Loadbalancing SSL on CSS

Hi,
The customer has to load balance SSL traffic, which is terminated on the servers' port 8001. But the clients need to communicate on port 443. So the customer provided the following configuration, but it isn't working. Does anybody know where the problem is? Thank you.
Roman
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 192.168.110.158 1
!************************* INTERFACE *************************
interface e1
description "public-test VIP"
bridge vlan 56
interface e2
description "intra-test"
bridge vlan 57
!************************** CIRCUIT **************************
circuit VLAN56
ip address 192.168.110.131 255.255.255.224
circuit VLAN57
ip address 192.168.110.161 255.255.255.224
!************************** SERVICE **************************
service webt1
ip address 192.168.110.162
protocol tcp
port 8001
keepalive type tcp
keepalive port 8001
active
service webt2
ip address 192.168.110.163
protocol tcp
port 8001
keepalive type tcp
keepalive port 8001
active
!*************************** OWNER ***************************
owner VIST
content webt
add service webt1
add service webt2
protocol tcp
port 443
url "/*"
vip address 192.168.110.129
application ssl
advanced-balance ssl
active

Hello,
The customer again tried the L3 rule:
!*************************** GLOBAL
ip route 0.0.0.0 0.0.0.0 192.168.110.158 1
!************************* INTERFACE
interface e1
description "public-test VIP"
bridge vlan 56
interface e2
description "intra-test"
bridge vlan 57
!************************** CIRCUIT
circuit VLAN56
ip address 192.168.110.131 255.255.255.224
circuit VLAN57
ip address 192.168.110.161 255.255.255.224
!************************** SERVICE
service webt1
ip address 192.168.110.162
protocol tcp
port 8001
keepalive port 8001
keepalive type tcp
active
service webt2
ip address 192.168.110.163
protocol tcp
port 8001
keepalive port 8001
keepalive type tcp
active
!*************************** OWNER
owner VIST
content webt
add service webt1
add service webt2
vip address 192.168.110.129
protocol tcp
port 443
active
!*************************** GROUP
group serverst
vip address 192.168.110.129
add destination service webt1
add destination service webt2
active
but the communication between the client (192.168.110.133) and the server through the CSS didn't work :-( I'm sending you the output from the sniffer between client and CSS (vist11_in); here only SYN packets are seen :-( And I'm sending you the output from tcpdump between CSS and server (vist11_out); here some of the client traffic is not seen :-(
I don't know why it doesn't work :-( Thank you. Roman.

Similar Messages

  • RDP with SSL via CSS

    I have been asked about providing this as a way to secure RDP connections - has anyone done this?
    I can see two potential ways, but do not know much about RDP.
    How is the SSL part of RDP initialised? Would it be practical to terminate the SSL on the CSS in a similar manner to SSL for HTTP?
    The other option would be to "blind" load balance the encrypted traffic straight to the servers, and let them sort SSL.
    Thanks,
    Paul.

    Hi Paul,
    what we have done here is to deploy an MS ISA Server farm behind the CSS: client SSL connections terminate at the ISA external interface, and ISA starts a new internal SSL connection to an MS TS_Gateway. So RDP over SSL traffic is: internet client ---> Firewall ---> CSS ---> ISA farm (in DMZ) ---> Firewall ---> TS_Gateway (internal network) ---> TS Server (internal network)
    (see for example: http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx)

  • HTTPS and SSL with CSS (No SSL Module)

    Hi,
    My customer has two servers and needs to load balance.
    These servers initiate SSL,
    and the VIP address is:
    https://erpappl.erp.mis.blabla.tgc:8005
    My CSS has no SSL module. And the configuration is:
    service venice
    ip address 10.200.104.32
    protocol tcp
    port 8005
    keepalive type tcp
    keepalive port 8005
    redundant-index 120
    active
    service calgary
    ip address 10.200.104.33
    protocol tcp
    port 8005
    keepalive type tcp
    keepalive port 8005
    redundant-index 121
    active
    owner ERPAPPL
    content erpapp_test
    add service venice
    add service calgary
    redundant-index 60
    vip address 10.200.104.28
    protocol tcp
    port 8005
    url "/*"
    arrowpoint-cookie expiration 00:00:03:00
    advanced-balance arrowpoint-cookie
    application ssl
    active
    After this configuration I cannot reach the URL shown above.
    Can you help me?

    if this is encrypted traffic [HTTPS] the CSS can't see the content of the packet.
    So the CSS can't see the url [-> so the command url "/*" is incorrect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
    If we sell an SSL module, there is a reason :-)
    The only sticky options you can use are:
    - sticky based on srcip
    - sticky on sslid
    The first option [srcip] has a problem with mega proxies [many users being NATed with the same ip] and the 2nd option has the problem that it only works with SSLv2 and that some browsers do not use the sslid.
    Gilles.

  • Loadbalancer + ssl

    Will the loadbalancer be fixed to handle SSL for the new OC4J release? Orion 1.5.2 and 1.5.3 currently do not have this fixed.

    Just got to the bottom of this problem. If you use openssl s_client, you can try a https:// connection to the oc4j loadbalancer (configured for secure ssl connections). This fails with a handshake failure.
    So SSL session-aware load balancing is broken with the OC4J loadbalancer.

  • CSS without SSL Module needing sticky sessions

    Hello All,
    If anyone can help with this sticky situation I'd appreciate it.
    I have a customer with a CSS11501. He does not have an SSL module installed.
    He has 2 blade servers; when he adds a web site which is accessible over SSL, the CSS load balances client requests, causing lost sessions (mostly lost pop-ups); it does not want to stick to the same server.
    I've configured the following:-
    service web1
    protocol tcp
    port 443
    keepalive type tcp
    ip address 192.168.200.50
    string web1
    active
    service web2
    protocol tcp
    port 443
    keepalive type tcp
    ip address 192.168.200.51
    string web2
    active
    content SSL_Web
    add service web1
    add service web2
    protocol tcp
    port 443
    vip address 1.2.3.4
    application ssl
    advanced-balance sticky-srcip-dstport
    active
    group web_Farm
      add service web1
      add service web2
      vip address 1.2.3.4
      active
    I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
    Once the customer turns off the second blade, all is ok.
    I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
    Best Regards Tony

    Tony,
    The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
    Regards
    Jim
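    The two mistakes Gilles and Jim point out above (Layer-5 directives on a pass-through SSL rule, and a tcp keepalive with no port) recur in several configs on this page, so here is a small lint for them. This is added example code, not a Cisco tool and not anything posted in the thread; the sample config is constructed from the one above, and it assumes that any content rule on port 443 is SSL pass-through (no SSL module), which is the situation in every thread here.

```python
"""Lint CSS service/content blocks for two mistakes raised in this thread:
 * 'url' / 'arrowpoint-cookie' on a rule carrying SSL the CSS does not
   terminate: it cannot read URL or cookie, so the rule never matches.
 * 'keepalive type tcp' without 'keepalive port': the probe hits port 80.
Assumption: a content rule on port 443 is SSL pass-through (no SSL module)."""
import re

# Constructed sample modelled on the 'CSS without SSL Module' config above.
SAMPLE_CONFIG = """\
service web1
  port 443
  keepalive type tcp
  ip address 192.168.200.50
service web2
  port 443
  keepalive type tcp
  keepalive port 443
  ip address 192.168.200.51
content SSL_Web
  add service web1
  add service web2
  protocol tcp
  port 443
  vip address 1.2.3.4
  url "/*"
  advanced-balance arrowpoint-cookie
  active
"""

# Directives the CSS can only honour after reading the clear-text HTTP request.
L5_PREFIXES = ("url ", "arrowpoint-cookie ", "advanced-balance arrowpoint-cookie",
               "advanced-balance url")


def parse_blocks(text):
    """Map (kind, name) -> stripped directive lines for service/content blocks."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or '!****' banner
        m = re.match(r"^(service|content)\s+(\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for (kind, name), lines in parse_blocks(text).items():
        port = next((l.split()[1] for l in lines if l.startswith("port ")), None)
        if kind == "service":
            tcp_probe = "keepalive type tcp" in lines
            explicit = any(l.startswith("keepalive port ") for l in lines)
            if tcp_probe and not explicit and port not in (None, "80"):
                findings.append(f"service {name}: tcp keepalive probes port 80, not "
                                f"{port}; add 'keepalive port {port}'")
        elif port == "443":  # pass-through SSL rule (see assumption above)
            for l in lines:
                if l.startswith(L5_PREFIXES):
                    findings.append(f"content {name}: '{l}' needs the clear-text HTTP "
                                    "request, which is encrypted here; remove it")
    return findings
```

    Running lint(SAMPLE_CONFIG) yields three findings: the missing keepalive port on web1, and the url and arrowpoint-cookie directives on SSL_Web; a rule that uses only 'advanced-balance ssl' / 'application ssl' (SSL-ID stickiness) is not flagged.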

  • Load balancing ssl that terminates on servers

    hi,
    right now i have a very simple clear-text http + https setup. initially, my load-balancer was terminating SSL, but because of the way our application works, we moved away from that and installed an SSL-server on the servers themselves which we know works fine when we access the servers directly.
    on the css i have a very simple ssl-balance rule:
    content srv.443
    add service srv1.ssl
    add service srv2.ssl
    advanced-balance sticky-srcip
    protocol tcp
    port 443
    url "/*"
    vip address 10.72.39.17
    active
    service srv1.ssl
    ip address 10.72.39.71
    protocol tcp
    keepalive port 51001
    port 51001
    active
    service srv2.ssl
    ip address 10.72.39.72
    protocol tcp
    port 51001
    keepalive port 51001
    active
    the problem i'm seeing right now is that even though i deleted all config regarding ssl-termination on the css, every time i hit the 'ssl-vip' i still get the locally generated certificate instead of the valid one i get when hitting the web-servers directly.
    it's weird that the css keeps trying to use its own certificate, when all related config has been deleted.
    now i have a question, i assumed that there was no problem if one tries to load-balance ssl-traffic when the traffic is terminated on the servers themselves. now i'm not so sure, so an initial question is: can this be done?
    regards,
    c.

    yes, SSL can be terminated on the servers and load balanced by the CSS.
    You should remove the "url" from your config because the traffic is now encrypted and the CSS can't see the url.
    If the config is what you indicated, there is no way the CSS can send its own certificate.
    Absolutely no way :-)
    Are you sure your server is sending the correct certificate ?
    Gilles.

  • CSS 11503 persistence

    We have a web app that still uses frames. The web URL is HTTPS, but 1 of the frames uses HTTP. I need for a user to stick to the same server for both frames or it screws up the application.
    I am load balancing to 2 servers over HTTP and HTTPS using a group for client NATing. I have tried the advanced-loadbalancing ssl on both HTTP and HTTPS services, and I tried advanced-loadbalancing arrowpoint-cookie on both. Neither way worked.
    How do i get the CSS to stick to 1 server for both frames?

    If you have 2 rules, this is not going to be possible unless you terminate SSL traffic on the CSS SSL module.
    If you do not terminate SSL traffic on the CSS, I would suggest to combine your HTTPS and HTTP rule into a single one.
    Simply remove one of the rules and, in the remaining one, remove the port command.
    All traffic will be handled by that single rule.
    You can then implement 'advanced-balance srcip'
    Gilles.

  • HTTPS redirect from server on CSS 11501

    Hi,
    I make HTTPS requests to the server via the CSS, and now my question is: can I get the response from the server in HTTP mode due to the redirect function? I want to put it in HTTPS; is this possible???
    Regards
    Sara

    Are you offloading SSL on the CSS and sending clear traffic to the servers, and the servers are sending back redirects using http? If that's the issue and you want clients to get redirects with https, use the urlrewrite feature on the CSS.
    details at
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/terminat.html#wp999332
    Syed Iftekhar Ahmed

  • CSS 11501 redirect string

    I have a CSS with services set up for a Primary/Failover scenario with our web servers.
    The primary server takes all requests on port 80, if that service dies, the inbound requests go to the secondary server.
    The content rule is set up as:
    Content = myweb.com
    primarySorryServer = myweb_DR.com
    secondarySorry = redirect to a third server
    The CSS is only doing DNS name resolution for the third server, basically just pointing to a url.
    The Content and PrimarySorryserver are working ok.
    The secondarySorryserver is working ok as well.
    I need to know if I do not have the SSL module in the CSS, will it point the requests to an https web page?
    I would like to redirect this page to a s
    The

    I couldn't understand clearly what your question is.
    If you are asking if it's possible to redirect an HTTP request to an HTTPS request without the SSL module, then yes, you can do it. The SSL module is only needed when you need to offload SSL on the CSS.
    If you have a Layer 4 rule configured that listens on port 443 and only your servers are doing the SSL offloading, then you don't need the SSL module. In this case you can redirect HTTP requests to HTTPS without the SSL module.
    an example would be
    service http-to-https-APP1
    keepalive type none
    type redirect
    no prepend-http
    domain https://www.App1.com
    active
    content APP1-redirect
    vip address 10.10.10.111
    protocol tcp
    port 80
    url "/*"
    add service http-to-https-APP1
    active
    You should have a Layer4 content rule waiting for these https://www.app1.com requests.
    HTH
    Syed Iftekhar Ahmed

  • CSS 11500 question

    Folks
    I have a client who says he doesn't want to offload SSL at the CSS. But he wants to install certs on the CSS. How do you do that? If you have certs on the server, why do you need them on the CSS and not do offload on the CSS? Am I missing something?

    I don't believe that you are missing anything.
    Maybe they want to do end-to-end SSL? Terminate and re-create the SSL session so they can do things like cookie-insert, etc.
    just a thought....

  • Service down on secondary CSS

    Hi,
    I have a pair of CSSs providing HA, one as primary and the other as backup. They have ASR between them. The configs are symmetric except for the SSL keys.
    On the server segment I use a pair of L2 switches to provide resiliency. Etherchannel is configured between them on a couple of 10/100 ports. Each server uses NIC teaming on the interfaces and connects to both L2 switches.
    Each server has got ports 80 and 90 in production. So there are a total of 4 services configured with L4 KAL on each CSS.
    The issue is that the primary CSS has all 4 services up. But on the secondary I see only 2 of them active; the other 2 are down. L4 connectivity using an icp probe against those 2 ports (port 90) fetches nothing. Actually these ports are working fine with the primary. Any clue?
    thanks in advance.

    Hi Gilles,
    Here is the config of both the primary and the backup CSS. The issue is that services with the same config are up on the primary but not on the backup. There is a pair of L2 switches between the CSS and the server farm. We use the CSS in routing mode, with 2 different VLANs, one for the client and another for the server segment.
    CSS-primary# sh run ser server1-http
    !************************** SERVICE **************************
    service server1-http
    ip address 172.16.111.71
    protocol tcp
    port 85
    keepalive tcp-close fin
    keepalive type tcp
    keepalive port 85
    active
    CSS-primary# sh ser summary |grep http
    server1-http Alive 0 1 2 0
    server2-http Alive 0 1 2 0
    server3-http Alive 0 1 2 0
    CSS-primary# llama
    CSS-primary(debug)# icp probe service server1-http
    Probing 172.16.111.71:85(-) KeepAlive probe (9)
    IP Address: 172.16.111.71
    Port: 85
    URL: /
    HTTP Version: 1.1
    Server Model: Microsoft-IIS/6.0
    Server Date: Fri, 25 Mar 2005 10:01:52 GMT
    HEAD Response: 302 Moved Temporarily
    Location: /login.aspx?ReturnUrl=%2fDefault.aspx
    HEAD Support: Yes
    Persistence: Yes
    Keep-Alive: No
    Request Depth: 14
    TBR: Unknown
    Connect Time: 1 ms
    Rqst/Rsp Time: 3 ms
    Pipeline: No
    SSL: No
    CSS-primary(debug)#
    CSS-Backup# sh run ser server1-http
    !************************** SERVICE **************************
    service server1-http
    ip address 172.16.111.71
    protocol tcp
    port 85
    keepalive tcp-close fin
    keepalive type tcp
    keepalive port 85
    active
    CSS-Backup# sh ser summary |grep http
    server1-http Down 0 1 255 0
    server2-http Down 0 1 255 0
    server3-http Down 0 1 255 0
    CSS-Backup(debug)# icp probe service server1-http
    Probing 172.16.111.71:85(\) KeepAlive probe (14)
    IP Address: 172.16.111.71
    Port: 85
    URL: /
    HTTP Version: 1.1
    Server Model: Microsoft-IIS/6.0
    Server Date: Fri, 25 Mar 2005 09:52:48 GMT
    HEAD Response: 302 Moved Temporarily
    Location: /login.aspx?ReturnUrl=%2fDefault.aspx
    HEAD Support: Yes
    Persistence: Yes
    Keep-Alive: No
    Request Depth: 14
    TBR: Unknown
    Connect Time: 1 ms
    Rqst/Rsp Time: 2,463 ms
    Pipeline: No
    SSL: No
    CSS-Backup(debug)#
    thanks

  • CSS and stickness

    Hi all,
    I have a question about WL8.1 clustering and CSS loadbalancing. I hope to get some answers here!
    Environment: WLS8.1 SP5, Solaris, Cisco CSS11500, URL rewriting.
    Environment setup: We have 2 boxes hosting the WL cluster. We don't have a web farm in front. We only have Cisco CSS to perform loadbalancing and stickiness. Our application does not support cookies.
    My question is: Does CSS really care about primary and secondary servers? From what I have understood, if we use a h/w loadbalancer like Cisco CSS, we can configure it to make sticky decisions based on "jsessionid" in the URL (since we use URL rewriting) and the CSS forwards client requests to app servers based on their IP addresses? I guess if we were to use the plug-in, then it looks for the primary server id to stick to the server?
    In our case, we need to have the CSS look for "jsessionid" and not the primary server id. Please correct me if I am wrong.

    There is something up I noticed it too - the work around I'm using at the moment is to split classes with the same tag into separate CSS and use @import in the main CSS file.
    For instance, suppose i have CSS for body and then body.myClass - Safari ignores "myClass" when specified unless it's saved into a separate CSS file.
    I first noticed this behaviour in 10.4.4

  • Can't create or open a project in Robohelp HTML 8

    Hi,
    I just installed the RoboHelp HTML 8.0.0.203 trial on Windows XP (SP3). It's the first RoboHelp version I've installed on this computer.
    No error occurred during installation; the program starts normally.
    1. When I try to create a new empty project the program only creates the folder with the following files and folders:
    !SkinSubFolder!
    Adobe AIR.ssl
    default.css
    FlashHelp Pro.ssl
    FlashHelp.ssl
    Microsoft HTML Help.ssl
    testproject.cpd
    testproject.glo
    testproject.hpr
    testproject.ppf
    testproject.syn
    WebHelp Pro.ssl
    WebHelp.ssl
    At the moment when the new project file should open, nothing happens, not even an error message.
    2. When I try to open the sample project file CCC.xpj, an error prompt tells me that the opening of the project was aborted or CCC.cpd couldn't be loaded.
    3. When I try to import a PDF (File>New>Project>Import>PDF) an "unexpected error" occurs during conversion.
    I already reinstalled RoboHelp and I have administrator rights, but still the same problem.
    P.S. I had the same problem on another system with the Robohelp 7 trial some months ago.
    But RoboHelp X5 works fine on a third system, I consider an upgrade if the problem can be solved.

    Well I tested to install RoboHelp 8 on my machine at home where the RoboHelp 7 trial didn’t work. At first with Comodo Firewall Pro enabled and it blocked the two attempts of Windows Installer to access the internet. ->Creating a project still doesn’t work.
    Then I uninstalled Robohelp 8 and disabled the firewall. Installed Robohelp 8 again and tried to create a project but it still doesn’t work.
    Also I installed Robohelp 8 on different machines at home (XP, Vista Business, 7 Professional), all running with the ZoneAlarm firewall, and it worked.
    But installing a new OS is no option for the company especially when everything else works fine.
    Before I opened this thread I googled some time for this problem but couldn’t find anything. This is weird because I’ve installed it on two systems which have nothing in common besides both running XP.

  • JDBC connection monitor on CSS11506

    Hi experts
    Does anyone have experience with monitoring Oracle database performance over a JDBC connection from a CSS11506? I guess by script?
    If it is not possible to do so, is there another way for the system to tell whether the application server's or DB server's performance is too low?
    I found the ping is not the solution.
    Any comments will be appreciated
    Thanks in advance

    Hello,
    SASP or DFP are the only automated systems the CSS hooks directly into:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/sasp.html
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/DFP.html
    You can configure Load Variables with ACA loadbalancing for a CSS based view of the load:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/Load.html#wp1077555
    Regards,
    Chris Higgins

  • Load Balance a Citrix Farm

    Been approached by our server team. They are having issues with DNS load distribution (won't call it balancing as there's no logic to it) with a 10 server Citrix Farm. It seems to me this would be a good candidate for L3 loadbalancing on a CSS 11500 series.
    Anyone have any experience or things I need to consider?
    Thanks in advance.
    Jim

    Check that traffic volumes and patterns are the ones that you have dimensioned the circuits for.
    For basic css load balancing configuration kindly refer the following url,
    http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a008009438d.shtml
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/prod_end-of-life_notice0900aecd804882de.html
