My web application config has a Cisco ACE load balancing across a server farm and I want to use the ACE as an SSL endpoint as well. To make this work, the network architect has come up with a design where all secure pages have to be served from secure.my-domain.com, while non-secure pages are served up from www.my-domain.com. The reason for this is apparently that configuring the Cisco ACE to accept HTTPS requests on port 443 for a particular public IP prevents the simultaneous acceptance of HTTP requests on port 80 for the same IP. While I'm not a networking (or Cisco) expert, this seems to be intuitively wrong, as it would prevent any website using the Cisco ACE from serving pages on http://www.my-domain.com and https://www.my-domain.com simultaneously. In this situation, my questions are:

  1. Is this truly a limitation of the Cisco ACE when used as an SSL endpoint?
  2. If not, then can I assume that we can set up the ACE to accept connections for a particular IP on ports 80 and 443, and function as an SSL endpoint for the incoming requests on 443? Links to appropriate documentation most welcome here.
  3. Assuming the setup in the previous question, can I then redirect both sets of requests to the same server farm on the same port?
Paddu

1 Answer

This is not true. You can configure an ACE to load balance both HTTP and HTTPS traffic to the same VIP.

Example config:

rserver host web-01
  ip address 10.x.x.x
  probe SIMPLE-ICMP-PROBE
  inservice
rserver host web-02
  ip address 10.x.x.x
  probe SIMPLE-ICMP-PROBE
  inservice


serverfarm host 055-SFARM
  predictor leastconns slowstart 120
  probe SIMPLE-HTTP-PROBE
  rserver web-01 80
    inservice
  rserver web-02 80
    inservice


class-map match-all VIP:443
  10 match virtual-address 10.1.1.2 tcp eq https
class-map match-all VIP:80
  10 match virtual-address 10.1.1.2 tcp eq www


policy-map type loadbalance first-match VIP:443-POLICY
  class class-default
    serverfarm 055-SFARM
policy-map type loadbalance first-match VIP:80-POLICY
  class class-default
    serverfarm 055-SFARM


policy-map multi-match VIP-SPOLICY
  class VIP:80
    loadbalance vip inservice
    loadbalance policy VIP:80-POLICY
    loadbalance vip icmp-reply active
  class VIP:443
    loadbalance vip inservice
    loadbalance policy VIP:443-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-PROXY-WITH-CERT
jonaz
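
An added example, not part of the answer and not Cisco tooling: a small Python check that parses ACE stanzas like the ones above and confirms that the port 80 and port 443 classes share one VIP and one serverfarm, and that `ssl-proxy server` is attached only to the HTTPS class. The function names `parse_vips` and `audit` are hypothetical, and the sample input is a trimmed copy of the answer's config.

```python
ACE_CONFIG = """\
class-map match-all VIP:443
  10 match virtual-address 10.1.1.2 tcp eq https
class-map match-all VIP:80
  10 match virtual-address 10.1.1.2 tcp eq www
policy-map type loadbalance first-match VIP:443-POLICY
  class class-default
    serverfarm 055-SFARM
policy-map type loadbalance first-match VIP:80-POLICY
  class class-default
    serverfarm 055-SFARM
policy-map multi-match VIP-SPOLICY
  class VIP:80
    loadbalance policy VIP:80-POLICY
  class VIP:443
    loadbalance policy VIP:443-POLICY
    ssl-proxy server SSL-PROXY-WITH-CERT
"""  # sample input: trimmed copy of the stanzas in the answer above

def parse_vips(config):
    """Map each class in the multi-match policy to its VIP, port, serverfarm and SSL flag."""
    match, farm, classes, top, cur = {}, {}, {}, [], None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line[0].isspace():  # unindented line starts a new top-level stanza
            top, cur = w, None
        elif top[:1] == ["class-map"] and "virtual-address" in w:
            match[top[-1]] = (w[w.index("virtual-address") + 1], w[-1])
        elif top[:3] == ["policy-map", "type", "loadbalance"] and w[0] == "serverfarm":
            farm[top[-1]] = w[1]
        elif top[:2] == ["policy-map", "multi-match"]:
            if w[0] == "class":
                cur = classes.setdefault(w[1], {"policy": None, "ssl": False})
            elif cur is not None and w[:2] == ["loadbalance", "policy"]:
                cur["policy"] = w[2]
            elif cur is not None and w[:2] == ["ssl-proxy", "server"]:
                cur["ssl"] = True
    return {c: {"vip": match[c][0], "port": match[c][1],
                "farm": farm.get(v["policy"]), "ssl": v["ssl"]}
            for c, v in classes.items() if c in match}

def audit(config):
    """Flag listeners whose SSL termination does not match their port."""
    findings = []
    for name, e in parse_vips(config).items():
        tls_port = e["port"] in ("https", "443")
        if tls_port != e["ssl"]:  # 443 without ssl-proxy, or ssl-proxy on a cleartext port
            findings.append(f"{name}: port {e['port']}, ssl-proxy server configured: {e['ssl']}")
    return findings
```

An empty list from `audit` means the HTTPS class terminates SSL on the ACE and the HTTP class does not; a 443 class with no `ssl-proxy server` line is reported because the TLS traffic would otherwise be passed unterminated to the port 80 real servers.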