
Aug 20

SSL Offload configuration on Brocade ADX via CLI

Application load balancers provide many functions in a hosting environment; one of the most typical is SSL offloading. Instead of spending CPU and RAM on the web server, you can use the LB (with the appropriate license) to provide the secure connection to the client.

In this example we are going to encrypt traffic between the client and the Brocade ADX load balancer, and then send it as clear, unencrypted traffic to the web server. This is the most typical configuration in environments with proper physical security.

Note: Remember, if the connections between the LB and the web server are not encrypted, your network needs to be isolated from any potential attacker or unauthorized personnel.

Configuration example:

Create an SSL profile, which later on will be specified under the VIP port (typically 443).

ssl profile ssl_profile_1
 keypair-file ssl_key_1.pem
 certificate-file ssl_cert_1.pem
 cipher-suite all-cipher-suites
 enable-certificate-chaining
 ca-cert-file ca_cert_primary
 ca-cert-file ca_cert_secondary
 session-cache off
!
Configure a port profile for port 81 and set it to TCP.

server port 81
 no udp
 tcp

Note: By default, all ports that are not well known (like 80, 443, 21 and a few others) are treated as UDP ports. UDP and TCP use different health-check mechanisms, so it's important to create the port profile to ensure the correct health-check behaviour.
Add real servers for ports 80 and 81. Port 81 will be used for the offloaded traffic; in other words, the load balancer will perform port redirection from TCP 443 to TCP 81. You can use any other port.

server real real_1
 port http
 port http keepalive
 port 81
 port 81 keepalive
!
server real real_2
 port http
 port http keepalive
 port 81
 port 81 keepalive
!
Finally, configure the virtual server and assign the SSL profile called ssl_profile_1 to the https port (written as port ssl in the configuration below).

server virtual VIP_1 30.30.30.1
 description www.domain1.com
 predictor least-conn
 port ssl sticky
 port ssl ssl-terminate ssl_profile_1
 port http
 bind ssl real_1 81 real_2 81
 bind http real_1 http real_2 http
!

Once the configuration is ready, remember to save it:

write memory

NOTE: The ADX displays a maximum of 30 characters for key and certificate file names. It will allow you to use longer names, but this is confusing because the displayed name and the real name will differ.
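As an added defender's check (my own script, not part of this post or of Brocade's tooling), the following Python parses ADX CLI configuration in the form shown above and flags the three pitfalls the post calls out: an ssl bind to a real-server port that has no TCP port profile (so health checks fall back to the UDP default), key or certificate file names longer than the 30 characters the CLI displays, and the all-cipher-suites setting. The sample configuration is constructed for the demo, and the list of ports treated as TCP by default is an assumption based on the note above.

```python
# Constructed sample: the post's config minus the "server port 81 / tcp" profile, plus an over-long key name.
SAMPLE_CONFIG = """\
ssl profile ssl_profile_1
 keypair-file ssl_key_1_renewed_2014_wildcard_domain1.pem
 certificate-file ssl_cert_1.pem
 cipher-suite all-cipher-suites
!
server real real_1
 port 81
!
server virtual VIP_1 30.30.30.1
 port ssl ssl-terminate ssl_profile_1
 bind ssl real_1 81
!
"""

def parse_blocks(text):
    """Split ADX CLI config into (header words, [body line words]); '!' closes a block."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.split())
        else:
            blocks.append((raw.split(), []))
    return blocks

def audit(text):
    """Flag all-cipher-suites, over-long key/cert names and ssl binds to ports without a TCP profile."""
    blocks = parse_blocks(text)
    tcp_ports = {"21", "80", "443", "ftp", "http", "ssl"}  # assumption: well-known ports, TCP by default
    findings = []
    for head, body in blocks:  # pass 1: port profiles and SSL profiles
        if head[:2] == ["server", "port"] and ["tcp"] in body:
            tcp_ports.add(head[2])
        elif head[:2] == ["ssl", "profile"]:
            for line in body:
                if line[0] in ("keypair-file", "certificate-file") and len(line[1]) > 30:
                    findings.append(f"{head[2]}: {line[0]} '{line[1]}' exceeds 30 chars; CLI display truncates it")
                if line[:2] == ["cipher-suite", "all-cipher-suites"]:
                    findings.append(f"{head[2]}: all-cipher-suites enables every suite, legacy ones included; pin an explicit list")
    for head, body in blocks:  # pass 2: virtual servers, checked against pass 1
        if head[:2] == ["server", "virtual"]:
            for line in body:
                if line[:2] == ["bind", "ssl"]:  # bind ssl real_1 81 real_2 81 -> (real, port) pairs
                    for real, port in zip(line[2::2], line[3::2]):
                        if port not in tcp_ports:
                            findings.append(f"{head[2]}: {real} port {port} has no TCP port profile; health checks default to UDP")
    return findings
```

Feed it the output of show running-config (or a saved copy) and address each finding before the VIP goes live.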

For more details about SSL profile configuration, see this link.
