
ADC Lab 5

HTTPS Virtual Server


Lab 5 Overview
In this lab you will configure and verify the functionality of a Layer 7 HTTPS Virtual Server in an SSL
Offload scenario.
Continuing from Lab 3: HTTP Virtual Server

HTTPS Virtual Server with SSL-Offload


The HTTPS Virtual Server uses previously configured servers (S1 and S2) and service group (http).
The Initial Device Verification section includes commands that verify these objects are configured and
functioning.
Source NAT
1. Create a NAT Pool for SSL offload. Verify the configuration.
ip nat pool NAT-SSL 10.254.251.x+4 10.254.251.x+6 netmask /24
show ip nat pool
SSL Certificate and Key
2. Create the CT-CERT1 certificate.
pki create certificate CT-CERT1 certtype rsa
The command prompts for several values. Fields whose allowed length range starts at 0 are
optional; a minimum of 1 or more indicates a required field. Use the listed values.
input key bits…default 1024: <Enter>
input Common Name, 1~64: a10training.com
input Division, 0~31: <Enter>
input Organization, 0~63: ADC_Class
input Locality, 0~31: <Enter>
input State or Province, 0~31: <Enter>
input Country, 2 characters: US
input email address, 0~64: <Enter>
input valid days…default 730: <Enter>
3. Verify the certificate.
show pki cert CT-CERT1
SSL Template
4. Create a client SSL template (TP-CSSL). Add the certificate and key. Verify.
slb template client-ssl TP-CSSL
cert CT-CERT1
key CT-CERT1
show slb template client-ssl TP-CSSL
Virtual Server (VIP)
5. Create a Virtual Server named VIP-SSL:
slb virtual-server VIP-SSL 10.254.251.x+7
6. Add the HTTPS Virtual Port and the previously configured elements:
port 443 https
service-group SG-HTTP
source-nat pool NAT-SSL
template persist cookie TP-CPERS
template client-ssl TP-CSSL
template http TP-CLIENT-IP
7. Confirm the virtual server configuration.
show running-config | sec VIP-SSL

Verifying functionality
8. In your browser, open another tab and connect to https://10.254.251.x+7/
9. Accept the self-signed certificate to display the It works! page.
10. Reload the page a few times. All images should come from the same server.
11. Verify the certificate sent from the ACOS device.
Right-click on the It works! page.
Select View Page Info.
Click Certificate information to see the certificate.
The certificate should display the information you entered in step 2.
12. Verify the cookie sent from the ACOS device.
Right-click on the It works! web page.
Select Inspect.
Select Resources in the menu bar.
Expand Cookies in the vertical Resource list.
Identify the cookie set by the persistence template (TP-CPERS).
13. Open an http (NOT https) browser connection to http://10.254.251.x+7/
This demonstrates the effect of attempting to connect to the virtual server by http
instead of https: the VIP only listens on port 443, so the request is never answered.
It should eventually time out. The next section solves that problem transparently.
Transparent redirect
14. Import an aFlex script that redirects requests from port 80 to 443 (ACOS enable
prompt command).
import aflex AF-RDRCT ftp://[email protected]/redirect1.tcl
Note: the system already includes redirect1.tcl.
15. Open VIP-SSL, add port 80 http, then apply the redirect1 aFlex script to the port:
slb virtual-server VIP-SSL
port 80 http
aflex AF-RDRCT
16. Display the contents of the redirect script applied to port 80. What does it do?
show aflex AF-RDRCT
17. Examine the state of the VIP:
show slb virtual-server VIP-SSL
18. Verify that ACOS displays the following states:
VIP-SSL: Functional Up
virtual port 443: All Up
virtual port 80: Functional Up
The port 80 configuration only binds the aFlex script to the port; no service group is
attached, so the VIP and the HTTP port report Functional Up rather than Up. A status of Up
requires the following:
A virtual port shows Up only when a service group is explicitly configured on that port.
The VIP shows Up only when service groups are explicitly configured on all of its virtual ports.
19. Confirm the script is functioning properly: In a new browser tab, open a connection to
http://10.254.251.x+7/
You should be automatically redirected to https://10.254.251.x+7/
20. Save your configuration for future use:
write mem
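The browser checks in steps 8 to 13 and 19 can also be scripted, which is useful when the same VIP is rebuilt repeatedly. The following is an added example, not part of the A10 lab guide and not ACOS code: the check functions take plain data (the subject tuple that Python's ssl module returns for a peer certificate, an HTTP status and header list) so they run offline against constructed samples, and live_check() applies the same checks to a real VIP. The IP 10.254.251.17 in the samples is a constructed value (x = 10), and the PEM file passed to live_check() is assumed to be the CT-CERT1 certificate exported from the browser in step 11; no cookie name is assumed because the lab does not state one.

```python
"""Scripted verification for the HTTPS VIP lab (added example, not the lab's own code)."""
import http.client
import ssl
from urllib.parse import urlsplit

# Certificate subject values entered in step 2 of the lab.
EXPECTED_SUBJECT = {
    "commonName": "a10training.com",
    "organizationName": "ADC_Class",
    "countryName": "US",
}


def subject_to_dict(subject):
    """Flatten the 'subject' tuple from ssl.SSLSocket.getpeercert() into a dict."""
    fields = {}
    for rdn in subject:          # each RDN is a tuple of (name, value) pairs
        for name, value in rdn:
            fields[name] = value
    return fields


def check_certificate(subject, expected=EXPECTED_SUBJECT):
    """Return (field, expected, actual) mismatches; an empty list means the cert matches step 2."""
    fields = subject_to_dict(subject)
    return [(k, v, fields.get(k)) for k, v in expected.items() if fields.get(k) != v]


def check_redirect(status, headers, requested_url):
    """True when a port-80 response redirects to the same host and path over HTTPS (step 19)."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if location is None:
        return False
    want, got = urlsplit(requested_url), urlsplit(location)
    return (got.scheme == "https"
            and got.hostname == want.hostname
            and got.port in (None, 443)
            and (got.path or "/") == (want.path or "/"))


def cookie_names(headers):
    """Names of cookies set by the VIP; the persistence template should set one (step 12)."""
    return [v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"]


def live_check(vip_host, cafile):
    """Run all checks against a real VIP (assumed workflow; needs network access).

    cafile is the self-signed CT-CERT1 PEM exported from the browser. Pinning it keeps
    certificate verification on instead of disabling it for the self-signed cert.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False   # we connect by IP; the CN is a10training.com
    conn = http.client.HTTPSConnection(vip_host, 443, context=ctx, timeout=5)
    conn.connect()
    cert_problems = check_certificate(conn.sock.getpeercert()["subject"])
    conn.request("GET", "/")
    resp = conn.getresponse()
    resp.read()
    cookies = cookie_names(resp.getheaders())
    conn.close()

    plain = http.client.HTTPConnection(vip_host, 80, timeout=5)
    plain.request("GET", "/")
    r80 = plain.getresponse()
    redirected = check_redirect(r80.status, r80.getheaders(), f"http://{vip_host}/")
    plain.close()
    return {"cert_mismatches": cert_problems, "cookies": cookies, "redirect_ok": redirected}


# Constructed samples mirroring what the lab expects to observe (x = 10 assumed).
SAMPLE_SUBJECT = (
    (("countryName", "US"),),
    (("organizationName", "ADC_Class"),),
    (("commonName", "a10training.com"),),
)
SAMPLE_80_HEADERS = [("Location", "https://10.254.251.17/"), ("Content-Length", "0")]

if __name__ == "__main__":
    print(check_certificate(SAMPLE_SUBJECT))                                 # []
    print(check_redirect(302, SAMPLE_80_HEADERS, "http://10.254.251.17/"))  # True
```

Before step 14 the port-80 request in live_check() raises a timeout, which is the behaviour step 13 describes; after step 15 it returns redirect_ok True. check_hostname is disabled only because the lab connects by IP address; chain verification stays on. The lab accepts the 1024-bit key default for a throwaway self-signed certificate, which is below what production certificates should use.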
