SSL load balancing requirements

Similar Messages

• Webdispatcher SSL load balance server mismatch errors

  We are setting up a webdispatcher to access an Enterprise Portal with multiple instances.  Currently it is working but we are having to overide host mismatches.  in webdispacther log we see
  [Thr 4856] Mon Mar 07 11:38:02 2011
  [Thr 4856] MatchTargetName("aaa.mycompany.com", "CN=bbb.mycompany.com, OU=xxx, O=ooo, L=ccc, SP=sss, C=US") FAILS
  [Thr 4856] SSL NI-sock: local=##.21.13.137:50746 peer=##.21.13.131:51001
  [Thr 4856] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000008565100)==SSSLERR_SERVER_CERT_MISMATCH
  The Portal instances are on
  aaa.mycompany.com
  bbb.mycompany.com
  Currently have a CA approved certificate for each server installed in the portal.  Dispatcher on aaa uses aaa cert, dispatcher on bbb uses bbb cert.
  Message server is on aaa, but it will load balance and place you on either instance.
  have following related parameters
  wdisp/ssl_encrypt = 2
  wdisp/ssl_auth = 2
  wdisp/ssl_cred = C:\usr\sap\XXX\W00\sec\XXX.pse
  wdisp/ssl_certhost = aaa.mycompany.com
  wdisp/ssl_ignore_host_mismatch = TRUE
  C:\usr\sap\XXX\W00\sec\XXX.pse has ssl cert of both aaa and bbb servers.
  All seems to be working, as users are load balancing.  They are not getting certificate mismatches in their browser anymore.  We are getting the SSSLERR_SERVER_CERT_MISMATCH errors, but the messages do not seem to cause an issue since we have wdisp/ssl_ignore_host_mismatch set.
  Can we eliminate those mismatch errors instead of masking the problem with wdisp/ssl_ignore_host_mismatch?
  Should each portal instance have their own ssl cert, or is there a way to use one cert such as the aaa.mycompany.com cert on each portal instance?  It seems like that might eliminate the mismatch errors.  However, what happens when you go directly to the bbb.mycompany.com portal instance? there is a certificate error if you specify aaa's and you go to bbb.  I was wondering if the wdisp/ssl_auth and wdisp/ssl_certhost are valid in the portal system so that each server uses the aaa server and certificate.  I could not tell if this parameter is valid for java-only portal systems.
  Thanks for your help.
  Edited by: Fett Patrick on Mar 7, 2011 8:35 PM

  Thank you Martin for your prompt reply.  Can you clarify please, can we use the wdisp/ssl_certhost parameter in the instance profiles of the portal instances?  I wasn't sure if that is only valid for webdispatchers or can also be used in abap/java systems?
  We orginally had the aaa server certificate listed for each dispatcher in the portal under ssl provider runtime server identity.  That caused a browser "certificate error" when accessing the bbb server.  So we then installed an ssl certificate for bbb for its dispatcher.  We could then go to either server with no browser "certificate mismatch" error.
  Then when we added the webdispatcher, we started getting the server mismatch errors at the webdispatcher level.  If the wdisp/ssl_certhost can be used in the portal profiles, then that would hopefully resolve direct access or via web dispatcher aceess mismatches.  I.E. only the aaa ssl certificate would be used and parameters would be set at both the webdispatcher and portal profiles
  Thanks, Pat.

• Certificate based authentication with SSL load balancer

  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

  I think the simplest and most secure way is to have the servers configured for
  2-way ssl, since this would ensure that the certificate they receive and use for
  authentication has been validated during the ssl handshake. In this case the load
  balancer itself does not need to and cannot do the handshaking, and would need
  to pass the entire SSL connection through to the WLS server (ie: act similar to
  a router)
  Pavel.
  "George Coller" <[email protected]> wrote:
  >
  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

• SSL Load Balancing (Java applets problem)

  Hi,
  I have implemented loadbalancing of two webservers using CSS 11503.
  Servers are containing SSL pages which need to be loadbalanced.
  I have tried configuring the content rule for ssl using
  port 443
  application ssl
  advanced-balance ssl
  commands.The site opens properly using the VIP address (checked the SSL certificate issued by one of the servers. ) and I am able to see all the TABS on the same.The real problem starts when I am trying to upload a file to the server using the VIP address.
  The moment I try to upload a file the session shifts to the second server and prompts for new certificate issued by the second server.
  One more thing which I would like to mention here is that while uploading the file, JAVA is used.
  i.e.the files are being uploaded using JAVA applets.
  If anybody has encountered this kind of problem kindly suggest on the same.
  Would appreciate if you send the solution on [email protected]
  Any configs needed plz contact me on the above e-mail ID.
  Thanks,
  Pankaj P.

