ACOS 5.2.1-P3
SSL Insight (SSLi) Configuration Guide
September, 2021
© 2021 A10 Networks, Inc. CONFIDENTIAL AND PROPRIETARY - ALL RIGHTS RESERVED.
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks, Inc. products are protected by patents in the U.S. and elsewhere. The following website is provided
to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking
provisions of the America Invents Act. A10 Networks, Inc. products, including all Thunder Series products, are
protected by one or more of U.S. patents and patents pending listed at:

a10-virtual-patent-marking.

TRADEMARKS
A10 Networks, Inc. trademarks are listed at: a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information
and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc.
without prior written consent of A10 Networks, Inc.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks, Inc. or about its products or
services, including but not limited to fitness for a particular use and non-infringement. A10 Networks, Inc. has
made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks, Inc.
assumes no responsibility for its use. All information is provided "as-is." The product specifications and features
described in this publication are based on the latest information available; however, specifications are subject to
change without notice, and certain features may not be available upon initial product release. Contact A10
Networks, Inc. for current information regarding its products or services. A10 Networks, Inc. products and services
are subject to A10 Networks, Inc. standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific
component types, please contact the manufacturer of that component. Always consult local authorities for regulations
regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest
A10 Networks, Inc. location, which can be found by visiting www.a10networks.com.
Table of Contents
Chapter 1: Getting Started 14
Overview 15
Architecture 15
Features 18
Limitations 18
Terminology 19
Real Server 19
Virtual Server and Virtual IP (VIP) 19
Wildcard VIPs, Ports, Virtual Ports, and ACL 20
Service Groups 21
ACOS_decrypt and ACOS_encrypt Partition or Device 21

Chapter 2: Topologies 23
Overview 24
SSLi in L2 Mode 24
SSLi in L3 Mode 26

Chapter 3: Deployments 29
Single ACOS Device with One Partition Deployment 30
Features 31
Single ACOS Device with Two Partitions Deployment 33
Features 33
Two ACOS Devices, Each with One Partition Deployment 36
Features 36

Chapter 4: Single Partition Deployment 39
Architecture 40
Deployment Types 42
L2 Deployment with Tagged VLANs 43
CLI Configuration 43
Step 1: Initial Configuration 44
Step 2: Configuring the Network VLANs 44
Step 3: Configuring the SSLi Services 45

3
Contents
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide

Step 4: Configuring Network IP Addresses 47
Step 5: Configuring the Security Device 48
Step 6: Configuring Handling of Incoming Traffic 49
Step 7: Configuring Handling of Outgoing Traffic 50
Consolidated Configuration 51
GUI Configuration 56
Step 1: Configuring the Network VLANs 57
Step 2: Configuring the SSLi Services 57
Step 3: Configuring the VIPs 62
Step 4: Configuring the Security Device 62
Step 5: Configuring Handling of Incoming Traffic 64
Step 6: Configuring Handling of Outgoing Traffic 65
L2 Deployment with Untagged VLANs 67
CLI Configuration 67
Step 1: Initial Configuration 68
Step 2: Configuring the Default VLAN 68
Step 3: Configuring the SSLi services 69
Step 4: Configuring Network IP Addresses 71
Step 5: Configuring the Security Device 71
Step 6: Configuring Handling of Incoming Traffic 73
Step 7: Configuring Handling of Outgoing Traffic 74
Consolidated Configuration 75

Chapter 5: Outbound Static Port Type HTTPS 80
Prerequisites 81
Two ACOS Devices, Each With Single Partition Deployment 82
CLI Configuration 84
ACOS_decrypt Configuration 84
ACOS_encrypt Configuration 88
GUI Configuration 92
ACOS_decrypt Configuration 92
ACOS_encrypt Configuration 99
Consolidated Configuration 101
Checking the Status and Operation 104

Single ACOS Device With Two Partitions Deployment 105
CLI Configuration 106
GUI Configuration 106
Single vThunder Device With Two Partitions Deployment 107

Chapter 6: Outbound Static Port Type STARTTLS 109
Deployment Example 110
CLI Configuration 112
ACOS_decrypt Configuration 112
Step 1. Configuring the Network VLANs 113
Step 2. Configuring the Network IP Addresses 113
Step 3. Configuring the SSLi Services 113
Step 4. Configuring the SSLi Service Groups 116
Step 5. Configuring the Virtual Server 116
ACOS_encrypt Configuration 118
Step 1. Configuring the Network VLANs 118
Step 2. Configuring the Network IP Addresses 119
Step 3. Configuring the SSLi Services 119
Step 4. Configuring the SSLi Service Groups 121
Step 5. Configuring the Virtual Server 121
Consolidated Configuration Examples 123

Chapter 7: Inbound Static-Port Type HTTPS 131
Deployment Example 132
Configure the External Inbound ACOS device 133
Configure the Internal Inbound ACOS device 138

Chapter 8: Dynamic-Port Inspection 143
Configuration Workflow 143
ACOS_decrypt Configuration 144
ACOS_encrypt Configuration 145
CLI Configuration 145
Inside ACOS Configuration 146
ACOS_encrypt Configuration 147
ACOS_decrypt Configuration 149
Consolidated Configuration 152

DSCP Inspection 155
Deployment Example 156
Traffic WorkFlow 157
CLI Configuration 158
ACOS_decrypt Configuration 158
ACOS_encrypt Configuration 162
Consolidated Configuration 164

Chapter 9: Static Port SSH Insight 169
Overview 170
Deployment 171
CLI Configuration 173
ACOS_decrypt Configuration 173
ACOS_encrypt Configuration 176
Configuring RSA Keys 181
Generating a Key using Remote Client 182
Generating a Key using Windows 183
Importing the Key to ACOS Device 184

Chapter 10: Bypass, Inspect, and Exception 186
Overview 187
Priority of Rules 188
SNI and Server Certificate Based Inspection 192
Convert an SNI List to an AC Class List 192
User Name and Group Name Based Bypass 193
HTTPS Traffic Bypass 194
CLI Configuration 194
Creating a Class List 196
Importing a Class List 197
Showing the System Resource Usage 198
GUI Configuration 198
Creating a Class List 199
Importing a Class List 200
"no shared cipher" Error Bypass 201
CLI Configuration 201

GUI Configuration for “no shared cipher” Error 202
Consolidated Configuration 202
“no-shared-cipher” Error 203
AAM, User Name, AD Group, Explicit Proxy, and SSLi 203
AAM, User Name, AD Group Name, Transparent Proxy, and SSLi 204

Chapter 11: Client Authentication Bypass 206
WorkFlow 207
CLI Configuration 208
GUI Configuration 209
Consolidated Configuration 209
Show Running-Config of the ACOS_decrypt 209
Show Running-Config of the Outside ACOS device 211
Troubleshooting 213

Chapter 12: Web Category and Web Reputation Bypass 214
Web Category Bypass 215
Installing Web Category License 215
Step 1: Installing the Web Category License 215
Step 2: Verifying the Web Category License Installation 216
Step 3: Activating the Web Category License 217
Step 4: Verifying the Web Category Library 217
Step 5: Checking Web Category License Status and Expiration 217
Using a Proxy Server for BrightCloud Servers 218
Filtering Web Category for SSLi Bypass 219
Configuring SSLi Bypass Filtering 219
Viewing the Statistics 220
Deleting or Reimporting the Database 223
Troubleshooting 223
Logging 224
Implementing Lookup Enforcement 226
Implementing URL Filtering 226
Implementing SSLi Bypass 227
Web Reputation Bypass 227
Configuring the Forward Policy 228

Configuring the SSLi Bypass Filtering 229
Viewing the Statistics 229

Chapter 13: URL Filtering 231
Overview 232
CLI Configuration 233
GUI Configuration 234
Consolidated Configuration 235

Chapter 14: Explicit and Transparent Proxy 239
Overview 240
Deployment Example 240
CLI Configuration 241
ACOS_decrypt Configuration 242
ACOS_encrypt Configuration 243
Verifying the Configuration 244
Consolidated Configuration 245
Proxy Chaining SSLi 249
Configuration with Explicit Proxy 249
Configuration with Transparent Proxy 250
ACOS_decrypt configuration 250
ACOS_encrypt configuration 252
Drop and Drop-Redirect-URL Message Responses 253
ACOS_decrypt Configuration 254
Consolidated Configuration 256
Drop and Drop-Redirect-URL Priorities 257
Virtual Wire with SSLi Deployment 258
SSLi IP-Less Deployment 259
SSLi IP-Less Deployment with Explicit Proxy and Cert Validation 262
AAM for SSLi Transparent Proxy 264
Topology Example 264
Decrypt_VIP Support 266
Forward-Policy JWT (JSON Web Token) Authorization Support 266
HTTP Authenticate Logon Support 266
CLI Configuration 267

Chapter 15: ICAP Services 270
Overview 271
Topology Example 271
Configuration Options 272
Inside Partition/Device Configuration 273
CLI Configuration 273
GUI Configuration 275
Outside Partition/Device Configuration 276
Show Commands 277
Configuration Options 277
Pre-Filtering Traffic Before ICAP 277
Include Protocol and Port in HTTP URI 278
ICAP Templates Configuration 279
Configuring ACOS Logging 280
Log Example 281

Chapter 16: Certificate and Keys Management 282
SSL Certificate Management 283
CA Certificate Chaining 284
CA-Signed and Self-Signed Certificates 286
CA Certificate Versus SSL Certificate 287
SSL Handshake WorkFlow 287
Certificates in SSL Templates 291
Client-SSL Template Configuration and Usage Guidelines 291
Server-SSL Template Configuration and Usage Guidelines 294
Cipher Template Configuration and Usage Guidelines 296
Certificate Fetching and Forging 297
CLI Configuration 298
GUI Configuration 298
Certificate Pinning Candidate List 299
Websites Workflow 299
TLS Server Name Indication (SNI) Support 301
Default Certificate and Key 301
SNI Extension Support 302

Configuring TLS Server Name Indication 308
TLS SNI Support on vThunder 308
TLS 1.3 Support 310
Configuring TLS 1.3 310
Configuring Certificate Key Pair 311
CAs and CSRs Management 312
Importing a Certificate and Key 312
Importing Individual Files 313
SSL Certificate and Key Files Bulk Import 314
Generating a Certificate Signing Request (CSR) 315
Generating a Self-Signed Certificate and Key 316
Generating an SSL Cert – Private Key File with a CSR 318
Installing Certificates 322
Requesting and Installing a CA-Signed Certificate 322
Installing a Self-Signed Certificate 324
Implementing Certificates to SSL Templates 325
Creating Multiple CA Certificate in Server-SSL Templates 326
Multiple Certificates in Single File – Preparing the File 327
Binding Server-SSL Templates to Individual Real Ports 328
Configuring Email Notification for SSL Certificate Expiration 330
Converting Certificates and CRLs to PEM Format 330
Importing a Certificate Revocation List (CRL) 332
Exporting Certificates, Keys, and CRLs 333
Importing a CA Cert and Private Key 334
Configuring Forward Proxy Alternate Signing Cert 335
Deleting Certificate Files 336
Configuring Simple Certificate Enrollment Protocol (SCEP) Certificates 336
Enrollment and Renewal Process 337
Configuring SCEP Certificate 338
Copying SCEP Certificate 338
Viewing SCEP Certificate 339
CLI Configuration 339
Configuring Automatic Certificate Management Environment (ACME) Certificates 341

Enrollment and Renewal Process 342
ACME Directory URL 343
Configuring ACME Certificate 343
Viewing ACME Certificate 344
Configuration Examples 344
OCSP Certificate Management 346
Overview 346
ACOS Server Certificate Verification 346
CLI Configuration 349
Certificate Revocation List 352
CLI Configuration 352
IP-less OCSP and CRL Requests 354
CLI Configuration 354
Invalid Certificates Customizable Message 355
CLI Configuration 355
Revoking Certificates 356
CLI Configuration 356

Chapter 17: SSLi with IPv6 Deployment 360
Overview 361
Prerequisites 362
CLI Configuration 362
ACOS_decrypt Configuration 363
Step 1. Configuring the Network VLANs 363
Step 2. Configuring the Network IP Addresses 364
Step 3. Configuring the SSLi Services 364
Step 4. Configuring the SSLi Service Groups 365
Step 5. Configuring the Virtual Server 365
Consolidated Configuration for SSLi_Inside 367
ACOS_encrypt Configuration 370
Step 1. Configuring the Network VLANs 370
Step 2. Configuring the Network IP Addresses 370
Step 3. Configuring the SSLi Services 371
Step 4. Configuring the SSLi Service Groups 371

Step 5. Configuring the Virtual Server 371
Consolidated Configuration 372
GUI Configuration 375

Chapter 18: SSLi in VRRP-A Deployment 376
Deployment Example 377
Inside Primary ACOS device Configuration 379
Inside Secondary ACOS device Configuration 383
Outside Primary ACOS device Configuration 388
Outside Secondary ACOS device Configuration 392

Chapter 19: Miscellaneous Features 396
File Inspection 397
CLI Configuration 397
Verifying the Device has a Cylance License 397
Creating a File Inspection Template 397
Binding the File Inspection Template to a Port 399
Importing a Cylance BW List 399
Implementing File Inspection on ADP 399
SSLi Source NAT 400
Static Source NAT CLI Configuration 400
Auto Source NAT CLI Configuration 402
Consolidated Configuration 405
Self-Signed Certificates 408
CLI Configuration 408
Show Configuration 409
Persistent Proxied Certificates 409
Creating a Persistent Forward-Proxy Class List 410
Binding a Separate Client-SSL Template 411
Chrome Browser Configuration Options 411
Global Commands 411

Chapter 20: Error Logging 413
Overview 414
CLI Configuration 415
Failure Event Error Reasons 416

Examples 438
CEF Error Log 439
Generic Failure Logs 439
SSLi Bypass Logs 439
SSL CA Verification Failure Logs 440
Example 440
Additional Failure Logs 440
Event-based Logging 442

Glossary 443

Chapter 1: Getting Started
This section covers how to get started with SSL Insight (SSLi).

The following topics are covered:

Overview 15

Architecture 15

Features 18

Limitations 18

Terminology 19

Chapter 1: Getting Started
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

Overview
Traditional security devices can inspect HTTP traffic; however, they cannot inspect SSL or other
encrypted traffic without consuming heavy CPU resources. This limitation is a concern because the
volume of encrypted traffic is increasing and is expected to surpass the volume of unencrypted
traffic. Given the considerable potential for cyber threats to propagate through encrypted traffic,
it is essential that organizations configure their security devices to inspect both encrypted and
unencrypted traffic.

Deploy SSLi in your organization as a dedicated decryption point for SSL traffic, which can then be
analyzed by a security device. Because the encryption and decryption functions are performed by
the SSLi device, the added latency in the network is minimal.

SSLi is configurable on any of the supported ACOS devices. SSLi can detect and decrypt SSL even on
non-proprietary TCP protocols. SSLi can be deployed in a number of different ways, customized to your
network environment, with high availability (HA) added. SSLi is also scalable to address the
requirements of a growing organization. The integrated load-balancing capability of SSLi helps to
optimize SSLi performance.

For more information on the supported ACOS devices for deploying SSLi, refer to the SSLi
Technical Specifications document.

Architecture
In the following deployment example, the client network is connected to the SSLi solution
which is then connected through a gateway to the external network such as the Internet. All
the encrypted traffic between the Internet and the client network is passed through the SSLi
solution for inspection.

FIGURE 1-1: SSLi Architecture

Deploy the SSLi solution in a number of ways by using one or more supported ACOS devices, keeping
disruption to your existing network to a minimum. In this example, the SSLi solution consists of two
ACOS devices and a number of sample security devices that inspect the decrypted clear text. Examples
of such security devices are a next-generation firewall (NGFW), an intrusion detection system (IDS),
a unified threat management (UTM) appliance, and so on. The ACOS devices can also be configured as an
ICAP client to offload traffic inspection to an ICAP server.

NOTE: While configuring SSLi, it is recommended to have separate interfaces for management and data
in your network, as the management network frequently uses SSL.

You can deploy the SSLi solution with a single ACOS device or multiple ACOS devices. The ACOS devices
in the SSLi solution consist of two parts:

• ACOS_decrypt: the ACOS partition or ACOS device(s) that connects to the client network. This part
  of the SSLi solution decrypts the traffic from the client and passes the clear traffic to the
  security devices for inspection. In some implementations, this part is also referred to as
  ACOS_inside.
• ACOS_encrypt: the ACOS partition or ACOS device(s) that connects to the server network. This part
  of the SSLi solution re-encrypts the clear traffic which it receives from the security device and
  passes it to the external server network by using SLB operations. In some implementations, this
  part is also referred to as ACOS_outside.

The following is an explanation of the workflow of the SSLi solution:

• The client network sends an encrypted request to a remote server.
• After a session is established, the traffic is intercepted and decrypted by the SSLi solution
  (ACOS_decrypt). Clear-text traffic is sent to the security devices.
• The security device inspects the clear-text request data and, if approved, forwards it to the SSLi
  solution to be re-encrypted (ACOS_encrypt).
• The traffic is intercepted by ACOS_encrypt, re-encrypted, and sent to the default gateway.
• The remote server receives an encrypted request.
• The remote server sends back an encrypted response.
• The SSLi solution (ACOS_encrypt) decrypts the response and forwards it to the same security device
  that sourced the request.
• The security device inspects the clear-text response data and, if approved, forwards it to the
  SSLi solution to be re-encrypted (ACOS_decrypt).
• The traffic is intercepted by ACOS_decrypt, encrypted again, and sent to the client.
• The client receives the encrypted response.

Features
As discussed previously, organizations require an SSLi solution to decrypt traffic so that their
security devices can analyze it. SSLi has a number of advantages and a higher performance ratio
than comparable products.

Here are a few of the advantages of deploying SSLi:

• Transparent or explicit proxy deployment in the network
• URL classification services for meeting compliance standards
• Dynamic port inspection of SSL and TLS traffic
• ICAP client to an ICAP server for DLP and AV security devices
• Extensive SSL cipher support, including ECDHE and DHE
• Load balancing capabilities to support scaling of the security infrastructure
• End-to-end HTTP/2 support to enable full request and response multiplexing
• SSLi support for Intel QuickAssist Technology (QAT) and Nitrox V (N5) hardware acceleration
  modules
• SSLi intercepts SMTP, POP, FTP, LDAP, and XMPP sessions that are running over SSL

Limitations
SSLi has the following limitations:

• An ACOS device cannot pass packets when it has failed or is powered down. To keep traffic flowing
  in that case, a second ACOS device or a bypass switch is required.
• An explicit proxy cannot be placed in the ACOS_decrypt zone.
• HTTP/2 support is available for static-port SSLi with and without forward proxy, and for
  dynamic-port SSLi. It is not supported for STARTTLS SSLi.
• Use of a native VLAN with tagged VLANs is not supported.
• Sites which use hard certificate pinning cannot be decrypted.

Terminology
Before deploying SSLi, there are some terms provided in the following sections to help you
understand how SSLi functions. For more information on ACOS terminology, refer to the
Application Delivery and Server Load Balancing Guide.

The following topics are covered:

Real Server 19

Virtual Server and Virtual IP (VIP) 19

Wildcard VIPs, Ports, Virtual Ports, and ACL 20

Service Groups 21

ACOS_decrypt and ACOS_encrypt Partition or Device 21

Real Server

A real server is the logical representation of physical servers (either individual servers, or
servers in a server farm) connected to an ACOS device, or to another router in the network. To
configure a real server, a name, an IP address, and a port are required.

In SSLi operation, the security device or collection of security devices is configured as a real
server.

The following is an example of configuring a security device in an SSLi solution as a real server:
ACOS_decrypt(config)# slb server GW 1.1.1.254
ACOS_decrypt(config-slb server)# port 0 tcp

Virtual Server and Virtual IP (VIP)

A virtual server is the combination of real servers and an ACOS device(s), which together
appear as a single server to the client.

A virtual IP (VIP) is the IP address of the virtual server. The VIP is used to access a group of
servers or it can be a default gateway for users accessing the Internet. To configure a virtual
server, a name, an IP address, and a port are required.

In SSLi operation, the security device or collection of security devices together with the
ACOS device or devices is configured as a virtual server. The virtual server port or port 0 is
configured for a virtual server with the no-destination-nat option enabled. This con-
figuration enables SSLi to accept traffic for any destination port and send it to any des-
tination port.

The following is an example of configuring a virtual server for incoming traffic:
ACOS_decrypt(config)# slb virtual-server decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver)# port 0 tcp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation

If the port-translation option is used, and the response traffic passes through the ACOS device,
the ACOS device translates the source port of the server reply back into the destination port to
which the client sent the request before forwarding the reply to the client. The port-translation
option is supported only for the following virtual port types: TCP, UDP, and HTTP/HTTPS.

Wildcard VIPs, Ports, Virtual Ports, and ACL

A wildcard VIP is a VIP that does not have a specific IP address. Instead, wildcard VIPs have the IP
address 0.0.0.0 (for IPv4) or :: (for IPv6). Client requests sent to any IP address are accepted
when they arrive at a wildcard VIP.

Wildcard VIPs enable you to configure a feature that applies to multiple VIPs, without the need to
reconfigure the feature separately for each VIP. To specify the subset of VIP addresses and ports
for which a feature is applicable, use an Access Control List (ACL). ACLs also specify the subset of
clients allowed to access the VIPs, thus ensuring that only legitimate requests are allowed through.
Wildcard VIPs can be used for any type of load balancing. Port 0 is used as a wildcard port to match
on any port number.

In SSLi operations, a wildcard VIP is configured to intercept supported encrypted traffic such as
HTTPS, STARTTLS, IMAPS, SSH and so on, on any port. Use ACLs to specify the clients whose traffic is
to be intercepted. The virtual server port or port 0 is configured for a virtual server with the
no-destination-nat option enabled. This configuration enables SSLi to accept traffic for any
destination port and send it to any destination port.

The following is an example configuration for a wildcard VIP that accepts HTTPS requests on
port 443:
ACOS_decrypt(config)# slb virtual-server decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation

The following is an example configuration where, on VLAN 10, all IP traffic is intercepted by
ACOS_decrypt by using ACL 100:
ACOS_decrypt(config)# access-list 100 permit ip any any vlan 10
ACOS_decrypt(config)# slb virtual-server ACOS_decrypt 0.0.0.0 acl 100
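The behaviour described in this section and in Virtual Server and Virtual IP (VIP) can be put into a small executable model: the ACL decides which client flows are intercepted at all, the wildcard VIP accepts any destination address, the exact `port 443 https` entry and the `port 0 tcp` wildcard select a virtual port, `no-dest-nat` keeps the client's original destination, and `port-translation` maps the reply port back for the client. The following Python is an added illustration, not A10 code: ACOS's internal matching logic is not published, so the model only reproduces what the guide states. The client and server addresses, the `clear_port` attribute (standing in for HTTPS-to-HTTP conversion to 8080) and the rule that an exact port entry wins over port 0 are assumptions made for the example.

```python
"""Toy model of how an SSLi wildcard VIP selects and rewrites client flows.
Added illustration, not A10 code: ACOS matching internals are not published; this
mirrors only the behaviour the guide describes (access-list 100 on vlan 10, wildcard
VIP 0.0.0.0 with port 443 https and port 0 tcp, no-dest-nat port-translation).
Addresses, clear_port and the exact-port-before-wildcard rule are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # client IP
    dst: str    # server IP the client dialled
    dport: int  # destination port the client dialled
    vlan: int   # ingress VLAN


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: str = "any"            # CIDR, or "any" for every address
    dst: str = "any"
    vlan: Optional[int] = None  # None matches every VLAN

    def matches(self, flow: Flow) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(flow.src, self.src) and in_net(flow.dst, self.dst)
                and (self.vlan is None or self.vlan == flow.vlan))


def acl_permits(acl: List[AclEntry], flow: Flow) -> bool:
    """First matching entry decides; a flow matching no entry is not intercepted."""
    for entry in acl:
        if entry.matches(flow):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class VirtualPort:
    number: int                       # 0 is the wildcard port: matches any port
    kind: str                         # "https" or "tcp"
    no_dest_nat: bool = True          # keep the client's original destination IP
    port_translation: bool = True     # map the reply's source port back for the client
    clear_port: Optional[int] = None  # HTTPS-to-HTTP conversion target, e.g. 8080


@dataclass(frozen=True)
class WildcardVip:
    acl: List[AclEntry]
    ports: List[VirtualPort]


def select_vport(vip: WildcardVip, flow: Flow) -> Optional[VirtualPort]:
    """Only ACL-permitted flows are intercepted; an exact port entry wins over port 0."""
    if not acl_permits(vip.acl, flow):
        return None
    exact = [vp for vp in vip.ports if vp.number == flow.dport]
    wild = [vp for vp in vip.ports if vp.number == 0]
    return (exact or wild or [None])[0]


def forward_target(vip, flow, member: Tuple[str, int]) -> Optional[Tuple[str, int]]:
    """Where the decrypted flow is addressed: no-dest-nat keeps the real server IP."""
    vp = select_vport(vip, flow)
    if vp is None:
        return None  # not intercepted: the flow bypasses SSLi untouched
    if not vp.no_dest_nat:
        return member  # without no-dest-nat the flow goes to the service-group member
    port = vp.clear_port if (vp.kind == "https" and vp.clear_port) else flow.dport
    return (flow.dst, port)  # original server IP, optionally converted to a clear port


def reply_source_port(vp: VirtualPort, flow: Flow, server_sport: int) -> int:
    """port-translation restores the port the client dialled (8080 becomes 443 again)."""
    return flow.dport if vp.port_translation else server_sport


# Constructed configuration mirroring the guide's CLI lines.
ACL_100 = [AclEntry("permit", vlan=10)]
DECRYPT_VIP = WildcardVip(ACL_100, [VirtualPort(443, "https", clear_port=8080),
                                    VirtualPort(0, "tcp")])
FW1_INSPECT = ("10.15.1.12", 8080)  # real server FW1_Inspect from the service-group example


def demo() -> dict:
    https_flow = Flow("10.15.1.5", "203.0.113.10", 443, vlan=10)  # constructed addresses
    imaps_flow = Flow("10.15.1.5", "203.0.113.20", 993, vlan=10)
    other_vlan = Flow("10.15.1.5", "203.0.113.10", 443, vlan=20)
    return {
        "https_to_security_device": forward_target(DECRYPT_VIP, https_flow, FW1_INSPECT),
        "imaps_via_wildcard_port": forward_target(DECRYPT_VIP, imaps_flow, FW1_INSPECT),
        "vlan20_not_intercepted": forward_target(DECRYPT_VIP, other_vlan, FW1_INSPECT),
        "reply_port_seen_by_client": reply_source_port(
            select_vport(DECRYPT_VIP, https_flow), https_flow, server_sport=8080),
    }
```

Running `demo()` shows the HTTPS flow leaving towards 203.0.113.10 on the clear port 8080 with the reply translated back to 443, the IMAPS flow on port 993 caught by the port 0 wildcard with its port untouched, and the VLAN 20 flow returning `None` because ACL 100 does not permit it and it is therefore never intercepted.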

Service Groups

A service group is a group of servers that fulfill a service. Service groups are where load
balancing algorithms are applied. The minimum configuration for a service group includes a name, the
type of protocol, the load balancing algorithm, and at least one real server and port.

In SSLi operations, configure service groups to handle the different types of encrypted traffic
that are intercepted by the SSLi solution. In the following configuration example, a real server
FW1_Inspect is created on ACOS_decrypt and added to a service group named FW1_Inspect_SG, also
created on ACOS_decrypt. All intercepted traffic is decrypted and forwarded to the members of the
group (in this case, FW1_Inspect) over protocol TCP on port 8080.
ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12
ACOS_decrypt(config-real server)# port 8080 tcp
ACOS_decrypt(config-real server)# exit
ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 8080

ACOS_decrypt and ACOS_encrypt Partition or Device

The SSLi solution sandwiches the security device or devices between the ACOS_decrypt and
ACOS_encrypt partition or device.

NOTE: ACOS_decrypt and ACOS_encrypt can be configured on separate ACOS devices or in a single ACOS
device by using partitions. There are also examples of single partition SSLi deployments where
ACOS_decrypt and ACOS_encrypt zones are created by using a combination of virtual servers and ACLs.
In a single partition deployment, a VIP represents the client and server sides.

ACOS_decrypt decrypts all SSL traffic originating from the client. All clear-text traffic decrypted
by ACOS_decrypt is passed to the security device.

Some guidelines for configuring ACOS_decrypt are as follows:

• Provision ACOS_decrypt with either a CA or a subordinate CA certificate and the accompanying
  private key. Refer to CA Certificate Chaining.
• With HTTPS to HTTP conversion, the destination port is changed from 443 to any other port such as
  8080.
• Create a client-SSLi template with forward-proxy-enable configured.
• Any TCP or UDP traffic that is intercepted must have an access control list (ACL) configured
  within the wildcard VIP to define the traffic flow.
• Incoming HTTPS sessions that are intercepted and decrypted are forwarded as clear text over HTTP
  on a configurable port such as 8080 through a third-party security device.
• The ACOS_encrypt zone re-encrypts the HTTP traffic received on a port such as 8080 from the
  security device after inspection. The clear-text traffic is encrypted to HTTPS and sent to the
  default router or Internet by using port 443. You must configure a server-SSLi template with
  forward-proxy-enable for this zone.
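The first guideline above (provision ACOS_decrypt with a CA or subordinate CA and its private key) and the limitation noted earlier (sites that use hard certificate pinning cannot be decrypted) are two sides of the same trust relationship. The following Python model is an added illustration, not A10 code and not real X.509 processing: certificates are plain records, signatures are omitted, and a chain is accepted when it links by issuer name to a CA in the client's trust store; all CA names, server names and keys are constructed. It shows why a client that trusts the enterprise CA accepts the certificate ACOS_decrypt re-issues under forward proxy, while a client that pins the real server's public key rejects it.

```python
"""Trust model behind SSLi forward proxy: who accepts the re-issued certificate.

Added illustration, not A10 code and not real X.509: certificates are plain
records, signatures are omitted, and a chain is accepted when it links by
issuer name to a CA in the client's trust store.  Every name and key below
is constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str       # DNS name for a leaf, CA name for an issuer certificate
    issuer: str        # subject of the CA that issued this certificate
    public_key: bytes  # stands in for the SubjectPublicKeyInfo (SPKI)


def spki_pin(cert: Cert) -> str:
    """Pin value the way pinned apps compute it: SHA-256 over the public key."""
    return hashlib.sha256(cert.public_key).hexdigest()


def chain_trusted(leaf: Cert, issuers: Dict[str, Cert], trust_store: List[Cert]) -> bool:
    """Walk issuer links from the leaf until a trust-store CA is reached.
    Signature, name and validity checks of real validation are omitted."""
    anchors = {ca.subject for ca in trust_store}
    cert = leaf
    for _ in range(5):                 # bound the walk; self-signed roots loop
        if cert.issuer in anchors:
            return True
        cert = issuers.get(cert.issuer)
        if cert is None:
            return False
    return False


def reissue_like_acos_decrypt(real_leaf: Cert, sub_ca: Cert) -> Cert:
    """What forward-proxy-enable does: a certificate for the same server name,
    signed by the sub-CA provisioned on ACOS_decrypt, with the proxy's own key.
    The origin server's private key is never available, so the key differs."""
    proxy_key = hashlib.sha256(b"ssli-proxy-key:" + real_leaf.subject.encode()).digest()
    return Cert(real_leaf.subject, sub_ca.subject, proxy_key)


def client_accepts(presented: Cert, issuers: Dict[str, Cert],
                   trust_store: List[Cert], pinned: Optional[str] = None) -> bool:
    """Browser-style client: chain check only.  Pinned app: chain AND pin match."""
    if not chain_trusted(presented, issuers, trust_store):
        return False
    return pinned is None or spki_pin(presented) == pinned


# Constructed PKI: a public root, the real site certificate, and the enterprise
# CA hierarchy whose sub-CA (with private key) the guide says to provision on
# ACOS_decrypt.
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"public-root-key")
REAL_SITE = Cert("bank.example", "Public Root CA", b"bank-real-key")
CORP_ROOT = Cert("Corp Root CA", "Corp Root CA", b"corp-root-key")
SSLI_SUB_CA = Cert("Corp SSLi Sub-CA", "Corp Root CA", b"ssli-sub-ca-key")
ISSUERS = {c.subject: c for c in (PUBLIC_ROOT, CORP_ROOT, SSLI_SUB_CA)}
FORGED_SITE = reissue_like_acos_decrypt(REAL_SITE, SSLI_SUB_CA)


def outcomes() -> Dict[str, bool]:
    """Which clients accept the certificate ACOS_decrypt presents for bank.example."""
    managed = [PUBLIC_ROOT, CORP_ROOT]   # corporate endpoint with the enterprise CA installed
    unmanaged = [PUBLIC_ROOT]            # endpoint without the enterprise CA
    pin = spki_pin(REAL_SITE)            # app that ships with the real key pinned
    return {
        "managed_browser": client_accepts(FORGED_SITE, ISSUERS, managed),
        "unmanaged_browser": client_accepts(FORGED_SITE, ISSUERS, unmanaged),
        "managed_pinned_app": client_accepts(FORGED_SITE, ISSUERS, managed, pinned=pin),
        "pinned_app_uninspected": client_accepts(REAL_SITE, ISSUERS, managed, pinned=pin),
    }


if __name__ == "__main__":
    for client, ok in outcomes().items():
        print(f"{client}: {'accepts' if ok else 'rejects'}")
```

The managed browser accepts the re-issued certificate only because the enterprise CA is in its trust store, which is why the CA or sub-CA and its private key must be present on ACOS_decrypt and the CA distributed to the clients. The pinned app rejects it regardless of the trust store, so such sites cannot be inspected and must be excluded from decryption (see Bypass, Inspect, and Exception).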

Chapter 2: Topologies
This section provides an overview of the different types of topologies for SSLi.

The following topics are covered:

Overview 24

SSLi in L2 Mode 24

SSLi in L3 Mode 26

Overview
SSLi can be deployed in different topologies. Topologies can differ based on the mode of the
SSLi deployment. The security device can be either in-line or in a passive mode.

For in-line deployment of the security device(s), the following topological combinations are
supported:

• SSLi in L2 mode and the in-line security device in L2 mode
• SSLi in L2 mode and the in-line security device in L3 mode
• SSLi in L3 mode and the in-line security device in L2 mode
• SSLi in L3 mode and the in-line security device in L3 mode

Security devices can be deployed in passive (tap) mode by using a mirror port on the SSLi device.
This deployment is independent of whether the security device or the SSLi device is in L2 or L3
mode. In this mode, the physical link is established between the ACOS_decrypt and ACOS_encrypt
appliances and the decrypted traffic is mirrored out to the passive security device. The tap mode
supports up to eight security devices. Support for RST from the security device (over a separate
link) to terminate compromised connections is also included.

If you are configuring SSLi on a single vThunder device, only two bidirectional or four
unidirectional ports are required. For configuring SSLi on two vThunder devices, four bidirectional
or eight unidirectional ports are required.

SSLi in L2 Mode
In this topology, the SSLi solution consists of the ACOS device(s) in L2 mode and the security
device(s) in L2 mode or L3 mode, and these devices sit between the client and the external gateway.
All of the devices are in the same subnet. For a single security device, four physical interfaces
are required on the ACOS device, as shown in FIGURE 2-1.

NOTE: On Thunder platforms with the older version of the FTA chipset, a cpu-process command must be
run for the L2 mode to work. For more information, see “Configuring L2 SSLi on FTA-enabled ACOS
Devices” on page 37.

FIGURE 2-1: SSLi Deployment in L2 Mode, Security Device in L2 Mode

In this topology, there is minimal change to the existing IP network. Each additional security
device requires two more physical interfaces on the ACOS device. Each additional security
device must be in a separate subnet for load balancing purposes.

In this topology, if the security device is in L3 mode, two separate subnets are required, as
shown in FIGURE 2-2 (SSLi Deployment in L2 Mode, Security Device in L3 Mode).


FIGURE 2-2: SSLi Deployment in L2 Mode, Security Device in L3 Mode

SSLi in L3 Mode
This topology configures the SSLi solution as a routed hop between the client network and
the external gateway, which are on different subnets. The security device can be deployed in
either L2 or L3 mode. For a single security device, four physical interfaces are required on
the ACOS device. Separate IP addresses are required for each interface. With a single
security device in L2 mode, this topology requires three subnets, as shown in FIGURE 2-3.


FIGURE 2-3: SSLi Deployment in L3 Mode, Security Device in L2 Mode

For each additional security device, two more physical interfaces are required on the ACOS
device. Each additional security device must be in a separate subnet for load balancing
purposes. With a single security device in L3 mode, this topology requires four subnets, as
shown in FIGURE 2-4 (SSLi Deployment in L3 Mode, Security Device in L3 Mode).


FIGURE 2-4: SSLi Deployment in L3 Mode, Security Device in L3 Mode

Chapter 3: Deployments
This section provides an overview of the different types of SSLi deployments.

The following topics are covered:

Single ACOS Device with One Partition Deployment 30

Single ACOS Device with Two Partitions Deployment 33

Two ACOS Devices, Each with One Partition Deployment 36


Single ACOS Device with One Partition Deployment


In this deployment, a single ACOS device with one partition is configured as part of the SSLi
solution. In a single partition deployment, the ACOS device is in L2 mode and requires one IP
address at the minimum irrespective of the number of VLANs to be inspected. All interfaces
used for the SSLi deployment must be assigned the same VLANs.

FIGURE 3-1: Deployment of a Single ACOS Device with One Partition

In the sample deployment as shown in FIGURE 3-1, the client device is connected to the SSLi
solution, which is then connected to the external gateway. The SSLi solution consists of an
ACOS device in L2 mode and a single security device in L2 mode. The encrypted traffic from
the client is passed to the ACOS device on interface e1. The ACOS device decrypts the traffic
and forwards the clear traffic to the security device on interface e2. After inspection, the
security device passes the clear traffic to the ACOS device on interface e3. The ACOS device
re-encrypts the traffic and passes it to the external gateway on interface e4.


Features

The following table lists the features for a single ACOS device with one partition deployment.

TABLE 3-2 : Features for Single ACOS Device with One Partition

General Features
  Description:
  • Supported across all ACOS releases
  • SSLi solution delivered in a single device
  • Web-category license add-on for the same device
  Notes:
  • L3 firewalls supported across all ACOS releases.
  • L2 firewalls supported from ACOS 4.1.1-P3 onwards.
  • Number of physical ports available to the solution is roughly halved.

SSLi Features
  Description:
  • Static port inspection:
    - SNI-based bypass
    - Web category-based bypass
    - URL filtering
    - Explicit proxy
    - Proxy chaining
    - ICAP
  • Dynamic port inspection
  • STARTTLS inspection
  Notes:
  • Firewall Load Balancing (FWLB) is not supported.
  • URL filtering, explicit proxy, and proxy chaining are available with L3 firewalls only.
  • For dynamic port inspection, a special header is not pre-pended to the client request.

Security Devices
  Description:
  • Inline L2 or vWire transparent firewalls
  • Inline L3 or NAT’ed transparent firewalls
  • Inline L7 or transparent proxy
  • One-armed transparent proxy
  • Non-inline passive IDS
  • ICAP-based DLP/AV
  Notes:
  • For inline L2 and L3 security devices, both tagged and untagged VLANs are supported.
  • For inline L7 security devices, only transparent proxy is supported.
  • One-armed transparent proxy is supported with L3 firewalls only.
  • For non-inline passive IDS, up to four passive devices are supported.

Topologies
  Description:
  • Full L2 with the deployment behind SSLi and STP-based active-standby HA
  • L2 with L3 security device and VRRP-A based active-standby HA
  • L3 with A10 Thunder SSLi and VRRP-A based active-standby HA
  • Explicit proxy with A10 Thunder SSLi as the explicit proxy for client web browsers
  • Explicit proxy with upstream explicit proxy set on client web browsers
  Notes:
  • For an L2 deployment, both tagged and untagged VLANs are supported.
  • L2 deployment does not support VRRP-A.
  • L3 deployment and both types of explicit proxy deployments are supported with L3 firewalls only.
  • Explicit proxy with upstream explicit proxy set on client web browsers requires two IP addresses from the network.


Single ACOS Device with Two Partitions Deployment


In this deployment, two L3V partitions are configured in the ACOS device. The partition
ACOS_decrypt is connected to the client and the partition ACOS_encrypt is connected to
the external network by using a gateway. Configure system ve-mac-scheme system-mac on
the shared partition to eliminate the MAC address duplication across partitions. If the ACOS
device is a vThunder, also configure system promiscuous-mode on the shared partition.

FIGURE 3-3: Deployment of a Single ACOS Device with a Two-Partition SSLi Solution

In the sample deployment as shown in FIGURE 3-3, the client device is connected to the SSLi
solution, which is then connected to the external gateway. The SSLi solution consists of an
ACOS device and a single security device. The ACOS device has two partitions, ACOS_
decrypt is connected to the client network and ACOS_encrypt is connected to the server net-
work. The encrypted traffic from the client is passed to the ACOS_decrypt partition on inter-
face e1. The ACOS_decrypt partition decrypts the traffic and forwards the clear traffic to the
security device on interface e2. After inspection, the security device passes the clear traffic
to the ACOS_encrypt partition on interface e3. The ACOS_encrypt partition re-encrypts the
traffic and passes it to the external gateway on interface e4.

Features

The following table lists the features for a single ACOS device with two partitions deploy-
ment.


TABLE 3-4 : Features for Single ACOS Device with Two Partitions

General Features
  Description:
  • Supported across all ACOS releases
  • SSLi solution delivered in a single ACOS device
  • Web-category license add-on for the same device
  • Full separation of L2 and L3 in ADPs
  • Firewall Load Balancing (FWLB) support
  Notes:
  • Number of physical ports available to the solution is roughly halved.

SSLi Features
  Description:
  • Static port inspection:
    - SNI-based bypass
    - Web category-based bypass
    - URL filtering
    - Explicit proxy
    - Proxy chaining
    - ICAP
  • Dynamic port inspection
  • STARTTLS inspection
  Notes:
  • For dynamic port inspection, a special header ‘A10FP’ gets pre-pended to client requests and is visible to the security device.

Security Devices
  Description:
  • Inline untagged L2 or vWire transparent firewalls
  • Inline L3 or NAT’ed transparent firewalls
  • Inline L7 or transparent proxy
  • One-armed transparent proxy
  • Non-inline passive IDS
  • ICAP-based DLP/AV
  Notes:
  • For inline L2 deployment, only untagged VLANs are supported.
  • For inline L3, both tagged and untagged VLANs are supported.
  • For inline L7, only transparent proxy is supported.
  • For non-inline passive IDS, up to two passive devices are supported.

Topologies
  Description:
  • Full L2 with the deployment behind SSLi and STP-based active-standby HA
  • L2 with L3 security device as the deployment and VRRP-A based active-standby HA
  • L3 with A10 Thunder SSLi as the deployment and VRRP-A based active-standby HA
  • Explicit proxy with Thunder SSLi as the explicit proxy for client web browsers
  • Explicit proxy with upstream explicit proxy set on client web browsers
  Notes:
  • For a full L2 deployment, only untagged VLANs are supported. VRRP-A is not supported.
  • For explicit proxy, two IP addresses are required from the network segment in which the Thunder SSLi is deployed.


Two ACOS Devices, Each with One Partition Deployment


In this deployment, a dedicated ACOS device is configured for each of the ACOS_decrypt and
ACOS_encrypt partitions. This deployment provides greater throughput than a single-device
deployment.

FIGURE 3-5: Deployment of a Double ACOS Device SSLi Solution

In the sample deployment as shown in FIGURE 3-5, the client device is connected to the SSLi
solution, which is then connected to the external gateway. The SSLi solution consists of two
ACOS devices and a single security device. The ACOS device connected to the client has a par-
tition called ACOS_decrypt. The ACOS device connected to the external gateway has a par-
tition called ACOS_encrypt. The encrypted traffic from the client is passed to the ACOS_
decrypt partition on interface e1. The ACOS_decrypt partition decrypts the traffic and for-
wards the clear traffic to the security device on interface e2. After inspection, the security
device passes the clear traffic to the ACOS_encrypt partition on interface e3. The ACOS_
encrypt partition re-encrypts the traffic and passes it to the external gateway on interface
e4.

Features

The following table lists the features for two ACOS devices, each with one partition deploy-
ment.


TABLE 3-6 : Features for Two ACOS Devices, Each With One Partition

General Features
  Description:
  • Supported across all ACOS releases
  • Throughput is about 1.8x more than that of a single-device deployment
  • SSLi solution is delivered with two ACOS devices
  • Web-category license add-on only for one device
  • Full separation of L2/L3 in two physical devices
  • Firewall Load Balancing (FWLB) support
  Notes:
  • Number of physical ports available to the solution is roughly doubled.

SSLi Features
  Description:
  • Static port inspection:
    - SNI-based bypass
    - Web category-based bypass
    - URL filtering
    - Explicit proxy
    - Proxy chaining
    - ICAP
  • Dynamic port inspection
  • STARTTLS inspection
  Notes:
  • For dynamic port inspection, a special header ‘A10FP’ gets pre-pended to the client request and is visible to the security device.

Security Devices
  Description:
  • Inline L2 or vWire transparent firewalls
  • Inline L3 or NAT’ed transparent firewalls
  • Inline L7 or transparent proxy
  • One-armed transparent proxy
  • Non-inline passive IDS
  • ICAP-based DLP/AV
  Notes:
  • For inline L2 and L3, both tagged and untagged VLANs are supported.
  • For inline L7, only transparent proxy is supported.
  • For non-inline passive IDS, up to four passive devices are supported.

Topologies
  Description:
  • Full L2 with the deployment behind SSLi and STP-based active-standby HA
  • L2 with L3 security device and VRRP-A based active-standby HA
  • L3 with A10 Thunder SSLi as the deployment and VRRP-A based active-standby HA
  • Explicit proxy with A10 Thunder SSLi as the explicit proxy for client web browsers
  • Explicit proxy with upstream explicit proxy set on client web browsers
  Notes:
  • For a full L2 deployment, only untagged VLANs are supported. VRRP-A is not supported.
  • For explicit proxy, two IP addresses are required from the network segment in which the Thunder SSLi is deployed.

38
Chapter 4: Single Partition Deployment
This section describes how to deploy SSLi by using a single partition instead of two
partitions. The single partition approach allows for a bump-in-the-wire deployment that
requires minimal changes to the existing network infrastructure.

The following topics are covered:

Architecture 40

Deployment Types 42

L2 Deployment with Tagged VLANs 43

L2 Deployment with Untagged VLANs 67


Architecture
In a single partition deployment, the ACOS device is in L2 mode and requires one IP address
irrespective of the number of VLANs to be inspected. The VLAN ID and the source and
destination MAC addresses of the incoming packets are completely preserved as the traffic
passes through the ACOS device. For this type of deployment, all four interfaces, e1, e2,
e3, and e4 (as shown in FIGURE 4-1), that are related to the SSLi deployment must be
assigned the same set of VLANs.

In the following example deployment, as shown in FIGURE 4-1, the client network is
connected through a layer 3 switch to the ACOS device. The ACOS device, which has a single
partition, is in turn connected to a security device for traffic inspection purposes. The ACOS
device is then connected through a layer 3 switch to the Internet.

The traffic flows for the single partition deployment are described in the following list:

• Traffic flows from the client network to the Internet: The traffic from the client network
  is sent to the ACOS device on the e1 interface, where it is decrypted. The decrypted traffic
  is redirected to the security device in the forward direction, that is, forwarded from e1
  to e2 by using the redirect-fwd command. From the security device, the traffic is directed
  back to the ACOS device on the e3 interface. The ACOS device re-encrypts the traffic and
  forwards it to the gateway by using normal SLB operation.
• Traffic flows from the Internet to the client network: Server traffic returning from the
  gateway is redirected by the ACOS device to the security device in the reverse direction
  by using the redirect-rev command.


The security device is an L2 transparent device that preserves the L2 header while processing
the traffic flows. For both scenarios, the L2 header is also preserved for the following traffic
flows:

• Traffic flows between the client and the security device, on interfaces (e1 <-> e2).
• Traffic flows between the security device and the gateway, on interfaces (e3 <-> e4).

FIGURE 4-1: A Single Partition Deployment for SSLi

The single partition SSLi deployment requires the ACOS device to have four interfaces. The
functions of the interfaces are explained in the following list by using the logic of the
traffic flow from the client network to the Internet:

• e1: This interface connects the layer 3 switch and the ACOS device. Traffic from the
  user network is channeled through the layer 3 switch to the ACOS device by using e1.
  An ACL rule is applied at e1 to forward only the relevant traffic that is required to be
  inspected.
• e2: This interface connects the ACOS device and the security device. The decrypted
  traffic is forwarded from e1 to e2 toward the security device by using the redirect-fwd
  command.


• e3: This interface connects the ACOS device and the security device. The inspected
  traffic from the security device is forwarded to the ACOS device by using e3. An ACL
  rule is applied at e3 to forward only the relevant traffic.
• e4: This interface connects the ACOS device and the layer 3 switch toward the Internet.
  The re-encrypted traffic is forwarded to the gateway by using e4.

The redirect-fwd and redirect-rev commands disable MAC learning on the interfaces specified
in these commands and instead forward packets to the specified ethernet port. The
redirect-fwd configuration command redirects the client traffic to the security device. The
redirect-rev configuration command redirects server traffic back to the security device.
See the port command in the “Config Commands: SLB Virtual Servers” section of the Command
Line Interface Reference for more information.

NOTE: To ensure that all traffic is routed to the security device for
inspection, you must define the traffic flow with respect to port-
0-tcp, port-0-udp, and port-0-others as shown in the following
configuration examples. Undefined traffic flows bypass the secur-
ity device. Instead, configure SSLi Bypass to govern traffic that is
not required to be inspected. See Bypass, Inspect, and Exception.

Deployment Types
In a single partition deployment, two types are supported; they are described in the
subsequent sections:

• L2 deployment with tagged VLANs
• L2 deployment with untagged VLANs

Tagged ports can be members of multiple VLANs. The port can recognize the VLAN to which a
packet belongs based on the VLAN tag included in the packet. In the deployment scenario
involving tagged VLANs, you can specify multiple VLANs for traffic inspection. All the ports of
the security device are tagged.

Untagged ports can belong to only a single VLAN. By default, all Ethernet data ports are
untagged members of a default VLAN.


If there is only one VLAN, whether tagged or untagged, Source-NAT is supported if the
Source-NAT pool belongs to the same subnet as the VEs.

L2 Deployment with Tagged VLANs


FIGURE 4-2 (L2 Deployment with Tagged VLANs) shows an example of an SSLi L2 deployment
that uses tagged VLANs. In this example, traffic from tagged VLANs 10 and 20 is inspected by
the security device. To understand how the traffic flows in this deployment, see FIGURE 4-2.

FIGURE 4-2: L2 Deployment with Tagged VLANs

CLI Configuration

The following sections describe how to configure SSLi for this deployment by using the ACOS
CLI. The work-flow includes the following steps:

Step 1: Initial Configuration 44

Step 2: Configuring the Network VLANs 44

Step 3: Configuring the SSLi Services 45

Step 4: Configuring Network IP Addresses 47

Step 5: Configuring the Security Device 48


Step 6: Configuring Handling of Incoming Traffic 49

Step 7: Configuring Handling of Outgoing Traffic 50

Consolidated Configuration 51

Step 1: Initial Configuration


1. Enter the configuration mode for the ACOS device:

ACOS>
ACOS>enable
Password:
ACOS#config
ACOS(config)#

The configuration mode is denoted by the ACOS(config)# prompt.

2. (Applicable to deployments using vThunder) The single-partition configuration for SSLi
requires VE MAC address assignment changes, and because vThunder does not support VE
MAC address assignment scheme changes in non-promiscuous mode, you must enable
promiscuous mode:
ACOS(config)# system promiscuous-mode

3. To avoid duplicate MAC addresses on the shared VLAN, add the global command system
ve-mac-scheme system-mac:
ACOS(config)# system ve-mac-scheme system-mac

4. Assign an IP address and default gateway to the management interface:


ACOS(config)# interface management
ACOS(config-if:management)# ip address 10.101.7.103 255.255.252.0
ACOS(config-if:management)# ip default-gateway 10.101.4.1
ACOS(config-if:management)# exit

Step 2: Configuring the Network VLANs


1. Configure VLAN 10. Bind ethernet ports 1 to 4 to VLAN 10. Also, bind a virtual interface
VE 10 to VLAN 10.
ACOS(config)# vlan 10
ACOS(config-vlan:10)# tagged ethernet 1 to 4
ACOS(config-vlan:10)# router-interface ve 10
ACOS(config-vlan:10)# exit

2. Configure VLAN 20. Bind ethernet port 1 to 4 to VLAN 20. Also, bind a virtual interface
VE 20 to VLAN 20.
ACOS(config)# vlan 20


ACOS(config-vlan:20)# tagged ethernet 1 to 4


ACOS(config-vlan:20)# router-interface ve 20
ACOS(config-vlan:20)# exit

3. Enable the ethernet interfaces 1 to 4 on the ACOS device that are associated with the
VLANs:
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit
ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# exit
ACOS(config)# interface ethernet 3
ACOS(config-if:ethernet:3)# enable
ACOS(config-if:ethernet:3)# exit
ACOS(config)# interface ethernet 4
ACOS(config-if:ethernet:4)# enable
ACOS(config-if:ethernet:4)# exit

4. Verify the operational state of the interfaces by running the show interfaces command.
ACOS(config)# show interfaces brief

Step 3: Configuring the SSLi Services


1. Configure a cipher settings template called cl_cipher_template. This template is asso-
ciated with the SSL client template.
ACOS(config)# slb template cipher cl_cipher_template
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# TLS1_RSA_AES_256_GCM_SHA384
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA256
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# exit

2. Configure a cipher settings template called sr_cipher_template. This template is asso-


ciated with the SSL server template.
ACOS(config)# slb template cipher sr_cipher_template
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_RSA_AES_128_GCM_SHA256


ACOS(config-cipher)# TLS1_RSA_AES_256_GCM_SHA384
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA256
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# exit

3. Create a server SSL template called sr_ssl so that the VIP on the SSLi device can operate
as an SSL client and handshake with an external server. Enable forward proxy services on
the template to enable SSLi operation on the VIP. Associate the sr_cipher_template with
the server SSL template.
ACOS(config)# slb template server-ssl sr_ssl
ACOS(config-server ssl)# forward-proxy-enable
ACOS(config-server ssl)# cipher sr_cipher_template
ACOS(config-server ssl)# exit

4. Traffic selected to be forwarded to the security device is governed by the redirect-fwd
configuration. All the IP traffic passing the vport that has the redirect-fwd command
configured is redirected to the security device. Configure the client SSL template to
provide the attributes that enable SSLi, and specify the SSLi self-signed certificate and
private key. Associate the cl_cipher_template with the client SSL template.
ACOS(config)# slb template client-ssl cl_ssl
ACOS(config-client ssl)# template cipher cl_cipher_template
ACOS(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS(config-client ssl)# forward-proxy-enable

5. Within the client SSL template, disable OCSP Stapling for SSL forward proxy.

ACOS(config-client ssl)# forward-proxy-ocsp-disable

6. Within the client SSL template, disable Certificate Revocation List (CRL) services for
SSLi (forward-proxy).

ACOS(config-client ssl)# forward-proxy-crl-disable

7. Within the client SSL template, disable support for SSLv3.

ACOS(config-client ssl)# disable-sslv3


ACOS(config-client ssl)# exit

8. Configure an ACL called ssli_in for incoming traffic to the ACOS device. Configure the


ACL to permit IP traffic from any source to any destination for VLAN 10 and VLAN 20 on
the interface Ethernet 1:
ACOS(config)# access-list 190 remark ssli_in
ACOS(config)# access-list 190 permit ip any any vlan 10 ethernet 1
ACOS(config)# access-list 190 permit ip any any vlan 20 ethernet 1

9. Configure an ACL for dropping traffic called block_quic. Configure the ACL to drop
UDP-based traffic from any source to any destination on ports 80 and 443. If the traffic
is IP-based, it is allowed to be forwarded.
ACOS(config)# access-list 191 remark block_quic
ACOS(config)# access-list 191 deny udp any any eq 80
ACOS(config)# access-list 191 deny udp any any eq 443
ACOS(config)# access-list 191 permit ip any any

10. Configure an ACL for outgoing traffic from the ACOS device called ssli_out. Configure
the ACL to permit IP traffic from any source to any destination for VLAN 10 and VLAN
20 on the interface Ethernet 3:
ACOS(config)# access-list 192 remark ssli_out
ACOS(config)# access-list 192 permit ip any any vlan 10 ethernet 3
ACOS(config)# access-list 192 permit ip any any vlan 20 ethernet 3
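As an added illustration, not part of this guide or of any A10 tooling, the following Python script models first-match evaluation of the three access lists configured in steps 8 to 10, so that you can check which flows each ACL selects before binding it. It assumes the implicit deny at the end of an access list and a simplified packet model (protocol, destination port, VLAN, ingress port); the ACL text and the sample packets are constructed from this step. UDP 443 carries QUIC, which SSLi cannot decrypt, so block_quic makes browsers fall back to TLS over TCP, which ACL 190 then selects for inspection.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed, simplified view of a flow: protocol, destination port,
    VLAN ID and the ACOS port it arrived on (assumption: this is all the
    ACL syntax used in Step 3 needs)."""
    proto: str                      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None  # None for protocols without ports
    vlan: Optional[int] = None
    iface: Optional[str] = None     # e.g. "ethernet 1"


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    dst_port: Optional[int] = None  # from "eq <port>"; None = any port
    vlan: Optional[int] = None      # from "vlan <id>"
    iface: Optional[str] = None     # from "ethernet <n>"


def parse_acls(config_text: str) -> Dict[int, List[Rule]]:
    """Parse 'access-list <n> permit|deny <proto> any any [eq P] [vlan V ethernet E]'
    lines into ordered rule lists keyed by ACL number; remark lines are skipped."""
    acls: Dict[int, List[Rule]] = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] == "remark":
            continue
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        if tokens[4:6] != ["any", "any"]:
            raise ValueError(f"only 'any any' source/destination is modelled: {line}")
        fields = {}
        i = 6
        while i < len(tokens):
            key, value = tokens[i], tokens[i + 1]
            if key == "eq":
                fields["dst_port"] = int(value)
            elif key == "vlan":
                fields["vlan"] = int(value)
            elif key == "ethernet":
                fields["iface"] = f"ethernet {value}"
            else:
                raise ValueError(f"unsupported ACL keyword {key!r}: {line}")
            i += 2
        acls.setdefault(number, []).append(Rule(action, proto, **fields))
    return acls


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field that is None is a wildcard; everything else must match exactly."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.vlan is not None and rule.vlan != pkt.vlan:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the first matching rule, or None (the implicit deny at the end of an ACL)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return index
    return None


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Action the ACL takes for the packet: the first matching rule wins."""
    index = first_match(rules, pkt)
    return rules[index].action if index is not None else "deny"


# Constructed from the three ACLs in Step 3 (ssli_in, block_quic, ssli_out).
ACL_CONFIG = """
access-list 190 remark ssli_in
access-list 190 permit ip any any vlan 10 ethernet 1
access-list 190 permit ip any any vlan 20 ethernet 1
access-list 191 remark block_quic
access-list 191 deny udp any any eq 80
access-list 191 deny udp any any eq 443
access-list 191 permit ip any any
access-list 192 remark ssli_out
access-list 192 permit ip any any vlan 10 ethernet 3
access-list 192 permit ip any any vlan 20 ethernet 3
"""

if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    samples = [  # constructed sample flows
        Packet("udp", 443, vlan=10, iface="ethernet 1"),   # QUIC: dropped by ACL 191
        Packet("tcp", 443, vlan=10, iface="ethernet 1"),   # TLS over TCP: inspected
        Packet("tcp", 443, vlan=30, iface="ethernet 1"),   # VLAN 30 is not in ACL 190
        Packet("icmp", None, vlan=10, iface="ethernet 1"),
    ]
    for pkt in samples:
        print(pkt, "acl190:", evaluate(acls[190], pkt), "acl191:", evaluate(acls[191], pkt))
```

Adding a VLAN to the inspected set means adding a permit line to both ACL 190 and ACL 192; running the sample flows again after the change shows whether the new VLAN is selected on both the ingress and the egress VIP.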

Step 4: Configuring Network IP Addresses


On each virtual interface, enable promiscuous VIP support. When you enable promiscuous VIP
support on a VE, the option is automatically enabled on each ethernet data port in the VE.
Provision the virtual interfaces to allow promiscuous VIP in order to subject traffic to the
rules enabled on each interface. In addition, for any of the VLANs, assign an IP address and a
default gateway. In this example, the IP address and gateway are assigned to interface ve 10,
which is associated with VLAN 10. Additionally, bind ACL 191 to the interfaces.
ACOS(config)# interface ve 10
ACOS(config-if:ve10)# access-list 191 in
ACOS(config-if:ve10)# ip address 1.1.1.1 255.255.255.0
ACOS(config-if:ve10)# ip allow-promiscuous-vip
ACOS(config-if:ve10)# exit

ACOS(config)# interface ve 20
ACOS(config-if:ve20)# access-list 191 in
ACOS(config-if:ve20)# ip allow-promiscuous-vip
ACOS(config-if:ve20)# exit


Step 5: Configuring the Security Device


1. Configure a server GW and its ports.
ACOS(config)# slb server GW 1.1.1.254
ACOS(config-real server)# port 0 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 0 udp


ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 443 tcp


ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 8080 tcp


ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

2. Configure the server service group called GW_TCP_0 of type TCP. Associate GW and port 0
with the service group.
ACOS(config)# slb service-group GW_TCP_0 tcp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# exit

3. Configure the server service group called GW_TCP_8080 of type TCP. Associate GW and
port 443 with the service group.
ACOS(config)# slb service-group GW_TCP_8080 tcp
ACOS(config-slb svc group)# member GW 443
ACOS(config-slb svc group-member:443)# exit
ACOS(config-slb svc group)# exit

4. Configure the server service group called SSLi_TCP_443 of type TCP. Associate GW and
port 8080 with the service group.
ACOS(config)# slb service-group SSLi_TCP_443 tcp
ACOS(config-slb svc group)# member GW 8080
ACOS(config-slb svc group-member:8080)# exit
ACOS(config-slb svc group)# exit

5. Configure the server service group called SSLi_TCP_0 of type TCP. Associate GW and


port 0 with the service group.
ACOS(config)# slb service-group SSLi_TCP_0 tcp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

6. Configure the server service group called SSLi_UDP_0 of type UDP. Associate GW and
port 0 with the service group.
ACOS(config)# slb service-group SSLi_UDP_0 udp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

7. Configure the server service group called GW_UDP_0 of type UDP. Associate GW and port
0 with the service group.
ACOS(config)# slb service-group GW_UDP_0 udp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

Step 6: Configuring Handling of Incoming Traffic


1. Create the wildcard VIP called SSLi_in_ingress at IP address 0.0.0.0 to handle traffic
from the client network to the ACOS device. The ACL 190 is bound to the wildcard VIP.
ACOS(config)# slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190

2. Associate port 0 of type TCP with service group SSLi_TCP_0. Disable destination NAT.
Within the virtual server command level, use the redirect-fwd command to select the
forward direction for steering the IP traffic from the client destined for the security
device through ethernet 2. Use the use-rcv-hop-for-resp command to send reply
traffic for the session back through the same hop where the traffic was received.
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group SSLi_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# exit

3. Within the virtual server command level, associate port 443 of type HTTPS with the
service group SSLi_TCP_443 and the client SSL template cl_ssl. Disable destination NAT.
Use the redirect-fwd command to select the forward direction for steering the decrypted
traffic to the security device through ethernet 2. Use the use-rcv-hop-for-resp command
to send reply traffic for the session back through the same hop where the traffic was
received.
ACOS(config-slb vserver)# port 443 https
ACOS(config-slb vserver-vport)# service-group SSLi_TCP_443
ACOS(config-slb vserver-vport)# template client-ssl cl_ssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# exit

4. Enable similar configurations for the other ports.
ACOS(config-slb vserver)# port 0 udp
ACOS(config-slb vserver-vport)# service-group SSLi_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 0 others
ACOS(config-slb vserver-vport)# service-group SSLi_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit
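The NOTE in the Architecture section warns that any flow type without a port-0-tcp, port-0-udp, or port-0-others vport bypasses the security device. The following Python linter, an added example that is not part of this guide or of ACOS, parses wildcard-VIP blocks in running-config layout (an assumption; the interactive prompts shown in the steps are not parsed) and reports vports that are missing, that carry a redirect other than the expected one, or that lack no-dest-nat or use-rcv-hop-for-resp. The sample configuration is constructed: SSLi_in_ingress mirrors Step 6, while SSLi_out_ingress is deliberately incomplete so that the findings are visible.

```python
import re
from typing import Dict, List, Optional

# Every wildcard VIP must carry these three vports: a flow type without one is
# handled by ordinary forwarding and never reaches the security device.
REQUIRED_VPORTS = {("0", "tcp"), ("0", "udp"), ("0", "others")}


def parse_virtual_servers(config_text: str) -> Dict[str, dict]:
    """Parse 'slb virtual-server <name> <ip> acl <n>' blocks and their indented
    'port <num> <type>' sub-blocks (running-config layout, assumed here)."""
    servers: Dict[str, dict] = {}
    current_vs: Optional[dict] = None
    current_opts: Optional[List[str]] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        vs = re.match(r"slb virtual-server (\S+) (\S+) acl (\d+)$", line)
        if vs:
            current_vs = {"name": vs.group(1), "acl": int(vs.group(3)), "vports": {}}
            servers[vs.group(1)] = current_vs
            current_opts = None
            continue
        vport = re.match(r"port (\S+) (\S+)$", line)
        if vport and current_vs is not None:
            key = (vport.group(1), vport.group(2))
            current_opts = current_vs["vports"].setdefault(key, [])
            continue
        if current_opts is not None:
            current_opts.append(line)          # option line of the current vport
    return servers


def lint_virtual_server(vs: dict, expected_redirect: str) -> List[str]:
    """Findings for one wildcard VIP; an empty list means every flow type is
    steered to the security device with the expected redirect command."""
    findings: List[str] = []
    name, vports = vs["name"], vs["vports"]
    for port, proto in sorted(REQUIRED_VPORTS):
        if (port, proto) not in vports:
            findings.append(f"{name}: missing 'port {port} {proto}' vport, "
                            "that traffic bypasses the security device")
    for (port, proto), opts in vports.items():
        label = f"{name} port {port} {proto}"
        if not any(o.startswith("service-group ") for o in opts):
            findings.append(f"{label}: no service-group bound")
        if expected_redirect not in opts:
            findings.append(f"{label}: expected '{expected_redirect}'")
        if not any(o.startswith("no-dest-nat") for o in opts):
            findings.append(f"{label}: destination NAT is not disabled")
        if "use-rcv-hop-for-resp" not in opts:
            findings.append(f"{label}: use-rcv-hop-for-resp is missing")
    return findings


def lint_ssli_config(config_text: str, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Lint every wildcard VIP; 'expected' maps a VIP name to its redirect command."""
    return {name: lint_virtual_server(vs, expected[name])
            for name, vs in parse_virtual_servers(config_text).items()}


# Constructed sample: SSLi_in_ingress is complete, SSLi_out_ingress deliberately
# lacks the UDP and others vports and points its TCP redirect at the wrong port.
SAMPLE_CONFIG = """
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
  port 0 tcp
    service-group SSLi_TCP_0
    no-dest-nat
    use-rcv-hop-for-resp
    redirect-fwd ethernet 2
  port 443 https
    service-group SSLi_TCP_443
    template client-ssl cl_ssl
    no-dest-nat port-translation
    use-rcv-hop-for-resp
    redirect-fwd ethernet 2
  port 0 udp
    service-group SSLi_UDP_0
    use-rcv-hop-for-resp
    redirect-fwd ethernet 2
    no-dest-nat
  port 0 others
    service-group SSLi_UDP_0
    use-rcv-hop-for-resp
    redirect-fwd ethernet 2
    no-dest-nat
slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192
  port 0 tcp
    service-group GW_TCP_0
    no-dest-nat
    use-rcv-hop-for-resp
    redirect-rev ethernet 2
"""

# Ingress VIP steers forward traffic out e2, egress VIP steers return traffic out e3.
EXPECTED_REDIRECT = {"SSLi_in_ingress": "redirect-fwd ethernet 2",
                     "SSLi_out_ingress": "redirect-rev ethernet 3"}

if __name__ == "__main__":
    for vip, findings in lint_ssli_config(SAMPLE_CONFIG, EXPECTED_REDIRECT).items():
        print(vip, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running the linter against the output of show running-config after each change to the wildcard VIPs catches the two mistakes that silently reduce inspection coverage: a flow type without a port-0 vport, and a redirect that steers traffic to the wrong ethernet port.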

Step 7: Configuring Handling of Outgoing Traffic

1. Create the wildcard VIP called SSLi_out_ingress at IP address 0.0.0.0 to handle traffic
that returns from the security device and is destined for the outside network. ACL 192,
which matches traffic arriving on ethernet 3, is bound to the wildcard VIP.
ACOS(config)# slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192

2. Associate port 0 of type TCP with service group GW_TCP_0. Disable destination NAT.
Within the virtual port command level, use the redirect-rev command to steer the
reverse-direction (reply) layer 2 traffic back toward the security device through
ethernet 3. Use the use-rcv-hop-for-resp command to send reply traffic for the session
back through the same hop where the traffic was received.
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group GW_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# exit

3. Associate port 443 of type TCP with service group GW_TCP_0. Disable destination NAT (the
Consolidated Configuration uses plain no-dest-nat for this port). As for port 0, use
redirect-rev to steer reverse-direction traffic back toward the security device through
ethernet 3, and use-rcv-hop-for-resp to send reply traffic for the session back through the
same hop where the traffic was received.
ACOS(config-slb vserver)# port 443 tcp
ACOS(config-slb vserver-vport)# service-group GW_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# exit

4. Enable similar configurations for the other ports. The port 8080 HTTP virtual port is the
re-encryption point: it receives the decrypted traffic back from the security device and,
through the server SSL template sr_ssl, opens a new TLS session to the origin server on port
443 (the member of GW_TCP_8080 is GW port 443).

ACOS(config-slb vserver)# port 0 udp
ACOS(config-slb vserver-vport)# service-group GW_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 0 others
ACOS(config-slb vserver-vport)# service-group GW_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# service-group GW_TCP_8080
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# template server-ssl sr_ssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# exit

Consolidated Configuration
ACOS(config)# show run
!Current configuration: 2593 bytes
!Configuration last updated at 17:01:10 PDT Fri May 19 2017
!Configuration last saved at 14:15:38 PDT Wed May 17 2017
!64-bit Advanced Core OS (ACOS) version 4.1.1-P3, build 28 (May-12-2017,04:15)
!
access-list 190 remark ssli_in
!
access-list 190 permit ip any any vlan 10 ethernet 1
!
access-list 190 permit ip any any vlan 20 ethernet 1
!
access-list 191 remark block_quic
!
access-list 191 deny udp any any eq 80
!
access-list 191 deny udp any any eq 443
!
access-list 191 permit ip any any
!
access-list 192 remark ssli_out
!
access-list 192 permit ip any any vlan 10 ethernet 3
!
access-list 192 permit ip any any vlan 20 ethernet 3
!
multi-config enable
!
system ve-mac-scheme system-mac
!
vlan 10
tagged ethernet 1 to 4
router-interface ve 10
!
vlan 20
tagged ethernet 1 to 4
router-interface ve 20
!
interface management
ip address 10.101.7.103 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ethernet 3
enable
!
interface ethernet 4
enable
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!
interface ethernet 8
!
interface ve 10
access-list 191 in
ip address 1.1.1.1 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
access-list 191 in
ip allow-promiscuous-vip
!
!
ip route 0.0.0.0 /0 1.1.1.254
!
slb template cipher cl_cipher_template
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
user-tag Security,ssli_in
!
slb template cipher sr_cipher_template
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
user-tag Security,ssli_out
!
slb template server-ssl sr_ssl
forward-proxy-enable
template cipher sr_cipher_template
!
slb server GW 1.1.1.254
user-tag Security,ssli_in
port 0 tcp
health-check-disable
user-tag Security,ssli_in_srv_port_0_tcp
port 0 udp
health-check-disable
user-tag Security,ssli_in_srv_port_0_udp
port 443 tcp
health-check-disable
user-tag Security,ssli_in_srv_port_443_tcp
port 8080 tcp
health-check-disable
user-tag Security,ssli_in_srv_port_8080_tcp
!
slb service-group GW_TCP_0 tcp
member GW 0
!
slb service-group GW_TCP_8080 tcp
member GW 443
!
slb service-group GW_UDP_0 udp
member GW 0
!
slb service-group SSLi_TCP_0 tcp
member GW 0
!
slb service-group SSLi_TCP_443 tcp
member GW 8080
!
slb service-group SSLi_UDP_0 udp
member GW 0
!
slb template client-ssl cl_ssl
template cipher cl_cipher_template
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-ocsp-disable
forward-proxy-crl-disable
forward-proxy-enable
disable-sslv3
!
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
port 0 tcp
service-group SSLi_TCP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 udp
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 others
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 443 https
service-group SSLi_TCP_443
use-rcv-hop-for-resp
redirect-fwd ethernet 2
template client-ssl cl_ssl
no-dest-nat port-translation
!
slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192
port 0 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 udp
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 others
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 443 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 8080 http
service-group GW_TCP_8080
use-rcv-hop-for-resp
redirect-rev ethernet 3
template server-ssl sr_ssl
no-dest-nat port-translation
!
end

GUI Configuration

This section describes how to configure SSLi for this deployment by using the ACOS GUI.

The following topics are covered:

Step 1: Configuring the Network VLANs
Step 2: Configuring the SSLi Services
Step 3: Configuring the VIPs
Step 4: Configuring the Security Device
Step 5: Configuring Handling of Incoming Traffic
Step 6: Configuring Handling of Outgoing Traffic

Step 1: Configuring the Network VLANs


In this section, first create the VLANs 10 and 20 and the interfaces e1, e2, e3, and e4. Asso-
ciate the e1, e2, e3, and e4 interfaces with the VLANs. Finally, enable the interfaces.

To create the VLANs:

1. Navigate to Network > VLAN.


2. Click Create.
The Create VLAN page is displayed.

3. Enter the following details to create VLAN 10.

VLAN ID: 10

Name: VLAN10
4. Select Create Virtual Interface. For Tagged Ethernet, select 1,2,3, and 4.
5. Click Create VLAN.
VLAN10 is created.

6. Similarly follow the above steps to create VLAN 20.

The tagged VLANs are created. You must now enable the interfaces associated with the
VLANs.

To enable the network interfaces associated with the tagged VLANs:

1. Navigate to Network > Interfaces.


2. Select e1, e2, e3, and e4.
3. Click Enable to enable the interfaces.
The icons for the interfaces change to a green up-arrow.

You can now proceed to configuring the SSLi services.

Step 2: Configuring the SSLi Services


In this section, create the two cipher templates to be associated with the SSL templates.
Next, create the server SSL and client SSL templates. Associate the client cipher template
with the client SSL template and the server cipher template with the server SSL template.
Finally, create the ACLs that select incoming traffic, select outgoing traffic, and drop UDP
ports 80 and 443 so that QUIC sessions, which would bypass inspection, cannot be established.

Creating the Client and Server Cipher Templates


A cipher template contains a list of ciphers. A client or server that connects to a virtual
port can use only the ciphers listed in the template. A cipher template must be bound to a
client or server SSL template. Note that the TLS1_RSA_* suites in this example use RSA key
exchange and therefore provide no forward secrecy; trim the list to what your policy allows.

1. Navigate to ADC > Templates > SSL.


2. Select Create > SSL Cipher.
The Create SSL Cipher Template is displayed.

3. Enter the name as cl_cipher_template.
l For Cipher Config, click Add.
l For Cipher Suite, select TLS1_RSA_AES_128_SHA.

4. Add the following ciphers by clicking Add for each cipher and selecting the appropriate
one from the drop-down menu, so that the template matches cl_cipher_template in the
Consolidated Configuration:
l TLS1_RSA_AES_256_SHA
l TLS1_RSA_AES_128_GCM_SHA256
l TLS1_RSA_AES_256_GCM_SHA384
l TLS1_ECDHE_RSA_AES_128_SHA
l TLS1_ECDHE_RSA_AES_256_SHA
l TLS1_ECDHE_RSA_AES_128_SHA256
l TLS1_ECDHE_RSA_AES_128_GCM_SHA256

NOTE: Priority values are supported only for client-SSL templates. If a cipher template is
used by a server-SSL template, the priority values in the cipher template are ignored. In
this example, since all the ciphers have equal priority, ACOS selects the strongest available
cipher.

5. Click Create.

The cl_cipher_template cipher template is created.


6. Repeat the procedure to create a server cipher template called sr_cipher_template,
configured with the same eight ciphers as sr_cipher_template in the Consolidated
Configuration:
l TLS1_RSA_AES_128_SHA
l TLS1_RSA_AES_256_SHA
l TLS1_RSA_AES_128_GCM_SHA256
l TLS1_RSA_AES_256_GCM_SHA384
l TLS1_ECDHE_RSA_AES_128_SHA
l TLS1_ECDHE_RSA_AES_256_SHA
l TLS1_ECDHE_RSA_AES_128_SHA256
l TLS1_ECDHE_RSA_AES_128_GCM_SHA256

Proceed to create the client SSL template and the server SSL template and associate each
with the correct SSL cipher template.

Creating the Client SSL Template

1. Navigate to Security > SSLi > Templates.


2. Select Create > Client SSL.
The Create Client SSL Template is displayed.
3. For Name, enter cl_ssl.
4. Under the Basic tab, select Forward Proxy Enable for SSLi.
5. For SSLi Forward Proxy CA Cert, select your appropriate certificate.
6. For SSLi Forward Proxy CA Key, select your appropriate key.

7. Under Ciphers, select Template. From the drop-down menu, select cl_cipher_tem-
plate.

NOTE: You created the client cipher template in Creating the Client and Server Cipher
Templates.

8. Under the Advanced tab, select Forward Proxy OCSP Disable and the option that corresponds
to forward-proxy-crl-disable, matching the Consolidated Configuration. With both disabled,
the forward proxy does not check whether an external server's certificate has been revoked;
in production keep at least one of them on unless revocation is checked elsewhere.


9. Click OK to create the client SSL template.

Creating the Server SSL Template

1. Navigate to Security > SSLi > Templates.

2. Select Create > Server SSL.


The Create Server SSL Template is displayed.
3. For Name, enter sr_ssl.
4. Select SSL Forward Proxy Enable.

5. For Cipher, select Template.


From the drop-down menu, select sr_cipher_template.

NOTE: You had already created the server cipher template in Creat-
ing the Client and Server Cipher Templates.

6. Click Create.
The server SSL template is created.

Creating an ACL
You must create three ACLs to govern three types of traffic: incoming traffic (ACL 190),
traffic to be dropped (ACL 191), and outgoing traffic (ACL 192). To create ACL 190 for
incoming traffic:

1. Navigate to Security > Access List > Extended.


2. Click Create.
The Create Extended Access List page is displayed.
3. For ID, enter 190.
4. For Sequence number, enter 1.
5. Select Remark.
6. For Remark, enter ssli_in.
7. Select Create.
The ACL 190 is created.

You can now add rules to the ACL.

Adding Rules to an ACL


To add a rule to ACL 190 that permits IP traffic on VLAN 10 arriving on e1:

1. Select ACL 190 and click Add New Rule.


2. Enter the Sequence Number as 2.
3. Select Entry.
4. For Action, select Permit.
5. For Service, select Protocol and IP.
6. For Source Address, select Source Address and Any.
7. For Destination Address, select Destination Address and Any.
8. For Match Type, select VLAN.
9. Enter VLAN value as 10.
10. For Interface Type, select Ethernet.
11. Select the Ethernet number from the drop down as 1.
12. Click Create.
A new rule is added to ACL 190.

Repeat the procedure to add a second rule to ACL 190 that permits IP traffic on VLAN 20
arriving on e1.

Similarly, create ACL 191 and ACL 192.

The configuration statements are provided for reference:


access-list 191 remark block_quic
!
access-list 191 deny udp any any eq 80
!
access-list 191 deny udp any any eq 443
!
access-list 191 permit ip any any
!
access-list 192 remark ssli_out
!
access-list 192 permit ip any any vlan 10 ethernet 3
!
access-list 192 permit ip any any vlan 20 ethernet 3

You can now bind the ACLs to the VEs and to the VIPs.

Step 3: Configuring the VIPs


The virtual Ethernet interfaces VE 10 and VE 20 were created together with the VLANs in
Step 1: Configuring the Network VLANs. This section sets their IP address, binds ACL 191, and
enables promiscuous VIP support so that the wildcard VIPs see the traffic on these interfaces.

1. Navigate to Network > Interfaces > Virtual Ethernets.


2. Select 10 and click Edit.
3. Under IP, enter the IP address 1.1.1.1 with the netmask 255.255.255.0 (the CLI equivalent
is ip address 1.1.1.1 255.255.255.0).
4. Enable Allow Promiscuous VIP.
5. Select Access List as 191.
You created the Access List in Creating an ACL.
6. Click Update.
Interface VE 10 is updated.
7. Select VE 20 and click Edit.
8. Select Access List as 191.
9. Enable Allow Promiscuous VIP.
10. Click Update.
Interface VE 20 is updated.

You are now ready to define the real server and its ports.

Step 4: Configuring the Security Device


In this section, first create the real server GW. Then, create service groups and associate the
real server and a port to each of the service groups.

Creating the Real Server and its Ports


To create the real server GW and its ports:

1. Navigate to ADC > SLB > Servers.

2. Click Create and configure the following real server settings:


l Name: GW
l Type: IPv4
l Host: 1.1.1.254
l Action: Enable

3. Select Disable Health Check.


4. Under Port, click Create, and configure the following port settings:
l Port Number: 0
l Protocol: TCP
l Select Disable Health Check.
5. Click Create.
Port 0 of type TCP is now associated with GW.
6. Similarly, associate the following ports with GW, each with Disable Health Check selected:
l Port 0 of type UDP.
l Port 443 of type TCP.
l Port 8080 of type TCP.
7. Click Update to create the real server GW.

Proceed to creating the service groups.

Creating the Service Groups


To create and associate the service group GW_TCP_0 with GW and port 0:

1. Navigate to ADC > SLB > Service Groups.


2. Click Create and configure the following settings:
l Name: GW_TCP_0
l Protocol: TCP
3. Under Member, select Create.
The Create Member page is displayed.
4. Under Choose Creation Type, select Existing Server.
5. For Server, select GW from the drop-down menu.
6. For Port, select 0.
7. Select State as Enable.
8. Click Create.
GW and port 0 are now associated with the service group GW_TCP_0 tcp.

9. Repeat the procedure to create the remaining service groups, with the members shown in
the Consolidated Configuration:
l Service group GW_TCP_8080 of type TCP. Associate GW and port 443 with this service group
(this is the re-encryption path back to the origin server).
l Service group SSLi_TCP_443 of type TCP. Associate GW and port 8080 with this service group
(decrypted traffic is handed to the security device on port 8080).
l Service group SSLi_TCP_0 of type TCP. Associate GW and port 0 with this service group.
l Service group SSLi_UDP_0 of type UDP. Associate GW and port 0 with this service group.
l Service group GW_UDP_0 of type UDP. Associate GW and port 0 with this service group.

Step 5: Configuring Handling of Incoming Traffic


Create a virtual server for incoming traffic called SSLi_in_ingress.

1. Navigate to ADC > SLB > Virtual Servers.


2. Click Create.
The Create Virtual Server page is displayed.
3. For Name, enter SSLi_in_ingress, and configure the following:
a. Select Wildcard.
b. For Address Type, select IPv4.
c. For Action, select Enable.
d. For Access List, select 190.
4. Under Virtual Port, click Create.
The Create Virtual Port page is displayed. Configure the following:
a. For Protocol, select TCP.
b. For Port, select 0.
c. For Action, select Enable.
d. For Service Group, select SSLi_TCP_0.

13. Expand General Fields and select the following:

64
Chapter 4: Single Partition Deployment
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

l No Dest NAT
l Use Rcv Hop For Resp
l For Redirect Forward, select Ethernet
14. Click Create.
The Virtual Port is created and added to the virtual server.

15. Similarly, create and add ports of the following properties:


port 0 udp
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 others
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 443 https
service-group SSLi_TCP_443
use-rcv-hop-for-resp
redirect-fwd ethernet 2
template client-ssl cl_ssl
no-dest-nat port-translation

Step 6: Configuring Handling of Outgoing Traffic


Create a virtual server for outgoing traffic called SSLi_out_ingress.

1. Navigate to ADC > SLB > Virtual Servers.


2. Click Create.
The Create Virtual Server page is displayed.

3. For Name, enter SSLi_out_ingress, and configure the following:


a. Select Wildcard.
b. For Address Type, select IPv4.
c. For Action, select Enable.
d. For Access List, select 192.

4. Under Virtual Port, click Create.
The Create Virtual Port page is displayed. Configure the following:
a. For Protocol, select TCP.
b. For Port, select 0.
c. For Action, select Enable.
d. For Service Group, select GW_TCP_0.

5. Expand General Fields and select the following:
a. No Dest NAT.
b. Use Rcv Hop For Resp.
c. For Redirect Reverse, select Ethernet, and then select 3.
6. Click Create.
The Virtual Port is created and added to the virtual server.

7. Similarly, create and add ports of the following properties:


port 0 udp
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 others
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 443 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 8080 http
service-group GW_TCP_8080
use-rcv-hop-for-resp
redirect-rev ethernet 3
template server-ssl sr_ssl
no-dest-nat port-translation
8. Finally, click Update to complete creating the virtual server.

L2 Deployment with Untagged VLANs


FIGURE 4-3 is an example of an SSLi L2 deployment by using untagged VLANs. To understand
how the traffic flows in this deployment, see Architecture.

NOTE: To perform the procedure by using the GUI, see GUI Configuration. Refer to the
Consolidated Configuration while using the GUI for deviations in values and configurations.

FIGURE 4-3: L2 Deployment with Untagged VLANs

CLI Configuration

This section describes how to configure SSLi for this deployment by using the ACOS CLI.

The following topics are covered:

Step 1: Initial Configuration
Step 2: Configuring the Default VLAN
Step 3: Configuring the SSLi Services
Step 4: Configuring Network IP Addresses
Step 5: Configuring the Security Device
Step 6: Configuring Handling of Incoming Traffic
Step 7: Configuring Handling of Outgoing Traffic
Consolidated Configuration

Step 1: Initial Configuration


1. Enter the configuration mode for the ACOS device:

ACOS>
ACOS>enable
Password:
ACOS#config
ACOS(config)#

The configuration mode is denoted by the ACOS(config)# prompt.

2. To avoid a duplicate MAC address because of the VLAN that is shared, add the global
command of system ve-mac-scheme system-mac.
ACOS(config)# system ve-mac-scheme system-mac

3. Assign an IP address and default gateway to the management interface:


ACOS(config)# interface management
ACOS(config-if:management)# ip address 10.101.7.103 255.255.252.0
ACOS(config-if:management)# ip default-gateway 10.101.4.1
ACOS(config-if:management)# exit

Step 2: Configuring the Default VLAN


1. Configure the default VLAN. Bind ethernet ports 1 to 4 to the VLAN. Also, bind a virtual
interface ve to the VLAN. In this example, a default VLAN of 850 is configured.
ACOS(config)# vlan 850
ACOS(config-vlan:850)# untagged ethernet 1 to 4
ACOS(config-vlan:850)# router-interface ve 850
ACOS(config-vlan:850)# exit

2. Enable the ethernet interfaces 1 to 4 on the ACOS device that are associated with the
VLAN:
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit

ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# exit

ACOS(config)# interface ethernet 3
ACOS(config-if:ethernet:3)# enable
ACOS(config-if:ethernet:3)# exit

ACOS(config)# interface ethernet 4
ACOS(config-if:ethernet:4)# enable
ACOS(config-if:ethernet:4)# exit

3. Verify the operational state of the interfaces by running the show interfaces brief
command; ethernet 1 to 4 should be up.
ACOS(config)# show interfaces brief

Step 3: Configuring the SSLi services


1. Configure a cipher settings template called cl_cipher_template. This template is asso-
ciated with the SSL client template.
ACOS(config)# slb template cipher cl_cipher_template
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# TLS1_RSA_AES_256_GCM_SHA384
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA256
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# exit

2. Configure a cipher settings template called sr_cipher_template. This template is
associated with the SSL server template.
ACOS(config)# slb template cipher sr_cipher_template
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# TLS1_RSA_AES_256_GCM_SHA384
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA256
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# exit

3. Create a server SSL template called sr_ssl so that the VIP on the SSLi device can operate
as an SSL client and handshake with an external server. Enable forward proxy services on the
template to enable SSLi operation on the VIP. Associate sr_cipher_template with the server
SSL template.
ACOS(config)# slb template server-ssl sr_ssl
ACOS(config-server ssl)# forward-proxy-enable
ACOS(config-server ssl)# template cipher sr_cipher_template
ACOS(config-server ssl)# exit

4. Configure an SLB template of type TCP.
ACOS(config)# slb template tcp tcp

5. Configure an SLB template of type tcp-proxy.
ACOS(config)# slb template tcp-proxy tcp-proxy

6. Traffic selected to be forwarded to the security device is governed by the redirect-fwd
configuration: all IP traffic passing through a vport that has redirect-fwd configured is
redirected to the security device. Configure the client SSL template to provide the
attributes that enable SSLi and to specify the CA certificate and private key with which the
forward proxy signs the certificates it presents to clients (clients must trust this CA, and
its private key must be protected accordingly). Associate cl_cipher_template with the client
SSL template.
ACOS(config)# slb template client-ssl cl_ssl
ACOS(config-client ssl)# template cipher cl_cipher_template
ACOS(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS(config-client ssl)# forward-proxy-enable

7. Within the client SSL template, disable OCSP stapling for the SSL forward proxy.
ACOS(config-client ssl)# forward-proxy-ocsp-disable

8. Within the client SSL template, disable Certificate Revocation List (CRL) services for
SSLi (forward proxy). With both OCSP and CRL disabled, the forward proxy does not check
whether an external server's certificate has been revoked; in production keep at least one
of them enabled unless revocation is checked elsewhere.
ACOS(config-client ssl)# forward-proxy-crl-disable

9. Within the client SSL template, disable support for SSLv3 and exit the template.
ACOS(config-client ssl)# disable-sslv3
ACOS(config-client ssl)# exit

10. Configure the ACL to permit IP traffic from any source to any destination for the VLAN
on the interface Ethernet 1:
ACOS(config)# access-list 190 remark ssli_in
ACOS(config)# access-list 190 permit ip any any vlan 850 ethernet 1

11. Configure an ACL for dropping traffic called block_quic. Configure the ACL to drop UDP
traffic from any source to any destination on ports 80 and 443; all other IP traffic is
permitted. Dropping these UDP ports prevents QUIC sessions, which would bypass the TCP-based
SSLi path, from being established, so clients fall back to TCP and are inspected.
ACOS(config)# access-list 191 remark block_quic
ACOS(config)# access-list 191 deny udp any any eq 80
ACOS(config)# access-list 191 deny udp any any eq 443
ACOS(config)# access-list 191 permit ip any any

12. Configure an ACL for outgoing traffic from the ACOS device called ssli_out. Configure
the ACL to permit IP traffic from any source to any destination for the VLAN on the
interface Ethernet 3:
ACOS(config)# access-list 192 remark ssli_out
ACOS(config)# access-list 192 permit ip any any vlan 850 ethernet 3

Step 4: Configuring Network IP Addresses


On the virtual interface 850, enable promiscuous VIP support. When you enable promiscuous
VIP support on a VE, the option is automatically enabled on each Ethernet data port in the VE.
Promiscuous VIP support lets the wildcard VIPs pick up traffic arriving on the interface so
that it is subjected to the rules configured on that interface. In addition, assign an IP
address to the VLAN interface. In this example, the IP address is assigned to interface ve 850
and ACL 191 is bound to the interface.
ACOS(config)# interface ve 850
ACOS(config-if:ve850)# access-list 191 in
ACOS(config-if:ve850)# ip address 1.1.1.1 255.255.255.0
ACOS(config-if:ve850)# ip allow-promiscuous-vip
ACOS(config-if:ve850)# exit

Step 5: Configuring the Security Device


1. Configure the server GW and its ports.
ACOS(config)# slb server GW 1.1.1.254
ACOS(config-real server)# port 0 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 0 udp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 443 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 8080 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

2. Configure the server service group called GW_TCP_0 of type TCP. Associate GW and port 0
with the service group.
ACOS(config)# slb service-group GW_TCP_0 tcp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# exit

3. Configure the server service group called GW_TCP_8080 of type TCP. Associate GW and
port 443 with the service group.
ACOS(config)# slb service-group GW_TCP_8080 tcp
ACOS(config-slb svc group)# member GW 443
ACOS(config-slb svc group-member:443)# exit
ACOS(config-slb svc group)# exit

4. Configure the server service group called SSLi_TCP_443 of type TCP. Associate GW and
port 8080 with the service group.
ACOS(config)# slb service-group SSLi_TCP_443 tcp
ACOS(config-slb svc group)# member GW 8080
ACOS(config-slb svc group-member:8080)# exit
ACOS(config-slb svc group)# exit

5. Configure the server service group called SSLi_TCP_0 of type TCP. Associate GW and
port 0 with the service group.
ACOS(config)# slb service-group SSLi_TCP_0 tcp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

6. Configure the server service group called SSLi_UDP_0 of type UDP. Associate GW and
port 0 with the service group.
ACOS(config)# slb service-group SSLi_UDP_0 udp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

7. Configure the server service group called GW_UDP_0 of type UDP. Associate GW and port
0 with the service group.
ACOS(config)# slb service-group GW_UDP_0 udp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

Step 6: Configuring Handling of Incoming Traffic


1. Create the wildcard VIP called SSLi_in_ingress at IP address 0.0.0.0 to handle traffic
from the client network to the ACOS device. The ACL 190 is bound to the wildcard VIP.
ACOS(config)# slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190

2. Associate port 0 of type TCP with service group SSLi_TCP_0. Disable destination NAT.
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group SSLi_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat

3. Within the virtual port command level, use the redirect-fwd command to select the
forward direction for steering the layer 2 traffic from the client destined for the security
device through ethernet 2. Use the use-rcv-hop-for-resp command to send reply traffic for the
session back through the same hop where the traffic was received.
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# exit

4. Within the virtual port command level, associate port 443 of type HTTPS with the service
group SSLi_TCP_443 and the client SSL template cl_ssl. Disable destination NAT but keep port
translation, because the service group member listens on port 8080 while the virtual port
is 443.
ACOS(config-slb vserver)# port 443 https
ACOS(config-slb vserver-vport)# service-group SSLi_TCP_443
ACOS(config-slb vserver-vport)# template client-ssl cl_ssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation

5. As for port 0, use the redirect-fwd command to steer the decrypted layer 2 traffic from
the client toward the security device through ethernet 2, and use the use-rcv-hop-for-resp
command to send reply traffic for the session back through the same hop where the traffic
was received.
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# exit

6. Enable similar configurations for the other ports.
ACOS(config-slb vserver)# port 0 udp
ACOS(config-slb vserver-vport)# service-group SSLi_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 0 others
ACOS(config-slb vserver-vport)# service-group SSLi_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

Step 7: Configuring Handling of Outgoing Traffic

1. Create the wildcard VIP called SSLi_out_ingress at IP address 0.0.0.0 to handle traffic
from the ACOS device to the outside network. The ACL 192 is bound to the wildcard VIP.
ACOS(config)# slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192

2. Associate port 0 of type TCP with service group GW_TCP_0. Disable destination NAT.
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group GW_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat

3. Within the virtual server command level, use the redirect-rev command to select the
reverse direction for steering the layer 2 traffic from the security device to the ACOS
device through ethernet 3. Use the use-rcv-hop-for-resp command to send reply
traffic for the session back through the same hop where the traffic was received.
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# exit

4. Associate port 443 of type TCP with service group GW_TCP_0. Disable destination NAT.
ACOS(config-slb vserver)# port 443 tcp
ACOS(config-slb vserver-vport)# service-group GW_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat port-translation

5. Within the virtual server command level, use the redirect-rev command to select the
reverse direction for steering the layer 2 traffic from the security device to the ACOS
device through ethernet 3. Use the use-rcv-hop-for-resp command to send reply
traffic for the session back through the same hop where the traffic was received.
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# exit

6. Enable similar configurations for the other ports.
ACOS(config-slb vserver)# port 0 udp
ACOS(config-slb vserver-vport)# service-group GW_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 0 others
ACOS(config-slb vserver-vport)# service-group GW_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# service-group GW_TCP_8080
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# template server-ssl sr_ssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# exit

Consolidated Configuration
TH3230S#show run
!Current configuration: 2333 bytes
!Configuration last updated at 17:03:06 PDT Fri May 19 2017
!Configuration last saved at 14:15:38 PDT Wed May 17 2017
!64-bit Advanced Core OS (ACOS) version 4.1.1-P3, build 28 (May-12-2017,04:15)
!
access-list 190 remark ssli_in
!
access-list 190 permit ip any any vlan 850 ethernet 1
!
access-list 191 remark block_quic
!
access-list 191 deny udp any any eq 80
!
access-list 191 deny udp any any eq 443
!
access-list 191 permit ip any any
!
access-list 192 remark ssli_out
!
access-list 192 permit ip any any vlan 850 ethernet 3
!
multi-config enable
!
!
system ve-mac-scheme system-mac
!
vlan 850
untagged ethernet 1 to 4
router-interface ve 850
!
!
interface management
ip address 10.101.7.103 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ethernet 3
enable
!
interface ethernet 4
enable
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!
interface ethernet 8
!
interface ve 850
access-list 191 in
ip address 1.1.1.1 255.255.255.0
ip allow-promiscuous-vip
!
ip route 0.0.0.0 /0 1.1.1.254
!
slb template cipher cl_cipher_template
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
!
slb template cipher sr_cipher_template
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
!
slb template server-ssl sr_ssl
forward-proxy-enable
template cipher sr_cipher_template
!
slb server GW 1.1.1.254
user-tag Security,ssli_in
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 443 tcp
health-check-disable
port 8080 tcp
health-check-disable
!
slb service-group GW_TCP_0 tcp
member GW 0
!
slb service-group GW_TCP_8080 tcp
member GW 443
!
slb service-group GW_UDP_0 udp
member GW 0
!
slb service-group SSLi_TCP_0 tcp
member GW 0
!
slb service-group SSLi_TCP_443 tcp
member GW 8080
!
slb service-group SSLi_UDP_0 udp
member GW 0
!
slb template client-ssl cl_ssl
template cipher cl_cipher_template
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-ocsp-disable
forward-proxy-crl-disable
forward-proxy-enable
disable-sslv3
!
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
user-tag Security,ssli_in
port 0 tcp
service-group SSLi_TCP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 udp
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 others
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 443 https
service-group SSLi_TCP_443
use-rcv-hop-for-resp
redirect-fwd ethernet 2
template client-ssl cl_ssl
no-dest-nat port-translation
!
slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192
user-tag Security,ssli_out
port 0 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 udp
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 others
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 443 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 8080 http
service-group GW_TCP_8080
use-rcv-hop-for-resp
redirect-rev ethernet 3
template server-ssl sr_ssl
no-dest-nat port-translation
!
end

Chapter 5: Outbound Static Port Type HTTPS
This section provides instructions on configuring SSLi by using an example configuration of
an outbound SSLi with a static port type HTTPS deployment. To implement the configuration,
you can use both the GUI and CLI configuration examples explained in this section.

Although A10 Networks supports various SSLi deployments based on different SSLi features,
the overall steps for configuring SSLi for each deployment are similar.

NOTE: Subsequent sections refer to the procedures documented for Two ACOS Devices, Each
With Single Partition Deployment. It is recommended that you understand the workflow
described in this section, even if your SSLi deployment differs from this example.

The following topics are covered:

Prerequisites 81

Two ACOS Devices, Each With Single Partition Deployment 82

Single ACOS Device With Two Partitions Deployment 105

Single vThunder Device With Two Partitions Deployment 107

Prerequisites
• A10 Networks Advanced Core Operating System (ACOS®) 4.0.1 SP9 or higher. ACOS version
4.1.0 or higher is recommended.
• For single-partition SSLi deployments, ACOS version 4.1.1 or higher is required.
• Supported A10 Thunder or vThunder device(s)
For more information on the supported ACOS devices for deploying SSLi, refer to the
SSLi Technical Specifications document at https://www.a10networks.com/products/ssl-inspection.
• Security appliance or ICAP-based (RFC3507) antivirus or DLP solution
• A self-signed certificate or a certification authority (CA) certificate with a known
private key

NOTE: If not already provisioned, push an internal PKI CA root certificate to all the client
machines.

• The ACOS device supports both CLI and GUI for configuration. Change the default
management port IP address for GUI or CLI access.
• If you are using two separate ACOS devices to deploy SSLi, make sure that both systems
are configured with management addresses. For more information on how to access an ACOS
device, refer to System Configuration and Administration Guide.
• Unless you are using a single ACOS device with a single partition to deploy SSLi, you
require two partitions, one to decrypt SSL traffic and the second to encrypt SSL traffic.
Make sure that you are on the correct partition when creating configurations.
• In a single device solution, use the command system ve-mac-scheme system-mac to support
MAC address duplication.

Two ACOS Devices, Each With Single Partition Deployment
In a static-port type deployment, each intercepted protocol is configured with its own static
virtual port enabled for SSLi. For example, to intercept SMTP running over SSL, the wildcard
VIP configuration includes the command line port 25 ssli where 25 is the port number
identifying SMTP. For static port type SSLi deployment configured to intercept HTTPS traffic,
the wildcard VIP includes the command line port 443 https where port 443 is the port number
identifying HTTPS. In such deployments, only the traffic for the specified protocol is
intercepted. All other SSL and non-SSL traffic is bypassed.

You can configure static port inspection for both inbound and outbound traffic. The
intercepted and decrypted traffic is said to be outbound when it flows from clients in a
private network to the SSL servers on the Internet. If the traffic is intercepted and
decrypted as it flows from the Internet to the client network, it is called inbound. Inbound
and outbound SSLi can also be configured together. In such a deployment, traffic flowing in
both directions is decrypted and re-encrypted. However, the command lines that configure
the inbound virtual servers must go before the command lines that configure the outbound
virtual servers.

Static port inspection is supported for all the three types of SSLi deployments discussed in
Deployments.

FIGURE 5-1: Static Port Type HTTPS in a Two ACOS Device each with Single Partition
Deployment

The following table provides the VLAN IDs, Virtual Ethernet (VE) addresses, and interfaces
used to configure the SSLi network topology illustrated in FIGURE 5-1.

TABLE 5-2 : Details of the SSLi Deployment

Partition      Tagged VLAN   VE IP Address     Ethernet Port Number
ACOS_decrypt   10            10.10.1.2 /24     eth1
ACOS_decrypt   15            10.15.1.2 /24     eth2
ACOS_encrypt   20            20.1.1.2 /24      eth2
ACOS_encrypt   15            10.15.1.12 /24    eth1

In this example, the outbound SSLi with static-port type HTTPS deployment consists of two
ACOS devices, each with a single partition, and the security device set in between. The ACOS
devices are in L3 mode, while the security device is in L2 mode.

The encrypted traffic from the client is passed to the ACOS_decrypt partition. The
ACOS_decrypt partition decrypts the HTTPS traffic and forwards the clear traffic to the
security device. After inspection, the security device passes the clear traffic to the
ACOS_encrypt partition. The ACOS_encrypt partition re-encrypts the HTTPS traffic and passes
it to the external gateway. All other SSL traffic is bypassed.

CLI Configuration

In order to configure SSLi for two ACOS devices each with a single partition deployment, you
must first configure the two partitions, ACOS_decrypt and ACOS_encrypt. Also, for a list of
prerequisites, see Prerequisites.

The following topics are covered:

ACOS_decrypt Configuration 84

ACOS_encrypt Configuration 88

ACOS_decrypt Configuration
Perform the following steps for the ACOS_decrypt partition:

Step 1. Configuring the Network VLANs

1. Create tagged VLANs 10 and 15 on the ethernet 1 and ethernet 2 interfaces respectively.

Enable the interfaces ethernet 1 and 2 by running the following commands:
ACOS_decrypt(config)# interface ethernet 1
ACOS_decrypt(config-if:ethernet:1)# enable
ACOS_decrypt(config-if:ethernet:1)# exit
ACOS_decrypt(config)# interface ethernet 2
ACOS_decrypt(config-if:ethernet:2)# enable
ACOS_decrypt(config-if:ethernet:2)# exit

2. Create a tagged VLAN 10. Bind ethernet 1 to the tagged VLAN 10. Also, bind a virtual
interface VE 10 to VLAN 10.
ACOS_decrypt(config)# vlan 10
ACOS_decrypt(config-vlan:10)# tagged ethernet 1
ACOS_decrypt(config-vlan:10)# router-interface ve 10
ACOS_decrypt(config-vlan:10)# exit

3. Create a tagged VLAN 15. Bind ethernet 2 to the tagged VLAN 15. Also, bind a virtual
interface VE 15 to VLAN 15.
ACOS_decrypt(config)# vlan 15
ACOS_decrypt(config-vlan:15)# tagged ethernet 2
ACOS_decrypt(config-vlan:15)# router-interface ve 15
ACOS_decrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses

On each VE, enable promiscuous VIP support, which is required for wildcard VIPs. When you
enable promiscuous VIP support on a VE, the option is automatically enabled on each Ethernet
data port associated with the VE. Perform the following steps:
ACOS_decrypt(config)# interface ve 10
ACOS_decrypt(config-if:ve10)# ip address 10.10.1.2 /24
ACOS_decrypt(config-if:ve10)# ip allow-promiscuous-vip
ACOS_decrypt(config-if:ve10)# exit
ACOS_decrypt(config)# interface ve 15
ACOS_decrypt(config-if:ve15)# ip address 10.15.1.2 /24
ACOS_decrypt(config-if:ve15)# exit

Step 3. Configuring the SSLi Services

1. Create a client SSL template with forward-proxy enable configured. This configuration
enables the ACOS_decrypt device to proxy for the remote SSL servers and bring up SSL
sessions with the clients.

Configure the client SSL template called SSLInsight_DecryptSide by running the following
commands:
ACOS_decrypt(config)# slb template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS_decrypt(config-client ssl)# forward-proxy-enable

NOTE: There already may be a CA Root Certificate installed. If the CA has signed the A10
certificate as a subordinate, the certificate-chaining command is used to make the chain a
trusted one.

2. Create a real server called FW1_Inspect on ACOS_decrypt. Configure the port 8080 for
decrypted SSLi traffic.
ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12
ACOS_decrypt(config-real server)# port 8080 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable

3. Configure wildcard ports for all non-HTTPS traffic that is to be bypassed.
ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 0 udp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

Step 4. Configuring the SSLi Service Groups

1. Configuring the SSLi service groups enables you to manage how the different types of
traffic coming from the clients are handled by ACOS_decrypt.
2. Create a service group named FW1_Inspect_SG for decrypted SSL traffic. The
FW1_Inspect_SG service group is configured on FW1_Inspect to forward the decrypted HTTPS
traffic over port 8080 to the ACOS_encrypt device.
ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 8080

3. For the non-HTTPS traffic that is to be bypassed, configure two other service groups
called ALL_TCP_SG for TCP and ALL_UDP_SG for UDP traffic.
ACOS_decrypt(config)# slb service-group ALL_TCP_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit
ACOS_decrypt(config)# slb service-group ALL_UDP_SG udp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server

A virtual server called Decrypt_VIP is created and is associated to the wildcard outbound VIP
to intercept traffic from clients. The following virtual ports are configured on this VIP:

• 443 (HTTPS)—Intercepts SSL-encrypted traffic from the clients. Port 443 on the wildcard
outbound VIP is bound to a service group called FW1_Inspect_SG that contains the path
through the security device to the ACOS_encrypt device. Consider the following information:
  o The destination NAT is disabled, and ACOS_decrypt does not change the source or
    destination IP addresses of the traffic.
  o Port translation is enabled and required because the ACOS device must change the
    destination protocol port from 443 to the port number on which the security device
    listens for traffic.
  o The client-SSL template is bound to the virtual port 443 HTTPS.
• 0 (TCP), 0 (UDP), and 0 (Others)—Intercepts the client traffic that is not HTTPS in the
following ways:
  o The TCP port intercepts all other TCP traffic from clients. The TCP wildcard port is
    bound to a TCP service group called ALL_TCP_SG that contains the path through the
    security device to the ACOS_encrypt device.
  o The UDP port intercepts all other UDP traffic from clients. The UDP wildcard port is
    bound to a UDP service group called ALL_UDP_SG that contains the path through the
    security device to the ACOS_encrypt device.
  o The Others port intercepts the client traffic types that are not listed. The Others
    port is for IP traffic not included by the TCP and UDP all-ports sections. The Others
    wildcard port is bound to a UDP service group called ALL_UDP_SG that contains the
    path through the security device to the ACOS_encrypt device.
  o The destination NAT and port translation are disabled for the aforementioned ports.

NOTE: If you replace a certificate and key in a client-SSL or server-SSL template, you must
unbind the template from the virtual ports that use it and then rebind the template to the
virtual ports.

1. Create an ACL to permit IP traffic from any source to any destination. Create the virtual
server Decrypt_VIP. Bind the wildcard VIP to the virtual server and associate the ACL
with the VIP.
ACOS_decrypt(config)# access-list 100 permit ip any any vlan 10
ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100

2. Bind the port 443 to the wildcard outbound VIP and associate the port with the service
group called FW1_Inspect_SG that contains the path through the security device to the
ACOS_encrypt device.
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation

3. Bind the client SSL template to the virtual port.
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# exit

4. Configure the virtual server to assign wildcard ports to incoming non-HTTPS traffic and
to forward that traffic over the non-HTTPS service groups.
ACOS_decrypt(config-slb vserver)# port 0 tcp
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_TCP_SG
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# port 0 udp
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# port 0 others
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat

ACOS_encrypt Configuration
Perform the following steps for the ACOS_encrypt partition:

Step 1. Configuring the Network VLANs

1. Create tagged VLANs 15 and 20 on the ethernet 1 interface. Perform the following
steps:

2. Enable the interfaces ethernet 1 and 2 by running the following commands:
ACOS_encrypt(config)# interface ethernet 1
ACOS_encrypt(config-if:ethernet:1)# enable
ACOS_encrypt(config-if:ethernet:1)# exit
ACOS_encrypt(config)# interface ethernet 2
ACOS_encrypt(config-if:ethernet:2)# enable
ACOS_encrypt(config-if:ethernet:2)# exit

3. Create a tagged VLAN 20. Bind ethernet 2 to the tagged VLAN 20. Also, bind a virtual
interface VE 20 to VLAN 20.
ACOS_encrypt(config)# vlan 20
ACOS_encrypt(config-vlan:20)# tagged ethernet 2
ACOS_encrypt(config-vlan:20)# router-interface ve 20
ACOS_encrypt(config-vlan:20)# exit

4. Create a tagged VLAN 15. Bind ethernet 1 to the tagged VLAN 15. Also, bind a virtual
interface VE 15 to VLAN 15.
ACOS_encrypt(config)# vlan 15
ACOS_encrypt(config-vlan:15)# tagged ethernet 1
ACOS_encrypt(config-vlan:15)# router-interface ve 15
ACOS_encrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses

On each VE, enable promiscuous VIP support, which is required for wildcard VIPs. When you
enable promiscuous VIP support on a VE, the option is automatically enabled on each Ethernet
data port associated with the VE. Perform the following steps:
ACOS_encrypt(config)# interface ve 20
ACOS_encrypt(config-if:ve20)# ip address 20.1.1.2 /24
ACOS_encrypt(config-if:ve20)# exit
ACOS_encrypt(config)# interface ve 15
ACOS_encrypt(config-if:ve15)# ip address 10.15.1.12 /24
ACOS_encrypt(config-if:ve15)# ip allow-promiscuous-vip
ACOS_encrypt(config-if:ve15)# exit

Step 3. Configuring the SSLi Services

1. Create an SSL server template called SSLInsight_EncryptSide on ACOS_encrypt so that
the VIP on ACOS_encrypt can operate as an SSL client and handshake with the ExternalABC
server. Enable forward proxy services on the template to allow SSLi operation on the VIP.
ACOS_encrypt(config)# slb template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-server ssl)# forward-proxy-enable

2. Create a real server called Default_Gateway on ACOS_encrypt. Configure port 443 for
the intercepted HTTPS traffic. ACOS_encrypt forwards the traffic on these ports over
VLAN 20 to the default gateway at IP address 20.1.1.10. The default gateway has a route
to the ExternalABC server.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 443 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

3. Configure wildcard ports for all non-HTTPS traffic.
ACOS_encrypt(config-real server)# port 0 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit
ACOS_encrypt(config-real server)# port 0 udp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

Step 4. Configuring the SSLi Service Groups

1. Create a service group called DG_SSL_SG and provide a path for the intercepted HTTPS
traffic by binding the service group to port 443 of the real server Default_Gateway.
ACOS_encrypt(config)# slb service-group DG_SSL_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 443

2. Create a service group called DG_TCP_SG and provide a path to Default_Gateway for all
other TCP traffic by binding the service group to the wildcard port 0 tcp.
ACOS_encrypt(config)# slb service-group DG_TCP_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0

3. Create a service group called DG_UDP_SG and provide a path to Default_Gateway for all
UDP traffic by binding the service group to the wildcard port 0 udp.
ACOS_encrypt(config)# slb service-group DG_UDP_SG udp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0

Step 5. Configuring the Virtual Server

A virtual server called Encrypt_VIP is created and is associated to the wildcard VIP to
intercept traffic from the security device. The following virtual ports are configured on
this VIP:

• 8080 (HTTP)—Intercepts decrypted client traffic that is allowed by the security devices.
Port 8080 is bound to a service group called DG_SSL_SG that contains a member for the
gateway router to the Internet. This member consists of the router’s IP address and
protocol port 443. Consider the following information:
  o The destination NAT is disabled, but port translation is enabled.
  o Port translation is required because ACOS_encrypt must change the destination
    protocol port to 443 before sending the re-encrypted traffic to the gateway router.
• 0 (TCP), 0 (UDP), and 0 (Others)—Intercepts all client traffic that is not SSL-encrypted
traffic in the following ways:
  o The TCP port intercepts all other TCP traffic from clients. The TCP port is bound to
    a TCP service group called DG_TCP_SG that contains a member for the gateway router
    to the Internet.
  o The UDP port intercepts all other UDP traffic from clients.
  o The Others port intercepts client traffic of types other than those listed above. The
    UDP wildcard port and the Others wildcard port are bound to a UDP service group
    called DG_UDP_SG that contains a member for the gateway router.
  o The destination NAT and port translation are disabled for the aforementioned ports.

1. Create an ACL to permit IP traffic from any source to any destination for VLAN 15.
Create a virtual server called Encrypt_VIP and associate the ACL to the virtual server.
ACOS_encrypt(config)# access-list 101 permit ip any any vlan 15
ACOS_encrypt(config)# slb virtual-server Encrypt_VIP 0.0.0.0 acl 101

2. Bind the port 8080 to the wildcard VIP and associate the port with the service group
called DG_SSL_SG that contains the path from ACOS_encrypt to the gateway router.
ACOS_encrypt(config-slb vserver)# port 8080 http
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG

3. Bind the server SSL template to the virtual port.
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# exit

4. Create wildcard ports for all other traffic. Disable destination NAT to preserve the
destination IP address on load-balanced traffic. Bind the wildcard virtual port 0 tcp to the
DG_TCP_SG service-group. Bind the wildcard virtual port 0 udp to the DG_UDP_SG
service-group. Bind the wildcard virtual port 0 others to any wildcard service group such
as DG_UDP_SG.
ACOS_encrypt(config-slb vserver)# port 0 tcp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_TCP_SG
ACOS_encrypt(config-slb vserver-vport)# exit
ACOS_encrypt(config-slb vserver)# port 0 udp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit
ACOS_encrypt(config-slb vserver)# port 0 others
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit
ACOS_encrypt(config-slb vserver)# exit

5. If you provision SSLi on an FTA-enabled ACOS device with any partition that is
deployed in L2 mode, configure the interfaces by using the cpu-process command.
For example, to enable ethernet 1, the following steps are applicable:
ACOS_decrypt(config)# interface ethernet 1
ACOS_decrypt(config-if:ethernet:1)# enable
ACOS_decrypt(config-if:ethernet:1)# cpu-process
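The following script is an added example and is not part of the A10 guide or of ACOS. It cross-checks the decrypt-to-encrypt hand-off that both the Chapter 4 consolidated configuration and the ACOS_decrypt/ACOS_encrypt CLI steps above rely on: the client-ssl virtual port must use no-dest-nat port-translation toward the port on which the server-ssl virtual port listens, and that port must re-encrypt toward the original port number. It accepts either flattened show run lines or CLI transcript lines (the ACOS prompts are stripped); the embedded sample configurations are constructed from the object names in this chapter's example.

```python
"""Check the SSLi decrypt -> encrypt port hand-off in ACOS config text.

Added example, not from the A10 guide. It reads flattened 'show run' lines or
CLI transcript lines (prompts are stripped) and verifies that each client-ssl
virtual port hands off, with port translation, to a port on which a server-ssl
virtual port listens, and that that port re-encrypts toward the original port.
"""
import re

PROMPT = re.compile(r"^\s*[\w-]*\(config[^)]*\)#\s*")   # CLI prompt, if present
TOP = ("slb ", "interface ", "vlan ", "access-list ", "ip ", "system ", "end")


def parse(text, groups=None, vports=None):
    """Collect service groups {name: [(server, port)]} and virtual-port dicts.
    Pass the same containers again to merge a second device's configuration."""
    groups = {} if groups is None else groups
    vports = [] if vports is None else vports
    ctx, name, depth, vp = None, "", 0, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if line == "exit":                  # transcript form: leave one CLI level
            depth -= 1
            ctx = ctx if depth > 0 else None
        elif line.startswith(TOP):          # a top-level command opens a new block
            ctx, depth, vp = None, 1, None
            if line.startswith("slb service-group"):
                ctx, name = "group", w[2]
                groups[name] = []
            elif line.startswith("slb virtual-server"):
                ctx, name = "vserver", w[2]
        elif ctx == "group" and w[0] == "member":
            groups[name].append((w[1], int(w[2])))
        elif ctx == "vserver" and w[0] == "port":   # real-server ports are ignored
            depth = 2
            vp = {"vserver": name, "port": int(w[1]), "proto": w[2], "group": "",
                  "client_ssl": "", "server_ssl": "", "no_dest_nat": False, "pt": False}
            vports.append(vp)
        elif ctx == "vserver" and vp is not None:
            if w[0] == "service-group":
                vp["group"] = w[1]
            elif w[0] == "template" and len(w) > 2 and w[1] in ("client-ssl", "server-ssl"):
                vp[w[1].replace("-", "_")] = w[2]
            elif w[0] == "no-dest-nat":
                vp["no_dest_nat"], vp["pt"] = True, "port-translation" in w
    return groups, vports


def check(groups, vports):
    """Return findings about the hand-off chain; an empty list means consistent."""
    out = []
    encrypt = {vp["port"]: vp for vp in vports if vp["server_ssl"]}
    for vp in vports:
        where = f"{vp['vserver']} port {vp['port']} {vp['proto']}"
        if not vp["no_dest_nat"]:
            out.append(f"{where}: transparent SSLi needs no-dest-nat")
        if vp["server_ssl"] and not vp["pt"]:
            out.append(f"{where}: encrypt side must restore the original port")
        if not vp["client_ssl"]:
            continue
        if not vp["pt"]:
            out.append(f"{where}: decrypt side must rewrite the destination port")
        for _server, hop in groups.get(vp["group"], [(None, None)]):
            enc = encrypt.get(hop)
            if enc is None:
                out.append(f"{where}: no server-ssl virtual port listens on hand-off port {hop}")
                continue
            back = sorted({p for _s, p in groups.get(enc["group"], [])})
            if vp["port"] not in back:
                out.append(f"{enc['vserver']} port {enc['port']}: re-encrypts toward {back}, "
                           f"expected {vp['port']}")
    return out


# Constructed samples (object names as in the guide's two-device example): the
# decrypt side in CLI transcript form, the encrypt side in flattened show-run form.
DECRYPT_SIDE = """
ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 8080
ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# exit
"""
ENCRYPT_SIDE = """
slb service-group DG_SSL_SG tcp
member Default_Gateway 443
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
port 8080 http
no-dest-nat port-translation
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
"""

if __name__ == "__main__":
    print(check(*parse(ENCRYPT_SIDE, *parse(DECRYPT_SIDE))) or "hand-off chain is consistent")
```

Feeding the two devices' configurations into one parse pass is what lets the checker see that Decrypt_VIP's member port 8080 is where Encrypt_VIP listens and that DG_SSL_SG sends the re-encrypted traffic back to 443.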

GUI Configuration

In order to configure SSLi for a two ACOS device single partition deployment, you must first
configure the two partitions.

Also, for a list of prerequisites, see Prerequisites.

The following topics are covered:

ACOS_decrypt Configuration 92

ACOS_encrypt Configuration 99

ACOS_decrypt Configuration
Perform the following steps for the ACOS_decrypt partition:

Step 1. Configuring the Network VLANs

Create tagged VLANs 10 and 15 on the ethernet 1 and ethernet 2 interfaces respectively.

To create VLAN 10, perform the following steps:

1. Navigate to Network > Interfaces > LAN.
2. Click Edit in the Actions column for interface 1 (Interface field).
3. On the Update Ethernet page, select Enable in the Status field.
4. Click Update.
5. Navigate to Network > VLAN.
6. Click + Create.
7. Enter 10 in the VLAN ID field.
8. Click the checkbox in the Create Virtual Interface field.
9. Select 1 from the list of interfaces in the Tagged Ethernet field.
10. Click Create VLAN.
11. Repeat the steps to create VLAN 15 for interface 2.

Step 2. Configuring the Network IP Addresses

Configure the parameters for VE 10 by performing the following steps:

1. Navigate to Network > Interfaces > Virtual Ethernets.
2. Click Edit in the Actions column for virtual interface (ve)10 (ifnum field).
3. Enter 10.10.1.2 in the IPv4 Address field.
4. Enter 255.255.255.0 in the NetMask field.
5. Click the icon to save the new row.
6. Click the Allow Promiscuous VIP box.
7. Click Update.
8. Repeat the procedure for the ve 15 parameters, using the IPv4 address 10.15.1.2.

Step 3. Creating an Access List

1. Create an ACL to permit IP traffic from any source to any destination.
2. Click Security >> Access List.
3. Click Create.
4. The Create Standard Access List page is displayed.
5. Enter the details:
6. Access List Number: 100
7. Sequence Number: 1
8. Action: Permit Any for Entry
9. Click Create to create ACL 100.

Step 4. Configuring the SSLi Service

In the GUI configuration, the red asterisk (*) indicates a required parameter. Some required parameters are filled in automatically, while others must be configured manually. Before you create an SSLi service, import the CA certificate and private key that ACOS uses to sign the proxied server certificates it presents to the clients; in the CLI, the import cert command imports certificates that can be used in the SSLi service. Clients accept the proxied certificates only if this CA is in their trust store, so distribute it to the managed endpoints, and protect its private key on the ACOS device as you would any issuing CA key.

NOTE: This example of GUI configuration covers only the SSLi VIP and the other SSL ACOS objects that are needed for the basic static-port HTTPS 443 configuration. For a complete list of available options and their descriptions, refer to the Online Help for the ACOS GUI.

1. Navigate to Security > SSLi > Services and click +Create.

   The Create SSLi Service page is displayed.

2. Enter the following details:
   - Type: Inside(Decrypt)
   - Name: SSLInsight_DecryptSide
   - Enable static port.
3. Click Next.
4. Under Basic, select Forward Proxy Enable.
5. Under SSLi proxy, select the CA cert and Key.
6. Click Next.
7. Continue clicking Next until you reach the last page, then click Done.

Step 5. Configuring the Real Server

Create a real server called FW1_Inspect on ACOS_decrypt. Its address, 10.15.1.12, is the ve 15 address of ACOS_encrypt, reached through the security device on VLAN 15. Configure port 8080 for the decrypted SSLi traffic, and wildcard ports (port 0 TCP and port 0 UDP) for all non-HTTPS traffic that is to be bypassed. The consolidated configuration disables health checks on all three ports (health-check-disable).

1. Go to Security >> SSLi >> Servers.
2. Click Create. The Create Server page is displayed.
3. Enter the following details:
   - Name: FW1_Inspect
   - Type: IPv4
   - Host: 10.15.1.12
4. Click Add Port, enter the following details, and click Apply under Actions:
   - Port: 8080
   - Protocol: TCP
5. Click Add Port, enter the following details, and click Apply under Actions:
   - Port: 0
   - Protocol: TCP
6. Click Add Port, enter the following details, and click Apply under Actions:
   - Port: 0
   - Protocol: UDP
7. Click OK to create the server FW1_Inspect.

Step 6. Creating the Service Group and its Members

Create a service group named FW1_Inspect_SG for the decrypted SSL traffic. Its member is the real server FW1_Inspect (created in the previous step) on port 8080, so decrypted HTTPS is forwarded through the security device to ACOS_encrypt on port 8080. For the non-HTTPS traffic that is to be bypassed, create two more service groups, ALL_TCP_SG for TCP and ALL_UDP_SG for UDP, each with FW1_Inspect on the wildcard port 0 as its member.

1. Go to Security >> SSLi >> Service Group.
2. Click Create. The Create Service Group page is displayed.
3. Enter the following details:
   - Name: FW1_Inspect_SG
   - Protocol: TCP
4. Under Members, click Add Member. The Create Member page is displayed.
5. Select Existing.
6. Select FW1_Inspect from the drop-down under Name and enter Port: 8080.
7. Click Apply. The member FW1_Inspect is added to the service group.
8. Click Create to create the service group.
9. Repeat steps 1 through 8 to create ALL_TCP_SG with the following details:
   - Name: ALL_TCP_SG
   - Protocol: TCP
   - Member: FW1_Inspect, Port: 0
10. Repeat steps 1 through 8 to create ALL_UDP_SG with the following details:
   - Name: ALL_UDP_SG
   - Protocol: UDP
   - Member: FW1_Inspect, Port: 0

Step 7. Creating the Virtual Server

A virtual server called Decrypt_VIP is created as a wildcard outbound VIP to intercept traffic from the clients. The following virtual ports are configured on this VIP:

- 443 (HTTPS): Intercepts SSL-encrypted traffic from the clients. Port 443 on the wildcard outbound VIP is bound to the service group FW1_Inspect_SG, which contains the path through the security device to the ACOS_encrypt device. Consider the following:
  - Destination NAT is disabled, so ACOS_decrypt does not change the source or destination IP addresses of the traffic.
  - Port translation is enabled and required, because ACOS_decrypt must change the destination port from 443 to the port on which the security device, and ACOS_encrypt behind it, listens for the decrypted traffic (8080).
  - The client-SSL template is bound to virtual port 443 HTTPS.
- 0 (TCP), 0 (UDP), and 0 (Others): Intercept the client traffic that is not HTTPS, as follows:
  - The TCP wildcard port intercepts all other TCP traffic from the clients and is bound to the TCP service group ALL_TCP_SG, which contains the path through the security device to ACOS_encrypt.
  - The UDP wildcard port intercepts all other UDP traffic from the clients and is bound to the UDP service group ALL_UDP_SG, which contains the same path.
  - The Others wildcard port intercepts IP traffic that is neither TCP nor UDP. It is also bound to ALL_UDP_SG.
  - Destination NAT and port translation are disabled on all three wildcard ports, so bypassed traffic passes through with its addresses and ports unchanged.

Perform the following steps:

1. Go to ADC >> SLB >> Virtual Servers.
2. Click Create. The Create Virtual Server page is displayed.
3. Enter the Name: Decrypt_VIP.
4. Enable Wildcard.
5. Under Virtual Port, click Create. The Create Virtual Port page is displayed.
6. Enter the following details:
   - Protocol: HTTPS
   - Port: 443
   - Service Group: FW1_Inspect_SG
   - Template Client SSL: SSLInsight_DecryptSide
7. Enable No Dest Nat and Port Translation.
8. Click Create.
9. Click Create to add another virtual port, and enter the following details:
   - Protocol: TCP
   - Port: 0
   - Service Group: ALL_TCP_SG
10. Enable No Dest Nat and click Create.
11. Click Create to add another virtual port, and enter the following details:
   - Protocol: UDP
   - Port: 0
   - Service Group: ALL_UDP_SG
12. Enable No Dest Nat and click Create.
13. Click Create to add another virtual port, and enter the following details:
   - Protocol: Other
   - Port: 0
   - Service Group: ALL_UDP_SG
14. Enable No Dest Nat and click Create.

ACOS_encrypt Configuration
Perform the following steps for the ACOS_encrypt partition:

Step 1. Configuring the Network VLANs

Create tagged VLANs 15 and 20 on the ethernet 1 and ethernet 2 interfaces respectively. Follow the instructions in Step 1. Configuring the Network VLANs.

Step 2. Configuring the Network IP Addresses

Assign IP address 20.1.1.2 to ve 20 and IP address 10.15.1.12 to ve 15. On this partition, Allow Promiscuous VIP is enabled on ve 15, the interface facing the security device on which the wildcard Encrypt_VIP receives traffic, and not on ve 20. Follow the instructions in Step 2. Configuring the Network IP Addresses.


Step 3. Configuring an Access List

Create an ACL (access-list 101 in the consolidated configuration) that permits IP traffic from any source to any destination on VLAN 15, so that Encrypt_VIP matches only the traffic returning from the security device. Associate the ACL with the virtual server Encrypt_VIP when you create it in Step 7. Follow the instructions in Step 3. Creating an Access List.

Step 4. Configuring SSLi Services

Create an SSLi service called SSLInsight_EncryptSide with Forward Proxy enabled. In the CLI this is the server-SSL template shown in the consolidated configuration. Follow the instructions in Step 4. Configuring the SSLi Service.

Step 5. Configuring the Real Server

Create a real server called Default_Gateway on ACOS_encrypt with port 443 for the intercepted HTTPS traffic and the wildcard ports 0 TCP and 0 UDP for the bypassed traffic. ACOS_encrypt forwards the traffic on these ports over VLAN 20 to the default gateway at IP address 20.1.1.10, which has a route to the ExternalABC server. Follow the instructions in Step 5. Configuring the Real Server.

Step 6. Configuring the Service Groups

Create a service group called DG_SSL_SG that provides the path for the intercepted HTTPS traffic by binding port 443 of the real server Default_Gateway.

Create a service group called DG_TCP_SG that provides the path to Default_Gateway for all other TCP traffic by binding the wildcard port 0 tcp.

Create a service group called DG_UDP_SG that provides the path to Default_Gateway for all UDP traffic by binding the wildcard port 0 udp.

Follow the instructions in Step 6. Creating the Service Group and its Members.

Step 7. Creating the Virtual Server

A virtual server called Encrypt_VIP is created as a wildcard VIP to intercept traffic from the security device. The following virtual ports are configured on this VIP:

- 8080 (HTTP): Intercepts the decrypted client traffic that the security device has allowed. Port 8080 is bound to the service group DG_SSL_SG, whose member is the gateway router to the Internet on protocol port 443. Consider the following:
  - Destination NAT is disabled, but port translation is enabled.
  - Port translation is required because ACOS_encrypt must change the destination port from 8080 back to 443 before sending the re-encrypted traffic to the gateway router.
  - The server-SSL template is bound to virtual port 8080.
- 0 (TCP), 0 (UDP), and 0 (Others): Intercept all client traffic that is not SSL-encrypted, as follows:
  - The TCP wildcard port intercepts all other TCP traffic from the clients and is bound to the TCP service group DG_TCP_SG, whose member is the gateway router to the Internet.
  - The UDP wildcard port intercepts all other UDP traffic from the clients, and the Others wildcard port intercepts client traffic of any other IP protocol. Both are bound to the UDP service group DG_UDP_SG, whose member is the gateway router.
  - Destination NAT and port translation are disabled on all three wildcard ports.

Follow the instructions in Step 7. Creating the Virtual Server.

Consolidated Configuration

The configuration developed in the preceding section is the basic building block for other
SSLi features. It is referred to as the reference configuration for Static-Port SSLi.

Use the show running-config command to check your configuration for both ACOS_decrypt
and ACOS_encrypt.
ACOS_decrypt# show running-config
!
access-list 100 permit ip any any vlan 10
!
vlan 10
  tagged ethernet 1
  router-interface ve 10
!
vlan 15
  tagged ethernet 2
  router-interface ve 15
!
hostname ACOS_decrypt
!
interface ethernet 1
  enable
!
interface ethernet 2
  enable
!
interface ve 10
  ip address 10.10.1.2 255.255.255.0
  ip allow-promiscuous-vip
!
interface ve 15
  ip address 10.15.1.2 255.255.255.0
!
slb server FW1_Inspect 10.15.1.12
  port 8080 tcp
    health-check-disable
  port 0 tcp
    health-check-disable
  port 0 udp
    health-check-disable
!
slb service-group ALL_TCP_SG tcp
  member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
  member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
  member FW1_Inspect 8080
!
slb template client-ssl SSLInsight_DecryptSide
  forward-proxy-ca-certificate Cert123.pem key key123
  forward-proxy-enable
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
  port 443 https
    service-group FW1_Inspect_SG
    template client-ssl SSLInsight_DecryptSide
    no-dest-nat port-translation
  port 0 tcp
    service-group ALL_TCP_SG
    no-dest-nat
  port 0 udp
    service-group ALL_UDP_SG
    no-dest-nat
  port 0 others
    service-group ALL_UDP_SG
    no-dest-nat
!
end

ACOS_encrypt# show running-config
!
access-list 101 permit ip any any vlan 15
!
vlan 20
  tagged ethernet 2
  router-interface ve 20
!
vlan 15
  tagged ethernet 1
  router-interface ve 15
!
hostname ACOS_encrypt
!
interface ethernet 1
  enable
!
interface ethernet 2
  enable
!
interface ve 20
  ip address 20.1.1.2 255.255.255.0
!
interface ve 15
  ip address 10.15.1.12 255.255.255.0
  ip allow-promiscuous-vip
!
slb server Default_Gateway 20.1.1.10
  port 443 tcp
    health-check-disable
  port 0 tcp
    health-check-disable
  port 0 udp
    health-check-disable
!
slb service-group DG_SSL_SG tcp
  member Default_Gateway 443
!
slb service-group DG_TCP_SG tcp
  member Default_Gateway 0
!
slb service-group DG_UDP_SG udp
  member Default_Gateway 0
!
slb template server-ssl SSLInsight_EncryptSide
  forward-proxy-enable
!
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
  port 8080 http
    no-dest-nat port-translation
    service-group DG_SSL_SG
    template server-ssl SSLInsight_EncryptSide
  port 0 tcp
    no-dest-nat
    service-group DG_TCP_SG
  port 0 udp
    no-dest-nat
    service-group DG_UDP_SG
  port 0 others
    no-dest-nat
    service-group DG_UDP_SG
!
end
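The two running-configs work only as a pair: the real server that ACOS_decrypt points at must be a VE address of ACOS_encrypt on the inspection VLAN, the port that ACOS_decrypt translates 443 into must be the port on which Encrypt_VIP listens and translates back to 443, and none of the wildcard bypass ports may rewrite addresses or ports. The following Python script is an added example, not part of this guide or of ACOS, that checks those three invariants over the configuration above. It assumes the nesting that show running-config expresses with indentation (the configuration is embedded below re-indented that way and trimmed to the objects the checks read; the templates' and UDP/Others ports' lines are left out for brevity) and uses the object names from this chapter.

```python
# Constructed input: the consolidated configuration above, re-indented the way
# show running-config nests it and trimmed to the objects these checks read.
DECRYPT_CFG = """\
interface ve 10
  ip address 10.10.1.2 255.255.255.0
interface ve 15
  ip address 10.15.1.2 255.255.255.0
slb server FW1_Inspect 10.15.1.12
  port 8080 tcp
slb service-group FW1_Inspect_SG tcp
  member FW1_Inspect 8080
slb service-group ALL_TCP_SG tcp
  member FW1_Inspect 0
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
  port 443 https
    service-group FW1_Inspect_SG
    template client-ssl SSLInsight_DecryptSide
    no-dest-nat port-translation
  port 0 tcp
    service-group ALL_TCP_SG
    no-dest-nat
"""
ENCRYPT_CFG = """\
interface ve 20
  ip address 20.1.1.2 255.255.255.0
interface ve 15
  ip address 10.15.1.12 255.255.255.0
slb server Default_Gateway 20.1.1.10
  port 443 tcp
slb service-group DG_SSL_SG tcp
  member Default_Gateway 443
slb service-group DG_TCP_SG tcp
  member Default_Gateway 0
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
  port 8080 http
    no-dest-nat port-translation
    service-group DG_SSL_SG
    template server-ssl SSLInsight_EncryptSide
  port 0 tcp
    no-dest-nat
    service-group DG_TCP_SG
"""

def parse_tree(text):
    """Indented config text -> nested list of (line, children); '!' separators dropped."""
    root, stack = [], []
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        node = (raw.strip(), [])
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root

def children(tree, prefix):
    """Child lines (as a set) of the first top-level line that starts with prefix."""
    return next(({c for c, _ in kids} for line, kids in tree if line.startswith(prefix)), set())

def vports(tree):
    """{(port, protocol): child lines} for every port under the virtual server."""
    return {tuple(k.split()[1:3]): {c for c, _ in ck}
            for line, kids in tree if line.startswith("slb virtual-server ")
            for k, ck in kids if k.startswith("port ")}

def member_ports(tree, vport_lines):
    """Member ports of the service group that a virtual port's lines bind."""
    name = next((l.split()[1] for l in vport_lines if l.startswith("service-group ")), None)
    return {int(c.split()[2]) for c in children(tree, f"slb service-group {name} ") if c.startswith("member ")}

def check_pair(decrypt_cfg, encrypt_cfg):
    """Return a list of problems; an empty list means the two sides agree."""
    d, e = parse_tree(decrypt_cfg), parse_tree(encrypt_cfg)
    d_vp, e_vp, problems = vports(d), vports(e), []
    # 1. The decrypt side's "real server" must be a VE address of ACOS_encrypt: the
    #    path through the security device ends there, not at a real host.
    inspect_ip = next((l.split()[3] for l, _ in d if l.startswith("slb server ")), None)
    encrypt_ves = {c.split()[2] for l, kids in e if l.startswith("interface ve ")
                   for c, _ in kids if c.startswith("ip address ")}
    if inspect_ip not in encrypt_ves:
        problems.append(f"decrypt real server {inspect_ip} is not a VE address on ACOS_encrypt {sorted(encrypt_ves)}")
    # 2. Port hand-off: 443 -> member port of the decrypt service group -> the static
    #    virtual port on the encrypt side -> 443 again towards the gateway.
    p443 = d_vp.get(("443", "https"), set())
    if "no-dest-nat port-translation" not in p443:
        problems.append("decrypt port 443 https: needs 'no-dest-nat port-translation'")
    listening = {int(p) for p, _ in e_vp if p != "0"}
    if member_ports(d, p443) != listening:
        problems.append(f"decrypt hands off to {sorted(member_ports(d, p443))}, encrypt listens on {sorted(listening)}")
    for (p, proto), lines in e_vp.items():
        if p != "0" and ("no-dest-nat port-translation" not in lines or member_ports(e, lines) != {443}):
            problems.append(f"encrypt port {p} {proto}: must translate the port back to 443 via its service group")
    # 3. Bypass (wildcard) ports must leave addresses and ports untouched on both sides.
    for side, vp in (("decrypt", d_vp), ("encrypt", e_vp)):
        problems += [f"{side} port 0 {proto}: missing no-dest-nat"
                     for (p, proto), lines in vp.items() if p == "0" and "no-dest-nat" not in lines]
    return problems

if __name__ == "__main__":
    print("\n".join(check_pair(DECRYPT_CFG, ENCRYPT_CFG) or ["pair is consistent"]))
```

check_pair returns an empty list for the pair above. Change the ve 15 address on the encrypt side, drop port-translation from port 443, or move Encrypt_VIP's static port to 8081, and the corresponding message is returned. Run it again after any change to either side before the pair goes back into the traffic path.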

Checking the Status and Operation

Run the show slb ssl-forward-proxy-cert command to check the status and operation of ACOS_decrypt.
ACOS_decrypt# show slb ssl-forward-proxy-cert Decrypt_VIP 443 all
Virtual server(VIP1 : 443):

----Start One Certificate---
Real Server : 52.8.106.9 :443 tcp
Server name: bnc.lt
state: cert verifying
----End One Certificate---

----Start One Certificate---
Real Server : 209.170.210.156 :443 tcp
Server name: stats.ebizautos.com
state: cert proxying
----End One Certificate---

----Start One Certificate---
Real Server : 54.215.175.93 :443 tcp
Server name: api.branch.io
state: ready to proxy cert
----End One Certificate---

----Start One Certificate---
Real Server : 216.58.192.46 :443 tcp
Server name: maps.google.com
state: ready
hit times : 6
idle time : 0 seconds
timeout after 3600 seconds
expires after 603641 seconds
----End One Certificate---

Entries in the intermediate states (cert verifying, cert proxying, ready to proxy cert) are sessions for which the proxied certificate is still being produced; an entry in state ready is a cached proxied certificate, shown with its hit, idle, timeout, and expiry counters.

Run the show slb ssl-forward-proxy-stats command to check the SSLi counters, such as the certificates created and expired, hit times, idle times, and the SSL connections that were inspected and those that were bypassed.

Run the clear slb ssl-forward-proxy-cert command to reset the ssl-forward-proxy-cert counters.
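The show slb ssl-forward-proxy-cert output is easier to act on once it is structured: how many sessions are still waiting on certificate generation, and how close the cached proxied certificates are to expiry. The following Python script is an added example, not part of this guide or of ACOS; it parses the output shown above (embedded here as a constructed string) into records and summarises them. The record field names and the seven-day expiry window are this example's own choices.

```python
import re
from collections import Counter

# Constructed input: the 'show slb ssl-forward-proxy-cert' output shown above, pasted
# as a string. In practice you would capture it from a CLI session.
SAMPLE_OUTPUT = """\
Virtual server(VIP1 : 443):

----Start One Certificate---
Real Server : 52.8.106.9 :443 tcp
Server name: bnc.lt
state: cert verifying
----End One Certificate---

----Start One Certificate---
Real Server : 209.170.210.156 :443 tcp
Server name: stats.ebizautos.com
state: cert proxying
----End One Certificate---

----Start One Certificate---
Real Server : 54.215.175.93 :443 tcp
Server name: api.branch.io
state: ready to proxy cert
----End One Certificate---

----Start One Certificate---
Real Server : 216.58.192.46 :443 tcp
Server name: maps.google.com
state: ready
hit times : 6
idle time : 0 seconds
timeout after 3600 seconds
expires after 603641 seconds
----End One Certificate---
"""

BLOCK = re.compile(r"----Start One Certificate---(.*?)----End One Certificate---", re.S)
FIELDS = {  # counters that only a cached ("ready") entry carries
    "hits": r"hit times\s*:\s*(\d+)",
    "idle": r"idle time\s*:\s*(\d+)",
    "timeout": r"timeout after (\d+)",
    "expires": r"expires after (\d+)",
}


def parse_proxy_certs(text):
    """One dict per certificate block: server, port, proto, name, state and counters."""
    records = []
    for body in BLOCK.findall(text):
        m = re.search(r"Real Server\s*:\s*(\S+)\s*:(\d+)\s+(\w+)", body)
        rec = {
            "server": m.group(1),
            "port": int(m.group(2)),
            "proto": m.group(3),
            "name": re.search(r"Server name:\s*(\S+)", body).group(1),
            "state": re.search(r"state:\s*(.+)", body).group(1).strip(),
        }
        for key, pat in FIELDS.items():
            f = re.search(pat, body)
            rec[key] = int(f.group(1)) if f else None   # None when the entry is not cached yet
        records.append(rec)
    return records


def summarize(records, expiring_within=7 * 86400):
    """Per-state counts, the entries still in flight, and cached entries nearing expiry."""
    return {
        "states": dict(Counter(r["state"] for r in records)),
        "pending": sorted(r["name"] for r in records if r["state"] != "ready"),
        "expiring": sorted(r["name"] for r in records
                           if r["expires"] is not None and r["expires"] <= expiring_within),
    }


if __name__ == "__main__":
    print(summarize(parse_proxy_certs(SAMPLE_OUTPUT)))
```

On the output above, summarize reports one entry in each state and lists maps.google.com as expiring, because 603641 seconds is just under seven days; a growing pending list on a busy VIP, or entries that stay in cert verifying, is the first sign that certificate generation or upstream verification is failing.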

Single ACOS Device With Two Partitions Deployment


You can implement SSLi in a single device by creating a separate partition for ACOS_decrypt
and ACOS_encrypt. The deployment architecture and the flow of traffic is similar to that of
Two ACOS Devices, Each With Single Partition Deployment.


CLI Configuration

To configure SSLi for a single-device, two-partition deployment, perform the following steps.

Follow the prerequisites discussed in Prerequisites.

1. Because VLAN 15 is shared between the two partitions, add the global command system ve-mac-scheme system-mac in the shared partition to avoid duplicate VE MAC addresses:
ACOS(config)# system ve-mac-scheme system-mac

2. Create the ACOS_encrypt and ACOS_decrypt partitions by running the following commands:
ACOS(config)# partition ACOS_encrypt id 1 application-type adc
ACOS(config-partition:ACOS_encrypt)# exit
ACOS(config)# active-partition ACOS_encrypt
ACOS[ACOS_encrypt](config)#
ACOS[ACOS_encrypt](config)# active-partition shared
ACOS(config)# partition ACOS_decrypt id 2 application-type adc
ACOS(config-partition:ACOS_decrypt)# exit
ACOS(config)# active-partition ACOS_decrypt
ACOS[ACOS_decrypt](config)#

3. Bind the VLANs as shown in Step 1. Configuring the Network VLANs and continue with the remaining steps shown in CLI Configuration.

GUI Configuration

To configure SSLi for a single-device, two-partition deployment, perform the following steps.

Follow the prerequisites discussed in Prerequisites.

To create the ACOS_decrypt and ACOS_encrypt partitions, perform the following steps:

1. Navigate to System >> Admin Partitions.
2. Click Create+.
3. Specify ACOS_encrypt for Partition Name and 1 for the Partition ID.
4. Specify ADC for the Type.
5. Enable Shared VLAN.
6. Repeat the preceding steps for the ACOS_decrypt partition, with 2 for the Partition ID.
7. Continue with the configuration steps shown in GUI Configuration.


Single vThunder Device With Two Partitions Deployment

The vThunder instance can run in promiscuous mode or non-promiscuous mode. By default, vThunder runs in non-promiscuous mode to help optimize system performance. However, the following limitation applies when running vThunder in non-promiscuous mode:

- VE interfaces can be bound to only 1 tagged or untagged physical interface.

The two-partition configuration for SSLi requires VE MAC address assignment changes, and vThunder does not support VE MAC address assignment scheme changes in non-promiscuous mode. Therefore, run the vThunder instance in promiscuous mode. Perform the following steps:

To change the vThunder mode to promiscuous mode, use the following command, save the configuration, and then enter the reload command:
ACOS(config)# system promiscuous-mode
Settings will take effect on reload. Please save the configuration by issuing the "write memory" command followed by the "reload" command
ACOS(config)# write memory
Building configuration...
Write configuration to primary default startup-config
[OK]
ACOS(config)# exit
ACOS# exit
WARNING:System configuration has been modified

When the reload completes, enter the following command to permit VE MAC address assignment scheme changes:
ACOS# config
ACOS(config)# system ve-mac-scheme system-mac

Create the ACOS_decrypt and ACOS_encrypt partitions by running the following commands:
ACOS(config)# partition ACOS_encrypt id 1 application-type adc
ACOS(config-partition:ACOS_encrypt)# exit
ACOS(config)# active-partition ACOS_encrypt
ACOS[ACOS_encrypt](config)#
ACOS[ACOS_encrypt](config)# active-partition shared
ACOS(config)# partition ACOS_decrypt id 2 application-type adc
ACOS(config-partition:ACOS_decrypt)# exit
ACOS(config)# active-partition ACOS_decrypt
ACOS[ACOS_decrypt](config)#

Bind the VLANs as shown in Step 1. Configuring the Network VLANs and continue with the remaining steps shown in CLI Configuration.

Chapter 6: Outbound Static Port Type STARTTLS
This section describes how to configure outbound SSLi for static port type STARTTLS. Inbound and outbound SSLi can be configured together; in such a deployment, traffic flowing in both directions is decrypted and re-encrypted. However, the command lines that configure the inbound virtual servers must precede the command lines that configure the outbound virtual servers.

The following topics are covered:

Deployment Example 110

CLI Configuration 112

Consolidated Configuration Examples 123

109
Chapter 6: Outbound Static Port Type STARTTLS
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

Deployment Example
Static port inspection is supported by all SSLi deployments discussed in SSLi-Deployments. The SSLi deployment for static port type STARTTLS intercepts sessions that begin in cleartext and upgrade to TLS in-band, such as SMTP, POP, and XMPP. The virtual ports are specified by using the port port-number ssli command; the keyword ssli specifies that the port is treated as a STARTTLS type. The protocol that each STARTTLS port carries is set with the type subcommand of an slb template ssli, which is then bound to the virtual port with template ssli.

In static port type SSLi, each intercepted protocol is configured with its own static virtual port enabled for SSLi. For example, to intercept SMTP with STARTTLS, the wildcard VIP configuration includes the command line port 25 ssli, where 25 is the port number identifying SMTP.

In this example, the outbound SSLi with static port type STARTTLS deployment consists of two ACOS devices, each with a single partition, and the security device set in between. The ACOS devices are in L2 mode, while the security device is in L3 mode. In this example, SSLi intercepts SMTP, POP, FTP, LDAP, and XMPP sessions that upgrade to TLS.
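What distinguishes a STARTTLS port from an HTTPS port is that the session starts in cleartext and the TLS handshake appears only after a protocol-specific request and go-ahead; that is why each ssli port needs an SSLi template whose type names the protocol. The following Python script is an added example, not part of this guide or of ACOS, that locates the upgrade point for the five protocols in this chapter on constructed dialogues (the ClientHello is a stub record header; the LDAP messages are hand-encoded BER). It also shows the two ways a session never leaves cleartext, a refusal and a stripped offer, and what happens when a port is bound to the wrong type. The recognition rules are the RFC-specified commands in simplified form; they are not a description of how ACOS itself detects the upgrade.

```python
# Constructed stub of a TLS record: content type 22 (handshake), version 3.1, 5 bytes.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

# Constructed LDAP StartTLS ExtendedRequest (messageID 1, requestName 1.3.6.1.4.1.1466.20037)
# and the matching ExtendedResponse with resultCode success, hand-encoded in BER.
LDAP_STARTTLS_REQ = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + b"1.3.6.1.4.1.1466.20037"
LDAP_STARTTLS_OK = b"\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x00\x04\x00\x04\x00"

# Per protocol: does a client turn request TLS, and does a server turn grant it?
# Sources: RFC 3207 (SMTP), RFC 2595 (POP3), RFC 4217 (FTP), RFC 6120 (XMPP), RFC 4511 (LDAP).
# These are deliberately simple prefix/substring rules, not full protocol parsers.
UPGRADE = {
    "smtp": (lambda c: c.upper().startswith(b"STARTTLS"), lambda s: s.startswith(b"220")),
    "pop":  (lambda c: c.upper().startswith(b"STLS"),     lambda s: s.startswith(b"+OK")),
    "ftp":  (lambda c: c.upper().startswith(b"AUTH TLS"), lambda s: s.startswith(b"234")),
    "xmpp": (lambda c: b"<starttls" in c,                  lambda s: b"<proceed" in s),
    # ExtendedResponse tag 0x78 carrying resultCode ENUMERATED 0 (0a 01 00): a loose BER check.
    "ldap": (lambda c: b"1.3.6.1.4.1.1466.20037" in c,     lambda s: b"\x78" in s and b"\x0a\x01\x00" in s),
}


def tls_upgrade_turn(proto, turns):
    """Index of the first turn that carries a TLS handshake after a completed STARTTLS
    exchange for proto, or None if the session never leaves cleartext.
    turns: list of (direction, bytes) with direction "C" (client) or "S" (server)."""
    requests, grants = UPGRADE[proto]
    requested = False
    for i, (who, data) in enumerate(turns):
        if who == "C" and requests(data):
            requested = True
        elif who == "S" and requested:
            if not grants(data):            # refusal (e.g. SMTP 454, POP -ERR): stay in the clear
                requested = False
                continue
            nxt = turns[i + 1] if i + 1 < len(turns) else None
            if nxt and nxt[0] == "C" and nxt[1].startswith(b"\x16\x03"):
                return i + 1
            return None                     # go-ahead given but no ClientHello followed
    return None


# Constructed dialogues; only the bytes that matter for the upgrade are realistic.
SESSIONS = {
    "smtp": [("S", b"220 mail.example.test ESMTP\r\n"),
             ("C", b"EHLO client.example.test\r\n"),
             ("S", b"250-mail.example.test\r\n250 STARTTLS\r\n"),
             ("C", b"STARTTLS\r\n"),
             ("S", b"220 2.0.0 Ready to start TLS\r\n"),
             ("C", CLIENT_HELLO)],
    "pop": [("S", b"+OK POP3 ready\r\n"), ("C", b"STLS\r\n"),
            ("S", b"+OK Begin TLS negotiation\r\n"), ("C", CLIENT_HELLO)],
    "ftp": [("S", b"220 FTP ready\r\n"), ("C", b"AUTH TLS\r\n"),
            ("S", b"234 Proceed with negotiation\r\n"), ("C", CLIENT_HELLO)],
    "xmpp": [("C", b"<stream:stream to='example.test' xmlns='jabber:client'>"),
             ("S", b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/></stream:features>"),
             ("C", b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"),
             ("S", b"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"),
             ("C", CLIENT_HELLO)],
    "ldap": [("C", LDAP_STARTTLS_REQ), ("S", LDAP_STARTTLS_OK), ("C", CLIENT_HELLO)],
}
# Two ways a session stays in cleartext: the server refuses, or the offer is never taken
# up, which is what an attacker stripping STARTTLS from the EHLO reply aims for.
REFUSED = SESSIONS["smtp"][:4] + [("S", b"454 4.7.0 TLS not available\r\n"), ("C", b"QUIT\r\n")]
STRIPPED = SESSIONS["smtp"][:2] + [("S", b"250 mail.example.test\r\n"),
                                   ("C", b"MAIL FROM:<a@example.test>\r\n")]


def upgrade_points(sessions=SESSIONS):
    """{protocol: turn index where TLS begins} for each constructed session."""
    return {proto: tls_upgrade_turn(proto, turns) for proto, turns in sessions.items()}


if __name__ == "__main__":
    print(upgrade_points())
    print(tls_upgrade_turn("smtp", REFUSED), tls_upgrade_turn("smtp", STRIPPED))
    print(tls_upgrade_turn("pop", SESSIONS["smtp"]))   # wrong type bound to the port
```

upgrade_points returns the turn index at which TLS starts for each protocol; REFUSED and STRIPPED return None because no handshake ever follows. The wrong-type case, tls_upgrade_turn("pop", SESSIONS["smtp"]), also returns None, which is the failure you get when port 25 ssli is bound to a template of type pop: the proxy never sees an upgrade it recognises and the TLS session passes through uninspected.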


FIGURE 6-1: Static Port Type STARTTLS in a Two-Device Deployment, Each with Single Partition

The encrypted traffic from the client is passed to the ACOS_decrypt partition. The ACOS_decrypt partition decrypts the STARTTLS traffic and forwards the clear traffic to the security device. After inspection, the security device passes the clear traffic to the ACOS_encrypt partition. The ACOS_encrypt partition re-encrypts the traffic and passes it to the external gateway. All other traffic is bypassed. The following table provides the VLAN IDs, Virtual Ethernet (VE) addresses, and interfaces used to configure the SSLi network topology illustrated in FIGURE 6-1.

TABLE 6-2 : SSLi Deployment Details

Partition      Tagged VLAN   VE IP Address     Ethernet Port Number
ACOS_decrypt   10            10.10.1.2/24      eth 1
               15            10.15.1.2/24      eth 2
ACOS_encrypt   20            20.1.1.2/24       eth 2
               15            10.15.1.12/24     eth 1

CLI Configuration
To configure SSLi for a deployment of two ACOS devices, each with a single partition, configure the two partitions, ACOS_decrypt and ACOS_encrypt, in turn. For the prerequisites, see Prerequisites.

The following topics are covered:

ACOS_decrypt Configuration 112

ACOS_encrypt Configuration 118

ACOS_decrypt Configuration

Perform the steps for the ACOS_decrypt partition:

The following topics are covered:

Step 1. Configuring the Network VLANs 113

Step 2. Configuring the Network IP Addresses 113

Step 3. Configuring the SSLi Services 113

Step 4. Configuring the SSLi Service Groups 116

Step 5. Configuring the Virtual Server 116


Step 1. Configuring the Network VLANs

For an explanation of the procedure, refer to the similar procedure discussed in Step 1. Configuring the Network VLANs.
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit
!
ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# exit
!
ACOS(config)# hostname ACOS_decrypt
ACOS_decrypt(config)# vlan 10
ACOS_decrypt(config-vlan:10)# tagged ethernet 1
ACOS_decrypt(config-vlan:10)# router-interface ve 10
ACOS_decrypt(config-vlan:10)# exit

ACOS_decrypt(config)# vlan 15
ACOS_decrypt(config-vlan:15)# tagged ethernet 2
ACOS_decrypt(config-vlan:15)# router-interface ve 15
ACOS_decrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses

For an explanation of the procedure, refer to the similar procedure discussed in Step 2. Configuring the Network IP Addresses.
ACOS_decrypt(config)# interface ve 10
ACOS_decrypt(config-if:ve10)# ip address 10.10.1.2 /24
ACOS_decrypt(config-if:ve10)# ip allow-promiscuous-vip
ACOS_decrypt(config-if:ve10)# exit
ACOS_decrypt(config)# interface ve 15
ACOS_decrypt(config-if:ve15)# ip address 10.15.1.2 /24
ACOS_decrypt(config-if:ve15)# exit

Step 3. Configuring the SSLi Services

1. Configure an SSLi client template by running the following commands.
ACOS_decrypt(config)# slb template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# exit

a. Create a client-SSL template for explicit FTPS, where the control connection on port 21 upgrades to TLS with AUTH TLS.
ACOS_decrypt(config)# slb template client-ssl Explicit_FTPS
ACOS_decrypt(config-client ssl)# ssli-logging all
ACOS_decrypt(config-client ssl)# close-notify
ACOS_decrypt(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# exit

b. Create a client-SSL template for implicit FTPS, where the connection is TLS from the first byte (port 990); this template also sets the DSCP marking of the decrypted traffic and enables the SSLi FTP ALG for port 990.
ACOS_decrypt(config)# slb template client-ssl Implicit_FTPS
ACOS_decrypt(config-client ssl)# ssli-logging all
ACOS_decrypt(config-client ssl)# close-notify
ACOS_decrypt(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS_decrypt(config-client ssl)# forward-proxy-decrypted dscp 10 2
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# enable-ssli-ftp-alg 990
ACOS_decrypt(config-client ssl)# exit

NOTE: There may already be a CA root certificate installed. If the CA has signed the A10 certificate as a subordinate, use the certificate-chaining command to make the chain a trusted one.

2. Configure a real server called FW1_Inspect with the IP address 10.15.1.12. This is the ve 15 address of ACOS_encrypt (see TABLE 6-2), so traffic sent to the real server crosses the security device on VLAN 15 and arrives at ACOS_encrypt. Bind FW1_Inspect to TCP ports 25, 110, and 5522 so that ACOS_decrypt forwards the decrypted SMTP, POP, FTP, LDAP, and XMPP traffic over VLAN 15 to the security device. All other TCP and UDP traffic is forwarded on VLAN 15 by using the wildcard ports port 0 tcp and port 0 udp.
ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12
ACOS_decrypt(config-real server)# port 25 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

ACOS_decrypt(config-real server)# port 110 tcp


ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit


ACOS_decrypt(config-real server)# port 5522 tcp


ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# exit

ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12


ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

ACOS_decrypt(config-real server)# port 0 udp


ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

NOTE: You can configure ACOS_decrypt to bypass the security devices based on the website category, client authentication, or the domain SNI (Server Name Indication). For more information, see the relevant section for the specific SSLi feature.

3. Create an SSLi template for each non-HTTP protocol running over SSL that ACOS_decrypt must intercept. The subcommand type specifies the intercepted protocol running over SSL. The default protocol service is HTTPS.
ACOS_decrypt(config)# slb template ssli xmpp_insight
ACOS_decrypt(config-ssli)# type xmpp
ACOS_decrypt(config-ssli)# exit

ACOS_decrypt(config)# slb template ssli smtp_insight


ACOS_decrypt(config-ssli)# type smtp
ACOS_decrypt(config-ssli)# exit

ACOS_decrypt(config)# slb template ssli pop_insight


ACOS_decrypt(config-ssli)# type pop
ACOS_decrypt(config-ssli)# exit

ACOS_decrypt(config)# slb template ssli ftp_insight


ACOS_decrypt(config-ssli)# type ftp
ACOS_decrypt(config-ssli)# exit

ACOS_decrypt(config)# slb template ssli ldap_insight


ACOS_decrypt(config-ssli)# type ldap


ACOS_decrypt(config-ssli)# exit

Step 4. Configuring the SSLi Service Groups

For an explanation of the procedure, refer to the similar procedure discussed in Step 4. Configuring the SSLi Service Groups.

The only deviation is that the service group FW1_Inspect_SG in this example is associated with ports 25, 5522, and 110, as the SSLi solution inspects POP, SMTP, FTP, LDAP, and XMPP traffic.
ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 25
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 5522
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 110
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_TCP_SG tcp


ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_UDP_SG udp


ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server

For an explanation of the procedure, refer to the similar procedure discussed in Step 5. Configuring the Virtual Server.

The deviation is that port 21 ssli, port 25 ssli, port 110 ssli, port 389 ssli, and port 5522 ssli in this example are each bound to the service group FW1_Inspect_SG, to a client-SSL template, and to the SSLi template whose type matches the protocol on that port. Port 21 appears twice below: first with the generic SSLInsight_DecryptSide template and, after the note, with the Explicit_FTPS template. A virtual port carries a single client-SSL template, so use whichever applies to your deployment.
ACOS_decrypt(config)# access-list 100 permit ip any any vlan 10

ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100

ACOS_decrypt(config-slb vserver)# port 21 ssli


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# template ssli ftp_insight
ACOS_decrypt(config-slb vserver-vport)# exit


NOTE: If you configure an ssli virtual port along with ssli-sni-hash-enable on ACOS_decrypt or ACOS_encrypt, you cannot configure the source-nat virtual port on ACOS_decrypt. However, you can configure it on ACOS_encrypt.
ACOS_decrypt(config-slb vserver)# port 21 ssli
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl Explicit_FTPS
ACOS_decrypt(config-slb vserver-vport)# template ssli ftp_insight
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 ssl-proxy


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl Implicit_FTPS
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 25 ssli


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# template ssli smtp_insight
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 110 ssli
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# template ssli pop_insight
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 5522 ssli
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# template ssli xmpp_insight
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 389 ssli
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# template ssli ldap_insight
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 tcp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_TCP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 udp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 others
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# exit

ACOS_encrypt Configuration

Perform the following steps for the ACOS_encrypt partition:

The following topics are covered:

Step 1. Configuring the Network VLANs 118

Step 2. Configuring the Network IP Addresses 119

Step 3. Configuring the SSLi Services 119

Step 4. Configuring the SSLi Service Groups 121

Step 5. Configuring the Virtual Server 121

Step 1. Configuring the Network VLANs


ACOS(config)# hostname ACOS_encrypt
ACOS_encrypt(config)# vlan 20
ACOS_encrypt(config-vlan:20)# tagged ethernet 2
ACOS_encrypt(config-vlan:20)# router-interface ve 20
ACOS_encrypt(config-vlan:20)# exit

ACOS_encrypt(config)# vlan 15
ACOS_encrypt(config-vlan:15)# tagged ethernet 1
ACOS_encrypt(config-vlan:15)# router-interface ve 15
ACOS_encrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses


ACOS_encrypt(config)# interface ve 20
ACOS_encrypt(config-if:ve20)# ip address 20.1.1.2 /24
ACOS_encrypt(config-if:ve20)# exit

ACOS_encrypt(config)# interface ve 15
ACOS_encrypt(config-if:ve15)# ip address 10.15.1.12 /24
ACOS_encrypt(config-if:ve15)# exit

Step 3. Configuring the SSLi Services


1. Create an SSL server template on ACOS_encrypt so that the VIP on ACOS_encrypt can
operate as an SSL client and handshake with the EnterpriseABC server.
ACOS_encrypt(config)# slb template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-server ssl)# forward-proxy-enable
ACOS_encrypt(config-server ssl)# exit

a. Create an SSL server template to configure implicit FTPS for TLS data transmission and enable SSLi FTP. If you want to enable TLS session reuse, configure session-ticket-enable as well.
ACOS_encrypt(config)# slb template server-ssl Implicit_FTPS
ACOS_encrypt(config-server ssl)# close-notify
ACOS_encrypt(config-server ssl)# forward-proxy-enable
ACOS_encrypt(config-server ssl)# session-ticket-enable
ACOS_encrypt(config-server ssl)# enable-ssli-ftp-alg 990
ACOS_encrypt(config-server ssl)# exit

b. Create an SSLi server template to configure explicit FTPS for TLS data transmission.
ACOS_encrypt(config)# slb template server-ssl Explicit_FTPS
ACOS_encrypt(config-server ssl)# ssli-logging all
ACOS_encrypt(config-server ssl)# close-notify
ACOS_encrypt(config-server ssl)# forward-proxy-enable
ACOS_encrypt(config-server ssl)# exit

2. Create the real server Default_Gateway. Bind the SLB ports of the intercepted non-HTTP protocols (ports 25, 110, and 5522) to Default_Gateway. ACOS_encrypt forwards the traffic on these ports over VLAN 20 to the default gateway at IP address 20.1.1.10. The default gateway has a route to the EnterpriseABC server.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 25 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

ACOS_encrypt(config-real server)# port 5522 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

ACOS_encrypt(config-real server)# port 110 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit
ACOS_encrypt(config-real server)# exit

3. All other UDP and TCP traffic is forwarded on VLAN 20 to the default gateway using the
wildcard ports: port 0 tcp and port 0 udp.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 0 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

ACOS_encrypt(config-real server)# port 0 udp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

4. Create an SSLi template for each service protocol running over SSL that is to be intercepted.
ACOS_encrypt(config)# slb template ssli smtp_insight
ACOS_encrypt(config-ssli)# type smtp
ACOS_encrypt(config-ssli)# exit

ACOS_encrypt(config)# slb template ssli xmpp_insight
ACOS_encrypt(config-ssli)# type xmpp
ACOS_encrypt(config-ssli)# exit

ACOS_encrypt(config)# slb template ssli pop_insight
ACOS_encrypt(config-ssli)# type pop
ACOS_encrypt(config-ssli)# exit

ACOS_encrypt(config)# slb template ssli ftp_insight
ACOS_encrypt(config-ssli)# type ftp
ACOS_encrypt(config-ssli)# exit

ACOS_encrypt(config)# slb template ssli ldap_insight
ACOS_encrypt(config-ssli)# type ldap
ACOS_encrypt(config-ssli)# exit

Step 4. Configuring the SSLi Service Groups


Provide a path for the intercepted non-HTTP protocols running over SSL by creating a service group called DG_SSL_SG and binding it to ports 25, 5522, and 110 of the SLB real server.
ACOS_encrypt(config)# slb service-group DG_SSL_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 25
ACOS_encrypt(config-slb svc group)# member Default_Gateway 5522
ACOS_encrypt(config-slb svc group)# member Default_Gateway 110
ACOS_encrypt(config-slb svc group)# exit

Provide a path to the default gateway for all other traffic by creating two service groups
called DG_TCP_SG and DG_UDP_SG.
ACOS_encrypt(config)# slb service-group DG_TCP_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

ACOS_encrypt(config)# slb service-group DG_UDP_SG udp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server


For an explanation of the procedure, refer to Step 5. Configuring the Virtual Server in the ACOS_decrypt configuration above.

The only deviation is that port 21 ssli, port 25 ssli, port 110 ssli, port 389 ssli, and port 5522 ssli in this example must be configured as part of the virtual server Encrypt_VIP.
ACOS_encrypt(config)# access-list 101 permit ip any any vlan 15

ACOS_encrypt(config)# slb virtual-server Encrypt_VIP 0.0.0.0 acl 101

ACOS_encrypt(config-slb vserver)# port 21 ssli
ACOS_encrypt(config-slb vserver-vport)# source-nat auto
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl Explicit_FTPS
ACOS_encrypt(config-slb vserver-vport)# template ssli ftp_insight
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 25 ssli
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# template ssli smtp_insight
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 110 ssli
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# template ssli pop_insight
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 5522 ssli
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# template ssli xmpp_insight
ACOS_encrypt(config-slb vserver-vport)# exit
ACOS_encrypt(config-slb vserver)# port 389 ssli
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# template ssli ldap_insight
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 tcp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_TCP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 udp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 others
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit
ACOS_encrypt(config-slb vserver)# exit

Configure DSCP for Implicit FTPS.


ACOS_encrypt(config)# access-list 102 permit ip any any dscp 10

ACOS_encrypt(config)# slb virtual-server implicit-dscp10 0.0.0.0 acl 102

ACOS_encrypt(config-slb vserver)# port 0 tcp-proxy
ACOS_encrypt(config-slb vserver-vport)# source-nat pool V4_20_NAT
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl Implicit_FTPS
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# exit

Consolidated Configuration Examples


Use the show running-config command to check your configuration for both ACOS_decrypt
and ACOS_encrypt.
ACOS_decrypt# show running-config
!Current configuration: 811 bytes
!!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 2
router-interface ve 15
!
hostname ACOS_decrypt
!
interface management
ip address dhcp
!
interface ethernet 1
enable
interface ethernet 2
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
slb template ssli xmpp_insight
type xmpp
!
slb template ssli smtp_insight
type smtp
!
slb template ssli pop_insight
type pop
!
slb template ssli ftp_insight
type ftp
!
slb template ssli ldap_insight
type ldap
!
slb server FW1_Inspect 10.15.1.12
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 25 tcp
health-check-disable
port 110 tcp
health-check-disable
port 5522 tcp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 25
member FW1_Inspect 5522
member FW1_Inspect 110
!
slb template client-ssl SSLInsight_DecryptSide
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
!
slb template client-ssl Implicit_FTPS
ssli-logging all
close-notify
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
forward-proxy-decrypted dscp 10 2
enable-ssli-ftp-alg 990
!
slb template client-ssl Explicit_FTPS
ssli-logging all
close-notify
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 0 tcp
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat
port 0 ssl-proxy
service-group FW1_Inspect_SG
template client-ssl Implicit_FTPS
no-dest-nat
port 21 ssli
service-group FW1_Inspect_SG
template client-ssl Explicit_FTPS
template ssli ftp_insight
no-dest-nat
port 25 ssli
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
template ssli smtp_insight
no-dest-nat
port 110 ssli
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
template ssli pop_insight
no-dest-nat
port 5522 ssli
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
template ssli xmpp_insight
no-dest-nat
port 389 ssli
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
template ssli ldap_insight
no-dest-nat
!
end

ACOS_Encrypt# show running-config
!Current configuration: 485 bytes
!
access-list 101 permit ip any any vlan 15
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
vlan 20
tagged ethernet 2
router-interface ve 20
!
hostname ACOS_encrypt
!
interface management
ip address dhcp
!
interface ethernet 1
enable
interface ethernet 2
enable
!
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 20.1.1.2 255.255.255.0
!
!
slb template server-ssl SSLInsight_EncryptSide
forward-proxy-enable
!
slb template ssli xmpp_insight
type xmpp
!
slb template ssli smtp_insight
type smtp
!
slb template ssli pop_insight
type pop
!
slb template ssli ftp_insight
type ftp
!
slb template ssli ldap_insight
type ldap
!
slb server Default_Gateway 20.1.1.10
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 25 tcp
health-check-disable
port 110 tcp
health-check-disable
port 5522 tcp
health-check-disable
!
slb service-group DG_SSL_SG tcp
member Default_Gateway 25
member Default_Gateway 5522
member Default_Gateway 110
!
slb service-group DG_TCP_SG tcp
member Default_Gateway 0
!
slb service-group DG_UDP_SG udp
member Default_Gateway 0
!
slb template server-ssl SSLInsight_EncryptSide
forward-proxy-enable
!
slb template server-ssl Implicit_FTPS
close-notify
forward-proxy-enable
session-ticket-enable
enable-ssli-ftp-alg 990
!
slb template server-ssl Explicit_FTPS
ssli-logging all
close-notify
forward-proxy-enable
!
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
port 0 tcp
service-group DG_TCP_SG
no-dest-nat
port 0 udp
service-group DG_UDP_SG
no-dest-nat
port 0 others
service-group DG_UDP_SG
no-dest-nat
port 21 ssli
source-nat auto
service-group FW1_Inspect_SG
template server-ssl Explicit_FTPS
template ssli ftp_insight
no-dest-nat
port 25 ssli
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
template ssli smtp_insight
no-dest-nat
port 110 ssli
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
template ssli pop_insight
no-dest-nat
port 5522 ssli
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
template ssli xmpp_insight
no-dest-nat
port 389 ssli
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
template ssli ldap_insight
no-dest-nat
!
end

<For DSCP Implicit FTPS>

access-list 102 permit ip any any dscp 10
!
.
.
.
slb virtual-server implicit-dscp10 0.0.0.0 acl 102
port 0 tcp-proxy
source-nat pool V4_20_NAT
service-group DG_SSL_SG
template server-ssl Implicit_FTPS
no-dest-nat
!
end
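The two dumps above are meant to be read side by side: SSLi only closes the loop when every decrypted virtual port on ACOS_decrypt has a matching port N ssli on ACOS_encrypt that uses the same ssli protocol type and binds a service group that actually exists on that device. Note, for instance, that the ACOS_encrypt dump above binds port 21 ssli to FW1_Inspect_SG, a group defined only on ACOS_decrypt, whereas the step-by-step configuration used DG_SSL_SG. The following Python script is an added example, not part of this guide or of ACOS; it parses trimmed, constructed excerpts of such running-configs (keyed on the command keywords visible in the dumps, not on any A10 API) and reports exactly those mismatches.

```python
"""Cross-check an ACOS_decrypt / ACOS_encrypt SSLi running-config pair (constructed example)."""


def parse_running_config(text):
    """Parse the slb objects of a 'show running-config' dump; every other line is ignored.
    Layout: groups: name -> {"proto", "members"}; ssli_types: template -> type;
    vports: (port, kind) -> {"group", "ssli"}."""
    cfg = {"groups": {}, "ssli_types": {}, "vports": {}}
    ctx, vport = ("", ""), None  # ctx = (block kind, block name)
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[:2] == ["slb", "service-group"]:
            ctx = ("group", w[2])
            cfg["groups"][w[2]] = {"proto": w[3], "members": []}
        elif w[:3] == ["slb", "template", "ssli"]:
            ctx = ("ssli", w[3])
        elif w[:2] == ["slb", "virtual-server"]:
            ctx, vport = ("vip", w[2]), None
        elif w[0] in ("slb", "interface", "vlan", "access-list", "hostname", "end"):
            ctx = ("", "")  # any other top-level command closes the current block
        elif ctx[0] == "group" and w[0] == "member":
            cfg["groups"][ctx[1]]["members"].append((w[1], int(w[2])))
        elif ctx[0] == "ssli" and w[0] == "type":
            cfg["ssli_types"][ctx[1]] = w[1]
        elif ctx[0] == "vip" and w[0] == "port":
            vport = (int(w[1]), w[2])
            cfg["vports"][vport] = {}
        elif ctx[0] == "vip" and vport and w[0] == "service-group":
            cfg["vports"][vport]["group"] = w[1]
        elif ctx[0] == "vip" and vport and w[:2] == ["template", "ssli"]:
            cfg["vports"][vport]["ssli"] = w[2]
    return cfg


def check_device(cfg, label):
    """Per-device findings: virtual ports bound to a service-group this device never defines."""
    out = []
    for (port, kind), v in cfg["vports"].items():
        if v.get("group") not in cfg["groups"]:
            out.append(f"{label}: port {port} {kind} binds undefined service-group {v.get('group')}")
    return out


def check_pair(decrypt, encrypt):
    """Each decrypted 'port N ssli' needs an encrypt-side 'port N ssli' of the same protocol type,
    otherwise cleartext handed to the inspection device has no path back into TLS."""
    out = check_device(decrypt, "decrypt") + check_device(encrypt, "encrypt")
    for (port, kind), v in decrypt["vports"].items():
        if kind != "ssli":
            continue
        peer = encrypt["vports"].get((port, "ssli"))
        if peer is None:
            out.append(f"pair: port {port} ssli has no encrypt-side port {port} ssli")
        elif decrypt["ssli_types"].get(v.get("ssli")) != encrypt["ssli_types"].get(peer.get("ssli")):
            out.append(f"pair: port {port} ssli protocol type differs between decrypt and encrypt side")
    return out


# Constructed excerpts of the two running-configs shown above, trimmed to what the checks read.
DECRYPT = """
slb template ssli smtp_insight
 type smtp
slb template ssli xmpp_insight
 type xmpp
slb service-group FW1_Inspect_SG tcp
 member FW1_Inspect 25
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
 port 25 ssli
  service-group FW1_Inspect_SG
  template ssli smtp_insight
 port 5522 ssli
  service-group FW1_Inspect_SG
  template ssli xmpp_insight
"""
ENCRYPT = """
slb template ssli smtp_insight
 type smtp
slb template ssli ftp_insight
 type ftp
slb service-group DG_SSL_SG tcp
 member Default_Gateway 25
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
 port 21 ssli
  service-group FW1_Inspect_SG
  template ssli ftp_insight
 port 25 ssli
  service-group DG_SSL_SG
  template ssli smtp_insight
"""


def run_example():
    return check_pair(parse_running_config(DECRYPT), parse_running_config(ENCRYPT))
```

Running `run_example()` on the constructed pair reports two findings: the undefined FW1_Inspect_SG binding on the encrypt side, and a port 5522 ssli that is decrypted but has no encrypt-side counterpart. Feeding the script real dumps from both devices before a change window catches exactly the class of error that otherwise shows up as decrypted mail or XMPP traffic silently failing to leave the inspection zone.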

Chapter 7: Inbound Static-Port Type HTTPS
This section describes how to configure inbound SSLi, that is, intercepting and decrypting SSL/TLS traffic that originates on the Internet and is destined for your internal SSL web application servers.

The following topics are covered:

Deployment Example 132

Deployment Example
This section provides detailed steps for configuring SSLi to transparently intercept HTTPS traffic from clients, decrypt the traffic so that it can be inspected at the firewall, re-encrypt it, and forward it to the SSL server that the clients are trying to reach. The SSLi example in this section intercepts only HTTPS sessions. With virtual port type HTTPS, the virtual ports are specified using the port 443 https command. All other SSL and non-SSL traffic is bypassed. The topology for this example is illustrated in FIGURE 7-1.

FIGURE 7-1: Inbound SSLi Network Topology

The configuration of SSLi in this section is one in which the clients are connecting to SSL servers running on a private network behind a firewall. The sessions connect “inbound” to the private network.

Inbound and outbound SSLi can be configured together; traffic flowing in both directions would then be decrypted and re-encrypted. However, the command lines that configure the inbound virtual servers must come before the command lines that configure the outbound virtual servers. For the configuration of outbound SSLi, refer to Static-Port Type HTTPS SSLi.

Configure the External Inbound ACOS device

Before beginning this configuration, you must import the certificates and private keys of the SSL/TLS servers that SSLi will be provisioned to decrypt and encrypt. In the configuration that follows, each server is mapped by domain name to a certificate and private key pair. In addition, a default certificate and its corresponding private key are configured.

See “Importing Certificate” for information on importing certificates and keys.

1. Configure the access lists. Traffic coming from the Internet is filtered to permit traffic
going to the following three private networks.

access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255

2. Configure the virtual Ethernet interface, 100, facing the Internet and give it the IP address 10.10.10.1. Configure a second interface, 882, facing the firewall that protects the private networks, and assign the public IP address 88.2.0.2 to this interface.
vlan 100
untagged ethernet 52
router-interface ve 100
!
vlan 882
untagged ethernet 51
router-interface ve 882
!
hostname Ext-Inbound-SSLi
!
timezone America/Los_Angeles
!
ntp server 10.101.4.10
!
interface management
ip address 10.101.6.190 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 51
enable
!
interface ethernet 52
enable
!
interface ve 100
ip address 10.10.10.1 255.255.255.0
!
interface ve 882
ip address 88.2.0.2 255.255.255.0
ip allow-promiscuous-vip
!

3. Configure a default route to an Internet router, and configure static routes from the virtual Ethernet interfaces to the private network.

ip route 0.0.0.0 /0 88.2.0.1
ip route 10.1.1.0 /24 10.10.10.2
ip route 10.2.2.0 /24 10.10.10.2
ip route 10.3.3.0 /24 10.10.10.2
ip route 10.4.4.0 /24 10.10.10.2

4. Configure the SSL-client template for SNI-mapped certificate-key pairs. If a client includes the Server Name Indication (SNI) extension in its Hello message, the SSLi session connects to the server in the specified domain using the certificate and key that are mapped to the domain requested by the client.

For the client-ssl template, the new command is:

certificate <cert-name> key <key-name> [pass-phrase <pass-phrase-str>] [chain-cert <chain-cert-name>]

Certificate and key configuration must be put on one line because they must exist at the same time.
slb template client-ssl inbound-ssli
server abc.com certificate cert1 key key1 pass-phrase Pass1 chain-cert Cert1
server xyz.com certificate cert2 key key2 pass-phrase Pass2 chain-cert Cert2
cert default-cert
key default-key
!
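To make the SNI mapping above concrete, here is an added Python example (not part of this guide or of ACOS) that extracts the server_name from a TLS ClientHello and picks the certificate/key pair the inbound-ssli template would present, falling back to the default pair when the client sends no SNI at all or asks for a name that is not mapped. The ClientHello builder, the template dictionary and the cert/key names are constructed for the example; the pass-phrase and chain-cert options are not modelled.

```python
"""Pick the certificate/key an SSLi client-ssl template presents for a ClientHello (constructed example)."""
import struct

# Mirrors the page's 'slb template client-ssl inbound-ssli': SNI -> (cert, key), plus the default pair.
INBOUND_SSLI_TEMPLATE = {
    "servers": {"abc.com": ("cert1", "key1"), "xyz.com": ("cert2", "key2")},
    "default": ("default-cert", "default-key"),
}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record; the SNI extension is added only if a name is given."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(name_list)) + name_list
        exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext    # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)             # client_version, random
            + b"\x00"                           # empty session_id
            + b"\x00\x02\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                       # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in the ClientHello SNI extension, or None if absent or malformed."""
    def u16(off):
        return struct.unpack("!H", record[off:off + 2])[0]
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                         # not a handshake record / not a ClientHello
        p = 9 + 2 + 32                          # record header, handshake header, version, random
        p += 1 + record[p]                      # session_id
        p += 2 + u16(p)                         # cipher_suites
        p += 1 + record[p]                      # compression_methods
        if p + 2 > len(record):
            return None                         # no extensions block at all
        end = p + 2 + u16(p)
        p += 2
        while p + 4 <= min(end, len(record)):
            etype, elen = u16(p), u16(p + 2)
            p += 4
            if etype == 0 and elen >= 5 and record[p + 2] == 0:
                name_len = u16(p + 3)           # ServerNameList: list len(2), name_type(1), name len(2), name
                name = record[p + 5:p + 5 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                             # truncated or malformed input never raises to the caller


def select_certificate(template, record):
    """Return (sni, cert, key): the SNI-mapped pair when the requested name is configured, else the default."""
    sni = parse_sni(record)
    if sni is None:
        return (None,) + template["default"]
    return (sni,) + template["servers"].get(sni.lower().rstrip("."), template["default"])
```

The fallback path matters operationally: a client that omits SNI, or asks for a host the template does not list, is handed default-cert, so that certificate is the one browsers will complain about if it does not cover the name they expect; keep the default pair current and review which names really hit it.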

5. Configure three protocol ports that forward traffic on real servers to the firewall. Only port 8080 tcp is configured to decrypt the SSL traffic that it receives from the Internet on port 443 https. Protocol port 0 udp and port 0 tcp forward all other traffic to the firewall.

slb server gw2-bp 10.10.10.2
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
!
slb service-group gw2-bp-8080 tcp
member gw2-bp 8080
!
slb service-group gw2-bp-tcp tcp
member gw2-bp 0
!
slb service-group gw2-bp-udp udp
member gw2-bp 0
!

6. Configure the virtual server with the ports configured in the previous step. Assign service groups to forward the traffic on these ports to the firewall. In addition, provision the virtual ports to send replies to clients back through the last hop on which the request for the virtual port's service was received (use-rcv-hop-for-resp), and to keep the original destination IP address when forwarding traffic (no-dest-nat, that is, do not use destination NAT).

slb virtual-server vip1-ext 0.0.0.0 acl 101
port 0 tcp
service-group gw2-bp-tcp
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
service-group gw2-bp-udp
use-rcv-hop-for-resp
no-dest-nat
port 0 others
service-group gw2-bp-udp
use-rcv-hop-for-resp
no-dest-nat
port 443 https
service-group gw2-bp-8080
use-rcv-hop-for-resp
template client-ssl inbound-ssli
no-dest-nat port-translation

7. Use the show running-config command to check your configuration of the external
ACOS device.

Ext-Inbound# show running-config
!
access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255
!
vlan 100
untagged ethernet 52
router-interface ve 100
!
vlan 882
untagged ethernet 51
router-interface ve 882
!
hostname Ext-Inbound-SSLi
!
timezone America/Los_Angeles
!
ntp server 10.101.4.10
!
interface management
ip address 10.101.6.190 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 51
enable
!
interface ethernet 52
enable
!
interface ve 100
ip address 10.10.10.1 255.255.255.0
!
interface ve 882
ip address 88.2.0.2 255.255.255.0
ip allow-promiscuous-vip
!
ip route 0.0.0.0 /0 88.2.0.1
ip route 10.1.1.0 /24 10.10.10.2
ip route 10.2.2.0 /24 10.10.10.2
ip route 10.3.3.0 /24 10.10.10.2
ip route 10.4.4.0 /24 10.10.10.2
!
slb template client-ssl inbound-ssli
server abc.com cert cert1 key key1
server xyz.com cert cert2 key key2
cert default-cert
key default-key
!
slb server gw2-bp 10.10.10.2
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
!
slb service-group gw2-bp-8080 tcp
member gw2-bp 8080
!
slb service-group gw2-bp-tcp tcp
member gw2-bp 0
!
slb service-group gw2-bp-udp udp
member gw2-bp 0
!
slb virtual-server vip1-ext 0.0.0.0 acl 101
port 0 tcp
service-group gw2-bp-tcp
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
service-group gw2-bp-udp
use-rcv-hop-for-resp
no-dest-nat
port 0 others
service-group gw2-bp-udp
use-rcv-hop-for-resp
no-dest-nat
port 443 https
service-group gw2-bp-8080
use-rcv-hop-for-resp
template client-ssl inbound-ssli
no-dest-nat port-translation
!

Configure the Internal Inbound ACOS device

1. Configure the access lists. Traffic coming from the Internet is filtered to permit traffic
going to the following three private networks.

access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255

2. Configure the virtual Ethernet interface, 100, facing the inbound traffic and give it the IP address 10.10.10.2. Configure a second interface, 104, facing the outbound direction and the private networks, and assign the private IP address 10.4.4.2 to this interface.

vlan 100
untagged ethernet 52
router-interface ve 100
!
vlan 104
untagged ethernet 51
router-interface ve 104
!
hostname Int-Inbound-SSLi
!
timezone America/Los_Angeles
!
ntp server 10.101.4.10
!
interface management
ip address 10.101.6.191 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 51
enable
!
interface ethernet 52
enable
!
interface ve 100
ip address 10.10.10.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 104
ip address 10.4.4.2 255.255.255.0
!

3. Configure a default route to the private network and specify the service groups that forward traffic to that network.

Along with the ACOS real server, the server-ssl template is configured to re-establish the SSL sessions that were intercepted by the external ACOS device.

ip route 0.0.0.0 /0 10.10.10.1
ip route 10.1.1.0 /24 10.4.4.1
ip route 10.2.2.0 /24 10.4.4.1
ip route 10.3.3.0 /24 10.4.4.1
!
slb server internal-gw 10.4.4.1
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group internal-gw-443 tcp
member internal-gw 443
!
slb service-group internal-gw-tcp tcp
member internal-gw 0
!
slb service-group internal-gw-udp udp
member internal-gw 0
!
slb template server-ssl inbound-ssli
forward-proxy-enable
!

4. Configure the virtual server that re-encrypts the traffic received on port 8080 http. The non-SSL sessions are received on the wildcard ports 0 udp, 0 tcp, and 0 others.

slb virtual-server vip1-int 0.0.0.0 acl 101
port 0 tcp
service-group internal-gw-tcp
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
service-group internal-gw-udp
use-rcv-hop-for-resp
no-dest-nat
port 0 others
service-group internal-gw-udp
use-rcv-hop-for-resp
no-dest-nat
port 8080 http
service-group internal-gw-443
use-rcv-hop-for-resp
template server-ssl inbound-ssli
no-dest-nat port-translation
!

5. Use the show running-config command to check your configuration of the internal
ACOS device.

Int-Inbound# show running-config
!
access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255
!
vlan 100
untagged ethernet 52
router-interface ve 100
!
vlan 104
untagged ethernet 51
router-interface ve 104
!
hostname Int-Inbound-SSLi
!
timezone America/Los_Angeles
!
ntp server 10.101.4.10
!
interface management
ip address 10.101.6.191 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 51
enable
!
interface ethernet 52
enable
!
interface ve 100
ip address 10.10.10.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 104
ip address 10.4.4.2 255.255.255.0
!
ip route 0.0.0.0 /0 10.10.10.1
ip route 10.1.1.0 /24 10.4.4.1
ip route 10.2.2.0 /24 10.4.4.1
ip route 10.3.3.0 /24 10.4.4.1
!
slb server internal-gw 10.4.4.1
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group internal-gw-443 tcp
member internal-gw 443
!
slb service-group internal-gw-tcp tcp
member internal-gw 0
!
slb service-group internal-gw-udp udp
member internal-gw 0
!
slb template server-ssl inbound-ssli
forward-proxy-enable
!
slb virtual-server vip1-int 0.0.0.0 acl 101
port 0 tcp
service-group internal-gw-tcp
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
service-group internal-gw-udp
use-rcv-hop-for-resp
no-dest-nat
port 0 others
service-group internal-gw-udp
use-rcv-hop-for-resp
no-dest-nat
port 8080 http
service-group internal-gw-443
use-rcv-hop-for-resp
template server-ssl inbound-ssli
no-dest-nat port-translation
!

Chapter 8: Dynamic-Port Inspection
This section describes how to configure dynamic-port inspection for SSLi, which allows SSL-wrapped traffic to be decrypted on any port, not just port 443, where most of it is seen.

The following topics are covered:

Configuration Workflow 143

CLI Configuration 145

DSCP Inspection 155

Configuration Workflow
Since Dynamic-Port SSLi is configured in parallel with SSLi over known ports, in order to configure Dynamic-Port SSLi you need to address three flows:

• SSL traffic arriving on known ports: This is addressed by the standard static-port SSLi configuration; however, you will need to explicitly tag this traffic as decrypted using a custom DSCP value (for example, DSCP=6).

• SSL traffic arriving on unknown ports: This is addressed by the Dynamic-Port SSLi configuration described in this chapter; decrypted traffic from these ports is tagged with the same custom DSCP value (for example, DSCP=6).

• All SSLi-bypassed and non-SSL (TCP, UDP, ICMP, etc.) traffic arriving on unknown ports: This is addressed with wildcard vPorts and service-groups; however, you will need to explicitly tag this traffic as non-SSL using a custom DSCP value (for example, DSCP=4).

DSCP Dynamic-Port SSLi Example Topology below illustrates the overall DSCP dynamic-port
SSLi configuration workflow.
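The DSCP tagging described above only does its job if the access lists on the re-encrypt side select precisely the marked streams, and the same access-list syntax (address/wildcard pairs plus the vlan and dscp qualifiers) drives every VIP in the Chapter 6 and Chapter 7 examples. The following Python example is added here and is not part of this guide or of ACOS: it parses such access-list lines into rules, evaluates constructed packets against them (first match wins, with an implicit deny when nothing matches), and then uses two hypothetical ACL numbers, 106 and 104, to show the decrypted (DSCP 6) and non-SSL (DSCP 4) streams being steered apart on ACOS_encrypt.

```python
"""Evaluate ACOS-style access-list lines, including the vlan and dscp qualifiers this guide uses to
steer traffic into SSLi virtual servers (constructed example)."""
import ipaddress


def dscp_from_tos(tos):
    """DSCP is the upper six bits of the IPv4 TOS / DS byte."""
    return (tos >> 2) & 0x3F


def _parse_addr(t, i):
    """Parse 'any' or 'address wildcard-mask' at t[i]; return (network, or None for any, next index)."""
    if t[i] == "any":
        return None, i + 1
    # ipaddress accepts a host (wildcard) mask such as 0.0.0.255 directly.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl_line(line):
    """Parse 'access-list <n> permit|deny ip <src> <dst> [vlan <id>] [dscp <value>]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported access-list syntax: {line!r}")
    rule = {"acl": int(t[1]), "action": t[2], "vlan": None, "dscp": None}
    rule["src"], i = _parse_addr(t, 4)
    rule["dst"], i = _parse_addr(t, i)
    while i < len(t):
        if t[i] in ("vlan", "dscp") and i + 1 < len(t):
            rule[t[i]] = int(t[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported qualifier in: {line!r}")
    return rule


def parse_acls(text):
    """Group rules by ACL number, keeping the configured order (first match wins)."""
    acls = {}
    for line in text.strip().splitlines():
        rule = parse_acl_line(line)
        acls.setdefault(rule["acl"], []).append(rule)
    return acls


def _matches(rule, pkt):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return ((rule["src"] is None or src in rule["src"])
            and (rule["dst"] is None or dst in rule["dst"])
            and (rule["vlan"] is None or pkt.get("vlan") == rule["vlan"])
            and (rule["dscp"] is None or dscp_from_tos(pkt.get("tos", 0)) == rule["dscp"]))


def acl_permits(acls, acl_id, pkt):
    """First matching rule decides; an ACL with no matching rule denies (implicit deny)."""
    for rule in acls.get(acl_id, []):
        if _matches(rule, pkt):
            return rule["action"] == "permit"
    return False


# Constructed ACLs: 100 and 101 copy the guide's own lines; 106 and 104 are hypothetical ACL numbers
# implementing the Chapter 8 workflow (DSCP 6 = decrypted, DSCP 4 = bypassed / non-SSL).
SAMPLE_ACLS = parse_acls("""
access-list 100 permit ip any any vlan 10
access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255
access-list 106 permit ip any any dscp 6
access-list 104 permit ip any any dscp 4
""")


def steer_on_encrypt_side(acls, pkt):
    """Which ACOS_encrypt path a packet coming back from the security device takes, judged by its DSCP mark."""
    if acl_permits(acls, 106, pkt):
        return "re-encrypt"       # decrypted stream: must go back through the server-ssl virtual server
    if acl_permits(acls, 104, pkt):
        return "forward-clear"    # bypassed or never-SSL traffic: plain wildcard forwarding
    return "unmarked"             # no DSCP mark: neither ACL claims it, which is worth alerting on
```

The "unmarked" result is the one to watch for in monitoring: a packet arriving on the encrypt side without either mark means a stream escaped the decrypt-side tagging and will be neither re-encrypted nor deliberately forwarded in the clear.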

FIGURE 8-1: DSCP Dynamic-Port Configuration Workflow

ACOS_decrypt Configuration

Clients_VIP SLB Virtual Server:

• Provides the SSL forward proxy service that enables ACOS_decrypt to proxy for the remote SSL servers and bring up SSL sessions with the clients. SSL traffic from the clients arriving on unknown ports is decrypted and forwarded to the Outbound-SSLi-0 service group, whereas bypassed and non-SSL traffic is forwarded to either the Outbound-TCP service group or the Outbound-UDP service group. SSL traffic arriving on the standard SSL vPort is decrypted and forwarded to the Outbound-SSLi-443 service group.

• Outbound-SSLi-0 SLB Service Group: Marks all decrypted SSL traffic arriving on unknown TCP ports with a custom DSCP value (6 in this example) and forwards it to the security device.

• Outbound-SSLi-443 SLB Service Group: Marks all decrypted SSL traffic arriving on known SSL ports (443 in this example) with a custom DSCP value (6 in this example) and forwards it to the security device.

144
Chapter 8: Dynamic-Port Inspection
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

l Outbound-TCP and Outbound-UDP SLB Service Groups–Marks all other TCP traffic with
custom DSCP value (4 in this example) and forwards it to the security device. This
traffic stream includes non-SSL traffic as well as any SSL traffic which was pur-
posefully bypassed in SSLi configuration.

ACOS_encrypt Configuration

l Encrypt_SSLi_VIP wildcard SLB Virtual Server–Provides server-SSL services for decryp-


ted traffic that enable ACOS_decrypt to establish SSL connections with the remote
SSL servers through the Gateway SLB real server, completing end-to-end SSL con-
nectivity.
l Encrypt_SSLi_VIP wildcard SLB Virtual Server–Provides server-SSL services for decryp-
ted traffic that enable ACOS_decrypt to establish SSL connections with the remote
SSL servers through the Gateway SLB real server, completing end-to-end SSL con-
nectivity.

l Outbound-SSLi-8080 SLB Service Group–Forwards all decrypted traffic arriving on


static port 8080 to the Internet default gateway.
l Outbound-SSLi-8080 SLB Service Group–Forwards all decrypted traffic arriving on
static port 8080 to the Internet default gateway.

CLI Configuration
The following topics are covered:

Inside ACOS Configuration 146

ACOS_encrypt Configuration 147

ACOS_decrypt Configuration 149

Consolidated Configuration 152


Inside ACOS Configuration

The ACOS_decrypt zone is configured as the client-facing device. Key configuration ele-
ments include the following:

1. Define an access list to identify the traffic of interest.
2. Import a proxied CA certificate and the certificate's private key. This certificate must
be trusted by the clients.

3. Define two SLB port templates for marking dscp values. In this example, we use dscp=6
for marking decrypted traffic and dscp=4 for marking all bypassed traffic.
!
slb template port decrypt-dscp-6
dscp 6
!
slb template port non-ssli-dscp-4
dscp 4

4. Create an SLB real server for a path through the security device for all TCP and UDP
traffic.
!
slb server FW1 10.10.2.20
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
5. Define an SLB service group for all TCP traffic (Outbound-TCP) and bind the port
template for dscp=4 under it. This service group is used for all bypassed TCP traffic.
6. Define an SLB service group for all UDP traffic (Outbound-UDP) and bind the port
template for dscp=4 under it. This service group is used for all UDP traffic.
7. Define an SLB service group for decrypted TCP traffic from unknown ports
(Outbound-SSLi-0, member FW1 port 0) and bind the port template for dscp=6 under it.
8. Define an SLB service group for decrypted TCP traffic from the known SSL port
(Outbound-SSLi-443, member FW1 port 8080) and bind the port template for dscp=6
under it.

9. Configure the client-SSL template. You must complete the following tasks:

a. Enable SSL Insight support (forward-proxy-enable).
b. Add the proxied CA certificate.
c. Add the CA certificate's private key.
d. Bind the service group for bypassed TCP traffic (non-ssl-bypass).
10. Configure a wildcard VIP to capture all client traffic, and add a wildcard ssl-proxy vPort
under it, along with wildcard UDP and others vPorts and a port 443 https vPort.
11. Enable promiscuous VIP mode on the Ethernet interface that is connected to the clients'
network. This is required by the wildcard VIP.

ACOS_encrypt Configuration

1. On ACOS_encrypt, configure two access lists. The first, access-list 101, matches decrypted
traffic arriving with dscp=6, and the second, access-list 102, matches all other traffic
arriving with dscp=4.
ACOS_encrypt(config)# access-list 101 permit ip any any dscp 6
ACOS_encrypt(config)# access-list 102 permit ip any any dscp 4

2. Create vlan 30 and place its VE interface on the subnet that links to the Internet
default gateway.
ACOS_encrypt(config)# vlan 30
ACOS_encrypt(config-vlan:30)# untagged ethernet 1
ACOS_encrypt(config-vlan:30)# router-interface ve 30
ACOS_encrypt(config)# interface ve 30
ACOS_encrypt(config-if:ve:30)# ip address 10.10.3.20 255.255.255.0

3. Configure a VE interface for vlan 20 (the subnet shared with the security device) and
configure ip allow-promiscuous-vip under it, since the wildcard VIPs are reached on this
interface.
ACOS_encrypt(config)# vlan 20
ACOS_encrypt(config-vlan:20)# untagged ethernet 2
ACOS_encrypt(config-vlan:20)# router-interface ve 20
ACOS_encrypt(config)# interface ve 20
ACOS_encrypt(config-if:ve:20)# ip address 10.10.2.20 255.255.255.0
ACOS_encrypt(config-if:ve:20)# ip allow-promiscuous-vip

4. The outside ACOS needs to provide forward-proxy services for SSLi. The server-ssl
template Server-SSL enables this capability when bound to a virtual port.
ACOS_encrypt(config)# slb template server-ssl Server-SSL
ACOS_encrypt(config-server ssl)# forward-proxy-enable


5. Configure the SLB real server, Gateway, on the IP subnet that links to the default
gateway. Configure the server with the wildcard TCP and UDP ports plus TCP port 443, and
disable health checking on each of them.
ACOS_encrypt(config)# slb server Gateway 10.10.3.1
ACOS_encrypt(config-real server)# port 0 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server)# port 443 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server)# port 0 udp
ACOS_encrypt(config-real server-node port)# health-check-disable

6. Configure the TCP and UDP service groups, which have Gateway as their only member.
Outbound-SSLi-8080 sends the traffic that arrived on port 8080 back out on port 443.
ACOS_encrypt(config)# slb service-group Outbound-TCP tcp
ACOS_encrypt(config-slb svc group)# member Gateway 0
ACOS_encrypt(config)# slb service-group Outbound-UDP udp
ACOS_encrypt(config-slb svc group)# member Gateway 0
ACOS_encrypt(config)# slb service-group Outbound-SSLi-8080 tcp
ACOS_encrypt(config-slb svc group)# member Gateway 443

7. Create the virtual server, Outside_nonSSLi_VIP, to handle non-SSL and bypassed TCP
connections.
ACOS_encrypt(config)# slb virtual-server Outside_nonSSLi_VIP 0.0.0.0 acl 102
ACOS_encrypt(config-slb vserver)# port 0 tcp
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-TCP
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS_encrypt(config-slb vserver)# port 0 udp
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-UDP
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS_encrypt(config-slb vserver)# port 0 others
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-UDP
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp

8. Create the virtual server, Encrypt_SSLi_VIP, to handle SSLi TCP connections. Bind the
previously configured server-ssl template to this server to enable the forward-proxy
process.
ACOS_encrypt(config)# slb virtual-server Encrypt_SSLi_VIP 0.0.0.0 acl 101
ACOS_encrypt(config-slb vserver)# port 0 tcp-proxy
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-TCP
ACOS_encrypt(config-slb vserver-vport)# template server-ssl Server-SSL
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS_encrypt(config-slb vserver)# port 8080 http
ACOS_encrypt(config-slb vserver-vport)# name PORT_8080
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-SSLi-8080
ACOS_encrypt(config-slb vserver-vport)# template server-ssl Server-SSL
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp

ACOS_decrypt Configuration

1. On ACOS_decrypt, configure an access list to permit traffic arriving from the clients.
ACOS_decrypt(config)# access-list 101 permit ip 10.10.1.0 0.0.0.255 any

2. Create vlan 10 on Ethernet 1 port for connecting the clients’ network to ACOS_decrypt
and configure a VE interface 10 with an IP address on the same subnet as the clients.
Lastly, configure ip allow-promiscuous-vip under the VE interface.
ACOS_decrypt(config)# vlan 10
ACOS_decrypt(config-vlan:10)# untagged ethernet 1
ACOS_decrypt(config-vlan:10)# router-interface ve 10
ACOS_decrypt(config)# interface ve 10
ACOS_decrypt(config-if:ve:10)# ip address 10.10.1.10 255.255.255.0
ACOS_decrypt(config-if:ve:10)# ip allow-promiscuous-vip

3. Create vlan 20 on Ethernet 2 port for connecting the security device to ACOS_decrypt
and configure a VE interface 20.
ACOS_decrypt(config)# vlan 20
ACOS_decrypt(config-vlan:20)# untagged ethernet 2
ACOS_decrypt(config-vlan:20)# router-interface ve 20
ACOS_decrypt(config)# interface ve 20
ACOS_decrypt(config-if:ve:20)# ip address 10.10.2.10 255.255.255.0

4. Create the SLB real server, FW1, with IP address 10.10.2.20. This matches the IP
address assigned to ve 20 on ACOS_encrypt, on the far side of the security device. Enable
wildcard ports for TCP and UDP plus TCP port 8080, and disable health checking.

NOTE: Since port 0 is a wildcard port, a health check will fail if enabled.
ACOS_decrypt(config)# slb server FW1 10.10.2.20
ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server)# port 0 udp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server)# port 8080 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable

5. Define port templates for setting DSCP=6 (decrypted traffic) and DSCP=4 (bypassed and
non-SSL traffic).
ACOS_decrypt(config)# slb template port decrypt-dscp-6
ACOS_decrypt(config-rport)# dscp 6
ACOS_decrypt(config)# slb template port non-ssli-dscp-4
ACOS_decrypt(config-rport)# dscp 4

6. Define the service groups toward the security device for all bypassed traffic by binding
the non-ssli-dscp-4 port template to the server port memberships:
ACOS_decrypt(config)# slb service-group Outbound-UDP udp
ACOS_decrypt(config-slb svc group)# member FW1 0
ACOS_decrypt(config-slb svc group-member:0)# template non-ssli-dscp-4
ACOS_decrypt(config)# slb service-group Outbound-TCP tcp
ACOS_decrypt(config-slb svc group)# member FW1 0
ACOS_decrypt(config-slb svc group-member:0)# template non-ssli-dscp-4

7. Define service-groups for the security device for all decrypted traffic by binding the
decrypt-dscp-6 port template to server port memberships:
ACOS_decrypt(config)# slb service-group Outbound-SSLi-0 tcp
ACOS_decrypt(config-slb svc group)# member FW1 0
ACOS_decrypt(config-slb svc group-member:0)# template decrypt-dscp-6
ACOS_decrypt(config)# slb service-group Outbound-SSLi-443 tcp
ACOS_decrypt(config-slb svc group)# member FW1 8080
ACOS_decrypt(config-slb svc group-member:8080)# template decrypt-dscp-6

8. Configure a client-ssl template, Client-SSL, provisioned with the certificate and private
key needed to issue, on the fly, a certificate that the clients seeking an SSL session with
the remote servers will accept. Enable forward proxy and non-SSL bypass.

When the client-SSL template is enabled for forward proxy, ACOS processes intercepted
traffic by default as if it were an HTTPS session. It is therefore necessary to disable the
default HTTPS processing for sessions that are not SSL. The non-ssl-bypass command
disables this processing for those sessions and sends them to the named service group.
ACOS_decrypt(config)# slb template client-ssl Client-SSL
ACOS_decrypt(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# non-ssl-bypass service-group Outbound-TCP

9. Create the virtual server Clients_VIP on ACOS_decrypt facing the clients. Enable its
wildcard port for SSL-proxy service, disable destination NAT, and bind the previously
configured service groups and client-ssl template to it.

When you enable SSL-proxy service on the wildcard VIP, it dynamically proxies for any
protocol running over SSL; in other words, all SSL sessions are intercepted regardless of
the port they arrive on.
a. Disable destination NAT to preserve the destination IP address on load-balanced
traffic.
b. Bind the wildcard SSL-proxy port to the service group named Outbound-SSLi-0 to
provide a path to the inspection device and the outside ACOS. Also bind an HTTPS vPort
(port 443) to the service group Outbound-SSLi-443; port translation is enabled on it so
that the decrypted traffic reaches the security device on port 8080.
c. Bind the wildcard SSL-proxy port to the client-SSL template named Client-SSL to
enable forward-proxy services (SSLi) on that port.
d. Bind the port 443 https vPort to the same client-SSL template to enable forward-proxy
services (SSLi) on that port.
ACOS_decrypt(config)# slb virtual-server Clients_VIP 0.0.0.0 acl 101
ACOS_decrypt(config-slb vserver)# port 0 ssl-proxy
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group Outbound-SSLi-0
ACOS_decrypt(config-slb vserver-vport)# template client-ssl Client-SSL
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# service-group Outbound-SSLi-443
ACOS_decrypt(config-slb vserver-vport)# template client-ssl Client-SSL

10. Enable the wildcard udp and others vPorts and bind service groups to them.
ACOS_decrypt(config-slb vserver)# port 0 udp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group Outbound-UDP
ACOS_decrypt(config-slb vserver)# port 0 others
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group Outbound-UDP


Consolidated Configuration

ACOS_decrypt

!
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 20
untagged ethernet 2
router-interface ve 20
!
interface ve 10
ip address 10.10.1.10 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 10.10.2.10 255.255.255.0
!
slb template port decrypt-dscp-6
dscp 6
!
slb template port non-ssli-dscp-4
dscp 4
!
slb server FW1 10.10.2.20
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
!

slb service-group Outbound-TCP tcp
member FW1 0
template non-ssli-dscp-4
!
slb service-group Outbound-UDP udp
member FW1 0
template non-ssli-dscp-4
!
slb service-group Outbound-SSLi-0 tcp
member FW1 0
template decrypt-dscp-6
!
slb service-group Outbound-SSLi-443 tcp
member FW1 8080
template decrypt-dscp-6
!
slb template client-ssl Client-SSL
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
non-ssl-bypass service-group Outbound-TCP
!
slb virtual-server Clients_VIP 0.0.0.0 acl 101
port 0 ssl-proxy
no-dest-nat
service-group Outbound-SSLi-0
template client-ssl Client-SSL
port 0 udp
no-dest-nat
service-group Outbound-UDP
port 0 others
no-dest-nat
service-group Outbound-UDP
port 443 https
no-dest-nat port-translation
service-group Outbound-SSLi-443
template client-ssl Client-SSL
!
end

ACOS_encrypt

!
access-list 101 permit ip any any dscp 6
!
access-list 102 permit ip any any dscp 4
!
vlan 20
untagged ethernet 2
router-interface ve 20
!
vlan 30
untagged ethernet 1
router-interface ve 30
!
ip route 0.0.0.0 /0 10.10.3.1
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ve 20
ip address 10.10.2.20 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 30
ip address 10.10.3.20 255.255.255.0
!
slb server Gateway 10.10.3.1
port 443 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group Outbound-TCP tcp
member Gateway 0
!
slb service-group Outbound-UDP udp
member Gateway 0
!
slb service-group Outbound-SSLi-8080 tcp
member Gateway 443
!
slb template server-ssl Server-SSL
forward-proxy-enable
!

slb virtual-server Outside_nonSSLi_VIP 0.0.0.0 acl 102
port 0 tcp
service-group Outbound-TCP
no-dest-nat
use-rcv-hop-for-resp
port 0 udp
service-group Outbound-UDP
no-dest-nat
use-rcv-hop-for-resp
port 0 others
service-group Outbound-UDP
no-dest-nat
use-rcv-hop-for-resp
!
slb virtual-server Encrypt_SSLi_VIP 0.0.0.0 acl 101
port 0 tcp-proxy
service-group Outbound-TCP
template server-ssl Server-SSL
no-dest-nat
use-rcv-hop-for-resp
port 8080 http
name PORT_8080
service-group Outbound-SSLi-8080
template server-ssl Server-SSL
no-dest-nat port-translation
use-rcv-hop-for-resp
!
end
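The two consolidated configurations above only work together if the names, ports and DSCP values on both devices agree, and several of the mistakes that break the path (a misspelled port template, a member on a port the real server does not define, a DSCP value the encrypt side never matches) produce no error when the configuration is entered. The following Python script is an added example, not A10 code and not part of this guide's configuration: it parses the stanza layout used above (one command per line, sub-commands indented, stanzas separated by "!") into a small model and cross-checks the decrypt and encrypt sides. The embedded sample configurations are the template, real-server, service-group and access-list stanzas from this chapter, re-indented; the deliberately broken variants reintroduce the non-ssl-dscp-4 spelling that appears in the step-by-step text and add two further slips. The parser understands only the commands used here, not the full ACOS grammar.

```python
# Cross-check an SSLi decrypt/encrypt configuration pair (added example, not A10 code). Assumes
# the consolidated-configuration layout (commands at column 0, sub-commands indented, "!" between
# stanzas) and understands only the commands used in this chapter.

def parse_acos(text):
    """Return [(top-level command words, [sub-command word lists])]."""
    stanzas = []
    for line in text.splitlines():
        if not line.strip() or line.strip() in ("!", "end"):
            continue
        if line.startswith(" ") and stanzas:   # indented: belongs to the current stanza
            stanzas[-1][1].append(line.split())
        else:
            stanzas.append((line.split(), []))
    return stanzas

def build_model(text):
    """Real-server ports, service-group members, DSCP port templates and ACL DSCP matches."""
    m = {"servers": {}, "sgs": {}, "tmpl": {}, "acl_dscp": set()}
    for w, subs in parse_acos(text):
        if w[:2] == ["slb", "server"]:
            m["servers"][w[2]] = {(p[2], int(p[1])) for p in subs if p[0] == "port"}
        elif w[:2] == ["slb", "service-group"]:
            members = []
            for p in subs:
                if p[0] == "member":
                    members.append({"server": p[1], "port": int(p[2]), "tmpl": None})
                elif p[0] == "template" and members:   # port template bound to that member
                    members[-1]["tmpl"] = p[1]
            m["sgs"][w[2]] = {"proto": w[3] if len(w) > 3 else None, "members": members}
        elif w[:3] == ["slb", "template", "port"]:
            m["tmpl"][w[3]] = next((int(p[1]) for p in subs if p[0] == "dscp"), None)
        elif w[0] == "access-list" and "dscp" in w:
            m["acl_dscp"].add(int(w[w.index("dscp") + 1]))
    return m

def check_side(m, label):
    """Findings for one device: members on undefined server ports, dangling template names."""
    out = []
    for name, sg in m["sgs"].items():
        for mem in sg["members"]:
            if (sg["proto"], mem["port"]) not in m["servers"].get(mem["server"], set()):
                out.append(f"{label}: service-group {name} uses {mem['server']} port "
                           f"{mem['port']}/{sg['proto']}, which the server does not define")
            if mem["tmpl"] and mem["tmpl"] not in m["tmpl"]:
                out.append(f"{label}: service-group {name} references missing port template {mem['tmpl']}")
    return out

def check_pair(decrypt_cfg, encrypt_cfg):
    """All findings for the pair; an empty list means the two sides agree."""
    d, e = build_model(decrypt_cfg), build_model(encrypt_cfg)
    out = check_side(d, "decrypt") + check_side(e, "encrypt")
    # Every DSCP value the decrypt side stamps toward the security device must be matched by an
    # encrypt-side access list, or that traffic is forwarded past the VIPs without any error.
    marked = {d["tmpl"][mem["tmpl"]] for sg in d["sgs"].values() for mem in sg["members"]
              if d["tmpl"].get(mem["tmpl"]) is not None}
    for val in sorted(marked - e["acl_dscp"]):
        out.append(f"pair: decrypt side marks traffic with dscp {val} but no encrypt-side access-list matches it")
    return out

# The template, real-server, service-group and access-list stanzas of this chapter's consolidated
# configurations (the remaining stanzas are omitted; they do not affect these checks).
DECRYPT_CFG = """\
slb template port decrypt-dscp-6
  dscp 6
slb template port non-ssli-dscp-4
  dscp 4
slb server FW1 10.10.2.20
  port 0 tcp
  port 8080 tcp
slb service-group Outbound-TCP tcp
  member FW1 0
    template non-ssli-dscp-4
slb service-group Outbound-SSLi-0 tcp
  member FW1 0
    template decrypt-dscp-6
slb service-group Outbound-SSLi-443 tcp
  member FW1 8080
    template decrypt-dscp-6
"""
ENCRYPT_CFG = """\
access-list 101 permit ip any any dscp 6
access-list 102 permit ip any any dscp 4
slb server Gateway 10.10.3.1
  port 0 tcp
  port 443 tcp
slb service-group Outbound-TCP tcp
  member Gateway 0
slb service-group Outbound-SSLi-8080 tcp
  member Gateway 443
"""
# The same pair with three slips: the non-ssl-dscp-4 spelling that appears in the step-by-step
# text, a Gateway server defined without port 443, and a mistyped DSCP value in access-list 101.
BROKEN_DECRYPT = DECRYPT_CFG.replace("template non-ssli-dscp-4", "template non-ssl-dscp-4")
BROKEN_ENCRYPT = ENCRYPT_CFG.replace("dscp 6", "dscp 7").replace("  port 443 tcp\n", "")
```

check_pair(DECRYPT_CFG, ENCRYPT_CFG) returns an empty list; the broken pair reports the missing template, the undefined Gateway port 443, and a DSCP 6 marking that no encrypt-side access list matches. The last finding is the one worth automating: traffic that matches neither access list on ACOS_encrypt is forwarded unchanged, so a DSCP mismatch lets decrypted sessions leave toward the Internet in cleartext rather than failing loudly.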

DSCP Inspection
You can set the Differentiated Services Code Point (DSCP) for decrypted and bypassed
traffic with the forward-proxy-decrypted dscp command in the client-SSL template, without
binding DSCP port templates to the service groups. The first value is applied to decrypted
traffic and the second to bypassed traffic; the configured DSCP is written into the IP
header of the traffic leaving ACOS_decrypt.

NOTE: If the service group has a port template with DSCP configured, the
forward-proxy-decrypted dscp command takes precedence.


Deployment Example

The following configuration example uses a single SSLi device with two partitions,
ACOS_encrypt and ACOS_decrypt. This L2 configuration example uses the DSCP option of
the client-SSL template to distinguish decrypted from bypassed traffic. DSCP tagging lets
ACOS_decrypt tell ACOS_encrypt which traffic was decrypted, and thus needs to be
re-encrypted. The tagging is configured with the forward-proxy-decrypted dscp command
and applies to the traffic sent through the service groups that handle decrypted traffic.
As traffic is decrypted, it gets a DSCP 6 tag. An access list configured on the
ACOS_encrypt partition catches traffic with this tag; all other traffic (without a DSCP 6
tag) is simply switched by ACOS on the ACOS_encrypt partition. Because the DSCP tag, not
the port, identifies decrypted traffic, the destination port does not have to be rewritten
when SSL traffic is decrypted.

Single-Device Double-Partition SSLi Configuration with DSCP is an example deployment. In
this deployment, the client network is connected through a layer 2 switch to the ACOS
device. The ACOS device, which has two partitions, is in turn connected to a security
device for traffic inspection. The security device is an L2 transparent device that
preserves the L2 header while processing the traffic flows. The ACOS device is then
connected through a layer 2 switch to the Internet. Interfaces 1 and 2 belong to the
ACOS_decrypt partition. Interfaces 3 and 4 belong to the ACOS_encrypt partition.

FIGURE 8-2: Single-Device Double-Partition SSLi Configuration with DSCP


Traffic WorkFlow

The traffic flow from the client network is sent to the ACOS_decrypt partition on the e1
interface. The traffic flow is decrypted by the ACOS_decrypt partition. The traffic from the
ACOS_decrypt partition is directed to the security device in the forward direction. From the
security device, the traffic is directed to the ACOS_encrypt partition on the e3 interface.
The ACOS_encrypt partition re-encrypts the traffic and forwards the traffic to the gateway
by using normal SLB operation.

The traffic flow is shown as follows:

HTTPS/443 >> Traffic decrypted in ACOS_decrypt >> HTTP/443 through the security device
>> Traffic re-encrypted in ACOS_encrypt >> HTTPS/443 to the Internet

The following list describes the other kinds of traffic flow:

• UDP/ICMP/Other traffic – This traffic is not caught by any VIP configuration and is
just switched by ACOS.
• HTTP on port 80 – Traffic is caught by the wildcard VIP on ACOS_decrypt. The "port 80
http" vPort is called out only in case DLP configuration needs to be added; otherwise it
can be omitted.
• TCP on any other port – Traffic is caught by the wildcard VIP in ACOS_decrypt, but since
it is not SSL it is not tagged with DSCP 6. When it reaches the ACOS_encrypt partition
there is no DSCP 6 tag, so the wildcard VIP does not see it and it gets switched by ACOS.
In the client-ssl template on ACOS_decrypt, non-SSL traffic is sent to the
SG_SSLi_TCP-bypass service group via the "non-ssl-bypass service-group" command.

NOTE: The static port intercept for the HTTP protocol is required when you have
configured either HTTP policy or the ICAP feature. Otherwise, you can remove the
static port intercept from each virtual server.

CLI Configuration

To avoid duplicate MAC addresses on the VLAN shared by the two partitions, add the
global command system ve-mac-scheme system-mac:
ACOS(config)# system ve-mac-scheme system-mac

Assign an IP address and default gateway to the management interface:
ACOS(config)# interface management
ACOS(config-if:management)# ip address 10.10.30.15 255.255.255.0
ACOS(config-if:management)# ip control-apps-use-mgmt-port
ACOS(config-if:management)# ip default-gateway 10.10.30.1
ACOS(config-if:management)# exit

Create the two partitions, ACOS_decrypt and ACOS_encrypt:
ACOS(config)# partition ACOS_decrypt id 1 application-type adc
ACOS(config)# partition ACOS_encrypt id 2 application-type adc

ACOS_decrypt Configuration
The work-flow for configuring the ACOS_decrypt partition includes the following:

Configuring the Default VLAN

1. Configure the default VLAN. Bind ethernet ports 1 and 2 to the VLAN. Also, bind a vir-
tual interface ve to the VLAN. A VE is required in order to configure an IP address on a
VLAN. In this example, a default VLAN of 850 is configured.
ACOS_decrypt(config)# vlan 850
ACOS_decrypt(config-vlan:850)# untagged ethernet 1 to 2
ACOS_decrypt(config-vlan:850)# router-interface ve 850
ACOS_decrypt(config-vlan:850)# exit

2. Enable the ethernet interfaces 1 and 2 that are associated with the VLAN.
ACOS_decrypt(config)# interface ethernet 1
ACOS_decrypt(config-if:ethernet:1)# enable
ACOS_decrypt(config-if:ethernet:1)# exit
ACOS_decrypt(config)# interface ethernet 2
ACOS_decrypt(config-if:ethernet:2)# enable

ACOS_decrypt(config-if:ethernet:2)# exit

3. Verify the operational state of the interfaces by running the show interfaces command.
ACOS_decrypt(config)# show interfaces brief

Configuring the ACL

1. Configure the access lists. ACL 101 drops UDP traffic from any source to any
destination on ports 80 and 443 and permits all other IP traffic. Denying UDP/443 and
UDP/80 keeps QUIC (HTTP/3) from carrying web traffic around the inspection path: a client
that cannot reach UDP/443 falls back to TCP, where the SSL proxy can intercept the session.
ACOS_decrypt(config)# access-list 101 deny udp any any eq 80
ACOS_decrypt(config)# access-list 101 deny udp any any eq 443
ACOS_decrypt(config)# access-list 101 permit ip any any

2. Configure the ACL to permit IP traffic from any source to any destination for the VLAN
850:
ACOS_decrypt(config)# access-list 190 permit ip any any vlan 850
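The hand-off described in the traffic workflow above hinges on two decisions that are easy to get wrong in a live deployment: what ACOS_decrypt drops or marks before the security device sees a packet, and what ACOS_encrypt does with each DSCP value it receives. The following Python model is an added example, not A10 code and not part of this guide: it builds a few constructed IPv4 packets, applies ACL 101 (deny UDP 80 and 443, permit everything else), classifies a TCP stream as SSL when it opens with a TLS ClientHello regardless of the destination port, rewrites the DSCP field (6 for decrypted and 1 for bypassed, the values of forward-proxy-decrypted dscp 6 1 used in this partition example; the two-device example earlier in the chapter uses 4 for bypassed) with a correct header checksum, and then shows which encrypt-side access list (191 or 192) the packet matches. It does not decrypt anything: a real ACOS_decrypt forwards plaintext for the DSCP 6 stream. The addresses and payloads are made up.

```python
# Model of the DSCP hand-off between the two partitions (added example, not A10 code).
# ACOS_decrypt is reduced to its classification decision: drop per ACL 101, then mark DSCP 6
# for a TCP stream that opens with a TLS ClientHello and DSCP 1 for everything else. A real
# ACOS_decrypt emits plaintext for the DSCP 6 stream; here only the IP header is rewritten so
# that the encrypt-side selection between ACL 191 and ACL 192 can be followed end to end.
import struct

DSCP_DECRYPTED, DSCP_BYPASSED = 6, 1   # the two values of "forward-proxy-decrypted dscp 6 1"

def dotted(addr):
    return bytes(int(x) for x in addr.split("."))

def ipv4_checksum(hdr):
    """RFC 791 ones'-complement header checksum; returns 0 for a header whose checksum is right."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(proto, src, dst, payload, dscp=0):
    """Minimal 20-byte IPv4 header; DSCP occupies the upper six bits of the TOS byte."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, 64,
                      proto, 0, dotted(src), dotted(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def build_tcp(sport, dport, data):
    """20-byte TCP header (PSH/ACK); the L4 checksum is left zero because nothing here checks it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data

def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def parse(pkt):
    """The fields the two partitions decide on: protocol, DSCP, ports and the L4 payload."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    data = l4[(l4[12] >> 4) * 4:] if proto == 6 else l4[8:] if proto == 17 else l4
    return {"proto": proto, "dscp": pkt[1] >> 2, "sport": sport, "dport": dport, "data": data}

def header_checksum_ok(pkt):
    return ipv4_checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0

def is_tls_client_hello(data):
    """TLS record type 22 (handshake), version 3.x, first handshake message type 1 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01

def set_dscp(pkt, dscp):
    """Rewrite the DSCP bits, keep the two ECN bits, and recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

def decrypt_side(pkt):
    """ACOS_decrypt: ACL 101 (deny udp any any eq 80/443, permit ip any any), then DSCP marking."""
    p = parse(pkt)
    if p["proto"] == 17 and p["dport"] in (80, 443):   # QUIC cannot be inspected; force TCP fallback
        return None
    tls = p["proto"] == 6 and is_tls_client_hello(p["data"])   # SSL is recognised by content, not port
    return set_dscp(pkt, DSCP_DECRYPTED if tls else DSCP_BYPASSED)

def encrypt_side(pkt):
    """ACOS_encrypt: ACL 191 (dscp 6) selects the re-encrypting VIP, ACL 192 (dscp 1) the bypass path."""
    dscp = parse(pkt)["dscp"]
    if dscp == DSCP_DECRYPTED:
        return "re-encrypt (acl 191)"
    if dscp == DSCP_BYPASSED:
        return "forward unchanged (acl 192)"
    return "switched at L2 (no VIP match)"

def route(pkt):
    """Follow one client packet through both partitions."""
    marked = decrypt_side(pkt)
    return "dropped by acl 101" if marked is None else encrypt_side(marked)

# Constructed sample packets (addresses and payloads are made up; the TLS record and handshake
# lengths are illustrative, since only the leading type and version bytes are inspected).
CLIENT, SERVER = "10.10.10.50", "203.0.113.10"
CLIENT_HELLO = b"\x16\x03\x01\x00\x24\x01\x00\x00\x20\x03\x03" + bytes(32)
TLS_ON_8443 = build_ipv4(6, CLIENT, SERVER, build_tcp(51000, 8443, CLIENT_HELLO))
HTTP_ON_80 = build_ipv4(6, CLIENT, SERVER, build_tcp(51001, 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"))
QUIC_ON_443 = build_ipv4(17, CLIENT, SERVER, build_udp(51002, 443, b"\xc0" + bytes(40)))
DNS_ON_53 = build_ipv4(17, CLIENT, "10.10.10.53", build_udp(51003, 53, bytes(12)))

if __name__ == "__main__":
    for name in ("TLS_ON_8443", "HTTP_ON_80", "QUIC_ON_443", "DNS_ON_53"):
        print(f"{name:12s} -> {route(globals()[name])}")
```

Running the script shows the TLS session on port 8443 reaching the re-encrypting VIP even though no vPort names that port, the HTTP and DNS packets taking the bypass path, and the QUIC packet being dropped before it can carry web traffic around the inspection. A packet that arrives at ACOS_encrypt without either DSCP value is switched at L2, which is why the DSCP values on the two partitions must agree exactly.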

Configuring Network IP Addresses for Untagged VLANs

On the virtual interface 850, enable promiscuous VIP support. When you enable promiscuous
VIP support on a VE, the option is automatically enabled on each Ethernet data port in the
VE. Promiscuous VIP mode is required by the wildcard (0.0.0.0) VIP, so that traffic to any
destination address is subject to the VIP rules on the interface. In addition, assign an IP
address to the VLAN; in this example, the IP address is assigned to interface ve 850.
Additionally, bind ACL 101 to the interface for all inbound traffic.
ACOS_decrypt(config)# interface ve 850
ACOS_decrypt(config-if:ve850)# access-list 101 in
ACOS_decrypt(config-if:ve850)# ip address 10.10.10.98 255.255.255.0
ACOS_decrypt(config-if:ve850)# ip allow-promiscuous-vip
ACOS_decrypt(config-if:ve850)# exit

Configuring the Security Device

1. Configure the server gw and its ports. Configure ports 0, 80, and 443 for TCP traffic.
Disable health checking for the server and for each port.
ACOS_decrypt(config)# slb server gw 10.10.10.1
ACOS_decrypt(config-real server)# health-check-disable
ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 80 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 443 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

2. Configure the server service group called SG_SSLi_HTTP of type TCP. Associate GW
and port 80 with the service group.
ACOS_decrypt(config)# slb service-group SG_SSLi_HTTP tcp
ACOS_decrypt(config-slb svc group)# member gw 80
ACOS_decrypt(config-slb svc group-member:80)# exit
ACOS_decrypt(config-slb svc group)# exit

3. Configure the server service group called SG_SSLi_HTTPS of type TCP. Associate GW
and port 443 with the service group.
ACOS_decrypt(config)# slb service-group SG_SSLi_HTTPS tcp
ACOS_decrypt(config-slb svc group)# member gw 443
ACOS_decrypt(config-slb svc group-member:443)# exit
ACOS_decrypt(config-slb svc group)# exit

4. Configure the server service group called SG_SSLi_TCP of type TCP. Associate GW and
port 0 with the service group.
ACOS_decrypt(config)# slb service-group SG_SSLi_TCP tcp
ACOS_decrypt(config-slb svc group)# member gw 0
ACOS_decrypt(config-slb svc group-member:0)# exit
ACOS_decrypt(config-slb svc group)# exit

5. Configure the server service group called SG_SSLi_TCP-bypass of type TCP. Asso-
ciate GW and port 0 with the service group.
ACOS_decrypt(config)# slb service-group SG_SSLi_TCP-bypass tcp
ACOS_decrypt(config-slb svc group)# member gw 0
ACOS_decrypt(config-slb svc group-member:0)# exit
ACOS_decrypt(config-slb svc group)# exit

Configuring the SSLi Services for ACOS_decrypt Partition

1. Configure the client-SSL template by specifying the SSLi self-signed certificate and
private key. For all decrypted traffic, add a DSCP tag of 6. For all bypassed traffic, add a
DSCP tag of 1 (the first value of forward-proxy-decrypted dscp applies to decrypted traffic,
the second to bypassed traffic).
ACOS_decrypt(config)# slb template client-ssl SSLi
ACOS_decrypt(config-client ssl)# chain-cert abc.home
ACOS_decrypt(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS_decrypt(config-client ssl)# forward-proxy-decrypted dscp 6 1
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# forward-proxy-failsafe-disable

2. When the client-SSL template is enabled for forward proxy, ACOS processes intercepted
traffic by default as if it were an HTTPS session. It is therefore necessary to disable the
default HTTPS processing for sessions that are not SSL. The non-ssl-bypass command
disables this processing for those sessions and sends them to the named service group.
ACOS_decrypt(config-client ssl)# non-ssl-bypass service-group SG_SSLi_TCP-bypass

Configuring Handling of Incoming Traffic

1. Create a virtual server called ACOS_decrypt for the ACOS_decrypt partition facing
the clients.

2. Enable its wildcard port for SSL-proxy service, disable destination NAT, and bind the
previously configured service groups and client-ssl template to it. ACL 190 is bound to
the wildcard VIP. When you enable SSL-proxy service on the wildcard VIP, it dynamically
proxies for any protocol running over SSL; in other words, all SSL sessions are
intercepted regardless of the port they arrive on.
ACOS_decrypt(config)# slb virtual-server ACOS_decrypt 0.0.0.0 acl 190

3. Bind the wildcard SSL proxy port to the service-group named SG_SSLi_TCP to provide
a path to the inspection device and the ACOS_encrypt partition. Bind the wildcard
SSL-proxy port to the SSL client template named SSLi to enable forward proxy services
(SSLi) on that port.
ACOS_decrypt(config-slb vserver)# port 0 ssl-proxy
ACOS_decrypt(config-slb vserver-vport)# service-group SG_SSLi_TCP
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLi
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit

4. Bind an HTTPS vPort (port 443) to the service group SG_SSLi_HTTPS, and bind it to the
client-SSL template named SSLi to enable forward-proxy services (SSLi) on that port.
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# service-group SG_SSLi_HTTPS
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLi
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit

5. Associate port 80 of type HTTP with service group SG_SSLi_HTTP. Disable destination
NAT.
ACOS_decrypt(config-slb vserver)# port 80 http
ACOS_decrypt(config-slb vserver-vport)# service-group SG_SSLi_HTTP
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# exit

ACOS_encrypt Configuration
The work-flow for configuring the ACOS_encrypt partition includes the following:

Configuring the ACL

Configure two access lists. The first, access-list 191, matches decrypted traffic arriving
with dscp=6, and the second, access-list 192, matches all other traffic arriving with dscp=1.
ACOS[ACOS_encrypt](config)# access-list 191 permit ip any any dscp 6
ACOS[ACOS_encrypt](config)# access-list 192 permit ip any any dscp 1

Configuring the Default VLAN

1. Configure the default VLAN. Bind Ethernet ports 3 and 4 to the VLAN. Also, bind a
virtual interface ve to the VLAN. In this example, a default VLAN of 860 is configured.
ACOS[ACOS_encrypt](config)# vlan 860
ACOS[ACOS_encrypt](config-vlan:860)# untagged ethernet 3 to 4
ACOS[ACOS_encrypt](config-vlan:860)# router-interface ve 860
ACOS[ACOS_encrypt](config-vlan:860)# exit

2. Enable the Ethernet interfaces 3 and 4 that are associated with the VLAN.
ACOS[ACOS_encrypt](config)# interface ethernet 3
ACOS[ACOS_encrypt](config-if:ethernet:3)# enable
ACOS[ACOS_encrypt](config-if:ethernet:3)# exit
ACOS[ACOS_encrypt](config)# interface ethernet 4
ACOS[ACOS_encrypt](config-if:ethernet:4)# enable
ACOS[ACOS_encrypt](config-if:ethernet:4)# exit

3. Verify the operational state of the interfaces by running the show interfaces command.
ACOS[ACOS_encrypt](config)# show interfaces brief

Configuring Network IP Addresses for the VLAN

On the virtual interface 860, enable promiscuous VIP support. When you enable promiscuous
VIP support on a VE, the option is automatically enabled on each Ethernet data port in the
VE. Promiscuous VIP mode is required by the wildcard (0.0.0.0) VIP, so that traffic to any
destination address is subject to the VIP rules on the interface. In addition, assign an IP
address to the VLAN; in this example, the IP address is assigned to interface ve 860.
ACOS[ACOS_encrypt](config)# interface ve 860
ACOS[ACOS_encrypt](config-if:ve860)# ip address 10.10.10.99 255.255.255.0
ACOS[ACOS_encrypt](config-if:ve860)# ip allow-promiscuous-vip
ACOS[ACOS_encrypt](config-if:ve860)# exit

Configuring the Security Device

1. Configure the server GW and its ports.
ACOS[ACOS_encrypt](config)# slb server gw 10.10.10.1
ACOS[ACOS_encrypt](config-real server)# health-check-disable
ACOS[ACOS_encrypt](config-real server)# port 0 tcp
ACOS[ACOS_encrypt](config-real server-node port)# health-check-disable
ACOS[ACOS_encrypt](config-real server-node port)# exit
ACOS[ACOS_encrypt](config-real server)# port 443 tcp
ACOS[ACOS_encrypt](config-real server-node port)# health-check-disable
ACOS[ACOS_encrypt](config-real server-node port)# exit
ACOS[ACOS_encrypt](config-real server)# exit

2. Configure the server service group called SG_SSLi_HTTP of type TCP. Associate GW
and port 443 with the service group.
ACOS[ACOS_encrypt](config)# slb service-group SG_SSLi_HTTP tcp
ACOS[ACOS_encrypt](config-slb svc group)# member gw 443
ACOS[ACOS_encrypt](config-slb svc group-member:443)# exit
ACOS[ACOS_encrypt](config-slb svc group)# exit

3. Configure the server service group called SG_SSLi_TCP of type TCP. Associate GW and
port 0 with the service group.
ACOS[ACOS_encrypt](config)# slb service-group SG_SSLi_TCP tcp
ACOS[ACOS_encrypt](config-slb svc group)# member gw 0
ACOS[ACOS_encrypt](config-slb svc group-member:0)# exit
ACOS[ACOS_encrypt](config-slb svc group)# exit

Configuring the SSLi Services for ACOS_encrypt Partition


Create an SSL server template on the ACOS_encrypt partition so that the VIP can operate as
an SSL client and handshake with the enterprise server. Enable forward proxy services on the
template to enable SSLi operation on the VIP.
ACOS[ACOS_encrypt](config)# slb template server-ssl SSLi
ACOS[ACOS_encrypt](config-server ssl)# forward-proxy-enable
ACOS[ACOS_encrypt](config-server ssl)# exit

Configuring Handling of Outgoing Traffic

1. Create the virtual server ACOS_encrypt. Access list 191 restricts it to incoming traffic
tagged with dscp=6.
ACOS[ACOS_encrypt](config)# slb virtual-server ACOS_encrypt 0.0.0.0 acl 191

2. Bind the virtual port port 0 tcp-proxy to the service group SG_SSLi_TCP and the
SSLi server template. Bind the virtual port port 443 http to the service group
SG_SSLi_HTTP and the SSLi server template. Disable destination NAT to preserve the
destination IP address on load-balanced traffic. The HTTPS traffic tagged with DSCP=6
arriving at the vport port 0 tcp-proxy is re-encrypted.
ACOS[ACOS_encrypt](config-slb vserver)# port 0 tcp-proxy
ACOS[ACOS_encrypt](config-slb vserver-vport)# service-group SG_SSLi_TCP
ACOS[ACOS_encrypt](config-slb vserver-vport)# template server-ssl SSLi
ACOS[ACOS_encrypt](config-slb vserver-vport)# no-dest-nat
ACOS[ACOS_encrypt](config-slb vserver-vport)# exit

ACOS[ACOS_encrypt](config-slb vserver)# port 443 http
ACOS[ACOS_encrypt](config-slb vserver-vport)# service-group SG_SSLi_HTTP
ACOS[ACOS_encrypt](config-slb vserver-vport)# template server-ssl SSLi
ACOS[ACOS_encrypt](config-slb vserver-vport)# no-dest-nat
ACOS[ACOS_encrypt](config-slb vserver-vport)# exit
ACOS[ACOS_encrypt](config-slb vserver)# exit

3. Create the virtual server, ACOS_encrypt_bypass, to handle non-SSL and bypassed
TCP connections with a tag of dscp=4.
ACOS[ACOS_encrypt](config)# slb virtual-server ACOS_encrypt_bypass 0.0.0.0 acl 192

Consolidated Configuration
!
system ve-mac-scheme system-mac
!
partition ACOS_decrypt id 1 application-type adc
!
partition ACOS_encrypt id 2 application-type adc
!
interface management
ip address 10.10.30.15 255.255.255.0
ip control-apps-use-mgmt-port
ip default-gateway 10.10.30.1
!
interface ethernet 1
!
interface ethernet 2
!
interface ethernet 3
!
interface ethernet 4
!
end
active-partition ACOS_decrypt
!
!
access-list 101 deny udp any any eq 80
!
access-list 101 deny udp any any eq 443
!
access-list 101 permit ip any any
!
access-list 190 permit ip any any vlan 850
!
vlan 850
untagged ethernet 1 to 2
router-interface ve 850
name ACOS_decrypt_ingress_egress
user-tag ACOS_decrypt_ingress_egress
!
interface ethernet 1
name ACOS_decrypt_ingress
enable
!
interface ethernet 2
name ACOS_decrypt_egress
enable
!

interface ve 850
name ACOS_decrypt_ingress_egress
access-list 101 in
ip address 10.10.10.98 255.255.255.0
ip allow-promiscuous-vip
!
!
slb server gw 10.10.10.1
health-check-disable
user-tag ACOS_decrypt
port 0 tcp
health-check-disable
port 80 tcp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group SG_SSLi_HTTP tcp
member gw 80
!
slb service-group SG_SSLi_HTTPS tcp
member gw 443
!
slb service-group SG_SSLi_TCP tcp
member gw 0
!
slb service-group SG_SSLi_TCP-bypass tcp
member gw 0
!
slb template client-ssl SSLi
chain-cert abc.home
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-decrypted dscp 6 1
forward-proxy-enable
forward-proxy-failsafe-disable
non-ssl-bypass service-group SG_SSLi_TCP-bypass
!
slb virtual-server ACOS_decrypt 0.0.0.0 acl 190
port 0 ssl-proxy
service-group SG_SSLi_TCP
template client-ssl SSLi
no-dest-nat
port 80 http

service-group SG_SSLi_HTTP
no-dest-nat
port 443 https
service-group SG_SSLi_HTTPS
template client-ssl SSLi
no-dest-nat
!
end
active-partition ACOS_encrypt
!
!
access-list 191 permit ip any any dscp 6
!
access-list 192 permit ip any any dscp 1
!
vlan 860
untagged ethernet 3 to 4
router-interface ve 860
!
interface ethernet 3
enable
!
interface ethernet 4
enable
!
interface ve 860
ip address 10.10.10.99 255.255.255.0
ip allow-promiscuous-vip
!
!
slb template server-ssl SSLi
forward-proxy-enable
!
slb server gw 10.10.10.1
health-check-disable
port 0 tcp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group SG_SSLi_HTTP tcp
member gw 443
!

slb service-group SG_SSLi_TCP tcp
member gw 0
!
slb virtual-server ACOS_encrypt 0.0.0.0 acl 191
port 0 tcp-proxy
service-group SG_SSLi_TCP
template server-ssl SSLi
no-dest-nat
port 443 http
service-group SG_SSLi_HTTP
template server-ssl SSLi
no-dest-nat
!
slb virtual-server ACOS_encrypt_bypass 0.0.0.0 acl 192
!
end
!Current config commit point for partition 2 is 0 & config mode is classical-mode
TH3030S#

Chapter 9: Static Port SSH Insight
This section describes how to configure static port SSH Insight. ACOS supports intercepting,
decrypting, and re-encrypting Secure Shell (SSH) sessions. Only static port SSH Insight
(SSHi) with RSA keys is supported. This feature transparently intercepts and decrypts SSH
traffic so that it can be inspected for security reasons, and then re-encrypts the traffic
before forwarding it to the SSH server.

The following topics are covered:

Overview 170

Deployment 171

CLI Configuration 173

Configuring RSA Keys 181


Overview
In the sample deployment as shown in FIGURE 9-1, the client device is connected to the SSHi
solution, which is then connected to the external gateway. The SSHi solution consists of two
ACOS devices and a single security device. The ACOS device connected to the client has a par-
tition called ACOS_decrypt. The ACOS device connected to the external gateway has a par-
tition called ACOS_encrypt. The following steps provide an overview of the SSHi process:

1. The client sets up an SSH connection with ACOS_decrypt and sends an encrypted
request.
2. ACOS_decrypt selects a traffic inspection device, decrypts the request, and sends the
request over a TCP connection to the traffic inspection device.
3. The traffic inspection device inspects the request data.
4. ACOS_encrypt encrypts the request and sends it to the outside server.
5. The server sends the encrypted reply.
6. ACOS_encrypt decrypts the reply and sends it back to the same traffic inspection
device.
7. If the reply traffic is allowed by the traffic inspection device, the reply is forwarded to
ACOS_decrypt.
8. ACOS_decrypt encrypts the reply and sends it to the client.

FIGURE 9-1 shows the SSHi process when applied to SFTP sessions.


FIGURE 9-1: SSHi Overview

Deployment
In this example, the SSHi solution consists of two ACOS devices, each with a partition with
the inspection device in between. The Decrypt_VIP SLB virtual server provides SSH Forward
Proxy service that enables ACOS_decrypt to proxy for remote SSH servers and bring up SSH
sessions with the clients. SSH traffic from the clients is decrypted and forwarded to the
FW1_Inspect SLB real server. The FW1_Inspect SLB real server forwards decrypted SSH
traffic and all other traffic to the Traffic Inspection device. In this example, the Traffic Inspec-
tion device is operating in layer-2 mode. The Encrypt_VIP wildcard VIP provides server-SSH
services for decrypted traffic that enable the ACOS_encrypt to establish SSH connections
with remote SSH servers through the Default_Gateway SLB real server, completing end-to-
end SSH connectivity. The Default_Gateway SLB real server forwards all traffic to the Inter-
net default gateway.

Alternately, instead of using two ACOS devices, you can use one device by creating two
separate partitions, one for ACOS_decrypt and the other for ACOS_encrypt. In this case, to
avoid a duplicate MAC address, add the global command system ve-mac-scheme system-mac in
the shared partition. See Configuring Application Delivery Partitions for further information.
The key components of the example SSHi deployment are illustrated in FIGURE 9-2.


FIGURE 9-2: Example SSHi Static Port Network Topology

The following table provides the VLAN IDs, Virtual Ethernet (VE) Addresses, and interface con-
figurations for the SSHi network topology illustrated in FIGURE 9-2.

TABLE 9-3: SSHi Deployment Details

Partition      Tagged VLAN   VE IP Address    Ethernet Port Number
ACOS_decrypt   10            10.10.1.2/24     eth 1
ACOS_decrypt   15            10.15.1.2/24     eth 2
ACOS_encrypt   20            20.1.1.2/24      eth 2
ACOS_encrypt   15            10.15.1.12/24    eth 1

CLI Configuration
In order to configure SSHi for a two ACOS device single partition deployment, you must first
configure the two partitions, ACOS_decrypt and ACOS_encrypt. Also, for a list of pre-
requisites, see Prerequisites.

ACOS_decrypt Configuration

Perform the following steps for the ACOS_decrypt partition:

Step 1. Configuring the Network VLANs


For an explanation of the procedure, refer to a similar procedure discussed in Step 1. Con-
figuring the Network VLANs.
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit
!
ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# exit
!
ACOS(config)# hostname ACOS_decrypt
ACOS_decrypt(config)# vlan 10
ACOS_decrypt(config-vlan:10)# tagged ethernet 1
ACOS_decrypt(config-vlan:10)# router-interface ve 10
ACOS_decrypt(config-vlan:10)# exit

ACOS_decrypt(config)# vlan 15
ACOS_decrypt(config-vlan:15)# tagged ethernet 2
ACOS_decrypt(config-vlan:15)# router-interface ve 15
ACOS_decrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses


For an explanation of the procedure, refer to a similar procedure discussed in Step 2. Con-
figuring the Network IP Addresses.
ACOS_decrypt(config)# interface ve 10
ACOS_decrypt(config-if:ve10)# ip address 10.10.1.2 /24
ACOS_decrypt(config-if:ve10)# ip allow-promiscuous-vip
ACOS_decrypt(config-if:ve10)# exit

ACOS_decrypt(config)# interface ve 15
ACOS_decrypt(config-if:ve15)# ip address 10.15.1.2 /24
ACOS_decrypt(config-if:ve15)# exit

Step 3. Configuring the SSHi Services

1. Configure an SSHi client template, by running the following commands.


ACOS_decrypt(config)# slb template client-ssh SSHInsight_DecryptSide
ACOS_decrypt(config-client ssh)# forward-proxy-hostkey RSA_key_1234
ACOS_decrypt(config-client ssh)# forward-proxy-enable
ACOS_decrypt(config-client ssh)# exit

2. Configure a real server called FW1_Inspect with the IP address 10.15.1.12. This IP
address matches the virtual IP address of ACOS_decrypt so that the real server connects to
ACOS_decrypt over VLAN 15. Bind the FW1_Inspect interface to TCP port 2323 so that
ACOS_decrypt forwards decrypted SSH over VLAN 15 to the security device. All other UDP and
TCP traffic is forwarded on VLAN 15 by using the wildcard ports port 0 tcp and port 0 udp.
ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12
ACOS_decrypt(config-real server)# port 2323 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 0 udp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# exit

Step 4. Configuring the SSHi Service Groups


For an explanation of the procedure, refer to a similar procedure discussed in Step 4. Con-
figuring the SSLi Service Groups.
ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 2323
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_TCP_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_UDP_SG udp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server


For an explanation of the procedure, refer to a similar procedure discussed in Step 5. Con-
figuring the Virtual Server.
ACOS_decrypt(config)# access-list 100 permit ip any any vlan 10

ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 22 ssh
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssh SSHInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 tcp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_TCP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 udp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 others
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# exit

ACOS_encrypt Configuration

Perform the following steps for the ACOS_encrypt partition:

Step 1. Configuring the Network VLANs


ACOS(config)# hostname ACOS_encrypt
ACOS_encrypt(config)# vlan 20
ACOS_encrypt(config-vlan:20)# tagged ethernet 2
ACOS_encrypt(config-vlan:20)# router-interface ve 20
ACOS_encrypt(config-vlan:20)# exit

ACOS_encrypt(config)# vlan 15
ACOS_encrypt(config-vlan:15)# tagged ethernet 1
ACOS_encrypt(config-vlan:15)# router-interface ve 15
ACOS_encrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses


ACOS_encrypt(config)# interface ve 20
ACOS_encrypt(config-if:ve20)# ip address 20.1.1.2 /24
ACOS_encrypt(config-if:ve20)# exit

ACOS_encrypt(config)# interface ve 15
ACOS_encrypt(config-if:ve15)# ip address 10.15.1.12 /24
ACOS_encrypt(config-if:ve15)# ip allow-promiscuous-vip
ACOS_encrypt(config-if:ve15)# exit

Step 3. Configuring the SSH Services

1. Create an SSH server template on ACOS_encrypt so that the VIP on ACOS_encrypt can
operate as an SSH client and handshake with the EnterpriseABC server.
ACOS_encrypt(config)# slb template server-ssh SSHInsight_DecryptSide
ACOS_encrypt(config-ssh)# forward-proxy-enable
ACOS_encrypt(config-ssh)# exit

2. Create the real server Default_Gateway. Bind the SLB ports of the intercepted SSH
protocol (port 22) to Default_Gateway. ACOS_encrypt forwards the traffic on these ports
over VLAN 20 to the default gateway at IP address 20.1.1.10. The default gateway has a
route to the EnterpriseABC server.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 22 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit
ACOS_encrypt(config-real server)# exit

3. All other UDP and TCP traffic is forwarded on VLAN 20 to the default gateway using the
wildcard ports: port 0 tcp and port 0 udp.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 0 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit
ACOS_encrypt(config-real server)# port 0 udp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit
ACOS_encrypt(config-real server)# exit

4. Create an SSH template for the SSH service protocol to be intercepted.


ACOS_encrypt(config)# slb template server-ssh SSHInsight_EncryptSide
ACOS_encrypt(config-ssh)# forward-proxy-enable
ACOS_encrypt(config-ssh)# exit

Step 4. Configuring the SSH Service Groups

1. Provide a path for intercepted SSH traffic by creating a service group called DG_SSH_SG
and binding it to port 22 of the SLB real server.
ACOS_encrypt(config)# slb service-group DG_SSH_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 22
ACOS_encrypt(config-slb svc group)# exit

2. Provide a path to the default gateway for all other traffic by creating two service
groups called DG_TCP_SG and DG_UDP_SG.
ACOS_encrypt(config)# slb service-group DG_TCP_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

ACOS_encrypt(config)# slb service-group DG_UDP_SG udp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server


For an explanation of the procedure, refer to a similar procedure discussed in Step 5. Con-
figuring the Virtual Server.
ACOS_encrypt(config)# access-list 101 permit ip any any vlan 15

ACOS_encrypt(config)# slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
ACOS_encrypt(config-slb vserver)# port 2323 tcp-proxy
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSH_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssh SSHInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 tcp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_TCP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 udp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 others
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit
ACOS_encrypt(config-slb vserver)# exit

Consolidated Configuration

Show Running Config ACOS_decrypt


!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 2
router-interface ve 15
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
slb server FW1_Inspect 10.15.1.12
port 2323 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 2323
!
slb template client-ssh SSHInsight_DecryptSide
forward-proxy-hostkey RSA_key_1234
forward-proxy-enable
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 22 ssh
service-group FW1_Inspect_SG
template client-ssh SSHInsight_DecryptSide
no-dest-nat port-translation
port 0 tcp
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat
!
end

Show Running Config ACOS_encrypt


!
access-list 101 permit ip any any vlan 15
!
vlan 20
tagged ethernet 2
router-interface ve 20
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ve 20
ip address 20.1.1.2 255.255.255.0
!
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
!
slb server Default_Gateway 20.1.1.10
port 22 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group DG_SSH_SG tcp
member Default_Gateway 22
!
slb service-group DG_TCP_SG tcp
member Default_Gateway 0
!
slb service-group DG_UDP_SG udp
member Default_Gateway 0
!
slb template server-ssh SSHInsight_EncryptSide
forward-proxy-enable
!
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
port 2323 tcp-proxy
no-dest-nat port-translation
service-group DG_SSH_SG
template server-ssh SSHInsight_EncryptSide
port 0 tcp
no-dest-nat
service-group DG_TCP_SG
port 0 udp
no-dest-nat
service-group DG_UDP_SG
port 0 others
no-dest-nat
service-group DG_UDP_SG
!
end
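The consolidated running configurations (this chapter's and the Dynamic-Port Inspection one) are where naming mismatches between the step-by-step commands and what the partition actually runs show up, for instance a virtual port bound to a template or service group that was never created in that partition. The Python script below is an added example, not an A10 tool: it parses the handful of statements these running configs use, resolves every reference (service-group member to real-server port, virtual port to service group and template, virtual server to ACL) and reports what dangles. The sample configuration embedded in it is constructed for this example, modelled on the ACOS_encrypt partition, with two mistakes planted on purpose.

```python
"""Reference checker for ACOS running-config snippets (added example, not an A10 tool).
Understands only the statements used in this guide, assumes '!' ends a block, and
ignores indentation because the extracted text has none."""

# Constructed sample modelled on the ACOS_encrypt partition, with two planted mistakes:
# a member port the real server does not define, and a template that is never created.
SAMPLE_CONFIG = """\
!
access-list 101 permit ip any any vlan 15
!
slb server Default_Gateway 20.1.1.10
port 22 tcp
health-check-disable
port 0 tcp
!
slb service-group DG_SSH_SG tcp
member Default_Gateway 22
!
slb service-group DG_TCP_SG tcp
member Default_Gateway 0
!
slb service-group DG_SFTP_SG tcp
member Default_Gateway 2323
!
slb template server-ssh SSHInsight_EncryptSide
forward-proxy-enable
!
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
port 2323 tcp-proxy
no-dest-nat port-translation
service-group DG_SSH_SG
template server-ssh SSHInsight_DecryptSide
port 0 tcp
service-group DG_TCP_SG
!
end
"""


def parse_config(text):
    """Collect defined objects and the references made between them."""
    cfg = {"acls": set(), "servers": {}, "groups": {}, "templates": set(), "vservers": {}}
    ctx = None      # ("server"|"group"|"vserver", name) for the block being read
    vport = None    # current virtual port key inside a vserver block
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "end":
            continue
        if t[0] == "!":
            ctx, vport = None, None
            continue
        if t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[:2] == ["slb", "server"]:
            ctx = ("server", t[2]); cfg["servers"][t[2]] = set()
        elif t[:2] == ["slb", "service-group"]:
            ctx = ("group", t[2])
            cfg["groups"][t[2]] = {"proto": t[3] if len(t) > 3 else None, "members": []}
        elif t[:2] == ["slb", "template"]:
            cfg["templates"].add((t[2], t[3]))
        elif t[:2] == ["slb", "virtual-server"]:
            ctx = ("vserver", t[2])
            cfg["vservers"][t[2]] = {"acl": t[t.index("acl") + 1] if "acl" in t else None, "vports": {}}
        elif t[0] == "port" and ctx and ctx[0] == "server":
            cfg["servers"][ctx[1]].add((t[1], t[2]))           # (port, protocol)
        elif t[0] == "port" and ctx and ctx[0] == "vserver":
            vport = f"{t[1]} {t[2]}"
            cfg["vservers"][ctx[1]]["vports"][vport] = {"sg": None, "templates": []}
        elif t[0] == "member" and ctx and ctx[0] == "group":
            cfg["groups"][ctx[1]]["members"].append((t[1], t[2]))
        elif t[0] == "service-group" and vport:
            cfg["vservers"][ctx[1]]["vports"][vport]["sg"] = t[1]
        elif t[0] == "template" and vport:
            cfg["vservers"][ctx[1]]["vports"][vport]["templates"].append((t[1], t[2]))
    return cfg


def check_references(cfg):
    """Return one finding per dangling, incomplete or unused object."""
    findings, used_groups = [], set()
    for gname, g in cfg["groups"].items():
        if g["proto"] is None:
            findings.append(f"service-group {gname}: no protocol (tcp/udp) specified")
        for server, port in g["members"]:
            ports = cfg["servers"].get(server)
            if ports is None:
                findings.append(f"service-group {gname}: member {server} is not a defined slb server")
            elif g["proto"] and (port, g["proto"]) not in ports:
                findings.append(f"service-group {gname}: {server} has no port {port} {g['proto']}")
    for vname, v in cfg["vservers"].items():
        if v["acl"] and v["acl"] not in cfg["acls"]:
            findings.append(f"virtual-server {vname}: acl {v['acl']} is not defined")
        for vp, d in v["vports"].items():
            if d["sg"] is None:
                findings.append(f"virtual-server {vname} port {vp}: no service-group bound")
            elif d["sg"] not in cfg["groups"]:
                findings.append(f"virtual-server {vname} port {vp}: service-group {d['sg']} is not defined")
            else:
                used_groups.add(d["sg"])
            for ttype, tname in d["templates"]:
                if (ttype, tname) not in cfg["templates"]:
                    findings.append(f"virtual-server {vname} port {vp}: template {ttype} {tname} is not defined")
    for gname in sorted(set(cfg["groups"]) - used_groups):
        findings.append(f"service-group {gname} is defined but bound to no virtual port")
    return findings


if __name__ == "__main__":
    for finding in check_references(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it against the text of show running-config for each partition separately; templates and service groups are partition-local, so a reference that is valid in ACOS_decrypt is not automatically valid in ACOS_encrypt. A service group defined with no protocol keyword is reported too, because its member ports cannot be checked.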

Configuring RSA Keys


The RSA keys are generated either by using a CLI command or by using Windows (PuTTY Key
Generator), and can then be imported to the ACOS device.

For detailed information on RSA security, see the Application Access Management guide.

The following topics are covered:


Generating a Key using Remote Client 182

Generating a Key using Windows 183

Importing the Key to ACOS Device 184

Generating a Key using Remote Client

The administrator can access the CLI of a remote client and generate an RSA key pair using an
SSH client. The key pair consists of both a public and a private key.

NOTE: Although only a single RSA host key is supported, clients can con-
nect to multiple remote SSH hosts if required.

The following example shows how to generate a key using the ssh-keygen command.
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
16:0d:b5:95:76:51:86:2d:2c:28:2b:06:a8:e6:4f:c0 root@user-VirtualBox
The key's randomart image is:
+--[ RSA 2048]----+
| . .....o.=o|
| . . .o.o+ =..|
|.. . .oo. o . |
|.E o .. |
|o . . .S |
| . . . |
| o |
| . |
| |
+-----------------+

After the private/public key pair is generated, the public key must be copied to the server
as an authorized_keys entry:

ssh-copy-id -i /root/.ssh/id_rsa.pub user@host


Generating a Key using Windows

The administrator can launch PuTTY application from the Windows Programs list and gen-
erate an RSA key pair.

1. Launch PuTTYgen application.

FIGURE 9-4: Key Generator

2. In Number of bits in a generated key, enter a value of at least 2048 and then click
Generate.

NOTE: You will be instructed to move the mouse cursor around within the PuTTY Key
Generator window; the movement is used as a randomizer to generate the private key.


FIGURE 9-5: Generating a Key

3. Click Save private key and Save the private key to the desktop as id_rsa.ppk.
4. Copy the text under Public key for pasting into OpenSSH authorized_keys file.
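Whichever tool generated the key, it is worth checking before the import that the key really is an RSA key (the only type supported here) with a modulus that meets the 2048-bit minimum from step 2, and recording its fingerprint so it can be compared with what ssh-keygen or PuTTYgen displayed. The Python script below is an added example, not an ACOS command: it parses an OpenSSH public-key line, reads the RSA modulus length out of the wire-format blob, and computes the MD5 colon-hex fingerprint (the format ssh-keygen printed above) and the SHA256 fingerprint. The key lines it uses are constructed placeholders with made-up moduli, not real keys.

```python
"""Pre-import check of an OpenSSH public-key line: key type, RSA modulus size, fingerprints.
Added example, not an ACOS command. The sample keys are constructed placeholders."""
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048   # the minimum the PuTTYgen step above asks for


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:           # keep the value positive in two's complement
        b = b"\x00" + b
    return _ssh_string(b)


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Encode e and n in the RFC 4253 'ssh-rsa' wire format (used here only to build samples)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, off: int):
    (ln,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + ln], off + 4 + ln


def inspect_pubkey_line(line: str) -> dict:
    """Parse one authorized_keys-style line; return type, comment, fingerprints and RSA bits."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1])
    ktype, off = _read_string(blob, 0)
    if ktype.decode() != fields[0]:
        raise ValueError("key type inside the blob does not match the line")
    info = {
        "type": ktype.decode(),
        "comment": " ".join(fields[2:]),
        # MD5 colon-hex, as in "The key fingerprint is:" above; SHA256 as newer OpenSSH prints it
        "md5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }
    if info["type"] == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n_bytes, _ = _read_string(blob, off)
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def acceptable_for_import(line: str, min_bits: int = MIN_RSA_BITS) -> bool:
    """Only RSA keys are supported for SSHi, and the modulus must meet the minimum size."""
    info = inspect_pubkey_line(line)
    return info["type"] == "ssh-rsa" and info.get("bits", 0) >= min_bits


# Constructed sample moduli: odd numbers with the top bit set, NOT real keys.
SAMPLE_2048 = build_rsa_pubkey_line(65537, (1 << 2047) | 0x12345 | 1, "root@user-VirtualBox")
SAMPLE_1024 = build_rsa_pubkey_line(65537, (1 << 1023) | 0xABCDEF | 1, "too-short")

if __name__ == "__main__":
    for name, line in (("2048-bit", SAMPLE_2048), ("1024-bit", SAMPLE_1024)):
        info = inspect_pubkey_line(line)
        print(name, info["type"], info["bits"], info["md5"], "import:", acceptable_for_import(line))
```

Feed it the contents of id_rsa.pub (or the text PuTTYgen shows under "Public key for pasting into OpenSSH authorized_keys file"); the MD5 line should match the fingerprint the generator printed, which confirms that the file about to be imported is the one that was generated.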

Importing the Key to ACOS Device

After the keys are generated and saved, perform the following steps to import the private key
to ACOS device:

1. Log in to the ACOS device as a root user having global read-write privileges.
2. Access the configuration level for the administrator account.

3. Import the private key using the following command:

import key <key name> overwrite use-mgmt-port scp://user:<username>@<ip address>/<key path>

NOTE: You can import public/private keys in separate files or grouped in one file.

Chapter 10: Bypass, Inspect, and Exception
This section describes how to configure outbound SSLi for static port type STARTTLS.

The following topics are covered:

Overview 187

Priority of Rules 188

SNI and Server Certificate Based Inspection 192

Convert an SNI List to an AC Class List 192

User Name and Group Name Based Bypass 193

HTTPS Traffic Bypass 194

CLI Configuration 194

GUI Configuration 198

"no shared cipher" Error Bypass 201

Consolidated Configuration 202


Overview
ACOS enables configuring of rules that determine if a packet is to be bypassed or inspected
based on the configured criteria by using the forward-proxy-bypass command or as con-
figured in the Policies tab of the SSLi services. The exception class list is used to decide if a
packet passing through an SSLi solution is to be inspected even if forward-proxy-bypass is
configured.

For example, a rule can be configured to bypass inspection of all financial services. However,
using an exception-class-list option, it is possible to inspect packets from specific fin-
ancial services. Additionally, ACOS supports client authentication bypass that requires con-
figuring a list of server names that bypass SSLi forward proxy processing when CAC is
requested by the server.

ACOS supports the following criteria for taking inspection decisions:

• Server Name Indication (SNI)
• Certificate Subject Alternative Name (SAN)
• Certificate Subject
• Certificate Issuer

ACOS supports the following criteria for taking bypass decisions:

• SNI
• SAN
• Certificate Subject
• Certificate Issuer
• User Name
• AD Group
• Web Category (requires license)
• Web Reputation (uses Web Category license)

NOTE: If Bypass Decrypt is enabled, exception lists can also be configured so that ACOS is
forced to inspect specific packets.


Priority of Rules
There are three ways you can apply rules in ACOS that specify which server connections
bypass ACOS SSLi services or which ones are intercepted. You can add each rule directly, you
can create an Aho-Corasick (AC) class list containing the matching rules, or you can import
an AC class list. The rules and/or class lists are bound to a client SSL template which in turn
is bound to a virtual router port.

Both ACOS CLI and GUI are supported for creating these rules.

The following match options are used by the rules that you configure:

• Equals—Matches only if the value completely matches the specified string.
• Contains—Matches if the specified string appears anywhere within the value.

These match options are always applied in the order shown, regardless of the order in which
the rules appear in the configuration. If a template has more than one rule with the same
match option (equals, starts-with, contains, or ends-with) and a value matches on more than
one of them, the most-specific match is always used.

NOTE: When one string matches multiple rules, the first matched string wins. Users
expecting multiple rule hits should be aware of this behavior and revise their class-list as
needed.

By default, matching is case sensitive. For example, the forward-proxy-bypass contains aa
rule searches for matches on SNI strings that contain “aa” but not on strings that contain
“AA”. You can also enable or disable case-sensitive matching; with case sensitivity disabled,
the rule shown above matches SNI strings that contain any of the following: “aa”, “AA”, “aA”,
or “Aa”. You can disable case sensitivity on a template-wide basis. The setting applies to all
match rules in the template.

At a top level, the priority of rules is as follows:

1. aFleX SSLi commands
2. forward-proxy-no-sni-action
3. forward-proxy-inspect commands
4. forward-proxy-no-sni-action
5. forward-proxy-bypass commands

FIGURE 10-1: Hierarchy of SSLi Rules

NOTE: No Match decision box: If there is no match on Inspect Checking, SSLi checks whether
bypass configuration is available. If there is no bypass configuration, the action is bypass
(bypass SSL decrypt). If bypass configuration is available, bypass checking is done as shown
in the figure.

The following is the priority of rules configured for SSLi.

• If no SNI is configured, forward-proxy-no-sni-action is run. For intercept action, the
current decision for the checkpoint is to inspect and the check continues. For bypass
action, the final decision is bypass, and for reset action, the final decision is reset.
• If the SNI inspection class-list is configured but not matched, the final decision is
bypass.
• If forward-proxy-bypass exception-user-name-list or exception-ad-group-list is
configured and matched, the final decision is inspect.
• If forward-proxy-bypass user-name-list or ad-group-list is configured and matched,
the final decision is bypass.
• If the SNI bypass strings (contains/starts-with/equals/ends-with) are configured and
matched, the final decision is bypass.
• If the SNI bypass exception class list is configured and matched, the final decision is
inspect.
• If the SNI bypass class-list is configured and matched, the final decision is bypass.
• If web category bypass is configured and matched, the final decision is bypass.
• Else, the decision is inspect for now and continue to perform the remaining checks.

Next, SNI URL filtering is checked as follows:

• If intercepted-sni-enable is not configured (the option is disabled by default), SNI URL
filtering is skipped.
• If bypass-sni-disable is configured for a bypassed URL, SNI URL filtering is continued.
• If there is no SNI and no_sni_allow is not configured, the connection is dropped.
• If enable-san is configured and there is a match, the server certificate is fetched even
for a bypass decision.
• SNI URL filtering is continued, and if the class-list is matched, the configured action is
run.

Next, the server certificate checkpoint is run as follows:

• If the certificate subject/issuer/SAN inspect class-list is configured but not matched,
the final decision is bypass.
• If forward-proxy-bypass exception-user-name-list/exception-ad-group-list is
configured and matched, the final decision is inspect.
• If forward-proxy-bypass user-name-list/ad-group-list is configured and matched, the
final decision is bypass.
• If the certificate subject/issuer/SAN bypass strings (contains/starts-with/equals/ends-with)
are configured and matched, the final decision is bypass.
• If the certificate subject/issuer/SAN bypass exception class list is configured and
matched, the final decision is inspect.
• If the certificate subject/issuer/SAN bypass class-list is configured and matched, the
final decision is bypass.
• Otherwise, the decision is inspect.
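The SNI checkpoint and the server certificate checkpoint above apply the same ordered sequence of checks, with the no-SNI action and web-category bypass as the SNI-only steps. The following Python model, added here as an example and not taken from ACOS or any A10 code, encodes that order as one function used for both checkpoints, together with the template-wide case-sensitivity toggle described at the start of this section. The CheckpointConfig class, the user and group inputs, and the sample SNIs, issuer strings and categories are constructed for the example; the rule keywords (contains, starts-with, equals, ends-with, exception-user-name-list, and so on) are the ones named in the text.

```python
"""Ordered bypass/inspect decision for one SSLi checkpoint (SNI or certificate).

Added example modelled on the decision lists in this section; not A10 code.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set, Tuple

Rule = Tuple[str, str]  # (kind, pattern); kind is contains/starts-with/equals/ends-with


def rule_matches(kind: str, pattern: str, value: str, case_insensitive: bool) -> bool:
    """One match rule, with the template-wide case-sensitivity setting applied."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    if kind == "contains":
        return pattern in value
    if kind == "starts-with":
        return value.startswith(pattern)
    if kind == "equals":
        return value == pattern
    if kind == "ends-with":
        return value.endswith(pattern)
    raise ValueError(f"unknown rule kind {kind!r}")


def any_match(rules: List[Rule], value: str, case_insensitive: bool) -> bool:
    return any(rule_matches(k, p, value, case_insensitive) for k, p in rules)


@dataclass
class CheckpointConfig:
    """Constructed stand-in for the relevant client-ssl template settings."""
    inspect_class_list: Optional[List[Rule]] = None               # forward-proxy-inspect class-list
    exception_user_names: Set[str] = field(default_factory=set)   # exception-user-name-list
    exception_ad_groups: Set[str] = field(default_factory=set)    # exception-ad-group-list
    bypass_user_names: Set[str] = field(default_factory=set)      # user-name-list
    bypass_ad_groups: Set[str] = field(default_factory=set)       # ad-group-list
    bypass_rules: List[Rule] = field(default_factory=list)        # inline contains/starts-with/...
    bypass_exception_class_list: List[Rule] = field(default_factory=list)
    bypass_class_list: List[Rule] = field(default_factory=list)
    bypass_web_categories: Set[str] = field(default_factory=set)  # web-category (SNI checkpoint only)
    case_insensitive: bool = False                                # forward-proxy-bypass case-insensitive


def checkpoint(cfg: CheckpointConfig, value: Optional[str], user: Optional[str] = None,
               groups=(), web_category: Optional[str] = None,
               no_sni_action: str = "intercept") -> Tuple[str, bool]:
    """Return (decision, final) for an SNI or a certificate subject/issuer/SAN.

    value=None means the client hello carried no SNI, so forward-proxy-no-sni-action
    runs first. A non-final 'inspect' is the tentative decision that the later
    URL-filtering and certificate checks may still change.
    """
    groups = set(groups)
    ci = cfg.case_insensitive
    if value is None:
        if no_sni_action in ("bypass", "reset"):
            return (no_sni_action, True)
        value = ""  # intercept: keep inspecting for now and run the remaining checks
    if cfg.inspect_class_list is not None and not any_match(cfg.inspect_class_list, value, ci):
        return ("bypass", True)   # inspect list configured but not matched
    if user in cfg.exception_user_names or groups & cfg.exception_ad_groups:
        return ("inspect", True)  # exception lists beat every bypass list below
    if user in cfg.bypass_user_names or groups & cfg.bypass_ad_groups:
        return ("bypass", True)
    if any_match(cfg.bypass_rules, value, ci):
        return ("bypass", True)   # inline contains/starts-with/equals/ends-with rules
    if any_match(cfg.bypass_exception_class_list, value, ci):
        return ("inspect", True)
    if any_match(cfg.bypass_class_list, value, ci):
        return ("bypass", True)
    if web_category is not None and web_category in cfg.bypass_web_categories:
        return ("bypass", True)
    return ("inspect", False)


# Constructed sample configurations (hostnames and categories are examples only).
SNI_CFG = CheckpointConfig(
    bypass_rules=[("contains", "aa")],
    bypass_exception_class_list=[("equals", "mail.ispgen.com")],
    bypass_class_list=[("ends-with", "ispgen.com"), ("equals", "www.pickature.com")],
    exception_user_names={"auditor"},
    bypass_ad_groups={"optout"},
    bypass_web_categories={"financial-services"},
)
SNI_CFG_CI = replace(SNI_CFG, case_insensitive=True)
SNI_CFG_INSPECT = replace(SNI_CFG, inspect_class_list=[("ends-with", ".corp.example")])
CERT_CFG = CheckpointConfig(bypass_rules=[("contains", "Internal Root CA")])

if __name__ == "__main__":
    for sni in ("www.armardo.com", "www.BAAR.com", "mail.ispgen.com", "news.ispgen.com"):
        print(sni, checkpoint(SNI_CFG, sni), checkpoint(SNI_CFG_CI, sni))
    print("issuer", checkpoint(CERT_CFG, "CN=Internal Root CA,O=Example"))
```

Each call returns the decision and whether it is final; a tentative inspect is where the SNI URL filtering and the certificate checks described next take over. Feeding a real class-list export into a model like this is a quick way to confirm which rule wins for a given SNI before committing a template change.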

Next, SAN URL filtering is checked as follows:

• If enable-san is not configured, SAN URL filtering is skipped.
• If enable-san is configured, check whether intercepted-san-enable is configured for the
intercepted URL. If the option is not enabled (it is disabled by default), SAN URL filtering
is not continued.
• Check whether bypassed-san-disable is configured for the bypassed URL. If the option is
disabled (it is enabled by default), SAN URL filtering is not continued.
• If there is no SAN and no_san_allow is not configured, the connection is dropped.
• Otherwise, SAN URL filtering is continued: the class-list is matched against the certificate
subject/issuer/SAN and the rule action with the highest priority is run.


SNI and Server Certificate Based Inspection

ACOS supports inspection, bypass, and exception lists that include elements such as IP
addresses, SNIs, and matching certificate subject or issuer. Unless one of the certificate-based
options is configured, by default the SNI in the client-hello message is used for deciding
bypass or inspection.

Server Name Indication (SNI) is an extension of the TLS protocol and indicates the hostname
that is being contacted by the browser at the beginning of the SSL handshake. SNI enables
multiple secure websites to be served off the same IP address without requiring all those
sites to use the same certificate. In an SSL Insight deployment, SNI support allows multiple
self-signed certificates to be used. In SSLi deployments, you can map each certificate to the
domain name of an outside resource that is being accessed by clients.

Subject Alternative Name (SAN) certificates can secure a number of fully qualified domain
names with a single certificate. The SAN field enables you to specify additional host names
such as sites, IP addresses, common names, and so on, to be protected by a single SSL
certificate. SAN certificates allow you to secure a primary domain and then add additional
domains to the subject alternative name field of the certificate.

Convert an SNI List to an AC Class List

The class lists used in the SSLi policies must conform to the A10 Aho-Corasick (AC)
implementation. The class-list list-name ac command, combined with the contains, ends-with,
equals, and starts-with sub-commands, can create the required list, but you must enter
each SNI individually.

To convert a newline-delimited text SNI list to an AC class list for SSLi bypass, use the import
class-list-convert filename class-list-type ac command.

The file mySNIs.txt is a newline-delimited list of domain names. Its contents are as follows:
www.armardo.com
www.pickature.com
mail.ispgen.com

The conversion procedure takes the following steps:


1. Enter the following command in global configuration mode:
import class-list-convert mySNIs.txt class-list-type ac scp://user-
[email protected]/home/username/test_import

2. Verify the converted list file. Use the show class-list class-list-name debug command:
AX5100# show class-list mySNIs.txt debug
Name: name
Total String: 2
Total hash chain: 0
Total trie node: 0
Reference count: 0
File size: N/A
File date: N/A
Content:
equals mail.ispgen.com
equals www.pickature.com
equals www.armardo.com
File content:
class-list class-list1 ac file

; AC (Total: 3)
equals mail.ispgen.com
equals www.pickature.com
equals www.armardo.com

3. Use a text editor to edit the class-list as required by your network. For example, you
might wish to alter the first domain in the list:
A10 Aho-Corasick Class-List
ends-with armardo.com
equals www.pickature.com
equals mail.ispgen.com
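A small converter and validator for the file format shown in the show class-list debug output above, added here as an example; it is not A10's import class-list-convert implementation. It turns the newline-delimited list into the 'class-list NAME ac file' layout with the '; AC (Total: N)' count line, and parses such a file back so that a hand-edited list (step 3) can be checked for bad rule keywords or a stale count before it is imported. Entry order is preserved here, whereas the show output on this page lists the entries in reverse order. The hostnames are the ones from mySNIs.txt; the function names are this example's own.

```python
"""Convert a newline-delimited SNI list to AC class-list text and validate it.

Added example; not A10's converter. The layout follows the 'File content'
block of the show class-list debug output on this page.
"""
import re
from typing import List, Tuple

# Constructed copy of the mySNIs.txt contents shown above.
MYSNIS_TXT = "www.armardo.com\nwww.pickature.com\nmail.ispgen.com\n"

# Constructed copy of the hand-edited list from step 3, with a header added.
EDITED_LIST = (
    "class-list mySNIs ac file\n\n; AC (Total: 3)\n"
    "ends-with armardo.com\nequals www.pickature.com\nequals mail.ispgen.com\n"
)

RULE_TYPES = ("contains", "starts-with", "equals", "ends-with")


def sni_list_to_ac(text: str, name: str, rule: str = "equals") -> str:
    """Render a newline-delimited SNI list as an AC class-list file.

    Every non-empty, non-comment line becomes one '<rule> <sni>' entry
    (exact match by default, as the converted output above shows).
    Duplicates are dropped; an entry containing whitespace is rejected
    because an AC entry is a single token.
    """
    if rule not in RULE_TYPES:
        raise ValueError(f"unknown rule type {rule!r}")
    seen, entries = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        sni = raw.strip()
        if not sni or sni.startswith("#"):
            continue
        if any(ch.isspace() for ch in sni):
            raise ValueError(f"line {lineno}: entry contains whitespace: {raw!r}")
        if sni not in seen:
            seen.add(sni)
            entries.append(sni)
    body = "".join(f"{rule} {sni}\n" for sni in entries)
    return f"class-list {name} ac file\n\n; AC (Total: {len(entries)})\n{body}"


def parse_ac_class_list(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Parse an AC class-list file back into (name, [(rule, pattern), ...]).

    Checks the header, every rule keyword, and that the '; AC (Total: N)'
    count agrees with the number of entries.
    """
    lines = text.splitlines()
    header = re.match(r"^class-list (\S+) ac file$", lines[0] if lines else "")
    if not header:
        raise ValueError("missing 'class-list <name> ac file' header")
    declared, rules = None, []
    for lineno, line in enumerate(lines[1:], 2):
        line = line.strip()
        if not line:
            continue
        total = re.match(r"^; AC \(Total: (\d+)\)$", line)
        if total:
            declared = int(total.group(1))
            continue
        if line.startswith(";"):
            continue  # any other comment line
        kind, _, pattern = line.partition(" ")
        if kind not in RULE_TYPES or not pattern:
            raise ValueError(f"line {lineno}: bad entry {line!r}")
        rules.append((kind, pattern))
    if declared is not None and declared != len(rules):
        raise ValueError(f"header says {declared} entries, file has {len(rules)}")
    return header.group(1), rules


def is_valid_ac_class_list(text: str) -> bool:
    """True when parse_ac_class_list accepts the text, for quick pre-import checks."""
    try:
        parse_ac_class_list(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    converted = sni_list_to_ac(MYSNIS_TXT, "mySNIs")
    print(converted)
    print(parse_ac_class_list(EDITED_LIST))
```

Validating the edited file before importing it catches the two mistakes that are easy to make in a text editor: a misspelt rule keyword and a count line that no longer matches after entries were added or removed.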

User Name and Group Name Based Bypass

SSLi traffic can be bypassed based on user name and group name. For example, SSLi can
bypass all traffic from users who belong to a specific group such as optout. SSLi can also
bypass traffic for specific users. This feature leverages AAM (inline authentication) and
challenges the user for credentials if no IP information is known.


NOTE: Only supported AAM authentication methods for HTTP are
enabled for this feature.

To enable the feature, you must bind an AAM authentication template that contains a
logon to the virtual port, so that user names are collected. For user-group-based
bypass, enable AAM authorization so that group information is retrieved from the
authorization service. The authorization server must be an LDAP server that supports
the memberOf attribute.

Since the user name and group name are retrieved from the AAM module, the actual matching
procedure is processed in the AAM module (after authentication and authorization pass). The
results are marked in the authentication session, and the SSL module makes the bypass
decision according to the results in the authentication session.

To do group matching, authorization must be configured to retrieve group membership
information.

NOTE: This feature is not applicable to reverse proxy scenarios.

HTTPS Traffic Bypass

Some known internal domains cannot be resolved by Thunder. For these internal domains, the
traffic should bypass SSLi decryption and be forwarded to the upstream proxy.

When interception of explicit proxy traffic is enabled, traffic to specific domains that must be
chained to a group proxy server through the local proxy gateway cannot be established: SSLi
cannot resolve DNS for the requested destination and blocks the traffic.

Use the bypass option under the action object of the policy template to send all HTTPS
traffic directly to the upstream proxy. For more information, see the Command Line Interface
Reference for ADC guide.

CLI Configuration
Use the forward-proxy-bypass command to create rules for SSLi bypass, inspection, and
exceptions.

In this example, assume that ACOS SSLi is configured and that the client-facing VIP on the
ACOS decrypt device and the client SSL template are configured as follows:


ACOS-Decrypt# show running-config slb virtual-server
!Section configuration: 722 bytes
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 0 tcp
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat
port 443 https
service-group FW1_Inspect_SG
template client-ssl SSLInsight_ClientSide
no-dest-nat
!
ACOS-Decrypt# show running-config slb template client-ssl
!Section configuration: 330 bytes
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
!

1. Enter the configuration mode for the SSL client template named SSLInsight_ClientSide:
ACOS_decrypt# configure
ACOS_decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-client ssl)#

2. The forward-proxy-bypass CLI command configures the SNI match and case rules
and/or class-lists that determine whether or not traffic to a server bypasses SSLi
decryption. This section describes adding SNI match rules:

Use the forward-proxy-bypass command to enter the SNI match and case rules as
needed to specify which servers bypass ACOS SSLi:
ACOS_decrypt(config-client ssl)# forward-proxy-bypass contains jsmith.com
ACOS_decrypt(config-client ssl)# forward-proxy-bypass contains EnterpriseABC.com
ACOS_decrypt(config-client ssl)# forward-proxy-bypass equals UofKgmc.edu/admissions
ACOS_decrypt(config-client ssl)# forward-proxy-bypass case-insensitive

3. Commit the changes to ACOS memory.
ACOS_decrypt(config-client ssl)# write memory

4. Enter the configuration mode for the “Decrypt_VIP” and bind the modified SSL client
template to the virtual port “port 443 https”:
ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-slb vserver-vport)#

5. Commit the changes to ACOS memory.
ACOS_decrypt(config-slb vserver-vport)# write memory

Creating a Class List

Use the class-list command with the ac option to create a class list in ACOS CLI. Assume
that the VIP and SSL Client template are configured on ACOS decrypt.

1. To create a class list, use the class-list command with the ac option.

The class-list command creates a class list and gives it a name. The file option saves
the list as a file that you can export. Without this option, the class list entries are saved
in the configuration file instead. The ac option is required. This specifies that the list
type is Aho-Corasick.
ACOS_decrypt# configure
ACOS_decrypt(config)# class-list bypassed-servers-CL ac
ACOS_decrypt(config-class list)# contains jsmith.com
ACOS_decrypt(config-class list)# contains EnterpriseABC.com
ACOS_decrypt(config-class list)# equals UofKgmc.edu/admissions

2. Bind the new class list to the SSL client template:
ACOS_decrypt# configure
ACOS_decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-client ssl)# forward-proxy-bypass class-list bypassed-servers-CL

3. Bind the modified SSL client template to port 443 https of the VIP:
ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-slb vserver-vport)#

4. Commit the changes to ACOS memory.
ACOS_decrypt(config-slb vserver-vport)# write memory

Importing a Class List

Use the import class-list command to import a class list.

Assume that the VIP and SSL Client template are configured on the ACOS Decrypt zone.

The following example shows the importing of a class list file named CL.tgz. The imported
class list is given the name bypassed-servers-CL which identifies it in ACOS commands. The
URL where the file is located is //192.168.20.161, and the file transfer protocol is scp.
ACOS_decrypt# import class-list bypassed-servers-CL scp://192.168.20.161/CL.tgz

Bind the imported class list to the SSL client template, using the class list name given at
import rather than the file name:
ACOS_decrypt# configure
ACOS_decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-client ssl)# forward-proxy-bypass class-list bypassed-servers-CL

Bind the modified SSL client template to port 443 https of the VIP:
ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-slb vserver-vport)#

Commit the changes to ACOS memory.
ACOS_decrypt(config-slb vserver-vport)# write memory

The forward-proxy-bypass class-list command bypasses SSLi when the SNI of the outside
server matches the specified class list or class lists. When enabled by the multi-class-list
command option, you can enter the names of up to 16 file-type class lists for each slb
template client-ssl instance. If the multi-class-list command option is not enabled, you can
enter only one class list name.
ACOS_decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-client ssl)# forward-proxy-bypass class-list multi-class-list my-class-list-name1
ACOS_decrypt(config-client ssl)# forward-proxy-bypass class-list multi-class-list my-class-list-name2


Showing the System Resource Usage

Use the show system resource-usage command to check the AC class-list entry count and
the remaining space available.
ACOS# show system resource-usage
Resource Current Default Minimum Maximum
--------------------------------------------------------------------------
l4-session-count 67108864 67108864 16777216 134217728
class-list-ipv6-addr-count 4096000 4096000 4096000 8192000
class-list-ac-entry-count 3072000 3072000 3072000 6144000
auth-portal-html-file-size 20 20 4 120
auth-portal-image-file-size 6 6 1 80
max-aflex-file-size 32768 32768 16384 262144
aflex-table-entry-count 102400 102400 102400 10485760

GUI Configuration
You can enter match rules directly, you can create an AC class list, or you can import an AC
class list for binding to the client SSL template.

1. Navigate to Security > SSLi > Templates and edit your client ssl template (such as
SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window, click the Policies tab.

3. To create inspection rules, select any or a combination of the following options:
• Inspect if SNI Matches Class List
• Inspect if Certificate SAN Matches Class List
• Inspect if Certificate Subject Matches Class List
• Inspect if Certificate Issuer Matches Class List
4. For no SNI, configure the Forward Proxy No SNI Action field to either intercept,
bypass, or drop the packet.
5. For each Inspect field, three options are available; select one:
• Select from the drop-down
• Create a class list
• Import a class list
6. For Bypass Decrypt, select a Condition from the drop-down.
7. Select a Value and click Apply.
8. To add multiple rules, click Add as needed.
9. To create exceptions to the SSLi bypass decrypt rules, the following options are
available:
• Exceptions if SNI Matches Class List
• Exceptions if User Name Matches Class List
• Exceptions if AD Group Matches Class List
• Exceptions if Certificate Subject Matches Class List
• Exceptions if Certificate Issuer Matches Class List
10. For each Exception field, three options are available; select one:
• Select from the drop-down
• Create a class list
• Import a class list

Creating a Class List

Configure an AC class list to add to the SSLi inspection, bypass, or exception lists.

The procedure below adds an AC class list for the Bypass Decrypt option. You can perform
similar steps to create AC class lists for other fields in the SSLi Policies tab.

To create an AC class list for the Bypass Decrypt option, perform the following steps:

1. Navigate to Security > SSLi > Templates and edit your client ssl template (such as
SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window, click the Policies tab.
3. For Bypass Decrypt, click Add and then click a condition from the drop-down.
Since the procedure is for adding class lists, select SNI Match Class List.
4. For Value, click the + icon.
5. In the Name field, enter a name.
6. To store the list as a file, select Store as a file.
7. For AC, select an option from the drop-down list:
• Contains
• Ends with
• Starts with
• Equals
8. Type the key that you wish to match.
9. Click the save icon.
10. To add another item to the class list, click Add.
11. Repeat the above steps for additional AC entries.
12. Click OK.
13. Click Apply on the main page to add the condition.

Importing a Class List

SSLi supports importing an AC class list for configuring the SSLi bypass, inspect, and
exception list options.

The procedure below adds an AC class list for the Bypass Decrypt option. You can perform
similar steps to import AC class lists for other fields in the SSLi Policies tab.

To import an AC class list, perform the following steps:

1. Navigate to Security > SSLi > Templates and edit your client ssl template (such as
SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window, click the Policies tab.
3. For Bypass Decrypt, click Add.
4. Expand the Condition section and select SNI Match Class List (an example).
5. For Value, click the Import button.
6. Click whether the class list is Local or Remote.
7. Enter the class list Name.
8. Browse to the location if the class list is Local, and skip to step 7.
9. If the class list is Remote:
10. Click whether or not to Use Mgmt Port.
11. Select the file import Protocol.
12. Enter the Host name.
13. Enter the URL Location.
14. If you selected the FTP Protocol, enter the protocol port used for FTP, the User name,
and the Password.
15. If you selected the SCP or SFTP Protocol, enter the User name and the Password.
16. Click OK.
17. Click Apply on the main page to add the condition.
18. Either add your newly imported class list to an existing template, or create a new
template and then add your newly imported class list.

"no shared cipher" Error Bypass


In earlier ACOS releases, SSLi terminates a connection if a "no shared cipher" error occurs
during the client-side handshake. Additionally, the forward-proxy-failsafe option does not
work in such cases because the cipher check occurs at an early stage of the SSL handshake.
Starting from this release, ACOS supports an additional forward-proxy-no-shared-cipher-action
option that can be configured to either bypass SSLi processing or drop the connection.

The forward-proxy-no-shared-cipher-action option can be enabled either through the
ACOS GUI or the ACOS CLI.

CLI Configuration

Perform the following steps to create a client SSL template that bypasses SSLi for connections
where there is a no-shared-cipher error during the SSLi handshake.

1. Create a client SSL template called SSLInsight_DecryptSide by running the following
command:
ACOS(config)# slb template client-ssl SSLInsight_DecryptSide

2. Configure bypass for the forward-proxy-no-shared-cipher-action option:
ACOS(config-client ssl)#forward-proxy-no-shared-cipher-?
forward-proxy-no-shared-cipher-action Action taken if handshake fails due to
no shared cipher, close the connection by default
ACOS(config-client ssl)# forward-proxy-no-shared-cipher-action ?
bypass bypass SSLi processing
drop close the connection
ACOS(config-client ssl)# forward-proxy-no-shared-cipher-action bypass

GUI Configuration for “no shared cipher” Error

Perform the following steps to create a client-SSL template that bypasses SSLi connections
where there is a no-shared-cipher error during the SSLi handshake.

1. Navigate to Security >> SSLi >> Templates >> Create >> Client SSL.
2. Alternatively, navigate to ADC >> Templates >> SSL >> Create >> Client SSL.
The Create Client SSL Template page is displayed.
3. Fill in the required fields.
4. Under the forward-proxy-no-shared-cipher-action option, select either Drop or
Bypass.
By default, the value is Drop.
5. Click OK.

Consolidated Configuration
You can configure a number of client-ssl templates for SSLi bypass using a combination of
the commands available under forward-proxy-bypass.

The following topics are covered:

“no-shared-cipher” Error 203

AAM, User Name, AD Group, Explicit Proxy, and SSLi 203

AAM, User Name, AD Group Name, Transparent Proxy, and SSLi 204


“no-shared-cipher” Error

The following client-SSL template bypasses the SSLi connection under three conditions:

• For financial services
• For health and medicine
• For “no-shared-cipher” error


!
slb template client-ssl SSLInsight_DecryptSide
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-ocsp-disable
forward-proxy-crl-disable
forward-proxy-cert-expiry hours 168
forward-proxy-enable
forward-proxy-failsafe-disable
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category health-and-medicine
forward-proxy-no-shared-cipher-action bypass

AAM, User Name, AD Group, Explicit Proxy, and SSLi

In this example, the SSLi solution uses a combination of AAM, a user name group, and an AD
group to make SSLi bypass decisions.

Three class lists are configured as AC lists. These are UNAME, GROUP, and BYPASS_EXCEPTION.

In this template, BASIC is the profile for HTTP-based logon and it is associated with the AAM
authentication template SSLi_BYPASS. The SSLi client template is configured as USER_BYPASS
and it includes an exception list of BYPASS_EXCEPTION, a user name list of UNAME, and an AD
group list of GROUP for bypass. There is also an explicit policy template, EP_SSLi, for forward
proxy. Finally, the virtual server is associated with the explicit proxy template, the SSLi
client template, and the AAM authentication template.
class-list UNAME ac
equals asmith
equals jdoe
!
class-list GROUP ac
equals Employee
!


class-list BYPASS_EXCEPTION ac
equals TEST
!
aam authentication logon http-authenticate BASIC
auth-method basic enable
!
aam authentication template SSLI_BYPASS
logon BASIC
server AD_LDAP
!
aam aaa-policy SSLI_BYPASS
aaa-rule 1
authentication-template SSLI_BYPASS
!
slb template client-ssl USER_BYPASS
forward-proxy-ca-certificate ...
forward-proxy-enable
forward-proxy-bypass exception-ad-group-list BYPASS_EXCEPTION
forward-proxy-bypass user-name-list UNAME
forward-proxy-bypass ad-group-list GROUP
!
slb template policy EP_SSLI
forward-policy
...
!
slb virtual-server EP 10.0.0.1
port 3128 http
template policy EP_SSLI
template client-ssl USER_BYPASS
aaa-policy SSLI_BYPASS
!

AAM, User Name, AD Group Name, Transparent Proxy, and SSLi

In this example, the SSLi solution uses a combination of AAM, a user name group, and an AD
group to make SSLi bypass decisions.

A class list, UNAME, is configured as an AC list. In this example, BASIC is the profile for HTTP-
based logon and it is associated with the AAM authentication template SSLi_BYPASS. The
SSLi client template is configured as USER_BYPASS and it includes the user name list UNAME
for bypass. There is also a transparent proxy template, TP_SSLi, configured with forward-policy.

Finally, the virtual server at port 443 HTTPS is associated with the transparent proxy
template, the SSLi client template, and the AAM authentication template. No-destination-NAT
and port translation are enabled.
access-list 10 permit 172.16.1.0 0.0.0.255
!
class-list UNAME ac
equals asmith
equals jdoe
!
aam authentication logon http-authenticate BASIC
auth-method basic enable
!
aam authentication template SSLI_BYPASS
auth-sess-mode ip-based
logon BASIC
server AD_LDAP
!
aam aaa-policy SSLI_BYPASS
aaa-rule 1
authentication-template SSLI_BYPASS
!
slb template client-ssl USER_BYPASS
forward-proxy-ca-certificate ...
forward-proxy-enable
forward-proxy-bypass user-name-list UNAME
!
slb template policy TP_SSLI
forward-policy
...
!
slb virtual-server TP 0.0.0.0 acl 10
port 443 https
service-group DUMMY
template policy TP_SSLI
template client-ssl USER_BYPASS
no-dest-nat port-translation
aaa-policy SSLI_BYPASS
!

Chapter 11: Client Authentication Bypass
Some HTTPS servers might require client certificate authentication (CAC/PKI), where the server
authenticates incoming requests based on the certificate in the client’s certificate store. If
the ACOS SSLi configuration lacks the necessary client certificate and key information, and if
the ACOS SSLi is not enabled for client authentication bypass, CAC fails when requested by
the server.

This section describes how to configure a list of server names that bypass SSLi forward proxy
processing when CAC is requested by the server. The list is configured in the SSL client
template.

The following topics are covered:

WorkFlow 207

CLI Configuration 208

GUI Configuration 209

Consolidated Configuration 209

Troubleshooting 213


WorkFlow
Figure 11-1, Client Authentication Traffic Network Example, shows how client authentication
bypass works.

1. After the Inside ACOS device receives the client hello message from the client, the
device checks whether the remote server’s certificate is saved in the cache.
2. If the certificate has not been saved, the Inside ACOS device starts a server SSL
connection to the remote server to retrieve the certificate.
3. The Inside ACOS device also detects whether the remote server requires client certificate
authentication. If the server requires client authentication, the Inside ACOS device
checks whether the server name or web category matches the configured condition
to bypass this traffic.
4. If a match is found, the Inside ACOS device stops SSLi processing and switches from
HTTPS processing to basic TCP proxy processing.
5. A TCP connection to the server is established, and client and server negotiate the SSL
session directly, bypassing the ACOS SSLi.
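The following Python model, added here as an example and not part of the ACOS implementation, walks through steps 1 to 5 on the inside device: a certificate cache consulted first, a server-side fetch only on a miss, and the client-authentication bypass decision taken from the SNI against the forward-proxy-bypass client-auth rules. The RemoteServer table, the hostnames, the InsideDevice class and the outcome labels are constructed; the match rules are the entries of class-list Client_Auth_Bypass and the contains abcd rule from the consolidated configuration later in this chapter.

```python
"""Model of client-authentication bypass on the inside ACOS device (steps 1-5).

Added example; not A10 code. Servers, hostnames and outcome labels are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RemoteServer:
    subject: str
    requires_client_auth: bool  # server asks for a client certificate in the handshake


# Constructed table standing in for the remote HTTPS servers the device reaches.
REMOTE_SERVERS: Dict[str, RemoteServer] = {
    "test.hello.com": RemoteServer("CN=test.hello.com", True),
    "a10a10.corp.example": RemoteServer("CN=a10a10.corp.example", True),
    "portal.example.org": RemoteServer("CN=portal.example.org", True),
    "www.example.com": RemoteServer("CN=www.example.com", False),
}

# 'contains abcd' plus the entries of class-list Client_Auth_Bypass from this chapter.
CLIENT_AUTH_BYPASS_RULES: List[Tuple[str, str]] = [
    ("contains", "abcd"),
    ("starts-with", "a10a10"),
    ("equals", "ssl-i"),
    ("contains", "hello.com"),
]


def sni_matches(rules, sni: str, case_insensitive: bool = False) -> bool:
    """True if any contains/starts-with/equals/ends-with rule matches the SNI."""
    s = sni.lower() if case_insensitive else sni
    for kind, pat in rules:
        p = pat.lower() if case_insensitive else pat
        if {"contains": p in s, "starts-with": s.startswith(p),
                "equals": s == p, "ends-with": s.endswith(p)}[kind]:
            return True
    return False


class InsideDevice:
    def __init__(self, rules, servers, case_insensitive: bool = False):
        self.rules, self.servers, self.ci = rules, servers, case_insensitive
        self.cert_cache: Dict[str, RemoteServer] = {}
        self.server_ssl_connections = 0  # how many times step 2 actually ran

    def fetch_server_cert(self, sni: str) -> RemoteServer:
        """Step 1: cache lookup; step 2: server-SSL connection only on a miss."""
        if sni not in self.cert_cache:
            if sni not in self.servers:
                raise LookupError(f"cannot reach {sni}")
            self.server_ssl_connections += 1
            self.cert_cache[sni] = self.servers[sni]
        return self.cert_cache[sni]

    def on_client_hello(self, sni: str) -> str:
        """Decide what happens to a connection whose client hello carries this SNI.

        Returns 'ssli' (decrypt and inspect as usual), 'tcp-proxy' (client
        authentication bypass: plain TCP proxy, client and server negotiate TLS
        end to end) or 'cac-failure' (server wants a client certificate, no
        bypass rule matched, and the device has no client certificate to offer).
        """
        server = self.fetch_server_cert(sni)
        if not server.requires_client_auth:
            return "ssli"
        if sni_matches(self.rules, sni, self.ci):  # step 3
            return "tcp-proxy"                      # steps 4 and 5
        return "cac-failure"


if __name__ == "__main__":
    device = InsideDevice(CLIENT_AUTH_BYPASS_RULES, REMOTE_SERVERS)
    for name in REMOTE_SERVERS:
        print(name, device.on_client_hello(name))
    print("server-SSL connections:", device.server_ssl_connections)
```

The 'cac-failure' outcome is the case the chapter introduction warns about: a server that requests a client certificate, no matching bypass rule, and no client certificate configured on ACOS. Reviewing which SNIs land there is the quickest way to decide what still needs a bypass entry.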


FIGURE 11-1: Client Authentication Traffic Network Example

CLI Configuration
The forward-proxy-bypass client-auth CLI command configures the SNI attributes and/or
class-lists that determine whether or not a client is enabled for client-authentication bypass.
These attributes and class-lists are bound to SSL client template which itself is bound to the
inside ACOS device. The forward-proxy-bypass client-auth CLI command options follow:
slb template client-ssl Client-SSL
forward-proxy-bypass client-auth case-insensitive
forward-proxy-bypass client-auth class-list testclass
forward-proxy-bypass client-auth contains jsmith
forward-proxy-bypass client-auth ends-with abc
forward-proxy-bypass client-auth equals test.hello.com
forward-proxy-bypass client-auth starts-with efg

For more details on the forward-proxy-bypass command, see the subcommand table under
the slb template client-ssl command.


GUI Configuration
1. Navigate to Security > SSLi > Templates and edit your client ssl template (such as
SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window, click the Policy tab.
3. For Bypass Client Auth, click Add.

4. Expand the Condition section and select an option from the drop-down list:
• SNI Contains
• SNI Ends with
• SNI Starts with
• SNI Equals
5. For Value, enter the matching value of the client to bypass authentication.
6. You can add multiple match rules. Click Add as needed.
7. Click Update.

Consolidated Configuration
Show Running-Config of the ACOS_decrypt
The following sample configuration shows how to configure the inside ACOS device for client
authentication bypass:
ACOS-inside# show running-config
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
!
class-list Client_Auth_Bypass ac
starts-with a10a10
equals ssl-i
contains hello.com
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!


vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 20
untagged ethernet 2
router-interface ve 20
!
interface ve 10
ip address 10.10.1.10 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 10.10.2.10 255.255.255.0
!
slb server FW1_SSLi 10.10.2.20
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
!
!
slb service-group Outbound_TCP tcp
member FW1_SSLi 0
!
slb service-group Outbound_UDP udp
member FW1_SSLi 0
!
slb service-group Outbound_SSLi tcp
member FW1_SSLi 8080
!
slb template client-ssl Client-SSL
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
forward-proxy-bypass client-auth contains abcd
forward-proxy-bypass client-auth class-list Client_Auth_Bypass
!
slb virtual-server Inside_SSLi_VIP 0.0.0.0 acl 101
port 443 https
no-dest-nat port-translation


service-group Outbound_SSLi
template client-ssl Client-SSL
port 0 tcp
no-dest-nat
service-group Outbound_TCP
port 0 udp
no-dest-nat
service-group Outbound_UDP
port 0 others
no-dest-nat
service-group Outbound_UDP
!
end

Show Running-Config of the Outside ACOS device

The following CLI output shows how to configure the outside ACOS device:
ACOS-outside# show running-config
access-list 101 permit ip any any vlan 20
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
vlan 40
untagged ethernet 1
router-interface ve 40
!
vlan 20
tagged ethernet 2
router-interface ve 20
!
interface ve 40
ip address 10.10.4.20 255.255.255.0
!
interface ve 20
ip address 10.10.2.20 255.255.255.0
ip allow-promiscuous-vip
!
slb server Gateway 10.10.4.1
health-check-disable


port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 443 tcp
health-check-disable
!
!
slb service-group Outbound_TCP tcp
member Gateway 0
!
slb service-group Outbound_UDP udp
member Gateway 0
!
slb service-group Outbound_SSL tcp
member Gateway 443
!
slb template server-ssl Server-SSL
forward-proxy-enable
!
slb template virtual-port ignore-msl
ignore-tcp-msl
!
slb virtual-server Outside_nonSSLi_VIP 0.0.0.0 acl 101
port 8080 http
service-group Outbound_SSL
template server-ssl Server-SSL
no-dest-nat port-translation
use-rcv-hop-for-resp
port 0 tcp
service-group Outbound_TCP
no-dest-nat
use-rcv-hop-for-resp
template virtual-port ignore-msl
port 0 udp
service-group Outbound_UDP
no-dest-nat
use-rcv-hop-for-resp
port 0 others
service-group Outbound_UDP
no-dest-nat
use-rcv-hop-for-resp
!


end

Troubleshooting
SSLi might fail for one of the following reasons:

l If the configuration of client authentication is present on the client SSL template on the server side but missing on the client side, the ACOS device will not be able to retrieve the server certificate during the SSL handshake.

When SSLi fails, a log is generated that includes the following information:

l SNI

When the connection is successful, no logs are generated.

NOTE: The log messages are only seen by the inside ACOS device.

Log Example

When "SSLVerifyClient require" and "SSLVerifyDepth 10" are set in the Apache ssl.conf on the server, retrieving the certificate fails because no client-side authentication has been configured.

As a result, the following log is generated:


ACOS# show log
Log Buffer: 30000
Nov 30 2014 09:03:19 Info [SYSTEM]:SSL intercept failed, server amogh-server
(ip 20.20.101.50)
ACOS#

Chapter 12: Web Category and Web Reputation Bypass

The following topics are covered:

Web Category Bypass 215

Web Reputation Bypass 227


Web Category Bypass


Web Category refers to a set of features that includes URL Classification and Asynchronous Lookup. Classifying URLs provides information that is used to filter unwanted content, adding an additional layer of security. The information can also determine which URLs should bypass SSLi decryption to comply with privacy laws.

Installing Web Category License

Web Category features are accessed through a Web Category license and an active URL Classification Database.

ACOS connects with third-party servers (specifically, Webroot's BrightCloud servers) to obtain this information for enhanced protection. To access these servers, a URL Classification license is required. Two Webroot license types are available:

l Local – covers top 20 million URLs

The following topics are covered:

Step 1: Installing the Web Category License 215

Step 2: Verifying the Web Category License Installation 216

Step 3: Activating the Web Category License 217

Step 4: Verifying the Web Category Library 217

Step 5: Checking Web Category License Status and Expiration 217

Step 1: Installing the Web Category License


The license import method works for both the local and cloud-based (plus local) licenses. The
following steps install a Web Category License:

1. Configure your ACOS device with a valid ip route and domain name server (DNS).

The following is an example. Use the show run ip command to verify the configuration.
ACOS(config)# ip route 0.0.0.0 /0 192.168.200.1
ACOS(config)# ip dns primary 192.168.1.100
ACOS(config)# show run ip

215
Chapter 12: Web Category and Web Reputation Bypass
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

!Section configuration: 69 bytes
!
ip route 0.0.0.0 /0 192.168.200.1
!
ip dns primary 192.168.1.100

2. Ensure the ACOS device does not block access to the following URLs:
l https://glm.a10networks.com/
l https://database.brightcloud.com
l http://service.brightcloud.com
3. Save your URL Classification license file on an accessible server.

4. Enter the web-category sub-command mode by entering web-category, and configure the use of the management port for communication with the BrightCloud servers using the use-mgmt-port CLI command. The exit command returns to global configuration mode.
ACOS(config)# web-category
ACOS(config-web-category)# use-mgmt-port
ACOS(config-web-category)# exit

5. Import your Web Category license file using the following CLI command at the global configuration mode level. The file-name is the name of the Web Category license file.
import web-category-license file-name

The following example shows the output when the URL Classification license file has been imported.
ACOS(config)# import web-category-license test.json use-mgmt-port scp://example@192.168.1.200/home/example/lic_test/test_URL_C.json
Password []?
Done.

Step 2: Verifying the Web Category License Installation


Use the show log CLI command to verify that the URL Classification license has been imported onto the ACOS device.
ACOS(config)# show log | grep WEB-CATEGORY

The following output example displays the relevant portion of a successful Web Category license installation.
ACOS(config)# show log
Log Buffer: 30000


Oct 30 2015 16:23:39 Info [SYSTEM]:Imported file test.json from example:192.168.1.200/home/example/lic_test/test_URL_C.json using scp
Oct 30 2015 16:23:39 Info [WEB-CATEGORY]:BrightCloud license activated successfully
Oct 30 2015 16:23:38 Info [WEB-CATEGORY]:license key used for activation: {"id":"581b839aba28b1d39a55a39dae909b9e7383b564b7b1f7eaa215f851d460f73e","signature":"61f7b36da2e88cfa2fb3943434563cdafe58e221b83ca44d3b8e73d40183f795","current_time":1446244661.6663604,"payload":"eyJ0b2tlbiI6InZUaGNmOTQ2Y2IxZSJ9\n","account_id":497,"uuid":"AX25061111340044"}
...

Step 3: Activating the Web Category License


The Web Category license must be enabled before utilizing the database. Use the enable CLI
command from the web-category configuration mode to enable web-category functionality.
ACOS(config)# web-category
ACOS(config-web-category)# enable

Step 4: Verifying the Web Category Library


The Web Category database installation is verified with the show web-category database command. The following displays example command output:
ACOS> show web-category database
Database Name : full_bcdb_rep_7.431.bin
Database Status : Active
Database Size : 351 MB
Database Version : 827
Last Update Time : Wed Jul 6 19:39:59 2016
Next Update Time : Fri Jul 8 00:00:22 2016
Connection Status : GOOD
Last Successful Connection : Thu Jul 7 00:39:22 2016

From the GUI, navigate to Security >> Web Categories and click on License to view the data-
base information.

Step 5: Checking Web Category License Status and Expiration


After installing a Web Category License, check the expiration date and status by entering
show web-category license. The following example displays typical command output.
ACOS> show web-category license
Module Status : Enabled
License Status : License is valid
License Type : Term License
License Expiry : 2016-11-30 00:00:00 GMT
Remaining Period : 145 d 17 hrs 26 min 3 sec
Grace Period Status : License has not expired


Grace Period : Grace period not in effect
UUID/SN : EX00000000000000

From the GUI, navigate to Security >> Web Categories and click on License to view license
status and expiration date information.

Using a Proxy Server for BrightCloud Servers

BrightCloud servers are hosted in a location where the IPs are subject to change. This can be an issue for administrators with an upstream firewall in their networks, because they need to manage a list of allowed IPs to permit communication between ACOS and the BrightCloud servers. One solution is to have all BrightCloud communication go through a proxy server, so IP management is no longer necessary.

From the web-category sub-configuration, enter proxy-server to go to the web-category-proxy-server sub-configuration. Here, the following minimum requirements are needed for configuration.

l Authentication protocol - NTLM and BASIC authentication are supported. If NTLM is configured, NTLM version 2 is used. NTLM version 1 is not supported.
l IP address or hostname of the proxy server.
l Port for HTTPS or HTTP communication with the proxy server. If only one port type is configured, both HTTP and HTTPS communication go through the configured port type.

The proxy-server sub-configuration has commands to configure the username and password
for authentication. Refer to “Web Category” in Command Line Interface Reference for ADC.

An example of a configuration for a proxy server is provided. This example configures port 3128 for HTTP communication and port 8080 for HTTPS communication, and uses NTLM authentication with the username exampleadmin and password 0e1x2a3m4p5l6e7 to sign in to a proxy server at 192.0.2.0.
ACOS(config)# web-category
ACOS(config-web-category)# proxy-server
ACOS(config-web-category-proxy-server)# proxy-host 192.0.2.0
ACOS(config-web-category-proxy-server)# http-port 3128
ACOS(config-web-category-proxy-server)# https-port 8080
ACOS(config-web-category-proxy-server)# auth-type ntlm domain example


ACOS(config-web-category-proxy-server)# username exampleadmin
ACOS(config-web-category-proxy-server)# password 0e1x2a3m4p5l6e7
ACOS(config-web-category-proxy-server)# exit

A number of options that configure how and when ACOS interacts with the BrightCloud servers (for example, when an update should occur) are described under "Web Category" in the Command Line Interface Reference for ADC. These options are also available through the GUI by navigating to Security >> Web Categories >> Configure.

Filtering Web Category for SSLi Bypass

An ACOS device can utilize web category features in forward-policy source rules. This links
destination and matching rules for an slb template policy through a category-list. For spe-
cifying the web categories to SSLi bypass, use the forward-proxy-bypass command in an
slb template client-ssl.

The following topics are covered:

Configuring SSLi Bypass Filtering 219

Viewing the Statistics 220

Deleting or Reimporting the Database 223

Troubleshooting 223

Logging 224

Configuring SSLi Bypass Filtering


This section describes how to configure an ACOS device to bypass SSL Insight (SSLi) decryption of traffic based on traffic category. Dynamic Web Category classification is provided using the BrightCloud Webroot Web Security Service.

BrightCloud classifies the traffic into one or more web categories. Encrypted traffic from the client is not intercepted if the web category of the traffic is configured to be bypassed (for example, Healthcare due to HIPAA regulation). If a specific web category is not bypassed, traffic of that category is decrypted for interception.

When a user’s client browser sends a request to a URL, ACOS checks the category of the URL.


l If the category of the URL is allowed by the configuration, the ACOS_decrypt leaves the data encrypted and sends it to ACOS_encrypt, which sends the encrypted data to the server.

Similarly, reply traffic from the server is decrypted by the ACOS_encrypt for interception, if
the web category is not bypassed. ACOS_decrypt then sends the encrypted data to the cli-
ent.

To configure ACOS to use BrightCloud to classify URLs for SSLi bypass:

l Configure ACOS_encrypt. (The configuration steps for this feature are described in the Application and Server Load Balancing Guide. The configuration example later in this section also shows the syntax.)
l Configure forward-proxy-bypass web-category rules on ACOS_decrypt.

The following sections configure SSLi on a pair of ACOS devices. For simplicity, a topology using a single ACOS_decrypt and a single ACOS_encrypt is used.

ACOS_encrypt Configuration

No Web Category classification commands are required on this device. All of the Web Cat-
egory classification configuration takes place on the ACOS_decrypt.

Viewing the Statistics


The following show commands are available to view the various Web Category statistics.

l The following command shows the current Web Category URL statistics under Client-
SSL template.


This lists each bypassed web category, along with the number of times it has been
bypassed. Intercepted web categories are counted under Other Categories. If the
BrightCloud database cannot classify traffic into a Web category, then it is listed under
uncategorized:
ACOS# show slb template client-ssl url-stats
slb template client-ssl ssl_int
Category hits:
uncategorized 0
financial-services 42
nudity-artistic 17
illegal-pornography 17
travel 3
training-and-tools 0
web-based-email 5
Other Categories 83
Reputation hits:
Trustworthy(81-100) 0
Low-risk(61-80) 0
Moderate-risk(41-60) 0
Suspicious(21-40) 0
Malicious(1-20) 0

l The following command shows the Web Category information such as the bypassed-
urls, intercepted-urls, and the BrightCloud database:
ACOS# show web-category ?
bypassed-urls Show list of URL's bypassed
database Show information about currently loaded BrightCloud database
intercepted-urls Show list of URL's intercepted
url-category Show categories returned by BrightCloud library for a URL
version Show BrightCloud library version

l The following command shows the current version of the Web Category engine:
ACOS# show web-category version
version: 4.0

l The following command shows information about the currently loaded BrightCloud
database:
ACOS# show web-category database
Database name : full_bcdb_4.457.bin
Database size : 352 MB
Database version : 457


Last Update Time : Fri Jan 23 00:00:40 2015
Next Update Time : Sat Jan 24 00:00:43 2015
Connection Status : GOOD
Last Successful Connection : Fri Jan 23 15:54:43 2015

l The following command shows the 20 most recently bypassed URLs:
ACOS# show web-category bypassed-urls 20
paper.example.com
paper.example.com
paper.example.com
paper.example.com
step.example.com
metrics1.example.com
step.example.com
paper.example.com
online.example.com
...

l The following command shows the 20 most recently intercepted URLs:
ACOS# show web-category intercepted-urls 20
fhr.data.example.com
fhr.data.example.com
fhr.data.example.com
aus3.example.org
blocklist.addons.example.org
aus4.example.org
versioncheck-bg.addons.example.org
versioncheck-bg.addons.example.org
services.addons.example.org
aus3.example.org
fhr.data.example.com
...

l The following commands show the web categories to which some individual URLs
belong.

In this example, the categories for the URLs in the ACOS’s local database match the
most recent categorization from the BrightCloud server.
ACOS# show web-category url-category www.google.com
Search Engines
ACOS# show web-category url-category www.google.com local-db-only
Search Engines
ACOS# show web-category url-category http://www.youtube.com


Streaming Media
ACOS# show web-category url-category www.youtube.com local-db-only
Streaming Media

Deleting or Reimporting the Database


Disabling the Web Category classification feature does not delete the database. Likewise, re-
enabling the feature does not cause the database to be downloaded again.

l To delete the database:
ACOS(config)# web-category
ACOS(config-web-category)# no enable
ACOS(config-web-category)# exit
ACOS(config)# delete web-category database

l To re-import the database, first disable the feature and delete the database that is on
the ACOS device (as shown above), then re-enable the Web Category classification fea-
ture:
ACOS(config)# web-category
ACOS(config-web-category)# use-mgmt-port
ACOS(config-web-category)# enable

NOTE: Simply disabling and re-enabling the feature does not delete and reload the database. In this case, the same database is used.

Troubleshooting
The following troubleshooting commands are used for Webroot on the ACOS_decrypt:
debug web-category
debug monitor

Error during database download of Webroot

If you see the following error messages during enable under the web-category configuration:
[WEB-CATEGORY] downloading full_bcdb_4.445.bin
[WEB-CATEGORY] BcDownloadDb: failed to InitializeSsl context
[WEB-CATEGORY] nDownloadAndApplyDatabaseUpdates( ) 0 - call to BcDownloadDatabaseUpdates( ) failed.

A required certificate file may be missing. Contact A10 Networks.

Verify the ACOS_decrypt Has Downloaded Certificates from the HTTPS Server
show slb ssl-forward-proxy-cert SSLi_vip-1 443 all

Verify Traffic Flow


On the ACOS_encrypt: show slb virtual-server

l Bypassed SSL traffic packet and connection counters will go up under port 0.
l Intercepted SSL traffic and HTTP protocol packet and connection counters will go up
under port 8080.

On the ACOS_decrypt: show slb virtual-server

l SSL traffic packet and connection counters will go up under port 443.
l HTTP protocol packet and connection counters will go up under port 0.

Logging
ACOS supports remote logging for the Web Category classification feature. The provided information includes the URL accessed by the client, the category to which the URL belongs, and the action taken by ACOS: intercept or bypass. Logs are provided in Common Event Format (CEF). Remote logging for the feature is disabled by default.

NOTE: To use remote logging, you also must configure a remote syslog
server on ACOS using the logging host host-ipaddr command.

The current release does not support use of the management interface for remote logging for Web Category classification.

The CEF format comprises a syslog prefix, a header and an extension. A typical ACOS message in CEF contains the following fields:
Timestamp host CEF:Version|Device-Vendor|Device-Product|Device-Version|Signature-ID|Name|Severity|[Extensions]

Log messages for Web Category classification have the following fields:

l Syslog prefix: the start of the message, with the timestamp on the syslog server and the hostname of the ACOS device.

l CEF header:
o Version: Identifies the version of the CEF format. ACOS uses version 0.
o Device Vendor, Device Product and Device Version: Used to uniquely identify the device.
o Signature ID and Name: The Signature ID is a unique identifier for an event and "name" is a string giving a description of the event. For this feature, there are two event types: SSLi connection intercepted and SSLi connection bypassed:
o SSLi100 -> SSLi request intercepted
o SSLi101 -> SSLi request bypassed
o Severity: Integer that reflects the importance of the event, with range 1-10; 10 indicates the most important event. In this feature, the value is 5 for both events.

l Extensions: a collection of key-value pairs that provide more information about the event. A predefined set of keys is provided by the CEF format. The following keys are used in the case of Signature ID 1 (URL lookup).
o Request: URL accessed by the client.
o Act stands for deviceAction: Action taken by the device. The values are intercepted or bypassed.
o Msg: An additional message about the log. In this case it is category is xxx, where xxx is the category into which the URL is classified by the BrightCloud server.
o Src stands for sourceAddress: Source IP address if the address is an IPv4 address.
o Dst stands for destinationAddress: Destination IP address if the address is an IPv4 address.
o C6a2 stands for deviceCustomIPv6Address2: This is a custom field used to show the source network address in the case of an IPv6 address.
o C6a2label stands for deviceCustomIPv6Address2Label: Explains what the field c6a2 is for. In this case, it is Source IPv6 address.
o C6a3 stands for deviceCustomIPv6Address3: This is a custom field used to show the destination network address in the case of an IPv6 address.
o C6a3label stands for deviceCustomIPv6Address3Label: Explains what the field c6a3 is for. In this case, it is Destination IPv6 address.
o Spt stands for sourcePort: Source port number on the client.
o Dpt stands for destinationPort: Destination port number the client is trying to access.
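As an added example (not A10 code), the following Python parser reads Web Category CEF messages in the layout described above, separates the syslog prefix, the header and the extension keys, and audits the logged actions against the categories a client-ssl template is meant to bypass. The vendor, product and device-version header strings, the hostname and every sample line are constructed assumptions, not captured output.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample messages (not captured from a device). The vendor,
# product and device-version header strings and the hostname are assumed.
SAMPLE_LOGS = """\
Jan 10 2021 10:00:01 acos-inside CEF:0|A10|ACOS|5.2.1-P3|SSLi100|SSLi request intercepted|5|request=https://www.example.org/login act=intercepted msg=category is search-engines src=10.10.1.25 dst=203.0.113.10 spt=51234 dpt=443
Jan 10 2021 10:00:02 acos-inside CEF:0|A10|ACOS|5.2.1-P3|SSLi101|SSLi request bypassed|5|request=https://portal.example-bank.com/ act=bypassed msg=category is financial-services src=10.10.1.26 dst=203.0.113.20 spt=51240 dpt=443
Jan 10 2021 10:00:03 acos-inside CEF:0|A10|ACOS|5.2.1-P3|SSLi101|SSLi request bypassed|5|request=https://clinic.example.net/ act=bypassed msg=category is health-and-medicine c6a2=2001:db8::25 c6a2label=Source IPv6 address c6a3=2001:db8:1::10 c6a3label=Destination IPv6 address spt=51250 dpt=443
Jan 10 2021 10:00:04 acos-inside CEF:0|A10|ACOS|5.2.1-P3|SSLi100|SSLi request intercepted|5|request=https://cdn.example.com/ act=intercepted msg=category is uncategorized src=10.10.1.27 dst=203.0.113.30 spt=51260 dpt=443
Jan 10 2021 10:00:05 acos-inside CEF:0|A10|ACOS|5.2.1-P3|SSLi100|SSLi request intercepted|5|request=https://clinic.example.net/records act=intercepted msg=category is health-and-medicine src=10.10.1.28 dst=203.0.113.40 spt=51270 dpt=443
"""

# Extension values may contain spaces ("msg=category is xxx",
# "c6a2label=Source IPv6 address"), so a new key starts only where a space
# is followed by "<key>=". URLs carrying "=" in a query string would need
# CEF escaping, which this simple splitter does not handle.
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9]+=)")
_LINE = re.compile(r"^(?P<prefix>.*?)\s*CEF:(?P<rest>.*)$")


@dataclass
class CefEvent:
    prefix: str           # syslog timestamp and ACOS hostname
    version: str          # CEF version, 0 on ACOS
    vendor: str
    product: str
    device_version: str
    signature_id: str     # SSLi100 = intercepted, SSLi101 = bypassed
    name: str
    severity: int         # 5 for both SSLi events
    extensions: dict = field(default_factory=dict)

    @property
    def category(self) -> str:
        """BrightCloud category, taken from the 'msg=category is xxx' key."""
        msg = self.extensions.get("msg", "")
        marker = "category is "
        return msg[len(marker):] if msg.startswith(marker) else ""

    @property
    def action(self) -> str:
        """deviceAction: 'intercepted' or 'bypassed'."""
        return self.extensions.get("act", "")


def parse_cef_line(line: str) -> CefEvent:
    """Split one Web Category CEF message into prefix, header and extensions.

    The header has seven pipe-separated fields before the extensions; the
    extensions string is kept whole and then split on key boundaries.
    """
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CEF message: {line!r}")
    parts = m.group("rest").split("|", 7)
    if len(parts) != 8:
        raise ValueError(f"expected 8 CEF fields, got {len(parts)}")
    ext = {}
    for kv in _EXT_SPLIT.split(parts[7].strip()):
        key, _, value = kv.partition("=")
        ext[key] = value
    return CefEvent(prefix=m.group("prefix"), version=parts[0],
                    vendor=parts[1], product=parts[2], device_version=parts[3],
                    signature_id=parts[4], name=parts[5],
                    severity=int(parts[6]), extensions=ext)


def parse_lines(text: str) -> list:
    return [parse_cef_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(events: list) -> Counter:
    """Count (category, action) pairs; the same view as the url-stats counters."""
    return Counter((e.category, e.action) for e in events)


def policy_mismatches(events: list, bypass_categories: set) -> list:
    """Events whose logged action contradicts the configured bypass list:
    a bypass category that was decrypted, or a bypass outside the list."""
    return [e for e in events
            if (e.action == "intercepted") == (e.category in bypass_categories)]


def uncategorized_requests(events: list) -> list:
    """URLs logged as 'uncategorized', typically the first request for a URL
    the local database did not know (see lookup enforcement)."""
    return [e.extensions.get("request", "") for e in events
            if e.category == "uncategorized"]


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOGS)
    for (cat, act), n in sorted(summarize(evs).items()):
        print(f"{cat:22s} {act:12s} {n}")
    expected = {"financial-services", "health-and-medicine"}
    for e in policy_mismatches(evs, expected):
        print("policy mismatch:", e.action, e.category, e.extensions["request"])
    print("uncategorized:", uncategorized_requests(evs))
```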

Implementing Lookup Enforcement

Web-category lookups in the data plane are performed by querying the local database for a URL and returning the URL category when the database contains the URL. When the database does not contain the URL, it returns the value "uncategorized", and the resolution of the unknown URL is delayed and performed in the background. Therefore, the lookup result for the first request of an unknown URL is always "uncategorized". In SSLi / Forward-proxy deployments, the lapse in proper URL categorization can result in intercepting requests that should be bypassed or allowing requests that should be dropped.

Web category lookup enforcement resolves the category of unknown (first request) URLs by
pausing the data plane connection. When the result is known and the URL is categorized, the
connection is resumed.

To enable web category lookup enforcement through the ACOS CLI, enter require-web-category under the following templates as applicable:

l policy template for URL filtering
l client-ssl template for web-reputation-based SSLi bypass

Similarly, Web category lookup enforcement can be utilized for Web Reputation. When web-reputation is set, the reputation score is checked. A score of 0 means that the reputation score could not be resolved from the server or the local library. When that lookup fails and the require-web-category option is set, ACOS sends the query to BrightCloud to get the reputation score; the connection stays in pending status until the response is received, and then the rules are checked for a match. Otherwise, if the reputation score is not retrieved from the local cache and the require-web-reputation option is not set, by default the connection continues directly to the intercept process.

Implementing URL Filtering


SSLi, when deployed as an Explicit Proxy or a Transparent Proxy, utilizes a policy template that binds a web-category list to destination rules. Web Category Lookup Enforcement is enabled for these features by adding the require-web-category option to the policy template.


The following example enables Web Category Lookup Enforcement for all actions defined
under the RED policy template.
ACOS(config)# slb template policy RED
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# require-web-category
ACOS(config-policy-forward-policy)#

Implementing SSLi Bypass


The client-ssl template includes:

l forward-proxy-bypass require-web-category - Enables web-category based SSLi bypass policies under that template.

The following example enables Web Category Lookup Enforcement for web-category based
SSLi bypass policies under the BLUE client-ssl template.
ACOS(config)# slb template client-ssl BLUE
ACOS(config-client ssl)# forward-proxy-bypass web-category financial-services
ACOS(config-client ssl)# forward-proxy-bypass web-category health-and-medicine
ACOS(config-client ssl)# forward-proxy-bypass exception-web-category games
ACOS(config-client ssl)# forward-proxy-bypass require-web-category
ACOS(config-client ssl)#

Web Reputation Bypass


Web Reputation refers to URL reputation scores, which help SSLi decide whether to intercept or bypass a URL. This improves security and limits the inappropriate and malicious URLs that pass through your network. Web Reputation scores range from 1 to 100, with tiers split into the following levels plus one customized option:

l Trustworthy (81-100)
l Low Risk (61-80)
l Moderate Risk (41-60)
l Suspicious (21-40)


l Malicious (1-20)
l <1-100>

The Web Reputation feature can be accessed through the existing Web Category database and cloud lookup. For more information on:

l Web category installation and configuration, refer to Installing Web Category License.
l Web reputation CLI commands, refer to the Command Line Interface Reference for ADC.

The following topics are covered:

Configuring the Forward Policy 228

Configuring the SSLi Bypass Filtering 229

Viewing the Statistics 229

Configuring the Forward Policy

Before you begin to use the web reputation feature, you must perform the following steps:

1. Configure the reputation-scope under the web-category.
2. Bind the above setting to the forward policy template destination.
3. Configure the web reputation feature under forward-policy source rules.

This setting links the destination and matching rules for an slb template policy through a
web-reputation-scope.

NOTE: The reputation-scope can be greater-than or less-than the score level or customized score. Additionally, only one entry can be set in one scope for each greater-than or less-than setting.

The following example enables a web-reputation based forward policy template:
ACOS(config)# slb template policy BLUE
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# require-web-category
ACOS(config-policy-forward-policy)# action A1
ACOS(config-policy-forward-policy-action)# source S1
ACOS(config-policy-forward-policy-source)# destination web-reputation-scope scope_1 action A1 url priority 120


The following example defines a reputation-scope list in the web-category configuration node, which can then be used in a forward policy template:
ACOS(config)# web-category
ACOS(config-web-category)# reputation-scope trustworthy
ACOS(config-web-category-reputation-scope)# greater-than trustworthy

Configuring the SSLi Bypass Filtering

After configuring the forward-policy, you can enable Web Reputation for SSLi bypass decision-making by using the client-SSL template. You can also view the web-reputation statistics hits for the client-SSL template:

l forward-proxy-bypass web-reputation - When the web-reputation score is greater than or equal to the setting level or customized score, the request is bypassed.

The following example enables exception-web-reputation based SSLi bypass policies under the client-SSL template for the financial-services category. If the reputation score is less than 40, it will be intercepted or else bypassed.
ACOS(config)# slb template client-ssl BLUE
ACOS(config-client ssl)# forward-proxy-bypass web-category financial-services
ACOS(config-client ssl)# forward-proxy-bypass exception-web-reputation suspicious

The following example enables both the web-reputation and exception-web-reputation based SSLi bypass policies under the client-SSL template.
ACOS(config)# slb template client-ssl BLUE
ACOS(config-client ssl)# forward-proxy-bypass web-reputation low-risk
ACOS(config-client ssl)# forward-proxy-bypass exception-web-reputation moderate-risk

Viewing the Statistics

l The following example shows the web-reputation statistics for the client-ssl template:
ACOS(config)# show slb template client-ssl BLUE
Category hits:
Other Categories 0
Reputation hits:


Trustworthy(81-100) 2
Low-risk(61-80) 1
Moderate-risk(41-60) 1
Suspicious(21-40) 1
Malicious(1-20) 1

l The following command shows the URLs bypassed by the web reputation feature:
ACOS(config)# show web-reputation bypassed-urls
Score URL
79 www.77file.com
81 www.testing.com
81 a10networks.com
...

l The following command shows the URLs intercepted by the web reputation feature:
ACOS(config)# show web-reputation intercepted-urls
Score URL
10 17ebook.com
40 gerry90160.a10-tplab.com
54 earn4files.com

l The following commands show the web reputation scores of the URLs:
ACOS(config)# show web-reputation url-reputation www.youtube.com
trustworthy(81)
ACOS(config)# show web-reputation url-reputation www.google.com
trustworthy(81)
ACOS(config)# show web-reputation url-reputation www.abc.com
trustworthy(96)
ACOS(config)# show web-reputation url-reputation www.17ebook.com
malicious(10)

Chapter 13: URL Filtering
This section provides guidelines for the implementation of URL Filtering configurations. URL
Filtering can be implemented either by web category or SNI matching.

The following topics are covered:

Overview 232

CLI Configuration 233

GUI Configuration 234

Consolidated Configuration 235


Overview
Forward policy actions follow after the Client-SSL template has decided whether to bypass or intercept. In other words, after ACOS processes the incoming traffic as provisioned by the Client-SSL template, it then processes the traffic as provisioned by the forward policy.

The SSLi forward policy handles the traffic of bypassed (non-decrypted) sessions differently
than the traffic of intercepted (decrypted) sessions. This difference is illustrated in FIGURE
13-1.

In a bypassed connection, by default ACOS examines the server name identification (SNI)
field to determine a course of action for the traffic of that connection.

In an intercepted connection, by default ACOS looks at the client's HTTP request header to determine a course of action.

While these actions work by default for an SSLi configuration, options are available to provide different ways of handling bypassed and intercepted SSLi packets by using the ssli-url-filtering CLI command from the forward-policy configuration mode in an SLB template policy that is applied to an SLB client-SSL template. The specific options for ssli-url-filtering are available under the forward-policy command in the Command Line Reference for ADC.


FIGURE 13-1: Transparent Proxy with SSLi SNI Matching and URL Filtering Default Packet
Flow Sequence

CLI Configuration
This section describes how to add transparent HTTP proxy services to the SSLi.

In this example, we create a server load balancing template policy ExamplePolicy, followed by the forward-policy sub-command, and configure ssli-url-filtering to allow transparent SSLi proxy traffic not containing SNI extension information to be forwarded, rather than being dropped (the default action).
ACOS(config)# slb template policy ExamplePolicy
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# ssli-url-filtering no-sni-allow

Other actions that are configurable include disabling SNI inspection on bypassed traffic,
enabling SNI matching for intercepted transparent proxy SSLi traffic and disabling HTTP
header inspection for intercepted transparent proxy SSLi traffic (see ssli-url-filtering in
the Command Line Interface Reference Guide).

Known Limitations:

• From the forward-policy configuration, no-client-conn-reuse is not supported in a server load balancing template policy consisting of an HTTPS virtual port and a wildcard VIP. The command is permitted, but it is ignored for this specific case.
• From the forward-policy configuration, drop-message and drop-redirect-url are not supported in the case where the ACOS device acts as a transparent proxy with an SSLi connection, because the drop commands are HTTP-level messages, whereas with SNI matching the device is inspecting at the SSL handshake level.

GUI Configuration
This section describes the steps to configure SSL Insight URL filtering options using the GUI.

1. Navigate to Security >> Forward Proxy.
2. Click on the Templates tab.
3. Click + Create and click on Policy.
4. In the Add Policy Template page, enter a policy name in the Name field.

NOTE: It does not matter whether the Action Policies tab or the Source Policies tab has been selected.

5. In SSLi URL Filtering, click the check box for each SSLi URL Filtering option you wish to be active:
• Bypassed SNI Disable
• Intercepted SNI Enable
• Intercepted HTTP Disable
• NO SNI Allow
6. Click Add Template.

Consolidated Configuration
The following example deployment illustrates configurations for SSLi bypass in the Client-
SSL template and URL filtering and SNI matching in the forwarding policy.

In this example, a web-category category-list drops requests from clients trying to connect to sites classified as various types of security risks. Failsafe is disabled (forward-proxy-failsafe-disable) so that when an SSL handshake transaction fails, traffic inspection is not bypassed. Because of privacy rules, this configuration does not decrypt and inspect the financial-services and health-and-medicine categories.

For further information on configuration of the forward-policy, see the "Explicit and Transparent Proxy" section.
Current active partition: ssli_in
ACOS[ssli_in]#show run
!Current configuration: 1546 bytes
!Configuration last updated at 21:21:06 PST Fri Mar 10 2017
!Configuration last saved at 12:57:23 PST Thu Mar 9 2017
!
active-partition ssli_in
!
!
access-list 190 remark ssli_in
!
access-list 190 permit ip any any vlan 850
!
access-list 191 remark block_quic
!
access-list 191 deny udp any any eq 80
!
access-list 191 deny udp any any eq 443
!
access-list 191 permit ip any any
!
class-list Block_domains ac
contains sslitest
!
web-category
category-list Url_filter_cat
malware-sites
phishing-and-other-fraud
proxy-avoid-and-anonymizers
spyware-and-adware
bot-nets
confirmed-spam-sources
spam-urls
unconfirmed-spam-sources
!
slb template cipher cl_cipher_template
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256

!
slb server fw1 30.91.11.104

port 0 tcp
health-check-disable
_0_tcp_port
port 0 udp
health-check-disable
_0_udp_port
port 80 tcp
health-check-disable
_80_tcp_port
port 8080 tcp
health-check-disable
user-tag Security,ssli_signaling
!
slb service-group SG_SSLi_HTTP tcp

member fw1 80
!
slb service-group SG_SSLi_TCP tcp

member fw1 0
!
slb service-group SG_SSLi_UDP udp

member fw1 0
!
slb service-group SG_SSLi_Xlated tcp

member fw1 8080


!
slb template client-ssl cl_ssl
template cipher cl_cipher_template
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-ocsp-disable
forward-proxy-crl-disable
forward-proxy-cert-expiry hours 168
forward-proxy-enable
forward-proxy-failsafe-disable
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category health-and-medicine
!
slb template http insertHeaders
non-http-bypass service-group SG_SSLi_Xlated
!
slb template policy Url_filter_pl

forward-policy
action Drop
drop
log
action Permit
forward-to-internet SG_SSLi_Xlated
action permi
source Any
match-any
destination class-list Block_domains action Drop url priority 20
destination web-category-list Url_filter_cat action Drop url priority 10
destination any action Permit
!
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
port 0 tcp
service-group SG_SSLi_TCP
no-dest-nat
port 0 udp
service-group SG_SSLi_UDP
no-dest-nat
port 0 others
service-group SG_SSLi_UDP
no-dest-nat
port 80 http
service-group SG_SSLi_Xlated
template policy Url_filter_pl
no-dest-nat port-translation
port 443 https
service-group SG_SSLi_Xlated
template policy Url_filter_pl
template http insertHeaders
template client-ssl cl_ssl
no-dest-nat port-translation
!
end
!Current config commit point for partition 1 is 0 & config mode is classical-mode
ACOS[ssli_in]#

Chapter 14: Explicit and Transparent Proxy

The following topics are covered:

Overview 240

Deployment Example 240

CLI Configuration 241

Proxy Chaining SSLi 249

Drop and Drop-Redirect-URL Message Responses 253

Virtual Wire with SSLi Deployment 258

AAM for SSLi Transparent Proxy 264

Overview
A proxy is an agent that acts in place of the original requester. With a transparent proxy, the client is not aware that a proxy server is in use. With an explicit proxy, client browsers are configured to send requests to a proxy server; hence the name, because the proxy service is known to the client.

In an HTTP proxy deployment, browser clients connect to the Internet through proxy servers that make service requests on behalf of the clients. The configuration of the browser specifies the proxy servers it uses. You can configure ACOS to provide both SSLi services and HTTP proxy services in the same HTTP session, and on the same virtual router.

Deployment Example
FIGURE 14-1 shows the topology of this SSLi example to which explicit HTTP proxy services are added. To understand the SSLi topology, refer to Two ACOS Devices, Each With Single Partition Deployment.

FIGURE 14-1: Explicit Proxy with Basic Static-Port SSLi Example

CLI Configuration
This section describes how to add an explicit HTTP proxy to an SSLi solution consisting of two ACOS devices, ACOS_decrypt and ACOS_encrypt. Both SSLi and explicit proxy are configured on the same virtual port.

The following topics are covered:

ACOS_decrypt Configuration 242

ACOS_encrypt Configuration 243

Verifying the Configuration 244

Consolidated Configuration 245

ACOS_decrypt Configuration

The following are the recommended steps for configuring explicit proxy on ACOS_decrypt.

Prior to configuring explicit proxy, determine what port number and what IP address are to be used for explicit proxy. It is this address that the clients will configure in their browser's proxy option. In this example, 10.10.1.30:1234 is used.

1. Create the source-NAT pool of IP addresses required by the forward-to-internet action.

The configuration of the NAT pool used by source-NAT for Internet-bound traffic provides a source address that is the same as the IP interface of ACOS_decrypt.
ip nat pool Internet_Pool 10.10.1.30 10.10.1.30 netmask /32

2. Enter the following commands to define the template for the explicit proxy policy.

The policy template defines what actions are applied to upstream traffic by the client-facing virtual server on the ACOS_decrypt device. The configuration of this policy template follows:
slb template policy Explicit_Proxy
forward-policy
action Permit_to_Internet
forward-to-internet FW1_Inspect_SG snat Internet_Pool
log
source Any_Source
match-any
destination any action Permit_to_Internet

3. Enter the following commands to create a template that is bound to the client-facing virtual server to provide the IP addresses of DNS servers used by the VIP. The DNS dynamic service template points to two DNS servers that enable ACOS_decrypt to look up the IP addresses of the EnterpriseABC servers to which the clients request SSL connections.
slb template dynamic-service DNS
dns server 10.10.1.253
dns server 10.10.1.254

4. Configure a static route to a gateway, 10.10.1.2, that can reach the clients on the
192.168.1.0 /24 subnet. No route to the DNS servers is necessary because ACOS_
decrypt and the DNS servers are both on the same subnet, 10.10.1.0 /24.
ip route 192.168.1.0 /24 10.10.1.2
!
5. Modify the configuration of the decrypt_VIP to enable explicit proxy. The decrypt_VIP is a static-port virtual server that manages explicit proxy traffic and provides SSLi services. The policy template, the client-SSL template, and the dynamic-service template are all bound to the client-facing virtual server on ACOS_decrypt.
6. Specify the IP address of the decrypt_VIP as 10.10.1.30. The IP address must be explicit and must match the proxy configuration of the clients.
7. Begin the configuration of virtual port 1234 on 10.10.1.30 as the interface of this VIP. This too matches the proxy configuration on the clients.
8. Bind the Explicit_Proxy policy template to the 1234 HTTP port of the VIP.
9. Bind the DNS dynamic-service template to the 1234 HTTP port of the VIP.

10. Bind the SSLInsight_decrypt template to the 1234 HTTP port of the VIP.
slb virtual-server decrypt_VIP 10.10.1.30
port 1234 http
service-group FW1_Inspect_SG
template client-ssl SSLInsight_decrypt
template policy Explicit_Proxy
template dynamic-service DNS
no-dest-nat port-translation

ACOS_encrypt Configuration

The only change is the addition of a default route to the Internet gateway router.
ip route 0.0.0.0 /0 20.1.1.10

Verifying the Configuration

Enter the following commands to verify the configuration and operation of this explicit proxy
example:

1. Show the configuration of the SLB policy template.

ACOS_decrypt# show slb template policy Explicit_Proxy
slb template policy Explicit_Proxy
forward-policy
action Permit_to_Internet
forward-to-internet SSL snat Internet_Pool fallback SSL snat Fallback_Pool
log
source Any_Source
match-any
destination any action Permit_to_Internet

2. Show the IP addresses of the source-NAT pool.

ACOS_decrypt# show ip nat pool
Pool Name      Start Address  End Address  Mask  Gateway  Vrid
-----------------------------------------------------------------
Internet_Pool  203.0.113.5    203.0.113.5  /32   0.0.0.0  default

3. Show the status of the client-facing VIP on ACOS_decrypt.

ACOS_decrypt# show slb virtual-server decrypt_VIP
Virtual server: EP_VIP  State: Functional Up  IP: 10.10.1.30
Port   Curr-conn  Total-conn  Rsv-Pkt  Fwd-Pkt  Peak-conn
-----------------------------------------------------------------
Virtual Port:8080 / service:To_Internet / state:Functional Up
port 8080 http   0   0   0   0   0

4. Show the detailed status of the client-facing VIP on ACOS_decrypt.

ACOS_decrypt# show slb virtual-server decrypt_VIP detail
Virtual server name: decrypt_VIP
Virtual server IP address: 10.10.1.30
Virtual server MAC: 001f:a003:5fc3
Virtual server template: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connections: 0
Current connection rate: 0 per second

5. Show the statistics of the forward-policy to verify the forward-policy managed packet
flow through the ACOS_decrypt virtual router.

ACOS_decrypt# show slb template policy Explicit_Proxy forward-policy-stats
slb template policy name: Explicit_Proxy
Source NAT failure: 0
Unresolved DNS requests: 0
Outstanding DNS requests: 0
Hits: 0
Requests forward to Internet: 0
Requests forward to Service Group: 0
Requests dropped: 0
Source Match not found: 0
Expected Client HELLO requests not found: 0

Consolidated Configuration

The configuration of ACOS_decrypt is shown first. The highlighted lines of the configuration show items specifically described in the preceding configuration instructions.
ACOS_decrypt# show running-config
!
access-list 100 permit ip any any vlan 10
!
!
ip nat pool Internet_Pool 10.10.1.30 10.10.1.30 netmask /32
!
ip route 192.168.1.0 /24 10.10.1.2
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
hostname ACOS_decrypt
!
interface ethernet 1
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
!
slb template dynamic-service DNS
dns server 10.10.1.253
dns server 10.10.1.254
!
slb server FW1_Inspect 10.15.1.12
port 8080 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 8080
!
slb template policy Explicit_Proxy
forward-policy
action Permit_to_Internet
forward-to-internet FW1_Inspect_SG snat Internet_Pool
log
source Any_Source
match-any
destination any action Permit_to_Internet
!
slb template client-ssl SSLInsight_decrypt
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
!
slb virtual-server decrypt_VIP 10.10.1.30
port 1234 http
service-group FW1_Inspect_SG
template client-ssl SSLInsight_decrypt
template policy Explicit_Proxy
template dynamic-service DNS
no-dest-nat port-translation
port 0 tcp
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat
!
end

Use the show running-config command to check your configuration of ACOS_encrypt. A default route to the Internet gateway is added; otherwise the explicit proxy configuration does not change the configuration. The highlighted lines of the configuration show items specifically described in the preceding configuration instructions.

ACOS_encrypt# show running-config
!
access-list 101 permit ip any any vlan 15
!
vlan 20
tagged ethernet 1
router-interface ve 20
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
ip route 0.0.0.0 /0 20.1.1.10
!
hostname ACOS_encrypt
!
interface ethernet 1
enable
!
interface ve 20
ip address 20.1.1.2 255.255.255.0
!
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
!
slb server Default_Gateway 20.1.1.10
port 443 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group DG_SSL_SG tcp
member Default_Gateway 443
!
slb service-group DG_TCP_SG tcp
member Default_Gateway 0
!
slb service-group DG_UDP_SG udp
member Default_Gateway 0
!
slb template server-ssl SSLInsight_encrypt
forward-proxy-enable
!
slb virtual-server encrypt_VIP 0.0.0.0 acl 101
port 8080 http
no-dest-nat port-translation
service-group DG_SSL_SG
template server-ssl SSLInsight_encrypt
use-rcv-hop-for-resp
port 0 tcp
no-dest-nat
service-group DG_TCP_SG
use-rcv-hop-for-resp
port 0 udp
no-dest-nat
service-group DG_UDP_SG
use-rcv-hop-for-resp
port 0 others
no-dest-nat
use-rcv-hop-for-resp
service-group DG_UDP_SG
!
end

Proxy Chaining SSLi

For a general overview of proxy chaining, see the Application Delivery Controller Guide.

In an SSLi environment, when HTTPS traffic is routed to an upstream proxy server, some configuration points need to be kept in mind for both explicit proxy and transparent proxy traffic.

This section provides the general explicit proxy configuration steps required for an upstream proxy server and certificate validation setup in an SSLi deployment.

The following topics are covered:

Configuration with Explicit Proxy 249

Configuration with Transparent Proxy 250

Configuration with Explicit Proxy

Follow these guidelines for the ACOS_decrypt device:

• It must contain an SLB server template for the proxy server that includes the upstream proxy's IP address and port.
• In an SLB server policy template, replace forward-to-service-group with the forward-to-proxy CLI command.
• The virtual server template will specify the ACOS_decrypt IP address.
• The virtual server template's virtual port number must match that of the upstream proxy server port.

Configuration with Transparent Proxy

Follow these guidelines for the ACOS_decrypt device:

1. It must contain an SLB server template for the proxy server that includes the upstream proxy's port.
2. In an SLB server policy template, replace forward-to-internet with the forward-to-proxy CLI command.
3. The virtual server template will have a wildcard VIP (0.0.0.0).

For ACOS_encrypt, the SLB server template must include the following from the upstream proxy:

1. In the SLB server template, the port of the upstream proxy server must be specified.
2. In the virtual server template, bind the upstream proxy port (using the service group) with the vPort (ACOS_encrypt port).
3. Set no-dest-nat port-translation with the ACOS_encrypt port in your slb virtual-server template.

ACOS_decrypt configuration
1. Create a server template for the upstream proxy server (which is 192.168.90.71) and define its service groups for the ACOS_encrypt port (8080) and the proxy server port (3128). The IP address of the upstream proxy server is required for handling explicit proxy and is not necessary for transparent proxy.
slb server proxy 192.168.90.71
health-check-disable
port 8080 tcp
health-check-disable
port 3128 tcp
health-check-disable
slb service-group sg-proxy-8080 tcp
member proxy 8080
slb service-group sg-proxy-3128 tcp
member proxy 3128

2. Traffic needs to be distinguished between HTTP and HTTPS. A class-list of the Aho-Corasick (ac) string type is created to identify HTTP traffic.
class-list HTTP ac
starts-with http://

3. Create a placeholder for ACOS_decrypt and a service group for port 80.
slb server svr 2.2.2.2
health-check-disable
port 80 tcp
health-check-disable
slb service-group sg tcp
member svr 80

4. Create a policy template for explicit proxy or transparent proxy. This replaces the explicit proxy template from the previous example (slb template policy Explicit_Proxy). Create two actions, act-3128 and act-8080. To direct traffic to the upstream proxy server, the forward-to-proxy CLI command must be used to ensure that the HTTP header remains intact. HTTP traffic is routed through port 3128 directly, while HTTPS traffic is inspected through SSLi.
slb template policy EP-TP
forward-policy
action act-3128
forward-to-proxy sg-proxy-3128 snat Internet_Pool
action act-8080
forward-to-proxy sg-proxy-8080 snat Internet_Pool
source src
match-any
destination class-list HTTP action act-3128 url priority 1
destination any action act-8080

5. Create a policy template for explicit proxy so that the server certificate fetch is forwarded through the explicit proxy instead of to the real server, as in the original SSLi deployment.
slb template policy chain
forward-policy
action act-8080
forward-to-proxy ep8080 support-cert-fetch
source src
match-any
destination any action act-8080
!

6. Bind everything with the virtual server template VS_EP. With explicit proxy, provide the ACOS_decrypt IP address (10.10.1.30) and set the upstream proxy's port (3128). The virtual port number in VS_EP is configured to match the upstream explicit proxy port number. The original slb virtual-server template (decrypt_VIP) changes to the following:
slb virtual-server VS_EP 10.10.1.30
port 3128 http
source-nat auto
service-group sg
template policy EP-TP
template dynamic-service DNS
template client-ssl SSLInsight_decrypt

7. With transparent proxy, we use the wildcard VIP (0.0.0.0).
slb virtual-server VS_TP 0.0.0.0
port 3128 http
source-nat auto
service-group sg
template policy EP-TP
template dynamic-service DNS
template client-ssl SSLInsight_decrypt

ACOS_encrypt configuration
A placeholder internal server, s1, is created to allow us to add the port and service group, sg-proxy-server-port, for association with the upstream proxy server's port (3128).
slb server s1 1.1.1.1
health-check-disable
port 3128 tcp
health-check-disable
slb service-group sg-proxy-server-port tcp
member s1 3128

The slb virtual-server encrypt_VIP has a minor change from the original configuration. The port of the ACOS_encrypt device needs to remain set (port 8080 http), so leave this as is. The service group needs to be modified so that HTTPS traffic that arrives with destination port 8080 leaves with the destination port of the upstream proxy server. This is accomplished by changing service-group DG_SSL_SG to service-group sg-proxy-server-port, which has the upstream proxy server's port of 3128, to move traffic from the ACOS_encrypt device to the upstream proxy server.
slb virtual-server encrypt_VIP 0.0.0.0 acl 101
port 8080 http
no-dest-nat port-translation
service-group sg-proxy-server-port
template server-ssl SSLInsight_encrypt
port 0 tcp
no-dest-nat
service-group DG_TCP_SG
port 0 udp
no-dest-nat
service-group DG_UDP_SG
port 0 others
no-dest-nat
service-group DG_UDP_SG

Drop and Drop-Redirect-URL Message Responses

NOTE: This section requires that the explicit proxy configuration is known for ACOS_decrypt and ACOS_encrypt. To configure explicit proxy, refer to Deployment Example.

Starting from ACOS 4.1.4, there is support for configuring the drop-message and drop-redirect-url options for HTTPS traffic in explicit proxy for SSLi. This feature enables the network administrator to configure either a customized drop message or a customized redirect URL for specific websites tagged under the explicit proxy configuration. The SSLi deployment must complete the SSL intercept before it can send a drop or redirect message.

Configure ACOS_decrypt with some additional actions for the explicit proxy template. No additional changes are required for ACOS_encrypt. The following are the guidelines for the configuration of drop and drop-redirect-url messages in ACOS_decrypt:

• Prior to configuring explicit proxy, determine what port number and what IP address are to be used for explicit proxy.
• Create a service group under the vPort for the forward-to-internet action.
• Create the explicit proxy template with the drop and drop-redirect actions. Also include the forward-to-internet option for allowed traffic.

ACOS_decrypt Configuration

The following sample configuration implements this logic:

• If a user accesses www.netflix.com, a drop message is displayed.
• If a user accesses www.poker.com, the user is redirected to the configured website, which is http://192.168.98.115.

Configure the explicit proxy policy template called ep-template, with the following properties:

• For the action FORWARD, the service group sg-8080 is added for forwarding the allowed traffic to the Internet.
• For the action GAME, the request is dropped and the redirect URL is https://www.apple.com.

ACOS(config)# slb template policy ep-template
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# action FORWARD
ACOS(config-policy-forward-policy-action)# forward-to-internet sg-8080 snat NAT
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# action GAMBLE
ACOS(config-policy-forward-policy-action)# drop
ACOS(config-policy-forward-policy-action)# drop-redirect-url http://192.168.98.115
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# action GAME
ACOS(config-policy-forward-policy-action)# drop
ACOS(config-policy-forward-policy-action)# drop-redirect-url https://www.apple.com
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# action NETFLIX
ACOS(config-policy-forward-policy-action)# drop
ACOS(config-policy-forward-policy-action)# drop-message "This website is not allowed, contact your networks admin for more info"
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# source SRC
ACOS(config-policy-forward-policy-source)# match-any
ACOS(config-policy-forward-policy-source)# destination class-list gamble action GAMBLE host priority 800
ACOS(config-policy-forward-policy-source)# destination class-list game action GAME host priority 900
ACOS(config-policy-forward-policy-source)# destination class-list netflix action NETFLIX host priority 1000
ACOS(config-policy-forward-policy-source)# destination any action FORWARD
ACOS(config-policy-forward-policy-source)# exit
ACOS(config-policy-forward-policy)# exit
ACOS(config-policy)# exit

Configure the client-SSL template called c1 and enable forward proxy.

ACOS(config)# slb template client-ssl c1
ACOS(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS(config-client ssl)# forward-proxy-enable

Configure the virtual server called vs. Associate the explicit proxy template, the client-SSL template, and the fake-sg service group with the vPort, port 80.
ACOS(config)# slb virtual-server vs 192.168.91.105
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# source-nat auto
ACOS(config-slb vserver-vport)# service-group fake-sg
ACOS(config-slb vserver-vport)# template policy ep-template
ACOS(config-slb vserver-vport)# template client-ssl c1

ACOS(config-slb vserver-vport)# exit

Consolidated Configuration

The following is an excerpt of the ACOS_decrypt configuration for configuring drop messages and redirect URLs:
!Configure the class-list.
class-list gamble ac
contains poker
!
class-list game ac
contains game
!
class-list netflix ac
contains netflix
!
class-list permit
192.168.99.24/32
!
!Configure the NAT pool.
ip nat pool NAT 192.168.91.24 192.168.91.24 netmask /32 gateway 192.168.91.254
!Configure the real servers.
slb server fake 1.1.1.1
health-check-disable
port 1111 tcp
health-check-disable
!
slb server s1 192.168.221.70
health-check-disable
port 80 tcp
health-check-disable
port 8080 tcp
health-check-disable
!Configure the service groups.
slb service-group fake-sg tcp
member fake 1111
!
slb service-group sg-8080 tcp
member s1 8080
!
!Configure the client-ssl template.
slb template client-ssl c1
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
!
!Configure the explicit policy template.
slb template policy ep-template
forward-policy
action FORWARD
forward-to-internet sg-8080 snat NAT
action GAMBLE
drop
drop-redirect-url http://192.168.98.115
action GAME
drop
drop-redirect-url https://www.apple.com
action NETFLIX
drop
drop-message "This website is not allowed, contact your networks admin for more
info"
source SRC
match-any
destination class-list gamble action GAMBLE host priority 800
destination class-list game action GAME host priority 900
destination class-list netflix action NETFLIX host priority 1000
destination any action FORWARD
!
!Configure the virtual server.
slb virtual-server vs 192.168.91.105
port 80 http
source-nat auto
service-group fake-sg
template policy ep-template
template client-ssl c1

Drop and Drop-Redirect-URL Priorities

For an explicit proxy, the priority of the match condition determines which action is selected
for the request. For example, the following is a sample configuration excerpt:
!
class-list cnn ac
contains cnn
!
class-list sport ac
contains sport
!
slb template policy ep-template
forward-policy
action A1
forward-to-internet sg-8080 snat NAT
action drop
drop
drop-message "Not allowed"
source ANY
match-any
destination class-list cnn action drop host priority 500
destination class-list sport action A1 url priority 1000

In the configuration sample, if the request contains the word cnn, the action is to drop the
request.

If the request contains the word sport, the action is to forward to the internet. The URL
cnn.com/sport matches both conditions; however, the priority of the sport action (1000) is
higher than the priority of the cnn action (500). As a result, the request is forwarded to the
internet under action A1.

For the same configuration, if the priorities are reversed as destination class-list cnn
action drop host priority 1000 and destination class-list sport action A1 url priority 500,
the request cnn.com/sport is dropped and the message "Not allowed" is displayed.

The drop-message and drop-redirect-url options change the behavior of the explicit proxy from
previous ACOS versions. If neither option is configured, the ACOS device drops the CONNECT
request immediately instead of performing an SSL negotiation.
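The priority rule above, modelled in Python as an added example (not ACOS code): every destination rule whose class-list matches the URL is a candidate, and the highest priority among the candidates selects the action. The host/url match-type keyword is not modelled, and a rule without an explicit priority is treated as lowest; both are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One 'destination class-list <name> action <act> ... priority <n>' line.
    class_list=None models 'destination any'."""
    class_list: Optional[str]
    action: str
    priority: int = 0   # assumption: a rule without an explicit priority ranks lowest


@dataclass
class ForwardPolicy:
    # class-list name -> the 'contains' substrings it holds (class-list type 'ac')
    class_lists: Dict[str, List[str]]
    # action name -> what the action does ('drop' or 'forward-to-internet')
    actions: Dict[str, str]
    rules: List[Rule] = field(default_factory=list)

    def _matches(self, rule: Rule, url: str) -> bool:
        if rule.class_list is None:            # destination any
            return True
        needles = self.class_lists.get(rule.class_list, [])
        return any(n in url for n in needles)

    def select(self, url: str) -> Optional[Rule]:
        """Return the matching rule with the highest priority, or None."""
        candidates = [r for r in self.rules if self._matches(r, url)]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.priority)


def build_sample_policy(cnn_priority: int, sport_priority: int) -> ForwardPolicy:
    """The cnn / sport excerpt above, with the two priorities as parameters so
    both orderings discussed in the text can be evaluated."""
    return ForwardPolicy(
        class_lists={"cnn": ["cnn"], "sport": ["sport"]},
        actions={"drop": "drop", "A1": "forward-to-internet"},
        rules=[
            Rule("cnn", "drop", cnn_priority),
            Rule("sport", "A1", sport_priority),
        ],
    )


def decide(policy: ForwardPolicy, url: str) -> str:
    """Name of the action the policy applies to this URL, or 'no-match'."""
    rule = policy.select(url)
    return policy.actions[rule.action] if rule else "no-match"


if __name__ == "__main__":
    as_documented = build_sample_policy(cnn_priority=500, sport_priority=1000)
    reversed_prio = build_sample_policy(cnn_priority=1000, sport_priority=500)
    for pol, label in ((as_documented, "sport higher"), (reversed_prio, "cnn higher")):
        for url in ("cnn.com/sport", "cnn.com/news", "espn.com/sport"):
            print(f"{label:12} {url:16} -> {decide(pol, url)}")
```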

Virtual Wire with SSLi Deployment


ACOS supports virtual wire (vwire) or bump-in-the-wire, which streamlines the deployment
process in an SSLi solution, allowing the Thunder to be inserted into the network using an IP-
Less configuration. Virtual wire logically bridges two Ethernet interfaces like a physical wire,
and VLAN or routing configuration changes are not required. For packets that traverse the
vwire, the Layer 2 headers are not modified.


In the case of an SSLi with Explicit Proxy deployment, the support-cert-fetch option under
forward-to-proxy is used in a virtual wire deployment so that cert fetch traffic goes to the
Explicit Proxy (EP). ACOS uses the management interface to resolve the domain name of the
ca-cert and subsequently uses the virtual wire endpoint to forward the validation.

NOTE: In a virtual wire IP-less SSLi deployment, DNS and the default gateway must be
configured for the management interface so that the ca-cert domain name can be
resolved.

For more information on virtual wire configuration, refer to the Network Configuration Guide.

The following topics are covered:

SSLi IP-Less Deployment 259

SSLi IP-Less Deployment with Explicit Proxy and Cert Validation 262

SSLi IP-Less Deployment

FIGURE 14-2: Virtual Wire SSLi deployment

The ACOS device in FIGURE 14-2 uses multiple virtual wire pairs. SSL traffic is decrypted and
sent to the security device using virtual wire 1, re-encrypted using virtual wire 2, and sent
to the destination on the Internet.

The virtual wire endpoint configuration:


ACOS(config)# interface management
ACOS(config-if:management)# ip address 192.168.93.140 255.255.255.0

ACOS(config-if:management)# ip default-gateway 192.168.93.1
ACOS(config-if:management)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# virtual-wire
ACOS(config-if:ethernet:1)# ip allow-promiscuous-vip
ACOS(config-if:ethernet:1)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# virtual-wire
ACOS(config-if:ethernet:2)# interface ethernet 3
ACOS(config-if:ethernet:3)# enable
ACOS(config-if:ethernet:3)# virtual-wire
ACOS(config-if:ethernet:3)# ip allow-promiscuous-vip
ACOS(config-if:ethernet:3)# interface ethernet 4
ACOS(config-if:ethernet:4)# enable
ACOS(config-if:ethernet:4)# virtual-wire
ACOS(config-if:ethernet:4)# virtual-wire 1
ACOS(config-virtual-wire:1)# ethernet 1 ethernet 2
ACOS(config-virtual-wire:1)# virtual-wire 2
ACOS(config-virtual-wire:2)# ethernet 3 ethernet 4
ACOS(config-virtual-wire:2)# exit

Configure the SLB server and service-group components for the security device:
ACOS(config)# slb server sec-dev 10.20.1.142
ACOS(config-real server)# health-check-disable
ACOS(config-real server)# port 443 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# port 8080 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config)# slb service-group sec-dev_tcp443 tcp
ACOS(config-slb svc group)# member sec-dev 443
ACOS(config-slb svc group)# exit
ACOS(config)# slb service-group sec-dev_tcp8080 tcp
ACOS(config-slb svc group)# member sec-dev 8080
ACOS(config-slb svc group)# exit

Configure the Server SSL and Client SSL templates:


ACOS(config)# slb template server-ssl serverssl
ACOS(config-server ssl)# forward-proxy-enable
ACOS(config-server ssl)# exit
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123

ACOS(config-client ssl)# forward-proxy-enable
ACOS(config-client ssl)# exit

Configure the SLB virtual server ssli_in for decrypting client traffic and sending it to
the security device. ACLs are added to permit traffic to the VIPs from the client side and
the server side.
ACOS(config)# access-list 198 permit ip any any ethernet 3
ACOS(config)# access-list 199 permit ip any any ethernet 1
ACOS(config)# slb virtual-server ssli_in 0.0.0.0 acl 199
ACOS(config-slb vserver)# port 443 https
ACOS(config-slb vserver-vport)# service-group sec-dev_tcp8080
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# template client-ssl clientssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# exit

Configure the SLB Virtual Server ssli_out for encrypting traffic:


ACOS(config)# slb virtual-server ssli_out 0.0.0.0 acl 198
ACOS(config-slb vserver)# port 443 tcp
ACOS(config-slb vserver-vport)# service-group sec-dev_tcp443 tcp
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# service-group sec-dev_tcp443 tcp
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# template server-ssl serverssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation


SSLi IP-Less Deployment with Explicit Proxy and Cert Validation

FIGURE 14-3: Virtual Wire and SSLi with Explicit Proxy

The ACOS device in FIGURE 14-3 uses virtual wires for SSLi with Explicit Proxy and certificate
validation. The following commands configure the ACOS device with virtual wires for SSLi with
Explicit Proxy and certificate validation.

Configure the IP address of the DNS server for domain resolution and the default route for
the management interface. This configuration is required for IP-Less deployment because the
interface IP is not used for ca-cert validation:
ACOS(config)# ip dns primary 8.8.8.8
ACOS(config)# ip route 8.8.8.8 /32 192.168.93.1

Configure the explicit proxy server with TCP ports 3128 and 8080 and the service-groups, and
disable the health checks:
ACOS(config)# slb server ep 10.20.1.145
ACOS(config-real server)# health-check-disable
ACOS(config-real server)# port 3128 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# port 8080 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config)# slb service-group ep3128 tcp
ACOS(config-slb svc group)# member ep 3128
ACOS(config-slb svc group)# exit
ACOS(config)# slb service-group ep8080 tcp
ACOS(config-slb svc group)# member ep 8080

ACOS(config-slb svc group)# exit

Configure the SSL certificate:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS(config-client ssl)# forward-proxy-trusted-ca new_self.crt
ACOS(config-client ssl)# forward-proxy-enable
ACOS(config-client ssl)# exit

Configure the SSL template policy. Use the support-cert-fetch command in the virtual wire
deployment:
ACOS(config)# slb template policy chain
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# action act-8080
ACOS(config-policy-forward-policy-action)# forward-to-proxy ep8080 support-cert-fetch
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# source Any_Source
ACOS(config-policy-forward-policy-source)# match-any
ACOS(config-policy-forward-policy-source)# destination any action act-8080

Configure the SLB virtual servers, the explicit proxy, and SSL templates:
ACOS(config)# access-list 198 permit ip any any ethernet 3
ACOS(config)# access-list 199 permit ip any any ethernet 1
ACOS(config)# slb virtual-server ssli_in 0.0.0.0 acl 199
ACOS(config-slb vserver)# port 3128 http
ACOS(config-slb vserver-vport)# template policy chain
ACOS(config-slb vserver-vport)# service-group ep8080
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# template client-ssl clientssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# exit

ACOS(config)# slb virtual-server ssli_out 0.0.0.0 acl 198
ACOS(config-slb vserver)# port 443 tcp
ACOS(config-slb vserver-vport)# service-group g_tcp0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# no-dest-nat port
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# service-group ep3128
ACOS(config-slb vserver-vport)# template server-ssl serverssl
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# no-dest-nat port-translation


AAM for SSLi Transparent Proxy


Starting from ACOS 4.1.4, you can configure AAM for transparent proxy for SSLi. This feature
is applicable to HTTPS and HTTP sessions where AAM performs authentication and authorization
checking inside the SSL tunnel. For HTTPS, if the auth-session-mode is cookie-based, the
deployment requires an HTTPS server. The hostname of the HTTPS server must be configured in
the redirect-hostname command in the auth-template. When the client browser attempts a
proxy-auth against this hostname, the hostname must be resolvable at the browser side.

The following are supported for transparent proxy for SSLi:

l Single sign-on including for cross-domains

l IP-based and cookie-based auth-session tracking mode

For Content Security Policy (CSP), this feature provides a new command called
modify-content-security-policy under the auth-template. When the command is enabled, ACOS
checks all packets from the server. If the packet contains a CSP header (keywords:
Content-Security-Policy, X-Content-Security-Policy and X-Webkit-CSP), ACOS inserts a
redirect-url (from redirect-hostname or the Kerberos SPN) into the 'default-src' field. If
no CSP header is found, ACOS does nothing.
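The modify-content-security-policy behaviour described above, modelled in Python as an added example (not ACOS code): the three CSP header names are matched case-insensitively, the redirect hostname is added to default-src, and a response without a CSP header passes unchanged. The https scheme for the inserted source and leaving a policy that has no default-src directive untouched are assumptions of this model.

```python
from typing import List, Tuple

# Header names the text lists as CSP headers (matched case-insensitively).
CSP_HEADER_NAMES = {
    "content-security-policy",
    "x-content-security-policy",
    "x-webkit-csp",
}


def add_default_src(csp_value: str, source: str) -> str:
    """Append `source` to the default-src directive of a CSP value.
    Other directives are left untouched. A policy with no default-src directive is
    returned unchanged (assumption; the text only describes inserting into default-src).
    'none' is only meaningful as the sole source, so it is dropped once another
    source is added to the directive."""
    directives = [d.strip() for d in csp_value.split(";") if d.strip()]
    rebuilt = []
    for directive in directives:
        tokens = directive.split()
        if tokens[0].lower() == "default-src":
            sources = [t for t in tokens[1:] if t.lower() != "'none'"]
            if source not in sources:
                sources.append(source)
            tokens = [tokens[0]] + sources
        rebuilt.append(" ".join(tokens))
    return "; ".join(rebuilt)


def modify_csp_headers(headers: List[Tuple[str, str]], redirect_hostname: str
                       ) -> Tuple[List[Tuple[str, str]], bool]:
    """Apply the rewrite to a parsed list of response headers.
    Returns the (possibly) rewritten headers and whether any CSP header changed.
    The redirect-url is assumed to be https://<redirect-hostname>."""
    source = "https://" + redirect_hostname
    out, changed = [], False
    for name, value in headers:
        if name.lower() in CSP_HEADER_NAMES:
            new_value = add_default_src(value, source)
            changed = changed or (new_value != value)
            out.append((name, new_value))
        else:
            out.append((name, value))
    return out, changed


if __name__ == "__main__":
    # Constructed sample response headers, not a captured server response.
    sample = [
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", "default-src 'self'; script-src 'self' cdn.example"),
    ]
    rewritten, changed = modify_csp_headers(sample, "tp.a10.com")
    for name, value in rewritten:
        print(f"{name}: {value}")
    print("changed:", changed)
```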

The following topics are covered:

Topology Example 264

Decrypt_VIP Support 266

Forward-Policy JWT (JSon Web Token) Authorization Support 266

HTTP Authenticate Logon Support 266

CLI Configuration 267

Topology Example

The following figure is an example topology for configuring AAM for SSLi and transparent
proxy. This is a cookie-based auth-session, so there is an HTTPS server connected to
ACOS_decrypt. The authorization server is LDAP-based and uses basic logon. Since the AAM
authentication happens in the SSL tunnel, there are no configuration changes required for
ACOS_encrypt.

NOTE: Ensure that the CA is imported to the user browser.

The expected behavior of the deployment is as follows:

l Clear the auth session.


o Access HTTP page www.apple.com. User is asked for credentials.
o Access HTTP page www.nokia.com which is another domain. User is not asked for
credentials.

l Clear the auth session.


o Access HTTPS page https://www.google.com. User is asked for credentials.
o Access HTTPS page https://github.com which is another domain. User is not
asked for credentials.

FIGURE 14-4: Configuring AAM for SSLi with Transparent Proxy


Decrypt_VIP Support

If you configure ACOS SSLi with explicit proxy, you can also configure the decrypt_VIP with
the AAM features described in the Application Access Management Guide. However, the
following limitations apply:

When configuring AAM with an explicit proxy, the HTTP-basic, NTLM, and Kerberos logon
methods are supported for HTTP authentication. Form-based authentication is also supported.
However, SAML authentication is not supported.

Use the aam authentication logon http-authenticate command and its sub-commands to
configure HTTP authentication and its HTTP-basic, NTLM, and Kerberos logon methods. Use
the aam authentication logon form-based command to configure form-based authentication.

Forward-Policy JWT (JSon Web Token) Authorization Support

For SSLi explicit and transparent proxy, an AAM authorization policy can also be configured as
the forward-policy source matching criteria. Therefore, ACOS can provide the JWT authorization
feature for forward-policy.

For instructions on implementing JWT authorization for forward policy, refer to the
Authorizing Forward Policy with JWT section in the Application Access Management (AAM)
Configuration Guide.

HTTP Authenticate Logon Support

The following workflow is for the authentication for HTTP-authenticate logon. The user tries
to access www.apple.com. The redirect hostname is tp.a10.com.


FIGURE 14-5: Workflow for Authentication Flow for HTTP-authenticate Logon

The authentication template has the following configuration:

ACOS_decrypt(config)# aam authentication template TP-AAM
ACOS_decrypt(config-auth template:TP-AAM)# redirect-hostname tp.a10.com
ACOS_decrypt(config-auth template:TP-AAM)# exit

CLI Configuration

1. Configure HTTP-authenticate logon with the profile name as BASIC.


ACOS_decrypt(config)# aam authentication logon http-authenticate BASIC
ACOS_decrypt(config-form-based auth logon:BASIC)# auth-method basic enable
ACOS_decrypt(config-form-based auth logon:BASIC)# exit

2. Configure an authentication-server profile for the LDAP server called LDAP_98_172.


ACOS_decrypt(config)# aam authentication server ldap LDAP_98_172

ACOS_decrypt(config-ldap auth server)# host 192.168.98.172
ACOS_decrypt(config-ldap auth server)# base ou=People,dc=lex-ldap,dc=com
ACOS_decrypt(config-ldap auth server)# admin-dn cn=Admin,dc=lex-ldap,dc=com
ACOS_decrypt(config-ldap auth server)# admin-secret encrypted 37O48xvi8uY8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ACOS_decrypt(config-ldap auth server)# dn-attribute uid
ACOS_decrypt(config-ldap auth server)# exit

3. Configure an authentication template called BASIC_LDAP_C. Associate the logon profile
BASIC and LDAP server LDAP_98_172 with the authentication template. Set the redirect
hostname to tp.a10.com.
ACOS_decrypt(config)# aam authentication template BASIC_LDAP_C
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# logon BASIC
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# server LDAP_98_172
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# redirect-hostname tp.a10.com
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# modify-content-security-policy
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# exit

4. Create an AAA policy called BASIC_LDAP_C and associate the authentication template.
ACOS_decrypt(config)# aam aaa-policy BASIC_LDAP_C
ACOS_decrypt(config-aaa policy:1)# aaa-rule 10
ACOS_decrypt(config-aaa policy:1-aaa rule:10)# authentication-template BASIC_LDAP_C

5. Create a virtual server called TP_AAM. For port 80 HTTP and port 443 HTTPS, associate
aaa-policy BASIC_LDAP_C.
ACOS_decrypt(config)# slb virtual-server TP_AAM 0.0.0.0 acl 2
ACOS_decrypt(config-slb vserver)# port 80 http
ACOS_decrypt(config-slb vserver-vport)# aaa-policy BASIC_LDAP_C
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# aaa-policy BASIC_LDAP_C
ACOS_decrypt(config-slb vserver-vport)# exit

Consolidated Configuration
!
aam authentication logon http-authenticate BASIC
auth-method basic enable
!
!
aam authentication server ldap LDAP_98_172


host 192.168.98.172
base ou=People,dc=lex-ldap,dc=com
admin-dn cn=Admin,dc=lex-ldap,dc=com
admin-secret encrypted 37O48xvi8uY8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
dn-attribute uid
!
aam authentication template BASIC_LDAP_C
logon BASIC
server LDAP_98_172
redirect-hostname tp.a10.com
modify-content-security-policy
!
aam aaa-policy BASIC_LDAP_C
aaa-rule 10
authentication-template BASIC_LDAP_C
!
slb virtual-server TP_AAM 0.0.0.0 acl 2
port 80 http
aaa-policy BASIC_LDAP_C
port 443 https
aaa-policy BASIC_LDAP_C

Chapter 15: ICAP Services
This section provides information on configuring the Internet Content Adaptation Protocol
(ICAP) in a static-port SSLi deployment.

The following topics are covered:

Overview 271

Topology Example 271

Inside Partition/Device Configuration 273

Outside Partition/Device Configuration 276

Configuration Options 277


Overview
ICAP provides security services to HTTP and HTTPS sessions. On traffic from the client to the
web server, ICAP typically provides data loss prevention (DLP), whereas on traffic from the
web server to the client, ICAP typically provides anti-virus (AV) services.

ICAP services are frequently deployed in conjunction with a forward proxy, such as SSLi, which
intercepts and inspects traffic as the man-in-the-middle.

NOTE: The SSLi virtual port feature described does not support ICAP.
Also, ICAP with proxy chaining is not supported on the same
ACOS device.

Topology Example
FIGURE 15-1 below shows a sample ICAP topology. The numbers in the diagram show the
messaging steps described in the following section.

FIGURE 15-1: ICAP REQMOD Message Exchange

When the ACOS device is configured as an ICAP client with Request Modification Process
(REQMOD) capability and is also configured as a forward proxy for an HTTP client, the ICAP
message exchange process follows these steps:


1. The web client sends an HTTP GET request to the web server.
2. The ACOS device intercepts the request, processes the HTTP header, and forwards it to
the ICAP server in an ICAP REQMOD message.
3. The ICAP server sends a REQMOD response to the ACOS device.

4. The action taken by the ACOS device depends on the ICAP REQMOD response, as follows:
l ICAP REQMOD response has Status Code 200 and contains an HTTP request.
o The ACOS device sends the HTTP request contained in the ICAP response to the
web server (instead of the original intercepted HTTP request).
l ICAP REQMOD response has Status Code 204.
o The ACOS device sends the original intercepted HTTP request to the web server.
l ICAP REQMOD response has Status Code 100.
o The ACOS device needs to send more data to the ICAP server.
l ICAP REQMOD response has Status Code 200 and contains an HTTP response.
o The ACOS device does not send an HTTP request to the web server. Instead, it
sends this HTTP response back to the client.
l ICAP REQMOD response has any other Status Code.
o The ACOS device treats the ICAP response as if it were Status Code 204.

Configuration Options

1. After HTTP header processing is done, ACOS checks the allowed methods and the minimum
payload size (if a payload exists). If both checks are passed, ACOS proceeds to the
next step.
a. The allowed HTTP methods are specified by the allowed-http-methods command
under template reqmod-icap.
b. The minimum payload length is specified by the min-payload-size command
under template reqmod-icap.
2. When copying the request, if the include-protocol-in-uri command is configured,
the server URL is converted to an absolute URI with the protocol, host and port number
in the URI. The user-defined X- headers described in “ICAP Extensions,
draft-stecher-icap-subid-00.txt” are used for this purpose.
3. If secure ICAP is configured by the template server-ssl command, the TCP SSL callback
routines are used. But, if the template server-ssl command is not enabled, the
regular ICAP handshake proceeds.
4. The ICAP packet is built and sent to the ICAP server.
5. When the ICAP server responds, if the handshake is SSL, ACOS decrypts and calls the
ICAP processing code.
6. ACOS logs the ICAP transaction information.
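The pre-filter of step 1 and the status-code handling of the REQMOD message exchange, as an added Python example (not ACOS code): a minimal ICAP/1.0 response parser using the RFC 3507 layout (status line, headers, blank line, encapsulated data) and the dispatch that picks the ICAP client's next action, plus the allowed-http-methods / min-payload-size gate. The sample messages are constructed, and the action names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ReqmodTemplate:
    """The two pre-filter options of 'slb template reqmod-icap' used in step 1."""
    allowed_http_methods: Optional[Set[str]] = None  # None = all methods (the default)
    min_payload_size: int = 4096                     # bytes; the default named in this chapter


def should_send_to_icap(method: str, payload_len: int, tmpl: ReqmodTemplate) -> bool:
    """Step 1: only requests that pass both checks are copied to the ICAP server.
    The payload-size check applies only when a payload exists."""
    if tmpl.allowed_http_methods is not None and method.upper() not in tmpl.allowed_http_methods:
        return False
    if 0 < payload_len < tmpl.min_payload_size:
        return False
    return True


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split an ICAP response into (status code, headers, encapsulated section).
    Layout as in RFC 3507: status line, header lines, blank line, encapsulated data."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    version, code, *_ = lines[0].split(b" ", 2)
    if version != b"ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return int(code), headers, encapsulated


def dispatch_reqmod_response(raw: bytes, original_request: bytes) -> Tuple[str, Optional[bytes]]:
    """Step 4 of the message exchange: what the ICAP client does with the REQMOD response.
    Returns (action, payload); action is one of 'send_modified_request',
    'send_original_request', 'send_more_data' or 'reply_to_client'.
    Any status other than 100 or 200 is handled like 204."""
    code, headers, encapsulated = parse_icap_response(raw)
    if code == 100:
        return "send_more_data", None
    if code == 200:
        # The Encapsulated header tells whether the body carries an HTTP request
        # (req-hdr, a rewritten request) or an HTTP response (res-hdr, e.g. a block page).
        enc = headers.get("encapsulated", "")
        if enc.startswith("req-hdr"):
            return "send_modified_request", encapsulated
        if enc.startswith("res-hdr"):
            return "reply_to_client", encapsulated
    return "send_original_request", original_request


# Constructed sample messages; not captured from a real ICAP server.
ORIGINAL_REQUEST = b"GET /search?q=payroll HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REWRITTEN_REQUEST = b"GET /search?q=redacted HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BLOCK_PAGE = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

REQMOD_204 = b'ICAP/1.0 204 No Content\r\nISTag: "sample-1"\r\n\r\n'
REQMOD_100 = b"ICAP/1.0 100 Continue\r\n\r\n"
REQMOD_500 = b"ICAP/1.0 500 Server Error\r\n\r\n"
REQMOD_200_REQUEST = (
    b'ICAP/1.0 200 OK\r\nISTag: "sample-1"\r\n'
    b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(REWRITTEN_REQUEST)
    + REWRITTEN_REQUEST
)
REQMOD_200_RESPONSE = (
    b'ICAP/1.0 200 OK\r\nISTag: "sample-1"\r\n'
    b"Encapsulated: res-hdr=0, null-body=%d\r\n\r\n" % len(BLOCK_PAGE)
    + BLOCK_PAGE
)

if __name__ == "__main__":
    tmpl = ReqmodTemplate(allowed_http_methods={"GET", "POST"})
    print("GET without payload ->", should_send_to_icap("GET", 0, tmpl))
    print("POST with 100 bytes ->", should_send_to_icap("POST", 100, tmpl))
    for msg in (REQMOD_204, REQMOD_200_REQUEST, REQMOD_200_RESPONSE, REQMOD_100, REQMOD_500):
        status_line = msg.split(b"\r\n")[0].decode("ascii")
        print(status_line, "->", dispatch_reqmod_response(msg, ORIGINAL_REQUEST)[0])
```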

Inside Partition/Device Configuration


This section refers to the outside and inside ACOS devices in the SSLi configuration.
Equivalent configurations can be provisioned on a single ACOS device split into inside and
outside partitions. The inside partition performs decryption and is often called the
decryption partition, while the outside partition performs re-encryption and is often called
the re-encryption partition.

NOTE: Although this example shows ICAP configured on the inside ACOS
device virtual port 443, it can alternatively be configured on the
outside ACOS device on virtual port 8080 that receives decrypted
traffic. See Outside Partition/Device Configuration.

CLI Configuration

This section describes how to add ICAP services to SSLi and configures ICAP on the inside
ACOS device.

1. First, configure the IP address of the ICAP server and create an ICAP service group to
provide a path to the ICAP server. This example assumes that the ICAP server is listening
over port 1344.

ACOS-Inside(config)# slb server ICAP_server_1 10.1.260.11
ACOS-Inside(config-real server)# port 1344 tcp
ACOS-Inside(config)# slb service-group SG_ICAP tcp

ACOS-Inside(config-slb svc group)# member ICAP_server_1 1344

2. Create the ICAP REQMOD template. Include the ICAP service group and the URL of the
ICAP REQMOD service:

The template reqmod-icap command provisions the ICAP server for ICAP REQMOD messaging,
and the template respmod-icap command provisions the ICAP server for ICAP RESPMOD
messaging.
ACOS-Inside(config)# slb template reqmod-icap REQMOD_abcd
ACOS-Inside(config-reqmod-icap)# service-group SG_ICAP
ACOS-Inside(config-reqmod-icap)# service-url icap://dlpserver:1344/reqmod

3. Optionally, the REQMOD connection can be secured by enabling SSL with an SSL-server
template, such as is shown in the following commands:

ACOS-Inside(config)# slb template reqmod-icap REQMOD_abcd
ACOS-Inside(config-reqmod-icap)# service-group SG_ICAP
ACOS-Inside(config-reqmod-icap)# service-url icap://dlpserver:11344/reqmod
ACOS-Inside(config-reqmod-icap)# template server-ssl ssl

4. Create the ICAP RESPMOD template. Include the ICAP service group and the URL of the
ICAP RESPMOD service:
ACOS-Inside(config)# slb template respmod-icap RESPMOD_abcd
ACOS-Inside(config-respmod-icap)# service-group SG_ICAP
ACOS-Inside(config-respmod-icap)# service-url icap://dlpserver:1344/respmod

5. Optionally, the RESPMOD connection can be secured by enabling SSL with an SSL-server
template, such as is shown in the following commands:
ACOS-Inside(config)# slb template respmod-icap RESPMOD_abcd
ACOS-Inside(config-respmod-icap)# service-group SG_ICAP
ACOS-Inside(config-respmod-icap)# service-url icap://dlpserver:11344/respmod
ACOS-Inside(config-respmod-icap)# template server-ssl ssl

6. Bind the ICAP templates to the HTTPS virtual port of the wildcard VIP configured in the
“Two-Device Static-HTTPS-Port SSLi Configuration” on page 31. The template reqmod-icap and
template respmod-icap lines are the binding commands.
ACOS-Inside(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd
ACOS-Inside(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd
ACOS-Inside(config-slb vserver-vport)# service-group FW1_Inspect_SG

ACOS-Inside(config-slb vserver-vport)# no-dest-nat port-translation

NOTE: The order of packet processing for HTTP Layer 7 virtual ports is described in the
“Usage Guidelines” section of the port command (virtual server configuration mode/level)
in the Config Commands: SLB Virtual Servers document.

7. When you bind an ICAP template to the HTTP or HTTPS port of a virtual server, you are
configuring the ACOS device to operate as an ICAP client. This enables the ACOS device
to forward decrypted intercepted traffic to the ICAP servers specified in the template.

GUI Configuration

Configure the RESPMOD and REQMOD templates.

1. Navigate to ADC >> Templates >> L7 Protocols


2. To begin the creation of the RESPMOD template, click the + Create button and select
RESPMOD.

3. When the Create RESPMOD Template pop-up window appears, the only required field
is the Name of the template. In this example we configure the following fields:
a. The previously configured service group, SG_ICAP provides a path over which
ACOS can connect to the RESPMOD and REQMOD servers. Select SG_ICAP for the
Service Group field.
b. The URL of the RESPMOD server is entered as service-url icap://dlpserver:1344/respmod.

4. Click the Create button to complete the creation of the RESPMOD template.
5. To begin the creation of the REQMOD template, click the + Create button and select
REQMOD.

6. When the Create REQMOD Template pop-up window appears, the only required field
is the Name of the template. In this example we configure the following fields:
a. The previously configured service group, SG_ICAP provides a path over which
ACOS can connect to the RESPMOD and REQMOD servers. Select SG_ICAP for the
Service Group field.

b. The URL of the REQMOD server is entered as service-url icap://dlpserver:1344/reqmod.

7. Click the Create button to complete the creation of the REQMOD template.

For a static-port SSLi configuration in which there is an inside virtual server and an outside
virtual server in separate partitions or configured on separate ACOS devices, the following
steps bind the RESPMOD and REQMOD templates to the inside VIP to enable ICAP RESPMOD
and REQMOD services.

Bind the RESPMOD and REQMOD templates to the inside SSLi VIP.

1. Navigate to Security >> SSLi >> Services.


2. Assuming SSLi is already configured, click the Edit button of the inside VIP.
3. When the Update SSLi Service pop-up window appears, click the Edit button of the
https 443 virtual port.
4. When the Update SSLi Service Port pop-up window appears, click More Options...
5. Notice that the client-ssl template that you previously configured on the inside SSLi
virtual server appears.
6. In the Templates field, select reqmod-icap from the drop-down list and then click the
+Add button.
7. A new row should appear for the reqmod-icap template above the client-ssl row. For
the Name of the reqmod-icap template, select REQMOD_abcd which was created
above. Click Apply to bind the template to the port.
8. To bind the RESPMOD_abcd template to the port, select respmod-icap, and click
+Add.
9. Select RESPMOD_abcd (also created above) and click Apply to bind the template to
the port.

Outside Partition/Device Configuration


The following example shows ICAP configured on the outside ACOS device.

The ICAP templates are bound to virtual port 8080 because that is the port that receives
decrypted SSL traffic.


ACOS-Outside(config)# slb virtual-server Outside_VIP 0.0.0.0 acl 101
ACOS-Outside(config-slb vserver)# port 8080 http
ACOS-Outside(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Outside(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS-Outside(config-slb vserver-vport)# template server-ssl SSLInsight_ServerSide
ACOS-Outside(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd
ACOS-Outside(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd
ACOS-Outside(config-slb vserver-vport)# exit

Show Commands

l Use the show slb icap and show slb icap-http commands to view the ICAP counters
and ICAP-HTTP block counters.
l The show slb icap command displays statistics that include both blocked and not
blocked traffic.
l The show slb icap-http command displays the statistics specific to ICAP blocked
traffic. When traffic is blocked by the ICAP server, it sends the HTTP response to ACOS.

Configuration Options
The following topics are covered:

Pre-Filtering Traffic Before ICAP 277

Include Protocol and Port in HTTP URI 278

ICAP Templates Configuration 279

Pre-Filtering Traffic Before ICAP

In some scenarios, you may wish to control what traffic you forward to ICAP and what traffic
bypasses ICAP. Filtered traffic bypasses ICAP.

l Allowed HTTP methods

The allowed-http-methods command is a REQMOD template option that specifies what
HTTP traffic methods are forwarded to ICAP servers. By default, all methods are
forwarded. The GUI equivalent field is Allowed HTTP Methods.

l Minimum payload size

The min-payload-size command is a REQMOD and RESPMOD template option that specifies
the smallest payload size that is forwarded to ICAP servers. By default, payloads that
are smaller than 4096 bytes bypass ICAP. The GUI equivalent field is Min Payload Size.

Include Protocol and Port in HTTP URI

When a connection request is forwarded through HTTPS transparent proxy (such as ACOS
SSLi), ICAP forwards the entire URL (including URL scheme and FQDN) of the site requested.

In the scenario where there is a web proxy with authentication, you can configure the web
proxy to relay the user information, and would configure ICAP on the outside ACOS device.
(See FIGURE 15-2.) The following example illustrates this scenario in two configuration steps.

FIGURE 15-2: ICAP Services in a Proxy Chain Topology

1. To provision the outside VIP to relay the original port and protocol that was changed
during decryption functions, the ICAP templates are configured with the
include-protocol-in-uri command.

ACOS(config)# slb template reqmod-icap REQMOD_abcd
ACOS(config-reqmod-icap)# include-protocol-in-uri
ACOS(config)# slb template respmod-icap RESPMOD_abcd
ACOS(config-respmod-icap)# include-protocol-in-uri
ACOS-Outside(config)# slb virtual-server Outside_VIP 0.0.0.0 acl 101
ACOS-Outside(config-slb vserver)# port 8080 http
ACOS-Outside(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Outside(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS-Outside(config-slb vserver-vport)# template server-ssl SSLInsight_ServerSide
ACOS-Outside(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd
ACOS-Outside(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd
ACOS-Outside(config-slb vserver-vport)# exit

2. To use the include-protocol-in-uri for ICAP on the outside ACOS device (or re-
encrypt partition), you also need to have the X-Protocol-Port header injected on the
inside ACOS device (or decrypt partition) via HTTP template.

ACOS-Inside(config)# slb template http insert_port
ACOS-Inside(config-http)# request-header-insert "X-Protocol-Port: https 443"

3. Apply the HTTP template under the virtual port 443 https of the inside ACOS device.

ACOS-Inside(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS-Inside(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Inside(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-slb vserver-vport)# template http insert_port
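As an added illustration of what steps 1 through 3 accomplish (example code written for this page, not ACOS code or the guide's own): the inside device has replaced the client's HTTPS connection to port 443 with plain HTTP on port 8080, so the X-Protocol-Port header is the only record of the original scheme and port, and the outside device needs it to put the real URL, scheme and port included, into the ICAP request. The request text, the `original_absolute_uri` function and the assumption that the decrypted transport is http on port 8080 are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a decrypted request as it leaves the inside (decrypt) device.
# The client originally connected with https to port 443; the inside device's
# HTTP template inserted "X-Protocol-Port: https 443" before forwarding plain HTTP.
SAMPLE_REQUEST = (
    "GET /tbproxy/af/query?client=Google%20Chrome HTTP/1.1\r\n"
    "Host: clients1.google.com\r\n"
    "X-Protocol-Port: https 443\r\n"
    "User-Agent: constructed-sample\r\n"
    "\r\n"
)

# Transport the outside device actually sees on its virtual port (port 8080 http above).
DECRYPTED_SCHEME, DECRYPTED_PORT = "http", 8080
KNOWN_SCHEMES = ("http", "https")


def parse_request_head(raw):
    """Split an HTTP/1.1 request head into (method, target, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def original_absolute_uri(raw):
    """Return (method, absolute URL) as the ICAP server should see the request.

    With the X-Protocol-Port hint the URL carries the client's real scheme and
    port (https, 443). Without it, only the post-decryption transport is known,
    so the ICAP server would see "http://host:8080/..." and could not apply
    HTTPS-specific policy to the transaction.
    """
    method, target, _, headers = parse_request_head(raw)
    host = headers.get("host")
    if not host:
        raise ValueError("request has no Host header; cannot build an absolute URI")
    hint = headers.get("x-protocol-port")
    if hint is None:
        scheme, port = DECRYPTED_SCHEME, DECRYPTED_PORT
    else:
        fields = hint.split()
        if len(fields) != 2 or fields[0].lower() not in KNOWN_SCHEMES or not fields[1].isdigit():
            raise ValueError("malformed X-Protocol-Port header: %r" % hint)
        scheme, port = fields[0].lower(), int(fields[1])
        if not 1 <= port <= 65535:
            raise ValueError("X-Protocol-Port port out of range: %d" % port)
    # The target may be origin-form (/path?q) or absolute-form (scheme://h/path?q);
    # either way only its path and query are reused.
    parts = urlsplit(target)
    netloc = "%s:%d" % (host.split(":")[0], port)
    return method, urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))
```

The explicit ":443" is kept in the rebuilt URL because that is the form the ICAP log lines later in this chapter show.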

ICAP Templates Configuration

The following REQMOD template options are described in detail in the “Config Commands:
SLB REQMOD ICAP Templates” section of the Command Line Interface Reference for ADC.

l allowed-http-methods - List of allowed HTTP methods

l include-protocol-in-uri - Include the protocol and port in the HTTP URI sent to the
ICAP server

l preview - The number of bytes that ACOS forwards to the ICAP server at the beginning
of a transaction

l service-url - The URLs of the ICAP servers

The following RESPMOD template options are described in greater detail in the “Config
Commands: SLB RESPMOD ICAP Templates” section of the Command Line Interface Reference for
ADC.

l fail-close - Mark the virtual port down when the template service group is down

l min-payload-size - Set the minimum payload size sent to the ICAP server

l service-group - The names of the ICAP service groups

l template - ACOS logging, server-ssl, and tcp-proxy templates applied to these ICAP
transactions

Configuring ACOS Logging

The following steps provision ACOS logging in the ICAP templates, RESPMOD_abcd and
REQMOD_abcd:

1. Create the logging template.

ACOS-Inside(config)# slb template logging log-template
ACOS-Inside(config-logging)# local-logging 1

2. Bind the logging template to the ICAP template.

ACOS-Inside(config)# slb template reqmod-icap REQMOD_abcd
ACOS-Inside(config-reqmod-icap)# template logging log-template
!
ACOS-Inside(config)# slb template respmod-icap RESPMOD_abcd
ACOS-Inside(config-respmod-icap)# template logging log-template

3. Configure the ICAP service URL. You have two choices.

l Use TCP port 1344 for a non-secure connection.

ACOS-Inside(config)# slb template reqmod-icap REQMOD_abcd
ACOS-Inside(config-reqmod-icap)# service-url icap://dlpserver:1344/reqmod
!

l Use TCP port 11344 for a secure ICAP connection.

ACOS-Inside(config)# slb template reqmod-icap Secure_ICAP_Req
ACOS-Inside(config-reqmod-icap)# service-url icap://dlpserver:11344/reqmod

Log Example

The following two logs provide an example of an ICAP transaction between an ACOS TH5430 and a
RESPMOD server. Web logging is described in detail in the “Web Logging for HTTP and RAM
Caching” section of the Application Delivery and Server Load Balancing Guide.

CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:42|RESPONSE|2|src=40.36.1.176 spt=55906 dst=40.36.108.108 Status:200 user:(null) req="POST https://clients1.google.com:443/tbproxy/af/query?client=Google%20Chrome HTTP/1.1 " 0 msg="RESPMOD"

CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:42|REQUEST|2|src=40.36.1.176 spt=55906 dst=40.36.108.108 Sent user:(null) req="POST https://clients1.google.com:443/tbproxy/af/query?client=Google%20Chrome HTTP/1.1 " 0 msg="RESPMOD"
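The following is an added example, not part of the guide or A10's code, that parses the two log lines above (re-joined onto single lines and embedded as constructed sample input) so that the source address, client port, status and requested URL can be checked programmatically. The header field names and the `unattributed_transactions` check are this example's own choices, not A10 field names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two log lines shown above, each re-joined onto one line.
SAMPLE_LOGS = [
    'CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:42|RESPONSE|2|src=40.36.1.176 spt=55906 '
    'dst=40.36.108.108 Status:200 user:(null) req="POST '
    'https://clients1.google.com:443/tbproxy/af/query?client=Google%20Chrome HTTP/1.1 " 0 '
    'msg="RESPMOD"',
    'CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:42|REQUEST|2|src=40.36.1.176 spt=55906 '
    'dst=40.36.108.108 Sent user:(null) req="POST '
    'https://clients1.google.com:443/tbproxy/af/query?client=Google%20Chrome HTTP/1.1 " 0 '
    'msg="RESPMOD"',
]

# Header layout as it appears in the sample: eight pipe-separated fields, then the extension.
# The field names are this example's own labels.
HEADER_FIELDS = ("cef_version", "vendor", "product", "product_version",
                 "signature_id", "timestamp", "name", "severity")

# Extension tokens are key=value or key:value; a value is either double-quoted or runs to
# the next space. Bare words such as "Sent" or the trailing "0" are not tokens and are skipped.
EXT_TOKEN = re.compile(r'(\w+)[=:]("(?:[^"\\]|\\.)*"|\S+)')


def parse_cef(line):
    """Parse one A10 CEF line into a dict; raise ValueError if the header is malformed."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("CEF header has %d fields, expected %d"
                         % (len(parts) - 1, len(HEADER_FIELDS)))
    record = dict(zip(HEADER_FIELDS, parts))
    record["severity"] = int(record["severity"])
    ext = {}
    for key, value in EXT_TOKEN.findall(parts[-1]):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        ext[key] = value
    record["ext"] = ext
    return record


def request_parts(record):
    """Split req="METHOD URL VERSION" into its pieces plus the URL's scheme, host and port."""
    req = record["ext"].get("req", "").strip()
    method, url, version = req.split(" ", 2)
    u = urlsplit(url)
    return {"method": method, "url": url, "http_version": version,
            "scheme": u.scheme, "host": u.hostname, "port": u.port}


def unattributed_transactions(lines):
    """Return (event name, URL) for ICAP transactions that carry no user identity.

    user:(null) means the proxy chain relayed no authenticated user, which matters
    when the ICAP/DLP server is expected to apply per-user policy.
    """
    found = []
    for line in lines:
        rec = parse_cef(line)
        if rec["ext"].get("user") == "(null)":
            found.append((rec["name"], request_parts(rec)["url"]))
    return found
```

Because the URL in the log already carries the scheme and port (https, 443), the parsed record shows the ICAP server received the original client request, not the decrypted http transport.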

Chapter 16: Certificate and Keys Management
This section describes managing SSL certificates, private keys, and Certificate Revocation
Lists (CRLs). An ACOS device can offload SSL processing from servers or, for some types of
traffic, can be used as an SSL proxy.

The following topics are covered:

SSL Certificate Management 283

CAs and CSRs Management 312

OCSP Certificate Management 346


SSL Certificate Management


Some types of client-server traffic need to be encrypted for security. For example, traffic for
online shopping must be encrypted to protect sensitive account information from being
stolen.

Commonly, clients and servers use SSL or TLS to secure traffic. For example, a client that is
using a shopping application on a server will encrypt data before sending it to the server. The
server will decrypt the client’s data, then send an encrypted reply to the client. The client will
decrypt the server reply, and so on. SSL is an older version of TLS.

The ACOS device supports the following SSL and TLS versions:

l SSL v3.0
l TLS v1.1
l TLS v1.2
l TLS v1.3

By default, the following RFC standards are supported in ACOS:

l RFC 3268 - AES Cipher suites for TLS. For simplicity, elsewhere this document and
other ACOS user documents use the term “SSL” to mean both SSL and TLS.
l RFC 5746 - Renegotiation Indication Extension along with the renegotiation_info TLS
extension. It allows ACOS to securely renegotiate TLS connections with clients, using existing
secure connections. SSL renegotiation is supported on the Software SSL (TLS 1.3) module
only and not on the Software SSL (TLS 1.2) module.
l RFC 1421 - Privacy Enhanced Mail (PEM) format for certificate files and CRLs. It allows
ACOS to process PEM format and RSA encryption.
l RFC 7627 - Extended Master Secret (EMS) (and a TLS extension). It defines a TLS extension
that contextually binds the master secret to a log of the full handshake that computes it,
which prevents man-in-the-middle (MITM) attacks.

283
Chapter 16: Certificate and Keys Management
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

NOTE: When an SSL certificate expires or is near expiration, the ACOS


device will automatically send a system log warning, rather than
a system log notice. For information on enabling SNMP traps for
SSL certificate events, refer to the System Configuration and
Administration Guide.

CA Certificate Chaining

SSLi requires a CA certificate and key pair to decrypt traffic between clients and any
external SSL servers that are not controlled by the same organization. When an internal user
from the client network initiates any SSL communication with an external server, the SSLi
solution intercepts the server certificate from the original server, modifies the certificate and
then re-signs it using the CA certificate. This proxy certificate is then sent to the internal
user as a server certificate of the original server.

This CA certificate must be signed by the root CA. Otherwise, internal users see an SSL
untrusted root error whenever they try to connect to an SSL-enabled website. Import the
CA certificate and key pair to the ACOS_decrypt. This CA certificate must be trusted by the
client web browsers. There are a number of third-party certificate distribution solutions
available for this function. Microsoft Group Policy Manager is a recommended tool for
Windows-based clients.

In the following example, the CA certificate for SSLi is signed by another trusted
intermediate CA instead of a root CA. A CA certificate chain is required to complete the chain of
trust. The CA certificate chain is created by concatenating the intermediate CA certificates
from the one for SSLi up to the one signed by the root CA. In this example, the intermediate
CA certificate is signed by the root CA. The certificate chain includes two certificates and the
root CA (ca.cert.pem).

284
Chapter 16: Certificate and Keys Management
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

FIGURE 16-1: SSLi CA Certificate Chain

After the intermediate CA and certificate chain are ready, you can import both as a cer-
tificate type into the SSLi device. Since CSR is used, the private key (ssli-ca.key) is already on
the SSLi device.

From the client’s perspective, the SSL session is directly between the client and the outside
SSL server. However, the SSL session is actually between the ACOS_decrypt device and the
client.

The following is the workflow for the exchange of security certificates during the SSLi
operation:

1. The client sends a request to set up an SSL session with the outside server.
2. Assuming that ACOS_decrypt has cached a proxied certificate for the outside server, it
presents the certificate to the client.
3. If the client browser contains a copy of the proxied certificate, the client trusts ACOS_
decrypt and allows the SSL session to be set up.
4. If ACOS_decrypt has not cached a proxied certificate for the outside server, then:
a. It opens an SSL session with the server and retrieves the server’s public certificate.
b. It modifies and re-signs it with its imported private key to create the needed proxied
certificate. The header information is specifically extracted from the server
certificate.
c. The issuer and the public key are changed as specified in the client-SSLi template.
d. The modified certificate is then re-signed with the CA private key specified in the
client-SSLi template.

The default CA bundle is used for remote certificate validation. The trusted CA certificates
imported from browsers such as Mozilla do not require importing of any private keys.

Ensure that you have the latest root certificate bundle for remote certificate validation. The
default_ca_bundle may not contain the latest certificates. It is highly recommended to
update the default_ca_bundle periodically using either an automated or manual process. For
the most current root certificates, refer to Mozilla Certs.

Additionally, the device administrators can automatically update the default CA bundle
(a10_autoupdate_ca) from the GLM server using the 'automatic-update' option. The CA bundle
file is from CA Extracts.

NOTE: Before using the automatic-update feature, ensure that the
device is registered with the Global License Manager (GLM).

For more information on:

l How to register the device with GLM, refer to the 'Activating your Appliance' section in the
Global License Manager User Guide.
l How to update the CA bundle, refer to the 'automatic-update ca-bundle' section in the
Command Line Reference Guide.

CA-Signed and Self-Signed Certificates

Typically, clients have a certificate store that includes certificates signed by the various root
CAs. The certificate store may also have some non-CA certificates that can be validated by a
root CA certificate, either directly or through a chain of certificates that end with a root
certificate.

Each certificate is digitally “signed” to validate its authenticity. Certificates can be
CA-signed or self-signed:

l CA-signed – A CA-signed certificate is a certificate that is created and signed by a
recognized Certificate Authority (CA). To obtain a CA-signed certificate, an admin creates
a key and a Certificate Signing Request (CSR), and sends the CSR to the CA. The
CSR includes the key.

The CA then creates and signs a certificate. The admin installs the certificate on the
ACOS device. When a client sends an HTTPS request, the ACOS device sends a copy of
the certificate to the client, to verify the identity of the server (ACOS device).

To ensure that clients receive the required chain of certificates, you also can send
clients a certificate chain in addition to the server certificate. (See Certificate Chain.)

The example in Typical SSL Handshake (simplified) uses a CA-signed certificate.

l Self-signed – A self-signed certificate is a certificate that is created and signed by the
ACOS device. A CA is not used to create or sign the certificate.

CA-signed certificates are considered to be more secure than self-signed certificates.
Likewise, clients are more likely to be able to validate a CA-signed certificate than a
self-signed certificate. If you configure the ACOS device to present a self-signed
certificate to clients, the client’s browser may display a certificate warning. This can be
alarming or confusing to end users. Users can select the option to trust a self-signed
certificate, in which case the warning will not re-appear.

CA Certificate Versus SSL Certificate

Although both terms, CA certificate and SSL certificate, refer to certificates used in the
SSL protocol, ACOS reserves the term SSL certificate for self-signed certificates that are
used to create proxied certificates for SSL handshaking with clients in the SSLi, SSL Proxy or
SSL offload applications. SSL certificates require a private key to be proxied.

CA certificates are issued by publicly recognized certificate authorities. These certificates
are used for other purposes.

SSL Handshake Workflow

SSL works using certificates and keys. Typically, a client will begin a secure session by
sending an HTTPS request to a VIP. The request begins an SSL handshake. The ACOS device will
respond with a digital certificate, to provide verification of the content server’s identity.

From the client’s perspective, this certificate comes from the server. Once the SSL handshake
is complete, the client begins an encrypted client-server session with the ACOS device.

FIGURE 16-2 shows a simplified example of an SSL handshake. In this example, the ACOS
device is acting as an SSL proxy for backend servers.

FIGURE 16-2: Typical SSL Handshake (simplified)

To begin, the client sends an HTTPS request. The request includes some encryption details
such as the cipher suites supported by the client.

The ACOS device, on behalf of the server, checks for a client-SSL template bound to the VIP.
If a client-SSL template is bound to the VIP, the ACOS device sends all the digital certificates
contained in the template to the client.


The client browser checks its certificate store (sometimes called the certificate list) for a
copy of the server certificate. If the client does not have a copy of the server certificate, the
client will check for a certificate from the Certificate Authority (CA) that signed the server
certificate.

Certificate Chain

Ultimately, a certificate must be validated by a root CA. Certificates from root CAs are the
most trusted. They do not need to be signed by a higher (more trusted) CA.

If the CA that signed the certificate is a root CA, the client browser needs a copy of the root
CA’s certificate. If the CA that signed the server certificate is not a root CA, the client
browser should have another certificate or a certificate chain that includes the CA that
signed the CA’s certificate.

A certificate chain contains the “chain” of signed certificates that leads from the CA to the
signature authority that signed the certificate for the server. Typically, the certificate
authority that signs the server certificate also will provide the certificate chain. SSL Certificate
Chain Example shows an example of a certificate chain containing three certificates:

FIGURE 16-3: SSL Certificate Chain Example


-----BEGIN CERTIFICATE-----
ZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRw
Oi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQAD
gYEAheIVEe8vArUOZxKkUIGjaYymzJAh8Ty0uUPrikLpQ0IGezByVdbDUJ+HQLGp
2eruTPZpBNADaEfymstIPIxrsuCRhyr3Ymsa2rgzwy9kSXeG83H7E7HxRnpxDNZ8
l+uzpU/rk4j3bO/JVxPZMnwzMWriPSYgL1EKYcOSKyReACOSQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRw
Oi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQAD
gYEAheIVEe8vArUOZxKkUIGjaYymzJAh8Ty0uUPrikLpQ0IGezByVdbDUJ+HQLGp
2eruTPZpBNADaEfymstIPIxrsuCRhyr3Ymsa2rgzwy9kSXeG83H7E7HxRnpxDNZ8
l+uzpU/rk4j3bO/JVxPZMnwzMWriPSYgL1EKYcOSKyReACOSQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRw
Oi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQAD
gYEAheIVEe8vArUOZxKkUIGjaYymzJAh8Ty0uUPrikLpQ0IGezByVdbDUJ+HQLGp
2eruTPZpBNADaEfymstIPIxrsuCRhyr3Ymsa2rgzwy9kSXeG83H7E7HxRnpxDNZ8
l+uzpU/rk4j3bO/JVxPZMnwzMWriPSYgL1EKYcOSKyReACOSQ=
-----END CERTIFICATE-----

The certificate chain file and the server certificate files are text files. Each certificate must
begin with the “-----BEGIN CERTIFICATE-----” line and end with the
“-----END CERTIFICATE-----” line.

The certificate at the top of the certificate chain file is the root CA’s certificate. The next
certificate is an intermediary certificate signed by the root CA. The next certificate is signed by
the intermediate signature authority that was signed by the root CA.

A certificate chain in an SSL template must begin at the top with the root CA’s certificate,
followed in order by the intermediary certificates. If the certificate authority that signs the
server certificate does not provide the certificate chain in a single file, you can use a text
editor to chain the certificates together in a single file as shown in SSL Certificate Chain
Example.
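An added example (not A10's code or the guide's own) of a checker for the chain-file rules just stated: it splits a PEM bundle into its certificates, enforces the BEGIN/END bracketing and a base64 body for each, and rejects a truncated or nested block. The sample certificates are constructed byte strings wrapped in PEM markers, not real X.509 data, so the check is structural only; verifying that each certificate in the file was actually signed by the one above it is a separate cryptographic step (for example with openssl verify).

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem_chain(text):
    """Split a certificate chain file into DER blobs, in file order (top to bottom).

    Enforces what the guide requires of the file: every certificate is bracketed by
    the BEGIN/END lines and the body between them is valid base64. Lines outside
    the markers (the "subject=" comments some tools emit) are tolerated; a missing
    END line, a nested BEGIN, or an undecodable body raises ValueError.
    """
    blobs = []
    body = None  # None while outside a block, a list of body lines while inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                raise ValueError("line %d: BEGIN inside an unterminated certificate" % lineno)
            body = []
        elif line == END:
            if body is None:
                raise ValueError("line %d: END without a matching BEGIN" % lineno)
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError("certificate ending at line %d is not valid base64: %s"
                                 % (lineno, exc))
            if not der:
                raise ValueError("certificate ending at line %d has an empty body" % lineno)
            blobs.append(der)
            body = None
        elif body is not None and line:
            body.append(line)
    if body is not None:
        raise ValueError("file ends inside a certificate (missing END line)")
    if not blobs:
        raise ValueError("no certificates found")
    return blobs


def build_chain(*pem_certs):
    """Concatenate PEM certificates in the order given: root CA first, then each intermediate."""
    return "".join(c if c.endswith("\n") else c + "\n" for c in pem_certs)


def constructed_pem(label):
    """Wrap constructed, non-X.509 bytes in PEM markers (demo input only, not a real cert)."""
    payload = ("constructed certificate body: %s" % label).encode() * 3
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END]) + "\n"


# Constructed chain in the order the guide requires: root, intermediate, then the SSLi CA.
ROOT_PEM = constructed_pem("root CA")
INTERMEDIATE_PEM = constructed_pem("intermediate CA")
SSLI_CA_PEM = constructed_pem("SSLi CA")
CHAIN_PEM = build_chain(ROOT_PEM, INTERMEDIATE_PEM, SSLI_CA_PEM)
```

Running `split_pem_chain` over a file before importing it catches the two mistakes a text editor most easily introduces when concatenating certificates: a block whose END line was lost, and stray characters pasted into a base64 body.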

Certificate Warning from Client Browser

After the client browser validates the server certificate, the client accepts the certificate and
begins an encrypted session with the ACOS device.

If the client cannot validate the server certificate or the certificate is out of date, the client’s
browser may display a certificate warning. FIGURE 16-4 shows an example of a certificate
warning displayed by Internet Explorer.

FIGURE 16-4: Example of Certificate Warning

NOTE: It is normal for the ACOS device to display a certificate warning
when an admin accesses the ACOS management GUI. Certificates
used for SLB are not used by the management GUI.

Certificates in SSL Templates

You can install more than one key-certificate pair on the ACOS device. The ACOS device
selects the certificate(s) to send a client or server based on the SSL template bound to the VIP.
You can bind the following types of SSL templates to VIPs:

l Client-SSL template – Contains keys and certificates for SSL-encrypted traffic between
clients and the ACOS device. A client-SSL template can also contain a certificate chain.

NOTE: If you replace a certificate and key in a client-SSL or server-SSL
template, you must unbind the template from the virtual ports
that use it, then rebind the template to the virtual ports, to place
the change into effect.

One client-SSL template can have two certificate-key pairs configured. Once a
certificate-key pair is configured, its certificate or key cannot be changed in place.
To update a certificate or key, remove the old one and then add the new one.

Client-SSL Template Configuration and Usage Guidelines

Use client-SSL templates for deployments in which traffic between clients and the ACOS
device will be SSL-encrypted. Client-SSL templates have the following options.

For the simple deployment example in Typical SSL Handshake (simplified), only the first
option (Certificate) needs to be configured. You may also need to configure the Certificate
chain option.

A client-SSL template can contain up to 128 certificates or certificate chains.

291
Chapter 16: Certificate and Keys Management
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

l Certificate – Specifies the server certificate that the VIP will send to a client when con-
figured for SSL proxy, SSL offload, or SSLi operation. The client uses this certificate to
validate the server’s identity. The certificate can be generated on the ACOS device
(self-signed) or can be signed by another entity and imported onto the ACOS device.

Only one certificate can be associated with the client-SSL template. Use the show pki
certcommand to show the list of certificates and private keys stored on the ACOS
device. Additionally, you can also update the CA bundle (a10_autoupdate_ca) installed
on the GLM server.

l Key – Specifies the name of a private key for a server certificate. If the CSR used to
request the server certificate is generated on the ACOS device, the private key is auto-
matically generated by the ACOS device, and then the private key is used to create the
public key sent to the CA in the CSR. Otherwise, the key must be imported.

Only one key can be associated with the client-SSL template. Use the show pki cert
command to show the list of certificates and private keys stored on the ACOS device.

l Early Data - Specifies the early data (0-RTT) for SSL version TLSv1.3. This allows the TLS
client to send encrypted data in the same packet as the Client Hello during the hand-
shake for resumed sessions. Optionally, enable or disable anti-replay for early data.
Additionally, you must configure session-cache-size to do PSK resumption.

l CA-Certificate – Specifies a CA certificate that the ACOS device can use to authen-
ticate the identity of a client the requesting to connect to the ACOS device. If CA cer-
tificates are required, they must be imported onto the ACOS device. The ACOS device is
not configured at the factory to contain a certificate store.

Multiple CA-certificate can be associated with the client-SSL template. Use the show
pki ca-cert command to show the list of ca-certificates.

l Certificate Revocation List (CRL) – Specifies a list of client certificates that have been
revoked by the CAs that signed them. This option is applicable only if the ACOS device
will be required to validate the identities of clients.

The CRL should be signed by the same issuer as the CA certificate. Otherwise, the cli-
ent and ACOS device will not be able to establish a connection.
l SSLv2 bypass – Redirects clients who request SSLv2 sessions to the specified service
group.

292
Chapter 16: Certificate and Keys Management
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

l Client connection-request response – Specifies the ACOS response to connection


requests from clients. This option is applicable only if the ACOS device will be required
to validate the identities of clients. The response can be one of the following:

o ignore (default) – The ACOS device does not request the client to send its cer-
tificate.

o request – The ACOS device requests the client to send its certificate. With this
action, the SSL handshake proceeds even if either of the following occurs:

o The client sends a NULL certificate (one with zero length).

o The certificate is invalid, causing client verification to fail.

Use this option if you want to the request to trigger an aFleX policy for further
processing.
o require – The ACOS device requires the client certificate. This action requests the
client to send its certificate. However, the SSL handshake does not proceed (it fails)
if the client sends a NULL certificate or the certificate is invalid.
l Session cache size – Specifies the maximum number of cached sessions for SSL session
ID reuse.

l Session cache timeout – Sets the maximum number of seconds a cache entry can
remain unused before being removed from the cache. Cache entries age according to
the ticket age time. The age time is not reset when a cache entry is used.

l Session ticket - Specifies whether the stateless SSL session ticketing feature is enabled
or disabled.
l Session ticket lifetime – Sets the lifetime for stateless SSL session ticketing. After a
client’s SSL ticket expires, they must complete an SSL handshake in order to set up the
next secure session with ACOS.

l Close-notify – Specifies whether the ACOS device sends a close_notify message when
an SSL transaction ends, before sending a FIN. This behavior is required by certain
types of applications, including PHP cgi.

l SSL False Start – Specifies whether SSL False Start is enabled. SSL False Start is an SSL
modification used by the Google Chrome browser for web optimization.

293
Chapter 16: Certificate and Keys Management
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

NOTE: The following ciphers are not supported with SSL False
Start: SSL3_RSA_DES_64_CBC_SHA, SSL3_RSA_RC4_
40_ MD5, TLS1_ RSA_ EXPORT1024_ RC4_ 56_ MD5. If no
other ciphers but these are enabled in the client-SSL tem-
plate, SSL False Start handshakes will fail.

l Cipher – Name of a cipher template containing a set of ciphers to use with clients. By
default, the client-SSL template’s own set of ciphers is used. (See Cipher Template
Configuration and Usage Guidelines.)

l Forward proxy options – Options that are used for SSL Insight.

l Authentication username attribute – Specifies the field to check in SSL certificates
from clients, to find the client name.

l Cipher Template – Specifies the cipher suites supported by the ACOS device. When the
client sends its connection request, it also sends a list of the cipher suites it can
support. The ACOS device selects the strongest cipher suite supported by the client that is
also enabled in the template, and uses that cipher suite for traffic with the client. For a
list of supported ciphers, refer to the slb template cipher command in the Command
Line Interface Reference.

Server-SSL Template Configuration and Usage Guidelines


A server-SSL template is needed only if traffic between the ACOS device and real servers will
be encrypted using SSL. In this case, the ACOS device will be required to validate the
identities of the servers.

l CA-Certificate – Specifies a CA certificate that the ACOS device can use to
authenticate the identity of a server the ACOS device is connecting to. If CA certificates are
required, they must be imported onto the ACOS device. The ACOS device is not
configured at the factory to contain a certificate store.

Multiple CA certificates can be associated with the server-SSL template. Use the show
pki ca-cert command to show the list of ca-certificates. If you need to use multiple
CA certificates in a server-SSL template, see Creating Multiple CA Certificate in Server-
SSL Templates.

l Certificate – Specifies a client certificate that the ACOS device will send to a server
when requested for client authentication. In SSL proxy and SSL Insight, when a server
requests a client’s digital certificate, the ACOS device responds on behalf of the client.
Following successful authentication, the server and ACOS device communicate over
an SSL-encrypted session.

In SSL Proxy, the client and ACOS device communicate over a non-encrypted session.
From the server’s perspective, the server has an encrypted session with the client.

In SSL Insight, the client and ACOS device communicate over an encrypted session.
From the client’s and the server’s perspective, the SSL session is fully encrypted.

l Key – Specifies a private key for the client certificate.

l SSL version – Highest (most secure) version of SSL/TLS to use. The ACOS device
supports the following SSL/TLS versions:
o SSL v3.0
o TLS v1.0 (the default)
o TLS v1.1
o TLS v1.2
o TLS v1.3

l Early Data - Specifies whether early data (0-RTT) is enabled for SSL version TLSv1.3. This
allows the server to respond immediately by including the requested data in the Server
Hello/Finished message. Additionally, you must configure either Session cache size or
Session Ticket Enable to do PSK resumption.

l Close notification – Specifies whether the ACOS device sends a close_notify message
when an SSL transaction ends, before sending a FIN. This behavior is required by
certain types of applications, including PHP cgi.

The close notification option may not work if connection reuse is also configured on the
same virtual port. In this case, when the server sends a FIN to the ACOS device, the
ACOS device will not send a FIN followed by a close notification. Instead, the ACOS
device will send a RST.

l Cipher template – Name of a cipher template containing a set of ciphers to use with
servers. By default, the server-SSL template’s own set of ciphers is used. (See Cipher
Template Configuration and Usage Guidelines.)

l Forward proxy – Enables support for capabilities required for SSL Intercept.

l Session cache size – Specifies the maximum number of cached sessions for SSL session
ID reuse.

l Session cache timeout – Sets the maximum number of seconds a cache entry can
remain unused before being removed from the cache. Cache entries age according to
the ticket age time. The age time is not reset when a cache entry is used.

l Session ticket enable – Sets the lifetime for stateless SSL session ticketing. After an SSL
ticket expires, the SSL handshake must be performed again in order to set up the next
secure session with ACOS.

l Cipher list – Specifies the cipher suites supported by the ACOS device. When the server
sends its connection request, it also sends a list of the cipher suites it can support. The
ACOS device selects the strongest cipher suite supported by the server that is also
enabled in the template and uses that cipher suite for traffic with the server. The same
cipher suites supported in client-SSL templates are supported in server-SSL templates,
for CA certificates. Support for all of them is enabled by default.

NOTE: For client certificates, the key length for SSL3_RSA_DES_40_CBC_SHA
and SSL3_RSA_RC4_40_MD5 must be 512 bits or less. The
TLS1_RSA_EXPORT1024_RC4_56_MD5 and TLS1_RSA_EXPORT1024_RC4_56_SHA
ciphers are not supported.

Cipher Template Configuration and Usage Guidelines


A cipher template contains a list of ciphers. A client or server who connects to a virtual port
that uses the cipher template can use only the ciphers that are listed in the template.

Optionally, you can assign a priority value to each cipher in the template. In this case, the
ACOS device tries to use the ciphers based on priority. If the client supports the cipher that
has the highest priority, that cipher is used. If the client does not support the highest-priority
cipher, the ACOS device attempts to use the cipher that has the second-highest priority,
and so on.


Cipher priority can be 1-100. The highest priority (most favored) is 100. By default, each
cipher has priority 1. More than one cipher can have the same priority. In this case, the
strongest (most secure) cipher is used.

NOTE:
l An SSL cipher template takes effect only when applied to
a client-SSL template or server-SSL template.
l Priority values are supported only for client-SSL templates.
If a cipher template is used by a server-SSL template, the
priority values in the cipher template are ignored.
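The following is an added model of the selection rule described above, written for this page and not ACOS code: each template cipher carries a priority from 1 to 100 (default 1), the highest priority the client also supports wins, ties go to the strongest cipher, and a server-SSL template ignores the priorities. The cipher names and their strength ranking are constructed for the example; ACOS's own cipher list and ordering are not modelled.

```python
# Constructed strength ranking used only to break priority ties: a higher index is
# stronger. The names are illustrative; ACOS's own cipher list and ranking are not modelled.
STRENGTH_ORDER = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
]


def make_template(ciphers, priorities=None):
    """Build a cipher template as {cipher: priority}; unlisted priorities default to 1."""
    priorities = priorities or {}
    template = {}
    for cipher in ciphers:
        if cipher not in STRENGTH_ORDER:
            raise ValueError("unknown cipher %s" % cipher)
        priority = priorities.get(cipher, 1)
        if not 1 <= priority <= 100:
            raise ValueError("priority for %s must be 1-100, got %d" % (cipher, priority))
        template[cipher] = priority
    return template


def select_cipher(template, client_offered, honor_priority=True):
    """Choose the cipher for a handshake, or None if nothing overlaps (handshake fails).

    Only ciphers in the template are eligible. With honor_priority (client-SSL use),
    the highest priority wins and ties go to the strongest cipher. With
    honor_priority=False (server-SSL use, where the template's priorities are
    ignored) strength alone decides.
    """
    candidates = [c for c in client_offered if c in template]
    if not candidates:
        return None

    def rank(cipher):
        priority = template[cipher] if honor_priority else 1
        return (priority, STRENGTH_ORDER.index(cipher))

    return max(candidates, key=rank)
```

The model makes one consequence of the rule visible: giving a weak cipher priority 100 means a client that supports it gets it even when both sides could have used something stronger, so priorities should be reviewed together with the cipher list itself.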

Certificate Fetching and Forging

In earlier SSLi deployments, when a server certificate fetch request was sent to a server for a
new connection, incoming new SSLi connection requests to the same server were either
bypassed or reset (depending on configuration) until the server certificate had been forged and
was ready.

However, this behavior may cause a security breach, especially when a cached certificate
expired and all subsequent connections were either reset or bypassed until a new forged
certificate was ready.

As a solution to this issue, a new configuration option in the client-SSL template lets you
buffer all new connections to a server until the forged certificate is ready. In an SSLi
deployment with OCSP and CRL checking implemented, the new connections are buffered
until a verification result is received from the server.

NOTE: The default option for this SSLi configuration is to bypass all new
connections. Hence, in order to buffer the new connections from
a server, the SSLi connection buffer option must be enabled
either through the CLI or GUI, refer to the next sections.

For the certificate not ready option, the following is the output of the help command.

ACOS_decrypt(config-client ssl)#forward-proxy-cert-not-ready-action ?
  bypass     bypass the connection(default)
  reset      reset the connection
  intercept  wait for cert and then inspect the connection

CLI Configuration
To enable SSLi connection buffering in CLI, perform the following steps:

1. Configure the client SSL template called SSLInsight_DecryptSide by running the following
commands:
ACOS_decrypt(config)# slb template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS_decrypt(config-client ssl)# forward-proxy-enable

2. Enable the intercept option for the certificate not ready stage.
ACOS_decrypt(config-client ssl)# forward-proxy-cert-not-ready-action intercept
3. Save the configuration.

GUI Configuration
For SSLi, perform the following steps:

1. Navigate to Security > SSLi > Templates > +Create.


The Create Client SSL template page is displayed.
2. Enter the name of the template.
3. Select Forward Proxy Enable.
4. Under SSLi Forward Proxy, select the CA cert and Key.
5. Under Advanced, select Intercept for Forward Proxy Cert Not Ready Action.
6. Click Create to create the template.

For ADC, perform the following steps:

1. Navigate to ADC >> Templates >> SSL >> Create >> Client SSL.
The Create Client SSL template page is displayed.
2. Enter the name of the template.
3. Select Intercept for Forward Proxy Cert Not Ready Action.


4. Continue with the other fields to create the template.

Certificate Pinning Candidate List

Certificate Pinning is a method used by certain apps to secure traffic and defend against
man-in-the-middle (MITM) attacks. In this case, an app stores or pins a copy of the original
certificate within its code, and if it sees a modified version of that certificate, the app rejects
it and resets the connection (RST).

As a solution to support such apps, SSLi provides a certificate pinning candidate list feature.
This feature maintains a list of known domain names that use certificate pinning on their client
apps.

To view or clear the certificate pinning candidate list, use the following show or clear command.
ACOS(config)# show slb ssl-cert-pinning-candidate-list
ACOS(config)# clear slb ssl-cert-pinning-candidate-list {server-name} <1-255 characters>

Show Output:
SNI               Counter  TTL
---------------------------------
youtube.com       10       1440
gmail.com         6        1440
google.com        5        1440
yahoo.com         3        1440
api.snapcraft.io  1        1430

Websites Workflow

The flow of traffic from the client to the gateway through an SSLi solution requires a security
certificate to be configured for the SSLi solution. In this section, the sequence of events,
including the security certificate exchange process, is explained for processing the SSL
traffic in a typical deployment. The process is explained for both new and revisited websites.

FIGURE 16-5: SSLi Flow of Traffic

In any typical SSLi deployment such as the one displayed in this section, the flow of traffic
from the client network to the outside network or server network is processed by the SSLi
solution as follows for new websites:

1. The client establishes an SSL connection with the remote server and receives a security
certificate from the remote server.
2. In ACOS_decrypt, the header information is extracted from the server certificate.
3. In the client SSLi template defined for ACOS_decrypt, a new security certificate is
generated by using the CA certificate specified in the client SSLi template. This
reconstructed server-hello message is sent to the client instead of the original encrypted
hello message.
4. ACOS_decrypt is now able to intercept traffic, decrypt it and send the clear-text to the
security device.
5. A new SSL session is initiated with the remote server by ACOS_encrypt.
6. Clear text data is passed from the security device to ACOS_encrypt. ACOS_encrypt
re-encrypts the data and sends it to the remote server.
7. The server response is intercepted by ACOS_encrypt, which decrypts it and passes it to
the security device.
8. The security device processes the clear text data and passes it to ACOS_decrypt.
ACOS_decrypt re-encrypts the data and sends it to the client.

Now that ACOS_decrypt has a cached certificate, if the client makes another connection
request to the remote server, the flow of traffic from the client network to the outside
network or server network is processed by the SSLi solution as follows:

1. The client establishes an SSL connection with the remote server and receives the security
certificate from the remote server.
2. ACOS_decrypt sends the client the cached certificate of the website.
3. ACOS_decrypt is now able to intercept traffic, decrypt it and send the clear-text to the
security device.
4. A new SSL session is initiated with the remote server by ACOS_encrypt.
5. Clear text data is passed from the security device to ACOS_encrypt. ACOS_encrypt
re-encrypts the data and sends it to the remote server.
6. The server response is intercepted by ACOS_encrypt, which decrypts it and passes it to
the security device.
7. The security device processes the clear text data and passes it to ACOS_decrypt.
ACOS_decrypt re-encrypts the data and sends it to the client.
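The certificate forging and caching at the heart of the two flows above, as an added Go example that is not A10 code: a constructed forward-proxy CA re-signs the identity fields of a (constructed, self-signed) origin certificate on the first visit and serves the cached copy on the revisit; the inside client's trust check is modelled with Go's standard certificate verifier against the proxy CA. The CA name, host name and validity periods are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ForwardProxyCA plays the role of the CA given to ACOS_decrypt with forward-proxy-ca-certificate.
type ForwardProxyCA struct {
	cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	cache  map[string]*x509.Certificate
	Forged int // certificates actually generated, i.e. cache misses
}

// issue signs tmpl with parent/parentKey (self-signed when parent is nil); returns the parsed cert and its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed serial, unique enough for a demo
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewForwardProxyCA builds a constructed CA that the inside clients are assumed to trust.
func NewForwardProxyCA() (*ForwardProxyCA, error) {
	cert, key, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Constructed SSLi Forward Proxy CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &ForwardProxyCA{cert: cert, key: key, cache: map[string]*x509.Certificate{}}, nil
}

// ConstructedOriginCert stands in for the certificate received from the remote server in step 1.
func ConstructedOriginCert(host string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		Subject:   pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(12 * time.Hour),
	}, nil, nil)
	return cert, err
}

// CertificateFor is steps 2-3 for a new website and step 2 for a revisited one: copy the
// origin certificate's identity fields, sign them with the proxy CA, and cache the result.
func (ca *ForwardProxyCA) CertificateFor(serverName string, origin *x509.Certificate) (*x509.Certificate, error) {
	if c, ok := ca.cache[serverName]; ok && time.Now().Before(c.NotAfter) {
		return c, nil // cache hit: no new fetch or forge, as in the revisited-website flow
	}
	forged, _, err := issue(&x509.Certificate{
		Subject:   origin.Subject,
		DNSNames:  origin.DNSNames,
		NotBefore: origin.NotBefore,
		NotAfter:  origin.NotAfter,
	}, ca.cert, ca.key)
	if err != nil {
		return nil, err
	}
	ca.cache[serverName] = forged
	ca.Forged++
	return forged, nil
}

// Verify checks a certificate the way an inside client that trusts the proxy CA would.
func (ca *ForwardProxyCA) Verify(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, _ := NewForwardProxyCA()
	origin, _ := ConstructedOriginCert("www.example.com")
	for visit := 1; visit <= 2; visit++ { // visit 1 forges, visit 2 is served from the cache
		c, _ := ca.CertificateFor("www.example.com", origin)
		fmt.Printf("visit %d: issuer=%q forged=%d trusted=%v\n", visit, c.Issuer.CommonName, ca.Forged, ca.Verify(c, "www.example.com") == nil)
	}
}
```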

TLS Server Name Indication (SNI) Support

The ACOS device supports the Server Name Indication (SNI) extension for Transport Layer
Security (TLS). The SNI extension enables servers that manage content for multiple domains
at the same IP address to use a separate server certificate for each domain. One use case for
this feature is supporting web hosting services. The device supports both static and dynamic
SNI extension mapping.

To support SNI extensions, the ACOS device allows you to add multiple certificates to a single
client-SSL template, and map individual certificates to their domain names.

NOTE: This feature is supported in both the shared partition and L3V
private partitions.

Default Certificate and Key


The client-SSL template must contain one certificate and private key pair that is not mapped
to a domain. The unmapped certificate and key are the default certificate and key for the
template. The ACOS device uses the default certificate and key for negotiating the SSL session
with the client.

If the client includes the SNI extension in its hello message, the ACOS device uses the cer-
tificate that is mapped to the domain requested by the client. Otherwise, the ACOS device
uses the default certificate.

SNI Extension Support


This section describes the available SNI extension support methods: static and dynamic.
When an SNI extension matches multiple entries, the selection is based on the following
precedence:

• The SNI extension matches a static mapping configured with the server-name command.
• The SNI extension matches a static mapping configured with the server-name-regex command.
• The SNI extension matches a dynamic mapping.

When an SNI extension does not match any of these entries, or the client hello does not
contain an SNI extension, the default cert-key pair is used.

Static SNI Extension Support


You can configure up to 1024 certificate-to-domain mappings in a client-SSL template. Each
mapping is configured using the server-name or the server-name-regex command at the
configuration level for the client-SSL template.

Dynamic SNI Extension Support


When dynamic SNI extension support is enabled, a certificate-to-domain mapping is created
automatically when the device holds a certificate and key whose file names include the domain
name specified in the "hello" field of an inbound client packet. The number of extensions that
can be dynamically supported on each virtual port is limited only by hardware restrictions.

SNI extensions use the default certificate and key when a "hello" field contains a domain
name for which the device does not contain a certificate and key with a matching file name.

Dynamic SNI extension support is enabled by using the server-name-auto-map command.

SNI Bypass
When server-name, server-name-regex, and server-name-auto-map are configured under the
client-SSL template, you can bypass the SSL traffic in the following scenarios:

• Missing cert/key, i.e., the client SNI does not match any mapping: server-name-bypass missing-cert
• The client SNI matches one of the configured server-name entries, but the certificate is expired:
server-name-bypass expired-cert
• The client SNI matches the configured SNI bypass AC type class-list: server-name-bypass
class-list sni_bypass
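As an added Go example (not ACOS code), the following models the lookup precedence from SNI Extension Support above together with the three bypass conditions just listed, using the template and class-list names from this section's sample configuration. The certificate expiry dates, the "contains" reading of the AC class-list, and the evaluation of the class list before the certificate lookup are assumptions of the example; the guide does not state the order in which the bypass conditions are checked.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// CertKey is an imported certificate/key pair, known by its file name on the device.
type CertKey struct{ Name string; NotAfter time.Time }

// RegexMapping is one server-name-regex line of the client-SSL template.
type RegexMapping struct{ Pattern *regexp.Regexp; CK CertKey }

// ClientSSLTemplate models the SNI-related commands of this guide's sample
// configuration; each field comment names the ACOS command it stands for.
type ClientSSLTemplate struct {
	Default       CertKey            // certificate ... key ... (the unmapped default pair)
	ServerName    map[string]CertKey // server-name <domain> cert <c> key <k>
	ServerNameRe  []RegexMapping     // server-name-regex <regex> cert <c> key <k>
	AutoMap       bool               // server-name-auto-map
	Imported      []CertKey          // cert/key files on the device, searched by auto-map
	BypassMissing bool               // server-name-bypass missing-cert
	BypassExpired bool               // server-name-bypass expired-cert
	BypassList    []string           // "contains" entries of the ac class-list named in explicit-class-list
}

// Decision is what the virtual port does with the connection and why.
type Decision struct{ Action, Cert, Reason string }

// lookup applies the precedence from this section: server-name, then
// server-name-regex, then dynamic auto-map (a file name that includes the domain).
func (t *ClientSSLTemplate) lookup(sni string) (CertKey, string, bool) {
	if ck, ok := t.ServerName[sni]; ok {
		return ck, "server-name", true
	}
	for _, m := range t.ServerNameRe {
		if m.Pattern.MatchString(sni) {
			return m.CK, "server-name-regex", true
		}
	}
	if t.AutoMap {
		for _, ck := range t.Imported {
			if strings.Contains(ck.Name, sni) {
				return ck, "server-name-auto-map", true
			}
		}
	}
	return CertKey{}, "", false
}

// Resolve decides whether one client hello is intercepted (with which certificate)
// or bypassed. Evaluating the class list first is this example's assumption.
func (t *ClientSSLTemplate) Resolve(sni string, now time.Time) Decision {
	if sni == "" {
		return Decision{"intercept", t.Default.Name, "no SNI extension in client hello"}
	}
	for _, needle := range t.BypassList {
		if strings.Contains(sni, needle) { // ac class-list "contains" semantics
			return Decision{"bypass", "", "explicit-class-list match on " + needle}
		}
	}
	ck, source, found := t.lookup(sni)
	switch {
	case !found && t.BypassMissing:
		return Decision{"bypass", "", "missing-cert"}
	case !found:
		return Decision{"intercept", t.Default.Name, "default cert-key pair"}
	case now.After(ck.NotAfter) && t.BypassExpired:
		return Decision{"bypass", "", "expired-cert (" + ck.Name + ")"}
	}
	return Decision{"intercept", ck.Name, source}
}

// SampleTemplate mirrors the "clissl" template and "sni_bypass" class list of the
// shared-partition configuration in this section; the expiry dates are constructed.
func SampleTemplate() *ClientSSLTemplate {
	jinling := CertKey{"jinling", time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)}
	expiring := CertKey{"expiring", time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)}
	return &ClientSSLTemplate{
		Default: CertKey{"acos_a10-tplab_com.pfx", jinling.NotAfter},
		ServerName: map[string]CertKey{
			"172-16-48-135.a10-tplab.com":  jinling,
			"192-168-90-132.a10-tplab.com": jinling,
		},
		ServerNameRe:  []RegexMapping{{regexp.MustCompile("135_2"), expiring}, {regexp.MustCompile("132_2"), expiring}},
		BypassMissing: true,
		BypassExpired: true,
		BypassList:    []string{"135_1", "132_1"},
	}
}

func main() {
	now := time.Date(2021, 9, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	for _, sni := range []string{"172-16-48-135.a10-tplab.com", "host135_2.a10-tplab.com", "host135_1.a10-tplab.com", "www.example.com", ""} {
		fmt.Printf("%q -> %+v\n", sni, SampleTemplate().Resolve(sni, now))
	}
}
```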

CLI Configuration for Shared Partition (Inside)

class-list sni_bypass ac
contains 135_1
contains 132_1
!
ip access-list sni_bypass
permit ip 172.16.48.131 0.0.0.0 192.168.90.132 0.0.0.0
!
ip dns primary 192.168.90.136
!
partition adc id 1 application-type adc
!
timezone UTC
!
visibility
monitor traffic service
!
glm use-mgmt-port
glm enable-requests
!
interface management
ip address 192.168.90.48 255.255.255.0
ip default-gateway 192.168.90.254
!
interface ethernet 1
enable
!
interface ethernet 2
enable
ip address 192.168.91.48 255.255.255.0
!
interface ethernet 4
enable
ip address 10.10.48.133 255.255.255.0
!
interface ethernet 7
enable
ip address 172.16.48.133 255.255.255.0
ip allow-promiscuous-vip
!
ip nat pool inside_2 10.10.48.140 10.10.48.140 netmask /32
!
ip route 0.0.0.0 /0 10.10.48.143
!
ip route 168.95.1.1 /32 192.168.91.254
!
ip route 192.168.90.0 /24 192.168.90.254
!
ip route 192.168.98.0 /24 192.168.91.254
!
ip route 192.168.99.0 /24 192.168.91.254
!
slb common
ssl-module software
!
slb template cipher all
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_SHA256
TLS1_RSA_AES_256_SHA256
TLS1_DHE_RSA_AES_128_GCM_SHA256
TLS1_DHE_RSA_AES_128_SHA
TLS1_DHE_RSA_AES_128_SHA256
TLS1_DHE_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_256_SHA
TLS1_DHE_RSA_AES_256_SHA256
TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256
TLS1_ECDHE_ECDSA_AES_128_SHA
TLS1_ECDHE_ECDSA_AES_128_SHA256
TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384
TLS1_ECDHE_ECDSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_256_SHA384
TLS1_ECDHE_ECDSA_AES_256_SHA384
TLS1_ECDHE_RSA_CHACHA20_POLY1305_SHA256 priority 100
TLS1_ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
TLS1_DHE_RSA_CHACHA20_POLY1305_SHA256
!
slb server ad 192.168.90.136
port 443 tcp
!
slb service-group adsg tcp
member ad 443
!
slb service-group sgtcp tcp
member apache1 0
!
slb template client-ssl clissl
certificate acos_a10-tplab_com.pfx
key acos_a10-tplab_com.pfx
server-name 172-16-48-135.a10-tplab.com cert jinling key jinling
server-name 192-168-90-132.a10-tplab.com cert jinling key jinling
server-name-regex 135_2 cert expiring key expiring
server-name-regex 132_2 cert expiring key expiring
server-name-bypass missing-cert
server-name-bypass expired-cert
server-name-bypass explicit-class-list sni_bypass
server-name-bypass enable-log
!
slb virtual-server ep_in_vs 172.16.48.135
port 443 https
source-nat pool inside_2
service-group adsg
template client-ssl clissl
!
slb virtual-server in_https 0.0.0.0 acl name sni_bypass
port 0 https
source-nat pool inside_2
service-group sgtcp
template client-ssl clissl
no-dest-nat
!
logging monitor debugging
!
logging syslog debugging
!
logging console debugging
!
logging host 192.168.90.132 port 24680
!
harmony-controller profile
host 192.168.96.250 use-mgmt-port port 443
provider root
user-name _a10_hc_device
cluster-name ck
cluster-id 5359a844-e8eb-11ea-8882-424130b0cd9c
password encrypted QUzWauG4s05NueHYPZASxzwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
register
thunder-mgmt-ip 192.168.90.48
!

CLI Configuration for Shared Partition (Outside)

active-partition adc
!
access-list 11 permit 10.10.48.140 0.0.0.0
!
interface ethernet 1
enable
ip address 192.168.92.48 255.255.255.0
ip nat outside
!
interface ethernet 6
enable
ip address 10.10.48.143 255.255.255.0
ip allow-promiscuous-vip
ip nat inside
!
ip nat pool outside 192.168.92.136 192.168.92.139 netmask /30
!
ip route 0.0.0.0 /0 192.168.92.254
!
ip route 172.16.48.0 /24 10.10.48.133
!
slb template server-ssl srvrssl
!
slb server gw 192.168.92.254
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group gw_TCP tcp
health-check-disable
member gw 0
!
slb service-group gw_UDP udp
health-check-disable
member gw 0
!
slb template http bypass
non-http-bypass service-group gw_TCP
!
slb virtual-server out_http 0.0.0.0 acl 11
port 0 http
aflex sni_bypass
source-nat pool outside
service-group gw_TCP
template http bypass
template server-ssl srvrssl
no-dest-nat
!
logging monitor debugging
!
logging syslog debugging
!
logging console debugging
!
logging host partition shared
!

aFleX script used to separate bypassed and decrypted traffic

when CLIENT_ACCEPTED {
    # Start with server-side SSL off: bypassed (still encrypted) traffic passes through as-is
    SSL::disable serverside
}
when HTTP_REQUEST {
    # A clear-text HTTP request means the traffic was decrypted; re-encrypt toward the server
    SSL::enable serverside
}

Configuring TLS Server Name Indication

Configuring TLS Server Name Indication (GUI Procedure)

Before creating the certificate-domain mappings, import the server certificates onto the
ACOS device.

The configuration page for client-SSL templates has a Server Name Indication section. In this
section, to create a certificate-domain mapping:

1. Enter the domain name in the Server Name field.


2. Select the certificate from the Server Certificate drop-down list.
3. Select the certificate’s private key from the Server Private Key drop-down list.
4. Click Add.
5. Repeat for each mapping.

Configuring Static TLS Server Name Indication (CLI Procedure)

To map a certificate to a domain, use the server-name command at the configuration level
for the client-SSL template:

Configuring Dynamic SNI Extension Support (CLI Procedure)

To enable dynamic SNI extension support, use the server-name-auto-map command at the
configuration level for the client-SSL template:

TLS SNI Support on vThunder


ACOS provides support for the Server Name Indication (SNI) extension to vThunder models.
The SNI is an extension to Transport Layer Security (TLS) that allows a single IP address to
host multiple domain names, with a separate certificate for each domain.

The client-SSL template bound to the virtual port can contain multiple certificates. When you
add a certificate and key to a client-SSL template, you can specify the domain name (“server
name”) that the certificate and key belong to. When a client sends an SSL session setup
request to the VIP, ACOS sends the server certificate for the requested domain name, based
on the configuration in the client-SSL template.

In addition to certificates and keys for individual domain names, a client-SSL template also
can contain one “default” certificate and key. If the template does not have a certificate for
the domain name requested by the client, ACOS sends the default certificate instead.

• ACOS 2.7.2 adds SNI support to vThunder models. Previous releases support the feature
on hardware models but not on vThunder models.
• SSL Intercept, a feature on certain hardware models that uses SNI support, is not supported
on vThunder devices. This enhancement does not provide SSL Intercept support on vThunder
models.

Configuring an SSL VIP TLS SNI (CLI Procedure)

The commands in this section configure an SSL VIP that serves the following domains:

• www.example.com
• www.example2.com
• mail.example.com

This configuration allows the ACOS device to set up secure SSL sessions with a client who
sends requests to 192.168.2.69:443. ACOS selects a server certificate to send to the client
based on the domain name requested by the client.

This example assumes the certificates and keys were already imported into or generated in
ACOS.

The slb template client-ssl cssl command configures the client-SSL template and places the CLI in
template configuration mode where the following commands are available:

• The certificate commands add the default certificate and key.
• The “cert2” and “cert3” certificates are used for SSL session setup requests to domains
www.example2.com and mail.example.com, respectively.
• The “def_cert” certificate is used for requests to any other domain name, such as
www.example.com.

Configuring an SSL VIP TLS SNI (CLI Example)

These commands bind the client-SSL template to the SSL virtual port:
ACOS(config)# slb virtual-server example 192.168.2.69
ACOS(config-slb vserver)# port 443 ssli
ACOS(config-slb vserver-vport)# template client-ssl cssl
ACOS(config-slb vserver-vport)# exit

TLS 1.3 Support

ACOS supports the TLS 1.3 protocol (RFC 8446) to provide a faster and more secure channel for
communication. Currently, TLS 1.3 is supported only for software SSL.

The following topics are covered:

Configuring TLS 1.3 310

Configuring Certificate Key Pair 311

Configuring TLS 1.3


By default, ACOS SSLi supports only TLS 1.2.

• To enable TLS 1.3:

slb common
ssl-module software-tls13
!

NOTE: Reboot the system after configuring this option for it to take effect.

• To configure a cipher template with TLS 1.3:

ACOS(config)# slb template cipher c1

• To add a TLS 1.3 cipher to the template, use the tls1_3 command:

ACOS(config-cipher)# tls1_3 TLS_AES_256_GCM_SHA384 priority 10

NOTE: The cipher is also available under the client-SSL and server-SSL templates.
If you are working with hardware SSL, the TLS 1.3 cipher and version commands
display a warning to notify you that TLS 1.3 is only supported in software SSL mode.

Configuring Certificate Key Pair


• For the client-SSL template, the new command is:
certificate <cert-name> key <key-name> [pass-phrase <pass-phrase-str>]
[chain-cert <chain-cert-name>]

NOTE: If the chain-cert parameter is required, make sure to configure it on the
same line as the certificate and key. Additionally, for more about certificate
command management during upgrade, refer to the ACOS 5.2.1 Release Notes.

• For the server-SSL template, the new command is:

certificate <cert-name> key <key-name> [pass-phrase <pass-phrase-str>]

CAs and CSRs Management


Installing SSL resources on the ACOS device enables the device to provide SSL services on
behalf of real servers.

The following topics are covered:

Importing a Certificate and Key 312

Generating a Certificate Signing Request (CSR) 315

Generating a Self-Signed Certificate and Key 316

Generating an SSL Cert – Private Key File with a CSR 318

Installing Certificates 322

Implementing Certificates to SSL Templates 325

Creating Multiple CA Certificate in Server-SSL Templates 326

Binding Server-SSL Templates to Individual Real Ports 328

Configuring Email Notification for SSL Certificate Expiration 330

Converting Certificates and CRLs to PEM Format 330

Importing a Certificate Revocation List (CRL) 332

Exporting Certificates, Keys, and CRLs 333

Importing a CA Cert and Private Key 334

Configuring Forward Proxy Alternate Signing Cert 335

Deleting Certificate Files 336

Configuring Simple Certificate Enrollment Protocol (SCEP) Certificates 336

Configuring Automatic Certificate Management Environment (ACME) Certificates 341

Importing a Certificate and Key

To import certificate and key files, place them on the PC that is running the ACOS GUI or CLI
session, or on a PC or file server that ACOS can reach to fetch the files.

The following topics are covered:

Importing Individual Files 313

SSL Certificate and Key Files Bulk Import 314

Importing Individual Files


To import an SSL certificate, CA certificate, certificate chain, or private key, follow these
instructions.

Importing Certificates (GUI Procedure)

1. Navigate to ADC >> SSL Management >> SSL Certificates.


2. Click Import to import a certificate or certificate chain.
3. In the File Name field, enter a name for the certificate.
4. In the Import field, select the item you want to import.
5. In the Import Certificate from field, select Local to import from a local drive on your
management PC, Remote to import from a remote location, or Text to import from the
text box that appears.
6. In the SSL or CA Certificate field, select either SSL Certificate or CA Certificate.
7. If you are importing a CA-signed certificate for which you used ACOS to generate the
CSR, you do not need to import the key. The key is automatically generated by ACOS
when you generate the CSR.
8. In the Certificate Format field, select the file format of the certificate you are importing.
A certificate and private key in a single file use the PFX format, which is chosen automatically.
9. The Certificate Source field provides the location and other fields you need to import
the selected item.
10. Decide whether to enable or disable the Overwrite Existing File option.
11. Click Import.

Importing Certificates (CLI Procedure)

• Use the import cert command to import a certificate or certificate chain that you will
be using with its private key to create proxied certificates for SSL handshaking with
clients in the SSLi, SSL Proxy or SSL offload applications. If you import the cert and its
key in a single file, use the PFX format.

An example of importing a cert for SSLi is found in Importing a CA Cert and Private Key.

• Use the import ca-cert command to import a CA certificate or certificate chain for
verifying SSL servers, authenticating clients, and other purposes. However, the CA cert
cannot be used for creating proxied signed certificates for handshaking with clients.

NOTE: If you are importing a CA-signed certificate for which you used ACOS to
generate the CSR, you do not need to import the key. The key is automatically
generated by ACOS when you generate the CSR.

• Use the import cert-key command to import a private key.

SSL Certificate and Key Files Bulk Import


You can import or export SSL files in bulk, as .tgz archives.

Bulk Import and Export of Certificate and Key Files (GUI Procedure)

The steps for importing or exporting SSL files are the same for individual files and for bulk
archives. (For information, see Importing Individual Files above or the GUI online help.)

Bulk Import and Export of Certificate and Key Files (CLI Procedure)

To import a .tgz archive of SSL certificate files, key files, or CRL files, use the following
commands:

• import cert – The archive contains only certificate files.
• import cert-key bulk – The archive contains both certificate and key files.
• import crl – The archive contains only CRL files.
• import key – The archive contains only key files.

Generating a Certificate Signing Request (CSR)

The following procedure generates a CSR that you can send to a server, so that the server
can send the CSR to a CA to request a new CA-signed certificate or renew an existing one.

This process also creates a public key - private key pair. The public key is sent in the CSR. The
private key is used to encrypt the CSR.

Generating a CSR (GUI Procedure)

1. Navigate to ADC >> SSL Management >> SSL Certificates.


2. Click +Create. The Create SSL Certificates dialog window appears.
3. In the Create As field, select CSR.
4. In the File Name field, type the name of the certificate that will be provided by the CA.
5. In the Digest field, select the hashing algorithm used. The default is sha1.
6. In the Cert Type field, select RSA or ECDSA depending on which cryptography standard
you want.
7. The Common Name field is required.

To create a wildcard certificate request, use an asterisk for the first part of the common
name. For example, to request a wildcard certificate for domain example.com and
its sub-domains, enter *.example.com as the common name.
8. The Division, Organization, Locality, State or Province, and Email fields are optional.
9. Enter a number in the Valid Days field (how many days the key will remain valid) and in the Key
Size field, or accept the defaults of 730 days and 1024 bytes.
10. Click OK.
11. Verify that the newly created SSL cert appears in the ADC >> SSL Management >> SSL Certificates
page. Check the matching Name and Common Name fields. The Type should
be key, and the expiration should match the number of days the cert remains valid. See
RFC 6125 for help in reading the Issuer field.

Generating a CSR (CLI Example)

• Use the pki create csr command in global configuration mode to generate an RSA type
of certificate signing request (CSR). In this example, the CSR name is CSR1.

ACOS(config)# pki create csr CSR1 generate certtype rsa
input key bits(1024,2048,4096) default 1024:
input Common Name, 1~64:CSR1
input Division, 0~31:
input Organization, 0~63:
input Locality, 0~31:
input State or Province, 0~31:
input Country, 2 characters:US
input email address, 0~64:[email protected]
ACOS(config)#
• To create wildcard certificates, use an asterisk as the first part of the common name.
For example, to create a wildcard certificate for domain example.com and its sub-domains,
enter the following common name: *.example.com.
• Use show pki certificate csr1 detail to show the CSR created.

Generating a Self-Signed Certificate and Key

In the following procedure the certificate file also includes the corresponding private key.

See RFC 6125 for help in filling out some of the following fields.

Generating a Self-Signed Certificate and Key (GUI Procedure)

1. Navigate to ADC >> SSL Management >> SSL Certificates.


2. Click +Create. The Create SSL Certificates dialog window appears.
3. In the Create As field, select Certificate.
4. In the File Name field, type the name of the certificate that will be generated.
5. Do not enable CSR Generate. This checkbox enables the creation of a CSR.
6. In the Cert Type field, select RSA or ECDSA depending on which cryptography standard
you want.

7. The Common Name field is required.

NOTE: If you need to create a request for a wildcard certificate, use an asterisk
as the first part of the common name. For example, to request a wildcard
certificate for domain example.com and its sub-domains, enter the following
common name: *.example.com.

8. The Division, Organization, Locality, State or Province, and Email fields are optional.
9. Enter a number in the Valid Days field (how many days the key will remain valid) and in the Key
Size field, or accept the defaults of 730 days and 1024 bytes.
10. Click OK.
11. Verify that the newly created SSL cert appears in the ADC >> SSL Management >> SSL Certificates
page. Check the matching Name and Common Name fields. The Type should be
certificate/key, and the expiration should match the number of days the cert remains
valid. See RFC 6125 for help in reading the Issuer field.

Generating a Self-Signed Certificate and Key (CLI Example)


To generate a self-signed certificate, use the following command at the global configuration
level of the CLI:

The pki create certificate command generates and initializes a self-signed certificate
and key. When creating a self-signed certificate, it must be pushed out to inside clients (clients
on the internal network). If the certificate is not pushed, the internal hosts get an SSL
“untrusted root” error whenever they try to connect.

The key length, common name, and number of days the certificate is valid are required. The
other information is optional. The default key length is 1024 bits. The default number of days
the certificate is valid is 730.
ACOS(config)# pki create certificate enterpriseABC-selfsignd certtype rsa
input key bits(1024,2048,4096) default 1024:
input Common Name, 1~64: enterpriseABC-selfsignd
input Division, 0~31:
input Organization, 0~63:
input Locality, 0~31:
input State or Province, 0~31:US
input Country, 2 characters:US
input email address, 0~64:
input valid days, 30~3650, default 730:
ACOS(config)#

To create a wildcard certificate, use an asterisk as the first part of the common name. For
example, to create a wildcard certificate for domain example.com and its sub-domains, enter
the following common name: *.example.com

Generating an SSL Cert – Private Key File with a CSR

The following procedure generates a self-signed SSL cert with private key and also generates
a CSR that you can send to a publicly recognized CA to register your self-signed SSL cert.

This process also creates a public key - private key pair. The public key is sent in the CSR. The
private key is used to encrypt the CSR and also to create the SSL proxied certificate used in
the ACOS SSLi, SSL-Offload, and SSL-Proxy applications.

Generating an SSL Cert – Private Key File with a CSR (GUI Procedure)

1. Navigate to ADC >> SSL Management >> SSL Certificates.


2. Click +Create. The Create SSL Certificates dialog window appears.
3. In the Create As field, select Certificate.
4. In the File Name field, type the name of the certificate that will be generated.
5. Click the CSR Generate box to enable the creation of a CSR.
6. In the Cert Type field, select RSA or ECDSA depending on which cryptography standard
you want.

7. The Common Name field is required.

NOTE: If you need to create a request for a wildcard certificate,


use an asterisk as the first part of the common name. For
example, to request a wildcard certificate for domain
example.com and it sub-domains, enter the following com-
mon name: *.example.com.

8. The Division, Organization, Locality, State or Province, and Email fields are optional.
9. Enter a number the Valid Days (how many days the key will remain valid) and Key
Size, or accept the defaults 730 days and 1024 bytes.
10. Click OK.

11. Verify that the newly created SSL cert appears on the ADC >> SSL Management >> SSL Certificates page. Check the matching Name and Common Name fields. The Type should be certificate/key, and the expiration should match the number of days the cert remains valid. See RFC 6125 for help in reading the Issuer field. The GUI does not display the CSR separately.

Generating an SSL Cert – Private Key File with a CSR (CLI Procedure)

• Use the pki create cert command in global configuration mode to generate a self-signed SSL certificate and a corresponding CSR. In this example, the CSR file name is csr, the CSR renewal file name is Cert-CSR-both, the file transport protocol is FTP, and the URL specifying where the CSR is sent is 192.168.1.10.

ACOS(config)# pki create cert Cert-CSR-both certtype rsa csr-generate
input key bits(1024,2048,4096) default 1024:
input Common Name, 1~64:Cert-CSR-both
input Division, 0~31:
input Organization, 0~63:
input Locality, 0~31:
input State or Province, 0~31:
input Country, 2 characters: US
input email address, 0~64: [email protected]

  ◦ In the above example, the CSR is generated without the root CA extensions. The syntax for the command that creates a CSR with root CA extensions follows:
ACOS(config)# pki create cert Cert-CSR-both certtype rsa rootca
  ◦ If you need to create a wildcard certificate, use an asterisk as the first part of the common name. For example, to create a wildcard certificate for domain example.com and its sub-domains, enter the following common name: *.example.com

• Use show pki cert Cert-CSR-both detail to show the certificate created.

• Use show pki csr Cert-CSR-both detail to show the CSR created.

ACOS(config)# show pki cert Cert-CSR-both detail
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13866059162969540330 (0xc06e2357db5986ea)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AF, CN= Cert-CSR-both
Validity
Not Before: Jan 31 05:20:36 2017 GMT
Not After : Jan 31 05:20:36 2019 GMT
Subject: C=AF, CN=Cert-CSR-both
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
...
SHA1 Fingerprint=D5:9A:B6:96:66:5D:B9:77:FE:1F:28:B4:BC:A9:3A:43:5D:2D:C7:98
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key size: 1024

ACOS(config)# show pki csr Cert-CSR-both detail
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=AF, CN=Cert-CSR-both
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Installing Certificates

To configure an ACOS device to perform SSL processing on behalf of real servers, you must
install a certificate on the ACOS device. This certificate is the one that the ACOS device will
present to clients during the SSL handshake. You also must configure a client-SSL template,
add the key and certificate to the template, and bind the template to the VIP that will be
requested by clients.

You can install a CA-signed certificate or a self-signed certificate (described in CA-Signed and Self-Signed Certificates).

This section gives an overview of the process for each type of certificate. Detailed procedures
are provided later in this section.

Requesting and Installing a CA-Signed Certificate

To request and install a CA-signed certificate, use the following process. For detailed steps, see CAs and CSRs Management and Importing a Certificate and Key.

1. Create an encryption key.
2. Create a Certificate Signing Request (CSR).

   The CSR includes the public portion of the key, as well as information you enter when creating the CSR.

   You can create the key and CSR on an ACOS device or on a server running openssl or a similar application.
3. Submit the CSR to the CA.
4. If the CSR was created on the ACOS device, do one of the following:
   • Copy and paste the CSR from the ACOS CLI or GUI onto the CSR submission page of the CA server.
   • Export the CSR to another device, such as the PC from which you access the ACOS CLI or GUI. Email the CSR to the CA, or copy and paste it onto the CSR submission page of the CA server.
5. If the CSR was created on another device, email the CSR to the CA, or copy and paste it onto the CSR submission page of the CA server.
6. After receiving a signed certificate and the CA’s public key from the CA, import them to the ACOS device.
7. If the key and certificate are provided by the CA in separate files (PKCS #7 format), import the certificate. The key does not need to be imported if the CSR was created on the ACOS device, because the key is already on the ACOS device. If the certificate is not in PEM format, specify the certificate format (type) when importing it.
8. If the CSR was not created on the ACOS device, you need to import the key as well.
9. If the key and certificate are provided by the CA in a single file (PKCS #12 format), specify the certificate format (type) when you import it. If the CSR was not created on the ACOS device, you need to import the key as well. See Converting SSL Certificates to PEM Format (Windows PC Procedure).
10. If applicable, import the certificate chain onto the ACOS device. The certificate chain must be a single text file, beginning with the root CA’s certificate at the top, followed in order by each intermediate signing authority’s certificate. (See Certificate Chain.)

FIGURE 16-6 shows the most common way to obtain and install a CA-signed certificate onto the ACOS device. You also may need to install a certificate chain file.

FIGURE 16-6: Obtaining and Installing Signed Certificate from CA

NOTE: As an alternative to using a CA, you can use an application such as openssl to create a certificate, then use that certificate as a CA-signed certificate to sign another certificate. However, in this case, a client’s browser is still likely to display a certificate warning to the end user.
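Added example, not from the guide: the key and CSR steps above done with openssl (with a wildcard common name, as the guide describes), followed by the NOTE's alternative of signing the CSR with a self-made CA. The names enterpriseABC and *.example.com are constructed; the last check shows why a client still warns unless that CA certificate has been pushed to it.

```shell
#!/bin/sh
# Added example, not A10's code: the key/CSR steps with openssl, a self-made CA
# standing in for a public CA (the NOTE's alternative), and the trust check.
set -eu

WORK=$(mktemp -d)   # scratch directory; every file below is written here

# Steps 1 and 2 of the CA-signed procedure: a 2048-bit RSA key and a CSR whose
# common name is a wildcard (*.example.com is a constructed name).
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=US/ST=CA/O=enterpriseABC/CN=*.example.com" 2>/dev/null
  # The CSR carries a self-signature over its public key; confirm it checks out
  # (the same structure "show pki csr ... detail" prints on the ACOS device).
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# The NOTE's alternative to a public CA: a self-signed certificate made with
# openssl, used as the CA that signs other certificates.
make_private_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/C=US/O=enterpriseABC/CN=enterpriseABC-selfsignd" 2>/dev/null
}

# What the CA does with the CSR in steps 3 to 6: issue a signed certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/server.pem" 2>/dev/null
}

# Returns 0 when the issued certificate chains to the private CA.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Returns 0 when the certificate chains to the default trust store. This is
# the check a client performs; it fails (the "untrusted root" warning) unless
# the CA certificate has been pushed to that client.
verify_against_system_store() {
  openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

# Prints the common name of the issued certificate, for checking the wildcard.
cert_common_name() {
  openssl x509 -in "$WORK/server.pem" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN=\([^,]*\).*/\1/'
}

make_key_and_csr
make_private_ca
sign_csr
```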

Installing a Self-Signed Certificate

To install a self-signed certificate instead of a CA-signed certificate:

• Create an encryption key.
• Create the certificate.

See Generating a Self-Signed Certificate and Key.

Implementing Certificates to SSL Templates

After creating or importing certificates and keys on the ACOS device, you must add them to
an SSL template, then bind the template to a VIP, in order for them to take effect.

Creating an SSL Template (GUI Procedure)

1. Navigate to ADC >> Templates >> SSL.
2. Click Create, and select one of the following:
   • Client SSL, to create a template for SSL traffic between the ACOS device (VIP) and clients.
   • Server SSL, to create a template for SSL traffic between the ACOS device and servers.
3. Enter or select the configuration options; refer to the online help for information about the fields on this GUI page.
4. When finished, click OK.

Creating an SSL Template (CLI Example)

Use one of the following commands at the global configuration level of the CLI:

slb template client-ssl – creates a template for SSL traffic between the ACOS device (VIP) and clients.
ACOS(config)# slb template client-ssl TMPLT-C
ACOS(config-client ssl)# exit

slb template server-ssl – creates a template for SSL traffic between the ACOS device and servers.
ACOS(config)# slb template server-ssl TMPLT-S
ACOS(config-server ssl)# exit

The command creates the template and changes the CLI to the configuration level for it. Use the commands at the template configuration level to configure template parameters. (For information, see Certificates in SSL Templates or the CLI Reference.)

Binding an SSL Template to a VIP (GUI Procedure)

1. Navigate to ADC >> SLB >> Virtual Servers.
2. Click Create to create a new virtual server.
3. Enter the VIP name and IP address.
4. In the Port section, click Create. The Virtual Server Port page appears.
5. Click “Templates” to expand the Templates section.
6. Select the template from the Client-SSL Template or Server-SSL Template drop-down list.

Binding an SSL Template to a VIP (CLI Example)

• Use one of the following commands at the configuration level for the virtual port on the VIP:

template client-ssl – binds a client-SSL template to the VIP.
ACOS(config)# slb virtual-server VIP-1 10.10.1.1
ACOS(config-slb vserver)# port 80 ssl-proxy
ACOS(config-slb vserver-vport)# template client-ssl TMPLT-C
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

template server-ssl – binds a server-SSL template to the VIP.
ACOS(config)# slb virtual-server VIP-2 10.10.2.1
ACOS(config-slb vserver)# port 80 ssl-proxy
ACOS(config-slb vserver-vport)# template server-ssl TMPLT-S
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

• Use the same command on each port for which SSL will be used.

Creating Multiple CA Certificates in Server-SSL Templates

If you need to add multiple certificates to a server-SSL template, this section describes how to configure it. A server-SSL template can have multiple CA-signed certificates.

You can add the CA certificates to the server-SSL template in either of the following ways:

• As separate files (one for each certificate)
• As a single file containing all of the certificates

Adding multiple certificates in a single file can simplify configuration. For example, you can
export the CA certificates from a web browser into a single file, then import that file onto the
ACOS device and add it to a server-SSL template.

Previous releases allowed a server-SSL template to have only a single CA-signed certificate.

NOTE: A CA-signed certificate is a certificate signed by a Certificate Authority (CA).

Multiple Certificates in Single File – Preparing the File

You can create the multiple-certificate file by exporting the certificates from a browser, or you can assemble the file by hand.

To export the certificates from Internet Explorer (IE) version 9:

1. Select Tools > Internet Options.
2. Click the Content tab.
3. Click Certificates.
4. Click the Trusted Root Certification Authorities tab.
5. Select all the certificates.
6. Click Export.
7. Click Next.
8. Select PKCS #12 format (PFX), if not already selected.
9. Click Next.
10. When prompted for a file password, enter a password to secure the certificate file, and click Next.
11. When prompted for a filename:
   a. Click Browse to navigate to the save location for the file.
   b. Enter the filename and click Save.
12. Click Next.
13. Click Finish.
14. On the ACOS device:
   a. Import the certificate file as a PFX file.
   b. Use the GUI or CLI to add the certificate file to a server-SSL template.
   c. Bind the server-SSL template to the virtual port.

To create the file manually:

1. Copy and paste each certificate into a text file. Make sure to include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines for each certificate. For example:
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQGNr
RniZ96LtKIVjNzGs7SjANBg
kqhkiG9w0BAQUFADCB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
U2lnbiwgSW5jLiAtIEZvciBhd
XRob3JpemVkIHVzZSBvbmx
5MUUwQwYDVQQDEzxW
-----END CERTIFICATE-----
2. Save the text file.
3. On the ACOS device:
   a. Import the certificate file as a PEM file.
   b. Use the GUI or CLI to add the certificate file to a server-SSL template.
   c. Bind the server-SSL template to the virtual port.
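Added example, not A10's code: a shell check for a hand-assembled bundle like the one above, run before importing it. It builds a two-certificate bundle from constructed throwaway certificates, counts the BEGIN/END pairs, and parses each certificate with openssl on its own so that a truncated block is caught before the import.

```shell
#!/bin/sh
# Added example, not A10's code: a check for a hand-assembled multi-certificate
# PEM file before it is imported, since a missing or truncated BEGIN/END line
# spoils the whole bundle.
set -eu

WORK=$(mktemp -d)

# Assemble a two-certificate bundle the way the procedure describes, from two
# constructed self-signed CA certificates pasted one after the other.
make_sample_bundle() {
  for name in rootA rootB; do
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
      -subj "/C=US/O=enterpriseABC/CN=$name" 2>/dev/null
  done
  cat "$WORK/rootA.pem" "$WORK/rootB.pem" > "$WORK/bundle.pem"
}

# Print how many certificates a bundle contains, or -1 when BEGIN and END
# lines do not pair up (a block left open, or an END without a BEGIN).
count_certs() {
  awk '
    /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; n++ }
    /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0 }
    END { if (bad || open) print -1; else print n + 0 }
  ' "$1"
}

# Hand every certificate in the bundle to openssl on its own and print one
# subject per line; return 1 as soon as a block fails to parse.
list_subjects() {
  bundle=$1
  total=$(count_certs "$bundle")
  [ "$total" -gt 0 ] || return 1
  i=1
  while [ "$i" -le "$total" ]; do
    # Cut out the i-th BEGIN..END block and parse it.
    awk -v want="$i" '
      /^-----BEGIN CERTIFICATE-----$/ { n++ }
      n == want { print }
      /^-----END CERTIFICATE-----$/ && n == want { exit }
    ' "$bundle" | openssl x509 -noout -subject -nameopt RFC2253 || return 1
    i=$((i + 1))
  done
}

make_sample_bundle
# A broken bundle for comparison: its last line, an END marker, is missing.
sed '$d' "$WORK/bundle.pem" > "$WORK/broken.pem"
```

A file pasted together on Windows carries CR line endings, which make the anchored patterns miss every marker; run it through tr -d '\r' first.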

Binding Server-SSL Templates to Individual Real Ports

For additional flexibility, the ACOS device supports binding of server-SSL templates to individual real ports. This configuration option is useful in cases where the real servers load balanced by a VIP have different SSL settings.

If a server-SSL template is bound to the virtual port instead, all the real servers load balanced by the VIP must use the same SSL settings.

You can bind a server-SSL template to a real port and also to a virtual port that uses that real port. In this case, the server-SSL template bound to the real port is used for traffic sent to that real port. If you remove the server-SSL template from the real port, the template bound to the virtual port is used instead.

Binding Server SSL Templates to Real Ports (GUI Procedure)

On the configuration page for the real server, in the Port section, select the template from the Server-SSL Template drop-down list.

Binding Server SSL Templates to Real Ports (CLI Procedure)

To bind a server-SSL template to a real port, use the template server-ssl command at the configuration level for the real port.
Binding Server SSL Templates to Real Ports (CLI Example)

The following commands import a CA-signed certificate and key:
ACOS(config)# import ca-cert CACert88.pem tftp:
Address or name of remote host []?192.168.52.254
File name [/]?CACert88.pem
.0 minutes 1 seconds
ACOS(config)# import key CAkey tftp:
Address or name of remote host []?192.168.52.254
File name [/]?CAkey88
.0 minutes 1 seconds

The following commands create a server-SSL template and add the certificate and key to the
template:
ACOS(config)# slb template server-ssl server-ssl1
ACOS(config-server ssl)# ca-cert CACert88.pem key CAkey88
ACOS(config-server ssl)# certificate Cert123.pem key key123 pass-phrase Pass123
ACOS(config-server ssl)# exit

The following commands bind the server-SSL template directly to a port on a real server:
ACOS(config)# slb server rs88 10.8.8.8
ACOS(config-real server)# port 443 tcp
ACOS(config-real server-node port)# template server-ssl server-ssl1

NOTE: New certificate commands will be lost if you downgrade the device to an older image that does not support the new commands.

Configuring Email Notification for SSL Certificate Expiration

The ACOS device can send email notification when an SSL certificate is about to expire. This
feature sends a daily email listing the certificates that are about to expire or that have
recently expired.

By default, this feature is not configured. To configure email notification for certificate expiration, use either of the following methods.

Configuring Email Notification for SSL Certificate Expiration (GUI Procedure)

1. Navigate to ADC >> SSL Management >> Expiration Mail.
2. In the SSL Expire Email Address fields, enter the email address (twice; both addresses must match) where you want the notifications to be sent.
3. Configure the other fields on this screen as desired; refer to the GUI online help for
more information about the fields on this page.
4. Click Update.

Configuring Email Notification for SSL Certificate Expiration (CLI Procedure and Example)

To configure email notification for certificate expiration, use the slb ssl-expire-check command.

The following example enables certificate notifications to be sent to email address “[email protected]”. Expiration notifications are sent beginning 4 days before expiration and continue for 3 days after expiration.
ACOS(config)# slb ssl-expire-check email-address [email protected] before 4 interval 3
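Added example, not part of the guide: a local equivalent of the "before 4" window, using openssl -checkend on certificate files so an operator can see which certificates the daily email would list. The two certificates are constructed with 2-day and 365-day lifetimes; the "interval" (days after expiry) part is not modelled, since -checkend only answers whether a certificate is or will be expired.

```shell
#!/bin/sh
# Added example, not A10's code: the same "before N days" window as the
# ssl-expire-check command, applied locally to certificate files with openssl.
set -eu

WORK=$(mktemp -d)

# Two constructed certificates: one that lasts 2 days, one that lasts 365.
make_sample_certs() {
  for spec in soon:2 later:365; do
    name=${spec%%:*}
    days=${spec##*:}
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
      -subj "/C=US/O=enterpriseABC/CN=$name.example.com" 2>/dev/null
  done
}

# Print the base names of the certificates that expire within BEFORE days or
# have expired already, one per line; "expiring_within 4 ..." mirrors "before 4".
expiring_within() {
  before=$1
  shift
  for f in "$@"; do
    # -checkend N exits non-zero when the certificate will be expired N seconds
    # from now, which is the "about to expire" condition the email reports.
    if ! openssl x509 -in "$f" -noout -checkend $((before * 86400)) >/dev/null; then
      basename "$f" .pem
    fi
  done
}

make_sample_certs
```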

Converting Certificates and CRLs to PEM Format

The ACOS device supports Privacy Enhanced Mail (PEM) format for certificate files and CRLs.

If a certificate or CRL you plan to import onto the ACOS device is not in PEM format, it must
be converted to PEM format.

You do not need to convert the certificate into PEM format before importing it. You can specify the format when you import the certificate. The ACOS device automatically converts the imported certificate into PEM format. (See Importing a Certificate and Key.)

If you prefer to convert a certificate before importing it, see the following sections.

If you have certificates that are in Windows format, use the procedure in this section to convert them to PEM format. For example, you can use this procedure to export SSL certificates that were created under a Windows IIS environment, for use on servers that are running Apache.

This procedure requires a Windows PC and a Unix/Linux workstation. Perform the Windows PC procedure (from starting the Microsoft Management Console through selecting Action > All Tasks > Export) on the Windows PC, and the Unix/Linux workstation procedure (from copying the PFX-format file through removing the passphrase from the key) on the Unix/Linux workstation.

Converting SSL Certificates to PEM Format (Windows PC Procedure)

1. Start the Microsoft Management Console (mmc.exe).
2. Add the Certificates snap-in:
3. Select File > Add/Remove Snap-In. The Add/Remove Snap-In dialog appears.
4. Click Add. A list of available snap-ins appears.
5. Select Certificates.
6. Click Add.
7. A dialog appears with the following choices: My user account, Service account, and Computer account.
8. Select Computer Account and click Next. The Select Computer dialog appears.
9. Select Local Computer and click Finish.
10. Click Close.
11. Click OK. The Certificates snap-in appears in the Console Root list.
12. Expand the Certificate folders and navigate to the certificate you want to convert.
13. Select Action > All Tasks > Export.

The Export wizard guides you with instructions. Make sure to export the private key too. The
wizard will ask you to enter a passphrase to use to encrypt the key.

Converting SSL Certificates to PEM Format (Unix / Linux Workstation Procedure)

1. Copy the PFX-format file that was created by the Export wizard to a UNIX machine.

2. Use OpenSSL to convert the PFX file into a PKCS12 format:
   $ openssl pkcs12 -in filename.pfx -out pfxoutput.txt
3. This command creates a PKCS12 output file, which contains a concatenation of the private key and the certificate.
4. Use the vi editor to divide the PKCS12 file into two files, one for the certificate (.crt) and the other for the private key.
5. To remove the passphrase from the key, use the following command:
   $ openssl rsa -in encrypted.key -out unencrypted.key

Although removing the passphrase is optional, A10 Networks recommends that you remove
the passphrase for production environments where Apache must start unattended.
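Added example, not from the guide: the Unix/Linux workstation steps carried out end to end with openssl, using awk instead of vi to split pfxoutput.txt, and finished with the check an operator wants before copying the files to Apache: that the key and certificate belong together and that the key really is unencrypted. The PFX file is constructed in place to stand in for the Windows export; filename.pfx, pfxoutput.txt, encrypted.key and unencrypted.key are the guide's own names.

```shell
#!/bin/sh
# Added example, not A10's code: the Unix/Linux workstation steps carried out
# with openssl, splitting pfxoutput.txt with awk instead of vi, then checking
# the result before it goes anywhere near a server.
set -eu

WORK=$(mktemp -d)
PFX_PASS=constructed-export-pass   # stands in for the Export wizard's passphrase

# Stand-in for the Windows export: a constructed key and certificate packed into
# filename.pfx (PKCS #12) and protected with the passphrase.
make_sample_pfx() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/iis.key" -out "$WORK/iis.crt" \
    -subj "/C=US/O=enterpriseABC/CN=www.example.com" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/iis.crt" -inkey "$WORK/iis.key" \
    -out "$WORK/filename.pfx" -passout "pass:$PFX_PASS"
}

# Step 2 of the procedure: unpack the PFX into one PEM text file that holds the
# (still encrypted) private key and the certificate.
pfx_to_pem() {
  openssl pkcs12 -in "$WORK/filename.pfx" -out "$WORK/pfxoutput.txt" \
    -passin "pass:$PFX_PASS" -passout "pass:$PFX_PASS"
}

# Step 4 without vi: copy each BEGIN/END block into its own file and drop the
# "Bag Attributes" lines that sit between them.
split_pem() {
  awk -v dir="$WORK" '
    /-----BEGIN .*PRIVATE KEY-----/ { out = dir "/encrypted.key" }
    /-----BEGIN CERTIFICATE-----/   { out = dir "/server.crt" }
    out != "" { print > out }
    /-----END / { out = "" }
  ' "$WORK/pfxoutput.txt"
}

# Step 5: remove the passphrase so that Apache can start unattended.
strip_passphrase() {
  openssl rsa -in "$WORK/encrypted.key" -out "$WORK/unencrypted.key" \
    -passin "pass:$PFX_PASS" 2>/dev/null
}

# The check that matters before installing: the key and the certificate must
# belong together. Compare the public key in each; returns 0 on a match.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/unencrypted.key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 only if the stripped key is a plain, unencrypted PEM private key.
key_is_unencrypted() {
  grep -q 'BEGIN .*PRIVATE KEY' "$WORK/unencrypted.key" &&
    ! grep -q ENCRYPTED "$WORK/unencrypted.key"
}

make_sample_pfx
pfx_to_pem
split_pem
strip_passphrase
```

The unencrypted key is the one a stolen copy of can be used directly, so after this step restrict its file mode and owner to the account Apache runs as.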

Converting CRLs from DER to PEM Format (Unix / Linux Workstation Procedure)

If you plan to use a Certificate Revocation List (CRL), the CRL must be in PEM format.

To convert Distinguished Encoding Rules (DER) format to PEM format, use the following command on a Unix/Linux machine where the file is located:
openssl crl -in filename.der -inform der -outform pem -out filename.pem

Importing a Certificate Revocation List (CRL)

To import a CRL, place it on the PC that is running the GUI or CLI session, or onto a PC or file
server that can be locally reached over the network.

Importing a CRL (GUI Procedure)

1. Navigate to ADC >> SSL Management >> Cert Revocation List.
2. Click Import.
3. Complete the fields on this page to navigate to the location of the CRL.
4. Click Import.

Importing a CRL (CLI Procedure)

To import a CRL, use the import crl command at the Privileged EXEC or global Config level of the CLI.

Refer to the Command Line Interface Reference for detailed information about this command.

Exporting Certificates, Keys, and CRLs

This section describes how to export SSL resources from the ACOS device to other devices.

Due to a limitation in Windows, it is recommended to use names shorter than 255 characters.
Windows allows a maximum of 256 characters for both the file name and the directory path.
If the combination of directory path and file name is too long, Windows will not recognize the
file. This limitation is not present on machines running Linux/Unix.

Exporting a Certificate and Key (GUI Procedure)

1. Navigate to ADC >> SSL Management >> SSL Certificates.
2. To export a certificate:
   a. Select the certificate. (Click the checkbox next to the certificate name.)
   b. Click Export.
   c. If the browser security settings normally block downloads, you may need to override the setting. For example, in Internet Explorer, hold the Ctrl key while clicking Export.
   d. Click Save.
   e. Navigate to the save location.
   f. Click Save again.
3. To export a key:
   a. Select the key.
   b. Click Export.
   c. Click Save.
   d. Navigate to the save location.
   e. Click Save again.

Exporting a Certificate and Key (CLI Procedure)

To export a certificate and its key, use the following commands at the Privileged EXEC or global Config level of the CLI:

export cert
export cert-key

Refer to the Command Line Interface Reference for detailed information about these commands.

Exporting a CRL (CLI Procedure)

To export a CRL, use the export crl command at the Privileged EXEC or global Config level of the CLI.

Exporting a CRL (GUI Procedure)

• Navigate to ADC >> SSL Management >> Cert Revocation List.
• Select the CRL. (Click the checkbox next to the CRL name.)
• Click Export.
• If the browser security settings normally block downloads, you may need to override the setting. For example, in IE, hold the Ctrl key while clicking Export.
• Click Save.
• Navigate to the save location.
• Click Save again.

Importing a CA Cert and Private Key

Import a self-signed CA certificate and the certificate’s private key (CLI Example)

The following commands import a self-signed CA certificate trusted by the clients, and the certificate’s private key:
ACOS-Inside(config)# import cert enterpiseABC-selfsignd scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?enterpiseABC-selfsignd.pem
ACOS-Inside(config)# import key enterpiseABC-key scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?enterpiseABC-key.pem

Configuring the client-SSL template to enable SSLi (CLI Example)


The following commands configure the client-SSL template to enable SSLi (forward proxy). They also specify the certificate and private key that the inside ACOS device uses to dynamically create (and cache) forged server certificates as clients request SSL sessions with external servers.
ACOS-Inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-client ssl)# forward-proxy-ca-certificate enterpiseABC-selfsignd key enterpiseABC-key
ACOS-Inside(config-client ssl)# forward-proxy-enable

Configuring Forward Proxy Alternate Signing Cert

In the following example, the inside ACOS device is configured with a trusted CA list and an alternate signing key. When a client requests a connection to an external SSL server, the inside ACOS device determines whether the certificate of the SSL site is signed by a trusted CA. If it is not in the trusted list, the inside ACOS device signs the certificate with the alternate signing key. Because the alternate signing key is not trusted, the client will be warned that the site is insecure.

Forward Proxy Alternate Signing Cert (CLI Example)

1. Import the list of trusted CAs:
ACOS-Inside(config)# import cert ca-cert enterpiseABC-trusted-CAs scp:
...

2. Import the alternate certificate and signing key:
ACOS-Inside(config)# import cert alt-cert scp:
...
ACOS-Inside(config)# import key alt-key scp:
...

3. Bind the list of trusted CAs and the alternate signing key to the client-SSL template (which in turn is bound to the SSLi virtual port of the inside ACOS device):
ACOS-Inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-client ssl)# forward-proxy-ca-certificate enterpiseABC-selfsignd key enterpiseABC-key
ACOS-Inside(config-client ssl)# forward-proxy-enable
ACOS-Inside(config-client ssl)# forward-proxy-trusted-ca-list enterpiseABC-trusted-CAs
ACOS-Inside(config-client ssl)# forward-proxy-alt-sign cert

Deleting Certificate Files

To delete SSL files, use either of the following methods.

SSL File Delete (GUI Procedure)

1. Navigate to one of the following:
   • ADC >> SSL Management >> SSL Certificates
   • ADC >> SSL Management >> Cert Revocation List
2. Select the files to delete.
3. Click Delete.

SSL File Delete (CLI Procedure)

Using the CLI, you can delete specific SSL files by name.

Use the pki delete command at the global configuration level of the CLI to delete SSL files.

Configuring Simple Certificate Enrollment Protocol (SCEP) Certificates

SCEP is a part of the Public Key Infrastructure (PKI); it simplifies management of security certificates by providing simplified installation and automated renewal of X.509 certificates. You can use SCEP certificates with the same ACOS features that support manually imported certificates. For example, SCEP certificates are supported with SSLi.

NOTE: This feature is not supported for HSM platforms, including Thun-
der 5630.

To configure a SCEP certificate, you need to specify the certificate name, a password, and
the location (URL) of the ES. ACOS handles the rest. Then, to use the certificate, add it to an
SSL template and bind the template to the virtual port in your application. There is no GUI
support for configuring this feature.

The following topics are covered:

Enrollment and Renewal Process 337
Configuring SCEP Certificate 338
Copying SCEP Certificate 338
Viewing SCEP Certificate 339
CLI Configuration 339

Enrollment and Renewal Process

After you configure a SCEP certificate for enrollment, ACOS performs the following steps:

1. Generate a private key. In this step, an RSA key with the specified key length is generated for the certificate.
2. Fetch CA certificates. ACOS queries the ES for its certificates. In this step, three certificates are returned: 1 CA certificate and 2 ES certificates, an ES-encryption certificate and an ES-signature certificate.
3. Generate Certificate Signing Request (CSR). The CSR includes the SCEP password you assign to the SCEP certificate, and other parameters needed for the certificate.
4. Fetch the certificate. The CSR is encrypted using the public key of the ES-encryption certificate, and forwarded to the ES.
5. The ES validates the CSR and forwards the request to the CA. The CA then returns the signed certificate. The certificate is signed using the ES-signature certificate.
6. Store the certificate. After successful verification of the response from the CA, ACOS accepts the certificate and stores it. SCEP certificates are stored in DER format. SCEP keys are stored in PEM format.
7. Schedule renewal. ACOS handles automatic renewal of the certificate when it is about to expire. ACOS checks the expiration dates of both the enrolled certificate and the issuing CA’s certificate. ACOS then schedules renewal of the certificate, to occur at a specific time or periodically, depending on configuration. ACOS bases the new expiration date on the later of the expiration dates of the enrolled certificate and the CA certificate.
8. Rotate and store files. After certificate renewal, the old certificate and key files are still stored for any future reference. Old files are rotated and the new files replace the existing files.
9. This step ensures that there is no need to change the configuration for applications that use the SCEP certificates, because a valid certificate with the correct name is always stored in the same location. The same applies for private keys as well. ACOS stores up to 4 old certificate and key files for each SCEP certificate.

Configuring SCEP Certificate


To configure SCEP using the CLI:

1. Use the pki scep-cert command to create the certificate and change the CLI to edit it.

2. Use the url command to specify the location of the ES. The user is the admin name required by the ES to accept the request. The host is the ES IP address or hostname. The file is the path and filename for the SCEP process on the ES. Example:

url http://192.168.230.101/certsrv/mscep/mscep.dll

3. Specify the password for the certificate. ACOS includes this password in enrollment and renewal requests for the certificate.

4. (Optional) Configure additional parameters. SCEP certificates have the following default settings:
• Interval – 5 seconds
• Log level – 1
• Maximum poll time – 180 seconds
• Method – GET
The other parameters are not set by default.

5. Use the enroll command to begin the enrollment process for the certificate.

Copying SCEP Certificate


You can copy SCEP certificates and keys using the pki copy-cert and pki copy-key commands.

Refer to the Command Line Interface Reference for details.


Viewing SCEP Certificate


To view SCEP information, use the show pki scep-cert command.

For more details about SCEP CLI commands, refer to Command Line Interface Reference.

CLI Configuration
The following commands configure an ACOS device as the inside device in an SSLi deploy-
ment. The wildcard VIP on this device receives SSL-encrypted traffic from inside users, and
decrypts the traffic before sending it to the traffic inspector.

The deployment uses a certificate administered by an SCEP ES. Based on the configuration,
ACOS automatically renews the certificate on a monthly basis.

For brevity, this example shows only the inside device, where the SCEP configuration occurs,
and uses only one certificate. The certificate is used both as the root certificate and as a for-
ward-proxy certificate, which uses SNI support.

On the outside device, the only required command related to SSLi is forward-proxy-enable,
to enable support for the SSLi feature on the device.

• The following commands enroll the certificate. You need to enroll each certificate only once. After a certificate is enrolled, ACOS uses SCEP to administer the certificate. This includes renewing the certificate before it expires. You do not need to manually administer the certificates after you enroll them.
ACOS(config)# pki scep-cert mycert
ACOS(config-scep cert:mycert)# url http://192.168.230.101/certsrv/mscep/mscep.dll
ACOS(config-scep cert:mycert)# password sample_password
ACOS(config-scep cert:mycert)# renew-every month 1

• The following commands configure the client-SSL template:

ACOS(config)# slb template client-ssl ssl_int
ACOS(config-client ssl)# certificate mycert key mycert
ACOS(config-client ssl)# forward-proxy-enable
ACOS(config-client ssl)# forward-proxy-ca-certificate mycert key mycert

• The following shows the configuration of the wildcard VIP. This includes configuration of the other resources, in addition to the client-SSL template, that are required by the wildcard VIP: an ACL that matches on the inside clients, the real server configuration, and the service group.
access-list 101 permit ip any 10.2.2.0 0.0.0.255 log


!
slb server rs1 10.3.3.1
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group sg1-tcp tcp
member rs1:443
!
slb virtual-server vs1-v4 0.0.0.0 acl 101
extended-stats
port 8080 http
service-group sg1-tcp
template client-ssl ssl_int
no-dest-nat port-translation
!

• The following commands show information about the certificate:

ACOS(config)# show pki cert
Name: mycert Type: certificate/key Expiration: Dec 8 22:23:48 2014 GMT
[Expired, Bound] SCEP Enrolled

ACOS(config)# show pki cert mycert


Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1d:5b:42:30:00:00:00:00:24:8f
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=com, DC=a10lab, CN=AD03-CA
Validity
Not Before: Dec 8 18:23:48 2014 GMT
Not After : Dec 8 22:23:48 2014 GMT
Subject: C=CH, O=Linux strongSwan, CN=AX1030
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:53:59:9C:EC:52:E3:58:6C:E5:84:11:E7:5C:F4:C9:FC:59:6B:A3
X509v3 Authority Key Identifier:
keyid:06:18:97:1C:58:B4:E4:95:5F:61:61:5D:DB:9C:1B:85:39:48:87:37

X509v3 CRL Distribution Points:
URI:ldap:///CN=AD03-CA,CN=AD03,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=a10lab,DC=com?certifica
Authority Information Access:
CA Issuers - URI:ldap:///CN=AD03-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=a10lab,DC=com?cACertifi
OCSP - URI:http://ad03.a10lab.com/ocsp
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0-.%+.....7.....E......+.......Ks...M......d...
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2
1.3.6.1.4.1.311.21.10:
0.0

Configuring Automatic Certificate Management Environment (ACME) Certificates

ACME is used to obtain certificates for websites (HTTPS). Its purpose is to validate domain names for issuing certificates in the web PKI. The protocol passes JSON-formatted messages over HTTPS; it was designed by the Internet Security Research Group (ISRG) for their Let's Encrypt service and is specified in RFC 8555. It also automates several aspects of certificate management.

Using Let's Encrypt together with the ACME protocol, you can set up an HTTPS server and automatically obtain a browser-trusted certificate. Generally, an ACME client runs as an agent on a web server; on ACOS, the ACME client obtains the certificate and renews it.

Domain verification uses the HTTP-01 challenge, which provisions an HTTP resource under a well-known URI. The domain must be the certificate's Common Name, and its IP address must be mapped to the ACOS virtual IP address. In an aVCS and VRRP-A deployment, the aVCS master accepts the configuration and syncs it to the slave device(s). Data traffic is served by the HA primary device(s), so the HTTP-01 challenge from the CA server is also served by the HA primary device(s). If you do not want to use the default VRID (0), configure the VRID option.


To configure an ACME certificate, you must first enable replying to the ACME HTTP-01 challenge from the CA server. Because the CA server verifies that the ACME client controls the domain, on the ACOS side you must manually configure a reverse proxy.

NOTE: Currently, A10 supports only the HTTP-01 challenge type. Additionally, the ACME protocol traffic follows the routing table and DNS settings on the shared partition.

The following topics are covered:

Enrollment and Renewal Process 342

ACME Directory URL 343

Configuring ACME Certificate 343

Viewing ACME Certificate 344

Configuration Examples 344

Enrollment and Renewal Process


After you configure an ACME certificate for enrollment, ACOS performs the following steps:

• Generates an account key and registers this account with the CA server.
• Generates a domain private key, an RSA or EC key with the specified key length, for the certificate.
• Proves to the CA server that it controls the user's domain. If the domain is already verified, ACOS skips this step. If the domain is not verified yet, ACOS deploys the challenge and triggers the CA server to start the verification process.
• Certificate issuance. Once CA verification succeeds, the ACOS account key pair is authorized; requesting and renewing then consist of creating a CSR, signing it with the authorized key pair, and sending it to the CA. ACOS then downloads the certificates for the domain from the CA server.
• Stores the certificate. After successful verification of the response from the CA, ACOS accepts the certificate and stores it.
• Notifies the application layer. The client-SSL template accepts the ACME certificate, and ACOS notifies the application that the certificate is ready for use.


• Schedules renewal. ACOS handles automatic renewal of the certificate when it is about to expire. ACOS checks the expiration date and renews either periodically or at a specific time before the certificate expires, depending on configuration.
• Rotates and stores files. After certificate renewal, the old certificate and key files are still stored for any future reference. Old files are rotated and the new files replace the existing files.

NOTE: After enrollment, the account-email and domain are already registered with the CA. Hence, account-email and domain cannot be changed after the certificate is enrolled. To change them, you must remove the acme-cert and re-enroll.

ACME Directory URL

By default, Let's Encrypt is used as the CA server. Let's Encrypt enforces rate limits to ensure fair usage by as many people as possible.

• Staging URL - https://acme-staging-v02.api.letsencrypt.org/directory
• Production URL - https://acme-v02.api.letsencrypt.org/directory

NOTE: A10 strongly recommends running with the staging environment to test your configuration, then switching to the production environment.

Configuring ACME Certificate


To configure ACME using the CLI:

1. Use the reply-acme-challenge option under the HTTP virtual port.

2. Use the pki acme-cert command to create the certificate and change the CLI to edit it.

3. Use the account-email, cert-type, domain, and url commands.

4. (Optional) Configure additional parameters:
• Renew intervals
• Log level
• Staging URL
• SAN domain

• VRID

5. Use the enroll command to begin the enrollment process for the certificate.

NOTE: Make sure that HTTP port 80 is not blocked by the firewall. The virtual port 80 that replies to ACME challenges must be up and running.
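The HTTP-01 exchange that the CA performs against the port-80 virtual port, as an added example that is not part of this guide or of ACOS: a Python model, standard library only, of the responder role that reply-acme-challenge provides and of the CA's check of the key authorization (the token joined to the account key's RFC 7638 thumbprint). SAMPLE_JWK, OTHER_JWK and SAMPLE_TOKEN are constructed placeholders, not real keys or tokens issued by any CA.

```python
"""HTTP-01 challenge exchange between a CA and a port-80 responder, modeled
on the description above. Added example written for this page, not A10 or
Let's Encrypt code; standard library only. SAMPLE_JWK and SAMPLE_TOKEN are
constructed values, not a real account key or a token issued by any CA."""
import base64
import hashlib
import json
from typing import Dict, Set, Tuple

WELL_KNOWN_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: Dict[str, str]) -> str:
    """RFC 7638 canonical form of an RSA public JWK: only the required
    members (e, kty, n) in lexicographic order, no whitespace. Extra
    members such as 'kid' must not be included."""
    required = {"kty": jwk["kty"], "n": jwk["n"], "e": jwk["e"]}
    return json.dumps(required, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """base64url(SHA-256(canonical JWK)): the account key thumbprint."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class Http01Responder:
    """Stands in for the HTTP virtual port that replies to ACME challenges.
    It holds the account key and the tokens of challenges still pending."""

    def __init__(self, account_jwk: Dict[str, str]):
        self.account_jwk = account_jwk
        self.pending: Set[str] = set()

    def provision(self, token: str) -> None:
        self.pending.add(token)

    def handle(self, path: str) -> Tuple[int, str]:
        """Answer an HTTP GET: (status code, body)."""
        if not path.startswith(WELL_KNOWN_PREFIX):
            return 404, ""
        token = path[len(WELL_KNOWN_PREFIX):]
        if token not in self.pending:
            return 404, ""
        return 200, key_authorization(token, self.account_jwk)


def ca_validate(responder: Http01Responder, token: str,
                registered_jwk: Dict[str, str]) -> bool:
    """CA side: fetch the well-known path over plain HTTP (port 80) and
    compare the body with the key authorization computed from the account
    key registered for this account."""
    status, body = responder.handle(WELL_KNOWN_PREFIX + token)
    return status == 200 and body.strip() == key_authorization(token, registered_jwk)


# Constructed sample values: the moduli are placeholders, not real keys.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk",
              "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/EXAMPLE"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "YW5vdGhlci1wbGFjZWhvbGRlci1tb2R1bHVz"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def provisioned_responder(token: str) -> Http01Responder:
    responder = Http01Responder(SAMPLE_JWK)
    responder.provision(token)
    return responder


def demo_exchange() -> Dict[str, bool]:
    """Before provisioning the CA gets a 404; afterwards the challenge
    passes, but only for the account key that was registered."""
    responder = Http01Responder(SAMPLE_JWK)
    before = ca_validate(responder, SAMPLE_TOKEN, SAMPLE_JWK)
    responder.provision(SAMPLE_TOKEN)
    return {"before_provision": before,
            "after_provision": ca_validate(responder, SAMPLE_TOKEN, SAMPLE_JWK),
            "wrong_account_key": ca_validate(responder, SAMPLE_TOKEN, OTHER_JWK)}
```

The responder needs only the account key and the pending tokens; it never handles the domain private key, which is why a plain-HTTP port 80 is sufficient for this challenge and why that port must be reachable from the CA. Note that canonical_jwk deliberately drops members such as kid: including them changes the thumbprint and makes every challenge fail.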

Viewing ACME Certificate


To view ACME information, use the show pki acme-cert command.

For more details about the ACME CLI commands, refer to Command Line Interface Reference and
Command Line Interface Reference for ADC.

Configuration Examples
• The following commands enroll the certificate with the Let's Encrypt CA. You need to enroll each certificate only once. After a certificate is enrolled, ACOS uses ACME to administer the certificate. This includes renewing the certificate before it expires. You do not need to manually administer the certificates after you enroll them.
ACOS(config)# pki acme-cert test
ACOS(config-acme cert:test)# account-email [email protected]
ACOS(config-acme cert:test)# cert-type rsa
ACOS(config-acme cert:test)# domain test.com
ACOS(config-acme cert:test)# enroll
ACOS(config-acme cert:test)# run-with-staging-server
ACOS(config-acme cert:test)# exit

• The following commands show information about the certificate. You can view both the log and the status of the certificate. The show pki acme-cert log <cert-name> command displays the detailed log of the ACME protocol exchange that took place during ACME certificate registration or update.
ACOS(config)# show pki cert acme-test-cert status
Certificate name: test status: SUCCESS
Renew every 2 minutes
rotated files: 4

ACOS(config)# show pki cert acme-test-cert detail


Certificate:
Data:
Version: 3 (0x2)


Serial Number: 1770931951 (0x698e46ef)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=aws2020.ddns.net
Validity
Not Before: Oct 15 02:30:26 2019 GMT    <-- issued time
Not After : Oct 14 02:30:26 2021 GMT    <-- cert validity time
Subject: CN=hku_ra, O=MyOrganization, C=SE


OCSP Certificate Management

Overview

The Online Certificate Status Protocol (OCSP) is an IETF protocol that SSL clients, such as ACOS SSL, can use to verify the status of a server's certificate before establishing an SSL session with that server. The Transport Layer Security (TLS) protocol also gives SSL servers the option to staple their current OCSP status information to their SSL/TLS handshake.

In ACOS SSLi, ACOS_decrypt uses its own certificate and private key to proxy certificates from the outside server when acting as an SSL proxy. Without OCSP, ACOS cannot check whether the certificate of the outside server has become invalid before the expiration date indicated by the Certificate Authority (CA). The ACOS Server Certificate Verification for SSLi feature uses OCSP to dynamically verify the server certificate's status, whether it is valid or expired.

The ACOS software verifies the current status of the server certificate before proxying the session certificates used in SSL proxy connections, whether or not the CA expiration date has been reached.

ACOS does not support OCSP verification for HTTPS responder URIs in certificate extensions. OCSP-stapling configuration is not applicable to SSLi; the internal SSLi receives and processes stapled responses itself.

After a TCP connection has been established between the ACOS device and the client, the server certificate verification process begins.

ACOS Server Certificate Verification

By default, ACOS server certificate verification is enabled. The forward-proxy-ocsp-disable command disables OCSP verification. This feature applies to transparent SSLi for HTTPS sessions.


FIGURE 16-7: ACOS Server Certificate Verification Process

The following is the workflow:


1. ACOS_decrypt is configured with imported trusted CA certificates that it uses to verify the outside server's certificates. The CA certificates are imported before the message exchange process begins.
2. A client initiates an SSL connection to a website, which is proxied or intercepted by ACOS_decrypt. Assuming that ACOS has not already cached a proxied certificate that it can use to create the requested SSL session, it opens an SSL session with the same outside server that the client is attempting to reach.
3. If the outside server has enabled OCSP stapling, the server responds with a "Certificate Status" SSL/TLS handshake message that tells the ACOS device whether or not the server certificate is valid and, if it is valid, the expiration date of that certificate.
• If the "Certificate Status" response contains a "good" stapled OCSP status, the certificate is valid and ACOS_decrypt uses its private key to proxy a public certificate, which it sends to the client. Assuming the client accepts the proxied certificate, an SSL session begins and SSL traffic (for SSLi or SSL offload) is forwarded either to the inspection devices (in SSLi scenarios) or to the outside server (in SSL offload scenarios).
• If the server response contains a "revoked" stapled OCSP status, the certificate is not valid, and depending on the ACOS configuration, ACOS either drops the connection or bypasses the SSL proxy to allow the client to connect directly to the outside server.
• If the server does not support OCSP stapling, the process continues with step 4.
4. ACOS_decrypt looks up the location of the OCSP server embedded within the AIA (Authority Information Access) field in the certificate sent by the Internet server. An OCSP request is sent to the OCSP URL within the AIA field of each certificate in the chain for which ACOS_decrypt does not already have an OCSP cache entry. If the OCSP URL is an HTTP URL, an HTTP connection is initiated to that OCSP responder. If the OCSP URL is an HTTPS URL, the ACOS device does not continue with OCSP verification for that certificate/certificate chain.
5. If the OCSP server responds that the certificate is valid, ACOS_decrypt caches the certificate validity information with its expiration time expressed in seconds. If this OCSP entry expires while a proxied certificate corresponding to it is still in the cache, then


that proxied certificate is also aged out. When a new client request comes to the ACOS
device for the same website, the OCSP verification and certificate proxying process
repeats again.
6. If the OCSP server responds that the certificate is not valid then depending on the
ACOS device configuration, ACOS either drops the connection or bypasses SSL proxy to
allow the client to connect directly to the outside server.

The following are some guidelines for the process:

• When ACOS bypasses SSL traffic, it does not proxy the server certificate. It forwards the Server Hello, Certificate, and other SSL handshake messages received from the outside server in response to the client hello message on to the client. The only changes made to these packets are at Layer 2, Layer 3, or Layer 4, as applicable for traffic forwarding.
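The six-step workflow above, as an added example written for this page rather than A10 code: a Python model of the decision ACOS_decrypt makes for one connection, with the certificate chain, the OCSP responders and the clock as constructed in-memory stand-ins. Cert, OcspResponders, OcspCache, Policy, verify_chain and the sample serials are assumptions of the example; the action names mirror the forward-proxy-cert-revoke-action and forward-proxy-cert-unknown-action settings used in the CLI section that follows. It also makes explicit one point the text leaves open: an https:// responder URI, for which verification stops, is treated here as an unknown status.

```python
"""Server certificate verification flow, modeled on the six-step workflow
above. Added example written for this page, not A10 code: the chain, the
OCSP responders and the clock are constructed in-memory stand-ins, and the
action names mirror the forward-proxy-* settings in the CLI section."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Cert:
    subject: str
    serial: str              # hex, as 'serial(hex)' in the show output
    ocsp_uri: Optional[str]  # OCSP responder URI from the AIA extension


class OcspResponders:
    """Stand-in for Internet responders: uri -> {serial: (status, ttl_s)}."""

    def __init__(self, table: Dict[str, Dict[str, Tuple[str, int]]]):
        self.table, self.queries = table, 0

    def query(self, uri: str, serial: str) -> Tuple[str, int]:
        self.queries += 1  # counted so the demo can show cache hits
        return self.table.get(uri, {}).get(serial, ("unknown", 0))


@dataclass
class OcspCache:
    """Step 5: entries with absolute expiry, plus dependent proxied serials."""
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    proxied: Set[str] = field(default_factory=set)

    def lookup(self, serial: str, now: int) -> Optional[str]:
        hit = self.entries.get(serial)
        if hit is None:
            return None
        status, expires_at = hit
        if now >= expires_at:
            del self.entries[serial]
            self.proxied.discard(serial)  # the proxied certificate ages out too
            return None
        return status

    def store(self, serial: str, status: str, ttl: int, now: int) -> None:
        self.entries[serial] = (status, now + ttl)


@dataclass
class Policy:
    """forward-proxy-cert-revoke-action / forward-proxy-cert-unknown-action."""
    revoke_action: str = "drop"
    unknown_action: str = "drop"


def verify_chain(chain, stapled, cache, responders, policy, now) -> str:
    """Return 'proxy' when the chain checks out, else the configured action."""
    # Step 3: a stapled status for the leaf settles it without any lookup.
    if stapled == "good":
        cache.proxied.add(chain[0].serial)
        return "proxy"
    if stapled == "revoked":
        return policy.revoke_action
    # Steps 4-6: query every certificate in the chain that has no live entry.
    for cert in chain:
        status = cache.lookup(cert.serial, now)
        if status is None:
            uri = cert.ocsp_uri
            if uri is None or not uri.startswith("http://"):
                # Step 4: an https:// (or missing) URI stops verification.
                # Assumption: handled as 'unknown'; the page names no action.
                return policy.unknown_action
            status, ttl = responders.query(uri, cert.serial)
            if status in ("good", "revoked"):
                cache.store(cert.serial, status, ttl, now)
        if status == "revoked":
            return policy.revoke_action
        if status != "good":
            return policy.unknown_action
    cache.proxied.add(chain[0].serial)
    return "proxy"


# Constructed sample data; the serial 0123e2 echoes the show output above.
RESPONDER_URI = "http://ocsp.example.test/"
SAMPLE_CHAIN = [Cert("www.example.com", "0123e2", RESPONDER_URI),
                Cert("Example Issuing CA", "0a", RESPONDER_URI)]


def sample_responders() -> OcspResponders:
    return OcspResponders({RESPONDER_URI: {"0123e2": ("good", 3600),
                                           "0123e3": ("revoked", 3600),
                                           "0a": ("good", 86400)}})


def cache_scenario() -> list:
    """Three connections to one site: cache hit, then re-query after expiry."""
    cache, responders, out = OcspCache(), sample_responders(), []
    for now in (1000, 2000, 5000):
        out.append(verify_chain(SAMPLE_CHAIN, None, cache, responders, Policy(), now))
        out.append(responders.queries)
    return out  # ['proxy', 2, 'proxy', 2, 'proxy', 3]


def expiry_ages_out_proxied() -> bool:
    """An expired OCSP entry also evicts the proxied certificate tied to it."""
    cache = OcspCache()
    cache.store("0123e2", "good", 10, now=0)
    cache.proxied.add("0123e2")
    return cache.lookup("0123e2", now=10) is None and "0123e2" not in cache.proxied
```

cache_scenario() returns ['proxy', 2, 'proxy', 2, 'proxy', 3]: the first connection queries both the leaf and the issuing CA, the second is served entirely from the cache, and the third queries again only for the leaf whose entry expired, which is also the moment the proxied certificate for that site ages out.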

CLI Configuration
1. Configure the SSL client template.

The following SSL client template is enabled for SSL proxy through the forward-proxy commands shown.
ACOS_decrypt(config)#slb template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# forward-proxy-trusted-ca default_ca_bundle_jan_2018
ACOS_decrypt(config-client ssl)# forward-proxy-trusted-ca windows_ca_bundle_jan_2018
ACOS_decrypt(config-client ssl)# enable-tls-alert-logging fatal
ACOS_decrypt(config-client ssl)# forward-proxy-verify-cert-fail-action drop
ACOS_decrypt(config-client ssl)# forward-proxy-cert-revoke-action drop
ACOS_decrypt(config-client ssl)# forward-proxy-cert-unknown-action drop


By default, ACOS drops client connections for which the certificate of the outside server is invalid. When server verification is configured using the forward-proxy-trusted-ca commands in a client-SSL template, the action is to bypass client connections if the certificate of the outside server is invalid.

2. If you deploy SSLi and ACOS_decrypt is not provisioned with L3V partitions, the configuration of port 443 https of the wildcard VIP on the client is not changed.
ACOS_decrypt(config)#slb virtual-server decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)#port 443 https
ACOS_decrypt(config-slb vserver-vport)#no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)#service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)#template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-slb vserver-vport)#exit

3. If you deploy SSLi and ACOS_decrypt is provisioned with L3V partitions, the configuration of port 443 https of the wildcard VIP must include the route to the DNS server, as shown in the following command lines, and non-HTTP protocols must be bypassed:
ACOS_decrypt(config)#slb template dynamic-service DNS-FOR-OCSP
ACOS_decrypt(config-dynamic-service)#dns server 192.168.1.110
ACOS_decrypt(config-dynamic-service)#dns server 8.8.8.8
ACOS_decrypt(config-dynamic-service)#exit

The following commands create an HTTP template named "non-http-bypass." When this template is bound to the HTTPS port, it redirects all non-HTTP traffic to the FW1_Inspect_SG service group. By default, the ACOS device drops non-HTTP requests that are sent to an HTTP port.
ACOS_decrypt(config)# slb template http non-http-bypass
ACOS_decrypt(config-http)# non-http-bypass service-group FW1_Inspect_SG
ACOS_decrypt(config-http)# exit

4. Bind both templates, non-http-bypass and d1, and the client-SSL template to the vir-
tual server that proxies for the SSL external server.
ACOS_decrypt(config)# slb virtual-server decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS_decrypt(config-slb vserver-vport)# template dynamic-service d1
ACOS_decrypt(config-slb vserver-vport)# template http non-http-bypass

ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-slb vserver-vport)# exit

5. Whether or not ACOS_decrypt is L3V partitioned, the configuration of the wildcard ports of the VIP is not changed:
ACOS_decrypt(config-slb vserver)#port 0 tcp
ACOS_decrypt(config-slb vserver-vport)#no-dest-nat
ACOS_decrypt(config-slb vserver-vport)#service-group ALL_TCP_SG
ACOS_decrypt(config-slb vserver-vport)#exit

ACOS_decrypt(config-slb vserver)#port 0 udp
ACOS_decrypt(config-slb vserver-vport)#no-dest-nat
ACOS_decrypt(config-slb vserver-vport)#service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)#exit

ACOS_decrypt(config-slb vserver)#port 0 others
ACOS_decrypt(config-slb vserver-vport)#no-dest-nat
ACOS_decrypt(config-slb vserver-vport)#service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)#exit
ACOS_decrypt(config-slb vserver)#exit

6. Enable a source-NAT pool for use by the ACOS Server Verification Module (SVM) daemon. Source NAT is required to dynamically make the TCP connections between ACOS devices and the resources that SVM OCSP needs to reach. In the following example, the TCP connection uses a pool of source addresses reserved for OCSP connections.
ACOS_decrypt(config)#ip nat pool OCSP_NAT_vl_50 192.168.51.254 192.168.51.254 netmask /24
ACOS_decrypt(config)#slb svm-source-nat pool OCSP_NAT_vl_50

7. Configure the IP address of a DNS server that ACOS_decrypt can reach to be able to
look up the IP address of the OCSP servers that the ACOS server certificate verification
feature will use. The configuration of a default route, interfaces, ports, and service
groups that enable ACOS_decrypt to connect to the DNS server are not shown.
ACOS_decrypt(config)#ip dns primary 8.8.8.8

8. Use the show slb ssl-ocsp cache command to view the status of the OCSP cache:
ACOS_decrypt#show slb ssl-ocsp cache
Total: 2
Common Name Status
-------------------------------------------------------------------
Company1 Internet Authority G2 Good
Company2 Root Certificate Authority - G2 Good

Certificate Revocation List

Certificate Revocation List (CRL) is an available option for the server-SSL template to validate the service-side server. Each CRL must have a relevant certificate authority (CA) certificate configured in the same SSL template in order to validate whether incoming certificates have been revoked. A maximum of 128 files containing CA or CRL data may be configured.

Specify the name of the Certificate Revocation List (CRL) to use for verifying whether server
certificates have been revoked. The CRL must be installed on the ACOS device first. The CA
certificate relevant to the CRL must also be specified.

CLI Configuration
When you add a CRL to a server-SSL template, the ACOS device checks the CRL to confirm whether or not the servers' certificates have been revoked by the issuing Certificate Authority (CA).

This section provides configuration instructions for adding CRL and CA certificates, viewing
the CRL and OCSP activity, and retrieving the CRL expiration status.

1. Add CRL and CA certificates to a server-SSL template named SSL-Svr, along with the import of CA certificates.
ACOS(config)#slb template server-ssl SSL-Svr
ACOS(config-server ssl)# crl 10_ca.crt_crl.pem
ACOS(config-server ssl)# crl 20_ca.crt_crl.pem
ACOS(config-server ssl)# crl root-ca.pem.crl.pem
ACOS(config-server ssl)#ca-cert 10_ca_crt
ACOS(config-server ssl)# certificate Cert123 key Key123 pass-phrase Pass123
ACOS(config-server ssl)#ca-cert 20_ca.crt
ACOS(config-server ssl)#ca-cert root-ca.pem

2. Use the show slb ssl-cert-revoke-stats command to view both OCSP and CRL activity:
ACOS(config-client ssl)# show slb ssl-cert-revoke-stats
OCSP stapling response good: 0
Certificate chain status good: 0
Certificate chain status revoked: 0
Certificate chain status unknown: 0


OCSP requests: 0
OCSP responses: 0
OCSP connection errors: 0
OCSP URI not found: 0
OCSP URI https: 0
OCSP URI unsupported: 0
OCSP response status good: 0
OCSP response status revoked: 0
OCSP response status unknown: 0
OCSP cache status good: 0
OCSP cache status revoked: 0
OCSP cache miss: 0
OCSP cache expired: 0
OCSP other errors: 0
CRL requests: 0
CRL responses: 0
CRL connection errors: 0
CRL URI not found: 0
CRL URI https: 0
CRL URI unsupported: 0
CRL response status good: 0
CRL response status revoked: 0
CRL response status unknown: 0
CRL cache status good: 0
CRL cache status revoked: 0
CRL other errors: 0

3. Use the show slb ssl-crl command to view the retrieved CRL status for a specific vir-
tual port. If the certificate issuers have listed expiration dates for the certificates, then
this command will show you the issuer and the expired or not expired status.
ACOS_decrypt#show slb ssl-crl example_vip_name 443
Virtual server(example_vip_name : 443):
----Retrieved CRL----
Issuer: /O=AlphaSSL/CN=AlphaSSL CA - G2
Status: Expired
Issuer: /O=Cybertrust, Inc/CN=Cybertrust Global Root
Status: Not expired
Issuer: /O=Verizon Cybertrust Security/CN=Cybertrust SureServer EV OCSP CA
Status: Not expired
Issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
Status: Expired
Issuer: /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2


Status: Expired

4. You can disable CRL services for SSLi (forward proxy) with the forward-proxy-crl-disable command. The following example shows how to disable CRL services in the client-SSL template named ClientSide_vRouter.
ACOS_decrypt(config)#slb template client-ssl ClientSide_vRouter
ACOS_decrypt(config-client ssl)#forward-proxy-crl-disable
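Added example (not A10 code) that parses the output of the show slb ssl-crl and show slb ssl-cert-revoke-stats commands shown in steps 2 and 3 into monitoring findings: CRLs the device reports as expired, and counters that indicate sessions whose certificate status could not be established. The two sample outputs are constructed from the format shown on this page; the counter values are invented so that something is flagged (the real output above shows zeros), and the function and constant names are the example's own.

```python
"""Monitoring helper for the two show commands above. Added example written
for this page, not A10 code: it parses the text of 'show slb ssl-crl' and
'show slb ssl-cert-revoke-stats' and turns it into findings a defender would
act on (CRLs past their expiry, sessions whose certificate status could not
be established). Both sample outputs are constructed from the format shown
on this page; the counter values are invented so that something is flagged."""
import re
from typing import Dict, List, Tuple

SAMPLE_CRL_OUTPUT = """\
Virtual server(example_vip_name : 443):
----Retrieved CRL----
Issuer: /O=AlphaSSL/CN=AlphaSSL CA - G2
Status: Expired
Issuer: /O=Cybertrust, Inc/CN=Cybertrust Global Root
Status: Not expired
Issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
Status: Expired
"""

SAMPLE_STATS_OUTPUT = """\
OCSP stapling response good: 120
Certificate chain status good: 95
Certificate chain status revoked: 2
Certificate chain status unknown: 7
OCSP requests: 40
OCSP responses: 33
OCSP connection errors: 5
OCSP URI not found: 1
OCSP URI https: 4
OCSP URI unsupported: 0
OCSP cache expired: 3
CRL connection errors: 2
"""

# Counters that mean ACOS could not establish a certificate's status. Each
# such session is handled by forward-proxy-cert-unknown-action, so a rising
# value means traffic is being dropped or passed through unverified.
UNVERIFIED_COUNTERS = (
    "Certificate chain status unknown",
    "OCSP connection errors",
    "OCSP URI not found",
    "OCSP URI https",
    "OCSP URI unsupported",
    "CRL connection errors",
)


def parse_crl_status(text: str) -> List[Tuple[str, str]]:
    """(issuer, status) pairs from 'show slb ssl-crl' output."""
    pairs, issuer = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            issuer = line[len("Issuer:"):].strip()
        elif line.startswith("Status:") and issuer is not None:
            pairs.append((issuer, line[len("Status:"):].strip()))
            issuer = None
    return pairs


def expired_crls(text: str) -> List[str]:
    """Issuers whose retrieved CRL the device reports as Expired."""
    return [issuer for issuer, status in parse_crl_status(text) if status == "Expired"]


def parse_revoke_stats(text: str) -> Dict[str, int]:
    """{counter name: value} from 'show slb ssl-cert-revoke-stats' output."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(.+?):\s*(\d+)\s*$", text, re.MULTILINE)}


def findings(crl_text: str, stats_text: str) -> List[str]:
    """Human-readable findings; an empty list means nothing needs attention."""
    stats = parse_revoke_stats(stats_text)
    out = [f"expired CRL: {issuer}" for issuer in expired_crls(crl_text)]
    out += [f"{name}: {stats[name]}" for name in UNVERIFIED_COUNTERS if stats.get(name, 0) > 0]
    revoked = stats.get("Certificate chain status revoked", 0)
    if revoked > 0:
        out.append(f"revoked certificates seen: {revoked}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_CRL_OUTPUT, SAMPLE_STATS_OUTPUT):
        print(line)
```

Feed the captured text of the two show commands into findings(). An expired CRL means revocation checks against that issuer are no longer current, and a non-empty set of unverified counters on a template whose cert-unknown-action is bypass or continue means sessions are being passed through without a revocation result.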

IP-less OCSP and CRL Requests

In a standard SSLi setup, an SVM NAT pool is configured as the source for OCSP and CRL requests. However, ACOS also supports using the client IP address for OCSP and CRL requests. This lets the ACOS deployment be used across different hardware systems, as there is no requirement to configure an IP address for OCSP and CRL requests.

Some of the important guidelines are:

• This feature is supported for IP-less Layer-2 SSLi.
• In order to resolve the OCSP and CRL URLs, the ip dns primary configuration in the shared partition must be set. Because ip dns primary is a global configuration, it is required in the shared partition even if the ACOS encrypt and ACOS decrypt zones are in private partitions.
• Unlike legacy SSLi, this feature does not need an svm-source-nat pool on the shared partition or a dynamic-service template on the L3V partitions.

CLI Configuration
The following is a sample configuration of the shared partition of the ACOS system. The ip dns primary line corresponds to the configuration guidelines above.
ACOS# show running-config
!
! multi-ctrl-cpu 2
!The IP address used here is also used as the default gateway.
ip dns primary 192.168.1.50
!
partition test id 21
!
interface management
ip address 10.6.29.50 255.255.255.0
ip default-gateway 10.6.29.1


!
interface ethernet 1
!
interface ethernet 2
!
interface ethernet 3
!
interface ethernet 4
!
ip route 192.168.1.50 /32 10.6.29.1
!
end

Invalid Certificates Customizable Message

An invalid certificate is defined as an origin certificate that has issues, such as CN mismatch, self-signed, unknown CA, revoked certificate, expired certificate, broken trust chain, OCSP issues, and so on. When certificate validation fails or OCSP validation fails, the SSLi log includes a unique ID that is referenced by the customizable web page displayed to the user.

In case of a certificate verification failure, a certificate revocation, or an unknown certificate, SSLi enables you to either drop, bypass, or continue the connection. In addition to these three actions, you can also use the block option, which displays an error page with a customizable message.

CLI Configuration
You can configure a customizable message if you enable the block option for SSLi certificate
errors.

Perform the following steps to configure a customizable error message:

1. Create the client SSL template.


ACOS(config)# slb template client-ssl clientssl

2. Configure the block option for a certificate verification failure.


ACOS(config-client ssl)# forward-proxy-verify-cert-fail-action block

3. Configure the block option for an unknown certificate failure.


ACOS(config-client ssl)# forward-proxy-cert-unknown-action block

4. Configure the block options for a certificate revocation.


ACOS(config-client ssl)# forward-proxy-cert-revoke-action block

5. Configure the message to display if SSLi encounters an invalid certificate.


ACOS(config-client ssl)# forward-proxy-block-message "This website cannot be displayed as there is a certificate issue."

Revoking Certificates

ACOS supports revoking certificates generated by SSLi if the certificates are leaked. Revoked
certificates are identified by their serial numbers. If a certificate is revoked from the cache, a
CRL is generated and provided to the clients connected to SSLi providing information about
the revoked certificates.

The following is some important information regarding revoked certificates:

• A certificate, if revoked, cannot be restored.
• The CRL is generated manually and then exported to a location reachable by the clients.

CLI Configuration
The workflow is as follows; some commands differ between static port SSLi and dynamic port SSLi.

Step 1: Checking the Certificate Serial Number

Follow the steps below to obtain the server certificate serial number, depending on the type
of SSLi configured for your system.

Static Port SSLi

The command syntax for checking the certificate serial number for a static port SSLi virtual port is:

ACOS(config)# show slb ssl-forward-proxy-cert vip_name vport_number ipaddress server_ip_address server_name

For static port SSLi, the following is an example:

ACOS(config)# show slb ssl-forward-proxy-cert internet 443 ipaddress 10.10.10.1 www.example.com

Output similar to the following is displayed; the certificate serial number is on the serial(hex) line:
Virtual server port internet: 443

----Start One Certificate---


Real Server : 10.10.10.1 :443 tcp
Servername: www.example.com
ALPN Protocol: ALPN NONE
state: ready
hash index : 5864
hit times : 1
idle time : 33 seconds
timeout after 3567 seconds
expires after 604758 seconds
version : 3

[output truncated]
serial(hex): 0123e2
Total number of particular certificates that are printed is 1

Dynamic Port SSLi

The command syntax for checking the certificate serial number for dynamic port SSLi is:

ACOS(config)# show slb ssl-forward-proxy-cert vip_name 0 ip server_ip_address port_number server_name

The port number is the port on which the traffic is running. For dynamic port SSLi, the following is an example:

ACOS(config)# show slb ssl-forward-proxy-cert inside 0 ip 10.10.10.1 443 www.example.com

Output similar to the following is displayed; the certificate serial number is on the serial(hex) line:
----Start One Certificate---
Real Server : 10.10.10.1 :443 tcp
Servername: www.example.com
ALPN Protocol: ALPN NONE
state: ready
hash index : 5864
hit times : 1
idle time : 33 seconds
timeout after 3567 seconds
expires after 604758 seconds
version : 3

[output truncated]
serial(hex): 0123e2
Total number of particular certificates that are printed is 1

Step 2: Revoking a Certificate

The following is the syntax for revoking a certificate:

ACOS(config)# pki ssli revoke vip_name vport_number certificate_serial_number_hex

For a static port SSLi configuration where the VIP is called internet and the certificate serial
number is 0123e2, run the following command to revoke the certificate:

ACOS(config)# pki ssli revoke internet 443 0123e2

Step 3: Generating a CRL

The following is the syntax for generating a CRL:

ACOS(config)# pki ssli generate crl vip_name vport_number

Run the following command to generate the CRL for a static port SSLi configuration:

ACOS(config)# pki ssli generate crl internet 443

Step 4: Displaying the CRL

The following is the syntax for displaying the generated CRL:

ACOS(config)# show pki crl

Output similar to the following is displayed:

name: internet-443.crl
Issuer: /O=Example Inc, Inc./OU=IT SSLi/[email protected]/L=San Jose/ST=CA/C=US/CN=A10_Intermediate_CA_SHA256

Step 5: Clearing Revoked Certificates and Deleting the CRL

The following is the syntax for clearing the list of revoked certificates and deleting the CRL:

ACOS(config)# clear slb ssl-forward-proxy-revoked vip_name vport_number

The following is an example:

ACOS(config)# clear slb ssl-forward-proxy-revoked internet 443
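The revocation workflow above is a good place to script the two lookups a responder actually performs: find the serial of the leaked certificate in the forward-proxy certificate table, and confirm afterwards that the CRL handed to clients really lists it. The following Python is an added example and is not part of the A10 guide or of ACOS. The show output and the CRL are constructed sample data; the CRL is deliberately unsigned (a CRL exported from ACOS carries the SSLi CA's signature, which a client must verify before trusting the list), and the decoder follows the CertificateList layout of RFC 5280 section 5.1 rather than any A10-specific format.

```python
import re

# Constructed sample of `show slb ssl-forward-proxy-cert` output with two entries;
# only the Servername and serial(hex) lines matter to the parser.
SHOW_OUTPUT = """Virtual server port internet: 443
----Start One Certificate---
Real Server : 10.10.10.1 :443 tcp
Servername: www.example.com
[output truncated]
serial(hex): 0123e2
----Start One Certificate---
Real Server : 10.10.10.2 :443 tcp
Servername: mail.example.com
serial(hex): 0123e3
Total number of particular certificates that are printed is 2
"""


def parse_cert_table(text):
    """Map Servername -> serial (lower-case hex) for every certificate block."""
    table = {}
    for block in text.split("----Start One Certificate---")[1:]:
        name = re.search(r"Servername:\s*(\S+)", block)
        serial = re.search(r"serial\(hex\):\s*([0-9A-Fa-f]+)", block)
        if name and serial:
            table[name[1]] = serial[1].lower()
    return table


def revoke_commands(vip, vport, servername, table):
    """The two CLI commands that revoke one leaked certificate and publish a CRL."""
    return [f"pki ssli revoke {vip} {vport} {table[servername]}",
            f"pki ssli generate crl {vip} {vport}"]


# Minimal DER (X.690) helpers: enough to build a test CRL and walk a real one.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _int(v):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def crl_revoked_serials(der):
    """Serial numbers listed in a DER CertificateList (RFC 5280, section 5.1)."""
    _, cert_list, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0          # optional version
    i += 3                                        # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                    # optional nextUpdate
    serials = set()
    if i < len(fields) and fields[i][0] == 0x30:  # revokedCertificates
        for _, entry in _children(fields[i][1]):
            serials.add(int.from_bytes(_children(entry)[0][1], "big", signed=True))
    return serials


def is_revoked(der, serial_hex):
    """True if the serial shown by `show slb ssl-forward-proxy-cert` is in the CRL."""
    return int(serial_hex, 16) in crl_revoked_serials(der)


def build_sample_crl(serials):
    """Constructed, UNSIGNED CertificateList for exercising the parser. A CRL exported
    from ACOS is signed by the SSLi CA; clients must verify that signature."""
    def utc(s):
        return _tlv(0x17, s.encode())
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"A10_Intermediate_CA_SHA256"))
    revoked = _tlv(0x30, b"".join(_tlv(0x30, _int(s) + utc("210901000000Z")) for s in serials))
    tbs = _tlv(0x30, _int(1) + alg + _tlv(0x30, _tlv(0x31, cn))
               + utc("210901000000Z") + utc("211001000000Z") + revoked)
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(33)))  # zero BIT STRING as placeholder
```

In practice the DER input to `crl_revoked_serials` is the file exported after `pki ssli generate crl`, and the serial passed to `is_revoked` is copied from the serial(hex) line or read from the certificate a client actually received; comparing the two integers rather than the hex strings avoids false negatives from leading zeros.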

Chapter 17: SSLi with IPv6 Deployment
ACOS supports SSLi IPv6 deployment in a single ACOS device with two partitions. Two par-
titions are required for SSLi in this deployment, one to decrypt SSL traffic and the second to
encrypt SSL traffic.

Although A10 Networks supports a number of different types of SSLi deployments, with each
deployment supporting different SSLi features, the overall steps for configuring SSLi for
each deployment are the same.

NOTE: If you are new to SSLi, it is recommended that you first understand the IPv4 static port deployment for both GUI and CLI discussed in Two ACOS Devices, Each With Single Partition Deployment.

The following topics are covered:

Overview 361

Prerequisites 362

CLI Configuration 362


Overview
In the sample deployment as shown in FIGURE 17-1, the client device is connected to the SSLi
solution, which is then connected to the external gateway. The SSLi solution consists of a
single ACOS device and a single security device. The ACOS device is connected to the client
with a partition called SSLi_inside. The ACOS device is also connected to the external gate-
way with a partition called SSLi_outside.

FIGURE 17-1: Sample Topology for SSLi for IPV6 Deployment

The following steps provide an overview of the SSLi process:

1. The client sets up an SSL connection with SSLi_inside and sends an encrypted request.
2. SSLi_inside selects a traffic inspection device, decrypts the request, and sends the
request over a TCP connection to the traffic inspection device.
3. The traffic inspection device inspects the request data.
4. SSLi_outside encrypts the request and sends it to the outside server.
5. The server sends the encrypted reply.
6. SSLi_outside decrypts the reply and sends it back to the same traffic inspection
device.


7. If the reply traffic is allowed by the traffic inspection device, the reply is forwarded to
SSLi_inside.
8. SSLi_inside encrypts the reply and sends it to the client.

Prerequisites
To deploy the SSLi solution on a single ACOS device with two partitions for IPv6 addressing,
the following are the prerequisites:

• A10 Networks Advanced Core Operating System (ACOS®) 4.1.4-P3 or higher.

• Security appliance or ICAP-based (RFC3507) antivirus or DLP solution.

NOTE: If not already provisioned, push the internal PKI CA root certificate to all the client machines.

• The ACOS device supports both CLI and GUI for configuration. Change the default management port IP address for GUI or CLI access.

• In a single device solution, use the command system ve-mac-scheme system-mac to avoid MAC address duplication.

CLI Configuration
Perform the following steps:

1. Follow the prerequisites discussed in Prerequisites.

2. To avoid a duplicate MAC address because of the VLAN that is shared, add the global
command of system ve-mac-scheme system-mac in the shared partition:
ACOS(config)# system ve-mac-scheme system-mac

3. Create the SSLi_outside and SSLi_inside partitions by running the following commands. The active-partition command switches the session into a partition (the prompt changes to show the active partition, for example ACOS[SSLi_outside](config)#), and active-partition shared returns to the shared partition. The partition-specific steps later in this chapter are run inside the respective partition.
ACOS(config)# partition SSLi_outside id 1 application-type adc
ACOS(config-partition: SSLi_outside)# exit
ACOS(config)# active-partition SSLi_outside
ACOS[SSLi_outside](config)# active-partition shared
ACOS(config)# partition SSLi_inside id 2 application-type adc
ACOS(config-partition: SSLi_inside)# exit

4. Specify the DNS addressing by running the following command:


ACOS(config)# ip dns primary 10.5.3.1

5. Specify the management address and external gateway by running the following commands:
ACOS(config)# interface management
ACOS(config-if:management)# ip address 10.6.23.65 255.255.255.0
ACOS(config-if:management)# ip default-gateway 10.6.22.1
ACOS(config-if:management)# exit

SSLi_inside Partition (Decrypt) Configuration

The following topics are covered:

Step 1. Configuring the Network VLANs 363

Step 2. Configuring the Network IP Addresses 364

Step 3. Configuring the SSLi Services 364

Step 4. Configuring the SSLi Service Groups 365

Step 5. Configuring the Virtual Server 365

Consolidated Configuration for SSLi_Inside 367

Step 1. Configuring the Network VLANs


1. Configure the default VLAN. Bind ethernet ports 1 and 2 to the VLAN. Also, bind a vir-
tual interface ve to the VLAN. In this example, a default VLAN of 850 is configured.
SSLi_inside(config)# vlan 850
SSLi_inside(config-vlan:850)# untagged ethernet 1 to 2
SSLi_inside(config-vlan:850)# router-interface ve 850
SSLi_inside(config-vlan:850)# exit-module


2. Enable the ethernet interfaces 1 and 2 that are associated with the VLAN:
SSLi_inside(config)# interface ethernet 1
SSLi_inside(config-if:ethernet:1)# enable
SSLi_inside(config-if:ethernet:1)# cpu-process
SSLi_inside(config-if:ethernet:1)# exit-module

SSLi_inside(config)# interface ethernet 2


SSLi_inside(config-if:ethernet:2)# enable
SSLi_inside(config-if:ethernet:2)# cpu-process
SSLi_inside(config-if:ethernet:2)# exit-module

3. Verify the operational state of the interfaces by running the show interfaces command.
SSLi_inside(config)# show interfaces brief

Step 2. Configuring the Network IP Addresses


Associate the IPv6 address with interface ve 850. Also, specify the IPv6 default route.
SSLi_inside(config)# interface ve 850
SSLi_inside(config-if:ve850)# ip allow-promiscuous-vip
SSLi_inside(config-if:ve850)# ipv6 address 2001:558:3dc:1::9/127
SSLi_inside(config-if:ve850)# exit-module
SSLi_inside(config)# ipv6 route ::/0 2001:558:3dc:1::8

Step 3. Configuring the SSLi Services


1. Create a client SSL template cl_ssl_ipv6 with forward-proxy-enable configured. This configuration enables the SSLi_inside partition to proxy for the remote SSL servers and bring up SSL sessions with the clients. Also, configure the service group for non-SSL traffic that arrives on the HTTPS port (non-ssl-bypass service-group, shown in the consolidated configuration below).
SSLi_inside(config)# slb template client-ssl cl_ssl_ipv6
SSLi_inside(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
SSLi_inside(config-client ssl)# forward-proxy-enable
SSLi_inside(config-client ssl)# exit-module

2. Configure a real server called fw1_ipv6 with the IP address 2001:558:3dc:1::8. Bind TCP port 8080 on fw1_ipv6 so that SSLi_inside forwards decrypted HTTPS traffic over VLAN 850 to the security device. All other TCP and UDP traffic is forwarded by using the wildcard ports port 0 tcp and port 0 udp.
SSLi_inside(config)# slb server fw1_ipv6 2001:558:3dc:1::8

SSLi_inside(config-real server)# port 8080 tcp


SSLi_inside(config-real server-node port)# health-check-disable


SSLi_inside(config-real server-node port)# exit

SSLi_inside(config-real server)# port 0 tcp


SSLi_inside(config-real server-node port)# health-check-disable
SSLi_inside(config-real server-node port)# exit

SSLi_inside(config-real server)# port 0 udp


SSLi_inside(config-real server-node port)# health-check-disable
SSLi_inside(config-real server-node port)# exit

Step 4. Configuring the SSLi Service Groups


Configuring the SSLi service groups enables you to manage how the different types of traffic coming from the clients are handled by SSLi_inside.

1. Create a service group named sg_ssli_ipv6_intercept for decrypted SSL traffic.
SSLi_inside(config)# slb service-group sg_ssli_ipv6_intercept tcp
SSLi_inside(config-slb svc group)# member fw1_ipv6 8080
SSLi_inside(config-slb svc group)# exit-module

2. For the non-HTTPS traffic, which is passed through to the security device without decryption, configure three other service groups called sg_ssli_ipv6_tcp, sg_ssli_ipv6_others, and sg_ssli_ipv6_udp.
SSLi_inside(config)# slb service-group sg_ssli_ipv6_tcp tcp
SSLi_inside(config-slb svc group)# member fw1_ipv6 0
SSLi_inside(config-slb svc group)# exit-module

SSLi_inside(config)# slb service-group sg_ssli_ipv6_others udp


SSLi_inside(config-slb svc group)# member fw1_ipv6 0
SSLi_inside(config-slb svc group)# exit-module

SSLi_inside(config)# slb service-group sg_ssli_ipv6_udp udp


SSLi_inside(config-slb svc group)# member fw1_ipv6 0
SSLi_inside(config-slb svc group)# exit-module

Step 5. Configuring the Virtual Server


1. Configure the access list to permit all IPv6 traffic on VLAN 850 on ethernet 1. You must
bind this ACL to the virtual server that you are going to create in the next step.
SSLi_inside(config)# ipv6 access-list ipv6-decrypt
SSLi_inside(config-access-list:ipv6-decrypt)# permit ipv6 any any vlan 850 ethernet 1
SSLi_inside(config-access-list:ipv6-decrypt)# exit-module


2. Create a virtual server called ssli_ipv6_decryption and associate it with the wildcard outbound VIP to intercept traffic from clients. The following virtual ports are configured on this VIP:

• 443 (HTTPS): Intercepts SSL-encrypted traffic from the clients. Port 443 on the wildcard outbound VIP is bound to a service group called sg_ssli_ipv6_intercept that contains the path through the security device to the SSLi_outside partition. Consider the following information:
  o Destination NAT is disabled, so SSLi_inside does not change the source or destination IP addresses of the traffic.
  o Port translation is enabled and required because the ACOS device must change the destination protocol port from 443 to the port number on which the security device listens for the decrypted traffic.
  o The client-SSL template cl_ssl_ipv6 is bound to the virtual port 443 HTTPS.

• 0 (TCP), 0 (UDP), and 0 (Others): Intercept the client traffic that is not HTTPS:
  o The TCP wildcard port intercepts all other TCP traffic from clients and is bound to a TCP service group called sg_ssli_ipv6_tcp that contains the path through the security device to the SSLi_outside partition.
  o The UDP wildcard port intercepts all other UDP traffic from clients and is bound to a UDP service group called sg_ssli_ipv6_udp that contains the same path.
  o The Others wildcard port intercepts IP traffic that is neither TCP nor UDP and is bound to a UDP service group called sg_ssli_ipv6_others that contains the same path.
  o Destination NAT and port translation are disabled for these three ports.

NOTE: If you replace a certificate and key in a client-SSL or server-SSL template, you must unbind the template from the virtual ports that use it and then rebind the template to the virtual ports.
SSLi_inside(config)# slb virtual-server ssli_ipv6_decryption :: ipv6-acl ipv6-decrypt
SSLi_inside(config-slb vserver)# port 0 tcp
SSLi_inside(config-slb vserver-vport)# service-group sg_ssli_ipv6_tcp


SSLi_inside(config-slb vserver-vport)# no-dest-nat


SSLi_inside(config-slb vserver-vport)# exit

SSLi_inside(config-slb vserver)# port 0 udp


SSLi_inside(config-slb vserver-vport)# service-group sg_ssli_ipv6_udp
SSLi_inside(config-slb vserver-vport)# no-dest-nat
SSLi_inside(config-slb vserver-vport)# exit

SSLi_inside(config-slb vserver)# port 0 others


SSLi_inside(config-slb vserver-vport)# service-group sg_ssli_ipv6_others
SSLi_inside(config-slb vserver-vport)# no-dest-nat
SSLi_inside(config-slb vserver-vport)# exit

SSLi_inside(config-slb vserver)# port 443 https


SSLi_inside(config-slb vserver-vport)# service-group sg_ssli_ipv6_intercept
SSLi_inside(config-slb vserver-vport)# template client-ssl cl_ssl_ipv6
SSLi_inside(config-slb vserver-vport)# no-dest-nat port-translation
SSLi_inside(config-slb vserver-vport)# exit-module

Consolidated Configuration for SSLi_Inside


active-partition ssli_in
!
vlan 850
untagged ethernet 1 to 2
router-interface ve 850
name ssli_in_ingress_egress
user-tag Security,ssli_in_ingress_egress
exit-module
!
ipv6 access-list ipv6-decrypt
permit ipv6 any any vlan 850 ethernet 1
exit-module
!
interface ethernet 1
name ssli_in_ingress
enable
cpu-process
user-tag Security,ssli_in_ingress
exit-module
!
interface ethernet 2
name ssli_in_egress
enable


cpu-process
user-tag Security,ssli_in_egress
exit-module
!
interface ve 850
name ssli_in_ingress_egress
user-tag Security,ssli_in_ingress_egress
ip address 10.177.253.13 255.255.255.240
ip allow-promiscuous-vip
ipv6 address 2001:558:3dc:1::9/127
exit-module
!
!
ipv6 route ::/0 2001:558:3dc:1::8
!
!
slb server fw1_ipv6 2001:558:3dc:1::8
port 0 tcp
health-check-disable
exit-module
port 0 udp
health-check-disable
exit-module
port 8080 tcp
health-check-disable
exit-module
exit-module
!
!
slb service-group sg_ssli_ipv6_intercept tcp
member fw1_ipv6 8080
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_others udp
member fw1_ipv6 0
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_tcp tcp
member fw1_ipv6 0
exit-module
exit-module


!
slb service-group sg_ssli_ipv6_udp udp
member fw1_ipv6 0
exit-module
exit-module
!
!
slb template client-ssl cl_ssl_ipv6
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
non-ssl-bypass service-group sg_ssli_ipv6_tcp
exit-module
!
!
slb virtual-server ssli_ipv6_decryption :: ipv6-acl ipv6-decrypt
user-tag Security,ipv6
port 0 tcp
service-group sg_ssli_ipv6_tcp
no-dest-nat
user-tag Security,ipv6_port_0tcp
exit-module
port 0 udp
service-group sg_ssli_ipv6_udp
no-dest-nat
user-tag Security,ipv6_port_0udp
port 0 others
service-group sg_ssli_ipv6_others
no-dest-nat
user-tag Security,ipv6_port_0others
exit-module
port 443 https
service-group sg_ssli_ipv6_intercept
template client-ssl cl_ssl_ipv6
no-dest-nat port-translation
user-tag Security,ipv6_port_443https
exit-module
exit-module
!
end
!Current configuration: 7779 bytes
!Configuration last updated at 06:29:47 UTC Thu Aug 16 2018
!Configuration last saved at 09:12:05 UTC Wed Sep 5 2018
!


SSLi_outside Partition (Encrypt) Configuration

The following topics are covered:

Step 1. Configuring the Network VLANs 370

Step 2. Configuring the Network IP Addresses 370

Step 3. Configuring the SSLi Services 371

Step 4. Configuring the SSLi Service Groups 371

Step 5. Configuring the Virtual Server 371

Consolidated Configuration 372

Step 1. Configuring the Network VLANs


SSLi_outside(config)# vlan 860
SSLi_outside(config-vlan:860)# untagged ethernet 3 to 4
SSLi_outside(config-vlan:860)# router-interface ve 860
SSLi_outside(config-vlan:860)# exit-module

SSLi_outside(config)# interface ethernet 3


SSLi_outside(config-if:ethernet:3)# enable
SSLi_outside(config-if:ethernet:3)# cpu-process
SSLi_outside(config-if:ethernet:3)# exit-module

SSLi_outside(config)# interface ethernet 4


SSLi_outside(config-if:ethernet:4)# enable
SSLi_outside(config-if:ethernet:4)# cpu-process
SSLi_outside(config-if:ethernet:4)# exit-module

Verify the operational state of the interfaces by running the show interfaces command.
SSLi_outside(config)# show interfaces brief

Step 2. Configuring the Network IP Addresses


SSLi_outside(config)# interface ve 860
SSLi_outside(config-if:ve860)# ip allow-promiscuous-vip
SSLi_outside(config-if:ve860)# ipv6 address 2001:558:3dc:1::5/125
SSLi_outside(config-if:ve860)# exit-module
SSLi_outside(config)# ipv6 route ::/0 2001:558:3dc:1::2
SSLi_outside(config)# exit-module


Step 3. Configuring the SSLi Services


Create a real server called fw2_ipv6 on SSLi_outside. Configure the ports.
SSLi_outside(config)# slb server fw2_ipv6 2001:558:3dc:1::2
SSLi_outside(config-real server)# health-check-disable
SSLi_outside(config-real server)# port 0 tcp
SSLi_outside(config-real server-node port)# health-check-disable
SSLi_outside(config-real server-node port)# exit

SSLi_outside(config-real server)# port 0 udp


SSLi_outside(config-real server-node port)# health-check-disable
SSLi_outside(config-real server-node port)# exit

SSLi_outside(config-real server)# port 443 tcp


SSLi_outside(config-real server-node port)# health-check-disable
SSLi_outside(config-real server-node port)# exit-module

Step 4. Configuring the SSLi Service Groups


1. Create a service group called sg_ssli_ipv6_443 and provide a path for the intercepted HTTPS traffic by binding the service group to port 443 of the real server fw2_ipv6.
SSLi_outside(config)# slb service-group sg_ssli_ipv6_443 tcp
SSLi_outside(config-slb svc group)# member fw2_ipv6 443
SSLi_outside(config-slb svc group)# exit-module

2. Create the other service groups to handle the other kinds of traffic.
SSLi_outside(config)# slb service-group sg_ssli_ipv6_tcp tcp
SSLi_outside(config-slb svc group)# member fw2_ipv6 0
SSLi_outside(config-slb svc group)# exit-module

SSLi_outside(config)# slb service-group sg_ssli_ipv6_others udp


SSLi_outside(config-slb svc group)# member fw2_ipv6 0
SSLi_outside(config-slb svc group)# exit-module

SSLi_outside(config)# slb service-group sg_ssli_ipv6_udp udp


SSLi_outside(config-slb svc group)# member fw2_ipv6 0
SSLi_outside(config-slb svc group)# exit-module

Step 5. Configuring the Virtual Server


1. Create the access list.
SSLi_outside(config)# ipv6 access-list ipv6-permit
SSLi_outside(config-access-list:ipv6-permit)# permit ipv6 any any vlan 860 ethernet 3
SSLi_outside(config-access-list:ipv6-permit)# exit-module

2. Create the virtual server for IPv6 traffic. Associate the virtual server ssli_ipv6_encrypt with the ipv6-permit ACL that permits all traffic on VLAN 860 on ethernet 3. The virtual port 8080 http receives the decrypted traffic from the security device and uses port-translation to restore destination port 443. Note that re-encrypting this traffic toward the origin server (step 4 of the overview) requires the server-SSL forward-proxy template described in Two ACOS Devices, Each With Single Partition Deployment to be bound to that virtual port; this example does not show it.
SSLi_outside(config)# slb virtual-server ssli_ipv6_encrypt :: ipv6-acl ipv6-permit
SSLi_outside(config-slb vserver)# port 0 tcp
SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_tcp
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat
SSLi_outside(config-slb vserver-vport)# exit

SSLi_outside(config-slb vserver)# port 0 udp


SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_udp
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat
SSLi_outside(config-slb vserver-vport)# exit

SSLi_outside(config-slb vserver)# port 0 others


SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_others
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat
SSLi_outside(config-slb vserver-vport)# exit

SSLi_outside(config-slb vserver)# port 443 tcp


SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_443
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat
SSLi_outside(config-slb vserver-vport)# exit

SSLi_outside(config-slb vserver)# port 8080 http


SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_443
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat port-translation
SSLi_outside(config-slb vserver-vport)# exit-module

Consolidated Configuration
active-partition ssli_out
!
!
vlan 860
untagged ethernet 3 to 4


router-interface ve 860
name ssli_out_ingress_egress
user-tag Security,ssli_out_ingress_egress
exit-module
!
ipv6 access-list ipv6-permit
permit ipv6 any any vlan 860 ethernet 3
exit-module
!
interface ethernet 3
name ssli_out_ingress
enable
cpu-process
user-tag Security,ssli_out_ingress
exit-module
!
interface ethernet 4
name ssli_out_egress
enable
cpu-process
user-tag Security,ssli_out_egress
exit-module
!
interface ve 860
name ssli_out_ingress_egress
user-tag Security,ssli_out_ingress_egress
ip allow-promiscuous-vip
ipv6 address 2001:558:3dc:1::5/125
exit-module
!
!
ipv6 route ::/0 2001:558:3dc:1::2
!
!
slb server fw2_ipv6 2001:558:3dc:1::2
health-check-disable
port 0 tcp
health-check-disable
exit-module
port 0 udp
health-check-disable
exit-module
port 443 tcp


health-check-disable
exit-module
exit-module
!
!
slb service-group sg_ssli_ipv6_encrypt tcp
member fw2_ipv6 443
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_others udp
member fw2_ipv6 0
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_tcp tcp
member fw2_ipv6 0
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_udp udp
member fw2_ipv6 0
exit-module
exit-module
!
!
slb virtual-server ssli_ipv6_encrypt :: ipv6-acl ipv6-permit
user-tag Security,ssli_out
port 0 tcp
service-group sg_ssli_ipv6_tcp
use-rcv-hop-for-resp
no-dest-nat
user-tag Security,ssli_out_port_0tcp
exit-module
port 0 udp
service-group sg_ssli_ipv6_udp
use-rcv-hop-for-resp
no-dest-nat
user-tag Security,ssli_out_port_0udp
exit-module
port 0 others
service-group sg_ssli_ipv6_others
use-rcv-hop-for-resp


no-dest-nat
user-tag Security,ssli_out_port_0others
exit-module
port 443 tcp
service-group sg_ssli_ipv6_encrypt
use-rcv-hop-for-resp
no-dest-nat
user-tag Security,ssli_out_port_443tcp
exit-module
port 8080 http
service-group sg_ssli_ipv6_encrypt
use-rcv-hop-for-resp
no-dest-nat port-translation
user-tag Security,ssli_out_decrypted_port_44380http
exit-module
!
end
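Both partitions sit on short point-to-point prefixes (/127 inside, /125 outside), each with a default route whose next hop is also the partition's only real server, and each wildcard VIP only sees the traffic that its bound ACL matches. A renumbering slip in any of these breaks inspection silently. The following Python is an added example, not part of the A10 guide or of ACOS: it parses constructed excerpts of the two consolidated configurations above (only the lines those invariants depend on), checks that each default gateway is on-link, that the path server is that same next hop, that the ACL bound to each VIP names a VLAN and port that exist, and that the two partitions' ve prefixes do not overlap. It knows nothing about the ACOS CLI beyond those line formats.

```python
import ipaddress
import re

# Constructed excerpts of the SSLi_inside and SSLi_outside partition configurations
# from this chapter, reduced to the objects the checks need.
INSIDE_CONFIG = """
vlan 850
untagged ethernet 1 to 2
router-interface ve 850
ipv6 access-list ipv6-decrypt
permit ipv6 any any vlan 850 ethernet 1
interface ve 850
ipv6 address 2001:558:3dc:1::9/127
ipv6 route ::/0 2001:558:3dc:1::8
slb server fw1_ipv6 2001:558:3dc:1::8
slb virtual-server ssli_ipv6_decryption :: ipv6-acl ipv6-decrypt
"""
OUTSIDE_CONFIG = """
vlan 860
untagged ethernet 3 to 4
router-interface ve 860
ipv6 access-list ipv6-permit
permit ipv6 any any vlan 860 ethernet 3
interface ve 860
ipv6 address 2001:558:3dc:1::5/125
ipv6 route ::/0 2001:558:3dc:1::2
slb server fw2_ipv6 2001:558:3dc:1::2
slb virtual-server ssli_ipv6_encrypt :: ipv6-acl ipv6-permit
"""


def parse_partition(text):
    """Line-oriented parse of one partition; `ctx` tracks the enclosing object."""
    cfg = {"vlans": {}, "acls": {}, "ve": {}, "gw": None, "servers": {}, "vip_acl": {}}
    ctx = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := re.match(r"vlan (\d+)$", line):
            ctx = int(m[1])
            cfg["vlans"][ctx] = {"ports": set(), "ve": None}
        elif m := re.match(r"untagged ethernet (\d+)(?: to (\d+))?$", line):
            cfg["vlans"][ctx]["ports"].update(range(int(m[1]), int(m[2] or m[1]) + 1))
        elif m := re.match(r"router-interface ve (\d+)$", line):
            cfg["vlans"][ctx]["ve"] = int(m[1])
        elif m := re.match(r"ipv6 access-list (\S+)$", line):
            ctx = m[1]
        elif m := re.match(r"permit ipv6 any any vlan (\d+) ethernet (\d+)$", line):
            cfg["acls"][ctx] = (int(m[1]), int(m[2]))
        elif m := re.match(r"interface ve (\d+)$", line):
            ctx = int(m[1])
        elif m := re.match(r"ipv6 address (\S+)$", line):
            cfg["ve"][ctx] = ipaddress.IPv6Interface(m[1])
        elif m := re.match(r"ipv6 route ::/0 (\S+)$", line):
            cfg["gw"] = ipaddress.IPv6Address(m[1])
        elif m := re.match(r"slb server (\S+) (\S+)$", line):
            cfg["servers"][m[1]] = ipaddress.IPv6Address(m[2])
        elif m := re.match(r"slb virtual-server (\S+) :: ipv6-acl (\S+)$", line):
            cfg["vip_acl"][m[1]] = m[2]
    return cfg


def check_partition(cfg):
    """Return findings for one partition; an empty list means it passed."""
    findings, gw = [], cfg["gw"]
    if gw is None or not cfg["ve"]:
        return ["no default route or no addressed ve"]
    # /125 and /127 point-to-point prefixes make an off-link next hop an easy slip
    if not any(gw in ve.network for ve in cfg["ve"].values()):
        findings.append(f"default gateway {gw} is not on-link on any ve prefix")
    # the path server must be that next hop, or traffic leaves through an uninspected hop
    for name, addr in cfg["servers"].items():
        if addr != gw:
            findings.append(f"slb server {name} {addr} differs from default gateway {gw}")
    # the ACL bound to the wildcard VIP must name a real VLAN/port pair with an addressed ve
    for vip, acl in cfg["vip_acl"].items():
        if acl not in cfg["acls"]:
            findings.append(f"virtual-server {vip} binds undefined ACL {acl}")
            continue
        vlan_id, port = cfg["acls"][acl]
        vlan = cfg["vlans"].get(vlan_id)
        if vlan is None or port not in vlan["ports"]:
            findings.append(f"ACL {acl}: ethernet {port} is not a member of vlan {vlan_id}")
        elif vlan["ve"] not in cfg["ve"]:
            findings.append(f"ACL {acl}: vlan {vlan_id} has no addressed ve")
    return findings


def check_deployment(inside_text, outside_text):
    """Check both partitions and that their ve prefixes do not overlap."""
    inside, outside = parse_partition(inside_text), parse_partition(outside_text)
    findings = [f"inside: {f}" for f in check_partition(inside)]
    findings += [f"outside: {f}" for f in check_partition(outside)]
    for a in inside["ve"].values():
        for b in outside["ve"].values():
            if a.network.overlaps(b.network):
                findings.append(f"ve prefixes {a} and {b} overlap across partitions")
    return findings
```

Run `check_deployment` against the text of `show running-config` from each partition before cutting traffic over; the configurations in this chapter pass, and changing the inside default route to an address outside 2001:558:3dc:1::8/127 produces both the off-link and the server-mismatch findings.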

GUI Configuration

The procedures for creating the configuration for both SSLi_inside and SSLi_outside on a single ACOS device with two partitions for IPv6 are very similar to the procedure in Two ACOS Devices, Each With Single Partition Deployment.

Follow those steps and make the appropriate replacements by consulting the consolidated configurations in the sections above.

Chapter 18: SSLi in VRRP-A Deployment
This section helps you understand SSL Insight in a VRRP-A deployment.

The following topics are covered:

Deployment Example 377


Deployment Example
The following sections describe the configuration steps needed to create an example SSL Insight VRRP-A deployment. FIGURE 18-1 is the topology of this example.

FIGURE 18-1: SSL Insight Topology Example


Inside Primary ACOS device Configuration

Hostname Configuration
ACOS(config)# hostname ACOS-Inside-Primary

Layer 2/3 Configuration


Enter the following commands to configure the VLANs:
ACOS-Inside-Primary(config)# vlan 10
ACOS-Inside-Primary(config-vlan:10)# untagged ethernet 20
ACOS-Inside-Primary(config-vlan:10)# router-interface ve 10
ACOS-Inside-Primary(config-vlan:10)# exit
ACOS-Inside-Primary(config)# vlan 15
ACOS-Inside-Primary(config-vlan:15)# untagged ethernet 1
ACOS-Inside-Primary(config-vlan:15)# router-interface ve 15
ACOS-Inside-Primary(config-vlan:15)# exit
ACOS-Inside-Primary(config)# vlan 16
ACOS-Inside-Primary(config-vlan:16)# untagged ethernet 2
ACOS-Inside-Primary(config-vlan:16)# router-interface ve 16
ACOS-Inside-Primary(config-vlan:16)# exit
ACOS-Inside-Primary(config)# vlan 99
ACOS-Inside-Primary(config-vlan:99)# untagged ethernet 18
ACOS-Inside-Primary(config-vlan:99)# router-interface ve 99
ACOS-Inside-Primary(config-vlan:99)# exit

The following commands assign IP addresses to the VEs (router interfaces) that are con-
figured on the VLANs. Since VE 10 is connected to the clients, promiscuous VIP mode is
enabled on this VE. The other VEs do not use promiscuous VIP mode in this deployment.
ACOS-Inside-Primary(config)# interface ve 10
ACOS-Inside-Primary(config-if:ve10)# ip address 10.1.1.2/24
ACOS-Inside-Primary(config-if:ve10)# ip allow-promiscuous-vip
ACOS-Inside-Primary(config-if:ve10)# exit
ACOS-Inside-Primary(config)# interface ve 15
ACOS-Inside-Primary(config-if:ve15)# ip address 10.1.240.2/24
ACOS-Inside-Primary(config-if:ve15)# exit
ACOS-Inside-Primary(config)# interface ve 16
ACOS-Inside-Primary(config-if:ve16)# ip address 10.1.250.2/24
ACOS-Inside-Primary(config-if:ve16)# exit
ACOS-Inside-Primary(config)# interface ve 99


ACOS-Inside-Primary(config-if:ve99)# ip address 55.1.1.1/24


ACOS-Inside-Primary(config-if:ve99)# exit

The following commands configure static routes to the network on the side of the outside
ACOS devices that connects to the Internet. The next-hop IP address of each route is the
floating IP address of a VRID on the outside ACOS devices. Specifically, these are the floating
IP addresses that belong to the VRIDs for the VLANs that contain the security devices.
ACOS-Inside-Primary(config)# ip route 20.1.1.0 /24 10.1.240.11
ACOS-Inside-Primary(config)# ip route 20.1.1.0 /24 10.1.250.11

SSL Configuration
The following commands import the CA certificate and private key that the SSLi forward proxy uses to sign the certificates it generates for the intercepted servers (the clients must trust this CA):
ACOS-Inside-Primary(config)# import cert ca.cert.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
ACOS-Inside-Primary(config)# import key private-key ca.key.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem

The following commands configure the client-SSL template:


ACOS-Inside-Primary(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside-Primary(config-client SSL template)# forward-proxy-enable
ACOS-Inside-Primary(config-client SSL template)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS-Inside-Primary(config-client SSL template)# exit

Path Configuration
The following commands configure the paths through the security devices:
ACOS-Inside-Primary(config)# slb server PSG1_Path 10.1.240.11
ACOS-Inside-Primary(config-real server)# port 0 tcp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# port 0 udp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# port 8080 tcp


ACOS-Inside-Primary(config-real server-node port)# health-check-disable


ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# exit
ACOS-Inside-Primary(config)# slb server PSG2_Path 10.1.250.11
ACOS-Inside-Primary(config-real server)# port 0 tcp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# port 0 udp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# port 8080 tcp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# exit

ACOS-Inside-Primary(config)# slb service-group LB_Paths_UDP udp


ACOS-Inside-Primary(config-slb svc group)# member PSG1_Path 0
ACOS-Inside-Primary(config-slb svc group)# member PSG2_Path 0
ACOS-Inside-Primary(config-slb svc group)# exit
ACOS-Inside-Primary(config)# slb service-group LB_Paths_TCP tcp
ACOS-Inside-Primary(config-slb svc group)# member PSG1_Path 0
ACOS-Inside-Primary(config-slb svc group)# member PSG2_Path 0
ACOS-Inside-Primary(config-slb svc group)# exit
ACOS-Inside-Primary(config)# slb service-group SSL tcp
ACOS-Inside-Primary(config-slb svc group)# member PSG1_Path 8080
ACOS-Inside-Primary(config-slb svc group)# member PSG2_Path 8080
ACOS-Inside-Primary(config-slb svc group)# exit

The following commands configure the wildcard VIP to intercept all outbound traffic that originates from the inside network:
ACOS-Inside-Primary(config)# access-list 100 permit ip any any vlan 10
ACOS-Inside-Primary(config)# slb virtual-server outbound_wildcard 0.0.0.0 acl 100
ACOS-Inside-Primary(config-slb vserver)# port 0 tcp
ACOS-Inside-Primary(config-slb vserver-vport)# name Inside1_in_to_out
ACOS-Inside-Primary(config-slb vserver-vport)# service-group LB_Paths_TCP
ACOS-Inside-Primary(config-slb vserver-vport)# no-dest-nat
ACOS-Inside-Primary(config-slb vserver-vport)# exit
ACOS-Inside-Primary(config-slb vserver)# port 0 udp
ACOS-Inside-Primary(config-slb vserver-vport)# name Inside1_in_to_out_UDP
ACOS-Inside-Primary(config-slb vserver-vport)# service-group LB_Paths_UDP
ACOS-Inside-Primary(config-slb vserver-vport)# no-dest-nat
ACOS-Inside-Primary(config-slb vserver-vport)# exit
ACOS-Inside-Primary(config-slb vserver)# port 443 https
ACOS-Inside-Primary(config-slb vserver-vport)# name Inside1_in_to_out_443
ACOS-Inside-Primary(config-slb vserver-vport)# service-group SSL
ACOS-Inside-Primary(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside-Primary(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Inside-Primary(config-slb vserver-vport)# exit
ACOS-Inside-Primary(config-slb vserver)# exit

VRRP-A Configuration
The following commands specify the VRRP-A device ID for this ACOS device, add the ACOS
device to VRRP-A set 1, and enable VRRP-A on the device:
ACOS-Inside-Primary(config)# vrrp-a common
ACOS-Inside-Primary(config-common)# device-id 1
ACOS-Inside-Primary(config-common)# set-id 1
ACOS-Inside-Primary(config-common)# enable
ACOS-Inside-Primary(config-common)# exit

The following commands configure the VRID for the inside ACOS devices’ interface with the
client network:
ACOS-Inside-Primary(config)# vrrp-a vrid 0
ACOS-Inside-Primary(config-vrid:0)# floating-ip 10.1.1.1
ACOS-Inside-Primary(config-vrid:0)# blade-parameters
ACOS-Inside-Primary(config-vrid:0-blade-parameters)# priority 200
ACOS-Inside-Primary(config-vrid:0-blade-parameters)# tracking-options
ACOS-Inside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Primary(config-vrid:0-blade-parameters-track...)# exit
ACOS-Inside-Primary(config-vrid:0-blade-parameters)# exit
ACOS-Inside-Primary(config-vrid:0)# exit

The following commands configure the VRID for the VLAN that contains the first security
device (PSG1):
ACOS-Inside-Primary(config)# vrrp-a vrid 15
ACOS-Inside-Primary(config-vrid:15)# floating-ip 10.1.240.1
ACOS-Inside-Primary(config-vrid:15)# blade-parameters
ACOS-Inside-Primary(config-vrid:15-blade-parameters)# priority 200
ACOS-Inside-Primary(config-vrid:15-blade-parameters)# tracking-options
ACOS-Inside-Primary(config-vrid:15-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Primary(config-vrid:15-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Primary(config-vrid:15-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Primary(config-vrid:15-blade-parameters-track...)# exit
ACOS-Inside-Primary(config-vrid:15-blade-parameters)# exit
ACOS-Inside-Primary(config-vrid:15)# exit

The following commands configure the VRID for the VLAN that contains the second security
device (PSG2):
ACOS-Inside-Primary(config)# vrrp-a vrid 16
ACOS-Inside-Primary(config-vrid:16)# floating-ip 10.1.250.1
ACOS-Inside-Primary(config-vrid:16)# blade-parameters
ACOS-Inside-Primary(config-vrid:16-blade-parameters)# priority 200
ACOS-Inside-Primary(config-vrid:16-blade-parameters)# tracking-options
ACOS-Inside-Primary(config-vrid:16-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Primary(config-vrid:16-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Primary(config-vrid:16-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Primary(config-vrid:16-blade-parameters-track...)# exit
ACOS-Inside-Primary(config-vrid:16-blade-parameters)# exit
ACOS-Inside-Primary(config-vrid:16)# exit
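The three VRIDs above all use the same pattern: a base priority (200 on the primary, 180 on the secondary) and a priority-cost of 60 on each tracked interface. The following Python model, added here as an illustration and not ACOS code, shows why those numbers produce the intended failover: any single tracked link failure on the primary drops it below the secondary, while the same failure on both devices leaves the primary active. The model assumes that a VRID's effective priority is its configured priority minus the cost of every tracked interface that is down, that only devices in the same VRRP-A set compete, and (as a tie-break of this model only) that the lower device-id wins a tie.

```python
"""Model of the VRRP-A election that the VRID configuration above relies on.

Added example, not ACOS code. Assumptions: effective priority = configured
priority minus the priority-cost of each tracked interface that is down; the
device with the highest effective priority in a VRRP-A set owns the VRID's
floating IP; lower device-id breaks ties (model assumption only).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Vrid:
    floating_ip: str
    priority: int
    tracked: Dict[str, int]  # tracked interface -> priority-cost


@dataclass
class Device:
    name: str
    device_id: int
    set_id: int
    vrids: Dict[int, Vrid]
    down: Set[str] = field(default_factory=set)  # interfaces currently down


# Tracking list used by every VRID in this chapter: the two security-device
# links and the client-network link each cost 60 when they fail.
TRACKING = {"ethernet 1": 60, "ethernet 2": 60, "ethernet 20": 60}


def build_inside_pair() -> List[Device]:
    """Inside primary (priority 200) and secondary (priority 180), VRRP-A set 1."""
    def vrids(priority: int) -> Dict[int, Vrid]:
        return {
            0: Vrid("10.1.1.1", priority, dict(TRACKING)),
            15: Vrid("10.1.240.1", priority, dict(TRACKING)),
            16: Vrid("10.1.250.1", priority, dict(TRACKING)),
        }
    return [
        Device("ACOS-Inside-Primary", 1, 1, vrids(200)),
        Device("ACOS-Inside-Secondary", 2, 1, vrids(180)),
    ]


def effective_priority(dev: Device, vrid: int) -> int:
    """Configured priority minus the cost of each tracked interface that is down."""
    v = dev.vrids[vrid]
    cost = sum(c for ifname, c in v.tracked.items() if ifname in dev.down)
    return max(v.priority - cost, 0)


def active_device(devices: List[Device], vrid: int) -> Device:
    """Device that owns the VRID's floating IP among members of one VRRP-A set."""
    if len({d.set_id for d in devices}) != 1:
        raise ValueError("only devices in the same VRRP-A set elect an active device")
    return max(devices, key=lambda d: (effective_priority(d, vrid), -d.device_id))


def failover_table(devices: List[Device], vrid: int) -> Dict[str, str]:
    """Which device is active for the VRID under a few link-failure scenarios."""
    primary, secondary = devices
    scenarios = {
        "all links up": (set(), set()),
        "primary loses ethernet 1": ({"ethernet 1"}, set()),
        "both lose ethernet 1": ({"ethernet 1"}, {"ethernet 1"}),
        "primary loses all three": (set(TRACKING), set()),
    }
    result = {}
    for label, (p_down, s_down) in scenarios.items():
        primary.down, secondary.down = set(p_down), set(s_down)
        result[label] = active_device(devices, vrid).name
    primary.down, secondary.down = set(), set()
    return result


if __name__ == "__main__":
    pair = build_inside_pair()
    for scenario, owner in failover_table(pair, 0).items():
        print(f"{scenario:28s} -> {owner} holds 10.1.1.1")
```

The arithmetic is the point: with a 20-point gap between the devices and a 60-point cost per link, one failed link on the primary (200 - 60 = 140) is enough to hand the floating IP to the secondary (180), but when the same link is down on both devices (140 versus 120) the primary keeps it, so a shared upstream fault does not cause a pointless switchover.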

The following commands configure the VRRP-A interface that connects this ACOS device to
its VRRP-A peer:
ACOS-Inside-Primary(config)# vrrp-a interface ethernet 18
ACOS-Inside-Primary(config-ethernet:18)# vlan 99

Inside Secondary ACOS device Configuration

The configuration on the inside secondary ACOS device is the same as the configuration on
the inside primary ACOS device, except for the following device-specific parameters:

• Hostname – The hostname is configured with a unique value to make it simpler to
identify the device.
• Interface IP addresses – The VLAN IDs are the same on both ACOS devices, but the
router interface on each VLAN has a unique IP address. The IP address is unique on
each ACOS device.

Hostname Configuration
ACOS(config)# hostname ACOS-Inside-Secondary

Layer 2/3 Configuration


ACOS-Inside-Secondary(config)# vlan 10
ACOS-Inside-Secondary(config-vlan:10)# untagged ethernet 20
ACOS-Inside-Secondary(config-vlan:10)# router-interface ve 10
ACOS-Inside-Secondary(config-vlan:10)# exit
ACOS-Inside-Secondary(config)# vlan 15
ACOS-Inside-Secondary(config-vlan:15)# untagged ethernet 1
ACOS-Inside-Secondary(config-vlan:15)# router-interface ve 15
ACOS-Inside-Secondary(config-vlan:15)# exit
ACOS-Inside-Secondary(config)# vlan 16
ACOS-Inside-Secondary(config-vlan:16)# untagged ethernet 2
ACOS-Inside-Secondary(config-vlan:16)# router-interface ve 16
ACOS-Inside-Secondary(config-vlan:16)# exit
ACOS-Inside-Secondary(config)# vlan 99
ACOS-Inside-Secondary(config-vlan:99)# untagged ethernet 18
ACOS-Inside-Secondary(config-vlan:99)# router-interface ve 99
ACOS-Inside-Secondary(config-vlan:99)# exit

ACOS-Inside-Secondary(config)# interface ve 10
ACOS-Inside-Secondary(config-if:ve10)# ip address 10.1.1.3 255.255.255.0
ACOS-Inside-Secondary(config-if:ve10)# ip allow-promiscuous-vip
ACOS-Inside-Secondary(config-if:ve10)# exit
ACOS-Inside-Secondary(config)# interface ve 15
ACOS-Inside-Secondary(config-if:ve15)# ip address 10.1.240.3 255.255.255.0
ACOS-Inside-Secondary(config-if:ve15)# exit
ACOS-Inside-Secondary(config)# interface ve 16
ACOS-Inside-Secondary(config-if:ve16)# ip address 10.1.250.3 255.255.255.0
ACOS-Inside-Secondary(config-if:ve16)# exit
ACOS-Inside-Secondary(config)# interface ve 99
ACOS-Inside-Secondary(config-if:ve99)# ip address 55.1.1.2 255.255.255.0
ACOS-Inside-Secondary(config-if:ve99)# exit
ACOS-Inside-Secondary(config)# ip route 20.1.1.0 /24 10.1.240.11
ACOS-Inside-Secondary(config)# ip route 20.1.1.0 /24 10.1.250.11

SSL Configuration
ACOS-Inside-Secondary(config)# import cert ca.cert.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
ACOS-Inside-Secondary(config)# import key private-key ca.key.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem
ACOS-Inside-Secondary(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside-Secondary(config-client SSL template)# forward-proxy-enable
ACOS-Inside-Secondary(config-client SSL template)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS-Inside-Secondary(config-client SSL template)# exit

Path Configuration
ACOS-Inside-Secondary(config)# slb server PSG1_Path 10.1.240.11
ACOS-Inside-Secondary(config-real server)# port 0 tcp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# port 0 udp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# port 8080 tcp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# exit
ACOS-Inside-Secondary(config)# slb server PSG2_Path 10.1.250.11
ACOS-Inside-Secondary(config-real server)# port 0 tcp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# port 0 udp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# port 8080 tcp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# exit

ACOS-Inside-Secondary(config)# slb service-group LB_Paths_UDP udp
ACOS-Inside-Secondary(config-slb svc group)# member PSG1_Path 0
ACOS-Inside-Secondary(config-slb svc group)# member PSG2_Path 0
ACOS-Inside-Secondary(config-slb svc group)# exit
ACOS-Inside-Secondary(config)# slb service-group LB_Paths_TCP tcp
ACOS-Inside-Secondary(config-slb svc group)# member PSG1_Path 0
ACOS-Inside-Secondary(config-slb svc group)# member PSG2_Path 0
ACOS-Inside-Secondary(config-slb svc group)# exit
ACOS-Inside-Secondary(config)# slb service-group SSL tcp
ACOS-Inside-Secondary(config-slb svc group)# member PSG1_Path 8080
ACOS-Inside-Secondary(config-slb svc group)# member PSG2_Path 8080
ACOS-Inside-Secondary(config-slb svc group)# exit

ACOS-Inside-Secondary(config)# access-list 100 permit ip any any vlan 10
ACOS-Inside-Secondary(config)# slb virtual-server outbound_wildcard 0.0.0.0 acl 100
ACOS-Inside-Secondary(config-slb vserver)# port 0 tcp
ACOS-Inside-Secondary(config-slb vserver-vport)# name Inside1_in_to_out
ACOS-Inside-Secondary(config-slb vserver-vport)# service-group LB_Paths_TCP
ACOS-Inside-Secondary(config-slb vserver-vport)# no-dest-nat
ACOS-Inside-Secondary(config-slb vserver-vport)# exit
ACOS-Inside-Secondary(config-slb vserver)# port 0 udp
ACOS-Inside-Secondary(config-slb vserver-vport)# name Inside1_in_to_out_UDP
ACOS-Inside-Secondary(config-slb vserver-vport)# service-group LB_Paths_UDP
ACOS-Inside-Secondary(config-slb vserver-vport)# no-dest-nat
ACOS-Inside-Secondary(config-slb vserver-vport)# exit
ACOS-Inside-Secondary(config-slb vserver)# port 443 https
ACOS-Inside-Secondary(config-slb vserver-vport)# name Inside1_in_to_out_443
ACOS-Inside-Secondary(config-slb vserver-vport)# service-group SSL
ACOS-Inside-Secondary(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside-Secondary(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Inside-Secondary(config-slb vserver-vport)# exit

VRRP-A Configuration
ACOS-Inside-Secondary(config)# vrrp-a common
ACOS-Inside-Secondary(config-common)# device-id 2
ACOS-Inside-Secondary(config-common)# set-id 1
ACOS-Inside-Secondary(config-common)# enable
ACOS-Inside-Secondary(config-common)# exit
ACOS-Inside-Secondary(config)# vrrp-a vrid 0
ACOS-Inside-Secondary(config-vrid:0)# floating-ip 10.1.1.1
ACOS-Inside-Secondary(config-vrid:0)# blade-parameters
ACOS-Inside-Secondary(config-vrid:0-blade-parameters)# priority 180
ACOS-Inside-Secondary(config-vrid:0-blade-parameters)# tracking-options
ACOS-Inside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Secondary(config-vrid:0-blade-parameters-track...)# exit
ACOS-Inside-Secondary(config-vrid:0-blade-parameters)# exit
ACOS-Inside-Secondary(config-vrid:0)# exit
ACOS-Inside-Secondary(config)# vrrp-a vrid 15
ACOS-Inside-Secondary(config-vrid:15)# floating-ip 10.1.240.1
ACOS-Inside-Secondary(config-vrid:15)# blade-parameters
ACOS-Inside-Secondary(config-vrid:15-blade-parameters)# priority 180
ACOS-Inside-Secondary(config-vrid:15-blade-parameters)# tracking-options
ACOS-Inside-Secondary(config-vrid:15-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Secondary(config-vrid:15-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Secondary(config-vrid:15-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Secondary(config-vrid:15-blade-parameters-track...)# exit
ACOS-Inside-Secondary(config-vrid:15-blade-parameters)# exit
ACOS-Inside-Secondary(config-vrid:15)# exit
ACOS-Inside-Secondary(config)# vrrp-a vrid 16
ACOS-Inside-Secondary(config-vrid:16)# floating-ip 10.1.250.1
ACOS-Inside-Secondary(config-vrid:16)# blade-parameters
ACOS-Inside-Secondary(config-vrid:16-blade-parameters)# priority 180
ACOS-Inside-Secondary(config-vrid:16-blade-parameters)# tracking-options
ACOS-Inside-Secondary(config-vrid:16-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Secondary(config-vrid:16-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Secondary(config-vrid:16-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Secondary(config-vrid:16-blade-parameters-track...)# exit
ACOS-Inside-Secondary(config-vrid:16-blade-parameters)# exit
ACOS-Inside-Secondary(config-vrid:16)# exit
ACOS-Inside-Secondary(config)# vrrp-a interface ethernet 18
ACOS-Inside-Secondary(config-ethernet:18)# vlan 99

Outside Primary ACOS device Configuration

The following commands access the configuration level of the CLI and change the hostname:
ACOS>enable
Password:********
ACOS# config
ACOS(config)# hostname ACOS-Outside-Primary

Layer 2/3 Configuration

The following commands configure the VLANs:
ACOS-Outside-Primary(config)# vlan 15
ACOS-Outside-Primary(config-vlan:15)# untagged ethernet 1
ACOS-Outside-Primary(config-vlan:15)# router-interface ve 15
ACOS-Outside-Primary(config-vlan:15)# exit
ACOS-Outside-Primary(config)# vlan 16
ACOS-Outside-Primary(config-vlan:16)# untagged ethernet 2
ACOS-Outside-Primary(config-vlan:16)# router-interface ve 16
ACOS-Outside-Primary(config-vlan:16)# exit
ACOS-Outside-Primary(config)# vlan 20
ACOS-Outside-Primary(config-vlan:20)# untagged ethernet 20
ACOS-Outside-Primary(config-vlan:20)# router-interface ve 20
ACOS-Outside-Primary(config-vlan:20)# exit
ACOS-Outside-Primary(config)# vlan 99
ACOS-Outside-Primary(config-vlan:99)# untagged ethernet 18
ACOS-Outside-Primary(config-vlan:99)# router-interface ve 99
ACOS-Outside-Primary(config-vlan:99)# exit

The following commands assign IP addresses to the VEs (router interfaces) that are configured on the VLANs.
ACOS-Outside-Primary(config)# interface ve 15
ACOS-Outside-Primary(config-if:ve15)# ip address 10.1.240.12 255.255.255.0
ACOS-Outside-Primary(config-if:ve15)# ip allow-promiscuous-vip
ACOS-Outside-Primary(config-if:ve15)# exit
ACOS-Outside-Primary(config)# interface ve 16
ACOS-Outside-Primary(config-if:ve16)# ip address 10.1.250.12 255.255.255.0
ACOS-Outside-Primary(config-if:ve16)# ip allow-promiscuous-vip
ACOS-Outside-Primary(config-if:ve16)# exit
ACOS-Outside-Primary(config)# interface ve 20
ACOS-Outside-Primary(config-if:ve20)# ip address 20.1.1.2 255.255.255.0
ACOS-Outside-Primary(config-if:ve20)# exit
ACOS-Outside-Primary(config)# interface ve 99
ACOS-Outside-Primary(config-if:ve99)# ip address 99.1.1.1 255.255.255.0
ACOS-Outside-Primary(config-if:ve99)# exit

Promiscuous VIP mode is enabled on the VEs that are in the VLANs that contain the security
devices. The other VEs do not use promiscuous VIP mode in this deployment.

The following commands configure static routes to the network on the client side of the
inside ACOS devices. The next-hop IP address of each route is the floating IP address of a
VRID on the inside ACOS devices. Specifically, these are the floating IP addresses that belong
to the VRIDs for the VLANs that contain the security devices.
ACOS-Outside-Primary(config)# ip route 10.1.1.0 /24 10.1.240.1
ACOS-Outside-Primary(config)# ip route 10.1.1.0 /24 10.1.250.1

SSL Configuration
The following commands configure the server-SSL template:
ACOS-Outside-Primary(config)# slb template server-ssl SSLInsight_ServerSide
ACOS-Outside-Primary(config-server SSL template)# forward-proxy-enable
ACOS-Outside-Primary(config-server SSL template)# exit

Path Configuration
The following commands configure the paths through the security devices to the router on
the client network:
ACOS-Outside-Primary(config)# slb server server-gateway 20.1.1.253
ACOS-Outside-Primary(config-real server)# port 0 tcp
ACOS-Outside-Primary(config-real server-node port)# health-check-disable
ACOS-Outside-Primary(config-real server-node port)# exit
ACOS-Outside-Primary(config-real server)# port 0 udp
ACOS-Outside-Primary(config-real server-node port)# health-check-disable
ACOS-Outside-Primary(config-real server-node port)# exit
ACOS-Outside-Primary(config-real server)# port 443 tcp
ACOS-Outside-Primary(config-real server-node port)# health-check-disable
ACOS-Outside-Primary(config-real server-node port)# exit
ACOS-Outside-Primary(config-real server)# exit

ACOS-Outside-Primary(config)# slb service-group SG_TCP tcp
ACOS-Outside-Primary(config-slb svc group)# member server-gateway 0
ACOS-Outside-Primary(config-slb svc group)# exit
ACOS-Outside-Primary(config)# slb service-group SG_UDP udp
ACOS-Outside-Primary(config-slb svc group)# member server-gateway 0
ACOS-Outside-Primary(config-slb svc group)# exit
ACOS-Outside-Primary(config)# slb service-group SG_443 tcp
ACOS-Outside-Primary(config-slb svc group)# member server-gateway 443
ACOS-Outside-Primary(config-slb svc group)# exit

The following commands configure the wildcard VIP to intercept all outbound traffic that originates from the inside network:
ACOS-Outside-Primary(config)# access-list 100 permit ip any any vlan 15
ACOS-Outside-Primary(config)# access-list 100 permit ip any any vlan 16
ACOS-Outside-Primary(config)# slb virtual-server outside_in_to_out 0.0.0.0 acl 100
ACOS-Outside-Primary(config-slb vserver)# port 0 tcp
ACOS-Outside-Primary(config-slb vserver-vport)# service-group SG_TCP
ACOS-Outside-Primary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)# no-dest-nat
ACOS-Outside-Primary(config-slb vserver-vport)# exit
ACOS-Outside-Primary(config-slb vserver)# port 0 udp
ACOS-Outside-Primary(config-slb vserver-vport)# service-group SG_UDP
ACOS-Outside-Primary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)# no-dest-nat
ACOS-Outside-Primary(config-slb vserver-vport)# exit
ACOS-Outside-Primary(config-slb vserver)# port 8080 http
ACOS-Outside-Primary(config-slb vserver-vport)# name ReverseProxy_Wildcard
ACOS-Outside-Primary(config-slb vserver-vport)# service-group SG_443
ACOS-Outside-Primary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)# template server-ssl SSLInsight_ServerSide
ACOS-Outside-Primary(config-slb vserver-vport)# exit
ACOS-Outside-Primary(config-slb vserver)# exit
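The inside wildcard VIP (outbound_wildcard, ACL on VLAN 10) and the outside wildcard VIP just configured (outside_in_to_out, ACL on VLANs 15 and 16) are the two halves of the decrypt-inspect-re-encrypt path. The following Python model, added here as an illustration and not ACOS code, follows one client flow through both VIPs. It encodes the selection rules the configuration relies on: a packet is a candidate only when its ingress VLAN matches the VIP's ACL, an exact protocol/port vport is preferred to the port-0 wildcard vport, no-dest-nat leaves the destination IP untouched, and a vport whose service-group member has a fixed port (8080 on the inside SSL group, 443 on the outside SG_443 group) rewrites only the destination port. The server addresses are constructed documentation-range values, and treating VLAN 15 (PSG1) as the ingress VLAN of the outside leg is an assumption of the model.

```python
"""Model of how the inside and outside wildcard VIPs classify one outbound flow.

Added example, not ACOS code. It reproduces the vport selection the chapter's
configuration relies on; the ingress VLAN of the outside leg (15 for PSG1) and
the server addresses are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ingress_vlan: int
    proto: str       # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Vport:
    proto: str
    port: int               # 0 = wildcard, matches any destination port
    service_group: str
    member_port: int        # 0 = keep the client's destination port
    action: str             # what this vport does to the TLS layer


@dataclass(frozen=True)
class WildcardVip:
    device: str
    acl_vlans: FrozenSet[int]
    vports: Tuple[Vport, ...]


# Inside device: access-list 100 permit ip any any vlan 10, three vports.
INSIDE = WildcardVip("ACOS-Inside-Primary", frozenset({10}), (
    Vport("tcp", 0, "LB_Paths_TCP", 0, "pass"),
    Vport("udp", 0, "LB_Paths_UDP", 0, "pass"),
    Vport("tcp", 443, "SSL", 8080, "decrypt (client-ssl SSLInsight_ClientSide)"),
))

# Outside device: access-list 100 permit ip any any vlan 15 and vlan 16.
OUTSIDE = WildcardVip("ACOS-Outside-Primary", frozenset({15, 16}), (
    Vport("tcp", 0, "SG_TCP", 0, "pass"),
    Vport("udp", 0, "SG_UDP", 0, "pass"),
    Vport("tcp", 8080, "SG_443", 443, "re-encrypt (server-ssl SSLInsight_ServerSide)"),
))


def select_vport(vip: WildcardVip, flow: Flow) -> Optional[Vport]:
    """Exact protocol/port vport first, then the protocol's port-0 wildcard."""
    if flow.ingress_vlan not in vip.acl_vlans:
        return None  # ACL does not match: the VIP never sees this packet
    exact = [v for v in vip.vports if v.proto == flow.proto and v.port == flow.dst_port]
    wild = [v for v in vip.vports if v.proto == flow.proto and v.port == 0]
    return (exact or wild or [None])[0]


def forward(vip: WildcardVip, flow: Flow) -> Tuple[Optional[Flow], str]:
    """no-dest-nat semantics: IP unchanged, port rewritten only by a fixed-port member."""
    vport = select_vport(vip, flow)
    if vport is None:
        return None, "not intercepted"
    new_port = vport.member_port or flow.dst_port
    return replace(flow, dst_port=new_port), f"{vport.service_group}: {vport.action}"


def trace(flow: Flow) -> List[str]:
    """Follow a client flow through the inside device, a PSG, and the outside device."""
    steps = []
    out, note = forward(INSIDE, flow)
    steps.append(f"{INSIDE.device} -> {note}")
    if out is None:
        return steps
    # After the security device forwards it, the packet enters the outside
    # device on the PSG's VLAN (15 for PSG1 in this model).
    out, note = forward(OUTSIDE, replace(out, ingress_vlan=15))
    steps.append(f"{OUTSIDE.device} -> {note}")
    if out is not None:
        steps.append(f"to server {out.dst_ip}:{out.dst_port}")
    return steps


if __name__ == "__main__":
    for f in (Flow(10, "tcp", "198.51.100.10", 443), Flow(10, "tcp", "198.51.100.10", 80),
              Flow(10, "udp", "198.51.100.53", 53), Flow(20, "tcp", "198.51.100.10", 443)):
        print(f"{f.proto}/{f.dst_port} from vlan {f.ingress_vlan}: " + " | ".join(trace(f)))
```

Only the HTTPS flow is decrypted: it leaves the inside device as cleartext on port 8080 (the SSL service-group member port), the security device sees it on that port, and the outside device's port 8080 vport with the server-ssl template restores port 443 and TLS toward the real server. Port 80 and UDP flows hit the port-0 wildcard vports on both devices and traverse the same path untouched, and a flow from a VLAN outside the ACL (VLAN 20 here) is never intercepted at all.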

VRRP-A Configuration
The following commands specify the VRRP-A device ID for this ACOS device, add the ACOS
device to VRRP-A set 2, and enable VRRP-A on the device:
ACOS-Outside-Primary(config)# vrrp-a common
ACOS-Outside-Primary(config-common)# device-id 3
ACOS-Outside-Primary(config-common)# set-id 2
ACOS-Outside-Primary(config-common)# enable
ACOS-Outside-Primary(config-common)# exit

The following commands configure the VRID for the interface with the client network:
ACOS-Outside-Primary(config)# vrrp-a vrid 0
ACOS-Outside-Primary(config-vrid:0)# floating-ip 20.1.1.1
ACOS-Outside-Primary(config-vrid:0)# blade-parameters
ACOS-Outside-Primary(config-vrid:0-blade-parameters)# priority 200
ACOS-Outside-Primary(config-vrid:0-blade-parameters)# tracking-options
ACOS-Outside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Primary(config-vrid:0-blade-parameters-track...)# exit
ACOS-Outside-Primary(config-vrid:0-blade-parameters)# exit
ACOS-Outside-Primary(config-vrid:0)# exit

The following commands configure the VRID for the VLAN that contains the first security
device (PSG1):
ACOS-Outside-Primary(config)# vrrp-a vrid 5
ACOS-Outside-Primary(config-vrid:5)# floating-ip 10.1.240.11
ACOS-Outside-Primary(config-vrid:5)# blade-parameters
ACOS-Outside-Primary(config-vrid:5-blade-parameters)# priority 200
ACOS-Outside-Primary(config-vrid:5-blade-parameters)# tracking-options
ACOS-Outside-Primary(config-vrid:5-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Primary(config-vrid:5-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Primary(config-vrid:5-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Primary(config-vrid:5-blade-parameters-track...)# exit
ACOS-Outside-Primary(config-vrid:5-blade-parameters)# exit
ACOS-Outside-Primary(config-vrid:5)# exit

The following commands configure the VRID for the VLAN that contains the second security
device (PSG2):
ACOS-Outside-Primary(config)# vrrp-a vrid 6
ACOS-Outside-Primary(config-vrid:6)# floating-ip 10.1.250.11
ACOS-Outside-Primary(config-vrid:6)# blade-parameters
ACOS-Outside-Primary(config-vrid:6-blade-parameters)# priority 200
ACOS-Outside-Primary(config-vrid:6-blade-parameters)# tracking-options
ACOS-Outside-Primary(config-vrid:6-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Primary(config-vrid:6-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Primary(config-vrid:6-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Primary(config-vrid:6-blade-parameters-track...)# exit
ACOS-Outside-Primary(config-vrid:6-blade-parameters)# exit
ACOS-Outside-Primary(config-vrid:6)# exit

The following commands configure the VRRP-A interface that connects this ACOS device to
its VRRP-A peer:
ACOS-Outside-Primary(config)# vrrp-a interface ethernet 18
ACOS-Outside-Primary(config-ethernet:18)# vlan 99

Outside Secondary ACOS device Configuration

The configuration on the outside secondary ACOS device is the same as the configuration on
the outside primary ACOS device, with the exception of the following device-specific parameters:

• Hostname
• Interface IP addresses

Hostname Configuration
ACOS(config)# hostname ACOS-Outside-Secondary

Layer 2/3 Configuration

The following commands configure the VLANs:
ACOS-Outside-Secondary(config)# vlan 15
ACOS-Outside-Secondary(config-vlan:15)# untagged ethernet 1
ACOS-Outside-Secondary(config-vlan:15)# router-interface ve 15
ACOS-Outside-Secondary(config-vlan:15)# exit
ACOS-Outside-Secondary(config)# vlan 16
ACOS-Outside-Secondary(config-vlan:16)# untagged ethernet 2
ACOS-Outside-Secondary(config-vlan:16)# router-interface ve 16
ACOS-Outside-Secondary(config-vlan:16)# exit
ACOS-Outside-Secondary(config)# vlan 20
ACOS-Outside-Secondary(config-vlan:20)# untagged ethernet 20
ACOS-Outside-Secondary(config-vlan:20)# router-interface ve 20
ACOS-Outside-Secondary(config-vlan:20)# exit
ACOS-Outside-Secondary(config)# vlan 99
ACOS-Outside-Secondary(config-vlan:99)# untagged ethernet 18
ACOS-Outside-Secondary(config-vlan:99)# router-interface ve 99
ACOS-Outside-Secondary(config-vlan:99)# exit
ACOS-Outside-Secondary(config)# interface ve 15
ACOS-Outside-Secondary(config-if:ve15)# ip address 10.1.240.13 255.255.255.0
ACOS-Outside-Secondary(config-if:ve15)# ip allow-promiscuous-vip
ACOS-Outside-Secondary(config-if:ve15)# exit
ACOS-Outside-Secondary(config)# interface ve 16
ACOS-Outside-Secondary(config-if:ve16)# ip address 10.1.250.13 255.255.255.0
ACOS-Outside-Secondary(config-if:ve16)# ip allow-promiscuous-vip
ACOS-Outside-Secondary(config-if:ve16)# exit
ACOS-Outside-Secondary(config)# interface ve 20
ACOS-Outside-Secondary(config-if:ve20)# ip address 20.1.1.3 255.255.255.0
ACOS-Outside-Secondary(config-if:ve20)# exit
ACOS-Outside-Secondary(config)# interface ve 99
ACOS-Outside-Secondary(config-if:ve99)# ip address 99.1.1.2 255.255.255.0
ACOS-Outside-Secondary(config-if:ve99)# exit
ACOS-Outside-Secondary(config)# ip route 10.1.1.0 /24 10.1.240.1
ACOS-Outside-Secondary(config)# ip route 10.1.1.0 /24 10.1.250.1

SSL Configuration
ACOS-Outside-Secondary(config)# slb template server-ssl SSLInsight_ServerSide
ACOS-Outside-Secondary(config-server SSL template)# forward-proxy-enable
ACOS-Outside-Secondary(config-server SSL template)# exit

Path Configuration
ACOS-Outside-Secondary(config)# slb server server-gateway 20.1.1.253
ACOS-Outside-Secondary(config-real server)# port 0 tcp
ACOS-Outside-Secondary(config-real server-node port)# health-check-disable
ACOS-Outside-Secondary(config-real server-node port)# exit
ACOS-Outside-Secondary(config-real server)# port 0 udp
ACOS-Outside-Secondary(config-real server-node port)# health-check-disable
ACOS-Outside-Secondary(config-real server-node port)# exit
ACOS-Outside-Secondary(config-real server)# port 443 tcp
ACOS-Outside-Secondary(config-real server-node port)# health-check-disable
ACOS-Outside-Secondary(config-real server-node port)# exit
ACOS-Outside-Secondary(config-real server)# exit

ACOS-Outside-Secondary(config)# slb service-group SG_TCP tcp
ACOS-Outside-Secondary(config-slb svc group)# member server-gateway 0
ACOS-Outside-Secondary(config-slb svc group)# exit
ACOS-Outside-Secondary(config)# slb service-group SG_UDP udp
ACOS-Outside-Secondary(config-slb svc group)# member server-gateway 0
ACOS-Outside-Secondary(config-slb svc group)# exit
ACOS-Outside-Secondary(config)# slb service-group SG_443 tcp
ACOS-Outside-Secondary(config-slb svc group)# member server-gateway 443
ACOS-Outside-Secondary(config-slb svc group)# exit

ACOS-Outside-Secondary(config)# access-list 100 permit ip any any vlan 15
ACOS-Outside-Secondary(config)# access-list 100 permit ip any any vlan 16
ACOS-Outside-Secondary(config)# slb virtual-server outside_in_to_out 0.0.0.0 acl 100
ACOS-Outside-Secondary(config-slb vserver)# port 0 tcp
ACOS-Outside-Secondary(config-slb vserver-vport)# service-group SG_TCP
ACOS-Outside-Secondary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Secondary(config-slb vserver-vport)# no-dest-nat
ACOS-Outside-Secondary(config-slb vserver-vport)# exit
ACOS-Outside-Secondary(config-slb vserver)# port 0 udp
ACOS-Outside-Secondary(config-slb vserver-vport)# service-group SG_UDP
ACOS-Outside-Secondary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Secondary(config-slb vserver-vport)# no-dest-nat
ACOS-Outside-Secondary(config-slb vserver-vport)# exit
ACOS-Outside-Secondary(config-slb vserver)# port 8080 http
ACOS-Outside-Secondary(config-slb vserver-vport)# name ReverseProxy_Wildcard
ACOS-Outside-Secondary(config-slb vserver-vport)# service-group SG_443
ACOS-Outside-Secondary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Secondary(config-slb vserver-vport)# template server-ssl SSLInsight_ServerSide
ACOS-Outside-Secondary(config-slb vserver-vport)# exit
ACOS-Outside-Secondary(config-slb vserver)# exit

VRRP-A Configuration
ACOS-Outside-Secondary(config)# vrrp-a common
ACOS-Outside-Secondary(config-common)# device-id 4
ACOS-Outside-Secondary(config-common)# set-id 2
ACOS-Outside-Secondary(config-common)# enable
ACOS-Outside-Secondary(config-common)# exit
ACOS-Outside-Secondary(config)# vrrp-a vrid 0
ACOS-Outside-Secondary(config-vrid:0)# floating-ip 20.1.1.1
ACOS-Outside-Secondary(config-vrid:0)# blade-parameters
ACOS-Outside-Secondary(config-vrid:0-blade-parameters)# priority 180
ACOS-Outside-Secondary(config-vrid:0-blade-parameters)# tracking-options
ACOS-Outside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Secondary(config-vrid:0-blade-parameters-track...)# exit
ACOS-Outside-Secondary(config-vrid:0-blade-parameters)# exit
ACOS-Outside-Secondary(config-vrid:0)# exit

ACOS-Outside-Secondary(config)# vrrp-a vrid 5
ACOS-Outside-Secondary(config-vrid:5)# floating-ip 10.1.240.11
ACOS-Outside-Secondary(config-vrid:5)# blade-parameters
ACOS-Outside-Secondary(config-vrid:5-blade-parameters)# priority 180
ACOS-Outside-Secondary(config-vrid:5-blade-parameters)# tracking-options
ACOS-Outside-Secondary(config-vrid:5-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Secondary(config-vrid:5-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Secondary(config-vrid:5-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Secondary(config-vrid:5-blade-parameters-track...)# exit
ACOS-Outside-Secondary(config-vrid:5-blade-parameters)# exit
ACOS-Outside-Secondary(config-vrid:5)# exit
ACOS-Outside-Secondary(config)# vrrp-a vrid 6
ACOS-Outside-Secondary(config-vrid:6)# floating-ip 10.1.250.11
ACOS-Outside-Secondary(config-vrid:6)# blade-parameters
ACOS-Outside-Secondary(config-vrid:6-blade-parameters)# priority 180
ACOS-Outside-Secondary(config-vrid:6-blade-parameters)# tracking-options
ACOS-Outside-Secondary(config-vrid:6-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Secondary(config-vrid:6-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Secondary(config-vrid:6-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Secondary(config-vrid:6-blade-parameters-track...)# exit
ACOS-Outside-Secondary(config-vrid:6-blade-parameters)# exit
ACOS-Outside-Secondary(config-vrid:6)# exit

ACOS-Inside-Primary(config)# vrrp-a interface ethernet 18
ACOS-Inside-Primary(config-ethernet:18)# vlan 99

Chapter 19: Miscellaneous Features
Unless otherwise stated, the features described in this section apply to both static-port SSLi
and dynamic-port SSLi configurations.

For more information about the commands used in the configuration examples, see the Command Line Interface Reference for ADC.

The following topics are covered:

File Inspection 397

SSLi Source NAT 400

Self-Signed Certificates 408

Persistent Proxied Certificates 409

Chrome Browser Configuration Options 411

Global Commands 411


File Inspection
File inspection is an ACOS feature that uses an internal Cylance file inspection engine to examine files in HTTP data streams. The Cylance engine is implemented through an internal ICAP server and detects malware on the basis of millions of file signatures. The internal engine assigns a score to each inspected file, and ACOS uses that score as its file management criterion: files can be passed to their final destination, dropped, or referred to an external ICAP server for further inspection. The external server can be any ICAP-based AMP. The feature supports inspecting client-side download files.

Refer to the Command Line Interface Reference for ADC for more information about commands used in this section.

CLI Configuration

The following topics are covered:

Verifying the Device has a Cylance License 397

Creating a File Inspection Template 397

Binding the File Inspection Template to a Port 399

Importing a Cylance BW List 399

Implementing File Inspection on ADP 399

Verifying the Device has a Cylance License

File inspection requires an enabled Cylance license. The show license-info command displays the licenses enabled on a device. The following example shows that an enabled Cylance license is installed on the device:
ACOS# show license-info | sec CYLANCE
CYLANCE 21-August-2018
ACOS#

Creating a File Inspection Template

File inspection templates are assigned to HTTP virtual ports to specify the device action upon
files that are inspected. The file-inspection template command creates a template and places
the device in file-inspection template mode for modifying template parameters. When the
command specifies an extant template, the subsequent commands edit that template.


Commands that configure the template include:

• inspect downloads: enables file inspection for ports upon which the template is bound; also specifies the data streams that are inspected and the ICAP server that inspects the files.

• downloads good: specifies the action for files that are evaluated as "good". Available actions include allowing the file to pass (default), dropping the file, or resetting the TCP connection.

To use file inspection, the feature must be enabled globally and on each individual port
where files are to be inspected. The file-inspection service enable command enables file
inspection on the device.

This command enables file inspection globally on the device:


ACOS(config)# file-inspection service enable

This command disables file inspection globally. Virtual ports that are bound to a file-inspection template do not invoke Cylance inspection while the feature is globally disabled:
ACOS(config)# no file-inspection service enable

The show process system command indicates the status of the a10fi (file inspection) process. Use this command to verify that the file-inspection process is running:
ACOS# show process system | sec a10fi
a10fi is not running
ACOS#

These CLI commands create a file inspection template and configure it to 1) allow good files to pass, 2) drop bad files, 3) send suspect files to an external ICAP server, and 4) enable the port for inspecting files downloaded by clients:
ACOS(config)# file-inspection template FLOW_A
ACOS(config-file-inspection)# downloads bad drop log
ACOS(config-file-inspection)# downloads good reset no-log
ACOS(config-file-inspection)# downloads suspect external-inspect SERVER-1 log
ACOS(config-file-inspection)# inspect downloads
ACOS(config-file-inspection)# exit

These CLI commands configure the external ICAP server that inspects the files:
ACOS(config)# slb template respmod-icap SERVER-1
ACOS(config-respmod-icap)# service-url icap://10.10.2.2/c-server
ACOS(config-respmod-icap)# exit

Binding the File Inspection Template to a Port

To implement file inspection, bind a file-inspection template to an HTTP virtual port. These commands create a virtual port and configure it to use the internal Cylance server for downloaded files:
ACOS(config)# slb virtual-server VIP-1 10.1.1.1
ACOS(config-slb vserver)# port 80 HTTP
ACOS(config-slb vserver-vport)# template file-inspection FLOW_A
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

Importing a Cylance BW List

Cylance maintains a global black and white list of files that were determined to be either good or bad by qualification methods outside the machine learning algorithm. The import file-inspection-bw-list and import-periodic file-inspection-bw-list commands fetch this list from Cylance and install it into the internal Cylance engine.

Refer to the Command Line Interface Reference for instructions on using the import and
import-periodic commands.

Implementing File Inspection on ADP

In addition to the shared partition, file inspection is available in L3V and service partitions.
The following guidelines are applicable to implementing file inspection on private partitions:

• File-inspection service is enabled using a global command in the shared partition.

• Since file-inspection implementation is only available to downloaded content, applying file-inspection templates to the SSLi re-encrypt partition is recommended.


For information about Application Delivery Partitions, refer to the Configuring Application Delivery Partitions Guide.

SSLi Source NAT

In some applications of SSLi, it is important to control the source IP address. For example, when SSLi is configured for transparent HTTP proxy chaining, SSLi source NAT allows the network administrator to specify the source IP addresses of a client-initiated FETCH session. The chained upstream HTTP proxy server can use the source NAT addresses to differentiate the fetched traffic from all other traffic, and can then apply policies to the fetched traffic that differ from those it applies to all other traffic.

Static Source NAT CLI Configuration

This section provides detailed steps for configuring SSLi source NAT with statically specified IP addresses from a NAT address pool. For information on auto-SSLi source NAT, see the forward-proxy-source-nat command in the Command Line Interface Reference for ADC.

ACOS_decrypt CLI Configuration

The configuration below includes the commands required to enable SSLi static source NAT:

• The ip nat pool p199 and ip nat pool p1 commands configure the IP address pools that provide the IP addresses referred to in the forward-proxy-source-nat and source-nat pool commands, respectively.

The source-nat pool p1 command under each virtual port configuration enables source NAT and specifies that NAT pool p1 is used for normally authenticated SSL sessions.

ACOS-Inside# show running-config
!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
hostname ACOS-Inside
!
interface ethernet 1
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
ip nat pool p199 192.168.2.100 192.168.2.101 netmask /24
ip nat pool p1 192.168.2.102 192.168.2.103 netmask /24
!
slb server FW1_Inspect 10.15.1.12
port 8080 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 8080
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
forward-proxy-source-nat pool p199
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 443 https
source-nat pool p1
service-group FW1_Inspect_SG
template client-ssl SSLInsight_ClientSide
no-dest-nat port-translation
port 0 tcp
source-nat pool p1
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
source-nat pool p1
service-group ALL_UDP_SG
no-dest-nat
port 0 others
source-nat pool p1
service-group ALL_UDP_SG
no-dest-nat
!
end

ACOS_encrypt Configuration
No changes to the configuration of the outside ACOS device are needed to support SSLi
source NAT.

Auto Source NAT CLI Configuration

This section provides detailed steps for configuring SSLi source NAT with automatically-
acquired IP addresses matching the IP address of the ACOS interface facing the SSL Server.

The configuration example in this section is identical to Static Source NAT CLI Configuration
except that SSLi auto source NAT is enabled on the virtual server.

Inside ACOS device Configuration

The configuration below includes the commands required to enable SSLi auto source NAT:

• The ip nat pool p1 command configures the IP address pool that provides the IP addresses referred to in the source-nat pool command.

The source-nat pool p1 command under each virtual port configuration enables source NAT and specifies that NAT pool p1 is used for normally authenticated SSL sessions.

ACOS-Inside# show running-config
!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
hostname ACOS-Inside
!
interface ethernet 1
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
ip nat pool p1 192.168.2.102 192.168.2.103 netmask /24
!
slb server FW1_Inspect 10.15.1.12
port 8080 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 8080
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
forward-proxy-source-nat auto
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 443 https
source-nat pool p1
service-group FW1_Inspect_SG
template client-ssl SSLInsight_ClientSide
no-dest-nat port-translation
port 0 tcp
source-nat pool p1
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
source-nat pool p1
service-group ALL_UDP_SG
no-dest-nat
port 0 others
source-nat pool p1
service-group ALL_UDP_SG
no-dest-nat
!
end

Outside ACOS device Configuration

No changes to the configuration of the outside ACOS device are needed. However, this section shows the configuration of the real server, Default_Gateway, and its interface address, 20.1.1.10, because this IP address is used by SSLi auto source NAT in fetched SSL sessions.

ACOS-Outside# show running-config

...
slb server Default_Gateway 20.1.1.10
port 443 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
...

Consolidated Configuration

For SSLi implementations, you can specify source NAT for the forwarding traffic either in the
SLB policy template or in the client SSL template. If you have configured source NAT in both
templates, the source NAT configuration in the SLB policy template has higher precedence
than that of the client SSL template. This is the default behavior.

You can bypass this precedence so that ACOS uses the source NAT configuration defined in
the client SSL template by using the precedence option in the forward-proxy-source-nat
command.

The following is a sample configuration of the ACOS_decrypt device. In the configuration example:

• The ip nat pool command configures the IP address pool for source NAT. In this example, p1, p2, and p3 are the three source NAT pools created.

This example uses statically configured source NAT IP addresses. For dynamically configured
IP addresses for source NAT, you can use the forward-proxy-source-nat auto command
with the precedence option.

ip nat pool p1 10.105.1.88 10.105.1.88 netmask /24
ip nat pool p2 10.105.5.100 10.105.5.100 netmask /24
ip nat pool p3 10.105.5.101 10.105.5.101 netmask /24
ip nat alg pptp enable
ip route 10.105.2.0 /24 10.105.5.2
ip route 10.106.0.0 /16 10.105.5.2
slb template dynamic-service DNS
dns server 10.105.1.140
slb server gw1 10.105.5.2
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
slb service-group gw1_tcp_0 tcp
member gw1 0
slb service-group gw1_tcp_8080 tcp
member gw1 8080
slb service-group gw1_udp_0 udp
member gw1 0
slb template client-ssl c-ssl2
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
forward-proxy-source-nat pool p3 precedence
!The precedence option provides priority for the source NAT configured here.
slb template policy EP1
forward-policy
action Permit_to_Internet
forward-to-internet gw1_tcp_8080 snat p2

In the absence of the precedence option, SNAT p2 is used to fetch the server certificate; otherwise, SNAT p3 configured in the client-ssl template is used to fetch the server certificate.

log
source any
match-any
destination any action Permit_to_Internet
slb virtual-server vs_ep 10.105.1.16
port 8080 http
service-group gw1_tcp_8080
template policy EP1
template dynamic-service DNS
template client-ssl c-ssl2
no-dest-nat port-translation

Self-Signed Certificates
A self-signed certificate is one in which the subject and issuer fields are the same. Because a
self-signed certificate is a security risk, the ACOS device does not forward traffic to the self-
signed certificate site.

CLI Configuration

To redirect clients away from sites using self-signed certificates, enter the forward-proxy-selfsign-redir command in the configuration of the client-SSL template. The ACOS device then redirects traffic away from the self-signed site to a warning page on which the client sees, "The page you have tried to reach uses an untrusted certificate, please contact your administrator."

Static-Port SSLi: Inside ACOS device SLB SSL Client Template

ACOS-inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-inside(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS-inside(config-client ssl)# forward-proxy-enable
ACOS-inside(config-client ssl)# forward-proxy-selfsign-redir

Dynamic-Port SSLi: Inside ACOS device SLB SSL Client Template

ACOS-inside(config)# slb template client-ssl Client-SSL
ACOS-inside(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS-inside(config-client ssl)# forward-proxy-enable
ACOS-inside(config-client ssl)# forward-proxy-selfsign-redir
ACOS-inside(config-client ssl)# non-ssl-bypass service-group Outbound_TCP

Show Configuration

Static-Port SSLi: Inside ACOS device SLB SSL Client Template

ACOS-Inside# show running-config slb template client-ssl
!Section configuration: 330 bytes
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
forward-proxy-selfsign-redir

Dynamic-Port SSLi: Inside ACOS device SLB SSL Client Template

ACOS-Inside# show running-config slb template client-ssl
!Section configuration: 330 bytes
!
slb template client-ssl Client-SSL
forward-proxy-ca-certificate Cert123.pem key key123
forward-proxy-enable
forward-proxy-selfsign-redir
non-ssl-bypass service-group Outbound_TCP
!

Persistent Proxied Certificates

When an ACOS device restarts, or the forward-proxy process restarts, the cache of proxied certificates is emptied.

To save a group of proxied certificates that will be automatically re-installed after a restart,
you need to configure a persistent forward-proxy class list and bind that class list to the cli-
ent-SSL template.

Because the saved file of proxied certificates is periodically refreshed, it is possible that some
proxied certificates will not persist if they were cached just before the system reset.

NOTE: Every unique SSLi virtual port needs a separate client-ssl template. This requirement only applies to virtual ports enabled for SSLi and does not apply to SSL offload or SSL proxy.

Creating a Persistent Forward-Proxy Class List

This example shows how to create the persistent forward-proxy class list and bind it to a client-SSL template:

1. To create or change a persistent forward-proxy class list, use the class-list command with the ac option.

The class-list command creates a class list and gives it a name. The file option saves the list as a file that you can export. Without this option, the class list entries are saved in the configuration file instead. The ac option is required for the persistent certificates feature and specifies that the list type is Aho-Corasick.

If the SNI in a certificate matches an entry in this class list, the certificate is retained; otherwise, it is dropped.
ACOS-Inside# configure
ACOS-Inside(config)# class-list persist-servers-CL ac
ACOS-Inside(config-class list)# contains jsmith.com
ACOS-Inside(config-class list)# contains EnterpriseABC.com
ACOS-Inside(config-class list)# equals UofKgmc.edu/admissions

2. Bind the new or changed class list to the client-SSL template:

ACOS-Inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-client ssl)# forward-proxy-cache-persistence class-list persist-servers-CL
ACOS-Inside(config-client ssl)# forward-proxy-enable
ACOS-Inside(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123

3. Commit the changes to ACOS memory.

ACOS-Inside(config)# write memory

4. Use the show class-list command to display the persist-servers-CL class list.
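As an added example that is not part of the guide, the following Python shows how an ac (Aho-Corasick) class list with contains and equals entries decides which SNIs are retained, using the persist-servers-CL entries from step 1; comparing the SNI case-insensitively is an assumption.

```python
"""Matching semantics of an 'ac' (Aho-Corasick) class list with 'contains' and
'equals' entries. Added example, not ACOS code; the entries are the guide's
persist-servers-CL. Case-insensitive SNI comparison is an assumption."""
from collections import deque


class AhoCorasick:
    """Multi-pattern substring matcher: one pass over the text finds every
    pattern that occurs in it, which is what the 'contains' entries need."""

    def __init__(self, patterns):
        self.goto = [{}]      # per-node transitions: char -> node index
        self.out = [set()]    # per-node set of patterns that end at this node
        self.fail = [0]       # per-node failure link (longest proper suffix)
        for pattern in patterns:
            self._add(pattern)
        self._build_failure_links()

    def _add(self, pattern):
        node = 0
        for ch in pattern:
            if ch not in self.goto[node]:
                self.goto.append({})
                self.out.append(set())
                self.fail.append(0)
                self.goto[node][ch] = len(self.goto) - 1
            node = self.goto[node][ch]
        self.out[node].add(pattern)

    def _build_failure_links(self):
        # Depth-1 nodes keep fail=0 (root); deeper nodes are set breadth-first.
        queue = deque(self.goto[0].values())
        while queue:
            current = queue.popleft()
            for ch, child in self.goto[current].items():
                fallback = self.fail[current]
                while fallback and ch not in self.goto[fallback]:
                    fallback = self.fail[fallback]
                self.fail[child] = self.goto[fallback].get(ch, 0)
                # A pattern ending at the fail target also ends here.
                self.out[child] |= self.out[self.fail[child]]
                queue.append(child)

    def search(self, text):
        """Return the set of patterns occurring anywhere in text."""
        node, found = 0, set()
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            found |= self.out[node]
        return found


def build_class_list(entries):
    """entries: (operator, pattern) pairs as typed in class-list config."""
    contains = AhoCorasick([p.lower() for op, p in entries if op == "contains"])
    equals = {p.lower() for op, p in entries if op == "equals"}
    return contains, equals


def matching_patterns(sni, class_list):
    """Return the class-list patterns that match this SNI (empty set: dropped)."""
    contains, equals = class_list
    name = sni.lower()
    matches = contains.search(name)       # 'contains' entries: substring match
    if name in equals:                    # 'equals' entries: whole-name match
        matches.add(name)
    return matches


def sni_retained(sni, class_list):
    """True if the proxied certificate for this SNI persists across a restart."""
    return bool(matching_patterns(sni, class_list))


# The guide's persist-servers-CL entries.
PERSIST_SERVERS_CL = [
    ("contains", "jsmith.com"),
    ("contains", "EnterpriseABC.com"),
    ("equals", "UofKgmc.edu/admissions"),
]

if __name__ == "__main__":
    cl = build_class_list(PERSIST_SERVERS_CL)
    for sni in ("mail.jsmith.com", "UofKgmc.edu/admissions", "UofKgmc.edu"):
        verdict = "retained" if sni_retained(sni, cl) else "dropped"
        print(f"{sni}: {verdict} {sorted(matching_patterns(sni, cl))}")
```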


Binding a Separate Client-SSL Template

The following example illustrates the requirement of this feature that a separate client-SSL
template must be bound to each unique SSLi virtual port (port 443 https):
ACOS-Inside(config)# slb virtual-server vip1 0.0.0.0 acl 1
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# template client-ssl test1
ACOS-Inside(config-slb vserver-vport)# exit
ACOS-Inside(config-slb vserver)# exit
ACOS-Inside(config)# slb virtual-server vip2 0.0.0.0 acl 2
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# template client-ssl test2

Chrome Browser Configuration Options

The Chrome browser is popular, and so are Google services such as search and Gmail. Many enterprise customers want to inspect this Google traffic. However, the Chrome browser can use the QUIC protocol instead of standard HTTPS. To inspect Google traffic, enforce the use of HTTPS by denying QUIC messages with an ACL that denies UDP traffic to destination port 443, as shown in the configuration example below.
access-list 103 deny udp any any eq 80
access-list 103 deny udp any any eq 443
access-list 103 permit ip any any
!
interface ethernet 2
enable
access-list 103 in
ip address 172.16.1.1 255.255.255.0
ip allow-promiscuous-vip

Global Commands
The following SSL commands and options are described in greater detail in the “Config Commands: Server Load Balancing” section of the Command Line Interface Reference for ADC.
AX5100(config)# slb ssl?
ssl-cert-revoke Show ssl-cert-revoke-stats
ssl-expire-check SSL certificate expiration check
ssl-forward-proxy-stats SSL forward proxy stats info

Chapter 20: Error Logging
ACOS supports logging all the states of the SSL handshake in the system log. Both successful and failed SSL events on the client side and the server side are recorded.

The following topics are covered:

Overview 414

CLI Configuration 415

Failure Event Error Reasons 416

Generic Failure Logs 439

Event-based Logging 442


Overview
By default, ACOS supports SSLi logging only for errors. The ssli-logging all command, however, enables logging of all events. The logging output then also includes information such as web category, certificate validity status, session duration, and log ID for the session start, end, bypass, and error cases.

There are two logging levels used for SSLi:

• Error—An event is categorized as an error when there is a failure.

• Information (Info)—An event is categorized as info for intercept and bypass actions.

All the logs are generated in the CEF standard format. A log message compliant with CEF follows a specific format. The information before “[Extension]” is mandatory and is called the CEF header, as shown in the following sample:
Jan 18 11:07:53 host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

The following is an example log for an SSLi inspection bypass event; the log level is info:

ACOS# show log
Nov 19 2017 21:31:12 Info [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131522|Inspection Bypassed|6|src=13.13.13.20 dst=23.23.23.20 spt=53318 dpt=443 act=bypassed dhost=www.hello.com cs1=vipw cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type

NOTE: All the log messages are remote only and will not be displayed in the show log command. Additionally, ACOS does not support Syslog format for the SSLi log type. Therefore, if you enable an acos-events template with Syslog format, the log server will not log any messages.

Based on SSLi events, three types of SSLi logging are supported:

Inspection successful event

This has two types of logs, one for the start of inspection and the other for the completion of inspection. The logs for these events include session statistics.


The following is an example log for an SSLi inspection start event, log level is info:
May 15 2018 21:27:19 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440836|Inspection Start|6|src=10.105.11.97 dst=10.105.22.94 spt=52214 dpt=443 act=inspected dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs4=AES256-GCM-SHA384 cs4Label=Cipher suite cs6=VALID cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=16 cn2Label=Log ID

The following is an example log for an SSLi inspection successful event, log level is info:
May 15 2018 21:27:24 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440833|Inspection Successful|6|src=10.105.11.97 dst=10.105.22.94 spt=52214 dpt=443 act=inspected dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs4=AES256-GCM-SHA384 cs4Label=Cipher suite cs6=VALID cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=8 cn2Label=FWD Packets cn3=1769 cn3Label=REV Packets cn4=6 cn4Label=Duration seconds cn5=26 cn5Label=Log ID cn6=962 cn6Label=FWD Bytes Transferred cn7=11 cn7Label=REV Bytes Transferred

Inspection failure event

The log for this event does not include session statistics.

The following is an example log for an SSLi error event, log level is error:
May 15 2018 21:25:56 Error [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440835|Inspection Failed|3|src=10.105.11.97 dst=10.105.22.94 spt=52210 dpt=443 act=dropped dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs6=INVALID cs6Label=Certificate Validity status cs7=CERT Fetch, Validation Error cs7Label=Error type cn1=443 cn1Label=VIP port cn2=2 cn2Label=Log ID

Inspection bypass event

The log for this event does not include session statistics.

The following is an example log for an SSLi bypass event, log level is info:
May 15 2018 21:24:11 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440834|Inspection Bypassed|6|src=10.105.11.97 dst=172.217.164.110 spt=59644 dpt=443 act=bypassed dhost=google.com cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs5=Search Engines cs5Label=Web Category cs6=UNKNOWN cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=6 cn2Label=Log ID
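As an added example that is not ACOS code, the following Python parses the CEF records shown above, including extension values that contain spaces (for example cs7=CERT Fetch, Validation Error), resolves the csN/cnN labels into readable field names, and triages the guide's sample events; the sample lines are the guide's own examples rejoined onto single lines.

```python
"""Parse and triage the SSLi CEF log lines shown above. Added example, not ACOS
code; the sample lines are the guide's own examples rejoined onto single lines."""
import re
from collections import Counter

# Syslog-style prefix ACOS writes before the CEF record.
PREFIX_RE = re.compile(
    r"^(?P<timestamp>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<level>\w+) "
    r"\[(?P<facility>[^\]]*)\]: (?P<host>\S+) ")
# CEF header: Version|Vendor|Product|Device Version|Event Class ID|Name|Severity|Ext
CEF_RE = re.compile(
    r"CEF:(?P<version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<device_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<name>[^|]*)\|"
    r"(?P<severity>\d+)\|(?P<extension>.*)$")
# A key is an alphanumeric name followed by '=' at start of string or after whitespace.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9]+)=")


def parse_extension(extension):
    """Split the extension into raw key -> value. Values may contain spaces and
    commas ("cs7=CERT Fetch, Validation Error"), so each value runs to the next
    whitespace-preceded key= token rather than to the next space."""
    keys = list(KEY_RE.finditer(extension))
    fields = {}
    for i, match in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        fields[match.group(1)] = extension[match.end():end].strip()
    return fields


def resolve_labels(fields):
    """Rename csN/cnN keys to the names carried in csNLabel/cnNLabel."""
    return {fields.get(k + "Label", k): v for k, v in fields.items()
            if not k.endswith("Label")}


def parse_ssli_log(line):
    """Return a dict for one SSLi log line, or None if it carries no CEF record."""
    cef = CEF_RE.search(line)
    if cef is None:
        return None
    record = cef.groupdict()
    record["severity"] = int(record["severity"])
    record["fields"] = resolve_labels(parse_extension(record.pop("extension")))
    prefix = PREFIX_RE.match(line)
    if prefix:
        record.update(prefix.groupdict())
    return record


def triage(lines):
    """Count events by name and list failed sessions with their error type."""
    by_event, failures = Counter(), []
    for line in lines:
        record = parse_ssli_log(line)
        if record is None:
            continue
        by_event[record["name"]] += 1
        if record["name"] == "Inspection Failed":
            f = record["fields"]
            failures.append((f.get("dhost"), f.get("Error type"),
                             f.get("Certificate Validity status")))
    return {"by_event": by_event, "failures": failures}


# The guide's sample events (successful, failed, bypassed), one string each.
SAMPLE_LOGS = [
    "May 15 2018 21:27:24 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440833|"
    "Inspection Successful|6|src=10.105.11.97 dst=10.105.22.94 spt=52214 dpt=443 act=inspected"
    " dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol"
    " cs3=TLSv1.2 cs3Label=SSL version cs4=AES256-GCM-SHA384 cs4Label=Cipher suite cs6=VALID"
    " cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=8 cn2Label=FWD Packets"
    " cn3=1769 cn3Label=REV Packets cn4=6 cn4Label=Duration seconds cn5=26 cn5Label=Log ID"
    " cn6=962 cn6Label=FWD Bytes Transferred cn7=11 cn7Label=REV Bytes Transferred",
    "May 15 2018 21:25:56 Error [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440835|"
    "Inspection Failed|3|src=10.105.11.97 dst=10.105.22.94 spt=52210 dpt=443 act=dropped"
    " dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol"
    " cs3=TLSv1.2 cs3Label=SSL version cs6=INVALID cs6Label=Certificate Validity status"
    " cs7=CERT Fetch, Validation Error cs7Label=Error type cn1=443 cn1Label=VIP port cn2=2"
    " cn2Label=Log ID",
    "May 15 2018 21:24:11 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440834|"
    "Inspection Bypassed|6|src=10.105.11.97 dst=172.217.164.110 spt=59644 dpt=443 act=bypassed"
    " dhost=google.com cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol"
    " cs3=TLSv1.2 cs3Label=SSL version cs5=Search Engines cs5Label=Web Category cs6=UNKNOWN"
    " cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=6 cn2Label=Log ID",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for name, count in sorted(result["by_event"].items()):
        print(f"{name}: {count}")
    for dhost, reason, validity in result["failures"]:
        print(f"failed: dhost={dhost} validity={validity} reason={reason}")
```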

CLI Configuration
By default, SSLi logging is enabled for capturing SSL errors.


• To enable SSLi logging for all events, run the following commands:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ssli-logging all

• To disable SSLi logging, run the following commands:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ssli-logging disable

Failure Event Error Reasons

The following table lists the error reasons and their associated explanations.

Sr.No Error Reason Description

1 CERT Fetch, Receive SSL Fatal Alert ACOS receives an SSL fatal alert packet while
fetching the SSL certificate.

The below section lists the error when the SSL handshake occurs between ACOS_decrypt and
the server, and a TCP FIN/RST packets are received by ACOS_decrypt.

2 Handshake Failure A failure occurred during SSL handshake.

3 CERT Fetch, connection finish by peer The server finishes the connection while fetching
OR the SSL certificate.
Connection finish by peer

4 CERT Fetch, DNS resolved error The DNS server could not resolve the domain
OR name while fetching the SSL certificate.
DNS resolved error

5 CERT Fetch, DNS timeout The DNS server connection timed out while fetch-
OR ing the SSL certificate.
DNS timeout

6 CERT Fetch, DNS server failed The DNS server failed while fetching the SSL cer-
OR tificate.
DNS server failed

7 CERT Fetch, TCP timeout The TCP connection or session timed out while
OR fetching the SSL certificate.
TCP timeout

416
Chapter 20: Error Logging
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

Sr.No Error Reason Description

8 CERT Fetch, UDP timeout The UDP connection or session timed out while
OR fetching the SSL certificate.
UDP timeout

9 CERT Fetch, connection reset by peer The server resets the connection while fetching
OR the SSL certificate.
Connection reset by peer

10 CERT Fetch, delete connection failed The connection could not be deleted after failure
OR to fetch the SSL certificate.
Delete connection failed

11 CERT Fetch, create connection failed The connection could not be created or estab-
OR lished before fetching the SSL certificate.
Create connection failed

12 CERT Fetch, port not found The server port was not found while fetching the
OR SSL certificate.
Port not found

13 CERT Fetch, IP not foundIP not found The server IP address was not found while fetch-
ing the SSL certificate.

14 CERT Fetch, cannot obtain NAT address The server NAT address was not obtained while
OR fetching the SSL certificate.
Cannot obtain NAT address

15 CERT Fetch, invalid session Invalid session The server session was invalid while fetching the
SSL certificate.

16 CERT Fetch, TCP process data event error The data process failed while fetching the SSL
OR certificate.
TCP process data event error

17 CERT Fetch, TCP process error The TCP process failed while fetching the SSL
OR certificate.
TCP process error

The below section lists the error occurs when the SSL handshake takes place between ACOS_
decrypt and the server, and ACOS_decrypt is unable to validate the server certificate.

417
Chapter 20: Error Logging
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

Sr.No | Error Reason | Description
18 | Unable to get issuer certificate | The issuer certificate of a looked-up certificate could not be found. This happens because the list of trusted certificates is incomplete.
19 | Unable to get certificate CRL | The CRL of a certificate could not be found.
20 | Unable to decrypt certificate's signature | The server could not decrypt the certificate's signature. This error occurs because the actual signature value could not be determined or does not match the expected value.
21 | Unable to decrypt CRL's signature | The server could not decrypt the CRL's signature. This error occurs because the actual signature value could not be determined or does not match the expected value.
22 | Unable to decode issuer public key | The public key in the certificate SubjectPublicKeyInfo could not be read.
23 | Certificate signature failure | The signature of the certificate is invalid.
24 | CRL signature failure | The signature of the CRL is invalid.
25 | Certificate is not yet valid | The SSL handshake failed because the certificate is not yet valid. This error occurs because the system clock is not set to today's date.
26 | CRL is not yet valid | The SSL handshake failed because the CRL is not yet valid. This error occurs because the system clock is not set to today's date.
27 | Certificate has expired | The SSL handshake failed because the certificate has expired. This error occurs because the system clock is not set to today's date.
28 | CRL has expired | The SSL handshake failed because the CRL has expired. This error occurs because the system clock is not set to today's date.

29 | Format error in certificate's notBefore field | The certificate notBefore field contains an invalid time.
30 | Format error in certificate's notAfter field | The certificate notAfter field contains an invalid time.
31 | Format error in CRL's lastUpdate field | The CRL lastUpdate field contains an invalid time.
32 | Format error in CRL's nextUpdate field | The CRL nextUpdate field contains an invalid time.
33 | Out of memory | An error occurred while trying to allocate memory.
34 | Self signed certificate | The passed certificate is self-signed and the same certificate cannot be found in the list of trusted certificates.
35 | Self signed certificate in certificate chain | The certificate chain could be built up using the untrusted certificates, but the root could not be found locally.
36 | Unable to get local issuer certificate | The issuer certificate could not be found. This error occurs if the issuer certificate of an untrusted certificate cannot be found.
37 | Unable to verify the first certificate | No signatures could be verified because the chain contains only one certificate, and it is not self-signed.
38 | Certificate chain too long | The certificate chain length is greater than the supplied maximum depth.
39 | Certificate revoked OR Cert revoked | The server certificate has been revoked.
40 | Invalid CA certificate | The server has an invalid CA certificate.
41 | Path length constraint exceeded | The basicConstraints path length parameter has been exceeded.
42 | Unsupported certificate purpose | The supplied certificate cannot be used for the specified purpose.
43 | Certificate not trusted | The root CA is not marked as trusted for the specified purpose.

44 | Certificate rejected | The root CA is marked to reject the specified purpose.
45 | Application verification failure | An error occurred due to an application-specific error.
46 | Subject issuer mismatch | An error occurred due to a certificate subject/issuer mismatch. This could be because the subject name in the trusted certificates file and path are different.
47 | Authority and subject key identifier mismatch | The issuer's certificate authority key identifier and the subject key identifier mismatched.
48 | Key usage does not include certificate signing | The current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing.
49 | Unable to get CRL issuer certificate | The issuer certificate of a looked-up CRL could not be found. This happens because the list of trusted certificates is incomplete.
50 | Unhandled critical extension | The certificate was rejected because an unhandled critical extension is present which is not supported by OpenSSL.
51 | Key usage does not include CRL signing | The current candidate issuer certificate was rejected because its keyUsage extension does not permit CRL signing.
52 | Unhandled critical CRL extension | The CRL was rejected because an unhandled critical extension is present which is not supported by OpenSSL.

The below section lists the errors that occur when the SSL handshake takes place between client and server.

Sr.No | Error Reason | Description
53 | Client SSL, Receive SSL Fatal Alert | An SSL fatal alert was received from the client side during the SSL handshake.
54 | Client SSL, Connection finish by peer | The client closes the connection by sending a FIN packet during the SSL handshake.

55 | Client SSL, Connection reset by peer | The client resets the connection by sending an RST packet during the SSL handshake.
56 | SSL Session, Receive TCP FIN/RST packet | The SSL session failed due to a TCP FIN/RST from the origin server. This can happen when the SSLi decrypt zone does not support a cipher suite of the origin server.
57 | Server SSL, Receive SSL Fatal Alert | An SSL fatal alert was received from the server side during the SSL handshake.
58 | Server SSL, Connection finish by peer | The server closes the connection by sending a FIN packet during the SSL handshake.
59 | Server SSL, Connection reset by peer | The server resets the connection by sending an RST packet during the SSL handshake.
60 | SSLi encrypt side cannot do HTTP/2 | The SSL negotiation with the client failed to establish an HTTP/2 connection.
61 | Client SSL, Undefined fail reason | The SSL handshake failed for an undefined reason.
62 | Server SSL, Undefined fail reason | The SSL handshake failed for an undefined reason.

The below section lists the errors reported by the Cavium N3 during the hardware encryption or decryption process.

Sr.No | Error Reason | Description
63 | Invalid (Undefined) Opcode | The hardware error occurred due to an invalid or undefined operation code (Opcode).
64 | Authentication failed due to bad record | The authentication failed due to a bad record.
65 | Number of scatter elements are zero, or number of gather elements are zero, or Dlen is less than the SG size calculated from s_Len and g_size | The number of scatter elements and the number of gather elements should not be zero, and Dlen should not be less than the SG size calculated from s_Len and g_size.
66 | Resulting point is at infinity | The resulting point is invalid; it should not be at infinity.
67 | Opcode is not point Addition, Double or Multiply | The Opcode is incorrect; it should be Addition, Double or Multiply.

68 | Curve is not Prime Curve | The curve is not a prime curve.
69 | Prime Curve Length is not 256 or 384. | The prime curve length is not 256 or 384.
70 | Additional input length > 656 bytes. | The additional input length exceeds 656 bytes.
71 | Authentication failed due to bad HMAC digest | The authentication failed due to an invalid HMAC digest record.
72 | Specified total length of scatter buffers is less than calculated Result Length. | The specified total length of the scatter buffers is less than the calculated result length.
73 | Exponent length, module length or data length is not in valid range. | An error occurred because an invalid length range was provided in the exponent, module, or data.
74 | Key_Len != < 16, 24, or 32 bytes. | An error occurred due to an incorrect key length.
75 | TLS1.2 and MAC algorithm is other than MD5, SHA1, SHA256, SHA384, AES-GCM-128, AESGCM-256, or HMAC_Type != NULL, MD5, or SHA1 | An error occurred because an incorrect cipher was passed in TLS1.2 and MAC algorithm.
76 | In TLS1.2, Encrypt type is other than AES-128, AES-256, 3DES, RC4-128 | An invalid encryption type was passed in TLS 1.2.
77 | Leading byte non-zero or Bad padding, or Bad pad type, or Pad too short, or Data too large, or No zero_byte found or Leading byte is non zero. | An error occurred due to possible issues in the leading byte length.
78 | No Authentication and no cipher. | An error occurred because no authentication or cipher was passed.
79 | Cipher type is not supported. | An error occurred due to an unsupported cipher type.
80 | Authentication type is not supported. | An error occurred due to an unsupported authentication type.
81 | Encrypt length is not aligned. | The encrypted length is not aligned correctly.
82 | Authentication error due to bad MAC. | An authentication error occurred due to an invalid MAC record.

83 | ControlWord with Scatter Gather (SG) mode not supported. | An error occurred because an unsupported ControlWord with Scatter Gather (SG) mode was used.
84 | AES_Type != 128, 192 or 256. | An error occurred due to an incorrect value in AES_Type.
85 | ControlWord with other than CBC mode not supported. | An error occurred because an unsupported ControlWord with a mode other than CBC was used.
86 | If DSIV with SSL and TLS1.0. | The DSIV has invalid parameters, SSL and TLS 1.0.

The below section lists the errors reported by the Cavium N5 during the hardware encryption or decryption process.

Sr.No | Error Reason | Description
87 | Crypto request timeout error. | An error occurred because the crypto request timed out.
88 | POM length invalid. | An error occurred due to an invalid POM length.
89 | Invalid record length, length is 0. | An error occurred due to an invalid record length.
90 | Invalid context length: not CTXL=22 words. | An error occurred due to an invalid context length.
91 | Unsupported cipher select: cipher is AESGCM for protocols other than TLS1.2/DTLS1.2. | An error occurred due to an unsupported cipher selection.
92 | MAC_Select > SHA2 for TLS1.0/TLS1.1/DTLS/DTLS1.0 or MAC_Select != SHA384 for AES256-GCM and MAC_Select != SHA256 for AES128-GCM. | An error occurred because an incorrect MAC value was mapped with the cipher.
93 | Unsupported protocol version. | An error occurred due to an unsupported protocol version.
94 | Unsupported verify hash select. Param2 [15:12] is set for protocols other than TLS1.2/DTLS1.2. | The selected hash value could not be verified or is unsupported.
95 | Invalid pre-master secret length: length is other than 4 < PMS < 256 for SSLv3 or 16 < PMS < 256 for TLS/DTLS. | An error occurred due to an invalid pre-master secret key length.

96 | Pad length invalid and MAC miscompare (bad record). | The pad length is invalid, and the MAC record could not be compared in the cipher block.
97 | Invalid pre-master secret length from DPTR. Error is returned when PMS and first block of handshake data (hash block size) are not in the first BMI buffer. | An error occurred due to an invalid pre-master secret key length in the data pointer (DPTR).

The below section lists the errors that occur when OCSP stapling or an OCSP connection takes place.

Sr.No | Error Reason | Description
98 | OCSP stapling, decode error, length mismatch | The response received from the cert status could not be decoded due to a length mismatch.
99 | OCSP stapling, decode error, unsupported status type | The response received from the cert status could not be decoded due to an unsupported status type.
100 | OCSP stapling, lack of memory error | A lack-of-memory error occurred while receiving the cert status response during OCSP stapling.
101 | OCSP stapling, invalid status response, bad certificate status | An invalid cert status response was received during OCSP stapling.
102 | OCSP stapling, SSL get message failed | Failed to get the cert status response during OCSP stapling.
103 | OCSP Revoked | The server cert is revoked.
104 | OCSP connection failed, undefined SVM type or failed to set vwire l2 information | The OCSP connection failed due to an undefined SVM type or a failure to set virtual wire L2 information.
105 | OCSP failed, can not find certificate chain | The OCSP connection failed due to an untrusted self-signed certificate in the chain.
106 | OCSP failed, can not find peer ssl | The OCSP connection failed because the SSL data on the peer channel cannot be found.
107 | OCSP failed, can not malloc for svm_ctx | The OCSP connection failed because the malloc function failed to allocate memory for the data structure which stores SVM information.

108 | OCSP failed, can not find cert key of peer ssl | The OCSP connection failed because the peer SSL could not find the cert key.
109 | Cert Status Unknown | The OCSP failed due to an undefined status.
110 | Unsupported SSL Version | The server reports an incompatible or unsupported SSL/TLS version.
111 | Bypassed by aFlex process | SSLi is bypassed due to the rules set in aFlex scripts. The aFlex bypass process encounters an error.
112 | Bypassed due to failsafe | SSLi is bypassed due to failsafe.
113 | Bypassed by configuration rules | SSLi is bypassed due to configuration rules.

The below section lists the internal error reasons (OpenSSL library) that occur in the client or server template.

Sr.No | Error Reason | Description
114 | app data in handshake | The client has sent close_notify and is expecting a close_notify back from the server, but instead there is application data to be read first.
115 | attempt to reuse session in different context | The client is attempting to reuse the session in a different context.
116 | bad alert record | The SSL certificate has an invalid alert record.
117 | bad authentication type | The SSL certificate has an invalid authentication type.
118 | bad change cipher spec | The SSL certificate has an invalid cipher specification.
119 | bad checksum | The SSL certificate has an invalid checksum or failed checksum verification.
120 | bad data returned by callback | The SSL certificate callback function returned invalid data.
121 | bad decompression | The compressed data could not be decompressed.

122 | bad dh g length | The SSL certificate has an invalid modulus g length in Diffie-Hellman.
123 | bad dh pub key length | The SSL certificate has an invalid public key length in Diffie-Hellman.
124 | bad dh p length | The SSL certificate has an invalid modulus p length in Diffie-Hellman.
125 | bad digest length | The SSL certificate has an invalid MD5 message-digest length.
126 | bad dsa signature | The SSL certificate has an invalid DSA signature.
127 | bad hello request | The SSL certificate has an invalid hello request.
128 | bad length | The SSL certificate has an invalid length.
129 | bad mac decode | The SSL certificate is invalid or the MAC could not be decoded.
130 | bad message type | The SSL certificate has an invalid message type.
131 | bad packet length | The SSL certificate has an invalid packet length.
132 | bad protocol version number | The SSL certificate has an invalid protocol version number.
133 | bad response argument | The SSL certificate has an invalid response argument.
134 | bad rsa decrypt | The SSL certificate has an invalid data exception during RSA decrypt.
135 | bad rsa encrypt | The SSL certificate has an invalid data exception during RSA encrypt.
136 | bad rsa e length | The SSL certificate has an invalid modulus e length in RSA.
137 | bad rsa modulus length | The SSL certificate has an invalid modulus length in RSA.
138 | bad rsa signature | The SSL certificate has an invalid RSA signature.

139 | bad signature | The SSL certificate has an invalid signature.
140 | bad ssl filetype | The SSL certificate has an invalid filetype.
141 | bad ssl session id length | The SSL certificate has an invalid session ID length.
142 | bad state | The SSL certificate has an invalid state.
143 | bad write retry | The SSL_write function failed while sending the response.
144 | bio not set | The size of the memory BIO is not set.
145 | block cipher pad is wrong | The SSL certificate has an incorrect cipher pad.
146 | bn lib | A memory allocation error may have occurred in a BIGNUM (BN) object.
147 | ca dn length mismatch | The CA certificate distinguished name (DN) length mismatched.
148 | ca dn too long | The CA certificate distinguished name (DN) length is too long.
149 | ccs received early | The ChangeCipherSpec (CCS) message was received before the finished function and after the master secret has been generated.
150 | certificate verify failed | The SSL certificate verification failed.
151 | cert length mismatch | The SSL certificate length mismatched.
152 | challenge is different | The SSL certificate challenge password was invalid or different.
153 | cipher code wrong length | The SSL certificate cipher code has an incorrect length.
154 | cipher or hash unavailable | The SSL certificate cipher or hash was unavailable.
155 | cipher table src error | An error occurred in the cipher table source.

156 | compressed length too long | The SSL certificate compressed length was too long.
157 | compression failure | The SSL certificate compression failed.
158 | compression library error | An error occurred in the compression library.
159 | connection id is different | The SSL connection ID was different.
160 | connection type not set | The SSL connection type was not set.
161 | data between ccs and finished | The data between the ChangeCipherSpec (CCS) messages and the finished function may not be encrypted.
162 | data length too long | The SSL certificate or chain length was too long.
163 | decryption failed | The SSL certificate decryption failed.
164 | decryption failed or bad record mac | The SSL certificate decryption failed or it has an invalid MAC record.
165 | dh key too small | The Diffie-Hellman key length was too small.
166 | dh public value length is wrong | The Diffie-Hellman public value length was incorrect.
167 | digest check failed | The SSL certificate digest calculation or check failed.
168 | encrypted length too long | The SSL certificate encrypted length was too long.
169 | error generating tmp rsa key | An error occurred while generating the temporary RSA key.
170 | error in received cipher list | An error occurred in the received cipher list.
171 | excessive message size | Large or excessive packets were exchanged during the SSL handshake.
172 | extra data in message | The message has extra data.
173 | got a fin before a ccs | The finished function occurred before the ChangeCipherSpec (CCS) message was sent.

174 | https proxy request | The HTTP request through the HTTPS proxy failed.
175 | http request | The HTTP request failed.
176 | illegal padding | The certificate serial number may contain illegal extra padding.
177 | inappropriate fallback | An inappropriate fallback occurred due to a downgraded TLS version.
178 | invalid challenge length | The SSL certificate challenge length was invalid.
179 | inconsistent extms | The master key extension was inconsistent.
180 | invalid command | An invalid command was executed from OpenSSL.
181 | invalid purpose | The purpose of the certificate verification was invalid.
182 | invalid status response | The callback status response was invalid.
183 | invalid trust | The trusted certificate is invalid.
184 | key arg too long | The passphrase argument was too long.
185 | krb5 | An error occurred in the Kerberos 5 header file.
186 | krb5 client cc principal (no tkt?) | The Kerberos 5 ticket was unavailable while exchanging the Kerberos principal with the client.
187 | krb5 client get cred | The client credentials could not be authenticated on Kerberos 5.
188 | krb5 client init | The Kerberos 5 client fails to initialize.
189 | krb5 client mk_req (expired tkt?) | The Kerberos 5 client mk_req returns failure.
190 | krb5 server bad ticket | The Kerberos 5 server has an invalid ticket.
191 | krb5 server init | The Kerberos 5 server fails to initialize.
192 | krb5 server rd_req (keytab perms?) | The Kerberos 5 server rd_req returns failure.
193 | krb5 server tkt expired | The Kerberos 5 server ticket has expired.

194 | krb5 server tkt not yet valid | The Kerberos 5 server ticket is not yet valid.
195 | krb5 server tkt skew | The Kerberos 5 server's clock is not within the maximum clock skew.
196 | length mismatch | The certificate length has mismatched.
197 | length too short | The certificate length was too short.
198 | library bug | The Heartbleed security bug was encountered in the OpenSSL cryptography library.
199 | library has no ciphers | The OpenSSL library has no ciphers.
200 | master key too long | The master key length is too long.
201 | message too long | The signature message was too long.
202 | missing dh dsa cert | The Diffie-Hellman DSA certificate was missing.
203 | missing dh key | The Diffie-Hellman key was missing.
204 | missing dh rsa cert | The Diffie-Hellman RSA certificate was missing.
205 | missing dsa signing cert | The DSA signing certificate was missing.
206 | missing export tmp dh key | The export temporary Diffie-Hellman key was missing.
207 | missing export tmp rsa key | The export temporary RSA key was missing.
208 | missing rsa certificate | The RSA certificate was missing.
209 | missing rsa encrypting cert | The RSA encrypting certificate was missing.
210 | missing rsa signing cert | The RSA signing certificate was missing.
211 | missing tmp dh key | The temporary Diffie-Hellman key was missing.
212 | missing tmp rsa key | The temporary RSA key was missing.
213 | missing tmp rsa pkey | The temporary RSA private key was missing.
214 | missing verify message | The verification message was missing.
215 | non sslv2 initial packet | The initial packet is not an SSLv2 protocol packet.

216 | no certificates returned | No certificates were returned during the SSL handshake.
217 | no certificate assigned | No certificate was assigned to the server.
218 | no certificate returned | No certificate was returned during the SSL handshake.
219 | no certificate set | No certificate was set on the server.
220 | no certificate specified | No certificate is specified on the server.
221 | no ciphers available | No ciphers were available during the SSL handshake.
222 | no ciphers passed | No ciphers were passed during the SSL handshake.
223 | no ciphers specified | No ciphers were specified during the SSL handshake.
224 | no cipher list | No cipher list was available during the SSL handshake.
225 | no cipher match | No cipher was matched during the SSL handshake.
226 | no client cert received | No client cert was received during the SSL handshake.
227 | no compression specified | No compression was specified during the SSL handshake.
228 | no method specified | No method was specified during the SSL handshake.
229 | no privatekey | No private key was available in the certificate.
230 | no private key assigned | No private key was assigned in the certificate.
231 | no protocols available | No protocols were available during the SSL handshake.
232 | no publickey | No public key was available in the certificate.
233 | no shared cipher | No shared cipher was available during the SSL handshake.
234 | no verify callback | The callback function was unable to verify the certificate.

235 | null ssl ctx | The SSL_CTX function returned a null value.
236 | null ssl method passed | A null SSL method was passed during the SSL handshake.
237 | old session cipher not returned | The old session cipher was not returned during the SSL handshake.
238 | packet length too long | The packet length was too long.
239 | path too long | The path length was too long.
240 | peer did not return a certificate | The peer server did not return a valid certificate.
241 | peer error | An error occurred on the peer server.
242 | peer error certificate | An error occurred in the peer server certificate.
243 | peer error no certificate | No certificate was available on the peer server.
244 | peer error no cipher | No cipher was available on the peer server.
245 | peer error unsupported certificate type | The peer server certificate type is unsupported.
246 | pre mac length too long | The MAC length is too long before encryption.
247 | problems mapping cipher functions | An error occurred while mapping the cipher functions.
248 | protocol is shutdown | The protocol is shut down during the SSL handshake.
249 | public key encrypt error | An error occurred during public key encryption.
250 | public key is not rsa | The public key is not RSA.
251 | public key not rsa | The public key is not RSA.
252 | read bio not set | The read function is not set in the BIO library.
253 | read wrong packet type | An incorrect packet type was read.
254 | record length mismatch | The length of a data record does not match the length of the current record position.
255 | record too large | The length of a data record is too large.
256 | record too small | The length of a data record is too small.

257 | required cipher missing | The required cipher is missing from the certificate.
258 | reuse cert length not zero | The reused certificate length is non-zero.
259 | reuse cert type not zero | The reused certificate type is non-zero.
260 | reuse cipher list not zero | The reused cipher list is non-zero.
261 | scsv received when renegotiating | The renegotiation_info extension is missing.
262 | session id context uninitialized | The session ID context was not initialized.
263 | short read | An error occurred because the connection ended before the server could send enough data to decode the current message.
264 | signature for non signing certificate | The signature was invalid in the SSL certificate.
265 | ssl23 doing session id reuse | The SSLv23_method is called when it is unclear which protocol to use.
266 | ssl2 connection id too long | The SSLv2_method connection ID is too long.
267 | ssl3 session id too long | The SSLv3_method session ID is too long.
268 | ssl3 session id too short | The SSLv3_method session ID is too short.
269 | ssl3 ext invalid servername | The client received an invalid server name extension.
270 | ssl3 ext invalid servername type | The client received an invalid server name type extension.
271 | sslv3 alert bad certificate | The SSLv3 method alerted an invalid certificate.
272 | sslv3 alert bad record mac | The SSLv3 method alerted an invalid MAC record.
273 | sslv3 alert certificate expired | The SSLv3 method alerted an expired certificate.
274 | sslv3 alert certificate revoked | The SSLv3 method alerted that the certificate is revoked.
275 | sslv3 alert certificate unknown | The SSLv3 method alerted that the certificate is unknown.

276 | sslv3 alert decompression failure | The SSLv3 method alerted a failure during decompression.
277 | sslv3 alert handshake failure | The SSLv3 method alerted a failure during the SSL handshake.
278 | sslv3 alert illegal parameter | The SSLv3 method alerted an illegal parameter in the certificate.
279 | sslv3 alert no certificate | The SSLv3 method alerted no certificate.
280 | sslv3 alert peer error certificate | The SSLv3 method alerted an error in the peer server certificate.
281 | sslv3 alert peer error no certificate | The SSLv3 method alerted no certificate on the peer server.
282 | sslv3 alert peer error no cipher | The SSLv3 method alerted no cipher in the peer server certificate.
283 | sslv3 alert peer error unsupported certificate type | The SSLv3 method alerted an unsupported certificate type on the peer server.
284 | sslv3 alert unexpected message | The SSLv3 method alerted an unexpected message.
285 | sslv3 alert unknown remote error type | The SSLv3 method alerted an unknown remote error type.
286 | sslv3 alert unsupported certificate | The SSLv3 method alerted an unsupported certificate.
287 | ssl ctx has no default ssl version | The SSL_CTX methods do not have a default SSL version.
288 | ssl handshake failure | The SSL handshake failed.
289 | ssl library has no ciphers | The SSL library has no ciphers.
290 | ssl session id callback failed | The callback function failed to retrieve the SSL session ID.
291 | ssl session id conflict | The SSL session ID conflicts with the original session ID.
292 | ssl session id context too long | The SSL session ID context is too long.

293 | ssl session id has bad length | The SSL session ID has an invalid length.
294 | ssl session id is different | The server returned a different SSL session ID.
295 | tlsv1 alert access denied | The TLSv1 method alerted access denied due to a certificate authentication failure.
296 | tlsv1 alert decode error | The TLSv1 method alerted a decode error because some field was out of the specified range, or the length of the message was incorrect.
297 | tlsv1 alert decryption failed | The TLSv1 method alerted decryption failed when the TLS ciphertext record decrypted in an invalid way.
298 | tlsv1 alert decrypt error | The TLSv1 method alerted decryption failed because some field was out of the specified range, or the length of the message was incorrect.
299 | tlsv1 alert export restriction | The TLSv1 method alerted an export restriction because it detected a negotiation that was not in compliance with export restrictions.
300 | tlsv1 alert insufficient security | The TLSv1 method alerted insufficient security.
301 | tlsv1 alert internal error | The TLSv1 method alerted an internal error.
302 | tlsv1 alert no renegotiation | The TLSv1 method alerted no renegotiation in response to a hello request sent by the server or client after the initial handshake.
303 | tlsv1 alert protocol version | The TLSv1 method alerted an unsupported or unrecognized protocol version.
304 | tlsv1 alert record overflow | The TLSv1 method alerted a record overflow.
305 | tlsv1 alert unknown ca | The TLSv1 method alerted an unknown CA certificate.
306 | tlsv1 alert user cancelled | The TLSv1 method alerted when the handshake is cancelled due to an unrelated protocol failure.
307 | tls client cert req with anon cipher | When creating an SSL connection using the ossl stream driver, a client certificate is required.

308 | tls peer did not respond with certificate list | The peer server did not respond with the certificate list.
309 | tls rsa encrypted value length is wrong | The RSA encrypted value length is incorrect.
310 | tried to use unsupported cipher | The cipher does not support the TLS version.
311 | unable to decode dh certs | The SSL handshake failed because the Diffie-Hellman certificate could not be decoded.
312 | unable to extract public key | The SSL handshake failed because the public key cannot be extracted from the certificate.
313 | unable to find dh parameters | The SSL handshake failed because the Diffie-Hellman parameters in the certificate were not found.
314 | unable to find public key parameters | The SSL handshake failed because the public key parameters in the certificate could not be found.
315 | unable to find ssl method | The SSL handshake failed because the SSL encryption method could not be found.
316 | unable to load ssl2 md5 routines | The SSL handshake failed because the SSL2 and MD5 routines could not be loaded.
317 | unable to load ssl3 md5 routines | The SSL handshake failed because the SSL3 and MD5 routines could not be loaded.
318 | unable to load ssl3 sha1 routines | The SSL handshake failed because the SSL3 and SHA1 routines could not be loaded.
319 | unexpected message | The SSL handshake failed due to an unexpected message.
320 | unexpected record | The SSL handshake failed due to an unexpected record.
321 | uninitialized | The SSL handshake was unable to initialize.
322 | unknown alert type | The SSL handshake failed due to an unknown alert type.
323 | unknown certificate type | The SSL handshake failed due to an unknown certificate type.

324 | unknown cipher returned | The SSL handshake failed due to an unknown cipher being returned.
325 | unknown cipher type | The SSL handshake failed due to an unknown cipher type.
326 | unknown key exchange type | The SSL handshake failed due to an unknown key exchange type.
327 | unknown pkey type | The SSL handshake failed due to an unknown pkey type.
328 | unknown protocol | The SSL handshake failed due to an unknown protocol.
329 | unknown remote error type | The SSL handshake failed due to an unknown error from the TLS client.
330 | unknown ssl version | The SSL handshake failed due to an unknown SSL version.
331 | unknown state | The SSL handshake failed due to an unknown state.
332 | unsupported cipher | The SSL handshake failed due to an unsupported cipher.
333 | unsupported compression algorithm | The SSL handshake failed due to an unsupported compression algorithm.
334 | unsupported option | The SSL handshake failed due to an unsupported option.
335 | unsupported protocol | The SSL handshake failed due to an unsupported protocol.
336 | unsupported ssl version | The SSL handshake failed due to an unsupported SSL version.
337 | unsupported status type | The SSL handshake failed due to an unsupported verification status type.
338 | write bio not set | The write function is not set in the BIO library.

339  wrong cipher returned: The SSL handshake failed because an incorrect cipher was returned.
340  wrong message type: The SSL handshake failed due to an incorrect message type.
341  wrong number of key bits: The SSL handshake failed due to an incorrect number of key bits.
342  wrong signature length: The SSL handshake failed due to an incorrect signature length.
343  wrong signature size: The SSL handshake failed due to an incorrect signature size.
344  wrong ssl version: The SSL handshake failed due to an incorrect SSL version.
345  wrong version number: The SSL handshake failed due to an incorrect SSL version number.
346  x509 lib: An error occurred in the x509 library.
347  x509 verification setup problems: An error occurred while verifying the x509 certificate.
348  clienthello tlsext: The ClientHello does not contain the supported point formats extension.
349  parse tlsext: The client was unable to parse the ServerHello point formats extension.
350  serverhello tlsext: The ServerHello does not contain the supported point formats extension.
351  too many warn alerts: An error occurred because too many warning alerts were received.

Examples

An example CEF error log is shown below. The error reason (from the table above) is reported in the cs7 field.

438
Chapter 20: Error Logging
ACOS 5.2.1-P3 SSL Insight (SSLi) Configuration Guide Feedback

CEF Error Log

May 4 02:07:41 AX1030 CEF:0|A10|CFW|5.3.0-d|SSLi 486706518616440835|SSL Inspection Failed|5|src=172.16.1.95 dst=23.185.0.3 spt=40434 dpt=443 act=bypassed dhost=a10networks.com cs1=in_vip_wild cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs6=OCSP_UNKNOWN cs6Label=Certificate Validity status cs7=OCSP connection failed, undefined SVM type or failed to set vwire l2 information cs7Label=Error type cn1=443 cn1Label=VIP port cn2=6 cn2Label=Log ID cs10=a10networks.com cs10Label=subject_dn cs11-
1=043eea65632b57091509370b6c86c3dcd199 cs11Label=serial_num

Generic Failure Logs


The ACOS_decrypt device in an SSLi configuration generates a system log if SSLi fails. The log includes the SNI, the IP address of the outside server that the client was attempting to connect to, and the reason for the failure.

- An SSL log is generated if the ACOS_decrypt device cannot retrieve the server certificate during the SSL handshake with the client.
- SSL Insight can also fail for other reasons, such as an SSLi bypass or an abrupt connection closure (server FIN) caused by a malformed packet, among others.
- SSLi failure log messages are only seen on the inside ACOS device.

The SSLi failure logs use the same error reasons as those listed in the Failure Event Error Reasons table.

NOTE: No CLI configurations are required to turn logging on or off.

SSLi Bypass Logs

The following example shows logs generated when the SSLi is bypassed or otherwise fails. A client auth bypass is treated as a handshake failure:

ACOS-Inside# show log | include SSL intercept failed
...
Nov 10 2016 16:02:03 Info [SYSTEM]:SSL intercept failed. server (null) (Src port: 43461 Src IP: 61.61.61.61 Dst port: 47873 Dst IP: 51.51.51.51) reason: Can't verify Cert - Decrypted
...

SSL CA Verification Failure Logs

The following example shows a log generated when the outside server's certificate fails verification:

ACOS# show log | include CA Verification Failed

Nov 10 2016 16:02:03 Info [SSL]:SSL Server CA Verification Failed with Host Name: (null) and Destination IP: 51.51.51.51

Example
In this example, "SSLVerifyClient require" and "SSLVerifyDepth 10" are set in the Apache ssl.conf on the server. The following log shows an SSLi failure when retrieving the certificate because no client-side authentication has been configured.

As a result, the following log is generated:

ACOS# show log
Log Buffer: 30000
Aug 08 2016 11:44:23 Info [SYSTEM]:<l3v1> SSL intercept failed, server example.com (ip 10.10.10.101) reason: Crypto Error – bypassed
ACOS#

Additional Failure Logs


[SYSTEM]:SSL intercept failed, server vast.bp3871200.btrll.com (ip Src port: 53161 Src IP: 172.17.20.242 Dst port: 443 Dst IP: 162.208.20.178) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: vast.bp3871200.btrll.com and Destination IP: 162.208.20.178
Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server vast.bp3862928.btrll.com (ip Src port: 53149 Src IP: 172.17.20.242 Dst port: 443 Dst IP: 162.208.20.178) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: vast.bp3862928.btrll.com and Destination IP: 162.208.20.178
Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server (null) (ip Src port: 53018 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.253) reason: Unknown - Bypass
Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server settings-win.data.microsoft.com (ip Src port: 53017 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.253) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: settings-win.data.microsoft.com and Destination IP: 64.4.54.253

Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server settings-win.data.microsoft.com (ip Src port: 56019 Src IP: 172.17.3.165 Dst port: 443 Dst IP: 64.4.54.253) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: settings-win.data.microsoft.com and Destination IP: 64.4.54.253
Feb 10 2017 18:16:19 Info [SYSTEM]:SSL intercept failed, server (null) (ip Src port: 53016 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.254) reason: Unknown - Bypass
Feb 10 2017 18:16:19 Info [SYSTEM]:SSL intercept failed, server vortex-win.data.microsoft.com (ip Src port: 53015 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.254) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:19 Info [SSL]:SSL Server CA Verification Failed with Host Name: vortex-win.data.microsoft.com and Destination IP: 64.4.54.254
Feb 10 2017 18:16:07 Info [SYSTEM]:SSL intercept failed, server (null) (ip Src port: 51633 Src IP: 172.17.1.245 Dst port: 443 Dst IP: 40.77.228.92) reason: Unknown - Bypass
Feb 10 2017 18:16:07 Info [SYSTEM]:SSL intercept failed, server watson.telemetry.microsoft.com (ip Src port: 51632 Src IP: 172.17.1.245 Dst port: 443 Dst IP: 40.77.228.92) reason: Can't verify Cert - Rejected
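A parser for the two failure-log formats shown in this chapter, the CEF record (error reason in cs7) and the "SSL intercept failed" syslog line from the inside device, added here as an example; it is not A10 code, and the sample lines are constructed from the formats above, not real captures.

```python
import re
# Constructed sample lines modelled on the formats in this chapter (CEF record, intercept-failed syslog); not real captures.
CEF_LINE = (
    "May 4 02:07:41 AX1030 CEF:0|A10|CFW|5.3.0-d|SSLi 486706518616440835|SSL Inspection Failed|5|"
    "src=172.16.1.95 dst=23.185.0.3 spt=40434 dpt=443 act=bypassed dhost=a10networks.com "
    "cs3=TLSv1.2 cs3Label=SSL version cs7=OCSP connection failed cs7Label=Error type cn1=443 cn1Label=VIP port"
)
SYSLOG_LINES = [
    "Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server settings-win.data.microsoft.com "
    "(ip Src port: 53017 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.253) reason: Can't verify Cert - Rejected",
    "Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server (null) (ip Src port: 53018 "
    "Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.253) reason: Unknown - Bypass",
    "Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: "
    "settings-win.data.microsoft.com and Destination IP: 64.4.54.253",
]
CEF_HEADER = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")

def parse_cef(line):
    """Return the 7 CEF header fields plus "ext", a dict of the key=value extension pairs.
    Custom fields (cs7, cn1, ...) are also exposed under their csNLabel/cnNLabel names, so the
    SSLi error reason from the table above is reachable as ext["Error type"]."""
    parts = line.partition("CEF:")[2].split("|", 7)
    ext = {}
    # Extension values may contain spaces, so split only where the next "key=" token begins.
    for token in re.split(r"\s+(?=[A-Za-z0-9]+=)", parts[7].strip() if len(parts) > 7 else ""):
        key, _, value = token.partition("=")
        ext[key] = value
    for key, label in [(k[:-5], v) for k, v in ext.items() if k.endswith("Label")]:
        if key in ext:
            ext[label] = ext[key]
    return {**dict(zip(CEF_HEADER, parts[:7])), "ext": ext}

INTERCEPT_RE = re.compile(
    r"SSL intercept failed[.,]? server (?P<sni>\S+) \((?:ip )?Src port: (?P<spt>\d+) Src IP: "
    r"(?P<src>[\d.]+) Dst port: (?P<dpt>\d+) Dst IP: (?P<dst>[\d.]+)\) reason: (?P<reason>.+)$"
)

def parse_intercept_failure(line):
    """Parse one "SSL intercept failed" line from the inside ACOS device; None for other lines
    (e.g. the companion "CA Verification Failed" message, which carries no flow tuple)."""
    m = INTERCEPT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sni"] = None if rec["sni"] == "(null)" else rec["sni"]  # "(null)": no SNI was seen
    # "Rejected": the connection was dropped. "Bypass"/"bypassed": it was passed through uninspected, the outcome to alert on.
    tail = rec["reason"].rsplit(" - ", 1)[-1].lower()
    rec["outcome"] = "bypassed" if tail.startswith("bypass") else ("rejected" if tail == "rejected" else "other")
    return rec
```

The older single-IP form shown in the 2016 example above ("server example.com (ip 10.10.10.101) reason: ...") does not match INTERCEPT_RE and returns None.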

Event-based Logging
ACOS supports sending SSLi event logs over the ACOS event-based logging infrastructure. This provides a centralized logging infrastructure in which applications generate and send logs through a common interface.

For instructions on implementing event-based logging, refer to the 'Event Logging System' section in the System Configuration and Administration Guide and the Event Logging Guide.

Glossary

B

bypass
A go-around functionality, where a specific action is performed via an external or alternative route instead of the intended route. In network security, a bypass is defined as a security system flaw that allows attackers access to a network by circumventing the security mechanism.

D

DNS
Domain Name System. A hierarchical model and decentralized naming system that identifies computers, resources and network-based services over a private network or the Internet. It specifies information on web domain names associated with respective entities.

DSR
Direct Server Return. A load balancing mode where packets are routed to the backend server by modifying only the destination MAC address.

F

failover
A backup operational mode that allows the functions of a system component such as a network, server or database to be assumed by secondary components in instances when the primary components are unavailable due to failure or downtime.

G

gateway
A hardware device such as a firewall, router, or server, that acts as a gate between two networks and allows the inward and outward flow of traffic among the networks. It secures the nodes within a network and also serves as a node itself.

H

HTML
Hypertext Markup Language. The standard markup language developed for displaying documents in a web browser.

HTTP
HyperText Transfer Protocol. An underlying web protocol that defines the way messages can be formatted and sent, and the actions to be taken by web servers and browsers for responding to multiple commands.

I

IPv4
The fourth version of the Internet Protocol, used as a core protocol in standardized internetworking methods over the Internet and packet-switched networks.

L

L3
A Network Layer, the third layer in the seven-layered OSI reference model, used for routing traffic and forwarding packets across intermediate routers.

L4
A Transport Layer, the fourth layer of the seven-layered OSI reference model, used for establishing host-to-host communications for applications.

load balancing
The process of distributing a set of tasks over a set of resources for making their overall processing more efficient and improving the performance.

P

packet flow
A sequence of packets sent from a source to a destination over packet-switching networks, across a host, a broadcast domain, or a multicast group.

S

service-group
A group of one or more services linked together for making object configurations simple.

SIP
Session Initiation Protocol. A signaling protocol that initiates, maintains, and ends real-time voice, video and messaging sessions of applications.

SMPP
Short Message Peer-to-Peer. A standardized protocol that provides scalable data communication interfaces for short message data transmissions between ESME, message centres, and routing entities.

source NAT pool
A pool of source NAT protocols used when an internal host begins a session with an external host and a dual NAT without using the switch IP.

SPDY
Speedy. A deprecated and open-spec networking protocol, developed by Google, which transports web content and manages HTTP traffic at a high speed by lowering webpage load latency and boosting web security.

subnet
An IP network subdivision.

T

TCP
Transmission Control Protocol. Key part of the main IP suite protocols used during initial network implementation.

TLS
Transport Layer Security. A cryptographic protocol that provides data transport and communications security over a network.

U

UDP
User Datagram Protocol. An alternative to TCP, used for setting up connections with low latency and loss tolerance between internet applications.

URL
Uniform Resource Locator. A web address that works as a reference to specify the location of a web resource on a computer network and also runs a mechanism for its retrieval.

V

VIP
Virtual Internet Protocol. An IP address which does not correspond to any real physical network interface but is used for mobility, network address translation, and fault-tolerance.

virtual port
An emulation or virtualization of a hardware port.

VLAN
Virtual Local Area Network. A LAN broadcast domain which is separated and isolated at the data link layer in a network.
