Loadbalancing SSL on CSS
Hi,
the customer has to load balance SSL traffic which is terminated on the servers' port 8001. But the clients need to communicate on port 443. So the customer provided the following configuration, but it doesn't work. Does anybody know where the problem is? Thank you.
Roman
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 192.168.110.158 1
!************************* INTERFACE *************************
interface e1
description "public-test VIP"
bridge vlan 56
interface e2
description "intra-test"
bridge vlan 57
!************************** CIRCUIT **************************
circuit VLAN56
ip address 192.168.110.131 255.255.255.224
circuit VLAN57
ip address 192.168.110.161 255.255.255.224
!************************** SERVICE **************************
service webt1
ip address 192.168.110.162
protocol tcp
port 8001
keepalive type tcp
keepalive port 8001
active
service webt2
ip address 192.168.110.163
protocol tcp
port 8001
keepalive type tcp
keepalive port 8001
active
!*************************** OWNER ***************************
owner VIST
content webt
add service webt1
add service webt2
protocol tcp
port 443
url "/*"
vip address 192.168.110.129
application ssl
advanced-balance ssl
active
Hello,
the customer again tried the L3 rule:
!*************************** GLOBAL
ip route 0.0.0.0 0.0.0.0 192.168.110.158 1
!************************* INTERFACE
interface e1
description "public-test VIP"
bridge vlan 56
interface e2
description "intra-test"
bridge vlan 57
!************************** CIRCUIT
circuit VLAN56
ip address 192.168.110.131 255.255.255.224
circuit VLAN57
ip address 192.168.110.161 255.255.255.224
!************************** SERVICE
service webt1
ip address 192.168.110.162
protocol tcp
port 8001
keepalive port 8001
keepalive type tcp
active
service webt2
ip address 192.168.110.163
protocol tcp
port 8001
keepalive port 8001
keepalive type tcp
active
!*************************** OWNER
owner VIST
content webt
add service webt1
add service webt2
vip address 192.168.110.129
protocol tcp
port 443
active
!*************************** GROUP
group serverst
vip address 192.168.110.129
add destination service webt1
add destination service webt2
active
but the communication between the client (192.168.110.133) and the server through the CSS didn't work :-( I'm sending you the output from a sniffer between client and CSS (vist11_in); only SYN packets are seen there :-( And I'm sending you the output from tcpdump between CSS and server (vist11_out); some client traffic is not seen there :-(
I don't know why it doesn't work :-( Thank you. Roman.
Similar Messages
-
I have been asked about providing this as a way to secure RDP connections - has anyone done this?
I can see two potential ways, but do not know much about RDP.
How is the SSL part of RDP initialised? Would it be practical to terminate the SSL on the CSS in a similar manner to SSL for HTTP?
The other option would be to "blind" load balance the encrypted traffic straight to the servers, and let them sort SSL.
Thanks,
Paul.
Hi Paul,
what we have done here is to deploy an MS ISA Server farm behind the CSS: the client SSL connection terminates at the ISA external interface, and ISA starts a new internal SSL connection to a MS TS_Gateway. So RDP over SSL traffic is: internet client ---> Firewall ---> CSS ---> ISA farm (in DMZ) ---> Firewall ---> TS_Gateway (internal network) ---> TS Server (internal network)
(see for example: http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx) -
HTTPS and SSL with CSS (No SSL Module)
Hi,
My customers have two server and need to load balance.
These servers initiate SSL.
and VIP address is :
https://erpappl.erp.mis.blabla.tgc:8005
My CSS has no SSL module. And the configuration is:
service venice
ip address 10.200.104.32
protocol tcp
port 8005
keepalive type tcp
keepalive port 8005
redundant-index 120
active
service calgary
ip address 10.200.104.33
protocol tcp
port 8005
keepalive type tcp
keepalive port 8005
redundant-index 121
active
owner ERPAPPL
content erpapp_test
add service venice
add service calgary
redundant-index 60
vip address 10.200.104.28
protocol tcp
port 8005
url "/*"
arrowpoint-cookie expiration 00:00:03:00
advanced-balance arrowpoint-cookie
application ssl
active
After this configuration I cannot reach the URL shown above.
Can you help me?
If this is encrypted traffic [HTTPS], the CSS can't see the content of the packet.
So the CSS can't see the URL [-> so the command url "/*" is incorrect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
If we sell an SSL module, there is a reason :-)
The only sticky options you can use are:
- sticky based on srcip
- sticky on sslid
The first option [srcip] has a problem with mega proxies [many users being NATed with the same IP] and the 2nd option has the problem that it only works with SSLv2 and that some browsers do not use the sslid.
Gilles. -
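An added illustration of Gilles's point (example code written for this page, not from the thread or from Cisco): when the CSS does not terminate SSL, the only per-connection values it can read in the clear are in the TLS ClientHello, so this small parser shows exactly what a balancer can key on, the session ID ("sticky on sslid") and, in newer clients, the SNI host name, and nothing else (no URL, no cookies). The sample hello is constructed inline; the builder exists only to produce test input.

```python
import struct


def build_client_hello(session_id, sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input,
    not a capture). An SNI extension is appended when sni is given."""
    body = b"\x03\x03" + bytes(32)                      # client_version + 32-byte random
    body += bytes([len(session_id)]) + session_id        # session_id <0..32>
    body += b"\x00\x02\xc0\x2f"                          # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                                  # compression_methods: null only
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_ext = struct.pack("!H", len(sn_list)) + sn_list
        ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # extension_type server_name
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'session_id': hex string, 'sni': host name or None} for a
    ClientHello record; raise ValueError for anything else (e.g. plain HTTP)."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                     # skip client_version and random
        sid_len = body[pos]
        pos += 1
        session_id = body[pos:pos + sid_len]             # empty on a fresh (non-resumed) session
        pos += sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                                # skip cipher_suites
        pos += 1 + body[pos]                             # skip compression_methods
        sni = None
        if pos + 2 <= len(body):                         # extensions block is optional
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if etype == 0x0000:                      # server_name: list_len(2) type(1) name_len(2) name
                    name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                    sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
                pos += elen
        return {"session_id": session_id.hex(), "sni": sni}
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
```

A first connection carries an empty session ID, so there is nothing to stick on until the client resumes a session, which is why srcip remains the fallback.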
Will the loadbalancer be fixed to handle SSL for the new OC4J release? Orion 1.5.2 and 1.5.3 currently does not have this fixed.
Just got to the bottom of this problem. If you use openssl s_client, you can try a https:// connection to the oc4j loadbalancer (configured for secure ssl connections). This fails with a handshake failure.
So ssl, session aware loadbalancing is broken with the oc4j loadbalancer. -
CSS without SSL Module needing sticky sessions
Hello All,
If anyone can help with this sticky situation I'd appreciate it.
I have a customer with a CSS11501. He does not have an SSL module installed.
He has 2 blade servers; when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups; it does not want to stick to the same server.
I've configured the following:
service web1
protocol tcp
port 443
keepalive type tcp
ip address 192.168.200.50
string web1
active
service web2
protocol tcp
port 443
keepalive type tcp
ip address 192.168.200.51
string web2
active
content SSL_Web
add service web1
add service web2
protocol tcp
port 443
vip address 1.2.3.4
application ssl
advanced-balance sticky-srcip-dstport
active
group web_Farm
add service web1
add service web2
vip address 1.2.3.4
active
I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
Once the customer turns off the second blade, all is ok.
I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
Best Regards Tony
Tony,
The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
Regards
Jim -
Load balancing ssl that terminates on servers
hi,
right now i have a very simple clear-text http + https setup. initially, my load-balancer was terminating SSL, but because of the way our application works, we moved away from that and installed an SSL-server on the servers themselves which we know works fine when we access the servers directly.
on the css i have a very simple ssl-balance rule:
content srv.443
add service srv1.ssl
add service srv2.ssl
advanced-balance sticky-srcip
protocol tcp
port 443
url "/*"
vip address 10.72.39.17
active
service srv1.ssl
ip address 10.72.39.71
protocol tcp
keepalive port 51001
port 51001
active
service srv2.ssl
ip address 10.72.39.72
protocol tcp
port 51001
keepalive port 51001
active
the problem i'm seeing right now is that even though i deleted all config regarding ssl-termination on the css, every time i hit the 'ssl-vip' i still get the locally generated certificate instead of the valid one i get when hitting the web-servers directly.
it's weird that the css keeps trying to use its own certificate, when all related config has been deleted.
now i have a question, i assumed that there was no problem if one tries to load-balance ssl-traffic when the traffic is terminated on the servers themselves. now i'm not so sure, so an initial question is: can this be done?
regards,
c.
Yes, SSL can be terminated on the servers and load balanced by the CSS.
You should remove the "url" from your config because the traffic is now encrypted and the CSS can't see the url.
If the config is what you indicated, there is no way the CSS can send its own certificate.
Absolutely no way :-)
Are you sure your server is sending the correct certificate ?
Gilles. -
We have a web app that still uses frames. The web URL is HTTPS, but 1 of the frames uses HTTP. I need for a user to stick to the same server for both frames or it screws up the application.
I am load balancing to 2 servers over HTTP and HTTPS using a group for client NATing. I have tried the advanced-loadbalancing ssl on both HTTP and HTTPs services, and I tried advanced-loadbalancing arrowpoint-cookie. on both. Neither way worked.
How do i get the CSS to stick to 1 server for both frames?
If you have 2 rules, this is not going to be possible unless you terminate SSL traffic on the CSS SSL module.
If you do not terminate SSL traffic on the CSS, I would suggest to combine your HTTPS and HTTP rule into a single one.
Simply remove one of the rules and, in the remaining one, remove the port command.
All traffic will be handled by that single rule.
You can then implement 'advanced-balance srcip'
Gilles. -
HTTPS redirect from server on CSS 11501
Hi,
I make an HTTPS request to the server via the CSS, and now my question is: can I get the response from the server in HTTP mode due to the redirect function? I want to put it in HTTPS; is this possible???
Regards
Sara
Are you offloading SSL on the CSS and sending clear traffic to the servers, and the servers are sending back redirects using http? If that's the issue and you want clients to get redirects with https, use the urlrewrite feature on the CSS;
details at
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/terminat.html#wp999332
Syed Iftekhar Ahmed -
I have a CSS with services set up for a Primary/Failover scenario with our web servers.
The primary server takes all requests on port 80, if that service dies, the inbound requests go to the secondary server.
The content rule is set up as:
Content = myweb.com
primarySorryServer = myweb_DR.com
secondarySorry = redirect to a third server
The CSS is only doing DNS name resolution for the third server, basically just pointing to a url.
The Content and PrimarySorryserver are working ok.
The secondarySorryserver is working ok as well.
I need to know if I do not have the SSL module in the CSS, will it point the requests to an https web page?
I would like to redirect this page to a s
The
I couldn't understand clearly what your question is.
If you are asking if it's possible to redirect an HTTP request to an HTTPS request without the SSL module, then yes, you can do it. The SSL module is only needed when you need to offload SSL on the CSS.
If you have a Layer 4 rule configured that listens on port 443 and only your servers are doing the SSL offloading, then you don't need the SSL module. In this case you can redirect http requests to HTTPS without the SSL module.
an example would be
service http-to-https-APP1
keepalive type none
type redirect
no prepend-http
domain https://www.App1.com
active
content APP1-redirect
vip address 10.10.10.111
protocol tcp
port 80
url "/*"
add service http-to-https-APP1
active
You should have a Layer4 content rule waiting for these https://www.app1.com requests.
HTH
Syed Iftekhar Ahmed -
Folks
I have a client who says he doesn't want to offload SSL at the CSS. But he wants to install certs on the CSS. How do you do that? If you have certs on the server, why do you need them on the CSS and not do offload on the CSS? Am I missing something?
I don't believe that you are missing anything.
Maybe they want to do end-to-end SSL? Terminate and re-create the SSL session so they can do things like cookie-insert, etc.
just a thought.... -
Hi,
I have a pair of CSS providing HA, one as pri and the other as backup. They have ASR between them. The configs are symmetric except the SSL keys.
On the server segment I use a pair of L2 switches to provide resiliency. Etherchannel is configured between them on a couple of 10/100 ports. Each server uses NIC teaming on the interfaces and connects to both the L2 switches.
Each server has got port 80 and 90 in production. So there are a total of 4 services configured with L4 KAL on each CSS.
The issue is primary CSS has all the 4 services up. But on the sec I see only 2 of them active the other 2 are down. L4 connectivity using icp probe against those 2 ports(port 90) fetches nothing. Actually these ports are working fine with the primary. Any clue?
thanks in advance.
Hi Gilles,
Here is the config of both the primary and the backup CSS. The issue was that the services with similar config are up on primary but not on backup. There is a pair of L2 switches between the CSS and the server farm. We use the CSS in Routing mode, 2 different VLANs, one for client and another for the server segment.
CSS-primary# sh run ser server1-http
!************************** SERVICE **************************
service server1-http
ip address 172.16.111.71
protocol tcp
port 85
keepalive tcp-close fin
keepalive type tcp
keepalive port 85
active
CSS-primary# sh ser summary |grep http
server1-http Alive 0 1 2 0
server2-http Alive 0 1 2 0
server3-http Alive 0 1 2 0
CSS-primary# llama
CSS-primary(debug)# icp probe service server1-http
Probing 172.16.111.71:85(-) KeepAlive probe (9)
IP Address: 172.16.111.71
Port: 85
URL: /
HTTP Version: 1.1
Server Model: Microsoft-IIS/6.0
Server Date: Fri, 25 Mar 2005 10:01:52 GMT
HEAD Response: 302 Moved Temporarily
Location: /login.aspx?ReturnUrl=%2fDefault.aspx
HEAD Support: Yes
Persistence: Yes
Keep-Alive: No
Request Depth: 14
TBR: Unknown
Connect Time: 1 ms
Rqst/Rsp Time: 3 ms
Pipeline: No
SSL: No
CSS-primary(debug)#
CSS-Backup# sh run ser server1-http
!************************** SERVICE **************************
service server1-http
ip address 172.16.111.71
protocol tcp
port 85
keepalive tcp-close fin
keepalive type tcp
keepalive port 85
active
CSS-Backup# sh ser summary |grep http
server1-http Down 0 1 255 0
server2-http Down 0 1 255 0
server3-http Down 0 1 255 0
CSS-Backup(debug)# icp probe service server1-http
Probing 172.16.111.71:85(\) KeepAlive probe (14)
IP Address: 172.16.111.71
Port: 85
URL: /
HTTP Version: 1.1
Server Model: Microsoft-IIS/6.0
Server Date: Fri, 25 Mar 2005 09:52:48 GMT
HEAD Response: 302 Moved Temporarily
Location: /login.aspx?ReturnUrl=%2fDefault.aspx
HEAD Support: Yes
Persistence: Yes
Keep-Alive: No
Request Depth: 14
TBR: Unknown
Connect Time: 1 ms
Rqst/Rsp Time: 2,463 ms
Pipeline: No
SSL: No
CSS-Backup(debug)#
thanks -
Hi all,
I have a question about WL8.1 clustering and CSS loadbalancing. I hope to get some answers here!
Environment: WLS8.1 SP5, Solaris, Cisco CSS11500, URL rewriting.
Environment setup: We have 2 boxes hosting the WL cluster. We don't have a web farm in front. We only have Cisco CSS to perform loadbalancing and stickiness. Our application does not support cookies.
My question is: Does CSS really care about primary and secondary servers? From what I have understood, if we use a h/w loadbalancer like Cisco CSS, we can configure it to make sticky decisions based on "jsessionid" in the URL (since we use URL rewriting) and the CSS forwards client requests to app servers based on their IP addresses? I guess if we were to use the plug-in, then it looks for the primary server id to stick to the server?
In our case, we need to have the CSS look for "jsessionid" and not the primary server id. Please correct me if I am wrong.
There is something up, I noticed it too - the work around I'm using at the moment is to split classes with the same tag into separate CSS and use @import in the main CSS file.
For instance, suppose i have CSS for body and then body.myClass - Safari ignores "myClass" when specified unless it's saved into a separate CSS file.
I first noticed this behaviour in 10.4.4 -
Can't create or open a project in Robohelp HTML 8
Hi,
I just installed RoboHelp HTML 8.0.0.203 trial on Windows XP (SP3). It's the first RoboHelp version I've installed on this computer.
No error occurred during installation; the program starts normally.
1. When I try to create a new empty project the program only creates the folder with the following files and folders:
!SkinSubFolder!
Adobe AIR.ssl
default.css
FlashHelp Pro.ssl
FlashHelp.ssl
Microsoft HTML Help.ssl
testproject.cpd
testproject.glo
testproject.hpr
testproject.ppf
testproject.syn
WebHelp Pro.ssl
WebHelp.ssl
At the moment when the new project file should open nothing happens, not even an error message.
2. When I try to open the sample project file CCC.xpj an error prompt tells me that the opening of the project was aborted or CCC.cpd couldn't be loaded.
3. When I try to import a PDF (File>New>Project>Import>PDF) an "unexpected error" occurs during conversion.
I already reinstalled RoboHelp and I have administrator rights, but still the same problem.
P.S. I had the same problem on another system with the Robohelp 7 trial some months ago.
But RoboHelp X5 works fine on a third system; I'd consider an upgrade if the problem can be solved.
Well I tested installing RoboHelp 8 on my machine at home where the RoboHelp 7 trial didn't work. At first with Comodo Firewall Pro enabled, and it blocked the two attempts of Windows Installer to access the internet. -> Creating a project still doesn't work.
Then I uninstalled Robohelp 8 and disabled the firewall. Installed Robohelp 8 again and tried to create a project but it still doesn’t work.
Also I installed Robohelp 8 on different machines at home (XP, Vista Business, 7 Professional) all running with Zonalarm Firewall and it worked.
But installing a new OS is no option for the company especially when everything else works fine.
Before I opened this thread I googled some time for this problem but couldn't find anything. This is weird because I've installed it on two systems which have nothing in common besides both running XP. -
JDBC connection monitor on CSS11506
Hi experts
Does anyone have experience with monitoring Oracle database performance by JDBC connection from a CSS11506? I guess by script?
If it is not possible to do so, is there another way for the system to tell whether either the application server or the DB server performance is too low?
I found the ping is not the solution.
Any comments will be appreciated
Thanks in advance
Hello,
SASP or DFP are the only automated systems the CSS hooks directly into:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/sasp.html
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/DFP.html
You can configure Load Variables with ACA loadbalancing for a CSS based view of the load:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/Load.html#wp1077555
Regards,
Chris Higgins -
Been approached by our server team. They are having issues with DNS load distribution (won't call it balancing as there's no logic to it) with a 10 server Citrix Farm. It seems to me this would be a good candidate for L3 loadbalancing on a CSS 11500 series.
Anyone have any experience or things I need to consider?
Thanks in advance.
Jim
Check that traffic volumes and patterns are the ones that you have dimensioned the circuits for.
For basic css load balancing configuration kindly refer the following url,
http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a008009438d.shtml
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/prod_end-of-life_notice0900aecd804882de.html