  HI Pankaj,
  depending on your Java applett it might be possible that the applett opens a new connection. therefore depending on your total configuration it might be possible taht another server is used.Even worse if you do SSL-offloading the applett might tell the user to do http instead of https. I suggest that you check with a sniffertrace what is happening:
  1) is there a new connection setup while the applett runs
  2) is it again http or https and if https is it a new https session which will be again balanced not depending on the original https session.
  Hope that helps
  regards,
  Joerg

• Sticky load balancing across 2 ports with cookies

  Hi,
  I have a server configuration where I have 1 top level Apache server that deals with SSL termination (and handles static content) and proxy passes dynamic content onto 2 Tomcat servers on 2 ports, one for http requests (9001) and one for the requests that were secure, but have now been un-encrypted by Apache (9002).  My 2 Tomcat servers are load balanced using a CSS and I need this load balancing to stick to the tomcat servers regardless of port so that the user is stuck to the same Tomcat server for their entire session. 
  I would like to use arrowpoint cookies to perform this stickyness, but the documentation suggests that arrowpoint cookie load balancing (in fact any cookie based load balancing) requires the port to be specified in the content rule.  Is this correct?  Is my only option to use the source IP for stickyness? I don't understand why the port should be required if the stickyness is via a cookie. Can I not simply configure my 2 tomcat servers as services with no port and add a single content rule that load balances these services using arrowpoint-cookie advanced balancing?
  service tomcat1
    ip address x.x.x.x
    active
  service tomcat2
    ip address x.x.x.x
    active
  owner me
     content sticky
       vip address x.x.x.x
       protocol tcp
       url "/*"
       add service tomcat-1
       add service tomcat-2
       advanced-balance arrowpoint-cookie
       active

  Angela-
  The issue with port is that cookies are very specifically HTTP only and the CSS has no way of knowing what protocol will hit a VIP prior to trying to address it as HTTP. Your issue is actually a bit clearer than it is initially led to be - you can still use 2 different rules by using the configuration below. 
  However, you might be headed for a headache if you don't implicitly control the client's actions.  By default, browsers don't generally send cookies cross-protocol and definitely not cross-domain.  Use something like httpwatch or iewatch to check out the headers your client sends to your site.  Make sure when the 200ok arrives with the set-cookie that the client sends that cookie in all preceeding packets that are HTTP and HTTPS both.
  service tomcat1
    string "tomcat1"
    ip address x.x.x.x
    active
  service tomcat2
    string "tomcat2"
    ip address x.x.x.x
    active
  owner me
     content sticky9001
       vip address x.x.x.x
       protocol tcp
       url "/*"
       port 9001
       add service tomcat-1
       add service tomcat-2
       advanced-balance arrowpoint-cookie
       active
     content sticky9002
       vip address x.x.x.x
       protocol tcp
       url "/*"
       port 9002
       add service tomcat-1
       add service tomcat-2
       advanced-balance arrowpoint-cookie
       active
  With this configuration, the CSS will use the "string" as the cookie value. So if the client were to recieve set-cookie: ArrowpointCookie=tomcat1, it should use it for either rule, and end up on tomcat1 accessing either VIP.
  Regards,
  Chris

• Load Balance Configuration for OCS 10g

  Hi guys,
  A few question on the load balancer requirement and setup for a OCS 10g cluster.
  1. Can Pound be used as the load balancer for the OCS cluster. (pound is an application for load balancer and reverse proxy).
  2. Basically the load balancer will have two network interface, the first nic is connected to the
  user network, and the second interface is connected at the backend network where the ocs cluster is located. My question is at which network interface the virtual server name (ldap, sso and http ) for the ocs cluster should be created ? at the user network interface or the ocs network interface ?. Do the virtual name need an ip addresses ?
  Thanks for any info.
  Regards
  lanang

  Which articles & documentation have you read already? I don't want to duplicate what they've covered.
  http://catb.org/~esr/faqs/smart-questions.html#beprecise

• Aggressive Load-balancing feasible?

