/cfg/slb/virt <server number>/service/ssl
Virtual Server SSL Service Configuration Menu
The following menu example is application-specific and includes only the application-specific commands. For all common commands, refer to /cfg/slb/virt <server id>/service/basic-slb Virtual Server Basic SLB Service Configuration Menu.
 
[Virtual Server 33 125 ssl Service Menu]
ssl - SSL Load Balancing Menu
appshape - AppShape++ Menu
tcpopt - TCP Optimization Menu
pip - Proxy IP Menu
group - Set real server group number
rport - Set real port
hname - Set hostname
cont - Set BW contract for this virtual service
pbind - Set persistent binding type
thash - Set hash parameter
tmout - Set minutes inactive connection remains open
ptmout - Set in minutes for inactive persistent connection
dbind - Enable/disable/forceproxy delayed binding
clsrst - Enable/disable send RST on connection close
nonat - Enable/disable only substituting MAC addresses
direct - Enable/disable direct access mode
mirror - Enable/disable session mirroring
winsize0 - Enable/disable using window size zero in SYN+ACK
sesslog - Enable/disable session logging
del - Delete virtual service
cur - Display current virtual service configuration
 
Virtual Server SSL Service Configuration Options (/cfg/slb/virt/service/ssl) 
Command Syntax and Usage
ssl <srvrcert|sslpol|cur>
 
Displays the SSL Load Balancing menu. To view this menu, see /cfg/slb/virt <server number>/service/ssl SSL Load Balancing Menu.
appshape++
 
Displays the AppShape++ menu for managing AppShape++ scripts. To view this menu, see /cfg/slb/virt/service/basic-slb/appshape AppShape++ Menu.
tcpopt
 
Displays the TCP Optimization menu for adding a TCP optimization policy to the client-side and server-side flows of a virtual service. To view this menu, see /cfg/slb/virt/service/basic-slb/tcpopt TCP Optimization Menu.
pip
 
Displays the Proxy IP menu. To view this menu, see /cfg/slb/virt/service/basic-slb/pip Proxy IP Menu.
group <real server group ID (alphanumeric)>
 
rport <real server port (0, 1, 5-65534)>
 
Defines the real server TCP or UDP port assigned to this service. By default, this is the same as the virtual port (service virtual port). If rport is configured to be different than the virtual port defined in /cfg/slb/virt <number> /service <virtual port>, Alteon maps the virtual port to this real port.
When configuring an SSL-based virtual service, the rport value usually depends on whether encryption between Alteon and the back-end servers is enabled (that is, whether back-end encryption is used). The back-end encryption setting is part of the associated SSL policy configuration using the bessl (back-end listening port) command (see a description of this command in /cfg/slb/ssl/sslpol SSL Policy Menu). The following describes how rport is set based on the bessl setting:
* When Alteon offloads SSL traffic from the servers, and back-end encryption is not used, the servers are usually configured to listen on port 80. Therefore, rport is automatically set to 80.
* When Alteon offloads SSL traffic from the servers, and back-end encryption is used, the servers are usually configured to listen on port 443. Therefore, rport is automatically set to 443. For more information, see /cfg/slb/virt <server id>/service/basic-slb Virtual Server Basic SLB Service Configuration Menu.
Notes:
You can also configure SSL offloading for other protocols encrypted by SSL by using SSL as the application type. To select the virtual service application type, see /cfg/slb/virt <server number> /service <virtual port or application name> Virtual Server Service Configuration.
When using the SSL application type, HTTP-based capabilities such as setting HTTP redirection conversion, setting the SSL client information, or passing authentication policy information to the back-end servers are not available. Also, this capability is not supported for protocols that include special treatment of SSL, such as FTPS, SMTPS and POPS.
If your network environment requires it, you can change the default back-end listening port.
Note: If you have associated an SSL policy with a virtual service but have not yet configured the SSL policy, the default value of the listening port is set to the same value as the virtual service port. When you eventually set the back-end encryption using the bessl command, you receive a message similar to the following, based on how you configure the back-end listening port:

Note: You may want to update rport in the following virtual services associating this SSL policy:

virt 1 service 443 HTTPS
virt 3 service 8080 HTTPS
Note: If you set rport to 0 (meaning that no specific port is defined), Alteon determines the back-end listening port based on the SSL policy definition and dynamically sets the real port as appropriate.
hname <hostname> |none
 
cont <BWM Contract (0-1024), 0 for VIP default>
 
pbind clientip|sslid|disable
 
Specifies the parameter that defines a persistent session.
Values:
* clientip — Uses the client IP address as the session identifier, and associates all connections from the same client with the same real server until the client becomes inactive, and the persistent entry is aged out of the session table.
  Different services from the same client may not map to the same server.
  The real server connection timeout value (/cfg/slb/real/tmout) controls how long these inactive but persistent connections remain associated with their real servers.
  When the client resumes activity after their connection has been aged out, they are connected to the most appropriate real server based on the load balancing metric.
  An alternative approach may be to use the /cfg/slb/group/content/metric command to set the minmisses or hash real server group metrics.
  With clientip enabled, Alteon maps HTTP and HTTPS traffic from the same client to the same server regardless of the load balancing metric used because the services are related.
  For more information, see Server Load Balancing Metrics.
* sslid — Alteon records the SSL session ID and server, and directs all subsequent SSL sessions which present the same session ID to the same real server.
  Available only for HTTPS and SSL services without SSL offload.
  Alteon does not support the sslid option when you set the virtual service /cfg/slb/virt/service/dbind command to forceproxy.
* disable — Disables persistence for this service.
Default: disable
thash sip|sip+sport
 
tmout
 
ptmout
 
dbind disable|forceproxy
 
clsrst disable|enable
 
Enables or disables client reset.
Values:
* disable — When Alteon receives a FIN message from the client, it performs a graceful closure of both client-side and server-side sessions.
* enable — When Alteon receives a FIN message from the client, it closes the server-side session entry using RST for fastage.
Note: To enable session reset on connection close, full proxy mode (forceproxy) must be enabled.
Default: disable
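
The constraints stated above for rport, pbind and clsrst can be checked before a change is committed. The following Python lint is an added example and is not part of the Alteon guide or software; the input format, the function names parse_settings and lint_ssl_service, and the ssl_offload and backend_ssl parameters are assumptions made for illustration.

```python
import re

# Constructed sample: one service's settings written in this page's command
# syntax. This is an assumed simplified form, not an actual Alteon config dump.
SAMPLE = """\
rport 80
pbind sslid
dbind disable
clsrst enable
"""

def parse_settings(text):
    """Return {command: value} for lines of the form '<command> <value>'."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\S+)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def lint_ssl_service(settings, ssl_offload, backend_ssl):
    """Check one service against the constraints stated in this section.

    ssl_offload and backend_ssl are hypothetical inputs describing the
    associated SSL policy (back-end encryption is set there with bessl).
    """
    findings = []
    pbind = settings.get("pbind", "disable")    # page default: disable
    clsrst = settings.get("clsrst", "disable")  # page default: disable
    dbind = settings.get("dbind")
    rport = settings.get("rport")
    if pbind == "sslid" and dbind == "forceproxy":
        findings.append("pbind sslid is not supported with dbind forceproxy")
    if pbind == "sslid" and ssl_offload:
        findings.append("pbind sslid is available only without SSL offload")
    if clsrst == "enable" and dbind != "forceproxy":
        findings.append("clsrst enable requires dbind forceproxy")
    # rport 0 lets Alteon choose the port from the SSL policy; unset is skipped.
    if ssl_offload and rport not in (None, "0"):
        usual = "443" if backend_ssl else "80"
        state = "on" if backend_ssl else "off"
        if rport != usual:
            findings.append(f"review rport {rport}: servers usually listen on "
                            f"{usual} when back-end encryption is {state}")
    return findings

if __name__ == "__main__":
    for finding in lint_ssl_service(parse_settings(SAMPLE), True, True):
        print("-", finding)
```

The rport finding is a prompt to review, not an error, because the guide says only that servers are usually configured to listen on those ports.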
nonat disable|enable
 
direct disable|enable
 
mirror disable|enable
 
winsize0 disable|enable
 
sesslog disable|enable
 
Specifies whether to enable or disable session logging.
Session logs are sent to the syslog servers via the data port when the sessions are deleted or aged out. The Alteon switch processor sends the buffered session logging data to the syslog server at regular intervals (every 30 seconds) if the buffer is not completely filled. No session syslog is sent if no sessions have aged out during a 30-second interval.
Note: Syslog servers configured on Alteon must be accessible via the data ports.
Default: disable
del
 
cur