
Installing the Hardware and Software

This chapter describes how to install the Secure Content Accelerator as a free-standing or rack-mount unit. Network deployment suggestions are included.

This chapter contains the following sections:

Site Requirements

Before you select an installation site for the Secure Content Accelerator, read the electrical, environmental, and physical requirements as described in Appendix A.


Warning Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system. Please see Appendix A.

Required Tools and Equipment

To install the Secure Content Accelerator, you need the following tools and equipment:

Shipment Contents

The Secure Content Accelerator shipment contains the following items:

Unpacking the Secure Content Accelerator

The Secure Content Accelerator is shipped in a protective carton. The appliance is a self-contained chassis; no modules or components can be added or removed.

To unpack the Secure Content Accelerator:

    1. Remove all enclosed packing materials. Save the packing materials in case you need to repack the Secure Content Accelerator later.

    2. Remove all accessories from the shipping carton.

    3. Check the accessories against the items listed in the section "Shipment Contents".

Installing the Secure Content Accelerator


Warning Before working on a system that has an on/off switch, turn OFF the power and unplug the power cord. This unit has more than one power cord. To reduce the risk of electric shock, disconnect the two power supply cords before servicing the unit. The safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards.

The Secure Content Accelerator can be placed on a flat surface as a free-standing unit or rack-mounted in an equipment cabinet. The following two sections describe the steps to install the Secure Content Accelerator as a free-standing unit and as a rack-mounted unit.

Prior to installing the Secure Content Accelerator, observe the following installation requirements:


Warning Review nameplate ratings for correct voltage and load requirements. For safety, this equipment is required to be grounded through the ground conductor of the AC power cords. Do not remove the cover of the Secure Content Accelerator. There are electrical shock hazards present in the unit if the cover is removed. To reduce the risk of fire or electric shock, do not expose the Secure Content Accelerator to rain or moisture. To disconnect power, remove both power cords. Please review the caution label on the Secure Content Accelerator.

Installing as a Free-Standing Unit

Position the Secure Content Accelerator on a level surface in an area with access to your network cabling. When installing the Secure Content Accelerator note that Ethernet and serial cables attach to the front of the chassis and power cables attach to the back.

Installing as a Rack-Mounted Unit


Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety: 1) This unit should be mounted at the bottom of the rack if it is the only unit in the rack. 2) When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack. 3) If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack.

Before you begin, you will need the mounting brackets and six screws shipped with the Secure Content Accelerator, a #2 Phillips screwdriver, rack-mounting screws and an appropriate screwdriver.

    1. Position the Secure Content Accelerator with the front panel facing you.

    2. Position a mounting bracket on one side of the chassis, aligning the holes in the bracket with the screw holes on the chassis.

    3. Secure the bracket to the chassis with three screws and the Phillips screwdriver.

    4. Repeat steps 2 and 3 to install a mounting bracket on the other side of the chassis.

    5. Raise the Secure Content Accelerator to the installation height. Align the screw holes of the mounting brackets with the holes on the equipment rack.

    6. Use the appropriate screwdriver and screws to secure each mounting bracket to each side of the rack.

Panel Descriptions

The front panel of the Secure Content Accelerator, shown in Figure 2-1, contains the following connectors, switches, and LEDs:


Figure 2-1: Secure Content Accelerator Front Panel




The rear panel of the Secure Content Accelerator, shown in Figure 2-2, contains the following connectors and switches:


Figure 2-2: Secure Content Accelerator Rear Panel





Table 2-1 describes the functional LEDs on the Secure Content Accelerator.

Table 2-1: Secure Content Accelerator LED Descriptions

    LED Name   Color   State      Indicates
    LK         Green   Off        No link established
                       On         Link established
    TX         Amber   Blinking   Transmit activity detected
    RX         Green   Blinking   Receive activity detected
    Power      White   Off        Power supply is not working
                       On         Power supply is working
    Test       Amber   Off        Self-diagnostics are successful
                       On         Self-diagnostics are running

Connecting to Power

The Secure Content Accelerator is powered by dual AC power supplies. Before you install the power cords, ensure that you have read Appendix A for electrical specifications.

    1. Ensure that the Secure Content Accelerator power switches are in the 0 (off) position.

    2. Attach the power cables to the Secure Content Accelerator by plugging the AC power cord connector into the power receptacle at the rear panel.

    3. Plug the power cords into dedicated three-wire grounding receptacles.

    4. Switch the power switches to the 1 (on) position.


    Note   Connect the power supplies to different circuits to further ensure appliance availability.

Connecting to Ethernet

This section describes how to attach the Secure Content Accelerator to Ethernet.


Caution   If you are using the Secure Content Accelerator in two-port mode, you must connect the cables to it so that client requests (inbound) and server requests (outbound) move through different ports. Inbound traffic uses the "Network" port; outbound traffic uses the "Server" port. If you are using the appliance in one-port mode, you must connect it so that both client requests and server traffic travel through the "Network" port. Use only Category 5 UTP cables with RJ-45 connectors. The Secure Content Accelerator Ethernet interfaces are configured as NIC ports. Use a straight-through cable to connect the Secure Content Accelerator to a hub or switch. Use a crossover cable to connect the Secure Content Accelerator to a NIC.

    1. Connect the "Network" port to the Internet.

    2. Connect the "Server" port to the servers.

    3. Check the LK LEDs for connection viability. If one or both LK LEDs are not lit, see Appendix B for troubleshooting suggestions.

Deployment Examples

The following examples demonstrate how the Secure Content Accelerator can be integrated into a network.

Single Device

A single Secure Content Accelerator provides SSL offloading and processing for an entire server farm, as shown in Figure 2-3.


Figure 2-3: Single Secure Content Accelerator Installation




    1. Install the appliance as instructed previously.

    2. Connect the "Network" Ethernet interface to the Internet.

    3. Connect the "Server" Ethernet interface to Web server access.

Load Balancing

Secure Content Accelerator devices can be installed in front of or behind a load balancer. If the load balancer is using URL- or cookie-related load balancing, install the appliance in front of the load balancer. In this configuration, the load balancer receives clear text packets decrypted by the SSL device. Figure 2-4 shows a typical installation.


Figure 2-4: Secure Content Accelerator Installation with a Load Balancer




    1. Install the appliance as instructed previously.

    2. Connect the "Network" Ethernet interface to the Internet. Connect the "Server" Ethernet interface to the load balancer.

For information about configuring the Secure Content Accelerator in conjunction with the CSS 11000 Series Content Services Switch (hereinafter referred to as the CSS), see "Use with the CSS".

Use with the CSS

Using the Secure Content Accelerator with the CSS allows Layer 4 load balancing of the Secure Content Accelerator and Layer 5 routing and load balancing for content decrypted by the Secure Content Accelerator. Four deployment scenarios are recommended:

  • In-Line

  • Transparent Sandwich

  • One-Armed Non-Transparent Proxy

  • One-Armed Transparent Proxy

In-Line

Placing the Secure Content Accelerator in front of the CSS increases performance of the server farm by offloading all SSL processing from the servers. The Secure Content Accelerator is completely transparent to the CSS and servers.

This deployment is the simplest to configure because it requires no specific inter-operational configuration on either the Secure Content Accelerator or the CSS. However, the deployment provides a low level of scalability, based upon the capacity of the CSS. An example deployment is shown in Figure 2-5.


Figure 2-5: Secure Content Accelerator In-Line Installation




The CSS is used to front-end one or more Secure Content Accelerator devices. Because the Secure Content Accelerator is a Layer 2 device, it must be configured to ensure that bridge loops are not created. If multiple Secure Content Accelerator devices are used, each must be attached to a separate VLAN on the CSS and/or the upstream Layer 2 switch. The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses configured on it, decrypts the traffic, and forwards it as clear text on another TCP service port to the CSS. All port 80 traffic is bridged transparently to the CSS. Table 2-2 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table 2-2: In-Line Installation Device Configuration

CSS Configuration:

  • Create a VLAN for each Secure Content Accelerator

  • Create a VLAN for the servers

  • Create services as required for each server, adding "keepalive" attributes as necessary

  • Create a default ECMP route for each load balanced Secure Content Accelerator using the upstream router as the gateway for each upstream VLAN

  • Create Layer 5 rules for the secure content

  • Create content rules as required for non-secure content

Secure Content Accelerator Configuration:

  • Export keys and certificates from any existing secure servers, if necessary

  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration

  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway

  • Set up one or more logical secure servers using QuickStart wizard (Chapter 4) or configuration manager (Chapter 5)

The following listing shows a sample configuration for the CSS.

    !Generated on 11/18/2000 11:01:18
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      bridge spanning-tree disabled
      no restrict web-mgmt
      ip route 0.0.0.0 0.0.0.0 10.176.11.1 1
    !************************* INTERFACE *************************
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.176.11.2 255.255.255.0
    !************************** SERVICE **************************
    service s1
      ip address 10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    !*************************** OWNER ***************************
    owner test
      content http-non-secure-port-80
        vip address 10.176.11.100
        protocol tcp
        port 80
        url "/*"
        add service s1
        add service s2
        add service s3
        add service s4
        active
      content http-secure-port-81
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/secure/*"
        active

Transparent Sandwich

This deployment places one or more Secure Content Accelerator devices between two CSS devices, allowing load balancing of up to 15 Secure Content Accelerator devices. Applications such as reverse proxy caching and content type separation can be enabled.

The transparent sandwich deployment is moderately difficult to configure and offers good scalability. A minimum of two CSS devices is required. Figure 2-6 shows a typical deployment.


Figure 2-6: Secure Content Accelerator Transparent Sandwich Installation




The upstream CSS is configured as if the Secure Content Accelerator devices are transparent caches with redirection at Layer 4. Port 80 traffic is forwarded via Layer 3 to the downstream CSS, avoiding any potential Port 80 bottleneck at the Secure Content Accelerator level. Because the Secure Content Accelerator is a Layer 2 device, it must be configured to ensure that bridge loops are not created.

The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses configured on it, decrypts the traffic, and forwards it as clear text on another TCP service port to the downstream CSS. The downstream CSS is configured with Layer 5 rules for all origin servers and multiple ECMP routes, each to a different upstream VLAN. The default ECMP configuration is to prefer ingress, ensuring that outbound traffic needing to be encrypted is routed to the Secure Content Accelerator responsible for decrypting traffic for that session. Outbound Port 80 traffic bypasses the Secure Content Accelerator devices completely.

Traffic "sourced" from a server in the server farm can be routed through one of the Secure Content Accelerator devices. There is no way to differentiate between equal cost paths without mapping to an ingress flow. Table 2-3 shows basic configuration actions for the CSS devices and Secure Content Accelerator.
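The two paragraphs above make a claim that is easy to get wrong in practice: a reply to decrypted traffic has to leave the downstream CSS through the same Secure Content Accelerator that decrypted the request, because only that unit holds the SSL session state, while server-sourced traffic has no ingress flow to map to. The following is an added teaching model of that route choice, not code from the Cisco manual or from the CSS software. The gateway addresses 10.176.1.1 to 10.176.6.1 are the downstream CSS's default-route next hops from the listing later in this section; the client address, the port range and the flow-hash stand-in (client port modulo number of gateways) are constructed assumptions.

```python
"""Model of the downstream CSS route choice in the transparent sandwich deployment.

Added example, not from the Cisco manual. Real CSS flow handling is proprietary;
this models two policies: "prefer ingress" (reply leaves through the ECMP
neighbour the request arrived from) and plain ECMP (flow hash, ingress ignored).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client_ip: str
    client_port: int
    vip: str
    vip_port: int          # 81 in this chapter's listings: decrypted HTTPS; 80: plain HTTP


class DownstreamCss:
    def __init__(self, gateways):
        # one equal-cost default route per upstream VLAN (10.176.1.1 .. 10.176.6.1)
        self.gateways = list(gateways)
        self.ingress = {}  # Flow -> gateway the decrypted request came in through

    def receive(self, flow, from_gateway):
        """A decrypted request arrives from one SCA's VLAN; remember that path."""
        if from_gateway not in self.gateways:
            raise ValueError(f"{from_gateway} is not an ECMP neighbour")
        self.ingress[flow] = from_gateway

    def ecmp_hash(self, flow):
        """Stand-in for the CSS flow hash (assumption): picks a route with no
        regard to where the request came from."""
        return self.gateways[flow.client_port % len(self.gateways)]

    def route_reply(self, flow, prefer_ingress=True):
        """Gateway for the reply. Traffic sourced by a server has no ingress
        record, so it falls back to the hash under either policy."""
        if prefer_ingress and flow in self.ingress:
            return self.ingress[flow]
        return self.ecmp_hash(flow)


def misrouted_replies(css, traffic, prefer_ingress):
    """Count replies that would reach an SCA other than the one that decrypted
    the request; that SCA has no session in which to re-encrypt them."""
    return sum(1 for flow, came_from in traffic
               if css.route_reply(flow, prefer_ingress) != came_from)


def demo(n_flows=50):
    gateways = [f"10.176.{i}.1" for i in range(1, 7)]   # six SCA VLANs
    css = DownstreamCss(gateways)
    # constructed traffic: the upstream CSS spreads requests round-robin over the SCAs
    traffic = []
    for i in range(n_flows):
        flow = Flow("192.0.2.10", 40000 + i, "10.176.11.100", 81)
        came_from = gateways[i % len(gateways)]
        css.receive(flow, came_from)
        traffic.append((flow, came_from))
    return {
        "prefer_ingress": misrouted_replies(css, traffic, True),
        "plain_ecmp": misrouted_replies(css, traffic, False),
    }


if __name__ == "__main__":
    print(demo())
```

With the ingress mapping every reply goes back through the decrypting unit; with the hash alone the reply path is independent of the request path, which is why the manual has the default ECMP configuration prefer ingress. A flow that was never received (server-sourced) gets the same hash result under both policies, which is the limitation the paragraph above describes.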


Table 2-3: Transparent Sandwich Installation Device Configuration

Upstream CSS Configuration:

  • Create a VLAN for each Secure Content Accelerator to be load balanced

  • Create a separate VLAN to connect to the downstream CSS to route port 80 traffic directly

  • Create a service for each Secure Content Accelerator with the IP address of the corresponding circuit address on the downstream Secure Content Accelerator; define the services as type "transparent-cache"

  • Create a Layer 4 content rule to balance the Secure Content Accelerators, using advanced-balance ssl and application ssl to assist SSL v.3 key reuse, in one of the following ways:

    • Without a VIP: if you do not specify a VIP, all port 443 traffic is forwarded to the Secure Content Accelerators

    • With a VIP: when you specify a VIP, any port 443 traffic not destined to that VIP can be routed over the VLAN specified for port 80 and SSL traffic terminated on origin servers

Secure Content Accelerator Configuration:

  • Export keys and certificates from any existing secure servers, if necessary

  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration

  • Assign a default route for each Secure Content Accelerator using the upstream CSS VLAN circuit IP address as the gateway

  • Set up one or more logical secure servers using QuickStart wizard (Chapter 4) or configuration manager (Chapter 5); you may wish to use TCP service port 81 as the remoteport

  • Assign a static route for the VIP to point to the downstream CSS VLAN circuit IP address

Downstream CSS Configuration:

  • Create a VLAN for each Secure Content Accelerator

  • Create a VLAN to connect to the upstream CSS to route port 80 traffic directly

  • Create services as required for each server, adding "keepalive" attributes as necessary

  • Create a default ECMP route for each load balanced Secure Content Accelerator using the upstream router as the gateway for each upstream VLAN

  • Create a default route to the upstream CSS to allow non-SSL traffic to bypass the Secure Content Accelerator

  • Create Layer 5 rules for the secure content

  • Create content rules as required for non-secure content

The following is a sample configuration for the upstream CSS.

    !Generated on 11/18/2000 11:03:28
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      ip route 0.0.0.0 0.0.0.0 10.100.1.1 1
      ip route 10.176.10.0 255.255.255.0 10.176.11.0
    !************************* INTERFACE *************************
    interface ethernet-2
      bridge vlan 2
    interface ethernet-3
      bridge vlan 3
    interface ethernet-4
      bridge vlan 4
    interface ethernet-5
      bridge vlan 5
    interface ethernet-6
      bridge vlan 6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
    circuit VLAN2
      ip address 10.176.2.1 255.255.255.0
    circuit VLAN3
      ip address 10.176.3.1 255.255.255.0
    circuit VLAN4
      ip address 10.176.4.1 255.255.255.0
    circuit VLAN5
      ip address 10.176.5.1 255.255.255.0
    circuit VLAN6
      ip address 10.176.6.1 255.255.255.0
    circuit VLAN7
      ip address 10.176.11.1 255.255.255.0
    circuit VLAN8
      ip address 10.100.132.101 255.255.0.0
    !************************** SERVICE **************************
    service ssl1
      port 443
      protocol tcp
      ip address 10.176.1.3
      type transparent-cache
      active
    service ssl2
      port 443
      protocol tcp
      ip address 10.176.2.3
      type transparent-cache
      active
    service ssl3
      port 443
      protocol tcp
      ip address 10.176.3.3
      type transparent-cache
      active
    service ssl4
      port 443
      protocol tcp
      ip address 10.176.4.3
      type transparent-cache
      active
    service ssl5
      port 443
      protocol tcp
      ip address 10.176.5.3
      type transparent-cache
      active
    service ssl6
      port 443
      protocol tcp
      ip address 10.176.6.3
      type transparent-cache
      active
    !*************************** OWNER ***************************
    owner test
      content ssl
        protocol tcp
        port 443
        add service ssl1
        add service ssl2
        add service ssl3
        add service ssl4
        add service ssl5
        add service ssl6
        active

The following is a sample configuration for the downstream CSS.

    !Generated on 11/18/2000 11:01:18
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      bridge spanning-tree disabled
      no restrict web-mgmt
      ip route 0.0.0.0 0.0.0.0 10.176.1.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.2.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.3.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.4.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.5.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.6.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.11.1 1
    !************************* INTERFACE *************************
    interface ethernet-2
      bridge vlan 2
    interface ethernet-3
      bridge vlan 3
    interface ethernet-4
      bridge vlan 4
    interface ethernet-5
      bridge vlan 5
    interface ethernet-6
      bridge vlan 6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN2
      ip address 10.176.2.3 255.255.255.0
    circuit VLAN3
      ip address 10.176.3.3 255.255.255.0
    circuit VLAN4
      ip address 10.176.4.3 255.255.255.0
    circuit VLAN5
      ip address 10.176.5.3 255.255.255.0
    circuit VLAN6
      ip address 10.176.6.3 255.255.255.0
    circuit VLAN7
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.176.11.2 255.255.255.0
    circuit VLAN1
      ip address 10.176.1.3 255.255.255.0
    !************************** SERVICE **************************
    service s1
      ip address 10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    !*************************** OWNER ***************************
    owner test
      content http-non-secure-port-80
        vip address 10.176.11.100
        protocol tcp
        port 80
        url "/*"
        add service s1
        add service s2
        add service s3
        add service s4
        active
      content http-secure-port-81
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/secure/*"
        active

One-Armed Non-Transparent Proxy

This deployment uses a single CSS for load balancing, SSL offloading, and Layer 5 switching, allowing load balancing up to the transactions-per-second limit of the CSS. Applications such as reverse proxy caching and content type separation can be enabled. The achievable level depends upon the type of content and the mix of HTTP 1.0 and HTTP 1.1 traffic.

The one-armed non-transparent proxy deployment is complex to configure, but it provides a high degree of scalability. If IP address accounting is required, use the command log-url when configuring the Secure Content Accelerator. This command instructs the device to write a client access log to a specific host. The resulting log file can be utilized by all popular log analysis tools. Figure 2-7 shows a typical deployment.


Figure 2-7: Secure Content Accelerator One-Armed Non-Transparent Proxy Installation




In this deployment the CSS is configured with both Layer 4 and Layer 5 rules. For each VIP configured on the CSS for services terminating on the Secure Content Accelerator, a service must be defined for the Secure Content Accelerator devices, each with a different destination port definition.

The Secure Content Accelerator does not use the IP address to ensure traffic is sent to the correct server because the CSS changes the destination IP address to that of the Secure Content Accelerator. The Secure Content Accelerator is configured only at Layer 4. This configuration requires setting multiple destination IP/destination port pairs on the Secure Content Accelerator. Bridge loops are not created because all port 443 traffic terminates on Secure Content Accelerator devices each connected to the CSS via a single port. Table 2-4 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table 2-4: One-Armed Non-Transparent Proxy Installation Device Configuration

CSS Configuration:

  • Create a VLAN for the upstream router

  • Create one VLAN for all connected Secure Content Accelerator devices

  • Create a separate VLAN for the servers

  • Create a service for each Secure Content Accelerator IP address and destination port pair

  • Create services as required for each server (adding "keepalive" attributes as necessary)

  • Create a default route to the upstream router

  • Create Layer 4 rules for each incoming VIP and add appropriate Secure Content Accelerator services

  • Create Layer 5 rules for the secure content

  • Create content rules as required for non-secure content

Secure Content Accelerator Configuration:

  • Export keys and certificates from any existing secure servers, if necessary

  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration

  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway

  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 4) or configuration manager (Chapter 5)

  • Set up single-port operation using the mode one-port command (Appendix C)

  • If client IP accounting is necessary, use the log-url command to specify the host for writing the access log

Below is a sample configuration for the CSS.

    !Generated on 11/18/2000 17:38:37
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      bridge spanning-tree disabled
      ip route 0.0.0.0 0.0.0.0 10.100.1.1 1
    !************************* INTERFACE *************************
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
    circuit VLAN7
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.100.132.101 255.255.0.0
    !************************** SERVICE **************************
    service s1
      ip address 10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    ! one service per Secure Content Accelerator IP address and destination port pair
    service ssl1-443
      port 443
      protocol tcp
      ip address 10.176.1.3
      active
    service ssl1-444
      ip address 10.176.1.3
      protocol tcp
      port 444
      active
    service ssl2-443
      port 443
      protocol tcp
      ip address 10.176.1.4
      active
    service ssl2-444
      port 444
      protocol tcp
      ip address 10.176.1.4
      active
    service ssl3-443
      port 443
      protocol tcp
      ip address 10.176.1.5
      active
    service ssl3-444
      port 444
      protocol tcp
      ip address 10.176.1.5
      active
    service ssl4-443
      port 443
      protocol tcp
      ip address 10.176.1.6
      active
    service ssl4-444
      port 444
      protocol tcp
      ip address 10.176.1.6
      active
    service ssl5-443
      port 443
      protocol tcp
      ip address 10.176.1.7
      active
    service ssl5-444
      port 444
      protocol tcp
      ip address 10.176.1.7
      active
    service ssl6-443
      port 443
      protocol tcp
      ip address 10.176.1.8
      active
    service ssl6-444
      port 444
      protocol tcp
      ip address 10.176.1.8
      active
    !*************************** OWNER ***************************
    owner test
      content http-secure-port-81
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/secure/*"
        active
      content http-non-secure-port-80
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        ! clear-text HTTP from the Internet listens on port 80; decrypted SSL arrives on port 81
        port 80
        url "/*"
        active
      content ssl
        vip address 10.176.11.100
        protocol tcp
        port 443
        add service ssl1-443
        add service ssl2-443
        add service ssl3-443
        add service ssl4-443
        add service ssl5-443
        add service ssl6-443
        active
      content ssl-444
        protocol tcp
        vip address 10.176.11.101
        port 443
        add service ssl2-444
        add service ssl1-444
        add service ssl3-444
        add service ssl4-444
        add service ssl5-444
        add service ssl6-444
        active

One-Armed Transparent Proxy

This deployment uses a single CSS for load balancing up to 15 Secure Content Accelerator devices. The deployment combines the single CSS solution of the proxy deployment with the transparency of the sandwich deployment.

The one-armed transparent proxy deployment is the most complex to configure, but it provides a high degree of scalability and extended features, including IP address accounting. Figure 2-8 shows a typical deployment.


Figure 2-8: Secure Content Accelerator One-Armed Transparent Proxy Installation




This deployment has several constraints:


Caution   ACLs and static routes must be configured carefully. If a device or network is specified in an ACL or static route in such a way that it will force all traffic to the upstream router's ECMP route, all traffic matching the ACL or static route will bypass the Secure Content Accelerator devices. Thus management of the Secure Content Accelerator devices and management stations requiring ICMP or SNMP to operate will not have access to SSL processing.

Table 2-5 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table 2-5: One-Armed Transparent Proxy Installation Device Configuration

CSS Configuration:

  • Create a VLAN for each Secure Content Accelerator to be load balanced

  • Create a VLAN for the upstream router

  • Create a separate VLAN for the servers

  • Create a default route with the upstream router as the gateway

  • Create a default route with each Secure Content Accelerator as a gateway

  • Define a static route for each management workstation not connected to a directly attached subnet

  • Define a service for each Secure Content Accelerator with its IP address, ensuring that the type is "transparent" and that "no cache-bypass" is configured

  • Create services as required for each server (adding "keepalive" attributes as necessary)

  • Create Layer 4 content rules to balance the Secure Content Accelerator devices; you may use "advanced-balance ssl" and "application ssl" to assist with SSL V.3 key reuse

  • Create Layer 5 rules for secure content

  • Create content rules as required for non-secure content

  • Define ACLs and upstream router service to ensure proper routing of traffic not terminated on the CSS

Secure Content Accelerator Configuration:

  • Export keys and certificates from any existing secure servers, if necessary

  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration

  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway

  • Set up one or more logical secure servers using QuickStart wizard (Chapter 4) or configuration manager (Chapter 5)

  • Set up single-port operation using the mode one-port command (Appendix C)

Below is a sample configuration for the CSS.

    !Generated on 11/28/2000 16:15:49
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      acl enable
      ip route 0.0.0.0 0.0.0.0 10.176.50.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.1.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.2.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.3.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.4.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.5.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.6.3 1
      ! network management station static route
      ip route 10.176.50.100 255.255.255.255 10.176.50.1 1
    !************************* INTERFACE *************************
    interface ethernet-2
      bridge vlan 2
    interface ethernet-3
      bridge vlan 3
    interface ethernet-4
      bridge vlan 4
    interface ethernet-5
      bridge vlan 5
    interface ethernet-6
      bridge vlan 6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
    circuit VLAN2
      ip address 10.176.2.1 255.255.255.0
    circuit VLAN3
      ip address 10.176.3.1 255.255.255.0
    circuit VLAN4
      ip address 10.176.4.1 255.255.255.0
    circuit VLAN5
      ip address 10.176.5.1 255.255.255.0
    circuit VLAN6
      ip address 10.176.6.1 255.255.255.0
    circuit VLAN7
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.176.50.2 255.255.255.0
    !************************** SERVICE **************************
    service s1
      ip address 10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    service ssl1
      port 443
      protocol tcp
      ip address 10.176.1.3
      type transparent-cache
      no cache-bypass
      active
    service ssl2
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.2.3
      active
    service ssl3
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.3.3
      active
    service ssl4
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.4.3
      active
    service ssl5
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.5.3
      active
    service ssl6
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.6.3
      active
    service upstream-router
      ip address 10.176.50.1
      type transparent-cache
      active
    !*************************** OWNER ***************************
    owner test
      content http-secure-port-81
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/secure/*"
        active
      content http-non-secure-port-80
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 80
        url "/*"
        active
      content ssl
        protocol tcp
        port 443
        add service ssl1
        add service ssl2
        add service ssl3
        add service ssl4
        add service ssl5
        add service ssl6
        vip address 10.176.11.100
        active
    !**************************** ACL ****************************
    acl 8
      clause 10 permit any any destination any
      apply circuit-(VLAN8)
    acl 7
      clause 10 permit any any destination any
      apply circuit-(VLAN7)
    acl 6
      clause 10 permit any any destination any eq 443
      clause 20 permit any any destination any eq 81
      clause 30 permit tcp any destination any eq 2932
      clause 40 permit udp any destination any eq 2932
      clause 50 permit udp any eq 2932 destination any prefer upstream-router
      clause 99 permit any any destination any
      apply circuit-(VLAN6)
      apply circuit-(VLAN5)
      apply circuit-(VLAN4)
      apply circuit-(VLAN3)
      apply circuit-(VLAN2)
      apply circuit-(VLAN1)
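The four CSS listings in this section (in-line, upstream and downstream sandwich, and the two one-armed proxies) all follow the same shape: services, then an owner with content rules that reference services by name. A content rule that names a service which is never defined, or two rules with identical match criteria, silently breaks the traffic path. The following checker is an added example, not tooling from the Cisco manual or from the CSS; it parses the keyword-per-line form of a listing (owner, content, service, ip address, vip address, port, protocol, url, add service) and skips everything else. The excerpt it runs on is constructed in the style of the in-line listing and deliberately contains two defects to show what the checks report.

```python
"""Consistency checker for Cisco CSS 11000 running-config listings such as the
ones in this chapter. Added example, not from the Cisco manual; it understands
only owner, content, service, ip/vip address, port, protocol, url, add service."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    ip: str | None = None
    port: int | None = None
    protocol: str | None = None


@dataclass
class ContentRule:
    owner: str
    name: str
    vip: str | None = None
    port: int | None = None
    protocol: str | None = None
    url: str | None = None
    services: list[str] = field(default_factory=list)


def parse_css_config(text: str):
    """Return ({name: Service}, [ContentRule]); circuits, routes and ACLs are skipped."""
    services, rules, owner, block = {}, [], "", None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue                                     # blank, banner or comment
        key = words[0]
        if key == "owner":
            owner, block = words[1], None
        elif key == "service":
            block = services[words[1]] = Service(words[1])
        elif key == "content":
            block = ContentRule(owner, words[1])
            rules.append(block)
        elif key in ("circuit", "interface", "acl"):
            block = None                                 # leaves the current block
        elif block is None:
            continue                                     # global configuration
        elif key == "ip" and words[1] == "address" and isinstance(block, Service):
            block.ip = words[2]
        elif key == "vip" and words[1] == "address" and isinstance(block, ContentRule):
            block.vip = words[2]
        elif key == "port":
            block.port = int(words[1])
        elif key == "protocol":
            block.protocol = words[1]
        elif key == "url" and isinstance(block, ContentRule):
            block.url = raw.split(None, 1)[1].strip().strip('"')
        elif key == "add" and words[1] == "service" and isinstance(block, ContentRule):
            block.services.append(words[2])
    return services, rules


def check_config(services, rules):
    """Return human-readable findings; an empty list means the listing is self-consistent."""
    findings, used, seen = [], set(), {}
    for rule in rules:
        for name in rule.services:
            used.add(name)
            if name not in services:
                findings.append(f"content {rule.name}: references undefined service {name}")
        if not rule.services:
            findings.append(f"content {rule.name}: has no services")
        match = (rule.vip or "any", rule.protocol or "any", rule.port or "any", rule.url or "any")
        if match in seen:
            findings.append(f"content {rule.name}: same match criteria as {seen[match]}: {match}")
        seen.setdefault(match, rule.name)
    for name, svc in services.items():
        if svc.ip is None:
            findings.append(f"service {name}: no ip address")
        if name not in used:
            findings.append(f"service {name}: defined but referenced by no content rule")
    return findings


# Constructed excerpt in the style of the in-line listing (not the manual's text);
# s3 is never used and http-secure-port-81 references an undefined s4.
SAMPLE = """\
service s1
  ip address 10.176.10.10
  active
service s2
  ip address 10.176.10.11
  active
service s3
  ip address 10.176.10.12
  active
owner test
  content http-non-secure-port-80
    vip address 10.176.11.100
    protocol tcp
    port 80
    url "/*"
    add service s1
    add service s2
    active
  content http-secure-port-81
    vip address 10.176.11.100
    protocol tcp
    port 81
    url "/secure/*"
    add service s1
    add service s4
    active
"""

if __name__ == "__main__":
    for finding in check_config(*parse_css_config(SAMPLE)):
        print(finding)
```

To check one of the listings above, paste it into a file and call `check_config(*parse_css_config(open(path).read()))`; the parser is indifferent to indentation, so the flat form the listings arrived in works as well as the nested form.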

Installing the Software

A version of the configuration utility is stored on the SSL appliance; you can reach it over a serial or Telnet connection or with a Web browser. To install the remote configuration manager on a workstation, follow the appropriate instructions below.


Note   Certain functions are not available in all configuration methods. See Appendix C for more information.

Linux Software

You must be logged into the system as a root user before installing the software.

    1. Insert the CD-ROM into the computer CD-ROM drive.

    2. Enter the following commands:

    mount -o map=off /mnt/cdrom
    cd /mnt/cdrom/Linux/i386
    ./install_csca

To run the configuration manager, enter csacfg at a Linux shell prompt.

Solaris Software

You must be logged into the system as a root user before installing the software.

    1. Insert the CD-ROM into the computer CD-ROM drive.

    2. Enter the following command:

    pkgadd -d /cdrom/cdrom0/Solaris/Sparc

    3. Respond to the following screen prompt, pressing Enter to install the software:

    The following packages are available:
      1. CSCAconfg   Cisco Configuration Manager

    Select package(s) you wish to process (or "all" to process all packages). (default: all) [?,??,q]

    4. Type q to exit after installation.

To run the configuration manager, enter csacfg at a Unix shell prompt.

Windows NT and Windows 2000 Software

    1. Insert the CD-ROM into the computer CD-ROM drive.

    2. Double-click the My Computer icon to open it.

    3. Double-click the CD icon.

    4. Double-click the MSWin icon to open the directory.

    5. Double-click the WinNT4 icon (Windows NT) or Win2K icon (Windows 2000) to open the directory.

    6. Double-click the setup.exe application to run it. An Install Shield application opens. Follow the instructions on the screen to install the configuration manager and OpenSSL.

To start the configuration manager, use the Start menu and point to Programs > Cisco Systems > Cisco Secure Content Acc. Manager, or double-click the shortcut on the desktop.

Web Site Changes

You must make changes to your existing Web pages before users can access them.

    1. Install and configure the Secure Content Accelerator.

    2. Create a non-secure ("http://"-prefixed) Web page as an entry point for the Web site. Include some method of transferring the user to the secure ("https://"-prefixed) URL. You may use a button, hypertext link, image map, automatic redirection, or any other method you choose.

    3. If your site does not use relative links, change the "http://" portion of every link (including graphic links) to "https://"; otherwise, links should remain the same.


    Note   If you are using IIS and have a redirection in your Web page, the URL must have a trailing slash ("/") to work properly, e.g., <href="/issamples/default/learn/">.
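Step 3 above is mechanical but easy to get wrong by hand: only absolute links to your own site should change, relative links must stay as they are, and links to other hosts should not be rewritten (an https:// link to a host that does not serve TLS is simply broken). The following is an added example, not code from the Cisco manual; it assumes links live in href, src and action attributes quoted with double or single quotes, and the sample page and host name it runs on are constructed.

```python
"""Rewrite a page's absolute http:// links to https:// for the site's own hosts.
Added example for step 3 above, not from the Cisco manual. Relative links and
links to other hosts are left untouched."""
from __future__ import annotations
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption about the page markup: links sit in quoted href/src/action attributes.
LINK_ATTR = re.compile(r'(?i)\b(href|src|action)\s*=\s*(["\'])(.*?)\2')


def upgrade_links(html: str, site_hosts) -> tuple[str, int]:
    """Return (rewritten html, number of links changed)."""
    hosts = {h.lower() for h in site_hosts}
    changed = 0

    def rewrite(match):
        nonlocal changed
        attr, quote, url = match.groups()
        parts = urlsplit(url)                 # a relative link has an empty scheme
        if parts.scheme == "http" and parts.hostname in hosts:
            # keep a non-default port; drop an explicit :80, which would be wrong for https
            if parts.port in (None, 80):
                netloc = parts.hostname
            else:
                netloc = f"{parts.hostname}:{parts.port}"
            url = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
            changed += 1
        return f"{attr}={quote}{url}{quote}"

    return LINK_ATTR.sub(rewrite, html), changed


# Constructed sample page: one absolute link to the site, one relative image,
# one link to a third party, and one upper-case link with an explicit port.
PAGE = (
    '<a href="http://www.example.com/secure/login.html">Login</a>\n'
    '<img src="/images/logo.gif">\n'
    '<a href="http://other.example.org/">Partner</a>\n'
    "<form action='HTTP://WWW.EXAMPLE.COM:80/secure/post'>"
)


def demo() -> tuple[str, int]:
    return upgrade_links(PAGE, ["www.example.com"])


if __name__ == "__main__":
    out, count = demo()
    print(f"{count} link(s) rewritten\n{out}")
```

Running it against a real site means passing every host name the site answers on; any host you leave out keeps its http:// links, which is the safe failure mode.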


Posted: Mon Aug 19 22:08:22 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.