4 Replies Latest reply: Oct 13, 2017 4:15 AM by rgirdlestone .

In-Path Rule Issue

Ken Vance

Hi All,

We have an in-path rule:

Pre-optimisation Policy : Oracle Forms

Latency policy : HTTP

Data Reduction : Normal

Pointing to a set of server IPs and a Port-Label.

Now the customer is migrating this application to SSL, using the same ports and IP addressing.

Can we differentiate between the two using in-path rules, even with the ports and IP addressing identical?

Thanks in advance

  • Re: In-Path Rule Issue
    Jitesh Gohil

    To optimize any SSL application, you first need the server certificate installed on the server-side SteelHead.

    This statement is not clear, can you elaborate?

    Can we differentiate between the two using in-path rules, even with the ports and IP addressing identical?

    • Re: In-Path Rule Issue
      Ken Vance

      Hi,

      Apologies, let me clarify.

      Proxy certificate creation is not the issue. That's the easy bit.

      Our customer has a custom application. This application has 'live' servers and 'development' servers on the same subnet.

      Currently we match traffic for this application using an in-path rule, matching the whole destination subnet and a port-label (custom ports are used).

      Auto discovery

      Correct addressing

      Pre-optimisation Policy : Oracle Forms

      Latency policy : HTTP

      Data Reduction : Normal

      Now the customer is adding SSL to the development side, which will need an additional in-path rule to optimise properly.

      The new SSL-enabled version of the application will be running on the same IP subnet and custom ports, which is leading to the question.

      With two rules matching the same subnet and ports (I suspect we just need to change the preop policy to SSL on the new rule), will the Riverbed be able to differentiate and match sessions on both rules, or will it just pass through after matching the original rule?

      Both versions of the app will need to coexist and (if possible) be optimised at the same time.

      Is this possible?

      Thanks in advance.

      • Re: In-Path Rule Issue
        Jitesh Gohil

        The scenario is much clearer now. Thanks.

        Yes, I think that is the right way to do it.

        Be sure to place the new rule (SSL) above the original rule.

        Now, when the SH receives traffic from the SSL-based application, it will match the new rule.

        When it sees normal traffic from that subnet, it will simply ignore the new SSL rule and check the next rule in the list for a better match.

        Share your test results to see if this works or needs some more tweaking.

        Good Luck.

        Regards,

        Jitesh Gohil

      • Re: In-Path Rule Issue
        rgirdlestone .

        Hi Ken

        Remember the law. A SYN message is processed by exactly one in-path rule. If it fails it is pass-through. Is there a way they can let you know the exact IP addresses they are using on SSL to differentiate them? I was thinking perhaps to use a host label to define them...

        R
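
The first-match behaviour stated in the last reply, as an added example that is not part of the thread and is not Riverbed code: a simplified model in which a SYN is matched on destination address and port only, so two rules with the same subnet and port-label cannot both be reached, while a host label for the SSL servers can. The subnet, ports, host addresses and rule names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    dst: tuple         # destination networks: a subnet, or the members of a host label
    ports: frozenset   # members of the port-label
    preopt: str        # pre-optimisation policy applied if this rule is selected

    def matches(self, dst_ip, dst_port):
        ip = ipaddress.ip_address(dst_ip)
        return dst_port in self.ports and any(ip in net for net in self.dst)

def select_rule(rules, dst_ip, dst_port):
    """First match wins. A SYN exposes addresses and ports, not SSL vs. plain."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule
    return None  # nothing matched: left to the default rule

def shadowed(rules):
    """Names of rules fully covered by an earlier rule, so never selected."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            covered = rule.ports <= earlier.ports and all(
                any(net.subnet_of(e) for e in earlier.dst) for net in rule.dst)
            if covered:
                hidden.append(rule.name)
                break
    return hidden

# Constructed sample values (assumptions, not taken from the thread).
PORTS = frozenset({9000, 9001})
SUBNET = ipaddress.ip_network("10.1.20.0/24")
DEV_SSL_HOSTS = (ipaddress.ip_network("10.1.20.50/32"),
                 ipaddress.ip_network("10.1.20.51/32"))

# Two rules with identical subnet and ports: the second is unreachable.
SAME_MATCH = [Rule("ssl", (SUBNET,), PORTS, "SSL"),
              Rule("forms", (SUBNET,), PORTS, "Oracle Forms")]

# SSL rule narrowed to a host label, placed above the subnet-wide rule.
HOST_LABEL = [Rule("ssl-dev", DEV_SSL_HOSTS, PORTS, "SSL"),
              Rule("forms", (SUBNET,), PORTS, "Oracle Forms")]
```

In the first rule set every session to the subnet, plain or SSL, is handed the SSL policy; `shadowed()` makes that visible before the rules are deployed.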