SSi Service Strategies Inc.

Trans-wich Mode

 

 

 


SSL Trans-wich Mode Deployment

Trans-wich (Transparent Sandwich) Mode

This configuration method employs a minimum of two content switches—one on either side of an SSL-x device or devices—to form an easily scalable SSL offloading solution. The design uses both an upstream and a downstream content switch. The upstream content switch has the following characteristics:

- It will be the content switch closest to the perimeter of the network.

- It will require that one separate VLAN be configured for each sandwiched SSL-x.

- It will be required to balance and transparently redirect traffic received on a particular TCP port (e.g. port 443) to the IP address of the complementary VLAN on the downstream content switch. All non-SSL traffic could be directed to the downstream content switch via an alternate or dedicated link.

Transparent Sandwich Configuration

High availability is offered in this configuration via the content switch’s health-check mechanism; if one of the SSL-x devices, one of the complementary VLAN ports, or one of the real-server farms fails, the content switch should recognize its unavailability and remove it from its eligible redirection list.

The downstream content switch is configured in much the same fashion as the single content switch in the In-Line configuration. Its only specific configuration requirement is the need for complementary VLANs. Through its VLAN definitions, it receives decrypted traffic redirected from the upstream content switch through the SSL-x. The actual packet flow is depicted in figure 7. The downstream content switch is also responsible for the Virtual IP address, i.e. the destination IP address to which clients will connect, and for the associated real-servers belonging to that VIP.

The SSL-x sits inline between the two content switches. When the upstream content switch receives TCP port 443 traffic, it redirects it to the IP address of the downstream content switch’s VLAN. During this redirection, the SSL-x intercepts traffic designated within its SSL-Server definition, decrypts it, and forwards the unencrypted traffic to the downstream content switch where it is balanced to the real-server farm. The return traffic flow is the effective reverse of this.
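The upstream switch's redirection decision described above can be modeled as follows. This is an added example, not SSi or vendor code: the class and function names, VLAN IDs and addresses are constructed, and the hash-based balancing and the choice to drop port 443 flows when no path is healthy are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

SSL_PORT = 443  # the page's example of the redirected TCP port


@dataclass
class Path:
    """One sandwiched SSL-x: upstream VLAN -> SSL-x -> complementary downstream VLAN."""
    vlan_id: int
    downstream_vlan_ip: str   # redirect target on the downstream content switch
    sslx_up: bool = True      # health of the SSL-x device
    vlan_port_up: bool = True # health of the complementary VLAN port
    farm_up: bool = True      # health of the real-server farm behind it

    def healthy(self) -> bool:
        # Any one of the three failures named on the page removes the path.
        return self.sslx_up and self.vlan_port_up and self.farm_up


def eligible(paths):
    """The switch's current redirection list: only fully healthy paths."""
    return [p for p in paths if p.healthy()]


def redirect(paths, client_ip, client_port, dst_port):
    """Return the next hop for a new flow, or None when the flow is dropped."""
    if dst_port != SSL_PORT:
        return "dedicated-link"  # non-SSL traffic bypasses the SSL-x devices
    live = eligible(paths)
    if not live:
        # Assumption: fail closed. Port 443 traffic is never sent over the
        # non-SSL link, where it would reach the downstream switch undecrypted.
        return None
    # Assumption: hash-based balancing so one client flow stays on one SSL-x.
    key = f"{client_ip}:{client_port}".encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(live)
    return live[idx].downstream_vlan_ip


def sample_paths():
    """Constructed topology: two SSL-x devices, one VLAN each."""
    return [Path(101, "10.0.101.1"), Path(102, "10.0.102.1")]


if __name__ == "__main__":
    paths = sample_paths()
    print(redirect(paths, "198.51.100.7", 40000, 443))
    paths[0].sslx_up = False  # health check marks the first SSL-x as failed
    print(redirect(paths, "198.51.100.7", 40000, 443))
```
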


 

Service Strategies Inc.

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

678-441-0020   800-662-1615

assist@ssimail.com

Copyright © 1998 - 2002 Service Strategies Inc. All rights reserved.
Revised: April 04, 2005.