Cisco Application Networking :: 4710 Appliance / HTTP To HTTPS Redirection URL
Sep 25, 2011
i have a 4710 appliance (one armed) and i am load balancing with two webservers. In the URL, there are links that need to be redirected to https:
[URL]
i am using the
rserver redirect REDIRECT-TO-HTTPS[URL]
The https is working but i have a problem. when i access the Main link "first" it is redirected to https to the Main link.But if i access one of the Sublinks directly(without having to click on the main link first) the page is redirected to https but to the Main Link. i have to click the Sublink again in order to get the page.How can i redirect to https and stay on the same page? What might be the general link in the webserver-redirection?
View 4 Replies
ADVERTISEMENT
Feb 27, 2012
For a CSS with a SSL module (performing SSL termination) - is it possible to impliment a redirect on https URL to send to equivalent http URL.If my understanding is correct, the CSS will do SSL termination and then use an http content rule on the resultant http stream as it is recursively handled by the CSS ? This would mean that the SSL module has no way of seeing/acting on layer 5 and above data (i.e. picking up on a specific URL) and can not itself issue a redirect - i.e. you could not associate a redirect statement or service with the following ssl content rule ? [code]The CSS would instead rely on a http content rule to impliment a redirect - i.e. you would have to associate a redirect statement or service to the following http content rule instead?
But if the CSS is already handling traffic for existing url... traffic that is going to cause a loop when a client goes direct to. url...I realise the requirment is uncommon / a bit convoluted, its one of those don't ask type scenarios - aimed at achieving a specific requirement.Would the ACE 4710 be able to handle such a scenario any differently ?
View 7 Replies
View Related
Jun 21, 2012
I am trying to make a redirect from http to https. the goal is whenever a user writes in http://10.80.199.71 it should be redirected to https://10.80.199.71 I am just haveing some trouble making it work.
View 4 Replies
View Related
Jun 26, 2011
I am configuring a GSS to check an Web server that responds to https requests.I put 443 as the port but I don´t see replies from the server and the Answer Status is always offline.Other servers using http on port 80 are showing OK.The appliance is a GSS-4492-k9 Version 3.1(0).
View 2 Replies
View Related
Sep 18, 2011
We want to mask part of the path prefix to hide development content: For example: the site(s) are: [URL]However we don't want anything with acme showing...so we would want the loadbalanced url to be: [URL] ...for requests and responses. I think this would be an http re-write request/response scenario?Is this possible to configure this on the ACE Device? We've got the load balance configuration down...not sure how to do this re-write type scenario?
View 2 Replies
View Related
Jun 19, 2012
I am wondering if there is a method to redirect particular URLs to individual real servers in a server farm.Scenario: We have an url which is setup on our ACE4710s (A3 2.4) to load balancer to a particular server farm as per standard setup i.e.Customers access [URL] on an external VIP, this is then load balanced to a server farm "SF_WEBSITE" consisting of 2 real servers "Server_A" and "Server_B". Nothing difficult in this set up. However, I have eeen asked if it is possible to redirect certain urls to individual servers within the server farm "SF_WEBSITE": e.g.
Action 1 - Customers access [URL] is redirected to "Server_A" only
Action 2 - Customers access [URL] is redirected to "Server_B" only
Default Action - Customer access [URL] anything else is redirected to server farm "SF_WEBSITE" and is load balanced between "Server_A" and "Server_B"
The Standard Class Maps and Policy would be something like:
policy-map type loadbalance first-match SLB_WEBSITE
class class-default
serverfarm SF_WEBSITE
Where I thought I would need something like:
class-map type http loadbalance match-all CMAP_AREA1
description CMAP used to capture specific URL for area 1
2 match http url /area1
class-map type http loadbalance match-all CMAP_AREA2
description CMAP used to capture specific URL for area 2
2 match http url /area2
[code]...
I think the above method is ok for 1 instance, but if it test successfully, my company would want to to roll this out across dozens of server farm configurations each consisting of numerous real servers, which will make the administration and implementation time overheads massive, not to mention complicating and lengthening the configuration.
View 7 Replies
View Related
Jun 21, 2012
In 2008-2010 timeframe, I used the ace 4710 appliances at one customer and kind of liked them. The deployment was not too SSL intensive and B/W requirements were low, but I configured a few HA pairs and that worked well. The configuration was pretty comparable to other Cisco devices; so easy to learn/pick-up.Fast forward to 2011: stepped into an environment, where customer purchased 3 - ACE 20 modules (before I got here), and had multiple issues with them. I found 4 documented TAC cases, and 1 was still open. I started working from December 2011 on getting Cisco to own-up WRT modules but customer by that time had had enough.