  I am experiencing some issues with laptops in a lab not being able to associate properly.
  I'm in a university environment with 132 APs at the current time.
  The lab in question is in a building with 6 APs total: 4 on the 2nd floor, 2 on the 1st floor. The lab itself is located on the 2nd floor close to the central point of the 4 APs. They plan to use 30 laptops at once via wireless.
  There are also many other areas on campus that have a focused load (common student areas for example).
  For the lab specifically, would this be a viable condition to enable load-balancing? I'm thinking a client window of 10 or 12 should work.
  All 6 APs can see each other, and all the 2nd floor APs can see at least 3 other APs with -70dBm or more (stronger).
  My current threshold is set to -65dBm, but I will be changing that to -70 to meet current recommendations.
  Also, what is considered 'high density' in terms of LWAPP deployments? Is there a certain number of 'visible' APs to aim fo r(from each AP's point of view)?
  Finally, will changing the threshold and enabling load-balancing require controller reboots, or can I just apply them on the fly?
  Thanks.
  Edit: My WLCs (1x WiSM blade) are on version 4.2.61.0.

  You can enable aggressive load balancing and change the thresholds on the fly. These will not require you to reboot the wlc. High density can vary depending on the applications the users are using. Cisco recommends around 15 to 20 per access point, but that is not a hard number. Aggressive load balancing can help or not help, it is something you have to enable and see how the users are affected by the change.

• SA520 Load Balancing Problems

  Hi,
  we've got an SA520 with activated Load Balancing for two ISP's on the two WAN ports. Both WAN ports are showing "WAN status UP".
  The problem is, that every connection stalls after a few minutes (for example a download, a web radio live stream or an PPTP VPN connection). It seems that the load balancing is switching the lines permanently for all sessions, which doesn't make any sense. How can I configure an session based load balancing without binding protocols on a special WAN port?
  Best Regards, Klaus

  Hello Klaus,
  Thank you so much for your inquiry.
  It seems that the load balancing is switching the lines permanently for
  all sessions, which doesn't make any sense.
  With Load Balancing enabled, pacekts traverse through the gateway in a manner that has no initial regard to protocol assignment to a specific WAN port. After the SA learns the routes to destination networks, it uses the route that is best, usually the shortest. The router will automatically switch back and forth, literally balancing the load, based on packet amount, with no regard to protocols.
  How can I configure an
  session based load balancing without binding protocols on a special WAN
  port?
  That said, protocol binding is neccessary in order to direct the traffic, based on protocol assigment, in a specified manner. The nature of Load Balancing requires protocol binding in order to prevent a protocol, even HTTP, from jumping WAN ports. I hope this helps!

• WebAS access via Portal: Web Dispatcher required for load balancing ABAP

  Hi Folks -
  We have EP 6.0 SP18 (Java only, WebAS 6.40, Unix/Solaris).  The portal has a CI/SCS and one DI so we have a Web Dispatcher to load balance the portal servers. This works fine (and provides port 80 access).
  This portal will provide access to HTTP services from an ABAP WebAS (6.20 with 6.40 kernel, Unix/Solaris). A landscape configuration entry has been added to the portal for this ABAP system. The ABAP system has a CI and multiple app servers, all capable of handling HTTP requests.  This will also require port 80 access.
  1. Will we need an additional Web Dispatcher to load balance HTTP requests to the 'backend' ABAP WebAS system, or will the portal be smart enough to handle the load balancing itself (perhaps based on the information in the landscape configuration)?
  2. If the portal itself handles the HTTP load balancing can you point me to documentation (so I can make sure I have proper configuration)? 
  3. Are there any changes to this with NW2004s Portal (we plan to upgrade soon)?
  Thanks in advance!  Jeff

