10-05-2009 06:26 AM
I am working on a simple SSL offload setup, but it does not work for some reason. I want to make sure I am not missing anything simple here. The configuration is pretty simple:
ssl profile myprofile
server port 80
 tcp keepalive 30 1
server real rs-xyz a.b.c.d
server virtual vs-xyz q.w.e.r
 port ssl ssl-terminate myprofile
 bind ssl rs-xyz http
I guess this should work... This is just the part of the config that seems to be important; the config is of course a bit bigger, because the box is offering plain-text HTTP as well, and I also have redundancy configured, with a second ServerIron 4G-SSL as backup for the first one.
10-05-2009 08:23 AM
I do see that you have source-nat enabled in your setup. I do not see a special source-nat-ip address (lines starting with: server source-nat-ip ...). Do you have source-nat-ips configured or not?
10-05-2009 08:39 AM
There is no such source-nat-ip in my configuration. Do I need one? I thought the ServerIron was going to use the VE's IP address for source NAT, doing it the way I did. It works perfectly for plain-text HTTP traffic to other VIPs, including source NAT.
10-05-2009 09:02 AM
You do have to define a special source-nat-ip for SSL-related traffic; it is not going to work if that is not part of the configuration. From the security guide:
Use the server source-ip <ip> <mask> <gateway> port-range <range> for-ssl command when source-nat is configured.
For ServerIron router code, use the server source-nat-ip <ip> <mask> <gateway> port-range <range> for-ssl command.
The RESET directly after the SSL handshake is what you get if you have not done so.
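As an added illustration that is not part of either poster's configuration, here is the SSL VIP from the first post in its "before" form and with the fix from the reply applied. Everything not shown in the thread is assumed: the global `server source-nat` line (the second post only says source-nat is enabled), the `port http` entry under the real server, the address 192.0.2.10/24 with gateway 192.0.2.1, and the `port-range 1` value are placeholders, so check them against the syntax of your own release. The `!` lines are annotation in the usual ServerIron config style.

```text
! --- before: SSL is terminated on the VIP and source-nat is on, but no
!     source-nat-ip is marked for-ssl. Plain-text VIPs keep working; the SSL
!     VIP completes the handshake and then answers with a TCP RST.
server source-nat
ssl profile myprofile
server real rs-xyz a.b.c.d
 port http
server virtual vs-xyz q.w.e.r
 port ssl ssl-terminate myprofile
 bind ssl rs-xyz http

! --- after: the same VIP plus a dedicated source-nat address for SSL traffic
!     (router code). 192.0.2.10 / 255.255.255.0 / 192.0.2.1 / port-range 1 are
!     assumed placeholders; use an unused address on the server-side subnet.
server source-nat
server source-nat-ip 192.0.2.10 255.255.255.0 192.0.2.1 port-range 1 for-ssl
ssl profile myprofile
server real rs-xyz a.b.c.d
 port http
server virtual vs-xyz q.w.e.r
 port ssl ssl-terminate myprofile
 bind ssl rs-xyz http

! On switch code the reply gives the equivalent command as:
!   server source-ip 192.0.2.10 255.255.255.0 192.0.2.1 port-range 1 for-ssl
```

A quick way to confirm the change took effect is to connect from a client with `openssl s_client -connect q.w.e.r:443` and send a plain `GET / HTTP/1.0` request: before the fix the session drops with a reset right after the handshake completes, afterwards the backend's response comes back through the VIP.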