Cisco ACE: SSL Offload

SSL offload (or SSL termination) is when your load balancer handles SSL connections from clients and then hands off unencrypted connections to the backend servers. This lessens the CPU load on the servers and can dramatically increase application performance, since the load balancer frequently has dedicated hardware to handle the encryption/decryption of traffic. The trade-off is that traffic between the ACE and the real servers is cleartext, so that server-side segment needs to be a network you trust.

These are the basic steps to configure SSL offload on the Cisco ACE. This assumes you already have an existing HTTP load balancer configuration. See my Basic Load Balancing post for details.

**(option one) Import an existing SSL certificate and private RSA key.**

! <tftp-server-ip> is a placeholder; the tftp import takes the server address before the remote and local filenames
crypto import tftp <tftp-server-ip> mykey.pem mykey.pem
crypto import tftp <tftp-server-ip> mycert.pem mycert.pem

**(option two) Generate a new SSL certificate signing request (CSR) and key.**

! should NOT be marked "non-exportable" if you're running an HA pair
crypto generate key 2048 mykey.pem

crypto csr-params MY_PARAMS
  country US
  state Georgia
  locality Atlanta
  organization-name My Company
  organization-unit IT Operations
  ! common-name is required; <fqdn-of-vip> is a placeholder for the hostname clients will connect to
  common-name <fqdn-of-vip>

! the second argument is the key file; the ACE prints the CSR to the terminal for you to submit to your CA
crypto generate csr MY_PARAMS mykey.pem

Once you receive the signed certificate from your CA, you’ll need to import it (either method below works). If the CA also sends an intermediate certificate, import that too; it is bound to the proxy service through a chaingroup, and without it clients see an incomplete chain.

! <sftp-server-ip> is a placeholder for the SFTP server address
crypto import sftp <sftp-server-ip> mysftpuser /home/user/cert.pem mycert.pem
! ...or paste the PEM text at the prompt
crypto import terminal mycert.pem

Create the SSL Proxy service

ssl-proxy service MY_SSL_OFFLOAD
  key mykey.pem
  cert mycert.pem

Create a VIP to handle HTTPS traffic (<vip-address> is a placeholder for the VIP's IP address)

class-map match-all HTTPS_VIP
  2 match virtual-address <vip-address> tcp eq https

Update your multi-match policy map to apply the SSL service to the new VIP. The ssl-proxy server line is what terminates SSL on the ACE; the load balancing policy it references (called HTTP_LB_POLICY here, the name is assumed) is the same first-match policy your existing HTTP VIP uses, and that is where sticky-serverfarm belongs.

policy-map type loadbalance first-match HTTP_LB_POLICY
  class class-default
    sticky-serverfarm HTTP_FARM
policy-map multi-match VIPs
  class HTTPS_VIP
    loadbalance vip inservice
    loadbalance policy HTTP_LB_POLICY
    ssl-proxy server MY_SSL_OFFLOAD
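Before running the crypto import commands above, and again once the HTTPS VIP is in service, a quick sanity check from the admin workstation saves a lot of handshake debugging. This is an added example, not from the original post and not an ACE command; it assumes openssl is installed and that the CA returned its chain as a bundle file, here called ca-bundle.pem.

```shell
#!/bin/sh
# Added check, not part of the original post or of the ACE itself: confirm the
# PEM files pair up before you "crypto import" them, and confirm the VIP really
# serves that certificate afterwards. Assumes openssl is on the admin host.

# SHA-256 of the public key inside a certificate ("cert") or private key ("key").
pubkey_fp() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the private key and the certificate belong together. A mismatched
# pair imports without complaint and fails at the first client handshake.
key_matches_cert() {
  [ "$(pubkey_fp key "$1")" = "$(pubkey_fp cert "$2")" ]
}

# 0 when the signed cert ($1) chains to the CA bundle ($2) the CA sent back.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the cert stays valid for at least $2 more days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of the leaf certificate a live VIP presents (needs
# network; $1 is the VIP address, $2 the hostname clients use, sent as SNI).
vip_cert_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Usage: sh check_ssl_pair.sh mykey.pem mycert.pem ca-bundle.pem
if [ $# -eq 3 ]; then
  if key_matches_cert "$1" "$2" && chain_ok "$2" "$3" && valid_for_days "$2" 30; then
    echo "OK to import: key matches cert, chain verifies, more than 30 days left"
    echo "after deployment, vip_cert_fingerprint should print:"
    openssl x509 -in "$2" -noout -fingerprint -sha256
  else
    echo "do NOT import: key/cert mismatch, broken chain, or expiring soon" >&2
    exit 1
  fi
fi
```

After the VIP is up, compare the output of vip_cert_fingerprint against the local fingerprint printed above; a different value means the ssl-proxy service is bound to the wrong cert file or the wrong class-map caught the traffic.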