The ServerIron ADX features enhanced support for SSL accelerators by allowing the ServerIron ADX to send return traffic from a real server back to the SSL accelerator from which it was sent.
Normally, when the ServerIron ADX supports SLB for some services and TCS for others, the cache server uses the original client’s IP address as the source IP address for SLB traffic sent from the cache server to the ServerIron ADX. When the ServerIron ADX sends return traffic from the real server back to the client, it goes directly to the original client (bypassing the cache server).
Some configurations, however (such as those using an SSL accelerator as a cache server), may require that traffic from a real server first go back to the cache server before going to the original client. Using a technique called VIP spoofing, the ServerIron ADX, when it receives traffic from a real server on a specified port, forwards it not to the original client, but to the cache server where the SLB traffic was initiated.
Normally, the ServerIron ADX would send the packet directly back to the original client on port 80. However, with the VIP spoofing feature enabled, the ServerIron ADX instead sends the packet to the cache server that initiated the traffic (in this case the SSL accelerator).
You can configure a ServerIron ADX so that the client’s request to the VIP is translated to the real IP address of the cache server (that is, the SSL accelerator) and then sent there. In this case, the port ssl cache-enable command is not used in the VIP's configuration. Instead, the cache server is bound to the SSL port on the VIP. In the example above, VIP vip1 would have the following configuration:
ServerIron(config)# server virtual-name-or-ip vip1 10.10.1.100
ServerIron(config-vs-vip1)# port http
ServerIron(config-vs-vip1)# port http spoofing
ServerIron(config-vs-vip1)# port ssl
ServerIron(config-vs-vip1)# port ssl sticky
ServerIron(config-vs-vip1)# bind ssl cs1 ssl
ServerIron(config-vs-vip1)# bind http rs1 http
ServerIron(config-vs-vip1)# exit
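The rules described above can be checked mechanically against a saved CLI transcript. The following script is an added example, not part of the vendor documentation: for every VIP whose SSL port is bound to a cache server, it reports a port ssl cache-enable line and the absence of any spoofing port. Assumptions: the caller supplies the cache server names, a bind line may list several server/port pairs, and vip2 is a constructed misconfiguration.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # drops "ServerIron(config-vs-vip1)# "

def parse_vips(text):
    """Map each VIP name to the port/bind commands found in its block."""
    vips, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:2] == ["server", "virtual-name-or-ip"] and len(words) >= 3:
            current = vips.setdefault(words[2], [])
        elif words and words[0] in ("port", "bind") and current is not None:
            current.append(words)
        elif words:
            current = None  # exit or any other command closes the block
    return vips

def audit_vip_spoofing(text, cache_servers):
    """Return (vip, finding) pairs for VIPs whose SSL port is bound to a cache server."""
    findings = []
    for vip, cmds in parse_vips(text).items():
        # Assumed syntax: bind <vip-port> <server> <server-port> [<server> <server-port> ...]
        ssl_targets = {s for c in cmds if c[:2] == ["bind", "ssl"] for s in c[2::2]}
        if not ssl_targets & set(cache_servers):
            continue  # SSL is not handed to an accelerator on this VIP
        if any(c[:3] == ["port", "ssl", "cache-enable"] for c in cmds):
            findings.append((vip, "port ssl cache-enable used together with an ssl bind to a cache server"))
        if not any(c[0] == "port" and c[2:3] == ["spoofing"] for c in cmds):
            findings.append((vip, "no port has spoofing enabled; return traffic bypasses the cache server"))
    return findings

# vip1 is the configuration shown on this page; vip2 is constructed to trigger both findings.
SAMPLE = """\
ServerIron(config)# server virtual-name-or-ip vip1 10.10.1.100
ServerIron(config-vs-vip1)# port http
ServerIron(config-vs-vip1)# port http spoofing
ServerIron(config-vs-vip1)# port ssl
ServerIron(config-vs-vip1)# port ssl sticky
ServerIron(config-vs-vip1)# bind ssl cs1 ssl
ServerIron(config-vs-vip1)# bind http rs1 http
ServerIron(config-vs-vip1)# exit
ServerIron(config)# server virtual-name-or-ip vip2 10.10.1.101
ServerIron(config-vs-vip2)# port http
ServerIron(config-vs-vip2)# port ssl cache-enable
ServerIron(config-vs-vip2)# bind ssl cs1 ssl
"""
if __name__ == "__main__":
    for vip, finding in audit_vip_spoofing(SAMPLE, {"cs1"}):
        print(f"{vip}: {finding}")
```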