the CSM for loadbalancing to 2 proxy servers. Is this possible? I can't seem to find a solution similar to our issue? Please help thanks!

    Thx Giles! Do you mean a policy that uses route-maps with next-hop? So would I point the next-hop address to the CSM client vlan IP? Do you have a support link that covers this in detail? Thx!

  • CSS 11501 Disable plain HTTP to VIP

    Hi,
    How does one disable plaintext http access to the VIP of the 11501? In other words, is it possible to have the device listen _only_ on 443 and not on port 80 for incoming requests? We do not want to provide plain http access to the VIP which is handling SSL encryption/decryption for our backend servers.
    thanks,
    Matt

    Matt,
    take a look at the config in my post 'Sticky Situation with CSS-11503'
    We are set to only take https traffic inbound, and it gets routed through the SSL module for decryption; http traffic gets an error msg if it hits the CSS.
    Hope this helps
    Mark

  • 4710 HTTPs VIP Slow Response

    Hi All
    I am having problems with HTTPs load balanced connections in one arm mode. When we test direct to the servers in the serverfarm, it is 4 times faster than connections through the VIP to the same servers. I have configured ICMP probes direct to the servers, and an HTTPs probe in the serverfarm itself. I'm using predictor 'least bandwidth'. Attached below is the config. I have compared this config to another client site utilising the same design and it looks fine. Also, when we perform the same test at the other client site, we have no problems.... connections direct to the servers and through the LB are the same speed.
    Does anybody have any ideas ?

    Hi,
    First thing to be checked would be whether the ACE is the device responsible for the delay or not. With this in mind, I would recommend you to do a traffic capture on the ACE vlan while doing a test connection. With this capture, you should be able to see where the delay is coming from.
    If you need help analyzing this, you can always open a TAC service request
    Regards
    Daniel

  • Https front end and http backend

    Hi there....I am having a small issue....I have a web app that is https based....I have installed the cert on the CSS, and DNS for this app points to the VIP....the client is wanting to have an https front end, and then load balance in http to the backend servers....the issue I am running into is that this only works if I have an active port 80 rule on that same VIP....if I suspend the port 80 rule and only leave the port 443 rule active on that VIP, it doesn't work....please see appropriate config portions below....Thanks in advance!
    Sandeep
    ANy suggestions? I have been trying this for a couple of days now...it works fine if the backend sessions are also https, but the client has changed their requirement....
    ssl-proxy-list SSL1
    ssl-server 1
    ssl-server 1 rsakey app1-test
    ssl-server 1 rsacert app1-test
    ssl-server 1 vip address 10.19.55.10
    ssl-server 1 cipher rsa-with-rc4-128-md5 10.19.55.10 81
    backend-server 1
    backend-server 1 port 81
    backend-server 1 server-ip 10.19.55.132
    backend-server 1 ip address 10.19.55.132
    backend-server 2
    backend-server 2 port 81
    backend-server 2 server-ip 10.19.55.133
    backend-server 2 ip address 10.19.55.133
    backend-server 3
    backend-server 3 port 83
    backend-server 3 server-ip 10.19.55.132
    backend-server 3 ip address 10.19.55.132
    backend-server 4
    backend-server 4 port 83
    backend-server 4 server-ip 10.19.55.133
    backend-server 4 ip address 10.19.55.133
    backend-server 5
    backend-server 5 port 85
    backend-server 5 server-ip 10.19.55.132
    backend-server 5 ip address 10.19.55.132
    backend-server 6
    backend-server 6 port 85
    backend-server 6 server-ip 10.19.55.133
    backend-server 6 ip address 10.19.55.133
    active
    service webserver002:81
    ip address 10.19.55.132
    port 81
    keepalive port 2199
    keepalive type tcp
    protocol tcp
    active
    service webserver003:81
    ip address 10.19.55.133
    port 81
    keepalive port 2199
    keepalive type tcp
    protocol tcp
    add ssl-proxy-list SSL1
    active
    service webserver002:83
    ip address 10.19.55.132
    port 83
    add ssl-proxy-list SSL1
    keepalive port 2399
    keepalive type tcp
    protocol tcp
    active
    service webserver003:83
    ip address 10.19.55.133
    port 83
    keepalive port 2399
    keepalive type tcp
    protocol tcp
    add ssl-proxy-list SSL1
    active
    service webserver002:85
    ip address 10.19.55.132
    port 85
    add ssl-proxy-list SSL1
    keepalive port 2599
    keepalive type tcp
    protocol tcp
    active
    service webserver003:85
    ip address 10.19.55.133
    port 85
    keepalive port 2599
    keepalive type tcp
    protocol tcp
    add ssl-proxy-list SSL1
    active
    service SSL_Front
    slot 2
    type ssl-accel
    keepalive type none
    add ssl-proxy-list SSL1
    active
    owner app1-test
    content app-test_back
    vip address 10.19.55.10
    add service webserver002:81
    add service webserver003:81
    add service webserver002:83
    add service webserver003:83
    add service webserver002:85
    add service webserver003:85
    balance aca
    protocol tcp
    port 81
    active
    content app1-test_front
    vip address 10.19.55.10
    application ssl
    add service SSL_Front
    protocol tcp
    port 443
    advanced-balance ssl
    balance aca
    active

    Thanks for the quick reply....there is another port 80 rule setup for that vip....I was using that to test with the app until I got the front end https rules working....
    my port 80 rule just says listen to 10.19.55.10 on port 80 and load balance btwn the webservers on port 8x in the back end...
    I am trying to do https front end and http backend....
    no where in my SSL config have I configured port 80....but when I suspend that rule it all fails....
    I am wondering if the backend server sessions are happening properly?
    I don't fully get what you mean by "You need to have the rule in port 443 to match traffic coming from the client and the clear text rule (port 81) to match traffic already decrypted coming from the SSL module"
    Haven't I done that?
    Thanks again!
    Sandeep

  • Load Balance https based on url

    I am trying to configure ACE 4710 to load balance based on the URL. If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456, else the traffic will be sent to server farm 123.
    I attached an image of the topology.
    Ace Config:
    rserver host SRV01_123
      ip address 192.168.1.101
      inservice
    rserver host SRV02_123
      ip address 192.168.1.102
      inservice
    rserver host SRV01_456
      ip address 192.168.1.111
      inservice
    serverfarm host farm_123
      rserver SRV01_123
        inservice
      rserver SRV02_123
        inservice
    serverfarm host farm_456
      rserver SRV01_456
        inservice
    class-map match-all VIP_Application
      2 match virtual-address 192.168.1.10 tcp eq https
    class-map type http loadbalance match-all L7_server_456
      2 match http url /456/
    policy-map type loadbalance http first-match LB_Application
      class L7_server_456
        serverfarm farm_456
      class class-default
        serverfarm farm_123
    policy-map multi-match ServerGroup1_PM
      class VIP_Application
        loadbalance vip inservice
        loadbalance policy LB_Application
        loadbalance vip icmp-reply
    interface vlan 70
      bridge-group 1
      no shutdown
    interface vlan 700
      bridge-group 1
      service-policy input ServerGroup1_PM
      no shutdown
    Thanks

    Hi John,
    If you want to do the offload in the ACE, also called SSL termination, it is a two step process:
    1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.
    2- Create the SSL proxy service where you add these two files and finally add this service under the policy-multimatch for the VIP in question.
    You also need to decide whether you want to keep your server listening on the encrypted port (that would be a two way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decryption process to the ACE (this would be transparent to the client, the site will show up as HTTPS all the time).
    Here you can take a look at the SSL termination process (using clear text port in the backend servers).
    Official Configuration Example
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html
    Cisco Wiki Example
    http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example
    HTH
    Pablo

  • Policy agent using https redirect to AM for authentication

    We are using Access Manager 6 2005Q1.
    Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
    Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP) for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
    All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
    Our load balancer is currently setup as active/failover because it does not support ssl with cookies.
    In our AMAgent.properties file if I set 'com.sun.am.policy.am.loginURL = http://<lb-vip>:80/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>.
    However, if I set 'com.sun.am.policy.am.loginURL = https://<lb-vip>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am NOT redirected to AM and receive 'Forbidden You don't have permission to access /<url> on this server.' Also in the agent log file I see:
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
         2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
         2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
    Interestingly if I set 'com.sun.am.policy.am.loginURL = https://<am-server>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>. In this scenario the only difference is I am bypassing the load balancer.
    Our networking people have monitored the load balancer in front of our AM boxes A/B and see the traffic going to AM in all cases.
    From my standpoint it appears the agent is not able to successfully connect to AM via https when going through the load balancer.
    Any help with this configuration issue is appreciated.

    Bernhard,
    From our AMAgent.properties... com.sun.am.policy.agents.version=2.1. Is there a way for me to tell if this is truly only 2.1 or 2.1-xx?
    Because our LB does not support SSL with cookies we are currently configured as active/failover so all requests are going to the same AM server until it goes down, at which time I know users have to re-authenticate. Also we have set "com.sun.am.loadBalancer_enable = true" in AMAgent.properties.
    We understand your point about loginURL. In fact there are two properties dealing with loginURL, com.sun.am.policy.am.loginURL and com.sun.am.policy.am.library.loginURL. Based on the comments in AMAgent.properties my understanding is that com.sun.am.policy.am.loginURL is where the user is redirected for login when no valid SSO token is found and com.sun.am.policy.am.library.loginURL is what the agent uses to authenticate itself "If the previously specified login URL must be exclusively used for redirecting users..." The interesting part is that if we set com.sun.am.policy.am.loginURL to use http everything works just fine, however if we set it to use https the user never gets redirected. It's almost like the agent is trying to connect there first before doing the redirect and cannot.
    Craig

  • Css stickiness based on the http header

    There is a CSS 11503 that should load balance the traffic between 2 servers running IIS (http port 80). In front of the load balancer there is a reverse proxy that hides all real IP addresses of users that send requests to the web servers.
    The customer would like to have stickiness per user. The reverse proxy can add the user's real IP address to an HTTP header.
    What kind of load balancing mechanism is better to use to fulfill the customer's requirements? HTTP load balancing? If "yes", are there standard field types that it is possible to use?

    You can't do sticky on HTTP header in CSS; the best solution is to insert a cookie for stickiness. Individual clients will get a cookie and will stick based on the cookie presented.
    see:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/Sticky.html#wp1109390
    content testing
      vip address 192.168.128.131
      add service s1
      advanced-balance arrowpoint-cookie
      active

  • How to see the Source IP Address of a client using ACE One-armed-mode to load balance HTTP proxy request

    I'm using an ACE 4710 Appliance deployed in one-armed mode, using source NAT to load balance HTTP requests to a couple of proxy servers.
    Everything is working fine, but the thing is that I can't see the clients' IP addresses in the proxy's logs, so I can't keep track of them.
    The interface and NAT configs are:
    interface vlan 200
      description Server-Side-VLAN
      bridge-group 5
      nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
      service-policy input VIPS
    interface vlan 300
      description Client-Side-VLAN
      bridge-group 5
    interface bvi 5
      ip address 10.1.1.3 255.255.248.0
      description Client-Server-Virtual-Interface
    ip route 0.0.0.0 0.0.0.0 10.1.1.1
    and the policy map looks like this:
    policy-map multi-match VIPS
      class Port80
        loadbalance vip inservice
        loadbalance policy Port80
        nat dynamic 5 vlan 200
    Resource assignment:
    sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
      timeout 5
      serverfarm Service80
    Any suggestions will be appreciated,
    Thanks

    Hi Kanwal,
    Thanks for your quick reply,
    I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
    The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
    But I'll try again tomorrow and let you know how it goes.
    Thank you again.
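    The follow-up above refers to a client-address field that the ACE can insert into the HTTP request once source NAT hides the client from the proxies. The backend must only believe that field when the request really came through the load balancer, because any client can put the same header in its own request. The following is an added example, not from the original thread and not Cisco or Squid code; it assumes the header is X-Forwarded-For and that the only trusted inserter is the ACE NAT pool address 10.1.1.5 from the configuration above (both are assumptions, and the sample requests are constructed).

```python
import ipaddress

# Assumption: the ACE source-NAT address from the thread's nat-pool line.
# Only requests whose TCP peer is this address get to carry a client header.
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.1.5")}

# Assumption: the thread does not name the inserted header; X-Forwarded-For
# is the conventional choice.
CLIENT_IP_HEADER = "x-forwarded-for"


def client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address to log for a request.

    peer_ip is the address the backend's TCP socket sees; headers is the
    request's header map.  The header is honoured only when the peer is a
    trusted proxy, and the right-most entry is used because that is the one
    the trusted hop appended after anything the client may have forged.
    Any malformed value falls back to the peer address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)

    # Case-insensitive header lookup.
    raw = next((v for k, v in headers.items()
                if k.lower() == CLIENT_IP_HEADER), None)
    if not raw:
        return str(peer)

    entries = [p.strip() for p in raw.split(",") if p.strip()]
    if not entries:
        return str(peer)
    try:
        return str(ipaddress.ip_address(entries[-1]))
    except ValueError:
        return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (peer address seen by the proxy, headers).
    samples = [
        ("10.1.1.5", {"X-Forwarded-For": "203.0.113.7"}),            # via ACE
        ("192.0.2.9", {"X-Forwarded-For": "203.0.113.7"}),           # direct, spoofed
        ("10.1.1.5", {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}),   # forged + appended
        ("10.1.1.5", {}),                                            # via ACE, no header
        ("10.1.1.5", {"X-Forwarded-For": "not-an-address"}),         # malformed
    ]
    for peer, hdrs in samples:
        print(f"peer={peer:<12} headers={hdrs} -> log {client_ip(peer, hdrs)}")
```

    The same rule applies on the Squid side: if the proxies log the inserted header, they should restrict the source they accept it from to the ACE's NAT address rather than any peer.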

  • Http probe on non-standard tcp port 8021

    I've configured an HTTP probe on standard port 80 with no issue. I'm now trying an HTTP probe on non-standard TCP port 8021; a packet capture confirms that the CSM is indeed probing and that status code 403 is returned, but the reals are showing "probe failed". Am I missing something? Thank you in advance.
    CSM v2.3(3)2
    probe 8021 http
      request method head
      interval 2
      retries 2
      failed 4
      port 8021
    serverfarm TEST
      nat server
      no nat client
      real 10.1.2.101
        inservice
      real 10.1.2.102
        inservice
      probe 8021
    vserver TEST
      virtual 10.1.2.100 tcp 8021
      serverfarm TEST
      replicate csrp connection
      persistent rebalance
      inservice
    VIP and real status:
    vserver      type  prot  virtual             vlan  state         conns
    Q_MAS_8021   SLB   TCP   10.1.2.100/32:8021  ALL   OUTOFSERVICE  0
    real         server farm  weight  state         conns/hits
    10.1.2.101   TEST         8       PROBE_FAILED  0
    10.1.2.102   TEST         8       PROBE_FAILED  0

    You need to specify what HTTP response code you expect.
    The command is:
    gdufour-cat6k-2(config-slb-probe-http)#expect status ?
    <0-999> expected status - minimum value in a range
    The default is to expect only 200.
    This is why your 403 is not accepted.
    Gilles.