  Jeff,
  Regarding:
  Q1. If you create a system object from the "SAP system with load balancing" template in portal and configure the object to point to your CI (msg server), the LB should be handled.
  Q2. Portal load balancing is handled by the message server.  If you point a test URL to the port of your message server, you will notice that you are issued a redirect the URL of your dialog instance.  The web dispatcher is just a proxy (with some intelligence).  When a request is made to the WD, it makes a connection to the MSG server, the list of active instances is queried, a redirect is made to that instanct.  If you use WD, that connection can be proxied behind a standard URL.   If you connect directly to the MSG Server instead, you will notice your URL change, just as it does on the service marketplace.
  WDs are good for providing services, masked (proxied) behind virtual names.  If you do not want the customer to see a physical URL of the server, use the WD.  There are lots of other solutions that can do this too though such as Apache, ISA, Juniper devices, Cisco LDs.  WDs have a very low performance threshold though, especially if you use SSL. WD is a performance bottleneck and should be benchmarked to see if it is right for your application.
  Q3. No changes this architecture in 04s.
  jwise

• Does ADFS work with SharePoint 2013 with WFEs SSL-offloaded to a F5 load balancer?

  Currently we are implementing a SharePoint 2013 Production environment with 2 WFEs load-balanced by F5.  SSL is offloaded to F5 and is currently working fine with Integrated Windows Authentication with NTLM.  We would like to implement ADFS 3.0
  later for Single Sign-on, and we are wondering if ADFS supports SSL offload.  
  Do we need to bind the certificate to the WFEs as well to use ADFS?  
  Thank you!

  Just got it confirmed that ADFS supports SSL offload.  There is no direct communication between SharePoint and ADFS server during the authentication process.  It is always the browser that's talking to ADFS server. We just need to do the following:
  Configure SharePoint URLs in ADFS as replying parties with https.
  Configure AAM in SharePoint to make sure internal URL is http and public URL is https.

• RPC Load Balancing on CSM and SSL

  We are load-balancing SSL successfully but the Exchange people want to use RPC to access
  mailboxes using CSM.
  We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?

  Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:
  serverfarm EXCH-CAS
  nat server
  no nat client
  real x.x.248.100
    inservice
  real x.x.248.101
    inservice
  probe EXCH-CAS
  serverfarm EXCH-CAS-SSL
  nat server
  no nat client
  real x.x.254.60
    inservice
  real x.x.254.61
    inservice
  probe SSL-FARM
  ! vserver EXCH-CAS
    virtual x.x.254.154 tcp www
    vlan 460
    serverfarm EXCH-CAS
    sticky 1440 group 152
    replicate csrp sticky
    replicate csrp connection
    persistent rebalance
    inservice
  vserver EXCH-CAS-S
    virtual x.x.214.139 tcp https
    vlan 400
    serverfarm EXCH-CAS-SSL
    sticky 5 group 252
    replicate csrp sticky
    replicate csrp connection
    persistent rebalance
    inservice
  vserver EXCH-CAS-TEST-S
    virtual x.x.214.139 tcp 0
    vlan 400
    serverfarm EXCH-CAS
    sticky 5 group 252
    replicate csrp sticky
    replicate csrp connection
    persistent rebalance
    inservice
  Thanks,
  Mohamad

• SSL Setup in a load balanced portal

  Hi,
  We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
  So the configuration would be:
  Portal requests --> Load Balancer --> Portal --> Backend
  We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
  The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
  So, first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
  I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
  Now, can we install the same certificate (that we put on the LB) on the portal as well?
  (This might not work because the server type will be different)
  (or)
  Do we need to buy 2 certificates with the same CN and install one each on the LB and portal ?
  Can some one please suggest on how to proceed with the SSL setup and certificate installation process ?
  Thank You ,
  Raj

  Raj Kumar wrote:
  My question is about how to go about installing the certificates on the LB and on the portal.
  If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
  Sen's link is for SSO, you want the [SSL procedure|http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm].
  You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
  On the other hand, do you really need SSL on portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in [this diagram|http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm]
  Regards,
  Sean

• WCF service fronted with SSL enabled NGINX load balancer shows HTTP based WSDL url instead of HTTPS

  Hi,
  I have WCF service hosted using IIS 8.5 on application server. And application servers are fronted with NGINX load balancer with SSL enabled. Backend communication protocol between NGINX to application server is http. 
  When customer visits public domain url (https://xxx.com/service.svc), they can see the WSDL url with http://xxx.com/service.svc?wsdl. 
  What change should I make so that WSDL url will have https instead of http ? 
  This is service side configuration.
  <system.serviceModel>
      <services>
        <service name="Service.IService">
          <endpoint address="" binding="basicHttpBinding" bindingNamespace="http://xyz.com/Service" name="Service_Endpoint" contract="Service.IService" />
        </service>
      </services>
      <bindings>
        <basicHttpBinding />
      </bindings>
      <client />
      <behaviors>
        <serviceBehaviors>
          <behavior>
            <serviceThrottling maxConcurrentCalls="5000" maxConcurrentInstances="2147483647" maxConcurrentSessions="5000" />
            <serviceMetadata httpGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="true" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    </system.serviceModel>
  Thanks in advance !!

