Cisco ACE: SSL Offload

SSL offload (or SSL termination) is when your load balancer handles the SSL connections from clients and then hands off unencrypted connections to the backend servers. This lessens the CPU load on the servers and can dramatically increase application performance, since the load balancer frequently has dedicated hardware for encrypting and decrypting traffic. The trade-off is that traffic between the load balancer and the servers is plaintext, so that network segment has to be one you trust; if it is not, the ACE can also re-encrypt toward the servers (SSL initiation), which gives up most of the CPU savings. The backend applications also no longer see HTTPS themselves, so they need some other signal (such as an inserted request header) that the client connection was encrypted before they generate redirects or set Secure cookies.

These are the basic steps to configure SSL offload on the Cisco ACE. This assumes you already have an existing HTTP load balancer configuration. See my Basic Load Balancing post for details.

**(option one) Import an existing SSL certificate and private RSA key.**

! TFTP is unauthenticated and unencrypted, so the private key crosses the
! network in cleartext; prefer sftp or a terminal paste for the key file
crypto import tftp 192.168.1.100 mykey.pem mykey.pem
crypto import tftp 192.168.1.100 mycert.pem mycert.pem

**(option two) Generate a new SSL certificate signing request (CSR) and key.**

! a non-exportable key cannot be copied to the standby peer, so do NOT use
! that flag if you're running an HA pair
crypto generate key 2048 mykey.pem

crypto csr-params MY_PARAMS
  common-name myservice.example.com
  country US
  state Georgia
  locality Atlanta
  organization-name My Company
  organization-unit IT Operations

! the second argument is the key file; the ACE prints the CSR to the terminal,
! so copy it out of the session and submit it to your CA
crypto generate csr MY_PARAMS mykey.pem

Once you receive the signed certificate from your CA, you’ll need to import it.

crypto import sftp 1.1.1.1 mysftpuser /home/user/cert.pem mycert.pem
  OR
! prompts for the PEM text; finish the paste with "quit" on a line by itself
crypto import terminal mycert.pem

Create the SSL Proxy service

ssl-proxy service MY_SSL_OFFLOAD
  key mykey.pem
  cert mycert.pem
!

Create a VIP to handle HTTPS traffic

class-map match-all HTTPS_VIP
  2 match virtual-address 10.210.7.10 tcp eq https
!

Update your load balancing policy map so the new VIP uses the SSL service. On the ACE the SSL termination is attached to the VIP's class in the multi-match policy with the ssl-proxy server command; the serverfarm or sticky-group selection does not go directly under that class but lives in a first-match load-balance policy that the class references with loadbalance policy. The servers in that farm must be listening on plain HTTP, because the ACE forwards decrypted traffic to them.

policy-map type loadbalance first-match HTTPS_LB
  class class-default
    sticky-serverfarm HTTP_FARM
!
policy-map multi-match VIPs
  class HTTPS_VIP
    loadbalance vip inservice
    loadbalance policy HTTPS_LB
    ssl-proxy server MY_SSL_OFFLOAD
!
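Pulling the steps together, here is an added example of what the finished configuration looks like end to end, with a few hardening items the steps above do not cover (protocol and cipher restriction, intermediate certificate chain, telling the backend the client used HTTPS) and the checks to run afterwards. This is not configuration from the original post: the rserver addresses, serverfarm, sticky group, VLAN, policy and file names are assumed, and the chaingroup and header-insert pieces are optional.

```cisco
! --- Added example, not from the original post; names and addresses below are assumed ---

! 1. Restrict the protocol version and ciphers offered to clients.
!    Without a parameter map the ACE negotiates its default version and cipher list;
!    check which versions your image supports before tightening this further.
parameter-map type ssl SSL_HARDENED
  version TLS1
  cipher RSA_WITH_AES_256_CBC_SHA priority 10
  cipher RSA_WITH_AES_128_CBC_SHA priority 9
!
! 2. Intermediate CA certificate(s), if your CA issued any, go in a chaingroup;
!    clients that do not already hold the intermediate fail chain validation otherwise.
!    (assumes intermediate.pem was imported with crypto import)
crypto chaingroup MY_CHAIN
  cert intermediate.pem
!
! 3. SSL termination service with the chain and hardened options attached.
ssl-proxy service MY_SSL_OFFLOAD
  key mykey.pem
  cert mycert.pem
  chaingroup MY_CHAIN
  ssl advanced-options SSL_HARDENED
!
! 4. Tell the backend the client connection was HTTPS, so the application can emit
!    https:// redirects and Secure cookies even though it only sees plain HTTP.
action-list type modify http INSERT_XFP
  header insert request X-Forwarded-Proto header-value "https"
!
! 5. Backend servers listen on plain HTTP; the ACE sends them decrypted traffic.
rserver host WEB1
  ip address 10.210.7.21
  inservice
rserver host WEB2
  ip address 10.210.7.22
  inservice
serverfarm host HTTP_FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
!
sticky http-cookie ACE_STICKY HTTP_STICKY
  cookie insert
  serverfarm HTTP_FARM
!
! 6. Load-balance policy: sticky/serverfarm selection and the header insertion.
policy-map type loadbalance first-match HTTPS_LB
  class class-default
    sticky-serverfarm HTTP_STICKY
    action INSERT_XFP
!
! 7. The HTTPS VIP and the multi-match policy that ties SSL termination to it.
class-map match-all HTTPS_VIP
  2 match virtual-address 10.210.7.10 tcp eq https
!
policy-map multi-match VIPs
  class HTTPS_VIP
    loadbalance vip inservice
    loadbalance policy HTTPS_LB
    ssl-proxy server MY_SSL_OFFLOAD
!
! 8. Apply to the client-facing interface (skip if VIPs is already applied there).
interface vlan 210
  service-policy input VIPs
!
! 9. Checks worth running before declaring victory.
!    Confirm the private key actually matches the certificate:
!      crypto verify mykey.pem mycert.pem
!    List imported files and inspect the certificate (subject, issuer, expiry):
!      show crypto files
!      show crypto certificate mycert.pem
!    After a test connection, confirm handshakes are completing, not failing:
!      show stats crypto server
!    From a client, confirm only the intended versions/ciphers are offered and
!    that the full chain is served:
!      nmap --script ssl-enum-ciphers -p 443 10.210.7.10
!      openssl s_client -connect 10.210.7.10:443 -showcerts
```

The ordering matters on the ACE because objects must exist before they are referenced: parameter map and chaingroup before the ssl-proxy service, rservers before the serverfarm, serverfarm before the sticky group, and the load-balance policy before the multi-match policy that names it. If the backend does not honour X-Forwarded-Proto, an application that builds absolute URLs will redirect clients from https:// to http:// after the first request, which is the most common surprise after enabling offload.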