When setting up SSL offloading on a Foundry ServerIron 4G-SSL, the default installation allows weak ciphers (e.g. DES, 56-bit) and SSLv2. This is not a recommended setup, especially if you have to comply with certain security certifications, such as PCI. The Foundry documentation does not give a lot of information on the ciphers that are supported. Below are the commands to disable SSLv2 and allow only strong ciphers on an SSL-accelerated host.

To change the SSL profile of a virtual server, always follow these steps:

  1. Remove the ssl profile from the virtual server
  2. Change the ssl profile settings
  3. Enable the ssl profile on the virtual server


server virtual vservername
no port ssl ssl-terminate sslprofilename
exit

ssl profile sslprofilename
disable-ssl-v2
no cipher-suite all-cipher-suites
cipher-suite rsa-with-3des-ede-cbc-sha
cipher-suite rsa-with-aes-128-sha
cipher-suite rsa-with-aes-256-sha
cipher-suite rsa-with-rc4-128-md5
cipher-suite rsa-with-rc4-128-sha
exit

server virtual vservername
port ssl ssl-terminate sslprofilename

I’ve had to configure a couple of ServerIron loadbalancers over the last couple of months, and each time it surprised me that there are very few example configurations available. I’ve included a diagram with a sample network and the basic (not secured) configuration of the ServerIron to do basic HTTP load balancing in a one-armed setup.

The ‘server source-ip’ statement is used to connect real servers that are in a different subnet than the load balancer. You can define source IP addresses on a ServerIron system running switch code to place it in a multi-netted environment; these source IP addresses could potentially be used as default gateways for the real servers. You can also define source NAT IP addresses when using source NAT. The ‘source nat’ statement changes the source IP address of each request, so the IP address of the load balancer is what appears in the access logs on the web server. This can cause problems for log analysis or geo-IP processing. The example config does not use the ‘source nat’ function.

I’m aware of the fact that this configuration can be improved in many ways, but as stated before, this is just an example for people that are struggling to get their first ServerIron up and running, and can’t find any working config for their situation.

[diagram: serveriron-diagram]

server source-ip 192.168.11.2 255.255.255.0 192.168.11.1
!
context default
!
server real web01 192.168.11.10
port http
port http url "HEAD /"
!
server real web02 192.168.11.20
port http
port http url "HEAD /"
!
server real web03 192.168.11.30
port http
port http url "HEAD /"
!
!
server virtual wts-virt1 192.168.11.100
predictor least-conn
port http
bind http web01 http web02 http web03 http
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 by port
!
aaa authentication web-server default local
no enable aaa console
ip address 192.168.11.254 255.255.255.0
ip default-gateway 192.168.11.1
username admin XXX
!
end

server source-ip 192.168.10.2 255.255.255.0 192.168.10.1
!
context default
!
server real web01 192.168.10.10
port http
port http url "HEAD /"
!
server real web02 192.168.10.20
port http
port http url "HEAD /"
!
server real web03 192.168.10.30
port http
port http url "HEAD /"
!
!
server virtual wts-virt1 192.168.10.100
predictor least-conn
port http
bind http web01 http web02 http web03 http
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 by port
!
aaa authentication web-server default local
no enable aaa console
ip address 192.168.10.254 255.255.255.0
ip default-gateway 192.168.10.1
telnet server
username admin password .....
password-change telnet-cli
snmp-server
!
en
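Before a ServerIron goes into a PCI scope, both pieces of this post deserve a check: that every SSL profile really has SSLv2 and the default all-cipher-suites list turned off and lists no weak suites, and that the virtual server binds only real servers and SSL profiles that are actually defined. The Python script below is an added example, not code from the original post or from Foundry. It parses a ServerIron-style config (stanzas separated by '!') and reports those problems, plus real servers without a URL health check. The sample config, the 192.168.10.x addresses, the profile name 'legacy' and the suite name 'rsa-with-des-cbc-sha' are constructed for the example, and the script assumes, following the post's description of the default installation, that a profile allows every cipher suite until 'no cipher-suite all-cipher-suites' is issued. It also goes beyond the post's own cipher list: RC4 and 3DES, which the post lists as strong, are reported as medium findings because they have since been deprecated (RC4 is prohibited for TLS by RFC 7465).

```python
"""Offline audit of a Foundry ServerIron-style configuration (added example)."""

# Constructed sample: the post's SSL profile plus a one-armed HTTP virtual
# server. Addresses, the 'legacy' profile and rsa-with-des-cbc-sha are made up.
SAMPLE_CONFIG = """\
server source-ip 192.168.10.2 255.255.255.0 192.168.10.1
!
server real web01 192.168.10.10
port http
port http url "HEAD /"
!
server real web02 192.168.10.20
port http
!
ssl profile sslprofilename
disable-ssl-v2
no cipher-suite all-cipher-suites
cipher-suite rsa-with-3des-ede-cbc-sha
cipher-suite rsa-with-aes-256-sha
cipher-suite rsa-with-rc4-128-md5
!
ssl profile legacy
cipher-suite rsa-with-des-cbc-sha
!
server virtual wts-virt1 192.168.10.100
port http
port ssl ssl-terminate sslprofilename
bind http web01 http web02 http web03 http
!
"""

# Substrings of cipher-suite names that indicate a weak algorithm.
WEAK_CIPHER_MARKERS = (
    ("null", "HIGH", "no encryption"),
    ("export", "HIGH", "export-grade key length"),
    ("des40", "HIGH", "40-bit DES"),
    ("-des-", "HIGH", "single DES, 56-bit key"),
    ("md5", "MEDIUM", "HMAC-MD5 integrity"),
    ("rc4", "MEDIUM", "RC4, prohibited for TLS by RFC 7465"),
    ("3des", "MEDIUM", "3DES, 64-bit block size (Sweet32)"),
)


def parse_stanzas(config_text):
    """Split a config into '!'-delimited stanzas; each stanza is a list of lines."""
    stanzas, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":
            if current:
                stanzas.append(current)
            current = []
        elif line and line not in ("exit", "end", "en"):
            current.append(line)
    if current:
        stanzas.append(current)
    return stanzas


def audit_ssl_profile(name, body):
    """Replay the cipher-suite commands of one 'ssl profile' stanza in order."""
    findings, enabled = [], set()
    # Assumption from the post: a fresh profile allows every suite until
    # 'no cipher-suite all-cipher-suites' is issued.
    all_suites, sslv2_disabled = True, False
    for line in body:
        words = line.split()
        if words == ["disable-ssl-v2"]:
            sslv2_disabled = True
        elif words[:2] == ["no", "cipher-suite"] and len(words) > 2:
            if words[2] == "all-cipher-suites":
                all_suites, enabled = False, set()
            else:
                enabled.discard(words[2])
        elif words[0] == "cipher-suite" and len(words) > 1:
            if words[1] == "all-cipher-suites":
                all_suites = True
            else:
                enabled.add(words[1])
    if not sslv2_disabled:
        findings.append(("HIGH", f"ssl profile {name}: SSLv2 not disabled"))
    if all_suites:
        findings.append(("HIGH", f"ssl profile {name}: all-cipher-suites enabled"))
    for suite in sorted(enabled):
        for marker, severity, reason in WEAK_CIPHER_MARKERS:
            if marker in suite:
                findings.append((severity, f"ssl profile {name}: {suite} ({reason})"))
    return findings


def audit_config(config_text):
    """Return (severity, message) findings for SSL profiles and server bindings."""
    findings, reals, profiles, virtuals = [], set(), {}, []
    for stanza in parse_stanzas(config_text):
        head = stanza[0].split()
        if head[:2] == ["server", "real"]:
            reals.add(head[2])
            if not any(l.startswith("port ") and " url " in l for l in stanza[1:]):
                findings.append(("MEDIUM", f"real server {head[2]}: no URL health check"))
        elif head[:2] == ["ssl", "profile"]:
            profiles[head[2]] = stanza[1:]
        elif head[:2] == ["server", "virtual"]:
            virtuals.append((head[2], stanza[1:]))
    for name, body in profiles.items():
        findings.extend(audit_ssl_profile(name, body))
    for vname, body in virtuals:
        for line in body:
            words = line.split()
            if words[:3] == ["port", "ssl", "ssl-terminate"]:
                profile = words[3] if len(words) > 3 else ""
                if profile not in profiles:
                    findings.append(("HIGH", f"virtual {vname}: undefined ssl profile {profile!r}"))
            elif words[0] == "bind":
                # bind <vport> <real> <rport> [<real> <rport> ...]
                for real in words[2::2]:
                    if real not in reals:
                        findings.append(("HIGH", f"virtual {vname}: bound to undefined real server {real}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```

Run against the sample, the script flags the 'legacy' profile for SSLv2 and all-cipher-suites, the single-DES suite, the RC4/MD5 and 3DES suites in 'sslprofilename', web02's missing health check and the bind to the undefined web03; a profile that disables SSLv2, clears all-cipher-suites and enables only AES suites produces no findings. Because the cipher-suite commands are replayed in order, a later 'no cipher-suite' line correctly removes a suite added earlier, which is exactly the change-profile procedure the first part of the post describes.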