SSL Tunnel to One Data Center with Server Authentication - Cisco 11503 - CSS Content Services Switch Configuration Manual

Content Services Switch SSL Configuration Guide

Chapter 8
Examples of CSS SSL Configurations

SSL Tunnel to One Data Center with Server Authentication

OL-5655-01
In Figure 8-8, an office contains a CSS 11506 with two SSL modules. Clients connect to the CSS VIP 192.168.7.101 using clear text. The CSS load balances (by applying the advanced-balance arrowpoint-cookie sticky commands), NATs, and sends the connection to an SSL initiation service.

The service of type ssl-init tells the CSS to send the connection to the SSL module defined by the slot command. The service also defines the IP address of the destination (data center).

When the traffic leaves the service and enters the appropriate SSL module (in this case, slot 2), the SSL proxy list must contain the destination IP address (the ssl-init service IP address). The SSL module encrypts the traffic and sends it to the configured destination. By adding the certificate of the CA that signed the SSL server certificate, the CSS can authenticate the server during the SSL handshake.
Be aware of the following configuration requirements:

• To optimally utilize multiple SSL modules, you must balance the SSL initiation VIPs and the SSL modules in your configuration.
• You must apply the SSL initiation proxy list to the SSL module using a service of type ssl-init.
• You must obtain the certificate of the CA that issued the SSL server certificate. After you import it and associate it, define the CA certificate as a cacert within the SSL proxy list.
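
The following Python sketch is an added illustration, not CSS configuration and not taken from this guide. It reproduces the behavior described above (clear text in, SSL out, server authenticated against the issuing CA's certificate). The backend address and CA file name are constructed placeholders, and all function names are hypothetical.

```python
import asyncio
import ssl

LISTEN = ("192.168.7.101", 80)    # clear-text VIP from the text
BACKEND = ("203.0.113.10", 443)   # constructed placeholder for the data center address
CA_FILE = "server-ca.pem"         # constructed placeholder: CA that signed the server cert

def make_backend_context(ca_file=None):
    """Client-side TLS context for the encrypted leg toward the data center."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file:
        # Trust only the issuing CA, not the system store.
        ctx.load_verify_locations(cafile=ca_file)
    # Without a CA file the trust store stays empty, so every handshake fails closed.
    return ctx

async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle_client(c_reader, c_writer, backend, ctx):
    host, port = backend
    try:
        # The handshake happens here; an untrusted server certificate raises
        # ssl.SSLCertVerificationError (an OSError subclass).
        s_reader, s_writer = await asyncio.open_connection(
            host, port, ssl=ctx, server_hostname=host)
    except OSError:
        c_writer.close()   # never fall back to forwarding in clear text
        return
    await asyncio.gather(pipe(c_reader, s_writer), pipe(s_reader, c_writer))

async def serve(listen, backend, ca_file):
    ctx = make_backend_context(ca_file)
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, backend, ctx), *listen)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve(LISTEN, BACKEND, CA_FILE))
```

Because the context is built with an explicit CA file instead of the system trust store, a server certificate signed by any other CA is rejected and the client connection is closed.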
Cisco Content Services Switch SSL Configuration Guide
8-25

This manual is also suitable for:

11500 series
