
Cisco 11503 - CSS Content Services Switch Configuration Guide

Cisco Content Services Switch SSL Configuration Guide
OL-5655-01
Chapter 8 Examples of CSS SSL Configurations
In step 5 shown in Figure 8-2, the CSS directs the clear text traffic back to the SSL module through an IP address that maps directly to a back-end SSL server. The SSL module terminates the clear text connection.

In step 6 of Figure 8-2, the SSL module re-encrypts the traffic and establishes an SSL connection to the back-end SSL server. The SSL module sends the traffic through the CSS to the selected back-end SSL server.

SSL Transparent Proxy Configuration — One SSL Module

An SSL transparent proxy server is a proxy server that preserves the client's IP address as the source IP address for the back-end connection to the server. When you configure an SSL transparent proxy on the CSS, the CSS intercepts and redirects outbound client requests to an HTTP server on the network without changing the source IP address.

This section provides a simple configuration of an SSL transparent proxy between a client, a CSS with a single SSL module, and three HTTP servers (ServerABC, ServerDEF, and ServerGHI). Two content rules are used in this configuration: an SSL content rule and an HTTP content rule. The SSL content rule is a Layer 4 rule because there is only a single SSL module and there is no need to maintain client-to-server (SSL) stickiness. The use of a Layer 4 content rule in this configuration may improve CSS performance.

Figure 8-3 illustrates this transparent proxy configuration.

For purposes of illustration, the configuration example in Figure 8-3 shows the VIP address for the SSL content rule (ssl-rule) to be the same as the VIP address for the HTTP content rule (http-rule). These two VIP addresses do not have to be identical. Depending on the method that you choose to allow access to secure content on your HTTP servers, you may need to specify a different VIP address for the clear-text content rule to place it in non-routable address space. In this example, instead of specifying a VIP address of 192.168.5.5 for the http-rule content rule, you could specify a VIP address of 10.1.1.5. With that address, the clear-text http-rule is unreachable from the Internet, which can offer you more flexibility and granularity while allowing the CSS to be seamlessly integrated for secure transactions.
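An added example, not taken from the Cisco guide: a Python check that parses content rules out of configuration text and reports any clear-text rule whose VIP lies in an Internet-routed prefix, which is the exposure the paragraph above avoids by moving http-rule to 10.1.1.5. The sample configuration is constructed (it is not Figure 8-3), the function names are hypothetical, and the published prefix 192.168.5.0/24 is an assumption standing in for the site's routable range.

```python
import ipaddress

# Constructed sample in the style of CSS content rules; not the guide's Figure 8-3.
SAMPLE_CONFIG = """\
owner ssl-owner
  content ssl-rule
    vip address 192.168.5.5
    protocol tcp
    port 443
    add service ssl_module1
    active
  content http-rule
    vip address 192.168.5.5
    protocol tcp
    port 80
    add service ServerABC
    add service ServerDEF
    add service ServerGHI
    active
"""

def parse_content_rules(config):
    """Return {rule name: {"vip": IPv4Address or None, "port": int or None}}."""
    rules, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "content":
            current = rules.setdefault(words[1], {"vip": None, "port": None})
        elif current is None:
            continue  # ignore lines that appear before the first content rule
        elif len(words) >= 3 and words[:2] == ["vip", "address"]:
            current["vip"] = ipaddress.ip_address(words[2])
        elif len(words) == 2 and words[0] == "port":
            current["port"] = int(words[1])
    return rules

def exposed_clear_text_rules(config, published_prefixes, clear_ports=(80,)):
    """Names of rules on a clear-text port whose VIP is inside a published prefix.

    published_prefixes is deployment knowledge (an assumption of this example):
    the prefixes that are routed to the CSS from the Internet.
    """
    nets = [ipaddress.ip_network(p) for p in published_prefixes]
    return sorted(
        name for name, rule in parse_content_rules(config).items()
        if rule["port"] in clear_ports and rule["vip"] is not None
        and any(rule["vip"] in net for net in nets)
    )
```

Run against the sample with `["192.168.5.0/24"]` as the published prefix, the check names http-rule; after the http-rule VIP is changed to 10.1.1.5 it returns an empty list.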
