ServerIron ADX Security Guide, 53-1002440-03 (page 178)
Chapter 6: Configuration Examples for SSL Termination and Proxy Modes
Example

Create the client-side SSL profile with the required settings (key pair, certificate and cipher suites):
ServerIronADX(config)# ssl profile clientprofile
ServerIronADX(config-ssl-profile-clientprofile)# keypair-file rsakey-file
ServerIronADX(config-ssl-profile-clientprofile)# certificate-file mycert
ServerIronADX(config-ssl-profile-clientprofile)# cipher-suite all
ServerIronADX(config-ssl-profile-clientprofile)# exit

Create the server-side SSL profile with the required settings (the CA certificate used to validate the real server's certificate, and cipher suites):
ServerIronADX(config)# ssl profile serverprofile
ServerIronADX(config-ssl-profile-serverprofile)# ca-cert-file ca.cert
ServerIronADX(config-ssl-profile-serverprofile)# cipher-suite all
ServerIronADX(config-ssl-profile-serverprofile)# exit

Define the SSL port on the real server:
ServerIronADX(config)# server real rs1 10.1.1.1
ServerIronADX(config-rs-rs1)# port ssl
ServerIronADX(config-rs-rs1)# exit

Within the virtual server, define the SSL port, specify the client and server profiles, and enable SSL proxy:
ServerIronADX(config)# server virtual-name-or-ip vip3 10.1.1.3
ServerIronADX(config-vs-vip3)# port ssl
ServerIronADX(config-vs-vip3)# port ssl ssl-proxy clientprofile serverprofile

Bind the SSL port of the virtual server to the real server's SSL port:
ServerIronADX(config-vs-vip3)# bind ssl rs1 ssl
TCP configuration issues with SSL Terminate and SSL Proxy
When SSL terminate or SSL proxy is enabled, the ServerIron ADX uses its full TCP stack. In that case, the Nagle algorithm and the delayed ACK mechanism are both on by default. There are situations in which both of these features should be disabled.
For example, a customer may experience slow response times because the ServerIron ADX sends one packet at a time and waits for an ACK from the server before sending the next packet. The server delays each ACK by 200 ms, so every successive packet is delayed by 200 ms, which results in extremely poor performance. Packet traces taken on the client and server sides show this behaviour in detail, as illustrated in the following figures.
Figure 15 shows the client ptrace information. Figure 16 shows the server ptrace information.
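The stall described above, as a small timing model added here (not from the Brocade guide): it encodes Nagle's rule on the sender and a delayed-ACK receiver that acknowledges every second segment or after the 200 ms timer, and shows why a message whose last segment is shorter than the MSS can pay a full delayed-ACK timer before its tail leaves. The 1 ms link latency, the 1460-byte MSS and the ACK-every-second-segment receiver rule are constructed assumptions.

```python
"""Timing model of the Nagle / delayed-ACK stall described above.

Constructed example: a sender (the ADX) writes one application message
at t=0 over an idle TCP connection to a server that has no data of its
own to send.  Sender rule (Nagle): a segment shorter than the MSS may
only leave when no sent-but-unacknowledged data is outstanding.
Receiver rule (delayed ACK, assumed): an ACK is sent at once when a
second segment arrives since the last ACK, otherwise when the timer fires.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpTiming:
    one_way_ms: float = 1.0        # assumed link latency per direction
    delayed_ack_ms: float = 200.0  # server's delayed-ACK timer (the guide's 200 ms)
    mss: int = 1460                # assumed maximum segment size in bytes


def message_delivery_ms(msg_bytes: int, nagle: bool, t: TcpTiming) -> float:
    """Return when the last byte of the message reaches the server (ms)."""
    full, tail = divmod(msg_bytes, t.mss)
    d = t.one_way_ms
    # Full-size segments are never held by Nagle: they all leave at t=0
    # (the window is not the bottleneck in this model) and arrive at d.
    if tail == 0:
        return d
    if not nagle or full == 0:
        # Nagle off, or nothing outstanding: the short tail leaves at once.
        return d
    # Nagle on with full segments in flight: the tail waits for their ACK.
    if full % 2 == 0:
        ack_sent = d                      # paired segments: immediate ACK
    else:
        ack_sent = d + t.delayed_ack_ms   # lone segment: timer must expire
    tail_sent = ack_sent + d              # ACK returns to the sender
    return tail_sent + d


def stall_ms(msg_bytes: int, t: TcpTiming) -> float:
    """Extra delivery time caused by leaving Nagle on for this message."""
    return message_delivery_ms(msg_bytes, True, t) - message_delivery_ms(msg_bytes, False, t)


if __name__ == "__main__":
    t = TcpTiming()
    for size in (500, 1460 + 500, 2 * 1460 + 500, 3 * 1460 + 500, 2 * 1460):
        print(f"{size:5d} bytes: Nagle on {message_delivery_ms(size, True, t):6.1f} ms, "
              f"off {message_delivery_ms(size, False, t):4.1f} ms, "
              f"stall {stall_ms(size, t):5.1f} ms")
```

Disabling Nagle (or delayed ACK on the server) removes the 200 ms term for every message that ends in a short tail, which is the per-packet delay the traces above show.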