Setting-up Static and Dynamic SSLi at the ... - A10 Networks
Setting-up Static and Dynamic SSLi at the Same Time
Configuring Static and Dynamic SSLi
Table of Contents
Introduction
Topology of the Example
Sample Configuration for SSLi_Decrypt
Sample Configuration for SSLi_Encrypt
Verification
About A10 Networks
Introduction
In a static-port type deployment, each intercepted protocol is configured with its own static virtual port enabled for SSLi. In such deployments, only the traffic for the specified protocol is intercepted. All other SSL and non-SSL traffic is bypassed.
For example, consider the following cases:
o To intercept SMTP running over SSL, the wildcard VIP configuration includes the command line "port 25 ssli", where 25 is the port number identifying SMTP.
o To intercept HTTPS traffic, the wildcard VIP includes the command line "port 443 https", where 443 is the port number identifying HTTPS.
It is recommended that you configure dynamic port inspection along with static port SSLi on TCP port 443. Dynamic port inspection ensures that all encrypted traffic, irrespective of the TCP port used, is decrypted and inspected by the security devices. Dynamic port inspection can be configured by using either the ACOS CLI or the GUI.
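As an added illustration (not A10's code, and not a description of how ACOS itself recognizes SSL on non-standard ports, which this page does not cover), the Python below classifies a few constructed flows first under a static-port policy for TCP 443 alone and then with dynamic port inspection added. The dynamic check keys on the TLS record and handshake headers in the client's first bytes; the flow names, the `classify` and `coverage` helpers and the sample payloads are all constructed here.

```python
# Added illustration (not A10's implementation): static-port vs dynamic-port SSLi policy
# applied to the same set of flows. TLS detection keys on the first client bytes.
import struct

def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the bytes start a TLS handshake record carrying a ClientHello (type 0x01)."""
    if len(first_bytes) < 6:
        return False
    content_type, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    # 0x16 = handshake record; record version 3.0 .. 3.4 covers SSL 3.0 through TLS 1.3
    return (content_type == 0x16 and major == 3 and minor <= 4
            and 0 < length <= 16384 and first_bytes[5] == 0x01)

def classify(flow, static_ports, dynamic):
    """'intercept' or 'bypass' for one flow, following the page's rules:
    static SSLi intercepts SSL only on its configured ports; dynamic port
    inspection intercepts SSL on any TCP port; non-SSL traffic is always bypassed."""
    is_tls = looks_like_tls_client_hello(flow["payload"])
    if is_tls and (dynamic or flow["dst_port"] in static_ports):
        return "intercept"
    return "bypass"

def coverage(flows, static_ports=(443,), dynamic=False):
    """Map each flow name to the decision the policy would take."""
    return {f["name"]: classify(f, static_ports, dynamic) for f in flows}

def client_hello() -> bytes:
    """Constructed, truncated ClientHello: handshake record (0x16), version 3.1,
    42-byte body whose first byte is handshake type 1."""
    return bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01]) + b"\x00" * 0x29

# Constructed sample flows: two TLS sessions on different ports, two clear-text sessions.
FLOWS = [
    {"name": "https on 443", "dst_port": 443, "payload": client_hello()},
    {"name": "tls on 8443", "dst_port": 8443, "payload": client_hello()},
    {"name": "smtp clear on 25", "dst_port": 25, "payload": b"220 mail.example ESMTP\r\n"},
    {"name": "http on 80", "dst_port": 80, "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    print("static 443 only:", coverage(FLOWS))
    print("static 443 + dynamic:", coverage(FLOWS, dynamic=True))
```

With static SSLi on 443 alone, the TLS session on 8443 is bypassed uninspected; adding dynamic port inspection intercepts it while the clear-text SMTP and HTTP flows stay bypassed in both modes, which is the gap the recommendation above closes.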
Topology of the Example
In this example, the SSLi deployment consists of two ACOS devices, each with one partition, and the security device placed between them. The ACOS devices are in L2 mode, and the security device is also in L2 mode.
The encrypted traffic from the client is passed to ACOS_decrypt. ACOS_decrypt decrypts the HTTPS traffic and forwards the clear traffic to the security device. After inspection, the security device passes the clear traffic to ACOS_encrypt. ACOS_encrypt re-encrypts the traffic and passes it to the external gateway. All other SSL traffic is bypassed.
ACOS_decrypt is also referred to as SSLi-inside, while ACOS_encrypt is referred to as SSLi-outside.
The following is the configuration overview:
o Deploy static SSLi for port 443.
o Deploy dynamic SSLi for all other ports.
o Bypass traffic for both static SSLi and dynamic SSLi; this bypass requires a further action from the user.
Figure 1 SSLi Deployment (diagram not reproduced): User -> encrypted traffic -> ACOS_decrypt -> decrypted traffic -> Security Device -> decrypted traffic -> ACOS_encrypt -> encrypted traffic -> external gateway, over interfaces e1 to e4.
Sample Configuration for SSLi_Decrypt

slb template port dscp6
  dscp 6
!
slb template port dscp4
  dscp 4
!
slb server ext 10.10.30.131
  health-check-disable
  port 0 tcp
    health-check-disable
  port 0 udp
    health-check-disable
  port 8080 tcp
!
slb service-group dynamic tcp
  member ext 0
    template dscp6
!
slb service-group static tcp
  member ext 8080
    template dscp6
!
slb service-group tcp0 tcp
  member ext 0
    template dscp4
!
slb service-group udp0 udp
  member ext 0
    template dscp4
!
slb template client-ssl cs
  forward-proxy-ca-cert ssli-cert
  forward-proxy-ca-key ssli-key
  forward-proxy-enable
  forward-proxy-bypass class-list bypass
  non-ssl-bypass service-group tcp0
!
slb virtual-server vip 0.0.0.0 acl 100
  port 0 udp
    service-group udp0
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 others
    service-group udp0
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 ssl-proxy
    service-group dynamic
    use-rcv-hop-for-resp
    template client-ssl cs
    no-dest-nat
  port 443 https
    service-group static
    use-rcv-hop-for-resp
    template client-ssl cs
    no-dest-nat port-translation
Sample Configuration for SSLi_Encrypt

access-list 101 deny tcp any range 443 443 any // deny all 443 traffic even with dscp 6
access-list 101 permit ip any any dscp 6
access-list 102 permit ip any any dscp 4
access-list 102 permit tcp any range 443 443 any // match 443 traffic
slb template server-ssl ss
  forward-proxy-enable
!
slb server gw 10.10.30.1
  port 0 tcp
  port 0 udp
  port 443 tcp
!
slb service-group tcp0 tcp
  member gw 0
!
slb service-group tcp443 tcp
  member gw 443
!
slb service-group udp0 udp
  member gw 0
!
slb virtual-server non-ssli 0.0.0.0 acl 102 // match non-ssl traffic and ssli bypass traffic
  port 0 tcp
    service-group tcp0
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 udp
    service-group udp0
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 others
    service-group udp0
    use-rcv-hop-for-resp
    no-dest-nat
!
slb virtual-server ssli 0.0.0.0 acl 101 // match ssli traffic
  port 0 tcp-proxy
    service-group tcp0
    use-rcv-hop-for-resp
    template server-ssl ss
    no-dest-nat
  port 8080 http
    service-group tcp443
    use-rcv-hop-for-resp
    template server-ssl ss
    no-dest-nat port-translation
Verification
You can verify that static and dynamic SSLi are deployed correctly with the following steps:
o Run "show access-list" on ACOS_encrypt to check that traffic hits the ACLs as designed.
o Run "show slb ssl-forward-proxy-cert" to check whether certificate fetching is working.
LEARN MORE ABOUT A10 NETWORKS
CONTACT US
a10networks.com/contact
©2018 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, A10 Thunder, A10 Lightning, A10 Harmony and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.
ABOUT A10 NETWORKS
A10 Networks (NYSE: ATEN) is a Secure Application Services™ company, providing a range of high-performance application
networking solutions that help organizations ensure that their data center applications and networks remain highly
available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers
globally with offices worldwide.
For more information, visit: a10networks.com or tweet @a10Networks