
Cisco SCA 11000 Series Secure Content Accelerators

Configuring CSS and SCA for One-Armed Proxy Mode


Document ID: 20600

Updated: Jan 30, 2006


Introduction

This document provides a sample configuration for a one-armed proxy setup using a Content Services Switch (CSS) 11000 Content Smart Switch and the CSS 11000 Secure Content Accelerator (SCA). This is the most scalable configuration and is easy to troubleshoot. With this configuration the IP addresses of the Secure Sockets Layer (SSL) clients are hidden from the web servers: the web server sees the SCA's address as the source IP address on all connections to port 81 (the decrypted SSL session).

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the software and hardware versions below.

  • CSCA 3.0.5 on the SCA and 5.0 (build 18) on a CSS 11800

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Configure

In this section, you are presented with the information to configure the features described in this document.

Network Diagram

This document uses the network setup shown in the diagram below.

[Network diagram: css_sca_1arm_proxy_20600.gif]

Configuring the Address and Interfaces on the SCA

In a one-armed configuration, only one port is used on the SCA. This port is labeled network on the SCA chassis and is referred to as Enet0 or Network in the internal configuration. Only this specific port can be used for this setup; encrypted and decrypted traffic go through the same link.

A sample configuration of the SCA using only the network port in a one-armed configuration is shown below.

Configuration
SCA# show version
CSCA Release 3.0.5.3
CSS-SCA-2FE-K9 version 2.3 build 200108071342

SCA# config
(config[SCA])# ip address 10.1.1.2 netmask 255.255.255.0
(config[SCA])# mode one-port
(config[SCA])# exit
SCA# show device
Device Hostname : SCA
Device Type     : CSS-SCA
Hardware Address: 00:60:f5:11:81:42
Internet Address: 10.1.1.2(255.255.255.0) Default Router: 10.1.1.1
Uptime          : 00:16:50, 0.13% system, 0.00% interrupt, 99.87% idle
Firmware Version: MaxOS 2.5.1 build 200108071341
Product Version : CSS-SCA Release 3.0.5.3 
Syslog sent to  : n/a
RemoteManagement: enabled
SNMP access     : disabled
Telnet access   : enabled
Web Management  : enabled
Operational Mode: single-port
SCA# 

Verify that the interface Enet0 is up by issuing the show interface command, as shown below.

SCA# show interface
Intf  Name               Status     Duplex Speed   Type
-------------------------------------------------------------
   0  Enet0             connected   auto  auto     TX (auto)
   1  Enet1             notconnect  auto  auto     TX (auto)
SCA# 

Configuration of the VLANs and the IP Addresses on the CSS

Configuration
!*************************** GLOBAL ***************************
  ip route 0.0.0.0 0.0.0.0 10.48.66.1 1   

!--- Route to the default gateway to the internet.

!************************* INTERFACE *************************
interface e2
  bridge vlan 2

interface e4
  bridge vlan 4

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.48.66.128 255.255.254.0

circuit VLAN2
  ip address 10.2.2.2 255.255.255.0  

!--- Default gateway for the SCA.


circuit VLAN4
  ip address 10.1.1.1 255.255.255.0  

!--- Default gateway for the servers.

Configure the default gateway of the SCA. This is normally the IP address of the circuit VLAN on the CSS (VLAN 4 in this example). A different path can be configured as long as the path from the SCA to the virtual IP address of the server goes to the CSS.

(config[SCA])# ip route 0.0.0.0 0.0.0.0 10.1.1.1 metric 1
(config[SCA])# 

At this point, make sure that you can ping the following from the SCA:

  • The CSS circuit's IP address directly connected (the circuit VLAN 4's IP address).

  • The servers.

The server's return path to the SCA must go through the CSS.

Use the default SSL certificates for the initial deployment. This lets you bring up the setup without first having to verify that the keys and certificates were installed correctly. Installing certificates is beyond the scope of this document.

Configuration of the Servers on the SCA

Configuration
ssl
  server Site1 create
    ip address 10.48.66.125  

!--- Address on which to send 
!--- unencrypted packets for website1.

    sslport 443  

!--- Port on which the SCA will listen for encrypted 
!--- packets directed to website1.

    remoteport 81  

!--- Port on which to send the unencrypted 
!--- packets for website1.

    key default
    cert default
    secpolicy default
    cachesize 20
    no transparent  

!--- Specifies to use the no-transparent 
!--- option for this server.

  end

The no transparent option means that the SCA waits to receive encrypted packets for website1 directed to its own IP address (10.1.1.2). You can see this by issuing the show netstat command once the configuration for the web server has been entered.

SCA#  show netstat
Pro State Recv-Q Send-Q Local Address        Remote Address        R-Win S-Win
---------------------------------------------------------------------------
udp            0      0 *:4099                *:*                       0     0
udp            0      0 *:4098                *:*                       0     0
tcp LISTN      0      0 *:2932                *:*                       0     0
udp            0      0 *:2932                *:*                       0     0
udp            0      0 *:520                 *:*                       0     0
udp            0      0 *:514                 *:*                       0     0
tcp LISTN      0      0 *:443                 *:*                       0     0
tcp LISTN      0      0 *:80                  *:*                       0     0
tcp LISTN      0      0 *:23                  *:*                       0     0

SCA#  

All encrypted packets for website1 are read from port 443. Those packets are directed specifically to the IP address of the SCA. The SCA decrypts them and forwards the unencrypted content to the IP address and port of the server specified in the configuration.

If you want the SCA to serve multiple websites, you need to specify a different listening port for each website so that the packets for the two destinations are not confused.

ssl
  server Site2 create
    ip address 10.48.66.239
    sslport 444  

!--- Port on which the SCA will listen for encrypted 
!--- packets directed to website2.

    remoteport 81
    key default
    cert default
    secpolicy default
    cachesize 20
    no transparent
  end
end

The SCA will listen on port 443 for packets belonging to website1 and on port 444 for packets belonging to website2.

Configuration of Content Rules and Services on the CSS

The CSS configuration for website2 must be arranged so that, when an encrypted packet for website2 arrives at the CSS on port 443, it is sent to the SCA with not only the destination IP address set to the SCA's address but also the destination port changed to 444. This is easily done by changing the port in the CSS service that is associated with the SCA for website2.

Configuration
content 443fromInternet
    protocol tcp
    port 443  

!--- Packet is intercepted on port 443.

    add service SCA-website2
    vip address 10.48.66.239
    active
 
service SCA-website2
  ip address 10.1.1.2
  port 444  

!--- Port is changed from 443 to 444.

  protocol tcp
  active

The remaining part of the configuration is straightforward. The CSS must be configured to load balance, over the servers, all the unencrypted requests coming both from the SCA and from the Internet. To distinguish between the two, the SCA sends its unencrypted requests on port 81, leaving port 80 for the requests coming directly from the Internet.

content 80fromInternet
    protocol tcp
    port 80  

!--- Traffic coming from the Internet.

    url "/*"
    add service realserver4
    add service realserver5
    vip address 10.48.66.239
    active
content 81fromSCA
    add service realserver4
    add service realserver5
    protocol tcp
    port 81  

!--- Traffic coming from the SCA.

    url "/*"
    vip address 10.48.66.239
    active
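A consistency check over the two halves of this setup, as an added example that is not part of the Cisco document or its tooling: it parses excerpts of the CSS service/content stanzas and the SCA ssl server blocks shown above and reports when the port the CSS sends to does not match the SCA's sslport for that VIP, or when no CSS content rule catches the SCA's remoteport. The parsers, the sample excerpts, and the function names are constructed for this example.

```python
# Constructed excerpts of the website2 halves of the configurations shown on this page.
CSS_CFG = """service SCA-website2
  ip address 10.1.1.2
  port 444
content 443fromInternet
  port 443
  add service SCA-website2
  vip address 10.48.66.239
content 81fromSCA
  port 81
  vip address 10.48.66.239"""
SCA_CFG = """server Site2 create
  ip address 10.48.66.239
  sslport 444
  remoteport 81
end"""

def parse_css(text):  # services by name; content rules as a list of dicts
    services, rules, cur = {}, [], None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "service": cur = services.setdefault(w[1], {"add": []})
        elif w[0] == "content": cur = {"name": w[1], "add": []}; rules.append(cur)
        elif cur is None: continue  # global and circuit lines before the first stanza
        elif w[0] == "port": cur["port"] = int(w[1])
        elif w[0] in ("ip", "vip") and w[1] == "address": cur["ip"] = w[2]
        elif w[:2] == ["add", "service"]: cur["add"].append(w[2])
    return services, rules

def parse_sca(text):  # 'server NAME create ... end' blocks of the SCA ssl section
    servers, cur = {}, None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "server" and w[-1] == "create": cur = servers.setdefault(w[1], {})
        elif w == ["end"]: cur = None
        elif cur is not None and w[:2] == ["ip", "address"]: cur["ip"] = w[2]
        elif cur is not None and w[0] in ("sslport", "remoteport"): cur[w[0]] = int(w[1])
    return servers
def check(css_cfg, sca_cfg, sca_ip="10.1.1.2"):  # mismatches between the two halves
    services, rules = parse_css(css_cfg)
    servers, problems = parse_sca(sca_cfg), []
    for r in rules:
        for svc in (s for s in r["add"] if services[s]["ip"] == sca_ip):
            # the CSS must send this VIP to the sslport of the SCA server that fronts it
            listen = [s["sslport"] for s in servers.values() if s["ip"] == r["ip"]]
            if services[svc]["port"] not in listen:
                problems.append(f"{r['name']}: CSS sends VIP {r['ip']} to SCA port "
                                f"{services[svc]['port']} but SCA listens on {listen}")
    for name, s in servers.items():
        # decrypted traffic needs a content rule on the same VIP and remoteport (81fromSCA)
        if not any(r["ip"] == s["ip"] and r.get("port") == s["remoteport"] for r in rules):
            problems.append(f"{name}: no CSS rule for VIP {s['ip']} port {s['remoteport']}")
    return problems
```

Running check(CSS_CFG, SCA_CFG) on the excerpts above returns an empty list; leaving the CSS service on port 443 instead of 444 (the mistake the comment "Port is changed from 443 to 444" guards against) produces one finding.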

Verify

Once the configuration is fully installed, check the basic connectivity. Be sure that you can reach the servers from the CSS and from the SCA. Check that you can reach the CSS from a remote client.

Issue the show summary command.

CSS11800# show summary
Global Bypass Counters:
   No Rule Bypass Count:     0
   Acl Bypass Count:         0
Owner           Content Rules    State     Services        Service Hits
 
website1         81fromSCA       Active    realserver1      0
                                           realserver2      0
                                           realserver3      0

                 80fromInternet   Active   realserver1      0
                                           realserver2      0
                                           realserver3      0

                 443fromInternet  Active   SCA-website1     0

website2         81fromSCA       Active    realserver4      0
                                           realserver5      0

                 80fromInternet   Active   realserver4      0
                                           realserver5      0

                 443fromInternet  Active   SCA-website2     0

CSS11800# 

If you see a service hit in the 80fromInternet content rule, you know that unencrypted packets made their way to the CSS and were redirected to the servers.

If you see a service hit in the 443fromInternet content rule, you know that encrypted packets made their way to the CSS and were redirected to the SCA.

If you see a service hit in the 81fromSCA content rule, you know that the SCA has decrypted the packets it received and sent them to the CSS, which has then redirected them to the web servers.
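The three checks above turned into a small diagnostic, as an added example that is not part of the Cisco document: it sums the Service Hits column of show summary per owner and content rule and reports how far along the path (443fromInternet, 81fromSCA, 80fromInternet) traffic got. The sample output and its hit counts are constructed in the layout shown above, and the function names are this example's own.

```python
STAGES = ("443fromInternet", "81fromSCA", "80fromInternet")

# Constructed 'show summary' output in the layout shown on this page; hit counts are made up.
SHOW_SUMMARY = """Global Bypass Counters:
   No Rule Bypass Count:     0
Owner           Content Rules    State     Services        Service Hits
website1         81fromSCA       Active    realserver1      3
                                           realserver2      2
                 80fromInternet   Active   realserver1      7
                 443fromInternet  Active   SCA-website1     5
website2         81fromSCA       Active    realserver4      0
                 80fromInternet   Active   realserver4      0
                 443fromInternet  Active   SCA-website2     4
"""

def parse_summary(text):
    """Sum service hits per (owner, content rule); owner and rule carry down blank cells."""
    hits, owner, rule = {}, None, None
    for line in text.splitlines():
        w = line.split()
        if len(w) < 2 or not w[-1].isdigit() or ":" in line:
            continue  # header, bypass counter and blank lines
        if len(w) == 5: owner, rule = w[0], w[1]   # new owner block
        elif len(w) == 4: rule = w[0]              # new rule under the same owner
        hits[(owner, rule)] = hits.get((owner, rule), 0) + int(w[-1])
    return hits

def diagnose(hits, owner):
    """Map an owner's three rule counters to how far along the proxy path traffic got."""
    enc, dec, plain = (hits.get((owner, r), 0) for r in STAGES)
    if enc and dec:
        return ("end-to-end", f"{owner}: encrypted requests reach the CSS ({enc} hits), the SCA "
                              f"decrypts them and port-81 traffic is load balanced ({dec} hits)")
    if enc:
        return ("stuck-at-sca", f"{owner}: {enc} hits on 443fromInternet but none on 81fromSCA; "
                                "check sslport/remoteport on the SCA and its route back via the CSS")
    note = f" (plain HTTP does arrive: {plain} hits on 80fromInternet)" if plain else ""
    return ("no-ssl", f"{owner}: no encrypted traffic has hit the port 443 VIP" + note)
```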

Command Output
CSS11800#  sho run
!Generated on 01/31/2002 20:25:05
!Active version: ap0500018s
configure
 
!*************************** GLOBAL ***************************
  ip route 0.0.0.0 0.0.0.0 10.48.66.1 1

!************************* INTERFACE *************************
interface e2
  bridge vlan 2

interface e4
  bridge vlan 4

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.48.66.128 255.255.254.0

circuit VLAN2
  ip address 10.2.2.2 255.255.255.0

circuit VLAN4
  ip address 10.1.1.1 255.255.255.0

!************************** SERVICE **************************
service SCA-website1
  ip address 10.1.1.2
  port 443
  protocol tcp
  active

service SCA-website2
  ip address 10.1.1.2
  port 444
  protocol tcp
  active

service realserver1
  ip address 10.2.2.3
  port 80
  protocol tcp
  active

service realserver2
  ip address 10.2.2.4
  port 80
  protocol tcp
  active

service realserver3
  ip address 10.2.2.5
  port 80
  protocol tcp
  active

service realserver4
  ip address 10.2.2.6
  port 80
  protocol tcp
  active

service realserver5
  ip address 10.2.2.7
  port 80
  protocol tcp
  active

!*************************** OWNER ***************************

owner website1

  content 443fromInternet
    protocol tcp
    port 443
    add service SCA-website1
    vip address 10.48.66.125
    active

  content 80fromInternet
    protocol tcp
    port 80
    url "/*"
    add service realserver1
    add service realserver2
    add service realserver3
    vip address 10.48.66.125
    active

  content 81fromSCA
    add service realserver1
    add service realserver2
    add service realserver3
    protocol tcp
    port 81
    url "/*"
    vip address 10.48.66.125
    active

owner website2

  content 443fromInternet
    protocol tcp
    port 443
    add service SCA-website2
    vip address 10.48.66.239
    active

  content 80fromInternet
    protocol tcp
    port 80
    url "/*"
    add service realserver4
    add service realserver5
    vip address 10.48.66.239
    active

  content 81fromSCA
    add service realserver4
    add service realserver5
    protocol tcp
    port 81
    url "/*"
    vip address 10.48.66.239
    active

SCA# sho run
#
# Cisco CSCA Device Configuration File
#
# Written:      Sun Feb  6 00:29:22 2106
# Inxcfg:       version 2.3 build 200108071342
# Device Type:  CSS-SCA
# Device Id:    S/N 118142
# Device OS:    MaxOS version 2.5.1 build 200108071341 by Dan L. Reading

### Device ###

mode one-port
ip address 10.1.1.2 netmask 255.255.255.0
hostname SCA
password access "2431244C362461476C67654D485269494C4634772E586A374E39472F"
password enable "2431246E6324386D437A6E714B44567174306565386A775566536931"
no ip domain-name
no rdate-server
timezone "MST7MDT"
rip
ip route 0.0.0.0 0.0.0.0 10.1.1.1 metric 1

### Interfaces ###

interface network
  auto
end
interface server
  auto
end

### Remote Management ###

no remote-management access-list
remote-management enable

### SNMP Subsystem ###

no snmp
telnet enable
no telnet access-list
web-mgmt enable
no web-mgmt access-list

### SSL Subsystem ###

ssl
  server Site1 create
    ip address 10.48.66.125
    sslport 443
    remoteport 81
    key default
    cert default
    secpolicy default
    cachesize 20
    no transparent
  end
  server Site2 create
    ip address 10.48.66.239
    sslport 444
    remoteport 81
    key default
    cert default
    secpolicy default
    cachesize 20
    no transparent
  end
end

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information
