Cisco Content Switch question

Discussion in 'Tech Talk' started by Singlemalt, Apr 9, 2007.

  1. Singlemalt

    First, anyone here work with the 11503 Content Switch with the SSL accelerator?
     
  2. elderboy02

    No,

    But what is your problem?
     

  3. kimigirl

    Not that particular switch; I've mainly worked with the Cisco Catalyst series. What's up?
     
  4. Singlemalt

    My problem or question revolves around the SSL accelerator piece mostly.

    Ok, have dual CSS 11503's and a 4-node web cluster into the CSS. These are your basic Windows 2003 IIS 6.0 servers, .NET web site with (4) main sections of secured services (SSL).

    Ok, previously this was done as a 4-node cluster NOT on the CSS, we had software load balancing and the SSL certificates were installed on the local IIS servers. This was run for 4 years without one single SSL error.

    Ok, migrated to hardware load balancing and moved the SSL to the CSS and here is where it begins. We have some applications that are secured services that during the middle of the application process will prompt the user's browser "You are about to leave a secure page for a non-secure page, click Ok to continue", or at least something close to that wording. Issue is before moving to the CSS that error never happened, not even once.

    Would a good starting place be to review the content rules for SSL termination?
     
  5. elderboy02

    :headscratch: Man, you get the prize for the hardest question of the day.
     
  6. stooxie

    What you are seeing is the effect of the certificate-based authentication. When you establish an SSL connection, the browser will check the domain name, IP and root cert of the certificate to make sure everything matches. Since SSL is a stateful connection, the browser will also expect subsequent SSL requests to the same domain to go through that connection.

    I.E. is, of course, more anal than other browsers so it's warning you to the fact that something isn't quite right.

    You should be terminating SSL at the content switch and doing everything in the clear back to the web servers. You will also probably have to have your certificate reissued to make sure it matches the single domain name of your switch. After that, the switch can load balance freely to any of the back end web servers and the SSL certs won't be an issue since they stop at the CSS.

    -Stooxie
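
An added example, not part of the thread and not code from any poster: the warning quoted in the question appears when the browser is taken from an HTTPS page to an HTTP URL, so one way to narrow the problem down is to record a session through the application and list every HTTPS response that sends the user to an `http://` target. The sketch below checks redirects, links, form actions and meta refreshes, which goes a little beyond the single prompt described; the exchanges, host name and paths are constructed placeholders, and how the session is captured is left as an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Targets(HTMLParser):
    """Collect navigation targets: <a href>, <form action>, <meta refresh>."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.found.append(("link", a["href"]))
        elif tag == "form" and a.get("action"):
            self.found.append(("form", a["action"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                pos = content.lower().index("url=") + 4
                self.found.append(("meta-refresh", content[pos:].strip()))

def find_downgrades(exchanges):
    """Return (page, kind, target) for each HTTPS response that navigates to http://."""
    hits = []
    for url, status, headers, body in exchanges:
        if urlsplit(url).scheme != "https":
            continue  # only pages the browser considers secure can trigger the prompt
        targets = []
        loc = {k.lower(): v for k, v in headers.items()}.get("location")
        if 300 <= status < 400 and loc:
            targets.append(("redirect", loc))
        parser = _Targets()
        parser.feed(body)
        targets += parser.found
        for kind, target in targets:
            absolute = urljoin(url, target)  # relative targets inherit https
            if urlsplit(absolute).scheme == "http":
                hits.append((url, kind, absolute))
    return hits

# Constructed sample session (host name and paths are made up).
SAMPLE = [
    ("https://www.example.com/apply/step1", 200, {}, '<form action="/apply/step2" method="post"></form>'),
    ("https://www.example.com/apply/step2", 302, {"Location": "http://www.example.com/apply/step3"}, ""),
    ("https://www.example.com/apply/step3", 200, {}, '<a href="http://www.example.com/apply/done">Finish</a>'),
    ("http://www.example.com/about", 200, {}, '<a href="http://www.example.com/">Home</a>'),
]

if __name__ == "__main__":
    for page, kind, target in find_downgrades(SAMPLE):
        print(f"{page}: {kind} -> {target}")
```

Each hit names the secure page and the non-secure URL it leads to, which gives a concrete list of application steps to compare against the content rules on the switch.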