It's really your call. If Netscaler can handle SSL in hardware, it would be able to offload the CAS servers from encryption processing. The beauty of this approach is that you only have one certificate and one host that has to match the name in the certificate.
Since a CAS cluster commonly does not rely on sticky sessions, your VIP does not have to look at the payload, so it could also just pass through encrypted traffic. Each CAS cluster node would then have to have a copy of a certificate with the same name, and you'd have to make sure that each node accepts the name in the certificate. This would require playing some DNS or /etc/hosts tricks because the end users must accept that your VIP is the CAS host.

Adam Rolly Ferolino wrote:
> Hello,
>
> We are in the process of implementing CAS in a four-node cluster
> behind a Netscaler VIP. What is the best practice for hosting the SSL
> certificate? Do we host it on VIP or the servers? If the VIP is
> accepting requests on port 443, do we forward that request to CAS
> server port 8443 (SSL) or to port 80 or 8080 (non-SSL)?
>
> Thanks,
>
> --
> Rolly Ferolino
> [email protected]
> University of Phoenix
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
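For the pass-through option described in the reply above, one way to confirm that every node presents a certificate covering the VIP's name. This is an added example, not part of the original thread; the name cas.example.edu, the 192.0.2.x addresses, the sample certificate dicts and all function names are constructed for illustration.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names in a getpeercert()-style dict: SAN entries, else legacy subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or a '*' that stands for exactly the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def audit(vip_name, node_certs):
    """Map each node to whether its certificate covers the VIP's name."""
    return {node: any(name_matches(n, vip_name) for n in cert_names(cert))
            for node, cert in node_certs.items()}

def fetch_cert(node_addr, port, vip_name, cafile=None):
    """Connect to one node by address, sending the VIP name as SNI (no DNS tricks)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; audit() reports name mismatches
    with socket.create_connection((node_addr, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=vip_name) as tls:
            return tls.getpeercert()

# Constructed sample: what fetch_cert() might return for a four-node cluster.
VIP_NAME = "cas.example.edu"
SAMPLE_CERTS = {
    "192.0.2.11": {"subjectAltName": (("DNS", "cas.example.edu"),)},
    "192.0.2.12": {"subjectAltName": (("DNS", "*.example.edu"),)},
    "192.0.2.13": {"subjectAltName": (("DNS", "cas3.example.edu"),)},  # node's own name
    "192.0.2.14": {"subject": ((("commonName", "cas.example.edu"),),)},
}

if __name__ == "__main__":
    for node, ok in audit(VIP_NAME, SAMPLE_CERTS).items():
        print(node, "OK" if ok else "certificate does not cover " + VIP_NAME)
```

Against a live cluster, build the dict with `fetch_cert(addr, 8443, VIP_NAME)` for each node address instead of the sample data.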
