Chapter 8
Examples of CSS SSL Configurations
SSL Initiation Configurations
SSL Tunnel to Four Data Centers
OL-5655-01
SSL initiation is the process whereby a properly configured CSS with an SSL
module receives clear text from a client and connects that flow with an SSL flow
that is originated by a back-end server configured on the SSL module. Use this
configuration for secure site-to-site data transfers.
This section provides two SSL initiation examples:
• SSL Tunnel to Four Data Centers
• SSL Tunnel to One Data Center with Server Authentication
In Figure 8-7, an office contains a CSS 11506 with two SSL modules. Clients
connect to a CSS VIP using clear text. The CSS load balances (by applying one
of the advanced-balance sticky commands), NATs, and sends the connection to
an SSL initiation service.
The service of type ssl-init tells the CSS to send the connection to the SSL module
defined by the slot command. The service also defines the IP address of the
destination (remote site).
When the connection leaves the service and hits the appropriate SSL module, the
SSL proxy list must contain the destination IP address (the ssl-init service IP
address). The SSL module encrypts the traffic and sends it to the configured
destination.
• To optimally load balance flows, you must balance the SSL initiation VIPs
and the SSL modules when multiple SSL modules exist (as in this example).
• The SSL initiation feature requires that the proxy list be applied to the SSL
module via a service of type ssl-init.
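The configuration fragment below is an added illustration and is not the guide's own example configuration for Figure 8-7. It ties together the three pieces described above for two of the four data centers, one per SSL module (the same pattern repeats for the remaining two sites): an SSL proxy list whose backend-server ip address matches the ssl-init service that points at that slot, an ssl-init service selected by the slot command, and a clear-text content rule that uses an advanced-balance sticky command to spread clients across both services. All names, IP addresses and slot numbers are invented. Apart from ssl-init, slot and advanced-balance, which the text above names, the command syntax is from general familiarity with the CSS CLI; the backend-server type initiation line in particular is an assumption, so check every command against the command reference and the complete example later in this chapter before using it.

```text
! SSL proxy list for the module in slot 2.  The backend-server ip address
! must equal the ip address of the ssl-init service below; server-ip and
! server-port are the remote site that receives the encrypted flow.
ssl-proxy-list dc1_init_list
  backend-server 1
  backend-server 1 ip address 192.168.21.1
  backend-server 1 port 443
  backend-server 1 server-ip 172.16.1.10
  backend-server 1 server-port 443
  backend-server 1 type initiation      ! assumed command, see the command reference
  active

! Same arrangement for the second data center on the module in slot 3.
ssl-proxy-list dc2_init_list
  backend-server 1
  backend-server 1 ip address 192.168.31.1
  backend-server 1 port 443
  backend-server 1 server-ip 172.16.2.10
  backend-server 1 server-port 443
  backend-server 1 type initiation      ! assumed command, see the command reference
  active

! ssl-init service: slot selects the SSL module, ip address is the
! destination the proxy list matches on, and the proxy list is applied
! to the module through this service.
service dc1_ssl_init
  type ssl-init
  slot 2
  keepalive type none
  add ssl-proxy-list dc1_init_list
  ip address 192.168.21.1
  active

service dc2_ssl_init
  type ssl-init
  slot 3
  keepalive type none
  add ssl-proxy-list dc2_init_list
  ip address 192.168.31.1
  active

! Clear-text content rule the office clients connect to.  A sticky
! advanced-balance method keeps each client on one SSL module so that
! flows are balanced across both modules without splitting a session.
owner office
  content clear_to_datacenters
    vip address 10.10.10.100
    protocol tcp
    port 80
    advanced-balance sticky-srcip
    add service dc1_ssl_init
    add service dc2_ssl_init
    active
```

Two things are worth noting when reading this fragment. First, the pairing of service ip address and backend-server ip address is what routes a flow from the service to the right entry in the proxy list; if the two differ, the module has no matching destination for the traffic it receives. Second, nothing here checks the certificate presented by the remote site, so the tunnel is encrypted but the far end is not authenticated; that is what the second example in this section, SSL Tunnel to One Data Center with Server Authentication, adds.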
Cisco Content Services Switch SSL Configuration Guide
8-21