The most serious issue was a random reboot, hang or lockup. I wasn’t here to work with them to verify, but that’s eventually what the deal breaker was. Around the February 2012 timeframe, talking to Cisco SE, he revealed Cisco had an independent lab in Switzerland verify that some hardware component on the device had a terminal defect, in which a bit would flip, and force the device to lock or reboot - subject ot radioactive decay or interference.Cisco and the lab attributed this to improper shielding, coupled with defective material in the electronic component; hence the device was highly susceptible to radiation-type errors. This is the kind of stuff you read in doomsday reports! As a result, Cisco was EOL-ing the ACE-20 module. I am trying to get Cisco to replace the ACE-20 modules with something else, but they haven’t been too cooperative. They have also limited their SE/Salseperson presence where I work (Pacific Northwest); and are not too responsive.
I have gotten a verbal agreement to get a credit on prior purchases for the amount this customer spent on the ACE-20 modules. However, the credit is only a few points off their normal discounting model. And Cisco will not go into loss on new product sales. Using example, $100 product would cost me $55 with standard Cisco discounting. Cisco’s cost might be $45 so I will only get another $10 credit on this new purchase.The 3 Cisco ACE-20’s originally cost customer about $100K, so to dwindle this credit down, we would need to purchase about $1-$2 million of new hardware - that's a lot of new gear! And I don’t have any real way of knowing that Cisco is applying the credit honestly, and they won’t put anything in writing. This entire issue has really dampened customer’s impression of Cisco. They had smartnet on the ACE-20’s for 2+ years, but then dumped that after losing faith in the product. Now I am trying to resurrect smartnet to see if Cisco will give us an alternate product.
And to cap it all off, the original Cisco salesperson (who sold customer the ACE’s), has left and went to work for F5! And yes, he has been calling on customer to try to sell some big-IP's! At least there is some humor in all of this. So... Has anyone else had bad experience with ACE-20 module? How about ACE 4710? How to get a reliable working ACE module from Cisco?
View 6 Replies
View Related
May 26, 2011
My TCOM guys say they do not see the ACE as a CDP neighbor on their switches. Is CDP enabled by default? I cannot find any documentation that suggests this is configuration (like on the Cisco CSS - where it can be enabled, but cannot see its' CDP neighbors).
BTW - The ACE 4710 Appliance documentation uses CDP as acronym for Certificate Revocation List Discovery Point (for SSL CRL's).
View 2 Replies
View Related
Jan 21, 2013
I have a pair of ACE 4710's that I am deploying within a datacenter. The primary and secondary ACE appliances have identical configurations except for the IP addressing and priorities for FT. The FT peer is going into a TL error state.
On the primary ACE appliance, I am able to ping and telnet from/to it without any issues. All of the routing works as it should and everything is seen in the ARP table as it should. The secondary appliance is able to ping everywhere, but telnet out of or into that appliance does not work.
I am able to see the IP addresses in the arp table and can successfully ping end to end from the secondary device, just unable to telnet into or out of it. When I try to telnet out of the secondary device, it reports that there is no route, even though the IP's I am trying to telnet to are directly connected and those interfaces are up and working (otherwise ping would fail). The exact same filters (access-lists, service-policies) are configured in the exact same format and applied to the exact same interfaces.
I tried removing all of the fault tolerance configurations and just created a Layer 3 vlan interface for management and I am still unable to telnet into or out of the appliance. This is not a complicated setup and I have to think there is something obvious that I'm missing, but I'm hung up on the fact that the config's are almost identical while one works exactly as intended and the other reports no route to host for a directly connected interface.
View 2 Replies
View Related
Mar 19, 2012
what is that mean-"Redundancy is not supported between an ACE module and an ACE appliance operating as peers" I'm designing network in which I plan to use ACE-4710-0.5F-K9 appliances.
View 1 Replies
View Related
Feb 6, 2013
How to configure a redirection on the ACE from HTTP to HTTPS using specific URL example [URL] to [URL], the SSL certificates were installed on the servers.
View 7 Replies
View Related
Sep 20, 2011
i have ACE 4710 appliance that terminate SSL and the connection to the servers is http.
