Re: SSL Acceleration [7:47596]

2002-06-27 Thread Joe Tutokey

John,

My company is doing something similar. Our problem started with making
sure a client's web requests stayed on the same server even while moving
from HTTP to HTTPS requests. We did not want to use redirects, so our Local
Director 416 could not cut it. I have installed a Cisco SCA-11000 SSL
accelerator in front of a Cisco CSS-11000 switch. Here are my thoughts so
far.

- the SCA-11000 passes any non-ssl traffic to the CSS-11000 to be load
balanced. The CSS-11000 does sticky load balancing on all HTTP packets
making sure the user maintains the same server.

- getting the key and cert into the SCA-11000, coming from a Win2K
server was a little interesting and I had to end up consulting some Cisco
TAC documents to find the exact steps to do this (only with a MS solution
though).

- when a customer transitions from a non-secure page to a secure page
(and maintains the same server), the URL will look something like this
"https:whatever.asp". The SCA will
decrypt the inbound stream and hand it off to the CSS to be load balanced.
With the CSS's layer 5 ability to balance by info in the url, I can use the
server name in the URL to make sure the secure connection makes it back to
the same server (and maintains the session the client started). This
requires that our web servers have a directory that is labeled with their
server name and that the code used for the secure site is in that directory on
all the servers (unique for each server, of course). This was the least code
rewrite intensive solution we could find. It's been a real learning
experience too!! :))

If anyone else has been doing some similar things I would love to hear about
it!

Joe

"John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> We're evaluating SSL acceleration for our web servers and the product
> currently up to bat is the Array 500TX.  With this device we can offload
> the SSL processing from the origin servers.  However, while testing the
> evaluation unit we're discovering that there's a lot more to this than
> simply loading the certs and keys onto the box and turning it on.
>
> For example, it may be that we have to rewrite portions of the code on
> our site to make it compatible with this solution.  There are also
> changes required on the web servers themselves to make them play nicely
> with the Array box.
>
> I'm wondering if any of you have implemented SSL acceleration (with
> anyone's product) and what gotchas you might have run into.  I'm almost
> to the point of dropping the idea of SSL acceleration and simply
> suggesting that we add more servers!  :-)  That's by far the simplest
> solution and doesn't require any changes to our existing code or
> configurations.  We simply plug the server into our existing load
> balancing switch and, with a small tweak of that config, we're off and
> running.
>
> Any thoughts?
>
> John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47608&t=47596
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
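
The URL-based pinning described in Joe's message above, modeled in Python as an added example (not code from the thread or from any Cisco product). The server names, addresses, the www.example.com host and the hash fallback used for unpinned requests are assumptions. Because the directory name arrives from the client, it is normalized and checked against the known pool before it decides anything.

```python
import posixpath
import zlib
from urllib.parse import unquote, urlsplit

# Hypothetical pool: per-server directory name -> real server address.
BACKENDS = {
    "web1": "10.0.0.11",
    "web2": "10.0.0.12",
    "web3": "10.0.0.13",
}


def pinned_backend(url):
    """Return the backend named by the first path segment, or None."""
    path = unquote(urlsplit(url).path)
    # Collapse "." and ".." segments and doubled slashes first, so the
    # decision is made on the directory the request really lands in.
    path = posixpath.normpath("/" + path.lstrip("/"))
    first_segment = path.split("/")[1]
    # Only names in the known pool may select a server.
    return BACKENDS.get(first_segment.lower())


def sticky_backend(client_ip):
    """Unpinned request: stable choice per client (assumed hash method)."""
    names = sorted(BACKENDS)
    return BACKENDS[names[zlib.crc32(client_ip.encode()) % len(names)]]


def route(url, client_ip):
    """Decide where a decrypted request goes: URL pin first, else sticky."""
    return pinned_backend(url) or sticky_backend(client_ip)


def secure_link(server_name, page):
    """Link a server emits so the later HTTPS request returns to it."""
    if server_name not in BACKENDS:
        raise ValueError("unknown server name: %r" % server_name)
    return "https://www.example.com/%s/%s" % (server_name, page)


if __name__ == "__main__":
    link = secure_link("web2", "checkout.asp")
    print(link, "->", route(link, "192.0.2.7"))
```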



OT: SSL Acceleration [7:47596]

2002-06-27 Thread John Neiberger

We're evaluating SSL acceleration for our web servers and the product
currently up to bat is the Array 500TX.  With this device we can offload
the SSL processing from the origin servers.  However, while testing the
evaluation unit we're discovering that there's a lot more to this than
simply loading the certs and keys onto the box and turning it on.

For example, it may be that we have to rewrite portions of the code on
our site to make it compatible with this solution.  There are also
changes required on the web servers themselves to make them play nicely
with the Array box.

I'm wondering if any of you have implemented SSL acceleration (with
anyone's product) and what gotchas you might have run into.  I'm almost
to the point of dropping the idea of SSL acceleration and simply
suggesting that we add more servers!  :-)  That's by far the simplest
solution and doesn't require any changes to our existing code or
configurations.  We simply plug the server into our existing load
balancing switch and, with a small tweak of that config, we're off and
running.

Any thoughts?

John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47596&t=47596