This morning I saw the following from Alasdair Patton under Matt's question on "Location has # of users, but many show no requests":
"...if I monitor a proxy server on port 8080 and I choose the HTTP decode, if the traffic to that server on port 8080 could be HTTP or SSL I would only see operations for the HTTP traffic as SSL traffic doesn't match the software service analyzer..."
So my question is how do people typically decode the HTTP and HTTPS traffic given this situation? Is it better to use the "Generic (with Transaction)" decode here, or is something else typically done?
I did notice a previous post that suggested using two AMDs and to send the same traffic to both and run HTTP on one, and HTTPS on the other. Is this still the best way, as it doesn't appear to be extremely cost efficient to have to run a second AMD?
Considering the mentioned host to be monitored is a proxy, I would recommend either HTTP or generic with transactions; SSL hitting a proxy is usually using the CONNECT method at the proxy itself, and the certificates/keys would be related to the various target servers, not the proxy itself. They are generally not available unless you also control the target servers, and the target servers can be more cleanly monitored directly themselves if you do.
The only caveat to that statement would be if you control the proxy and are forcibly terminating the SSL session at the proxy and creating a new SSL session to the requested server. In that instance, you control the proxy and configurations, and should be able to configure a separate port on the proxy for SSL traffic, and then use the HTTPS analyzer with the correct key on the dedicated port.
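As an added illustration (not part of the original thread, and not how the AMD itself is implemented): a sketch of what a passive decode can read from a client's first bytes on a proxy port, which is why plain requests expose a URL while CONNECT tunnels expose only a host:port. The sample payloads and hostnames are constructed.

```python
import re

# Constructed samples: the first bytes a passive monitor would see from a
# client on a proxy port such as 8080. Hostnames are made up.
SAMPLES = {
    "plain_http": b"GET http://intranet.example/app/login?x=1 HTTP/1.1\r\n"
                  b"Host: intranet.example\r\n\r\n",
    "connect_tunnel": b"CONNECT shop.example:443 HTTP/1.1\r\n"
                      b"Host: shop.example:443\r\n\r\n",
    # Start of a TLS record carrying a ClientHello (no proxy request first).
    "direct_tls": bytes.fromhex("16030100c8010000c40303"),
}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def classify_first_bytes(data: bytes) -> dict:
    """Report what is readable in clear text from a client's first bytes."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls", "url": None, "target": None}

    match = REQUEST_LINE.match(data)
    if not match:
        return {"kind": "unknown", "url": None, "target": None}

    method = match.group(1).decode()
    target = match.group(2).decode()
    if method == "CONNECT":
        # Only host:port is visible. After the proxy's 200 reply the stream
        # is the client's TLS session with the target server, so decrypting
        # it would need the target server's key, not the proxy's.
        return {"kind": "connect", "url": None, "target": target}

    # Ordinary proxied request: the full URL is on the request line.
    return {"kind": "http", "url": target, "target": None}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify_first_bytes(payload))
```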
Thanks Erik. Yes, we are using the former method I believe where everything goes through the proxy, most likely using the CONNECT method as you suggest. And no, we don't have any certs to utilize, nor are we forcefully terminating and re-establishing sessions.
I have noticed that I can capture the URL with the HTTP traffic using the HTTP decode; however, when I use the Generic (with transaction) I don't appear to get it. Is this to be expected, or have I missed a configuration component somewhere?