The ACE (one Armed) is load balancing between two web servers and i am using stickness in order to take the connection on the same server based on cookie.I can access the website either by http or https., where on the web page there is a login credential to access using username and password.
When i access the website using https everything works fine and i can login to my account in https mode.When i access the website through http and login to my account the URL is redirected to https...normal because i am using action-list to rewrite the http into https. But when i exit the browser and access the website again using http it is not redirected to https(although i see that i am still login into my account i can see all the inforamtion in my account).
The customer wants the connection to be https even when i exit the browser and access the website again (within short time before the cookie exipres)
View 3 Replies
View Related
Feb 11, 2013
Do you know if it is possible in ACE 4710 appliance to configure a SIP TLS ?The SIP probe we have in the configuration guide it is only for clear text. for Lync 2013 we need to establish first a TLS session and then within it, send an SIP request..IS it possible in any version? I tried also to configure a HTTPS probe but it fails as it sends a GET which the Lync SIP server doesn't understand.
View 1 Replies
View Related
Jan 9, 2013
I would just like to double-check a point with the forum on licensing on 4710 Appliance.If with version 4.2 and above 2Gbps Bandwidth licence is required, the output of the sho license status should be?
View 1 Replies
View Related
Jan 9, 2013
I have an ACE version A5.2 configured in one-armed leg (doing source nat). I have a requirement to add(or copy) the "referer" header value from the original request to the request send by ACE.
I cannot figure out how to copy this value. It is easy to add the source ip address by adding: " insert-http x-forwarded-for header-value "%is".
So how I am going to copy the Refere header?
#Referer
#Address (URI) of the resource from which the URI in the request was obtained
View 2 Replies
View Related
Apr 16, 2012
Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later. I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?
View 6 Replies
View Related
Nov 15, 2011
I am trying to configure ACE 4710 to load balance base on the URL, If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456 else the traffic will be sent to server farm 123.
I attached an image of the topology.
Ace Config:
rserver host SRV01_123
ip address 192.168.1.101
inservice
[Code].....
View 4 Replies
View Related
Oct 10, 2012
We had a PCI security audit of an existing VIP on our ACE 4710. The VIP is set up as HTTPS terminating on the ACE with a http redirect for all 80 traffic. The audit reported this VIP was vunerabled to the Cisco "IOS HTTP Authorization Vulnerability". Which basicly states, http Management is on this IOS device. It does not make any sense, as the VIP is pointed to a pair IIS servers?
[URL]
View 2 Replies
View Related
Feb 1, 2012
I have a requirement to load balance OWA 2010 inbound connectivity to 2 CAS servers using a ACE 4710 with sticky sessions enabled.
The CAS servers are currently responding on 80 or 443 at this moment in time. Eventually I want to off load the SSL to the ACE 4710, its currently running on the CAS servers. I need to enable sticky sessions to keep the session to the same CAS server for each internet based connection. I also have a proxy enabled for inbound connectivity so I cannot use source IP.
Here is my configuration but it doesn’t seem to be working, i am currently testing with port 80 connections not SSL.
serverfarm host INHOUSE-EXCHANGE-OWA-vFARM
predictor response app-req-to-resp samples 4
probe 443
probe HTTP-PROBE
rserver INHOUSE-TEST-CAS01-SVR
inservice(code)
View 12 Replies
View Related
Aug 31, 2011
I have been tasked to provide SSL(HTTPS) access to a server farm that will be accessible from the internet. Is this the correct guide to follow?
[URL]
I am assuming I will need to purchase a certificate to import into the load-balance r as well.
View 1 Replies
View Related
Jan 8, 2013
We are using a ACE 4710 with A3(2.6) software release.I had to change our sticky load balancing method for HTTPS to cookie based.However while connections appear to work if I look at the show sticky database table I can not see or confirm sticky entries for the cookie based connections.Here or config snippets to show the config
sticky http-cookie ghh-www scook-ghh
cookie insert browser-expire
serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
2 match virtual-address 172.16.1.21 tcp eq https
[code].....
View 22 Replies
View Related
Nov 9, 2011
We are migrating from ACE 20 module to an ACE 4710 appliance. [code] When pasting in the config on the ACE 4710 running A4(2.1) code, I get the subject error message when trying to enter in the highlighted sticky-serverfarm command above. Again, this config works on the older hardware and older code.
View 1 Replies
View Related
Jul 12, 2011
Can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time.
View 2 Replies
View Related
Oct 17, 2012
I’m looking for some notes from the field guidance here from those that have much more deployment experience.
