Discussion in 'Tech Talk' started by Singlemalt, Apr 9, 2007.
First, anyone here work with the 11503 Content Switch with the SSL accelerator?
But what is your problem?
Not that particular switch, I've mainly worked with the Cisco Catalyst series, what's up?
My problem or question revolves around the SSL accelerator piece mostly.
Ok, have dual CSS 11503's and a 4-node web cluster into the CSS. These are your basic Windows 2003 IIS 6.0 servers, .NET web site with (4) main sections of secured services (SSL).
Ok, previously this was done as a 4-node cluster NOT on the CSS, we had software load balancing and the SSL certificates were installed on the local IIS servers. This was run for 4 years without one single SSL error.
Ok, migrated to hardware load balancing and moved the SSL to the CSS and here is where it begins. We have some applications that are secured services that during the middle of the application process it will prompt the user's browser "You are about to leave a secure page for a non-secure page, click Ok to continue", or at least something close to that wording. Issue is before moving to the CSS that error never happened, not even once.
Would a good starting place be to review the content rules for SSL termination?
Man, you get the prize for the hardest question of the day.
What you are seeing is the effect of the certificate based authentication. When you establish an SSL connection, the browser will check the domain name, IP and root cert of the certificate to make sure everything matches. Since SSL is a stateful connection, the browser will also expect subsequent SSL requests to the same domain to go through that connection.
I.E. is, of course, more anal than other browsers so it's warning you to the fact that something isn't quite right.
You should be terminating SSL at the content switch and doing everything in the clear back to the web servers. You will also probably have to have your certificate reissued to make sure it matches the single domain name of your switch. After that, the switch can load balance freely to any of the back end web servers and the SSL certs won't be an issue since they stop at the CSS.
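
A diagnostic for the setup discussed in this thread, added here as an example and not written by any poster: it scans responses captured on the client side of the SSL-terminating switch and reports every HTTPS page that sends the browser to an `http://` URL through a redirect or a form post. It assumes the browser warning is triggered by such a response; the host name and the sample responses are constructed.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> in a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form" and dict(attrs).get("action"):
            self.actions.append(dict(attrs)["action"])


def find_downgrades(exchanges):
    """Return (request_url, kind, target) for HTTPS responses leading to http://."""
    findings = []
    for request_url, raw_response in exchanges:
        if urlsplit(request_url).scheme != "https":
            continue  # only pages the user reached over SSL can be downgraded
        head, _, body = raw_response.partition("\r\n\r\n")
        status_line, _, header_text = head.partition("\r\n")
        headers = message_from_string(header_text)
        targets = []
        if status_line.split()[1].startswith("3") and headers["Location"]:
            targets.append(("redirect", headers["Location"]))
        parser = _FormActions()
        parser.feed(body)
        targets += [("form", action) for action in parser.actions]
        for kind, target in targets:
            absolute = urljoin(request_url, target)  # resolve relative URLs
            if urlsplit(absolute).scheme == "http":
                findings.append((request_url, kind, absolute))
    return findings


# Constructed sample: responses as a client would receive them via the switch.
SAMPLE = [
    ("https://www.example.test/apply/step1",
     "HTTP/1.1 302 Found\r\nLocation: http://www.example.test/apply/step2\r\n\r\n"),
    ("https://www.example.test/apply/step2",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<form action='/apply/step3' method='post'></form>"),
    ("https://www.example.test/apply/step3",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<form action='http://www.example.test/apply/done'></form>"),
]
```

Relative targets such as `/apply/step3` inherit the HTTPS scheme and are not reported; only absolute `http://` targets are.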