When an ACE is configured in one-arm mode and only L3/L4 load balancing is enabled for a web site, is SSL termination on the ACE required? I'm trying to wrap my head around how the client's traffic will be encrypted if the ACE does NOT terminate SSL, since one arm mode creates two connections - one to the client and one to the rserver.

There's a few ways you can do it. You can go without SSL termination, you can have the ACE terminate the SSL connection and pass on unencrypted, or you can have the ACE terminate SSL, then in turn use SSL to connect to the server.

It's really up to you.

_________________
blog.brokennetwork.ca

I'm familiar with the various SSL options (termination, backend, and end-to-end), but I wasn't sure if either of the 3 were a requirement when load balancing SSL traffic. It doesn't sound like they are.

Nope, none are required.

Mobile Post

_________________
blog.brokennetwork.ca

I would do this and offload the ssl unencrypted back to the servers/reals you are load balancing to. Its always easiest to apply the cert on the Ace.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!

if you have monitoring requirements, you should terminate the SSL on the firewall, then send it on to the server unencrypted through the trusted network, so the traffic can be monitored. monitoring SSL encrypted traffic is difficult.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw