CSS 11000 SCA/SCA2 Version 4.0
Deployment Examples

Deployment Examples

The following examples demonstrate how the Secure Content Accelerator can be integrated into a network.

This appendix contains the following sections:

  • Single Device

  • Load Balancing

  • Use with the CSS

  • Connecting the Device to a Terminal Server

  • Web Site Changes

Single Device

A single Secure Content Accelerator provides SSL offloading and processing for an entire server farm, as shown in Figure B-1.


Figure B-1: Single Secure Content Accelerator Installation




1. Install the appliance as instructed previously.

2. Connect the "Network" Ethernet interface to the Internet-facing segment.

3. Connect the "Server" Ethernet interface to the segment that provides access to the Web servers. Only the "Network" side carries encrypted traffic; everything the appliance forwards out of the "Server" interface is clear text, so that segment must be a controlled link.

Load Balancing

Secure Content Accelerator devices can be installed in front of or behind a load balancer. If the load balancer makes its decisions on URLs or cookies, it must see the HTTP request, so install the appliance in front of the load balancer. In this configuration the load balancer receives clear text packets decrypted by the SSL device, which means the segment between the appliance and the load balancer carries unencrypted traffic and should be a dedicated, physically controlled link or VLAN. Figure B-2 shows a typical installation.


Figure B-2: Secure Content Accelerator Installation with a Load Balancer




1. Install the appliance as instructed previously.

2. Connect the "Network" Ethernet interface to the Internet. Connect the "Server" Ethernet interface to the load balancer.

For information about configuring the Secure Content Accelerator in conjunction with the CSS 11000 Series Content Services Switch (hereinafter referred to as the CSS), see "Use with the CSS".

Use with the CSS

Using the Secure Content Accelerator with the CSS allows Layer 4 load balancing of the Secure Content Accelerator devices themselves and Layer 5 routing and load balancing of the content they have decrypted. Four deployment scenarios are recommended:

  • In-Line

  • Transparent Sandwich

  • One-Armed Non-Transparent Proxy

  • One-Armed Transparent Proxy

In-Line

Placing the Secure Content Accelerator in front of the CSS increases performance of the server farm by offloading all SSL processing from the servers. The Secure Content Accelerator is completely transparent to the CSS and servers.

This deployment is the simplest to configure because it requires no specific inter-operational configuration on either the Secure Content Accelerator or the CSS. However, it offers limited scalability, bounded by the capacity of the CSS. An example deployment is shown in Figure B-3.


Figure B-3: Secure Content Accelerator In-Line Installation




The CSS is used to front-end one or more Secure Content Accelerator devices. Because the Secure Content Accelerator is a Layer 2 device, it must be configured so that bridge loops are not created; if multiple Secure Content Accelerator devices are used, each must be attached to a separate VLAN on the CSS and/or the upstream Layer 2 switch. The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses configured on it, decrypts the traffic, and forwards it as clear text on another TCP service port (port 81 in the sample configuration) to the CSS. All port 80 traffic is bridged transparently to the CSS. Because the port 81 content rule on the CSS serves the "secure" content in clear text, that port must be reachable only through the Secure Content Accelerator; filter it at the upstream router so that a client cannot connect to the VIP on port 81 and bypass SSL altogether. Table B-1 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table B-1: In-Line Installation Device Configuration

CSS Configuration

  • Create a VLAN for each Secure Content Accelerator

  • Create a VLAN for the servers

  • Create services as required for each server, adding "keepalive" attributes as necessary

  • Create a default ECMP route for each load balanced Secure Content Accelerator using the upstream router as the gateway for each upstream VLAN

  • Create Layer 5 rules for the secure content

  • Create content rules as required for non-secure content

Secure Content Accelerator Configuration

  • Export keys and certificates from any existing secure servers, if necessary

  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration

  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway

  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 3) or configuration manager (Chapter 4)



The following listing shows a sample configuration for the CSS.

!Generated on 11/18/2000 11:01:18
!Active version: ap0400007s
 
configure
 
!*************************** GLOBAL ***************************
  bridge spanning-tree disabled 
  no restrict web-mgmt 
 
  ip route 0.0.0.0 0.0.0.0 10.176.11.1 1 
 
!************************* INTERFACE *************************
interface ethernet-8
  bridge vlan 8 
 
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.176.10.1 255.255.255.0 
 
circuit VLAN8
  ip address 10.176.11.2 255.255.255.0 
 
!************************** SERVICE **************************
service s1 
  ip address 10.176.10.10 
  protocol tcp 
  active 
 
service s2 
  ip address 10.176.10.11 
  protocol tcp 
  active 
 
service s3 
  ip address 10.176.10.12 
  protocol tcp 
  active 
 
service s4 
  ip address 10.176.10.13 
  protocol tcp 
  active 
 
!*************************** OWNER ***************************
owner test 
 
  content http-non-secure-port-80
    vip address 10.176.11.100 
    protocol tcp 
    port 80 
    url "/*" 
    add service s1 
    add service s2 
    add service s3 
    add service s4 
    active 
 
  ! port 81 carries the content the Secure Content Accelerator has already decrypted;
  ! the CSS serves it in clear text, so only the accelerator should be able to reach this port
  content http-secure-port-81 
    vip address 10.176.11.100 
    add service s1 
    add service s2 
    add service s3 
    add service s4 
    protocol tcp 
    port 81 
    url "/secure/*" 
    active 
 

Transparent Sandwich

This deployment places one or more Secure Content Accelerator devices between two CSS devices, allowing load balancing of up to 15 Secure Content Accelerator devices. Applications such as reverse proxy caching and content type separation can be enabled.

The transparent sandwich deployment is moderately difficult to configure and scales well. It requires a minimum of two CSS devices. Figure B-4 shows a typical deployment.


Figure B-4: Secure Content Accelerator Transparent Sandwich Installation




The upstream CSS is configured as if the Secure Content Accelerator devices are transparent caches with redirection at Layer 4. Port 80 traffic is forwarded via Layer 3 to the downstream CSS, avoiding any potential Port 80 bottleneck at the Secure Content Accelerator level. Because the Secure Content Accelerator is a Layer 2 device, it must be configured to ensure that bridge loops are not created.

The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses configured on it, decrypts the traffic, and forwards it as clear text on another TCP service port to the downstream CSS. The downstream CSS is configured with Layer 5 rules for all origin servers and multiple ECMP routes, each to a different upstream VLAN. The default ECMP configuration is to prefer ingress, ensuring that outbound traffic needing to be encrypted is routed to the Secure Content Accelerator responsible for decrypting traffic for that session. Outbound Port 80 traffic bypasses the Secure Content Accelerator devices completely.

Traffic originated by a server in the server farm (as opposed to replies to client flows) may be routed through any one of the Secure Content Accelerator devices: without an ingress flow to map it to, the CSS has no way to differentiate between the equal cost paths. Table B-2 shows basic configuration actions for the CSS devices and Secure Content Accelerator.


Table B-2: Transparent Sandwich Installation Device Configuration

Upstream CSS Configuration

  • Create a VLAN for each Secure Content Accelerator to be load balanced

  • Create a separate VLAN to connect to the downstream CSS to route port 80 traffic directly

  • Create a service for each Secure Content Accelerator with the IP address of the corresponding circuit on the downstream CSS (the address at the far end of that Secure Content Accelerator's VLAN); define the services as type "transparent-cache"

  • Create a Layer 4 content rule to balance the Secure Content Accelerators, using advanced-balance ssl and application ssl to assist SSL v.3 key reuse, in one of the following ways:

    • Without a VIP: if you do not specify a VIP, all port 443 traffic is forwarded to the Secure Content Accelerators

    • With a VIP: when you specify a VIP, port 443 traffic not destined to that VIP is routed over the VLAN used for port 80 traffic, so SSL for other addresses can still be terminated on the origin servers

Secure Content Accelerator Configuration

  • Export keys and certificates from any existing secure servers, if necessary

  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration

  • Assign a default route for each Secure Content Accelerator using the upstream CSS VLAN circuit IP address as the gateway

  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 3) or configuration manager (Chapter 4); you may wish to use TCP service port 81 as the remoteport

  • Assign a static route for the VIP to point to the downstream CSS VLAN circuit IP address

Downstream CSS Configuration

  • Create a VLAN for each Secure Content Accelerator

  • Create a VLAN to connect to the upstream CSS to route port 80 traffic directly

  • Create services as required for each server, adding "keepalive" attributes as necessary

  • Create a default ECMP route for each load balanced Secure Content Accelerator, using the upstream CSS circuit IP address on that Secure Content Accelerator's VLAN as the gateway

  • Create a default route to the upstream CSS to allow non-SSL traffic to bypass the Secure Content Accelerator

  • Create Layer 5 rules for the secure content

  • Create content rules as required for non-secure content



The following is a sample configuration for the upstream CSS.

!Generated on 11/18/2000 11:03:28
!Active version: ap0400007s
 
configure
 
!*************************** GLOBAL ***************************
 
  ip route 0.0.0.0 0.0.0.0 10.100.1.1 1 
  ! port 80 path to the server subnet: the next hop is the downstream CSS VLAN8 circuit address
  ip route 10.176.10.0 255.255.255.0 10.176.11.2
 
!************************* INTERFACE *************************
interface ethernet-2
  bridge vlan 2 
 
interface ethernet-3
  bridge vlan 3 
 
interface ethernet-4
  bridge vlan 4 
 
interface ethernet-5
  bridge vlan 5 
 
interface ethernet-6
  bridge vlan 6 
 
interface ethernet-7
  bridge vlan 7 
 
interface ethernet-8
  bridge vlan 8 
 
!************************** CIRCUIT **************************
circuit VLAN1
 
  ip address 10.176.1.1 255.255.255.0 
 
circuit VLAN2
 
  ip address 10.176.2.1 255.255.255.0 
 
circuit VLAN3
 
  ip address 10.176.3.1 255.255.255.0 
 
circuit VLAN4
 
  ip address 10.176.4.1 255.255.255.0 
 
circuit VLAN5
 
  ip address 10.176.5.1 255.255.255.0 
 
circuit VLAN6
 
  ip address 10.176.6.1 255.255.255.0 
 
circuit VLAN7
 
  ip address 10.176.11.1 255.255.255.0 
 
circuit VLAN8
 
  ip address 10.100.132.101 255.255.0.0 
 
!************************** SERVICE **************************
! each Secure Content Accelerator is modeled as a transparent cache; the service address
! is the downstream CSS circuit at the far end of that accelerator's VLAN
service ssl1 
  port 443 
  protocol tcp 
  ip address 10.176.1.3 
  type transparent-cache 
  active 
 
service ssl2 
  port 443 
  protocol tcp 
  ip address 10.176.2.3 
  type transparent-cache 
  active 
 
service ssl3 
  port 443 
  protocol tcp 
  ip address 10.176.3.3 
  type transparent-cache 
  active 
 
service ssl4 
  port 443 
  protocol tcp 
  ip address 10.176.4.3 
  type transparent-cache 
  active 
 
service ssl5 
  port 443 
  protocol tcp 
  ip address 10.176.5.3 
  type transparent-cache 
  active 
 
service ssl6 
  port 443 
  protocol tcp 
  ip address 10.176.6.3 
  type transparent-cache 
  active 
 
!*************************** OWNER ***************************
owner test 
 
  ! no VIP: every port 443 flow is redirected to one of the accelerator "caches"
  content ssl 
    protocol tcp 
    port 443 
    add service ssl1 
    add service ssl2 
    add service ssl3 
    add service ssl4 
    add service ssl5 
    add service ssl6 
    active
 

The following is a sample configuration for the downstream CSS.

!Generated on 11/18/2000 11:01:18
!Active version: ap0400007s
 
configure
 
!*************************** GLOBAL ***************************
  bridge spanning-tree disabled 
  no restrict web-mgmt 
 
  ! one equal-cost default route per Secure Content Accelerator VLAN; the gateway is the
  ! upstream CSS circuit address on that VLAN, and the ingress preference returns each
  ! flow through the accelerator that decrypted it
  ip route 0.0.0.0 0.0.0.0 10.176.1.1 1 
  ip route 0.0.0.0 0.0.0.0 10.176.2.1 1 
  ip route 0.0.0.0 0.0.0.0 10.176.3.1 1 
  ip route 0.0.0.0 0.0.0.0 10.176.4.1 1 
  ip route 0.0.0.0 0.0.0.0 10.176.5.1 1 
  ip route 0.0.0.0 0.0.0.0 10.176.6.1 1 
  ! direct path to the upstream CSS for port 80 traffic, bypassing the accelerators
  ip route 0.0.0.0 0.0.0.0 10.176.11.1 1 
 
!************************* INTERFACE *************************
interface ethernet-2
  bridge vlan 2 
 
interface ethernet-3
  bridge vlan 3 
 
interface ethernet-4
  bridge vlan 4 
 
interface ethernet-5
  bridge vlan 5 
 
interface ethernet-6
  bridge vlan 6 
 
interface ethernet-7
  bridge vlan 7 
 
interface ethernet-8
  bridge vlan 8 
 
!************************** CIRCUIT **************************
circuit VLAN2
 
  ip address 10.176.2.3 255.255.255.0 
 
circuit VLAN3
 
  ip address 10.176.3.3 255.255.255.0 
 
circuit VLAN4
 
  ip address 10.176.4.3 255.255.255.0 
 
circuit VLAN5
 
  ip address 10.176.5.3 255.255.255.0 
 
circuit VLAN6
 
  ip address 10.176.6.3 255.255.255.0 
 
circuit VLAN7
 
  ip address 10.176.10.1 255.255.255.0 
 
circuit VLAN8
 
  ip address 10.176.11.2 255.255.255.0 
 
circuit VLAN1
 
  ip address 10.176.1.3 255.255.255.0 
 
!************************** SERVICE **************************
service s1 
  ip address 10.176.10.10 
  protocol tcp 
  active 
 
service s2 
  ip address 10.176.10.11 
  protocol tcp 
  active 
 
service s3 
  ip address 10.176.10.12 
  protocol tcp 
  active 
 
service s4 
  ip address 10.176.10.13 
  protocol tcp 
  active 
 
!*************************** OWNER ***************************
owner test 
 
  content http-non-secure-port-80
    vip address 10.176.11.100 
    protocol tcp 
    port 80 
    url "/*" 
    add service s1 
    add service s2 
    add service s3 
    add service s4 
    active 
 
  content http-secure-port-81 
    vip address 10.176.11.100 
    add service s1 
    add service s2 
    add service s3 
    add service s4 
    protocol tcp 
    port 81 
    url "/secure/*" 
    active 
 

One-Armed Non-Transparent Proxy

This deployment uses a single CSS for load balancing, SSL offloading and Layer 5 switching, allowing load balancing up to the transactions-per-second limit of the CSS. Applications such as reverse proxy caching and content type separation can be enabled. The achievable level depends upon the type of content and the mix of HTTP 1.0 and HTTP 1.1 traffic.

The one-armed non-transparent proxy deployment is complex to configure, but it provides a high degree of scalability. Because the Secure Content Accelerator acts as a proxy in this deployment, the servers see connections from the Secure Content Accelerator's address rather than from the client. If client IP address accounting is required, use the log-url command when configuring the Secure Content Accelerator; it instructs the device to write a client access log to a specified host, in a format that the popular log analysis tools can read. Figure B-5 shows a typical deployment.


Figure B-5: Secure Content Accelerator One-Armed Non-Transparent Proxy Installation




In this deployment the CSS is configured with both Layer 4 and Layer 5 rules. For each VIP configured on the CSS for services terminating on the Secure Content Accelerator, a service must be defined for the Secure Content Accelerator devices, each with a different destination port definition.

The Secure Content Accelerator cannot use the destination IP address to select the logical secure server, because the CSS has already rewritten the destination IP address to that of the Secure Content Accelerator; only the destination port survives the rewrite. The Secure Content Accelerator is therefore configured only at Layer 4, with a distinct destination IP/destination port pair for each VIP (in the sample below, port 443 for VIP 10.176.11.100 and port 444 for VIP 10.176.11.101). Bridge loops are not created because all port 443 traffic terminates on Secure Content Accelerator devices, each connected to the CSS via a single port. Table B-3 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table B-3: One-Armed Non-Transparent Proxy Installation Device Configuration

CSS Configuration

  • Create a VLAN for the upstream router

  • Create one VLAN for all connected Secure Content Accelerator devices

  • Create a separate VLAN for the servers

  • Create a service for each Secure Content Accelerator IP address and destination port pair

  • Create services as required for each server (adding "keepalive" attributes as necessary)

  • Create a default route to the upstream router

  • Create Layer 4 rules for each incoming VIP and add the appropriate Secure Content Accelerator services

  • Create Layer 5 rules for the secure content

  • Create content rules as required for non-secure content

Secure Content Accelerator Configuration

  • Export keys and certificates from any existing secure servers, if necessary

  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration

  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway

  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 3) or configuration manager (Chapter 4)

  • Set up single-port operation using the mode one-port command (Appendix C)

  • If client IP accounting is necessary, use the log-url command to specify the host for writing the access log



Below is a sample configuration for the CSS.

!Generated on 11/18/2000 17:38:37
!Active version: ap0400007s
 
configure
 
 
!*************************** GLOBAL ***************************
  bridge spanning-tree disabled 
 
  ip route 0.0.0.0 0.0.0.0 10.100.1.1 1 
 
!************************* INTERFACE *************************
interface ethernet-7
  bridge vlan 7 
 
interface ethernet-8
  bridge vlan 8 
 
!************************** CIRCUIT **************************
circuit VLAN1
 
  ip address 10.176.1.1 255.255.255.0 
 
circuit VLAN7
 
  ip address 10.176.10.1 255.255.255.0 
 
circuit VLAN8
 
  ip address 10.100.132.101 255.255.0.0 
 
!************************** SERVICE **************************
service s1 
  ip address 10.176.10.10 
  protocol tcp 
  active 
 
service s2 
  ip address 10.176.10.11 
  protocol tcp 
  active 
 
service s3 
  ip address 10.176.10.12 
  protocol tcp 
  active 
 
service s4 
  ip address 10.176.10.13 
  protocol tcp 
  active 
 
service ssl1-443 
  port 443 
  protocol tcp 
  ip address 10.176.1.3 
  active 
 
service ssl1-444 
  ip address 10.176.1.3 
  protocol tcp 
  port 444 
  active 
 
service ssl2-443 
  port 443 
  protocol tcp 
  ip address 10.176.1.4 
  active 
 
service ssl2-444 
  port 444 
  protocol tcp 
  ip address 10.176.1.4 
  active 
 
service ssl3-443 
  port 443 
  protocol tcp 
  ip address 10.176.1.5 
  active 
 
service ssl3-444 
  port 444 
  protocol tcp 
  ip address 10.176.1.5 
  active 
 
service ssl4-443 
  port 443 
  protocol tcp 
  ip address 10.176.1.6 
  active 
 
service ssl4-444 
  port 444 
  protocol tcp 
  ip address 10.176.1.6 
  active 
 
service ssl5-443 
  port 443 
  protocol tcp 
  ip address 10.176.1.7 
  active 
 
service ssl5-444 
  port 444 
  protocol tcp 
  ip address 10.176.1.7 
  active 
 
service ssl6-443 
  port 443 
  protocol tcp 
  ip address 10.176.1.8 
  active 
 
service ssl6-444 
  port 444 
  protocol tcp 
  ip address 10.176.1.8 
  active 
 
!*************************** OWNER ***************************
owner test 
 
  content http-secure-port-81 
    vip address 10.176.11.100 
    add service s1 
    add service s2 
    add service s3 
    add service s4 
    protocol tcp 
    port 81 
    url "/secure/*" 
    active 
 
  content http-non-secure-port-80
    vip address 10.176.11.100
    add service s1 
    add service s2 
    add service s3 
    add service s4 
    protocol tcp 
    ! non-secure content is served on port 80; the port 81 rule above is the decrypted path
    port 80 
    url "/*" 
    active 
 
  content ssl 
    vip address 10.176.11.100
    protocol tcp 
    port 443 
    add service ssl1-443 
    add service ssl2-443
    add service ssl3-443 
    add service ssl4-443
    add service ssl5-443 
    add service ssl6-443
    active 
 
  content ssl-444 
    protocol tcp 
    vip address 10.176.11.101 
    port 443 
    add service ssl2-444 
    add service ssl1-444 
    add service ssl3-444 
    add service ssl4-444 
    add service ssl5-444 
    add service ssl6-444 
    active 
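The two properties the one-armed non-transparent proxy depends on (one CSS service per Secure Content Accelerator IP/destination port pair, with no two VIPs sharing a pair, and a port 81 clear-text rule that only the accelerators should be able to reach) are easy to break when a configuration is edited by hand. The following Python script is an added example and is not part of the Cisco manual or of the CSS software: it parses the service and content blocks of a CSS running-config in the format shown on this page and flags undefined services, rules whose name and port disagree, two VIPs mapped to the same accelerator ip:port, and every non-443, non-80 VIP port that serves decrypted content. The embedded configuration is a constructed, abridged variant of the sample above with those mistakes planted in it.

```python
"""Added example, not from the Cisco manual: a linter for the 'service' and
'content' blocks of a CSS 11000 running-config.  Checks:
  1. every 'add service' names a defined service;
  2. a rule named ...-port-N really listens on port N;
  3. no two VIPs share one SCA ip:port (the CSS rewrites the destination IP,
     so only the destination port tells the SCA which VIP the flow was for);
  4. every non-443, non-80 VIP port that serves decrypted content is reported.
"""
import re

# Constructed, abridged copy of the sample above: one SCA, one server, the port 81
# typo on the port-80 rule, an undefined service, and a rule (ssl-dup) that reuses
# SCA port 443 for a second VIP.
SAMPLE_CONFIG = """\
configure
service s1
  ip address 10.176.10.10
service ssl1-443
  port 443
  ip address 10.176.1.3
service ssl1-444
  ip address 10.176.1.3
  port 444
owner test
  content http-secure-port-81
    vip address 10.176.11.100
    add service s1
    port 81
    url "/secure/*"
  content http-non-secure-port-80
    vip address 10.176.11.100
    add service s1
    port 81
    url "/*"
  content ssl
    vip address 10.176.11.100
    port 443
    add service ssl1-443
    add service ssl1-445
  content ssl-444
    vip address 10.176.11.101
    port 443
    add service ssl1-444
  content ssl-dup
    vip address 10.176.11.102
    port 443
    add service ssl1-443
"""


def parse_css(text):
    """Return ({service name: attrs}, {content rule name: attrs})."""
    services, rules, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"(service|content)\s+(\S+)$", line)
        if m:
            block = {"services": []}
            (services if m.group(1) == "service" else rules)[m.group(2)] = block
            continue
        if not raw[0].isspace() or block is None:   # configure, owner, circuit, acl ... end a block
            block = None
            continue
        tok = line.split()
        if tok[:2] in (["ip", "address"], ["vip", "address"]):
            block["ip"] = tok[2]
        elif tok[0] == "port":
            block["port"] = int(tok[1])
        elif tok[:2] == ["add", "service"]:
            block["services"].append(tok[2])
    return services, rules


def lint(text):
    """Return a list of findings; an empty list means the config passed every check."""
    services, rules = parse_css(text)
    findings, sca_owner = [], {}          # sca_owner: (SCA ip, SCA port) -> VIP
    for name, rule in rules.items():
        for svc in rule["services"]:
            if svc not in services:
                findings.append(f"{name}: undefined service {svc}")
        m = re.search(r"-port-(\d+)$", name)
        if m and rule.get("port") != int(m.group(1)):
            findings.append(f"{name}: named for port {m.group(1)} but configured on port {rule.get('port')}")
        if rule.get("port") == 443:
            for svc in rule["services"]:
                s = services.get(svc)
                if s and "port" in s:     # SCA targets carry an explicit port; servers do not
                    key = (s["ip"], s["port"])
                    owner = sca_owner.setdefault(key, rule["ip"])
                    if owner != rule["ip"]:
                        findings.append(f"{name}: SCA {key[0]}:{key[1]} already terminates VIP {owner}")
        elif rule.get("port") not in (None, 80):
            findings.append(f"{name}: clear-text path {rule['ip']}:{rule['port']} must be reachable only from the SCAs")
    return findings
```

Feed it the text of show running-config; the sample yields five findings, and a clean configuration yields an empty list. The clear-text finding is informational: it lists the VIP ports that must be blocked at the upstream router.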
 

One-Armed Transparent Proxy

This deployment uses a single CSS for load balancing up to 15 Secure Content Accelerator devices. The deployment combines the single CSS solution of the proxy deployment with the transparency of the sandwich deployment.

The one-armed transparent proxy deployment is the most complex to configure, but it provides a high degree of scalability and extended features, including IP address accounting. Figure B-6 shows a typical deployment.


Figure B-6: Secure Content Accelerator One-Armed Transparent Proxy Installation




This deployment has several constraints:

  • No SSL client can be attached to a directly connected subnet; all SSL clients must pass through an upstream router.

  • ACLs must be written so that Secure Content Accelerator management and other applications are passed through the CSS properly.

  • Static routes must be added to the CSS so that traffic that should not pass through the Secure Content Accelerator devices is routed properly.


Caution   ACLs and static routes must be configured carefully. Any device or network that an ACL clause or a static route steers to the upstream router's ECMP route bypasses the Secure Content Accelerator devices entirely. Use that mechanism for the management stations and management protocols (ICMP, SNMP, and the Secure Content Accelerator management connection itself) so that they reach the devices directly, and do not apply it to address ranges whose SSL traffic must be processed by the Secure Content Accelerator devices, because that traffic would then bypass SSL processing as well.

Table B-4 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table B-4: One-Armed Transparent Proxy Installation Device Configuration

CSS Configuration

  • Create a VLAN for each Secure Content Accelerator to be load balanced

  • Create a VLAN for the upstream router

  • Create a separate VLAN for the servers

  • Create a default route with the upstream router as the gateway

  • Create a default route with each Secure Content Accelerator as a gateway

  • Define a static route for each management workstation not connected to a directly attached subnet

  • Define a service for each Secure Content Accelerator with its IP address, ensuring that the type is "transparent" and that "no cache-bypass" is configured

  • Create services as required for each server (adding "keepalive" attributes as necessary)

  • Create Layer 4 content rules to balance the Secure Content Accelerator devices; you may use "advanced-balance ssl" and "application ssl" to assist with SSL V.3 key reuse

  • Create Layer 5 rules for secure content

  • Create content rules as required for non-secure content

  • Define ACLs and an upstream router service to ensure proper routing of traffic not terminated on the CSS

Secure Content Accelerator Configuration

  • Export keys and certificates from any existing secure servers, if necessary

  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration

  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway

  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 3) or configuration manager (Chapter 4)

  • Set up single-port operation using the mode one-port command (Appendix C)



Below is a sample configuration for the CSS.

!Generated on 11/28/2000 16:15:49
!Active version: ap0400007s
 
configure
 
!*************************** GLOBAL ***************************
 
  acl enable
 
  ip route 0.0.0.0 0.0.0.0 10.176.50.1 1 
  ip route 0.0.0.0 0.0.0.0 10.176.1.3 1 
  ip route 0.0.0.0 0.0.0.0 10.176.2.3 1 
  ip route 0.0.0.0 0.0.0.0 10.176.3.3 1 
  ip route 0.0.0.0 0.0.0.0 10.176.4.3 1
  ip route 0.0.0.0 0.0.0.0 10.176.5.3 1
  ip route 0.0.0.0 0.0.0.0 10.176.6.3 1
  ! network management station static route
  ip route 10.176.50.100 255.255.255.255 10.176.50.1 1
 
!************************* INTERFACE *************************
interface ethernet-2
  bridge vlan 2 
 
interface ethernet-3
  bridge vlan 3 
 
interface ethernet-4
  bridge vlan 4 
 
interface ethernet-5
  bridge vlan 5 
 
interface ethernet-6
  bridge vlan 6 
 
interface ethernet-7
  bridge vlan 7 
 
interface ethernet-8
  bridge vlan 8 
 
!************************** CIRCUIT **************************
circuit VLAN1
 
  ip address 10.176.1.1 255.255.255.0 
 
circuit VLAN2
 
  ip address 10.176.2.1 255.255.255.0 
 
circuit VLAN3
 
  ip address 10.176.3.1 255.255.255.0 
 
circuit VLAN4
 
  ip address 10.176.4.1 255.255.255.0 
 
circuit VLAN5
 
  ip address 10.176.5.1 255.255.255.0 
 
circuit VLAN6
 
  ip address 10.176.6.1 255.255.255.0 
 
circuit VLAN7
 
  ip address 10.176.10.1 255.255.255.0 
 
circuit VLAN8
 
  ip address 10.176.50.2 255.255.255.0 
 
!************************** SERVICE **************************
service s1 
  ip address 10.176.10.10 
  protocol tcp 
  active 
 
service s2 
  ip address 10.176.10.11 
  protocol tcp 
  active 
 
service s3 
  ip address 10.176.10.12 
  protocol tcp 
  active 
 
service s4 
  ip address 10.176.10.13 
  protocol tcp 
  active 
 
service ssl1 
  port 443 
  protocol tcp 
  ip address 10.176.1.3 
  type transparent-cache 
  no cache-bypass 
  active 
 
service ssl2 
  port 443 
  protocol tcp 
  type transparent-cache 
  no cache-bypass 
  ip address 10.176.2.3 
  active 
 
service ssl3 
  port 443 
  protocol tcp 
  type transparent-cache 
  no cache-bypass 
  ip address 10.176.3.3 
  active 
 
service ssl4 
  port 443 
  protocol tcp 
  type transparent-cache 
  no cache-bypass 
  ip address 10.176.4.3 
  active 
 
service ssl5 
  port 443 
  protocol tcp 
  type transparent-cache 
  no cache-bypass 
  ip address 10.176.5.3 
  active 
 
service ssl6 
  port 443 
  protocol tcp 
  type transparent-cache 
  no cache-bypass 
  ip address 10.176.6.3 
  active 
 
service upstream-router
  ip address 10.176.50.1
  type transparent-cache
  active
 
!*************************** OWNER ***************************
owner test 
 
  content http-secure-port-81 
    vip address 10.176.11.100 
    add service s1 
    add service s2 
    add service s3 
    add service s4 
    protocol tcp 
    port 81 
    url "/secure/*" 
    active 
 
  content http-non-secure-port-80 
    vip address 10.176.11.100 
    add service s1 
    add service s2 
    add service s3 
    add service s4 
    protocol tcp 
    port 80 
    url "/*" 
    active 
 
 
  content ssl 
    protocol tcp 
    port 443 
    add service ssl1 
    add service ssl2 
    add service ssl3 
    add service ssl4 
    add service ssl5 
    add service ssl6 
    vip address 10.176.11.100 
    active 
 
!**************************** ACL ****************************
! Once "acl enable" is in effect, a circuit without an ACL denies all traffic, so the
! upstream router VLAN (8) and the server VLAN (7) get permit-all ACLs.
acl 8 
  clause 10 permit any any destination any 
  apply circuit-(VLAN8) 
 
acl 7 
  clause 10 permit any any destination any 
  apply circuit-(VLAN7) 
 
! ACL for the six Secure Content Accelerator VLANs
acl 6 
  ! SSL, and the port 81 clear-text path between the CSS and the accelerators
  clause 10 permit any any destination any eq 443 
  clause 20 permit any any destination any eq 81 
  ! port 2932: Secure Content Accelerator management traffic (see the constraints above)
  clause 30 permit tcp any destination any eq 2932
  clause 40 permit udp any destination any eq 2932
  ! management replies sourced from port 2932 are sent to the upstream-router service
  ! instead of over an ECMP default route through another accelerator
  clause 50 permit udp any eq 2932 destination any prefer upstream-router
  clause 99 permit any any destination any 
  apply circuit-(VLAN6) 
  apply circuit-(VLAN5)
  apply circuit-(VLAN4)
  apply circuit-(VLAN3)
  apply circuit-(VLAN2)
  apply circuit-(VLAN1)
 

Connecting the Device to a Terminal Server

The Secure Content Accelerator can be connected to a terminal server, such as the Cisco 2511 Access Server, for out-of-band console access. You will need a standard RJ45-DB9F adapter (CAB-9AS-FDTE, part number 74-0495-01). Because the console gives full configuration access to the appliance, the access server's lines must themselves require authentication and be reachable only from the management network.

1. Attach the RJ45-DB9F adapter to the CONSOLE port of the Secure Content Accelerator.

2. Using an octal cable with RJ45 connectors, attach the terminal server to the Secure Content Accelerator via the RJ45-DB9F adapter.

3. Using the line interface on the terminal server, use these commands:

    line 1
    autocommand connect
    transport input all
     
    

    Note   If you are using firmware older than 3.0.5 on the Secure Content Accelerator, also use the command speed 115200.

Web Site Changes

You must make changes to your existing Web pages before users can access them through the Secure Content Accelerator.

1. Install and configure the Secure Content Accelerator.

2. Create a non-secure ("http://"-prefixed) Web page as an entry point for the Web site. Include some method of transferring the user to the secure ("https://"-prefixed) URL. You may use a button, hypertext link, image map, automatic redirection, or any other method you choose.

3. If your site does not use relative links, change the "http://" portion of every link (including graphic links) to "https://"; otherwise, links should remain the same.


Note   If you are using IIS and have a redirection in your Web page, the URL must have a trailing slash ("/") to work properly, e.g., <a href="/issamples/default/learn/">.
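Step 3 above is a mechanical but error-prone edit on a large site, and any http:// reference left behind on a page served as https:// produces a mixed-content warning in the browser. The following Python script is an added example, not part of the Cisco manual: it rewrites absolute http:// links to https:// only for the hosts the Secure Content Accelerator now terminates SSL for, leaves relative links untouched (they inherit the page's scheme, as step 3 says), leaves other hosts untouched, and lists what remains so the result can be audited. The sample page and the host names in it are constructed.

```python
"""Added example, not from the Cisco manual: rewrite a page's absolute http://
links to https:// for the hosts the SCA now terminates SSL for.  Relative links
are left alone because they inherit the scheme of the page; links to other
hosts are left alone because the SCA does not terminate SSL for them and a
blind rewrite would break them.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Attributes whose URLs a browser follows or fetches; an http:// URL left in any
# of them on an https:// page becomes mixed content.
_URL_ATTR = re.compile(r"""(?i)\b(href|src|action)\s*=\s*(["'])(.*?)\2""")

# Constructed sample page; the host names are assumptions, not the page's.
SAMPLE_PAGE = """\
<a href="http://www.example.com/secure/login.asp">Log in</a>
<img src="http://www.example.com:80/images/lock.gif">
<img src="/images/logo.gif">
<a href="http://partner.example.net/">Partner</a>
<form action='HTTP://WWW.EXAMPLE.COM/secure/post.asp'>
"""


def rewrite_links(html, secure_hosts):
    """Return (rewritten html, number of links changed)."""
    secure = {h.lower() for h in secure_hosts}
    changed = 0

    def fix(m):
        nonlocal changed
        attr, quote, url = m.groups()
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in secure:
            # drop an explicit :80, which would be wrong on the https:// URL
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            url = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
            changed += 1
        return f"{attr}={quote}{url}{quote}"

    return _URL_ATTR.sub(fix, html), changed


def remaining_http(html):
    """List the http:// URLs still present, i.e. the mixed-content candidates."""
    return [m.group(3) for m in _URL_ATTR.finditer(html)
            if m.group(3).lower().startswith("http://")]
```

Run rewrite_links over each page with the list of hosts that have a logical secure server on the appliance, then review what remaining_http reports: anything left is either a third-party host that needs its own SSL listener or a reference the rewrite could not safely touch.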