  Hi,
  For this scenario, you could just enable SSL in IIS to get HTTPS endpoints. If your service is exposed at https then you configure the same using “httpsGetEnabled”:
  <behaviors>
  <serviceBehaviors>
  <behavior
  name="MyServiceTypeBehaviors"
  >
  <serviceMetadata
  httpGetEnabled="true"
  />
       </behavior>
  </serviceBehaviors>
  </behaviors>
  For more information, you could refer to:
  http://www.codeproject.com/Articles/327260/What-s-new-in-WCF-Automatic-HTTPS-endpoint-for
  http://blogs.msdn.com/b/brajens/archive/2007/04/26/accessing-description-metadata-wsdl-of-wcf-web-service.aspx
  Regards

• Interesting ACE URL Header & Load-balance & SSL on 2 VIPs

  Hi There
  I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
  So, RSERVER = SERVER = 192.168.0.1
  Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
  But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
  OUTSIDE:
  website1.abc.com = 172.16.0.1:443
  website2.abc.com = 172.16.0.1:443
  website3.abc.com = 172.16.0.2:443
  website4.abc.com = 172.16.0.2:443
  On the server we have:
  INSIDE: 192.168.0.1
  SERVER:8001 = website1.abc.com
  SERVER:8002 = website2.abc.com
  SERVER:8003 = website3.abc.com
  SERVER:8004 = website4.abc.com
  So, in a nutshell what I need to do is:
  Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
  But, I am struggling like hell. The VIPs (Wirtual IPs on the OUTSIDE are causing me grief) My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.
  I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
  Can anyone give advice on the process flow to follow to get this to work. My issue is arround the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o
  I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers. SERVICE-POLICY tieing it all together on Interface.
  But .... things are going hey-wire.
  So, steps are:
  RSERVER
  SFARMs = RSERVER:PORTs
  ACLs = VIPs
  CMAP = HEADER = URL
  LB PMAP = HEADER CMAP & SFARM
  PMAP MULITM = ACL CMAP + LB PMAP & SSL-Proxy
  SVC-POL = PMAP MULTIM

  Hi Surya
  Thanks for the prompt reply. I'm not quite sure what you mean when you say it ca only handle 2 certs. Can you elaborate please?
  It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?
  regards
  Sent from Cisco Technical Support iPad App

• Load balancing ssl that terminates on servers

  hi,
  right now i have a very simple clear-text http + https setup. initially, my load-balancer was terminating SSL, but because of the way our application works, we moved away from that and installed an SSL-server on the servers themselves which we know works fine when we access the servers directly.
  on the css i have a very simple ssl-balance rule:
  content srv.443
  add service srv1.ssl
  add service srv2.ssl
  advanced-balance sticky-srcip
  protocol tcp
  port 443
  url "/*"
  vip address 10.72.39.17
  active
  service srv1.ssl
  ip address 10.72.39.71
  protocol tcp
  keepalive port 51001
  port 51001
  active
  service srv2.ssl
  ip address 10.72.39.72
  protocol tcp
  port 51001
  keepalive port 51001
  active
  the problem i'm seeing right now is that even though i deleted all config regarding ssl-termination on the css, every time i hit the 'ssl-vip' i still get the locally generated certificate instead of the valid one i get when hitting the web-servers directly.
  it's weird that the css keeps trying to use its own certificate, when all related config has been deleted.
  now i have a question, i assumed that there was no problem if one tries to load-balance ssl-traffic when the traffic is terminated on the servers themselves. now i'm not so sure, so an initial question is: can this be done?
  regards,
  c.

  yes, SSL can be terminated on the servers and loadbalancer by the CSS.
  You should remove the "url" from your config because the traffic is now encrypted and the CSS can't see the url.
  If the config is what you indicated, there is no way the CSS can send its own certificate.
  Absolutely no way :-)
  Are you sure your server is sending the correct certificate ?
  Gilles.