Basic Cisco ACE HTTPS Server Farm

Below is a basic Cisco ACE server farm configuration. SSL is terminated on the content switch, which then connects back to the web servers on port 80 (HTTP).

First create a probe to check that the servers are alive. Note that this probe requests the page /contentswitch/default.htm and expects a 200 status to be returned:

probe http HTTP_PROBE_WWW.DOMAIN.COM
  port 80
  interval 10
  passdetect interval 10
  request method get url /contentswitch/default.htm
  expect status 200 200

If you haven’t already configured your web servers, you will need to add them:

rserver host web11-10_0_129_11
  ip address 10.0.129.11
  inservice
rserver host web12-10_0_129_12
  ip address 10.0.129.12
  inservice

Now create the server farm, attaching the probe and the two real servers:

serverfarm host WWW.DOMAIN.COM-SSL-10_0_128.10_443
  failaction purge
  probe HTTP_PROBE_WWW.DOMAIN.COM
  retcode 200 200 check count
  rserver web11-10_0_129_11 80
    inservice
  rserver web12-10_0_129_12 80
    inservice

Now set the session affinity (required for SSL; in this case it is source-IP stickiness):

sticky ip-netmask 255.255.255.255 address source SRC-IP-WWW.DOMAIN.COM
  timeout 720
  replicate sticky
  serverfarm WWW.DOMAIN.COM-SSL-10_0_128.10_443

Now specify the SSL key, certificate and intermediate chain to be used:

ssl-proxy service SSL-PROXY-LIST-WWW.DOMAIN.COM
  key 2012-www.domain.com.key
  cert 2012-www.domain.com_cert.cer
  chaingroup COMODO-INTERMEDIATE-CERTS
  ssl advanced-options rehandshake

Now create a class-map matching the virtual IP address (HTTPS) that will be bound to the server farm:

class-map match-any 03-L4-VIP-CLASS-WWW.DOMAIN.COM-SSL-10_0_128.10_443
  2 match virtual-address 10.45.128.129 tcp eq https

Now create your layer 7 policy (which selects the sticky server farm), then add your layer 4 class to your layer 4 policy, referencing the layer 7 policy and the SSL proxy service:

policy-map type loadbalance first-match 02-L7-POL-WWW.DOMAIN.COM-SSL-10_0_128.10_443
  class class-default
    sticky-serverfarm SRC-IP-WWW.DOMAIN.COM
policy-map multi-match 04-L4-POLICY-LIVE-SSL
  class 03-L4-VIP-CLASS-WWW.DOMAIN.COM-SSL-10_0_128.10_443
    loadbalance vip inservice
    loadbalance policy 02-L7-POL-WWW.DOMAIN.COM-SSL-10_0_128.10_443
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    ssl-proxy server SSL-PROXY-LIST-WWW.DOMAIN.COM
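The objects above form a chain of names (probe, rservers, serverfarm, sticky group, SSL proxy, class-map, policies) and one mistyped name leaves the VIP without a working backend. As an added example that is not part of the original post or any Cisco tooling, the following Python check parses an ACE configuration in the indented form shown above and lists every name that is referenced under one object but never defined; the sample configuration is constructed from the post's objects, trimmed to their cross-references, with one deliberate typo.

```python
from collections import defaultdict
# Unindented keyword -> kind of object it defines (ACE puts the name last).
DEFS = {"probe": "probe", "rserver": "rserver", "serverfarm": "serverfarm",
        "sticky": "sticky", "ssl-proxy": "ssl-proxy",
        "class-map": "class", "policy-map": "policy"}
# Indented keyword(s) -> (kind referenced, index of the name in the line).
REFS = {"probe": ("probe", 1), "rserver": ("rserver", 1),
        "serverfarm": ("serverfarm", 1), "sticky-serverfarm": ("sticky", 1),
        "class": ("class", 1), "loadbalance policy": ("policy", 2),
        "ssl-proxy server": ("ssl-proxy", 2)}

def parse(config):
    """Return ({kind: {defined names}}, [(kind, referenced name), ...])."""
    defined, refs = defaultdict(set), []
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        words = raw.split()
        if not raw[0].isspace():            # top-level line opens an object
            if words[0] in DEFS:
                defined[DEFS[words[0]]].add(words[-1])
            continue
        key = " ".join(words[:2])           # try the two-word keywords first
        key = key if key in REFS else words[0]
        if key in REFS and len(words) > REFS[key][1]:
            refs.append((REFS[key][0], words[REFS[key][1]]))
    return defined, refs

def dangling(config):   # names referenced as a kind but never defined as it
    defined, refs = parse(config)
    return sorted({(k, n) for k, n in refs
                   if n != "class-default" and n not in defined[k]})

# Constructed sample (post's objects, trimmed) with one deliberate typo: DOMAIN.CO
SAMPLE = """\
probe http HTTP_PROBE_WWW.DOMAIN.COM
rserver host web11-10_0_129_11
serverfarm host WWW.DOMAIN.COM-SSL-10_0_128.10_443
  probe HTTP_PROBE_WWW.DOMAIN.CO
  rserver web11-10_0_129_11 80
sticky ip-netmask 255.255.255.255 address source SRC-IP-WWW.DOMAIN.COM
  serverfarm WWW.DOMAIN.COM-SSL-10_0_128.10_443
ssl-proxy service SSL-PROXY-LIST-WWW.DOMAIN.COM
class-map match-any 03-L4-VIP-CLASS-WWW.DOMAIN.COM-SSL-10_0_128.10_443
policy-map type loadbalance first-match 02-L7-POL-WWW.DOMAIN.COM-SSL-10_0_128.10_443
  class class-default
    sticky-serverfarm SRC-IP-WWW.DOMAIN.COM
policy-map multi-match 04-L4-POLICY-LIVE-SSL
  class 03-L4-VIP-CLASS-WWW.DOMAIN.COM-SSL-10_0_128.10_443
    loadbalance policy 02-L7-POL-WWW.DOMAIN.COM-SSL-10_0_128.10_443
    ssl-proxy server SSL-PROXY-LIST-WWW.DOMAIN.COM
"""
```

Running `dangling(SAMPLE)` reports the probe name `HTTP_PROBE_WWW.DOMAIN.CO` as referenced by the serverfarm but never defined; the check is worth running against the output of `show running-config` before a change window.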