Solved

SSL Keys on Cisco ASAs

Posted on 2013-01-28
2
171 Views
Last Modified: 2013-03-29
I need to know if the following function is capable on the Cisco ASA. I want to be able to install third party SSL certificates/Keys on the ASA in order to ensure secure (https) connections to respective websites.

Currently the approach we have taken is to install SSL certificates/keys from a third party directly on the server hosting the secure site and then configuring the ASA to allow https traffic to that server. What we would like to do is instead of installing these certificates/keys on the servers directly, install them on the ASA and have it handle the secure connection.

Is this possible? What is it called, so that when I speak to Cisco I am asking for the right thing?

Thanks!!
0
Comment
Question by:dowhatyoudo22
2 Comments
 
LVL 20

Accepted Solution

by:
rauenpc earned 250 total points
Comment Utility
This would be called SSL Proxy. I don't believe the ASA supports this except for clientless SSL where the ASA will proxy SSL certs between the client and server via the portal. In your case, the ASA probably can't provide the solution. If someone else knows how, I'd love to find out as well.

Most, if not all, load-balancers can handle SSL proxy the way you described. This is partly because it's a nice feature and mostly because it's a requirement to proxy certificates when the end user is being routed/balanced to multiple servers transparently.

Which load-balancer should you choose and how do you configure this magic box? No clue. I have brochure-level knowledge of these, but i do know that in a previous job the load-balancer specialists were doing this all the time because SSL connections were being balanced among dozens of servers in a very high IO datacenter. I was only involved in the routing and switching surrounding this process and never got to see the guts of the load-balancers.
0
 
LVL 12

Assisted Solution

by:ryan80
ryan80 earned 250 total points
Comment Utility
This is not possible, unless there have been changes that I am not aware of. You will need a reverse proxy solution to do this.

Something like Microsoft TMG would fill this role. As has already been pointed out, a load balancer can handle this as well. There are many choices depending on your budget, linux options that would only be the price of the hardware, F5, Microsoft, Baracudda, KEMP........

I am using TMG in my environment, so all https connections are proxied through the TMG server. The SSL cert is installed on the web server and the TMG server so the traffic is encrypted all the way through.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now