I have a GSS and an ACE, and its the ACE that's primarily giving me something to think about, in terms of placement and what mode to adopt.
The traffic flow will look loosely like this:-
Client---Internet---Firewall---GSS---ACE---Servers
Physically, it's like this. The RED line denotes a boundary, and pretty much anything North of that is not accessible to us, we simply have a L3 trunk between our switches and "their" switches (S3/S4) and talk using EIGRP.
There are other servers in the top tier, some that also require load balancing, some that don’t. Typically, I want to load balance HTTPS requests from the internet, to one of the 3 servers in the top half.
I’m not sure what mode to select, routed, one arm? What about placement of the ACE? At the moment, I’ve just configured 1/1 on it and made it part of the MG MT VLAN, it's S VI exists on the S1/S2 switches, so I’m open to change as it's still all in the lab.
View 1 Replies
View Related
Apr 19, 2011
The below is the display that I get on the screen when i boot the device.There are two error's one is when the daughter card is found and device give us login access after which it reboot’s. The second is stated below (this is a screen copy of the error)
INIT: version 2.85 booting/mnt/cf/TN-CONFIG on /TN-CONFIG type ext3 (rw,sync,loop=/dev/loop0)/mnt/cf/TN-CERTKEY-STORAGE on /TN-CERTKEY-STORAGE type ext3 (rw,sync,loop=/dev/loop1)/mnt/cf/TN-LOGFILE on /TN-LOGFILE type ext3 (rw,sync,loop=/dev/loop2)/mnt/cf/TN-HOME on /TN-HOME type ext3 (rw,sync,loop=/dev/loop3)/mnt/cf/TN-COREFILE on /TN-COREFILE type ext3 (rw,sync,loop=/dev/loop4)insmod: error inserting
[Code]...
View 8 Replies
View Related
Oct 21, 2012
After replacing a Cisco CSS/SSL Accelorator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. This is occurring for several different URLs and not just the one above and for multiple web browsers.The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14. A recent ACE software upgrade to A5(2.1) has not fixed the problem.
View 1 Replies
View Related
Aug 16, 2012
Will ACE 4710 support for IPS features?
View 1 Replies
View Related
Mar 17, 2013
I need to setup new ACE 4710 device , after referring to "Establishing a Console Connection on the ACE" i had managed to set up initial console connection. During installtion i had configured vlan (default vlan 1000) , interface ip adess& subnet mask.
Post initial config i understand i should be able to open' Device Manager GUI Login Window' but it is not opening.I also need inputs on setting 4710 for the telnet connection
View 4 Replies
View Related
May 13, 2013
I have a physical server running behind the ACE module ACE20-MOD-K9. The Server has several virtual machines. One of that virtual machines, has a WEB SERVER running virtual https servers. For example, server with IP address 10.0.0.20/24, has serveral virtual HTTPs servers as of urll... So, if you nslookup the servers, they all respond with 10.0.0.20 IP address. So if I do url...goes to 10.0.0.20 and read the VIRTUAL SERVER config and replies back to the request.Now, I am trying to verify that the TCP connection (443) and the HTTPS server itself is up and running but only for the url... site and not for the other 2.The problem that I am facing is tha the HTTPS probe fails randomly. The TCP probe works fine.
View 1 Replies
View Related
Jan 18, 2012
I need configure HTTP Compression by hardware on CSS 11503. I make config like this [URL]
My config:
service s1
ip address 10.1.66.11 (web server)
keepalive type none
[Code].....
View 4 Replies
View Related
Apr 26, 2013
Any info about Exchange 2013 and ACE SLB functions. I know they changed to RPC over HTTPS on exch side and few other items changed as well. Any feedback from a production deployment.
View 1 Replies
View Related
Jan 22, 2013
I am configuring a load balancer from cisco, a ACE 4710.Load blancing is completely new to me, and i am unexpereinced in this field. It has to be configured for a customer that want to load balance HTTP and RTSP traffic over 4 application servers (Back-end),I searched alot on google for possible solutions, and got RTSP in some way to work, but http wont work says my customer.
[Code] .....
View 3 Replies
View Related
May 26, 2011
I'm setting up an ACE 4710 in our test lab before deploying in production. Do the test web servers I am using need to use the ACE as their default gateway? The are currently configured to use a multilayer switch on their vlan as their gateway but I'm guessing the ACE needs to see the return traffic for load balancing to work correctly?
View 2 Replies
View Related
