Transparent Local-Listen - Cisco CSS11501S-C-K9 Configuration Manual

Appendix B Deployment Examples

Transparent Local-Listen

Note If you are using IIS and have a redirection in your Web page, the
URL must have a trailing slash ("/") to work properly, e.g.,
<href="/issamples/default/learn/">.
Transparent Local-Listen
The transparent local-listen mode of operation was added to broaden
compatibility between offloaders and some models of load-balancing and
content-switching gear. Additionally, it enables transparent mode interoperation
with the CSS without having to use the type transparent-cache or the no
cache-bypass directives within the services definitions. This simplifies ACL
implementations, as well as the overall configuration on the CSS.
Transparent local-listen is a hybrid of transparent and no transparent modes,
and can be defined only when a logical SSL server is operating in transparent
mode. If a logical SSL server is operating in no transparent mode, transparent
mode must first be enabled before attempting to define transparent local-listen or
a warning will be issued and the command will fail.
Since—as the name implies—transparent local-listen uses a local-listening
socket for inbound SSL connections (precisely as no transparent does) unique
listening ports must be defined to host multiple logical SSL servers. Unlike
conventional transparent mode, the IP address specified within the configuration
will not be used to listen for inbound traffic, but rather only for sending outbound
(decrypted) traffic. Unlike traditional no transparent mode, however, when the
offloader sends the outbound traffic, it will use the client's IP address rather than
its own IP address in fashioning these packets; thus the hybridity of the proxy.
The CSS (or other load-balancer) will be responsible for performing port address
translation from the default SSL port 443 to a unique port for each additional
logical SSL server hosted on each offloader. Again, this is different from
traditional transparent proxy mode wherein the differentiation between
certificate/key pairs is offered by uniqueness in the listening IP address on the
offloader.
The content and services portion of the CSS configuration is nearly identical to
the configuration used in non-transparent proxy mode, while the network portion
of the CSS configuration mirrors that used in transparent mode.
Cisco 11000 Series Secure Content Accelerator Configuration Guide
B-31
78-13124-06