
ADC Lab 3

HTTPS Virtual Server


Version 4.1.0 (12/16/16)
Lab 3 Overview
In this lab you will configure and verify the functionality of a Layer 7 HTTPS Virtual Server in
an SSL Offload scenario.

Continuing from Lab 3: HTTP Virtual Server


When starting this lab immediately after successfully completing Lab 2, proceed to the
Initial Device Verification section.

Starting from all Other Chassis Conditions


When starting this lab from any other starting point, prepare the devices by opening
Appendix A and proceeding to section Device Preparation: Lab 3 – HTTPS Virtual Server.

Initial Device Verification


Open an SSH session to the vMaster (1.0.0.10).
Periodically display aVCS status to monitor reload progress.
repeat 5 show vcs summary
The reload is complete when aVCS output is stable for at least 30 seconds. Exit the
repeat command by pressing Control-C.
Verify the configuration. Contact your instructor if your output differs significantly from
the shown output.
show vcs summary

A10 ADC 4.1.0 (12/16/16) Lab 3: HTTPS Virtual Server Page 2 of 6


show vrrp-a

Verify connectivity to the servers.


ping 210.0.0.11
ping 210.0.0.12
Verify the servers and service group created in the Load Balancing Concepts lab are
configured on your device.
show slb server config
show slb service-group



HTTPS Virtual Server with SSL-Offload
Servers and Service Group
The HTTPS Virtual Server uses previously configured servers (S1 and S2) and service
group (SG-HTTP). The Initial Device Verification section includes commands that verify
these objects are configured and functioning.

Source NAT
1. Create a NAT Pool for SSL offload and assign it to VRID 2. Verify the configuration.
ip nat pool NAT-SSL 200.0.0.22 200.0.0.22 netmask /24 vrid 2
show ip nat pool

SSL Certificate and Key


2. Create the CT-CERT1 certificate.
pki create certificate CT-CERT1
Creating the certificate prompts for several values. A range starting with 0 (for example 0~31)
marks an optional field; a range starting with 1 or more marks a required field. Enter the
values shown after each prompt; <Enter> accepts the default or leaves an optional field empty.
input key bits…default 1024: <Enter>
input Common Name, 1~64: a10training.com
input Division, 0~31: <Enter>
input Organization, 0~63: ADC_Class
input Locality, 0~31: <Enter>
input State or Province, 0~31: <Enter>
input Country, 2 characters: US
input email address, 0~64: <Enter>
input valid days…default 730: <Enter>
3. Verify the certificate.
show pki cert CT-CERT1

SSL Template
4. Create a client SSL template (TP-CSSL). Add the certificate and key. Verify.
slb template client-ssl TP-CSSL
cert CT-CERT1
key CT-CERT1
show slb template client-ssl TP-CSSL



Virtual Server (VIP)
5. Create a Virtual Server named VIP-SSL and assign it to VRID 2:
slb virtual-server VIP-SSL 100.0.0.22
vrid 2
6. Add the HTTPS Virtual Port and previously configured elements:
port 443 https
service-group SG-HTTP
source-nat pool NAT-SSL
template persist cookie TP-CPERS
template client-ssl TP-CSSL
template http TP-CLIENT-IP
7. Confirm the virtual server configuration.
show running-config | sec VIP-SSL

Verifying functionality
8. In your browser, open another tab and connect to https://100.0.0.22/
9. Accept the self-signed certificate to display the It works! page.
10. Reload the page a few times. All images should come from the same server.
11. Verify the certificate sent from the ACOS device.
Right click on the It works! page.
Select View Page Info.
Click Certificate information to see the certificate.
The certificate should display the information you entered when creating CT-CERT1.
12. Verify the cookie sent from the ACOS device.
Right click on the It works! web page.
Select Inspect.
Select Resources in the menu bar.
Expand Cookies in the vertical Resource list.
Identify the persistence cookie set by the ACOS device.
13. Open an http (NOT https) browser connection to http://100.0.0.22/
This demonstrates the effect of attempting to connect to the virtual server by http
instead of https.
It should eventually time out. The next section solves that problem transparently.



Transparent redirect
14. Import an aFlex script that redirects requests from port 80 to 443 (this command is
entered at the ACOS enable prompt):
import aflex AF-RDRCT ftp://ftp@1.0.0.100/BaseConfig/ADC41/redirect1.tcl

15. Open VIP-SSL, add port 80 http, then apply the redirect1 aFlex script to the port:
slb virtual-server VIP-SSL
port 80 http
aflex AF-RDRCT
16. Display contents of the redirect script, which was applied on port 80. What does it do?
show aflex AF-RDRCT
17. Examine the state of the VIP:
show slb virtual-server VIP-SSL
18. Verify that ACOS displays the following states:
VIP-SSL: Functional Up
virtual port 443: All Up
virtual port 80: Functional Up
Because the port 80 configuration only binds the aFlex script to the port (no service group is
assigned), both the VIP and the HTTP port report a status of Functional Up rather than Up.
Typically, UP status requires the following:
A virtual port status of UP requires a service group to be explicitly configured on the port.
A VIP status of UP requires service groups to be explicitly configured on all of its virtual ports.
19. Confirm the script is functioning properly: in a new browser tab, open a connection to
http://100.0.0.22/
You should be automatically redirected to https://100.0.0.22/
20. Save your configuration for future use:
write mem
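The browser checks in steps 9 through 13 and 19 can also be done from a script, which is useful when you want to re-verify the VIP after every configuration change. The following Python example is added here and is not part of the A10 lab guide: it checks that the certificate subject served on port 443 carries the values entered for CT-CERT1, that a port 80 response is a redirect to the same host over https, and that repeated HTTPS responses carry one unchanging persistence cookie. All inputs are constructed samples; the cookie name LAB-PERSIST is a placeholder, since the name the TP-CPERS template actually sets is not shown in the lab.

```python
"""Client-side verification helpers for the Lab 3 VIP (added example,
not A10 code). All sample data below is constructed."""
from urllib.parse import urlsplit

# Values entered in the "pki create certificate CT-CERT1" dialog.
EXPECTED_SUBJECT = {
    "commonName": "a10training.com",
    "organizationName": "ADC_Class",
    "countryName": "US",
}

# Placeholder cookie name (assumption): the lab does not show the real
# name that the TP-CPERS cookie-persistence template sets.
COOKIE_NAME = "LAB-PERSIST"


def subject_fields(cert):
    """Flatten the 'subject' tuple-of-tuples used by ssl.getpeercert()
    into a plain attribute -> value dict."""
    out = {}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            out[attr] = value
    return out


def check_cert_subject(cert, expected=EXPECTED_SUBJECT):
    """Return the expected attributes that are missing or differ.
    An empty list means the served certificate matches the lab values."""
    got = subject_fields(cert)
    return [k for k, v in expected.items() if got.get(k) != v]


def header(headers, name):
    """Case-insensitive lookup in a list of (name, value) header pairs,
    the shape http.client.HTTPResponse.getheaders() returns."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def check_redirect(status, headers, host, path="/"):
    """True when a port 80 response redirects to the same host and path
    over https, which is what the bound aFlex script should produce."""
    if status not in (301, 302, 303, 307, 308):
        return False
    u = urlsplit(header(headers, "Location") or "")
    return u.scheme == "https" and u.hostname == host and (u.path or "/") == path


def persistence_cookie(headers, name):
    """Return the value of the named cookie from a Set-Cookie header,
    or None if the response did not set it."""
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        cookie_name, _, rest = v.partition("=")
        if cookie_name.strip() == name:
            return rest.split(";", 1)[0].strip()
    return None


def same_server(cookie_values):
    """Step 10: reloads should keep landing on one server, so the
    persistence cookie value must not change between responses."""
    return len(cookie_values) > 0 and len(set(cookie_values)) == 1


# Constructed sample: what getpeercert() would return for CT-CERT1 after
# the lab's self-signed certificate has been trusted by the client.
SAMPLE_CERT = {
    "subject": ((("commonName", "a10training.com"),),
                (("organizationName", "ADC_Class"),),
                (("countryName", "US"),)),
    "issuer": ((("commonName", "a10training.com"),),),
}
# Constructed sample: port 80 response once the redirect aFlex is bound.
SAMPLE_REDIRECT = (302, [("Location", "https://100.0.0.22/"),
                         ("Content-Length", "0")])
# Constructed sample: two HTTPS responses carrying the persistence cookie.
SAMPLE_HTTPS = [
    (200, [("Set-Cookie", COOKIE_NAME + "=AAABBB; path=/"), ("Content-Type", "text/html")]),
    (200, [("Set-Cookie", COOKIE_NAME + "=AAABBB; path=/"), ("Content-Type", "text/html")]),
]


def run_checks():
    """Run all three checks over the constructed samples."""
    cookies = [persistence_cookie(h, COOKIE_NAME) for _, h in SAMPLE_HTTPS]
    return {
        "cert_ok": check_cert_subject(SAMPLE_CERT) == [],
        "redirect_ok": check_redirect(*SAMPLE_REDIRECT, host="100.0.0.22"),
        "persist_ok": all(c is not None for c in cookies) and same_server(cookies),
    }


if __name__ == "__main__":
    print(run_checks())
```

To run these against the live VIP, feed `check_cert_subject` the dict from `ssl.SSLSocket.getpeercert()` and the other two functions the status and `getheaders()` list from `http.client`. Note that `getpeercert()` returns this dict only after the chain was validated, so the self-signed CT-CERT1 has to be added to the client's trust store (for example with `SSLContext.load_verify_locations`) before its subject can be compared; disabling verification would return an empty dict and hide a wrong certificate.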
