Cisco LocalDirector 400 Series

Configuring LocalDirector and SCA 11000 for One-Armed Proxy Mode

Cisco - Configuring Local Director and SCA 11000 for One-Armed Proxy Mode

Document ID: 18658

Updated: Jan 30, 2006



This document provides a sample configuration for the Cisco LocalDirector and the Cisco Secure Content Accelerator (SCA) 11000 in one-armed proxy mode. One-armed proxy mode allows the SCA to terminate all Secure Socket Layer (SSL) sessions, and initiate clear text requests to the web server. This is beneficial for these reasons:

  • Offloading SSL sessions helps to reduce the work that the Web servers are doing.

  • By allowing the SCA to initiate a clear text connection to the Web servers, load balancers can more evenly distribute the load and maintain persistence to the back end Web server. This limits the possibility that a client loses their shopping cart during a session.

Before You Begin


For more information on document conventions, see the Cisco Technical Tips Conventions.


There are no specific prerequisites for this document.

Components Used

The information in this document is based on the LocalDirector 430 running 4.2.3 and an SCA 11000 running 3.0.5.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.


In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Network Diagram

This document uses the network setup shown in the diagram below.



This document uses these configurations:

  • Local Director 430

  • SCA 11000

Local Director 430
Building configuration...
: Saved
: LocalDirector 430 Version 4.2.3
: Uptime is 0 weeks, 0 days, 1 hours, 3 minutes, 35 seconds
syslog output 20.3
no syslog console
enable password 000000000000000000000000000000 encrypted
hostname localdirector
no shutdown ethernet 0
no shutdown ethernet 1
no shutdown ethernet 2
no shutdown ethernet 3
interface ethernet 0 auto
interface ethernet 1 auto
interface ethernet 2 auto
interface ethernet 3 auto
mtu 0 1500
mtu 1 1500
mtu 2 1500
mtu 3 1500
multiring all
no secure  0
no secure  1
no secure  2
no secure  3
no ping-allow 0
no ping-allow 1
no ping-allow 2
no ping-allow 3
ip address
route 1
arp timeout 30
no rip passive
rip version 1
failover ip address
no failover
failover hellotime 30
password dfeaf10390e560aea745ccba53e044ed encrypted
snmp-server enable traps
snmp-server community public
no snmp-server contact
no snmp-server location

virtual is

!--- Virtual for the secure connection from the client
!--- to the SCA.

virtual is

!--- Virtual for the clear text communication from the
!--- SCA to the backend web server.

virtual is

!--- Virtual for regular port 80 traffic to 
!--- the web site (optional).

real is

!--- SCA.

real is

!--- Web server.


!--- Binds the secure virtual to the SCA.


!--- Binds the non-secure virtual to the web server.


!--- Binds the regular port 80 virtual to 
!--- the web server (optional).

: end         

SCA 11000
SCA-1# sho run
# Cisco CSCA Device Configuration File
# Written:      Sat Dec 15 07:24:13 2001
# Inxcfg:       version 2.3 build 200108071342
# Device Type:  CSS-SCA
# Device Id:    S/N 118032
# Device OS:    MaxOS version 2.5.1 build 200108071341 by Dan L. Reading

### Device ###

mode one-port

!--- Allows one-armed configuration.

ip address netmask
hostname SCA-1
password enable "243124676824697552563169414659636C7644757033644E514B632E"
no ip domain-name
no rdate-server
timezone ""
ip route metric 1

### Interfaces ###

interface network
interface server

### Remote Management ###

no remote-management access-list
remote-management enable

### SNMP Subsystem ###

no snmp
telnet enable
no telnet access-list
web-mgmt enable
no web-mgmt access-list

### SSL Subsystem ###

  server chiptest1 create
    ip address
    sslport 443

!--- Secure connection port.

    remoteport 81

!--- Non-secure connection port.

    key default
    cert default
    secpolicy default
    cachesize 20
    no transparent

!--- Enables proxy or non-transparent behavior.



There is currently no verification procedure available for this configuration.


There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Jan 30, 2006
Document ID: 18658