
Cisco LocalDirector 400 Series

Configuring LocalDirector and SCA 11000 for One-Armed Proxy Mode

Document ID: 18658

Updated: Jan 30, 2006


Introduction

This document provides a sample configuration for the Cisco LocalDirector and the Cisco Secure Content Accelerator (SCA) 11000 in one-armed proxy mode. In one-armed proxy mode the SCA terminates all Secure Sockets Layer (SSL) sessions and initiates clear text requests to the web server. This is beneficial for these reasons:

  • Offloading SSL sessions helps to reduce the work that the Web servers are doing.

  • By allowing the SCA to initiate a clear text connection to the Web servers, the load balancer can distribute the load more evenly and maintain persistence to the back-end Web server. This reduces the chance that a client loses a shopping cart during a session.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the LocalDirector 430 running 4.2.3 and an SCA 11000 running 3.0.5.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in the diagram below.

[Network diagram: ld_sca_oap_18658.jpg]

Configurations

This document uses these configurations:

  • LocalDirector 430

  • SCA 11000

LocalDirector 430
Building configuration...
: Saved
: LocalDirector 430 Version 4.2.3
: Uptime is 0 weeks, 0 days, 1 hours, 3 minutes, 35 seconds
syslog output 20.3
no syslog console
enable password 000000000000000000000000000000 encrypted
hostname localdirector
no shutdown ethernet 0
no shutdown ethernet 1
no shutdown ethernet 2
no shutdown ethernet 3
interface ethernet 0 auto
interface ethernet 1 auto
interface ethernet 2 auto
interface ethernet 3 auto
mtu 0 1500
mtu 1 1500
mtu 2 1500
mtu 3 1500
multiring all
no secure  0
no secure  1
no secure  2
no secure  3
no ping-allow 0
no ping-allow 1
no ping-allow 2
no ping-allow 3
ip address 172.16.1.213 255.255.255.192
route 0.0.0.0 0.0.0.0 172.16.1.193 1
arp timeout 30
no rip passive
rip version 1
failover ip address 0.0.0.0
no failover
failover hellotime 30
password dfeaf10390e560aea745ccba53e044ed encrypted
snmp-server enable traps
snmp-server community public
no snmp-server contact
no snmp-server location

virtual 172.16.1.195:443:0:tcp is
!--- Virtual for the secure connection from the client
!--- to the SCA.

virtual 172.16.1.195:81:0:tcp is
!--- Virtual for the clear text communication from the
!--- SCA to the backend web server.

virtual 172.16.1.195:80:0:tcp is
!--- Virtual for regular port 80 traffic to
!--- the web site (optional).

real 172.16.1.201:443:0:tcp is
!--- SCA.

real 172.16.1.25:80:0:tcp is
!--- Web server.

bind 172.16.1.195:443:0:tcp 172.16.1.201:443:0:tcp
!--- Binds the secure virtual to the SCA.

bind 172.16.1.195:81:0:tcp 172.16.1.25:80:0:tcp
!--- Binds the non-secure virtual to the web server.

bind 172.16.1.195:80:0:tcp 172.16.1.25:80:0:tcp
!--- Binds the regular port 80 virtual to
!--- the web server (optional).

: end
[OK]

SCA 11000
SCA-1# sho run
#
# Cisco CSCA Device Configuration File
#
# Written:      Sat Dec 15 07:24:13 2001
# Inxcfg:       version 2.3 build 200108071342
# Device Type:  CSS-SCA
# Device Id:    S/N 118032
# Device OS:    MaxOS version 2.5.1 build 200108071341 by Dan L. Reading

### Device ###

mode one-port
!--- Allows one-armed configuration.


ip address 172.16.1.201 netmask 255.255.255.192
hostname SCA-1
password enable "243124676824697552563169414659636C7644757033644E514B632E"
no ip domain-name
no rdate-server
timezone ""
rip
ip route 0.0.0.0 0.0.0.0 172.16.1.193 metric 1

### Interfaces ###

interface network
  auto  
end
interface server
  auto
end

### Remote Management ###

no remote-management access-list
remote-management enable

### SNMP Subsystem ###

no snmp
telnet enable
no telnet access-list
web-mgmt enable
no web-mgmt access-list

### SSL Subsystem ###

ssl
  server chiptest1 create
    ip address 172.16.1.195
    sslport 443
    !--- Secure connection port.
    remoteport 81
    !--- Non-secure connection port.
    key default
    cert default
    secpolicy default
    cachesize 20
    no transparent
    !--- Enables proxy or non-transparent behavior.
  end
end
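The two configurations above only work together when the SCA's sslport and remoteport line up with LocalDirector virtuals that are bound to the SCA and to the web server respectively. The following Python script is an added example, not part of the Cisco document: it embeds the relevant lines from both configurations as constructed strings (addresses and ports as shown on this page), parses them with its own regular expressions (an assumption about the output format, sufficient for these excerpts), and traces one HTTPS request through the four hops, raising an error if a bind is missing or if the SCA is left in transparent mode.

```python
import re
# Constructed excerpts of the two configurations on this page (addresses/ports as shown).
LD_CONFIG = """
virtual 172.16.1.195:443:0:tcp is
virtual 172.16.1.195:81:0:tcp is
real 172.16.1.201:443:0:tcp is
real 172.16.1.25:80:0:tcp is
bind 172.16.1.195:443:0:tcp 172.16.1.201:443:0:tcp
bind 172.16.1.195:81:0:tcp 172.16.1.25:80:0:tcp
"""
SCA_CONFIG = """
ip address 172.16.1.201 netmask 255.255.255.192
  server chiptest1 create
    ip address 172.16.1.195
    sslport 443
    remoteport 81
    no transparent
  end
"""

def parse_ld_binds(text):
    """Map each LocalDirector virtual (vip, port) to the reals bound to it."""
    binds = {}
    for m in re.finditer(r"^bind (\S+):(\d+):\d+:tcp (\S+):(\d+):\d+:tcp", text, re.M):
        binds.setdefault((m[1], int(m[2])), []).append((m[3], int(m[4])))
    return binds

def parse_sca(text):
    """Pull the SCA's own address and the ssl server block's VIP, ports and mode."""
    own = re.search(r"^ip address (\S+) netmask", text, re.M)[1]
    blk = re.search(r"server \S+ create(.*?)^\s*end", text, re.M | re.S)[1]
    field = lambda k: re.search(rf"^\s*{k} (\S+)", blk, re.M)[1]
    return {"self": own, "vip": field("ip address"), "sslport": int(field("sslport")),
            "remoteport": int(field("remoteport")),
            "proxy": re.search(r"^\s*no transparent", blk, re.M) is not None}

def trace_path(ld_text, sca_text):
    """Follow one HTTPS request client -> LD -> SCA -> LD -> web server; raise on a gap."""
    binds, sca = parse_ld_binds(ld_text), parse_sca(sca_text)
    if not sca["proxy"]:
        raise ValueError("one-armed mode needs 'no transparent' on the SCA server")
    # Hop 1: the secure virtual must hand the SSL session to the SCA itself.
    if (sca["self"], sca["sslport"]) not in binds.get((sca["vip"], sca["sslport"]), []):
        raise ValueError("secure virtual is not bound to the SCA")
    # Hop 2: the SCA re-originates clear text to vip:remoteport; LD must bind that.
    clear = binds.get((sca["vip"], sca["remoteport"]))
    if not clear:
        raise ValueError(f"no LD virtual bound for remoteport {sca['remoteport']}")
    return [("client", sca["vip"], sca["sslport"]), ("sca", sca["self"], sca["sslport"]),
            ("clear", sca["vip"], sca["remoteport"])] + [("web", ip, p) for ip, p in clear]
```

Running `trace_path(LD_CONFIG, SCA_CONFIG)` returns the four hops in order; changing remoteport on the SCA without adding the matching port 81 virtual and bind on the LocalDirector makes it fail, which is the misconfiguration most easily overlooked in this setup.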

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
