On Wed, Feb 20, 2002 at 10:58:34AM -0600, Austad, Jay wrote: 
> > Why don't you just set up an SSL proxy server that sits 
> > between the client
> > and your web farm?
> 
> Because I don't want to send all traffic through it.  Only about 1/4 of our
> traffic is SSL.  I'd need to put Gig interfaces on the SSL device to send
> all traffic through it.  Plus, by sending all traffic through it, it becomes
> a single point of failure.

I meant to suggest that you forward only https/443 traffic to the SSL proxy 
using your load balancer, if such a feature is provided. Add SSL proxies, for 
redundancy and server load, as needed. It might be too expensive but I think
it should work.

You could replace the SSL proxies with SSL accelerator boxes and additional 
server NICs if you wanted. Otherwise, you could consider the PCI SSL 
coprocessors. These two probably don't scale well.

The easiest thing to do is probably to get some case studies from the vendors
and figure out why everybody else wants a bridge and you want a router.

-- 
Michael
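One way to wire up what Michael describes (only port 443 diverted to a redundant SSL proxy pool, plain HTTP straight to the web farm), shown here as an added HAProxy configuration that is not part of the original thread; hostnames, addresses and the /healthz path are constructed placeholders, and the SSL proxies are assumed to be separately configured to terminate TLS and forward clear HTTP to the same web farm.

```haproxy
# Added example (not from the thread): load balancer that sends only
# port-443 traffic through a pool of SSL-terminating proxies while
# port-80 traffic goes directly to the web farm.
# All addresses below are constructed placeholders.

global
    log /dev/log local0
    maxconn 20000

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP never touches the SSL proxies, so they need only carry
# the ~1/4 of traffic that is actually SSL.
frontend http_in
    bind *:80
    mode http
    option httplog
    default_backend web_farm

# Port 443 is passed through unmodified (TCP mode) to the SSL proxy pool;
# the proxies terminate TLS and hand clear HTTP to the web farm themselves.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    default_backend ssl_proxies

backend web_farm
    mode http
    balance roundrobin
    option httpchk GET /healthz
    server web1 10.0.1.11:80 check
    server web2 10.0.1.12:80 check
    server web3 10.0.1.13:80 check

backend ssl_proxies
    mode tcp
    balance leastconn
    # Both proxies are active; a failed one is pulled from rotation after
    # three missed checks, so HTTPS has no single point of failure.
    server sslproxy1 10.0.2.21:443 check inter 2s fall 3 rise 2
    server sslproxy2 10.0.2.22:443 check inter 2s fall 3 rise 2
```

The leg from the SSL proxies to the web farm carries decrypted HTTP, so keep it on a network segment that is not reachable from the client side.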