A10 5.0.0-P1 SSLi

The document is a configuration guide for SSL Insight (SSLi) for A10 Thunder Series, detailing its architecture, features, and deployment options. It includes step-by-step instructions for configuring SSLi in various scenarios, such as outbound static port type HTTPS and dynamic-port SSLi. Additionally, it covers environmental considerations, patent information, and confidentiality notices related to A10 Networks products.


ACOS 5.0.0-P1
SSL Insight (SSLi) Configuration Guide
for A10 Thunder® Series
18 May 2020
© 2019 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY - ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks' products and services are subject to A10 Networks' standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.
Table of Contents

SSL Insight Introduction ............................................................................................................ 13


SSLi Overview .......................................................................................................................13
SSLi Architecture and Workflow..........................................................................................14
SSLi Features........................................................................................................................16
SSLi Limitations....................................................................................................................16
SSLi Terminology .................................................................................................................16
Real Server .................................................................................................................................................. 17
Virtual Server and Virtual IP (VIP) ........................................................................................................... 17
Wildcard VIPs, Ports, Virtual Ports, and ACL ........................................................................................ 17
Service Groups ........................................................................................................................................... 18
ACOS_decrypt and ACOS_encrypt Partition or Device ....................................................................... 19
CA Certificates for SSLi and Certificate Chaining...............................................................19
SSLi Workflow for New and Revisited Websites.................................................................21
SSLi Requirements for vThunder.........................................................................................23

SSL Insight Deployments and Topologies .................................................................................. 25


Single ACOS Device with One Partition Deployment..........................................................25
Features for Single ACOS Device with One Partition .......................................................................... 26
Single ACOS Device with Two Partitions Deployment .......................................................27
Features for Single ACOS Device with Two Partitions ....................................................................... 28
Two ACOS Devices, Each with One Partition Deployment .................................................29
Features for Two ACOS Devices, Each With One Partition ............................................................... 30
SSLi Topologies....................................................................................................................31
SSLi in L2 Mode .......................................................................................................................................... 31
SSLi in L3 Mode .......................................................................................................................................... 33

SSLi for Outbound Static Port Type HTTPS ................................................................................ 37


Prerequisites for Configuring SSLi ......................................................................................37
Outbound SSLi with Static Port Type HTTPS—Two ACOS Devices Each With a Single Partition ......................................................................................................................38
SSLi Configuration for Two ACOS Devices Each With a Single Partition (CLI).................40
Configuration for ACOS_decrypt (CLI) ................................................................................................... 40
Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt) ............................................. 40
Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt) ................................. 41
Step 3. Configuring the SSLi Services (CLI for ACOS_decrypt) ................................................. 41
Step 4. Configuring the SSLi Service Groups (CLI for ACOS_decrypt) ..................................... 42
Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt) ................................................. 42
Configuration for ACOS_encrypt (CLI) ................................................................................................... 44

page 3
ACOS 5.0.0-P1 SSL Insight (SSLi) Configuration Guide
Contents

Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt) ............................................. 44


Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt) ................................. 44
Step 3. Configuring the SSLi Services (CLI for ACOS_encrypt) ................................................. 45
Step 4. Configuring the SSLi Service Groups (CLI for ACOS_encrypt) ..................................... 45
Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt) ................................................. 46
Configuring L2 SSLi on FTA-enabled ACOS Devices ........................................................................... 47
Consolidated Configuration for Outbound SSLi with Static Port Type HTTPS ............................. 47
Checking the Status and Operation of the Configuration Example ................................................. 50
SSLi Configuration for Two ACOS Devices Each With a Single Partition (GUI) ................52
Configuration for ACOS_decrypt (GUI) .................................................................................................. 52
Step 1. Configuring the Network VLANs (GUI for ACOS_decrypt) ............................................ 52
Step 2. Configuring the Network IP Addresses (GUI for ACOS_decrypt) ................................. 53
Step 3. Creating an Access List (GUI for ACOS_decrypt) ........................................................... 53
Step 4. Configuring the SSLi Service (GUI for ACOS_decrypt) ................................................... 53
Step 5. Configuring the Real Server (GUI for ACOS_decrypt) .................................................... 54
Step 6. Creating the Service Group and its Members (GUI for ACOS_decrypt) ...................... 55
Step 7. Creating the Virtual Server (GUI for ACOS_decrypt) ....................................................... 56
Configuration for ACOS_encrypt (GUI) .................................................................................................. 58
Outbound SSLi with Static Port Type HTTPS—Single ACOS Device With Two Partitions ...60
SSLi Configuration for a Single ACOS Device Two Partition SSLi Deployment (CLI) ................... 60
SSLi Configuration for a Single Device Two Partition SSLi Deployment (GUI) .............................. 60
Outbound SSLi with Static Port Type HTTPS—Single vThunder Device With Two Partitions.......................................................................................................................61

SSLi for Outbound Static Port Type STARTTLS .......................................................................... 63


Outbound SSLi with Static Port Type STARTTLS—Two ACOS Devices Each With a Single Partition.................................................................................................................63
SSLi Configuration for a Two-Device Deployment, Each With a Single Partition .............65
Configuration for ACOS_decrypt (CLI) ................................................................................................... 65
Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt) ............................................. 65
Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt) ................................. 66
Step 3. Configuring the SSLi Services (CLI for ACOS_decrypt) ................................................. 66
Step 4. Configuring the SSLi Service Groups (CLI for ACOS_decrypt) ..................................... 68
Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt) ................................................. 68
Configuration for ACOS_encrypt (CLI) ................................................................................................... 69
Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt) ............................................. 69
Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt) ................................. 70
Step 3. Configuring the SSLi Services (CLI for ACOS_encrypt) ................................................. 70
Step 4. Configuring the SSLi Service Groups (CLI for ACOS_encrypt) ..................................... 71
Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt) ................................................. 72
Consolidated Configuration for Outbound SSLi with Static Port Type STARTTLS ..........73

SSLi for Inbound Static-Port Type HTTPS .................................................................................. 79


Example Configuration.........................................................................................................79
Topology of the Example ......................................................................................................................... 80

Configuration Steps..............................................................................................................80
Configure the External Inbound ACOS device ...................................................................................... 80
Configure the Internal Inbound ACOS device ....................................................................................... 85

Dynamic-Port SSLi ..................................................................................................................... 91


Dynamic-Port SSLi Overview ...............................................................................................91
Configuring ACOS_Decrypt Virtual Server and Service Groups ........................................................ 92
Configuring ACOS_encrypt Virtual Server and Service Groups ........................................................ 92
Configuration Logic ................................................................................................................................... 92
Example Configuration: Dynamic-Port SSLi........................................................................93
Configuration Instructions ....................................................................................................................... 95
Reference Configuration for DSCP Dynamic-Port SSLi ..................................................................... 99
Dynamic Port Inspection Based on DSCP........................................................................ 103
Single-Device Double-Partition SSLi Configuration with DSCP ......................................................103
Traffic Flows for the Sample Deployment ..........................................................................................104
Initial Configuration (CLI) .......................................................................................................................105
Configuring the ACOS_decrypt Partition (CLI) ...................................................................................105
Configuring the Default VLAN (CLI) ...............................................................................................106
Configuring the ACL (CLI) ................................................................................................................106
Configuring Network IP Addresses for Untagged VLANs (CLI) ...............................................106
Configuring the Security Device (CLI) ...........................................................................................107
Configuring the SSLi Services for ACOS_decrypt Partition (CLI) ............................................108
Configuring Handling of Incoming Traffic (CLI) ..........................................................................108
Configuring the ACOS_encrypt Partition (CLI) ...................................................................................109
Configuring the ACL (CLI) ................................................................................................................109
Configuring the Default VLAN (CLI) ...............................................................................................109
Configuring Network IP Addresses for the VLAN (CLI) .............................................................110
Configuring the Security Device (CLI) ...........................................................................................110
Configuring the SSLi Services for ACOS_encrypt Partition (CLI) ............................................111
Configuring Handling of Outgoing Traffic (CLI) ..........................................................................111
Consolidated Configuration for Dynamic Port Inspection Based on DSCP .................................111
Related Information........................................................................................................... 115

SSLi in a Single Partition Deployment ...................................................................................... 117


Overview of Single Partition Deployment......................................................................... 117
Architecture of Single Partition Deployment ......................................................................................117
Types of Single Partition Deployment .................................................................................................119
L2 Deployment with Tagged VLANs................................................................................. 119
Configuration for Tagged VLANs by Using the CLI ...........................................................................120
Initial Configuration by using CLI ...................................................................................................120
Configuring the Network VLANs (CLI) ..........................................................................................121
Configuring the SSLi Services (CLI) .............................................................................................. 122
Configuring Network IP Addresses (CLI) .....................................................................................123
Configuring the Security Device (CLI) ...........................................................................................124
Configuring Handling of Incoming Traffic (CLI) ..........................................................................125
Configuring Handling of Outgoing Traffic (CLI) ..........................................................................126

Consolidated Configuration for Single Partition with Tagged VLANs (CLI) ..........................127
Configuration for Tagged VLANs by Using the GUI ..........................................................................132
Configuring the Network VLANs (GUI) .........................................................................................132
Configuring the SSLi Services (GUI) ..............................................................................................133
Configuring the VIPs (GUI) ..............................................................................................................137
Configuring the Security Device (GUI) ..........................................................................................138
Configuring Handling of Incoming Traffic (GUI) .........................................................................139
Configuring Handling of Outgoing Traffic (GUI) .........................................................................140
L2 Deployment with Untagged VLANs ............................................................................. 142
Initial Configuration for Untagged VLANs by using CLI ............................................................ 143
Configuring the Default VLAN (CLI) ...............................................................................................143
Configuring the SSLi services for Untagged VLANs (CLI) ........................................................144
Configuring Network IP Addresses for Untagged VLANs (CLI) ...............................................146
Configuring the Security Device for Untagged VLANs (CLI) ....................................................146
Configuring Handling of Incoming Traffic for Untagged VLANs (CLI) ...................................147
Configuring Handling of Outgoing Traffic for Untagged VLAN (CLI) ......................................148
Consolidated Configuration for Single Partition with Untagged VLANs (CLI) ......................149

SSH Insight .............................................................................................................................. 155


Configuring RSA Keys ...................................................................................................... 155
Generating a Key using Remote Client ................................................................................................156
Generating a Key using Windows .........................................................................................................156
Importing the Key to ACOS Device .......................................................................................................158
SSHi Deployment Overview .............................................................................................. 159
SSHi Deployment Example ............................................................................................... 160
SSHi Configuration for a Two-Device Deployment, Each With a Single Partition .......................162
Configuration for ACOS_decrypt (CLI) ..........................................................................................162
Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt) ........................................... 162
Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt) ...............................163
Step 3. Configuring the SSHi Services (CLI for ACOS_decrypt) ...............................................163
Step 4. Configuring the SSHi Service Groups (CLI for ACOS_decrypt) ..................................164
Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt) ...............................................164
Configuration for ACOS_encrypt (CLI) .................................................................................................165
Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt) ........................................... 165
Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt) ...............................165
Step 3. Configuring the SSLi Services (CLI for ACOS_encrypt) ...............................................166
Step 4. Configuring the SSH Service Groups (CLI for ACOS_encrypt) ...................................166
Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt) ...............................................167
Consolidated Configuration for Static Port Type SSH .................................................... 168
Related Information........................................................................................................... 170

SSL Insight with IPv6 for Single ACOS Device with Two Partitions ........................................... 171
Prerequisites for Configuring Single Device SSLi for IPv6.............................................. 171
SSLi for IPv6 Deployment Overview ................................................................................. 172
SSLi IPv6 Configuration for a Single ACOS Device with Two Partitions ........................ 173

Configuration for SSLi_inside (CLI) ......................................................................................................174


Step 1. Configuring the Network VLANs (CLI for SSLi_inside) ................................................174
Step 2. Configuring the Network IP Addresses (CLI for SSLi_inside) .....................................175
Step 3. Configuring the SSLi Services (CLI for SSLi_inside) .....................................................175
Step 4. Configuring the SSLi Service Groups (CLI for SSLi_inside) ........................................ 176
Step 5. Configuring the Virtual Server (CLI for SSLi_inside) ..................................................... 177
Configuration for SSLi_outside (CLI) ....................................................................................................178
Step 1. Configuring the Network VLANs (CLI for SSLi_outside) ..............................................178
Step 2. Configuring the Network IP Addresses (CLI for SSLi_outside) ..................................179
Step 3. Configuring the SSLi Services (CLI for SSLi_outside) ..................................................179
Step 4. Configuring the SSLi Service Groups (CLI for SSLi_outside) ...................................... 179
Step 5. Configuring the Virtual Server (CLI for SSLi_outside) ..................................................180
Consolidated Configuration for IPv6 SSLi........................................................................ 181
Consolidated Configuration for SSLi_Inside .......................................................................................181
Consolidated Configuration for SSLi_Outside ....................................................................................184
Configuring the SSLi_Inside and SSLi_Outside in the GUI .............................................. 186

SSLi Inspect, Bypass, and Exception Lists ............................................................................... 189


SSLi Traffic Inspection Based on SNI and Server Certificate ......................................... 190
SSLi Traffic Bypass Based on User Name and Group Name.......................................... 190
Priority of Rules for SSLi ................................................................................................... 192
CLI Options for SSLi Bypass and Inspect ........................................................................ 195
Converting an SNI List to an AC Class List (CLI) ............................................................. 196
Configuring Rules for SSLi Inspect and Bypass (GUI) .................................................... 197
Creating a Class List (GUI) .....................................................................................................................199
Importing a Class List (GUI) ...................................................................................................................199
Configuring Rules for SSLi Inspect and Bypass (CLI) ..................................................... 200
Creating a Class List (CLI) ......................................................................................................................202
Importing a Class List (CLI) ...................................................................................................................203
Showing the System Resource Usage of SNI-Based Bypassing (CLI) .........................................203
SSLi Bypass for "no shared cipher" Error ......................................................................... 204
Configuring SSLi Bypass for “no shared cipher” Error (CLI) ............................................................204
Configuring SSLi Bypass for “no shared cipher” Error (GUI) ...........................................................204
Consolidated Client-SSL Templates for SSLi Bypass...................................................... 205
Example Configuration of SSLi Bypass and “no-shared-cipher” Error ..........................................205
Example Configuration of AAM, User Name, AD Group, Explicit Proxy, and SSLi ......................205
Example Configuration of AAM, User Name, AD Group Name, Transparent Proxy, and SSLi .207

Web Category ........................................................................................................................... 209


Installing Web Category .................................................................................................... 209
Step 1: Installing the Web Category License ......................................................................................209
Step 2: Verifying the Web Category License Installation .................................................................210
Step 3: Activating the Web Category License ....................................................................................211
Step 4: Verifying the Web Category Library ........................................................................................211
Step 5: Checking Web Category License Status and Expiration ....................................................211

Using a Proxy Server for BrightCloud Servers ................................................................. 212


Web Category Filtering for SSLi Bypass .......................................................................... 213
Configuring Web Category Filtering for SSLi Bypass .......................................................................213
ACOS_decrypt Configuration Instructions ...................................................................................214
Consolidated Configuration for ACOS_decrypt ...........................................................................217
SSLi ACOS_encrypt Configuration Instructions ................................................................................220
Verification of the Basic Example Operation ......................................................................................220
Deleting or Re-importing the Database ...............................................................................................222
Troubleshooting .......................................................................................................................................222
Logging for Web Category .....................................................................................................................223
Configuration Options with BrightCloud Servers ..............................................................................224
Web Category Lookup Enforcement................................................................................. 225
Implementing Web Category Lookup Enforcement for URL Filtering ..........................................225
Implementing Web Category Lookup Enforcement for Web Category Based SSLi Bypass ....225
Related Information........................................................................................................... 226

URL Filtering ............................................................................................................................ 227


Forward Policy Actions ..................................................................................................... 227
SSLi Forward Policy Example Configuration Using the CLI ............................................................228
SSLi Forward Policy Example Configuration Using the GUI ...........................................................229
SSLi Bypass and URL Filtering Example .......................................................................... 229
Related Information........................................................................................................... 232

Client Authentication Bypass ................................................................................................... 233


Bypassing Client Authentication Overview ...................................................................... 233
Message Sequence .................................................................................................................................233
Bypass Configuration........................................................................................................ 234
CLI SNI Bypass Configuration Instructions ........................................................................................234
GUI SNI Bypass Configuration Instructions .......................................................................................235
Example Configuration for Bypassing SSLi for Client Authentication Traffic .............................235
Show Running-Config of the ACOS_decrypt ...............................................................................235
Show Running-Config of the Outside ACOS device ...................................................................237
Troubleshooting Bypassing SSLi for Client Authentication Traffic Configuration ..............239
Related Information........................................................................................................... 240

Explicit and Transparent Proxy ................................................................................................ 241


Overview of Explicit and Transparent Proxy .................................................................... 241
Explicit Proxy with Static-Port SSLi on the Same VIP ..................................................... 241
Configuring ACOS_decrypt for Explicit Proxy .....................................................................................243
Configuring ACOS_encrypt for Explicit Proxy .....................................................................................244
Verifying the Configuration for Explicit Proxy .................................................................................... 244
Consolidated Configuration for Explicit Proxy and SSLi on the Same VIP ..................................246
Drop and Drop-Redirect-URL Message Responses for HTTPS Traffic in Explicit Proxy 250
Key ACOS_Decrypt Configuration for Drop and Drop-Redirect-URL .............................................250
Consolidated Configuration for ACOS_decrypt .................................................................................252

page 8
ACOS 5.0.0-P1 SSL Insight (SSLi) Configuration Guide
Contents

Drop and Drop-Redirect-URL Priorities ................................................................................................254


Proxy Chaining SSLi Overview .......................................................................................... 254
Guidelines for Configuring Explicit Proxy and SSLi Proxy Chaining ..............................................255
Guidelines for Configuring Transparent Proxy and SSLi Proxy Chaining .....................................255
Configuring SSLi Proxy Chaining for Explicit and Transparent Proxy ...........................................255
ACOS_decrypt CLI configuration ...................................................................................................256
ACOS_encrypt CLI configuration ...................................................................................................257
AAM for Transparent Proxy for SSLi ................................................................................ 258
Configuring AAM for Transparent Proxy for SSLi............................................................ 259
Authentication Flow for HTTP-authenticate Logon ..........................................................................262
AAM Support...................................................................................................................... 263
Decrypt_VIP Support ...............................................................................................................................263
Forward-Policy JWT (JSON Web Token) Authorization ...................................................................263
Related Information........................................................................................................... 263

SSLi Sessions with ICAP Services ............................................................................................ 265


ICAP Applications.............................................................................................................. 265
ICAP Overview.................................................................................................................... 265
ICAP REQMOD Message Exchange ..............................................................................................266
How ACOS Processes REQMOD Configuration Options ..........................................................267
ICAP RESPMOD Message Exchange ............................................................................................267
Configuring Basic ICAP on the Inside Partition/Device .................................................. 269
Using the CLI ......................................................................................................................................269
Using the GUI .....................................................................................................................................270
Configuring Basic ICAP on the Outside Partition/Device................................................ 272
ICAP Show Commands ..................................................................................................... 272
ICAP Configuration Options .............................................................................................. 272
Pre-Filtering Traffic Before ICAP ...........................................................................................................273
Include Protocol and Port in HTTP URI ...............................................................................................273
ICAP Templates Configuration Options in the CLI ............................................................................274
Configuring ACOS Logging in ICAP Templates................................................................ 275
Example Logs ....................................................................................................................................276
ICAP Usage Guidelines...................................................................................................... 276
Related Information........................................................................................................... 276

SSL Certificate Management and Options ................................................................................ 277


SSL Certificate Management............................................................................................ 277
SSL Certificate Management Overview ............................................................................................... 277
CA Certificate Versus SSL Certificate ..................................................................................................278
The SSL Process ......................................................................................................................................278
Certificate Chain ................................................................................................................................279
Certificate Warning from Client Browser .....................................................................................281
CA-Signed and Self-Signed Certificates .......................................................................................281
SSL Templates .........................................................................................................................................282


Client-SSL Template Configuration and Usage Guidelines ......................................................282


Server-SSL Template Configuration and Usage Guidelines .....................................................284
Cipher Template Configuration and Usage Guidelines ............................................................. 286
SSLi Connection Buffering During Certificate Fetching and Forging ............................................ 287
Enabling SSLi Connection Buffering in ACOS CLI ......................................................................287
Enabling SSLi Connection Buffering in ACOS GUI .....................................................................288
TLS Server Name Indication (SNI) Support ........................................................................................288
Default Certificate and Key .............................................................................................................288
SNI Extension Support .....................................................................................................................289
Partition Support ...............................................................................................................................289
Configuring TLS Server Name Indication .....................................................................................289
TLS SNI Support on vThunder ........................................................................................................290
TLS 1.3 Support for Software SSL .......................................................................................................291
CLI to enable TLS 1.3 for Software SSL .......................................................................................291
Configure Certificate Key pair .........................................................................................................292
Managing CAs and CSRs .................................................................................................. 293
Importing a Certificate and Key ............................................................................................................293
Importing Individual Files ................................................................................................................294
Bulk Import and Export of SSL Certificate and Key Files ..........................................................295
Generating an SSL Cert – Private Key File with a CSR ....................................................................295
Generating a Certificate Signing Request (CSR) ...............................................................................298
Generating a Self-Signed Certificate and Key ....................................................................................300
Certificate Installation Process .............................................................................................................301
Requesting and Installing a CA-Signed Certificate ....................................................................301
Installing a Self-Signed Certificate ................................................................................................303
Creating a Client-SSL or Server-SSL Template and Binding it to a VIP .........................................304
Multiple CA Certificate Support in Server-SSL Templates ..............................................................305
Multiple Certificates in Single File – Preparing the File ............................................................305
Support for Binding Server-SSL Templates to Individual Real Ports ............................................307
Configuring Email Notification for SSL Certificate Expiration ........................................................308
SSL Certificate Notification via System Log Warnings ....................................................................309
Converting Certificates and CRLs to PEM Format ...........................................................................309
Importing a Certificate Revocation List (CRL) ...................................................................................310
SSL File Delete ..........................................................................................................................................311
Exporting Certificates, Keys, and CRLs ...............................................................................................311
Importing a CA Cert and Private Key for SSLi ....................................................................................313
Forward Proxy Alternate Signing Cert and Key .................................................................................313
Simple Certificate Enrollment Protocol (SCEP) .................................................................................314

OCSP Overview and SSLi OCSP Workflow ................................................................................ 319


Configuring ACOS Server Certificate Verification (CLI)................................................... 322
Server-SSL Template Certificate Revocation List............................................................ 324
Configuring Server-SSL Template Certificate Revocation List (CLI) .............................. 325
IP-less OCSP and CRL Requests for SSLi ...........................................................................................327
Configuration Example for IP-Less OCSP and CRL Requests (CLI) ..............................................327
Customizable Message for Invalid Certificates............................................................... 328


Configuring a Customizable Message for Invalid Certificates (CLI) ..............................................328
Configuring a Customizable Message for Invalid Certificates (GUI) ..............................................329
Revoking Certificates From the Cache and Generating CRL .......................................... 329
Workflow for Certificate Revocation and CRL Generation (CLI) ....................................................330
Step 1: Checking the Certificate Serial Number (CLI) ................................................................330
Step 2: Revoking a Certificate (CLI) ...............................................................................................331
Step 3: Generating a CRL (CLI) .......................................................................................................332
Step 4: Displaying the CRL (CLI) ....................................................................................................332
Step 5: Clearing Revoked Certificates and Deleting the CRL (CLI) .........................................332
Revoking a Certificate and Generating CRL (GUI) .............................................................................332

SSL Insight VRRP-A ................................................................................................................. 335


VRRP-A SSLi Configuration Example ............................................................................... 336
CLI Configuration Steps .........................................................................................................................338
Inside Primary ACOS device ...........................................................................................................338
Inside Secondary ACOS device ......................................................................................................342
Outside Primary ACOS device ........................................................................................................ 346
Outside Secondary ACOS device ...................................................................................................350
Related Information........................................................................................................... 354

Miscellaneous SSLi Features ................................................................................................... 355


File Inspection ................................................................................................................... 355
Configuring File Inspection ....................................................................................................................356
Verifying the Device has a Cylance License ................................................................................356
Creating a File Inspection Template .............................................................................................356
Binding the File Inspection Template to a Port ...........................................................................357
Importing a Cylance BW List ..........................................................................................................357
Implementing File Inspection on Application Delivery Partitions (ADP) ................................ 358
Using SSLi Source NAT..................................................................................................... 358
Example Configuration SSLi Static Source NAT ...............................................................................358
Configuration of the Inside ACOS device .....................................................................................358
Configuration of the Outside ACOS device ..................................................................................360
Example Configuration SSLi Auto Source NAT .................................................................................360
Configuration of the Inside ACOS device .....................................................................................361
Configuration of the Outside ACOS device ..................................................................................362
Example Configuration Displaying Priority of SSLi Source NAT ....................................................363
Redirecting Clients from Server Sites Using Self-Signed Certificates ........................... 365
Example Configuration of Redirecting Clients from Self-Signed Certs ........................................366
Show Running-Config of Example Configuration ..............................................................................366
Persistent Proxied Certificates for SSL Insight ............................................................... 367
Example: Create a Persistent Forward-Proxy Class List .................................................................367
Example: Binding a Separate Client-SSL Template to Each Unique SSLi VPort .........................368
Configuration Option Supporting the Chrome Browser .................................................. 369
Global SSL Configuration Commands.............................................................................. 369


References ......................................................................................................................... 369

SSLi Logging ............................................................................................................................ 371


Configuring SSLi Logging (CLI)......................................................................................... 372
SSLi Inspection Failure Event Error Codes ...................................................................... 373
SSLi Inspection Failure Error Codes Examples .................................................................................373
Cert fetch, fatal alert .........................................................................................................................373
Cert fetch, TCP FIN/RST .................................................................................................................. 374
Cert fetch, Validation error ..............................................................................................................374
Client SSL, fatal alert ........................................................................................................................374
Client SSL, TCP FIN/RST .................................................................................................................375
SSL Session, TCP FIN/RST .............................................................................................................375
Server SSL, fatal alert .......................................................................................................................375
Server SSL, TCP FIN/RST ................................................................................................................375
Client SSL, internal error ..................................................................................................................376
Server SSL, internal error .................................................................................................................376
Generic SSLi Failure Logs ................................................................................................. 376
Example: SSLi Bypass Logs ...................................................................................................................377
Example: SSL CA Verification Failure Log ..........................................................................................377
Example of a Failure .........................................................................................................................378
Additional Example Logs of SSLi Failures .......................................................................................... 378
CEF Error Logs ................................................................................................................... 379
ACOS Event-based Logging .............................................................................................. 380


SSL Insight Introduction

This chapter provides an overview of SSL Insight (SSLi).

The following topics are covered:

• SSLi Overview

• SSLi Architecture and Workflow

• SSLi Features

• SSLi Terminology

• CA Certificates for SSLi and Certificate Chaining

• SSLi Workflow for New and Revisited Websites

• SSLi Requirements for vThunder

SSLi Overview
Traditional security devices can inspect HTTP traffic, but they cannot inspect SSL/TLS-encrypted
traffic without spending heavy CPU resources on decryption. This limitation is a concern because the
volume of encrypted traffic is increasing and is expected to surpass the volume of unencrypted traffic.
Because cyber threats propagate through encrypted traffic just as easily as through clear text,
organizations must inspect both encrypted and unencrypted traffic.

Deploy SSL Insight (SSLi) in your organization as a dedicated decryption point for SSL/TLS traffic, so
that the decrypted traffic can be analyzed by a security device. Because decryption and re-encryption
are performed by the SSLi device rather than by each security device, the added latency in the network
is minimal.

SSLi is configurable on any of the supported ACOS devices. SSLi can detect and decrypt SSL/TLS
carried by standard TCP protocols on any port, not only HTTPS on port 443. SSLi is deployable in a
number of different ways, is customizable for your network environment, and supports high availability
(HA). SSLi is also scalable to address the requirements of an expanding organization; its integrated
load balancing distributes the decrypted traffic across the security devices.

For more information on the supported ACOS devices for deploying SSLi, refer to the SSLi Technical
Specifications document at https://www.a10networks.com/products/thunder-series/ssl-decryption-encryption-and-inspection-ssl-insight.


SSLi Architecture and Workflow


In the following deployment example, the client network is connected to the SSLi solution, which is in
turn connected through a gateway to an external network such as the Internet. All encrypted traffic
between the Internet and the client network passes through the SSLi solution for inspection.

FIGURE 1 SSLi Architecture


Deploy the SSLi solution in a number of ways by using one or more supported ACOS devices, keeping
the disruption to your existing network to a minimum. In this example, the SSLi solution consists of two
ACOS devices and a number of sample security devices that inspect the decrypted clear-text traffic.
Examples of such security devices are a next-generation firewall (NGFW), an intrusion detection system
(IDS), and a unified threat management (UTM) appliance. The ACOS devices can also be configured as
an ICAP client to offload traffic inspection to an ICAP server.

NOTE: While configuring SSLi, it is recommended to have separate interfaces for management and
data in your network, because management sessions frequently use SSL/TLS and, on a shared
interface, would themselves become candidates for interception.

You can deploy the SSLi solution with a single ACOS device (using two partitions) or with multiple ACOS
devices. The ACOS devices in the SSLi solution consist of two parts:

• ACOS_decrypt —The ACOS partition or ACOS device(s) that connects to the client network. This
part of the SSLi solution decrypts the traffic from the client and passes the clear traffic to the
security devices for inspection. In some implementations, this part is also referred to as
ACOS_inside.
• ACOS_encrypt —The ACOS partition or ACOS device(s) that connects to the server network. This
part of the SSLi solution re-encrypts the clear traffic that it receives from the security device
and passes it to the external server network by using SLB operations. In some implementations,
this part is also referred to as ACOS_outside.

Note that there are two separate SSL/TLS sessions: one between the client and ACOS_decrypt, and
one between ACOS_encrypt and the remote server. Clear text exists only on the path between the two
parts, which is where the security devices sit.

The workflow of the SSLi solution is as follows:

1. The client network sends an encrypted request to a remote server.
2. After a session is established, the traffic is intercepted and decrypted by ACOS_decrypt, which
sends the clear-text traffic to the security devices.
3. The security device inspects the clear-text request data and, if approved, forwards it to
ACOS_encrypt to be re-encrypted.
4. ACOS_encrypt intercepts the traffic, re-encrypts it, and sends it to the default gateway.
5. The remote server receives the encrypted request.
6. The remote server sends back an encrypted response.
7. ACOS_encrypt decrypts the response and forwards it to the same security device that forwarded
the request.
8. The security device inspects the clear-text response data and, if approved, forwards it to
ACOS_decrypt to be re-encrypted.
9. ACOS_decrypt intercepts the traffic, encrypts it again, and sends it to the client.
10. The client receives the encrypted response.


SSLi Features
As discussed previously, organizations need an SSLi solution to decrypt traffic so that the data can be
analyzed by security devices. SSLi has a number of advantages over similar products. The following are
a few of the advantages of deploying SSLi:

• Deploy SSLi either as a transparent proxy or as an explicit proxy in the network.

• SSLi supports URL classification services, which helps in meeting compliance standards.

• Configure SSLi for dynamic-port inspection of SSL and TLS traffic.

• Configure SSLi as an ICAP client to an ICAP server for DLP and antivirus (AV) security devices.

• SSLi has very high performance compared to similar products deployed in similar environments.

• SSLi uses the extensive SSL cipher support of ACOS, including the ECDHE and DHE key exchanges.
Because these key exchanges provide forward secrecy, sessions that use them cannot be decrypted
passively with a copy of the server key; an inline proxy such as SSLi is required.

• SSLi offers load balancing capabilities to support scaling of the security infrastructure.

SSLi Limitations
SSLi has the following limitations:

• The ACOS device cannot pass packets when it fails or is powered down; it does not fail open. To
keep traffic flowing in that case, a second ACOS device or a bypass switch is required.

• Explicit proxy cannot be placed in the ACOS_decrypt zone.

• The use of a native VLAN together with tagged VLANs is not supported.

• Sites that use hard certificate pinning cannot be decrypted, because a pinned client rejects the
certificate that SSLi presents in place of the server's own. Such sites must be bypassed rather
than inspected.

SSLi Terminology
Before deploying SSLi, review the terms in the following sections to understand how SSLi functions. For
more information on ACOS terminology, refer to the Application Delivery and Server Load Balancing
Guide.


Real Server
A real server is the logical representation of a physical server (an individual server or a member of a
server farm) connected to an ACOS device, or of another router in the network. To configure a real
server, a name, an IP address, and a port are required.

In SSLi operation, the security device or collection of security devices is configured as a real server.

In the following example, the next hop toward the security devices in an SSLi solution is configured as
a real server named GW, with wildcard port 0 so that any TCP port is accepted:

ACOS_decrypt(config)# slb server GW 1.1.1.254
ACOS_decrypt(config-slb server)# port 0 tcp

Virtual Server and Virtual IP (VIP)


A virtual server is the combination of real servers and an ACOS device (or devices), which together
appear as a single server to the client.

A virtual IP (VIP) is the IP address of the virtual server. The VIP is used to access a group of servers, or it
can be the default gateway for users accessing the Internet. To configure a virtual server, a name, an IP
address, and a port are required.

In SSLi operation, the security device or collection of security devices, together with the ACOS device
or devices, is configured as a virtual server. The virtual port (a specific port such as 443, or wildcard
port 0) is configured with the no-destination-nat option. This option leaves the client's original
destination address untranslated, so SSLi can accept traffic for any destination port and forward it to
that same destination port.

The following is an example of configuring a virtual server for incoming traffic:

ACOS_decrypt(config)# slb virtual-server decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver)# port 0 tcp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation

If the port-translation option is used, and the response traffic passes through the ACOS device, the
ACOS device translates the source port of the server-reply back into the destination port to which the
client sent the request, before forwarding the reply to the client. The port-translation option is
supported only for the following virtual port types: TCP, UDP, and HTTP/HTTPS.

Wildcard VIPs, Ports, Virtual Ports, and ACL


A wildcard VIP is a VIP that does not have a specific IP address. Instead, wildcard VIPs have the IP
address 0.0.0.0 (for IPv4) or :: (for IPv6). Client requests sent to any destination IP address are
accepted when they arrive at a wildcard VIP.

ACOS 5.0.0-P1 SSL Insight (SSLi) Configuration Guide

Wildcard VIPs enable you to configure a feature that applies to multiple VIPs, without the need to
reconfigure the feature separately for each VIP. To specify the subset of VIP addresses and ports for
which a feature is applicable, use an Access Control List (ACL). ACLs also specify the subset of clients
allowed to access the VIPs, thus ensuring that only legitimate requests are allowed through. Wildcard
VIPs can be used for any type of load balancing. Port 0 is used as a wildcard port to match on any port
number.

In SSLi operations, a wildcard VIP is configured to intercept supported encrypted traffic such as
HTTPS, STARTTLS, IMAPS, SSH and so on, on any port. Use ACLs to specify the clients whose traffic is
to be intercepted. The virtual server port or port 0 is configured for a virtual server with the
no-destination-nat option enabled. This configuration enables SSLi to accept traffic for any
destination port and send it to any destination port.

The following is an example configuration for a wildcard VIP that accepts HTTPS requests on port 443:

ACOS_decrypt(config)# slb virtual-server decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation

The following is an example configuration where on VLAN 10, all IP traffic is intercepted by
ACOS_decrypt by using an ACL 100:

ACOS_decrypt(config)# access-list 100 permit ip any any vlan 10
ACOS_decrypt(config)# slb virtual-server ACOS_decrypt 0.0.0.0 acl 100

Service Groups
A service group is a group of servers that fulfill a service. Service groups are where load balancing
algorithms are applied. The minimum configuration for a service group includes a name, the type of
protocol, the load balancing algorithm, and at least one real server and port.

In SSLi operations, configure service groups to handle the different types of encrypted traffic that are
intercepted by the SSLi solution. In the following configuration example, a real server FW1_Inspect is
created on ACOS_decrypt and added to a service group FW1_Inspect_SG, which is also created on
ACOS_decrypt. All the traffic is decrypted and forwarded to the members of the group (in this case,
FW1_Inspect) over protocol TCP on port 8080.

ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12
ACOS_decrypt(config-real server)# port 8080 tcp
ACOS_decrypt(config-real server)# exit
ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 8080


ACOS_decrypt and ACOS_encrypt Partition or Device


The SSLi solution sandwiches the security device or devices between the ACOS_decrypt and
ACOS_encrypt partition or device.

NOTE: ACOS_decrypt and ACOS_encrypt can be configured on separate ACOS devices or in a single
ACOS device by using partitions. There are also examples of single partition SSLi deployments where
ACOS_decrypt and ACOS_encrypt zones are created by using a combination of virtual servers and
ACLs. In a single partition deployment, a VIP represents the client and server sides.

ACOS_decrypt decrypts all SSL traffic originating from the client. All clear-text traffic decrypted by
ACOS_decrypt is passed to the security device.

Some guidelines for configuring ACOS_decrypt are as follows:

• Provision ACOS_decrypt with either a CA or a subordinate CA certificate and the accompanying
private key. Refer to “CA Certificates for SSLi and Certificate Chaining” on page 19.
• With HTTPS to HTTP conversion, the destination port is changed from 443 to any other port such
as 8080.
• Create a client-SSLi template with forward-proxy-enable configured.
• Any TCP or UDP traffic that is intercepted must have an access control list (ACL) configured
within the wildcard VIP to define the traffic flow.
• Incoming HTTPS sessions that are intercepted and decrypted are forwarded as clear text over
HTTP on a configurable port such as 8080 through a third-party security device.

The ACOS_encrypt zone re-encrypts the HTTP traffic received on the port such as 8080 from the
security device after inspection. The clear-text traffic is encrypted to HTTPS 443 and sent to the default
router or Internet by using the port 443. You must configure a server-SSLi template with
forward-proxy-enable for this zone.

CA Certificates for SSLi and Certificate Chaining


SSLi requires a CA certificate and key pair to decrypt traffic between clients and any external SSL
servers that are not controlled by the same organization. When an internal user from the client network
initiates any SSL communication with an external server, the SSLi solution intercepts the server
certificate from the original server, modifies the certificate and then re-signs it using the CA certificate.
This proxy certificate is then sent to the internal user as a server certificate of the original server.


This CA certificate must be signed by the root CA. Otherwise, internal users see an SSL untrusted root
error whenever they try to connect to an SSL-enabled website. Import the CA certificate and key pair to
the ACOS_decrypt. This CA certificate must be trusted by the client web browsers. There are a number
of third-party certificate distribution solutions available for this function. Microsoft Group Policy
Manager is a recommended tool for Windows-based clients.

In the following example, the CA certificate for SSLi is signed by another trusted intermediate CA
instead of a root CA. A CA certificate chain is required to complete the chain of trust. The CA certificate
chain is created by concatenating the intermediate CA certificates from the one for SSLi up to the one
signed by the root CA. In this example, the intermediate CA certificate is signed by the root CA. The
certificate chain includes two certificates and the root CA (ca.cert.pem).

FIGURE 2 SSLi CA Certificate Chain

After the intermediate CA and certificate chain are ready, you can import both as a certificate type into
the SSLi device. Since a CSR was used to obtain the SSLi CA certificate, the private key (ssli-ca.key) is
already on the SSLi device.

From the client’s perspective, the SSL session is directly between the client and the outside SSL server.
However, the SSL session is actually between the ACOS_decrypt device and the client.

The following is the workflow for the exchange of security certificates during the SSLi operation:

1. The client sends a request to set up an SSL session with the outside server.
2. Assuming that ACOS_decrypt has cached a proxied certificate for the outside server, it presents
the certificate to the client.
3. If the client browser contains a copy of the proxied certificate, the client trusts ACOS_decrypt and
allows the SSL session to be set up.


NOTE: If ACOS_decrypt has not cached a proxied certificate for the outside server, it opens an SSL
session with the server and retrieves the server’s public certificate, which it modifies and re-signs with
its imported private key to create the needed proxied certificate. Specifically, the header information is
extracted from the server certificate. The issuer and the public key are changed as specified in the
client-SSLi template. The modified certificate is then re-signed with the CA private key specified in the
client-SSLi template.
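The chain-building step above and the proxied certificate that ACOS_decrypt mints on a cache miss can be reproduced with the openssl CLI. The following is an added example, not A10 code or ACOS configuration: it uses the file names ssli-ca.key and ca.cert.pem from the text, while the CA names, the hostname www.example.test and the "public CA" that issues the outside server's certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not A10 code: build the SSLi CA chain and mint a proxied
# server certificate with the openssl CLI, then check the chain of trust.
# ssli-ca.key and ca.cert.pem are the names used in the text; all other
# names, the hostname and the "public CA" are constructed for this demo.
set -e

# Extension files used when signing (constructed helper).
write_ext_files() {
  cat > "$1/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
  cat > "$1/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
}

# new_csr DIR NAME SUBJECT: fresh RSA key plus CSR (CN-only subjects here).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# self_sign DIR NAME: root-style self-signed CA certificate from its own CSR.
self_sign() {
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 3650 -sha256 \
    -extfile "$1/ca.ext" -out "$1/$2.cert.pem" 2>/dev/null
}

# sign_cert DIR NAME ISSUER EXTFILE [EXTRA_EXT_LINE]: issue NAME.cert.pem.
sign_cert() {
  ext="$1/$4"
  if [ -n "$5" ]; then
    { cat "$1/$4"; printf '%s\n' "$5"; } > "$1/$2.ext"
    ext="$1/$2.ext"
  fi
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.cert.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$ext" \
    -out "$1/$2.cert.pem" 2>/dev/null
}

ssli_chain_demo() {
  work=$(mktemp -d)
  write_ext_files "$work"

  # 1. Root CA that the client machines trust (ca.cert.pem in the text).
  new_csr "$work" ca "/CN=Example Enterprise Root CA"
  self_sign "$work" ca

  # 2. Intermediate CA signed by the root.
  new_csr "$work" intermediate "/CN=Example Intermediate CA"
  sign_cert "$work" intermediate ca ca.ext

  # 3. SSLi CA signed by the intermediate. ssli-ca.key is the private key
  #    that stays on ACOS_decrypt; the certificate is what gets imported.
  new_csr "$work" ssli-ca "/CN=Example SSLi CA"
  sign_cert "$work" ssli-ca intermediate ca.ext

  # 4. The chain to import: from the SSLi CA up to the cert signed by the root.
  cat "$work/ssli-ca.cert.pem" "$work/intermediate.cert.pem" > "$work/ssli-chain.pem"

  # 5. An outside server certificate issued by a public CA the organization
  #    does not control (both constructed for the demo).
  new_csr "$work" public-ca "/CN=Example Public CA"
  self_sign "$work" public-ca
  new_csr "$work" server "/CN=www.example.test"
  sign_cert "$work" server public-ca leaf.ext \
    "subjectAltName=DNS:www.example.test,DNS:example.test"

  # 6. Cache miss on ACOS_decrypt: keep the server certificate's subject and
  #    SANs, swap in a fresh key, and re-sign with the SSLi CA's private key.
  subj=$(openssl x509 -in "$work/server.cert.pem" -noout -subject \
           -nameopt RFC2253 | sed 's/^subject=//')
  san=$(openssl x509 -in "$work/server.cert.pem" -noout -ext subjectAltName \
          | sed -n '2p' | tr -d ' ')
  new_csr "$work" proxied "/$subj"
  sign_cert "$work" proxied ssli-ca leaf.ext "subjectAltName=$san"

  # 7. A client trusting only public CAs gets the "untrusted root" error ...
  if openssl verify -CAfile "$work/public-ca.cert.pem" \
       "$work/proxied.cert.pem" >/dev/null 2>&1; then
    echo "unexpected: proxied cert trusted without the enterprise root" >&2
    return 1
  fi
  # ... while one that has ca.cert.pem accepts it through the chain.
  openssl verify -CAfile "$work/ca.cert.pem" -untrusted "$work/ssli-chain.pem" \
    -verify_hostname www.example.test "$work/proxied.cert.pem" >/dev/null \
    || return 1

  # Show that the issuer changed while subject and SANs were preserved.
  openssl x509 -in "$work/proxied.cert.pem" -noout -issuer -subject -nameopt RFC2253
  echo "$san"
  rm -rf "$work"
}

ssli_chain_demo
```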

The default CA bundle is used for remote certificate validation. The trusted CA certificates imported
from browsers such as Mozilla do not require importing of any private keys.

Ensure that you have the latest root certificate bundle for remote certificate validation. The
default_ca_bundle may not contain the latest certificates. For the most current root certificates, see
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/. It is highly
recommended to update the default_ca_bundle periodically using either an automated or manual
process.

SSLi Workflow for New and Revisited Websites


The flow of traffic from the client to the gateway by using an SSLi solution requires a security
certificate to be configured for the SSLi solution. In this section, the sequence of events, including the
security certificate exchange process, is explained for processing the SSL traffic in a typical
deployment. The process is explained for both new and revisited websites.


FIGURE 3 SSLi Flow of Traffic

In any typical SSLi deployment such as the one displayed in this section, the flow of traffic from the
client network to the outside network or server network is processed by the SSLi solution as follows for
new websites:

1. The client establishes an SSL connection with the remote server and receives a security certificate
from the remote server.
2. In ACOS_decrypt, the header information is extracted from the server certificate.
3. In the client SSLi template defined for ACOS_decrypt, a new security certificate is generated by
using the CA certificate specified in the client SSLi template. This reconstructed server-hello
message is sent to the client instead of the original encrypted hello message.
4. ACOS_decrypt is now able to intercept traffic, decrypt it and send the clear-text to the security
device.
5. A new SSL session is initiated with the remote server by ACOS_encrypt.
6. Clear text data is passed from the security device to ACOS_encrypt. ACOS_encrypt re-encrypts the
data and sends it to the remote server.
7. The server response is intercepted by ACOS_encrypt which decrypts it and passes it to the security
device.
8. The security device processes the clear text data and passes it to ACOS_decrypt. ACOS_decrypt
re-encrypts the data and sends it to the client.

Now that ACOS_decrypt has a cached certificate and if the client were to make another request for
connection to the remote server, the flow of traffic from the client network to the outside network or
server network is processed by the SSLi solution as follows:

1. The client establishes an SSL connection with the remote server and receives the security
certificate from the remote server.


2. ACOS_decrypt sends the client the cached certificate of the website.
3. ACOS_decrypt is now able to intercept traffic, decrypt it and send the clear-text to the security
device.
4. A new SSL session is initiated with the remote server by ACOS_encrypt.
5. Clear text data is passed from the security device to ACOS_encrypt. ACOS_encrypt re-encrypts the
data and sends it to the remote server.
6. The server response is intercepted by ACOS_encrypt which decrypts it and passes it to the security
device.
7. The security device processes the clear text data and passes it to ACOS_decrypt. ACOS_decrypt
re-encrypts the data and sends it to the client.

SSLi Requirements for vThunder


SSLi is supported by the vThunder convergent firewall (CFW) virtual appliance. All deployments
discussed in “SSL Insight Deployments and Topologies” on page 17 are supported with vThunder.

The following are supported:

• Supported hypervisors—VMware ESXi, KVM, and Microsoft Hyper-V

• Minimum memory—8 GB

• Minimum hard disk storage space—16 GB

• Individual virtual interface ports for the following:
  • Ingress from client
  • Outbound to security device
  • Inbound from security device
  • Egress to gateway router

For more information on supported vThunder specifications for SSLi, refer to the SSLi Technical
Specifications document at https://www.a10networks.com/products/thunder-series/ssl-decryption-
encryption-and-inspection-ssl-insight.


SSL Insight Deployments and Topologies

This chapter provides an overview of the different types of deployments and topologies for SSL Insight
(SSLi). In terms of the number of ACOS devices in your SSLi solution, you can have three types of
deployment options:

• Single ACOS Device with One Partition Deployment

• Single ACOS Device with Two Partitions Deployment

• Two ACOS Devices, Each with One Partition Deployment

In addition to the aforementioned deployments, SSLi topologies are discussed.

Single ACOS Device with One Partition Deployment


In this deployment, a single ACOS device with one partition is configured as part of the SSLi solution. In
a single partition deployment, the ACOS device is in L2 mode and requires one IP address at the
minimum irrespective of the number of VLANs to be inspected. All interfaces used for the SSLi
deployment must be assigned the same VLANs.

FIGURE 4 Deployment of a Single ACOS Device with One Partition

In the sample deployment as shown in Figure 4, the client device is connected to the SSLi solution,
which is then connected to the external gateway. The SSLi solution consists of an ACOS device in L2
mode and a single security device in L2 mode. The encrypted traffic from the client is passed to the
ACOS device on interface e1. The ACOS device decrypts the traffic and forwards the clear traffic to the
security device on interface e2. After inspection, the security device passes the clear traffic to the ACOS
device on interface e3. The ACOS device re-encrypts the traffic and passes it to the external gateway on
interface e4.

Features for Single ACOS Device with One Partition


The following table lists the features for a single ACOS device with one partition deployment.

TABLE 1 Features for Single ACOS Device with One Partition

General Features
  Description:
  • Supported across all ACOS releases
  • SSLi solution delivered in a single device
  • Web-category license add-on for the same device
  Notes:
  • L3 firewalls supported across all ACOS releases.
  • L2 firewalls supported from ACOS 4.1.1-P3 version onwards.
  • Number of physical ports available to the solution is roughly halved.

SSLi Features
  Description:
  • Static port inspection:
    • SNI-based bypass
    • Web category-based bypass
    • URL Filtering
    • Explicit proxy
    • Proxy chaining
    • ICAP
  • Dynamic port inspection
  • STARTTLS inspection
  Notes:
  • Firewall Load Balancing (FWLB) is not supported.
  • URL filtering, explicit proxy, and proxy chaining are available with L3 firewall only.
  • For dynamic port inspection, a special header is not pre-pended to the client request.

Security Devices
  Description:
  • Inline L2 or vWire transparent firewalls
  • Inline L3 or NAT’ed transparent firewalls
  • Inline L7 or transparent proxy
  • One-armed transparent proxy
  • Non-inline passive IDS
  • ICAP-based DLP/AV
  Notes:
  • For inline L2 and L3 security devices, both tagged and untagged VLANs are supported.
  • For inline L7 security devices, only transparent proxy is supported.
  • One-armed transparent proxy is supported with L3 firewalls only.
  • For non-inline passive IDS, up to four passive devices are supported.

Topologies
  Description:
  • Full L2 with the deployment behind SSLi and STP-based active-standby HA
  • L2 with L3 security device and VRRP-A based active-standby HA
  • L3 with A10 Thunder SSLi and VRRP-A based active-standby HA
  • Explicit proxy with A10 Thunder SSLi as the explicit proxy for client web browsers
  • Explicit proxy with upstream explicit proxy set on client web browsers
  Notes:
  • For an L2 deployment, both tagged and untagged VLANs are supported.
  • L2 deployment does not support VRRP-A.
  • L3 deployment and both types of explicit proxy deployments are supported with L3 firewalls only.
  • Explicit proxy with upstream explicit proxy set on client web browsers requires two IP addresses
    from the network.


Single ACOS Device with Two Partitions Deployment


In this deployment, two L3V partitions are configured in the ACOS device. The partition ACOS_decrypt
is connected to the client and the partition ACOS_encrypt is connected to the external network by using
a gateway. Configure system ve-mac-scheme system-mac on the shared partition to eliminate the MAC
address duplication across partitions. If the ACOS device is a vThunder, also configure system
promiscuous-mode on the shared partition.

FIGURE 5 Deployment of a Single ACOS Device with a Two-Partition SSLi Solution

In the sample deployment as shown in Figure 5, the client device is connected to the SSLi solution,
which is then connected to the external gateway. The SSLi solution consists of an ACOS device and a
single security device. The ACOS device has two partitions, ACOS_decrypt is connected to the client
network and ACOS_encrypt is connected to the server network. The encrypted traffic from the client is
passed to the ACOS_decrypt partition on interface e1. The ACOS_decrypt partition decrypts the traffic
and forwards the clear traffic to the security device on interface e2. After inspection, the security device
passes the clear traffic to the ACOS_encrypt partition on interface e3. The ACOS_encrypt partition re-
encrypts the traffic and passes it to the external gateway on interface e4.


Features for Single ACOS Device with Two Partitions


The following table lists the features for a single ACOS device with two partitions deployment.

TABLE 2 Features for Single ACOS Device with Two Partitions

General Features
  Description:
  • Supported across all ACOS releases
  • SSLi solution delivered in a single ACOS device
  • Web-category license add-on for the same device
  • Full separation of L2 and L3 in ADPs
  • Firewall Load Balancing (FWLB) support
  Notes:
  • Number of physical ports available to the solution is roughly halved.

SSLi Features
  Description:
  • Static port inspection:
    • SNI-based bypass
    • Web category-based bypass
    • URL Filtering
    • Explicit proxy
    • Proxy chaining
    • ICAP
  • Dynamic port inspection
  • STARTTLS inspection
  Notes:
  • For dynamic port inspection, a special header ‘A10FP’ gets pre-pended to client requests and is
    visible to the security device.

Security Devices
  Description:
  • Inline untagged L2 or vWire transparent firewalls
  • Inline L3 or NAT’ed transparent firewalls
  • Inline L7 or transparent proxy
  • One-armed transparent proxy
  • Non-inline passive IDS
  • ICAP-based DLP/AV
  Notes:
  • For inline L2 deployment, only untagged VLANs are supported.
  • For inline L3, both tagged and untagged VLANs are supported.
  • For inline L7, only transparent proxy is supported.
  • For non-inline passive IDS, up to two passive devices are supported.

Topologies
  Description:
  • Full L2 with the deployment behind SSLi and STP-based active-standby HA
  • L2 with L3 security device as the deployment and VRRP-A based active-standby HA
  • L3 with A10 Thunder SSLi as the deployment and VRRP-A based active-standby HA
  • Explicit proxy with Thunder SSLi as the explicit proxy for client web browsers
  • Explicit proxy with upstream explicit proxy set on client web browsers
  Notes:
  • For a full L2 deployment, only untagged VLANs are supported. VRRP-A is not supported.
  • For explicit proxy, two IP addresses are required from the network segment in which the Thunder
    SSLi is deployed.


Two ACOS Devices, Each with One Partition Deployment


In this deployment, a dedicated ACOS device is configured each for the ACOS_decrypt and
ACOS_encrypt partitions. This deployment provides a greater throughput than a single device
deployment.

FIGURE 6 Deployment of a Double ACOS Device SSLi Solution

In the sample deployment as shown in Figure 6, the client device is connected to the SSLi solution,
which is then connected to the external gateway. The SSLi solution consists of two ACOS devices and
a single security device. The ACOS device connected to the client has a partition called ACOS_decrypt.
The ACOS device connected to the external gateway has a partition called ACOS_encrypt. The
encrypted traffic from the client is passed to the ACOS_decrypt partition on interface e1. The
ACOS_decrypt partition decrypts the traffic and forwards the clear traffic to the security device on
interface e2. After inspection, the security device passes the clear traffic to the ACOS_encrypt partition
on interface e3. The ACOS_encrypt partition re-encrypts the traffic and passes it to the external
gateway on interface e4.


Features for Two ACOS Devices, Each With One Partition


The following table lists the features for two ACOS devices, each with one partition deployment.

TABLE 3 Features for Two ACOS Devices, Each With One Partition

General Features
  Description:
  • Supported across all ACOS releases
  • Throughput is about 1.8x more than that of a single-device deployment
  • SSLi solution is delivered with two ACOS devices
  • Web-category license add-on only for one device
  • Full separation of L2/L3 in two physical devices
  • Firewall Load Balancing (FWLB) support
  Notes:
  • Number of physical ports available to the solution is roughly doubled.

SSLi Features
  Description:
  • Static port inspection:
    • SNI-based bypass
    • Web category-based bypass
    • URL Filtering
    • Explicit proxy
    • Proxy chaining
    • ICAP
  • Dynamic port inspection
  • STARTTLS inspection
  Notes:
  • For dynamic port inspection, a special header ‘A10FP’ gets pre-pended to the client request and is
    visible to the security device.

Security Devices
  Description:
  • Inline L2 or vWire transparent firewalls
  • Inline L3 or NAT’ed transparent firewalls
  • Inline L7 or transparent proxy
  • One-armed transparent proxy
  • Non-inline passive IDS
  • ICAP-based DLP/AV
  Notes:
  • For inline L2 and L3, both tagged and untagged VLANs are supported.
  • For inline L7, only transparent proxy is supported.
  • For non-inline passive IDS, up to four passive devices are supported.

Topologies
  Description:
  • Full L2 with the deployment behind SSLi and STP-based active-standby HA
  • L2 with L3 security device and VRRP-A based active-standby HA
  • L3 with A10 Thunder SSLi as the deployment and VRRP-A based active-standby HA
  • Explicit proxy with A10 Thunder SSLi as the explicit proxy for client web browsers
  • Explicit proxy with upstream explicit proxy set on client web browsers
  Notes:
  • For a full L2 deployment, only untagged VLANs are supported. VRRP-A is not supported.
  • For explicit proxy, two IP addresses are required from the network segment in which the Thunder
    SSLi is deployed.


SSLi Topologies
SSLi can be deployed in different topologies. Topologies can differ based on the mode of the SSLi
deployment. The security device can be either in-line or in a passive mode.

For in-line deployment of the security device(s), the following topological combinations are supported:

• SSLi in L2 mode and the in-line security device in L2 mode

• SSLi in L2 mode and the in-line security device in L3 mode

• SSLi in L3 mode and the in-line security device in L2 mode

• SSLi in L3 mode and the in-line security device in L3 mode

Security devices can be deployed in passive (tap) mode by using a mirror port on the SSLi device. This
deployment is independent of whether the security device or the SSLi device is in L2 or L3 mode. In this
mode, the physical link is established between ACOS_decrypt and ACOS_encrypt appliances and the
decrypted traffic is mirrored out to the passive security device. The tap mode supports up to eight
security devices. Support for RST from the security device (over a separate link) to terminate
compromised connections is also included.

If you are configuring SSLi on a single vThunder device, then only two bi-directional or four
unidirectional ports are required. For configuring SSLi on two vThunder devices, four bi-directional
ports or 8 unidirectional ports are required.

SSLi in L2 Mode
In this topology, the SSLi solution consists of the ACOS device(s) in L2 mode and the security device(s)
in L2 mode or L3 mode, and these devices sit between the client and the external gateway. All of the
devices are in the same subnet. For a single security device, four physical interfaces are required on the
ACOS device, as shown in Figure 7.

NOTE: On Thunder platforms with the older version of the FTA chipset, a cpu-process command must
be run for the L2 mode to work. For more information, see “Configuring L2 SSLi on FTA-enabled ACOS
Devices” on page 37.


FIGURE 7 SSLi Deployment in L2 Mode, Security Device in L2 Mode

In this topology, there is minimal change to the existing IP network. Each additional security device
requires two more physical interfaces on the ACOS device. Each additional security device must be in a
separate subnet for load balancing purposes.

In this topology, if the security device is in L3 mode, two separate subnets are required, as shown in
Figure 8.


FIGURE 8 SSLi Deployment in L2 Mode, Security Device in L3 Mode

SSLi in L3 Mode
This topology configures the SSLi solution as a routed hop between the client network and the external
gateway, which are on different subnets. The security device can either be deployed in an L2 or L3
mode. For a single security device, four physical interfaces are required on the ACOS device. Separate
IP addresses are required for each interface. With a single security device in L2 mode, this topology
requires three subnets, as shown in Figure 9.


FIGURE 9 SSLi Deployment in L3 Mode, Security Device in L2 Mode

For each additional security device, two more physical interfaces are required on the ACOS device.
Each additional security device must be in a separate subnet for load balancing purposes. With a single
security device in L3 mode, this topology requires four subnets, as shown in Figure 10.


FIGURE 10 SSLi Deployment in L3 Mode, Security Device in L3 Mode


SSLi for Outbound Static Port Type HTTPS

This chapter provides instructions on configuring SSL Insight (SSLi) by using an example configuration of an
outbound SSLi with a static port type HTTPS deployment. To implement the configuration, the following
deployments are discussed:

• Two ACOS devices and each with one partition

• A single ACOS device with two partitions

• A single vThunder device with two partitions

Both CLI and GUI procedures are explained.

Although A10 Networks supports a number of different types of SSLi deployments, with each deployment
supporting different SSLi features, the overall steps for configuring SSLi for each deployment are the same.

NOTE: Subsequent chapters in this document refer to the procedures documented for
Outbound SSLi with Static Port Type HTTPS—Two ACOS Devices Each With a
Single Partition. It is recommended that you understand the workflow described in
this section, even if your SSLi deployment differs from this example.

The following topics are covered:

• Prerequisites for Configuring SSLi

• Outbound SSLi with Static Port Type HTTPS—Two ACOS Devices Each With a Single Partition

• SSLi Configuration for Two ACOS Devices Each With a Single Partition (CLI)

• SSLi Configuration for Two ACOS Devices Each With a Single Partition (GUI)

• Outbound SSLi with Static Port Type HTTPS—Single ACOS Device With Two Partitions

• Outbound SSLi with Static Port Type HTTPS—Single vThunder Device With Two Partitions

Prerequisites for Configuring SSLi


To deploy the SSLi solution, the following are the prerequisites:

• A10 Networks Advanced Core Operating System (ACOS®) 4.0.1 SP9 or higher. ACOS version 4.1.0 or
higher is recommended.


• For single-partition SSLi deployments, ACOS version 4.1.1 or higher is required.

• Supported A10 Thunder or vThunder device(s). For more information on the supported ACOS devices for
deploying SSLi, refer to the SSLi Technical Specifications document at
https://www.a10networks.com/products/ssl-inspection.

• Security appliance or ICAP-based (RFC3507) antivirus or DLP solution

• A self-signed certificate or a certification authority (CA) certificate with a known private key

NOTE: If not already provisioned, push an internal PKI CA root certificate to all the client
machines.

• The ACOS device supports both CLI and GUI for configuration. Change the default management port IP
address for GUI or CLI access.

• If you are using two separate ACOS devices to deploy SSLi, make sure that both systems are configured
with management addresses. For more information on how to access an ACOS device, refer to the System
Configuration and Administration Guide.

• Unless you are using a single ACOS device with a single partition to deploy SSLi, you require two partitions,
one to decrypt SSL traffic and the second to encrypt SSL traffic. Make sure that you are on the correct
partition when creating configurations.

• In a single device solution, use the command system ve-mac-scheme system-mac to support MAC address
duplication.

Outbound SSLi with Static Port Type HTTPS—Two ACOS Devices Each With a Single Partition

In a static-port type deployment, each intercepted protocol is configured with its own static virtual port enabled
for SSLi. For example, to intercept SMTP running over SSL, the wildcard VIP configuration includes the command
line port 25 ssli where 25 is the port number identifying SMTP. For static port type SSLi deployment configured
to intercept HTTPS traffic, the wildcard VIP includes the command line port 443 https where port 443 is the port
number identifying HTTPS. In such deployments, only the traffic for the specified protocol is intercepted. All other
SSL and non-SSL traffic is bypassed.

You can configure static port inspection for both inbound and outbound traffic. The intercepted and decrypted
traffic is said to be outbound when it flows from clients in a private network to the SSL servers on the Internet. If
the traffic is intercepted and decrypted as it flows from the Internet to the client network, it is called inbound.
Inbound and outbound SSLi can also be configured together. In such a deployment, traffic flowing in both
directions is decrypted and re-encrypted. However, the command lines that configure the inbound virtual servers
must go before the command lines that configure the outbound virtual servers.


Static port inspection is supported for all three types of SSLi deployments discussed in “SSL Insight
Deployments and Topologies” on page 25.

FIGURE 11 Static Port Type HTTPS in a Two ACOS Device each with Single Partition Deployment

The following table provides the VLAN IDs, Virtual Ethernet (VE) addresses, and interfaces used to configure the
SSLi network topology illustrated in Figure 11.

TABLE 4 Details of the SSLi Deployment

Partition       Tagged VLAN   VE IP Address     Ethernet Port Number
ACOS_decrypt    10            10.10.1.2 /24     eth1
                15            10.15.1.2 /24     eth2
ACOS_encrypt    20            20.1.1.2 /24      eth2
                15            10.15.1.12 /24    eth1

In this example, the outbound SSLi with static-port type HTTPS deployment consists of two ACOS devices, each
with a single partition, and the security device set in between. The ACOS devices are in L2 mode, while the
security device is in L3 mode.

The encrypted traffic from the client is passed to the ACOS_decrypt partition. The ACOS_decrypt partition
decrypts the HTTPS traffic and forwards the clear traffic to the security device. After inspection, the security
device passes the clear traffic to the ACOS_encrypt partition. The ACOS_encrypt partition re-encrypts the HTTPS
traffic and passes it to the external gateway. All other SSL traffic is bypassed.

SSLi Configuration for Two ACOS Devices Each With a Single Partition (CLI)
In order to configure SSLi for two ACOS devices each with a single partition deployment, you must first configure
the two partitions, ACOS_decrypt and ACOS_encrypt.

Also, for a list of prerequisites, see “Prerequisites for Configuring SSLi” on page 37.

Configuration for ACOS_decrypt (CLI)

Perform the following steps for the ACOS_decrypt partition:

Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt)
Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt)
Step 3. Configuring the SSLi Services (CLI for ACOS_decrypt)
Step 4. Configuring the SSLi Service Groups (CLI for ACOS_decrypt)
Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt)

Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt)

Create tagged VLANs 10 and 15 on the ethernet 1 and ethernet 2 interfaces respectively.

1. Enable the interfaces ethernet 1 and 2 by running the following commands:
ACOS_decrypt(config)# interface ethernet 1
ACOS_decrypt(config-if:ethernet:1)# enable
ACOS_decrypt(config-if:ethernet:1)# exit

ACOS_decrypt(config)# interface ethernet 2
ACOS_decrypt(config-if:ethernet:2)# enable
ACOS_decrypt(config-if:ethernet:2)# exit

2. Create a tagged VLAN 10. Bind ethernet 1 to the tagged VLAN 10. Also, bind a virtual interface VE 10 to VLAN
10.
ACOS_decrypt(config)# vlan 10
ACOS_decrypt(config-vlan:10)# tagged ethernet 1
ACOS_decrypt(config-vlan:10)# router-interface ve 10
ACOS_decrypt(config-vlan:10)# exit

3. Create a tagged VLAN 15. Bind ethernet 2 to the tagged VLAN 15. Also, bind a virtual interface VE 15 to VLAN
15.
ACOS_decrypt(config)# vlan 15
ACOS_decrypt(config-vlan:15)# tagged ethernet 2
ACOS_decrypt(config-vlan:15)# router-interface ve 15
ACOS_decrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt)

On each VE, enable promiscuous VIP support, which is required for wildcard VIPs. When you enable promiscuous
VIP support on a VE, the option is automatically enabled on each Ethernet data port associated with the VE.
Perform the following steps:

ACOS_decrypt(config)# interface ve 10
ACOS_decrypt(config-if:ve10)# ip address 10.10.1.2 /24
ACOS_decrypt(config-if:ve10)# ip allow-promiscuous-vip
ACOS_decrypt(config-if:ve10)# exit

ACOS_decrypt(config)# interface ve 15
ACOS_decrypt(config-if:ve15)# ip address 10.15.1.2 /24
ACOS_decrypt(config-if:ve15)# exit

Step 3. Configuring the SSLi Services (CLI for ACOS_decrypt)

Create a client SSL template with forward-proxy enable configured. This configuration enables the
ACOS_decrypt device to proxy for the remote SSL servers and bring up SSL sessions with the clients.

1. Configure the client SSL template called SSLInsight_DecryptSide by running the following commands:
ACOS_decrypt(config)# slb template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS_decrypt(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# exit

NOTE: There already may be a CA Root Certificate installed. If the CA has signed the A10
certificate as a subordinate, the certificate-chaining command is used to make the
chain a trusted one.

2. Create a real server called FW1_Inspect on ACOS_decrypt. Configure the port 8080 for decrypted SSLi traffic.
ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12
ACOS_decrypt(config-real server)# port 8080 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

3. Configure wildcard ports for all non-HTTPS traffic that is to be bypassed.
ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

ACOS_decrypt(config-real server)# port 0 udp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# exit

Step 4. Configuring the SSLi Service Groups (CLI for ACOS_decrypt)

Configuring the SSLi service groups enables you to manage how the different types of traffic coming from the
clients are handled by ACOS_decrypt.

1. Create a service group named FW1_Inspect_SG for decrypted SSL traffic. The FW1_Inspect_SG service group
is configured on FW1_Inspect to forward the decrypted HTTPS traffic on port 8080 to the ACOS_encrypt device.
ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 8080
ACOS_decrypt(config-slb svc group)# exit

2. For the non-HTTPS traffic that is to be bypassed, configure two other service groups called ALL_TCP_SG for
TCP and ALL_UDP_SG for UDP traffic.
ACOS_decrypt(config)# slb service-group ALL_TCP_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_UDP_SG udp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt)

A virtual server called Decrypt_VIP is created and is associated to the wildcard outbound VIP to intercept traffic
from clients. The following virtual ports are configured on this VIP:

• 443 (HTTPS)—Intercepts SSL-encrypted traffic from the clients. Port 443 on the wildcard outbound VIP is
bound to a service group called FW1_Inspect_SG that contains the path through the security device to the
ACOS_encrypt device. Consider the following information:
• The destination NAT is disabled, and ACOS_decrypt does not change the source or destination IP
addresses of the traffic.
• Port translation is enabled and required because the ACOS device must change the destination protocol
port from 443 to the port number on which the security device listens for traffic.
• The client-SSL template is bound to the virtual port 443 HTTPS.
• 0 (TCP), 0 (UDP), and 0 (Others)—Intercepts the client traffic that is not HTTPS in the following ways:
• The TCP port intercepts all other TCP traffic from clients. The TCP wildcard port is bound to a TCP service
group called ALL_TCP_SG that contains the path through the security device to the ACOS_encrypt device.
• The UDP port intercepts all other UDP traffic from clients. The UDP wildcard port is bound to a UDP
service group called ALL_UDP_SG that contains the path through the security device to the ACOS_encrypt
device.
• The Others port intercepts the client traffic types that are not listed. The Others port is for IP traffic not
included by the TCP and UDP all-ports sections. The Others wildcard port is bound to a UDP service group
called ALL_UDP_SG that contains the path through the security device to the ACOS_encrypt device.
• The destination NAT and port translation are disabled for the aforementioned ports.

NOTE: If you replace a certificate and key in a client-SSL or server-SSL template, you must
unbind the template from the virtual ports that use it and then rebind the template
to the virtual ports.

1. Create an ACL to permit IP traffic from any source to any destination. Create the virtual server Decrypt_VIP.
Bind the wildcard VIP to the virtual server and associate the ACL with the VIP.
ACOS_decrypt(config)# access-list 100 permit ip any any vlan 10
ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100

2. Bind the port 443 to the wildcard outbound VIP and associate the port with the service group called
FW1_Inspect_SG that contains the path through the security device to the ACOS_encrypt device.
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation

3. Bind the client SSL template to the virtual port.
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# exit

4. Configure the virtual server to assign wildcard ports to incoming non-HTTPS traffic and to forward that
traffic over the non-HTTPS service groups.
ACOS_decrypt(config-slb vserver)# port 0 tcp
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_TCP_SG
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 udp
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 others
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# exit

Configuration for ACOS_encrypt (CLI)

Perform the following steps for the ACOS_encrypt partition:

Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt)
Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt)
Step 3. Configuring the SSLi Services (CLI for ACOS_encrypt)
Step 4. Configuring the SSLi Service Groups (CLI for ACOS_encrypt)
Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt)

Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt)

Create tagged VLANs 15 and 20 on the ethernet 1 and ethernet 2 interfaces respectively. Perform the following
steps:

1. Enable the interfaces ethernet 1 and 2 by running the following commands:
ACOS_encrypt(config)# interface ethernet 1
ACOS_encrypt(config-if:ethernet:1)# enable
ACOS_encrypt(config-if:ethernet:1)# exit

ACOS_encrypt(config)# interface ethernet 2
ACOS_encrypt(config-if:ethernet:2)# enable
ACOS_encrypt(config-if:ethernet:2)# exit

2. Create a tagged VLAN 20. Bind ethernet 2 to the tagged VLAN 20. Also, bind a virtual interface VE 20 to VLAN
20.
ACOS_encrypt(config)# vlan 20
ACOS_encrypt(config-vlan:20)# tagged ethernet 2
ACOS_encrypt(config-vlan:20)# router-interface ve 20
ACOS_encrypt(config-vlan:20)# exit

3. Create a tagged VLAN 15. Bind ethernet 1 to the tagged VLAN 15. Also, bind a virtual interface VE 15 to VLAN
15.
ACOS_encrypt(config)# vlan 15
ACOS_encrypt(config-vlan:15)# tagged ethernet 1
ACOS_encrypt(config-vlan:15)# router-interface ve 15
ACOS_encrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt)

On each VE, enable promiscuous VIP support, which is required for wildcard VIPs. When you enable promiscuous
VIP support on a VE, the option is automatically enabled on each Ethernet data port associated with the VE.
Perform the following steps:

ACOS_encrypt(config)# interface ve 20
ACOS_encrypt(config-if:ve20)# ip address 20.1.1.2 /24
ACOS_encrypt(config-if:ve20)# exit

ACOS_encrypt(config)# interface ve 15
ACOS_encrypt(config-if:ve15)# ip address 10.15.1.12 /24
ACOS_encrypt(config-if:ve15)# ip allow-promiscuous-vip
ACOS_encrypt(config-if:ve15)# exit

Step 3. Configuring the SSLi Services (CLI for ACOS_encrypt)

1. Create an SSL server template called SSLInsight_EncryptSide on ACOS_encrypt so that the VIP on
ACOS_encrypt can operate as an SSL client and handshake with the ExternalABC server. Enable forward
proxy services on the template to allow SSLi operation on the VIP.
ACOS_encrypt(config)# slb template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-server ssl)# forward-proxy-enable
ACOS_encrypt(config-server ssl)# exit

2. Create a real server called Default_Gateway on ACOS_encrypt. Configure port 443 for the intercepted HTTPS
traffic. ACOS_encrypt forwards the traffic on these ports over VLAN 20 to the default gateway at IP address
20.1.1.10. The default gateway has a route to the ExternalABC server.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 443 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

3. Configure wildcard ports for all non-HTTPS traffic.
ACOS_encrypt(config-real server)# port 0 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

ACOS_encrypt(config-real server)# port 0 udp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit
ACOS_encrypt(config-real server)# exit

Step 4. Configuring the SSLi Service Groups (CLI for ACOS_encrypt)

1. Create a service group called DG_SSL_SG and provide a path for the intercepted HTTPS traffic by binding the
service group to port 443 of the real server Default_Gateway.
ACOS_encrypt(config)# slb service-group DG_SSL_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 443
ACOS_encrypt(config-slb svc group)# exit

2. Create a service group called DG_TCP_SG and provide a path to Default_Gateway for all other TCP traffic by
binding the service group to the wildcard port 0 tcp.
ACOS_encrypt(config)# slb service-group DG_TCP_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

3. Create a service group called DG_UDP_SG and provide a path to Default_Gateway for all UDP traffic by binding
the service group to the wildcard port 0 udp.
ACOS_encrypt(config)# slb service-group DG_UDP_SG udp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt)

A virtual server called Encrypt_VIP is created and is associated to the wildcard VIP to intercept traffic from the
security device. The following virtual ports are configured on this VIP:

• 8080 (HTTP)—Intercepts decrypted client traffic that is allowed by the security device. Port 8080 is bound
to a service group called DG_SSL_SG that contains a member for the gateway router to the Internet. This
member consists of the router’s IP address and protocol port 443. Consider the following information:
• The destination NAT is disabled, but port translation is enabled.
• Port translation is required because ACOS_encrypt must change the destination protocol port to 443
before sending the re-encrypted traffic to the gateway router.
• 0 (TCP), 0 (UDP), and 0 (Others)—Intercepts all client traffic that is not SSL-encrypted traffic in the
following ways:
• The TCP port intercepts all other TCP traffic from clients. The TCP port is bound to a TCP service group
called DG_TCP_SG that contains a member for the gateway router to the Internet.
• The UDP port intercepts all other UDP traffic from clients.
• The Others port intercepts client traffic of types other than those listed above. The UDP wildcard port and
the Others wildcard port are bound to a UDP service group called DG_UDP_SG that contains a member for the
gateway router.
• The destination NAT and port translation are disabled for the aforementioned ports.

1. Create an ACL to permit IP traffic from any source to any destination for VLAN 15. Create a virtual server
called Encrypt_VIP and associate the ACL to the virtual server.
ACOS_encrypt(config)# access-list 101 permit ip any any vlan 15
ACOS_encrypt(config)# slb virtual-server Encrypt_VIP 0.0.0.0 acl 101

2. Bind the port 8080 to the wildcard VIP and associate the port with the service group called DG_SSL_SG that
contains the path from ACOS_encrypt to the gateway router.
ACOS_encrypt(config-slb vserver)# port 8080 http
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG

3. Bind the server SSL template to the virtual port.
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# exit

4. Create wildcard ports for all other traffic. Disable destination NAT to preserve the destination IP address on
load-balanced traffic. Bind the wildcard virtual port 0 tcp to the DG_TCP_SG service-group. Bind the wildcard
virtual port 0 udp to the DG_UDP_SG service-group. Bind the wildcard virtual port 0 others to any wildcard
service group such as DG_UDP_SG.
ACOS_encrypt(config-slb vserver)# port 0 tcp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_TCP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 udp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 others
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit
ACOS_encrypt(config-slb vserver)# exit

Configuring L2 SSLi on FTA-enabled ACOS Devices

If you provision SSLi on an FTA-enabled ACOS device with any partition that is deployed in L2 mode, configure
the interfaces by using the cpu-process command.

For example, to enable ethernet 1, run the following commands:

ACOS_decrypt(config)# interface ethernet 1
ACOS_decrypt(config-if:ethernet:1)# enable
ACOS_decrypt(config-if:ethernet:1)# cpu-process

Consolidated Configuration for Outbound SSLi with Static Port Type HTTPS
The configuration developed in the preceding section is the basic building block for other SSLi features. It is
referred to as the reference configuration for Static-Port SSLi.

Use the show running-config command to check your configuration for both ACOS_decrypt and ACOS_encrypt.

ACOS_decrypt# show running-config
!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 2
router-interface ve 15
!

hostname ACOS_decrypt
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
slb server FW1_Inspect 10.15.1.12
port 8080 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 8080
!
slb template client-ssl SSLInsight_DecryptSide
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-key
forward-proxy-enable
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 443 https
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
no-dest-nat port-translation
port 0 tcp

service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat
!
end

ACOS_encrypt# show running-config
!
access-list 101 permit ip any any vlan 15
!
vlan 20
tagged ethernet 2
router-interface ve 20
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
hostname ACOS_encrypt
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ve 20
ip address 20.1.1.2 255.255.255.0
!
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
!
slb server Default_Gateway 20.1.1.10
port 443 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp

health-check-disable
!
slb service-group DG_SSL_SG tcp
member Default_Gateway 443
!
slb service-group DG_TCP_SG tcp
member Default_Gateway 0
!
slb service-group DG_UDP_SG udp
member Default_Gateway 0
!
slb template server-ssl SSLInsight_EncryptSide
forward-proxy-enable
!
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
!
port 8080 http
no-dest-nat port-translation
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
port 0 tcp
no-dest-nat
service-group DG_TCP_SG
port 0 udp
no-dest-nat
service-group DG_UDP_SG
port 0 others
no-dest-nat
service-group DG_UDP_SG
!
end
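
The two listings above are the two halves of one traffic path: the FW1_Inspect address on ACOS_decrypt must be the promiscuous-VIP VE on ACOS_encrypt, the service-group member port (8080) must be the port Encrypt_VIP listens on, and port translation must be on for the 443 and 8080 ports while destination NAT stays off. The following Python script is an added example, not part of this guide or of ACOS, that parses the relevant lines of both running-configs (embedded here as constructed sample input) and cross-checks that hand-off; the function names are my own, and it assumes each service group has a single member, as in the reference configuration.

```python
# Constructed sample input: the decrypted-path lines of the two running-configs shown above.
DECRYPT_CFG = """
slb server FW1_Inspect 10.15.1.12
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 8080
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 443 https
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
no-dest-nat port-translation
"""

ENCRYPT_CFG = """
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
slb server Default_Gateway 20.1.1.10
slb service-group DG_SSL_SG tcp
member Default_Gateway 443
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
port 8080 http
no-dest-nat port-translation
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
"""

# Top-level commands that open a configuration block (only the ones this check needs).
TOP = ("interface ", "slb server ", "slb service-group ", "slb template ", "slb virtual-server ")

def parse(text):
    """Parse running-config text into {block header: {sub-block header or "": [lines]}}."""
    cfg, top, sub = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()                  # keys on command words, so indentation is optional
        if not line or line in ("!", "end"):
            continue
        if line.startswith(TOP):
            top, sub = line, ""
            cfg[top] = {"": []}
        elif top and line.startswith("port ") and top.startswith(("slb server", "slb virtual")):
            sub = line                      # "port 443 https" opens a sub-block
            cfg[top][sub] = []
        elif top:
            cfg[top][sub].append(line)
    return cfg

def block(cfg, *words):
    """Return (header, body) of the block whose leading command words match exactly."""
    for head, body in cfg.items():
        if head.split()[:len(words)] == list(words):
            return head, body
    raise KeyError(" ".join(words))

def vport(cfg, vs, port_line):
    """Summarise one virtual port: service group, bound template types, NAT and port flags."""
    pol = {"service_group": None, "templates": [], "dest_nat": True, "port_translation": False}
    for line in block(cfg, "slb", "virtual-server", vs)[1][port_line]:
        words = line.split()
        if words[0] == "service-group":
            pol["service_group"] = words[1]
        elif words[0] == "template":
            pol["templates"].append(words[1])   # "client-ssl" or "server-ssl"
        elif words[0] == "no-dest-nat":
            pol["dest_nat"], pol["port_translation"] = False, "port-translation" in words
    return pol

def member(cfg, sg):
    """Return (server IP, port) of the single member of a service group."""
    name, port = block(cfg, "slb", "service-group", sg)[1][""][0].split()[1:3]
    return block(cfg, "slb", "server", name)[0].split()[3], int(port)

def promiscuous_ves(cfg):
    """IP addresses of VEs with 'ip allow-promiscuous-vip', i.e. where a wildcard VIP can listen."""
    ips = set()
    for head, body in cfg.items():
        if head.startswith("interface ve") and "ip allow-promiscuous-vip" in body[""]:
            ips.update(ln.split()[2] for ln in body[""] if ln.startswith("ip address "))
    return ips

def check_handoff(decrypt_cfg, encrypt_cfg, inspect_port=8080):
    """Return findings; an empty list means both sides agree on the decrypted path."""
    d, e, findings = parse(decrypt_cfg), parse(encrypt_cfg), []
    p = vport(d, "Decrypt_VIP", "port 443 https")               # intercept port, decrypt side
    if p["dest_nat"] or not p["port_translation"] or "client-ssl" not in p["templates"]:
        findings.append("Decrypt_VIP 443: needs no-dest-nat, port-translation and a client-ssl template")
    ip, port = member(d, p["service_group"])
    if ip not in promiscuous_ves(e):
        findings.append(f"decrypt side forwards to {ip}, not a promiscuous-VIP VE on ACOS_encrypt")
    if port != inspect_port:
        findings.append(f"decrypt side forwards to port {port}, ACOS_encrypt listens on {inspect_port}")
    q = vport(e, "Encrypt_VIP", f"port {inspect_port} http")    # re-encrypt port, encrypt side
    if q["dest_nat"] or not q["port_translation"] or "server-ssl" not in q["templates"]:
        findings.append(f"Encrypt_VIP {inspect_port}: needs no-dest-nat, port-translation and a server-ssl template")
    if member(e, q["service_group"])[1] != 443:
        findings.append("Encrypt_VIP: the gateway member must translate the port back to 443")
    return findings

if __name__ == "__main__":
    print(check_handoff(DECRYPT_CFG, ENCRYPT_CFG) or "hand-off consistent")
```

Paste the real output of show running-config from each device into the two strings to run the same checks against a live deployment.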

Checking the Status and Operation of the Configuration Example

1. Run the show slb ssl-forward-proxy-cert command to check the status and operation of ACOS_decrypt.
ACOS_decrypt# show slb ssl-forward-proxy-cert Decrypt_VIP 443 all
Virtual server(VIP1 : 443):

----Start One Certificate---
Real Server : 52.8.106.9 :443 tcp
Server name: bnc.lt
state: cert verifying
----End One Certificate---

----Start One Certificate---
Real Server : 209.170.210.156 :443 tcp
Server name: stats.ebizautos.com
state: cert proxying
----End One Certificate---

----Start One Certificate---
Real Server : 54.215.175.93 :443 tcp
Server name: api.branch.io
state: ready to proxy cert
----End One Certificate---

----Start One Certificate---
Real Server : 216.58.192.46 :443 tcp
Server name: maps.google.com
state: ready
hit times : 6
idle time : 0 seconds
timeout after 3600 seconds
expires after 603641 seconds
----End One Certificate---

2. Run the show slb ssl-forward-proxy-stats command to check the SSLi counters, such as the certificates
created and expired, hit times, idle times, and the SSL connections that were inspected and those that were bypassed.
3. Run the clear slb ssl-forward-proxy-cert command to reset the ssl-forward-proxy-cert counters.
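
As an added example (not from this guide or from ACOS), the following Python script parses the show slb ssl-forward-proxy-cert output from step 1, embedded as constructed sample input, and summarises it the way a monitoring job would: records per state, servers whose forged certificate is not yet usable, and forged certificates about to expire. The record layout is taken from the output above; the one-day expiry threshold and the function names are my own.

```python
import re

# Constructed sample input: the 'show slb ssl-forward-proxy-cert' output quoted in step 1 above,
# with the blank lines removed.
SAMPLE_OUTPUT = """\
Virtual server(VIP1 : 443):
----Start One Certificate---
Real Server : 52.8.106.9 :443 tcp
Server name: bnc.lt
state: cert verifying
----End One Certificate---
----Start One Certificate---
Real Server : 209.170.210.156 :443 tcp
Server name: stats.ebizautos.com
state: cert proxying
----End One Certificate---
----Start One Certificate---
Real Server : 54.215.175.93 :443 tcp
Server name: api.branch.io
state: ready to proxy cert
----End One Certificate---
----Start One Certificate---
Real Server : 216.58.192.46 :443 tcp
Server name: maps.google.com
state: ready
hit times : 6
idle time : 0 seconds
timeout after 3600 seconds
expires after 603641 seconds
----End One Certificate---
"""

# "key : value" lines; the numeric ones carry a trailing unit word ("0 seconds") that is dropped.
FIELD = re.compile(r"^(Real Server|Server name|state|hit times|idle time)\s*:\s*(.+?)\s*$")
# "timeout after N seconds" and "expires after N seconds"
AFTER = re.compile(r"^(timeout|expires) after (\d+) seconds$")
NUMERIC = ("hit times", "idle time")


def parse_proxy_certs(text):
    """Return one dict per Start/End record, e.g. {"Server name": "bnc.lt", "state": "cert verifying"}."""
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----Start One Certificate"):
            cur = {}
        elif line.startswith("----End One Certificate"):
            certs.append(cur)
            cur = None
        elif cur is not None:
            if m := FIELD.match(line):
                key, val = m.group(1), m.group(2)
                cur[key] = int(val.split()[0]) if key in NUMERIC else val
            elif m := AFTER.match(line):
                cur[m.group(1) + "_after_s"] = int(m.group(2))
    return certs


def summarize(certs, expiry_warn_s=86400):
    """Count records per state, list servers whose forged certificate is not yet in the 'ready'
    state, and list servers whose forged certificate expires within expiry_warn_s seconds."""
    by_state = {}
    for c in certs:
        by_state[c["state"]] = by_state.get(c["state"], 0) + 1
    pending = [c["Server name"] for c in certs if c["state"] != "ready"]
    expiring = [c["Server name"] for c in certs
                if "expires_after_s" in c and c["expires_after_s"] < expiry_warn_s]
    return by_state, pending, expiring


if __name__ == "__main__":
    print(summarize(parse_proxy_certs(SAMPLE_OUTPUT)))
```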

SSLi Configuration for Two ACOS Devices Each With a Single Partition (GUI)
In order to configure SSLi for a two ACOS device single partition deployment, you must first configure the two
partitions.

Also, for a list of prerequisites, see “Prerequisites for Configuring SSLi” on page 37.

Configuration for ACOS_decrypt (GUI)

Perform the following steps for the ACOS_decrypt partition:

• “Step 1. Configuring the Network VLANs (GUI for ACOS_decrypt)” on page 52
• “Step 2. Configuring the Network IP Addresses (GUI for ACOS_decrypt)” on page 53
• “Step 3. Creating an Access List (GUI for ACOS_decrypt)” on page 53
• “Step 4. Configuring the SSLi Service (GUI for ACOS_decrypt)” on page 53
• “Step 5. Configuring the Real Server (GUI for ACOS_decrypt)” on page 54
• “Step 6. Creating the Service Group and its Members (GUI for ACOS_decrypt)” on page 55
• “Step 7. Creating the Virtual Server (GUI for ACOS_decrypt)” on page 56

Step 1. Configuring the Network VLANs (GUI for ACOS_decrypt)

Create tagged VLANs 10 and 15 on the ethernet 1 and ethernet 2 interfaces respectively.

To create VLAN 10, perform the following steps:

1. Navigate to Network > Interfaces > LAN.
2. Click Edit in the Actions column for interface 1 (Interface field).
3. On the Update Ethernet page, select Enable in the Status field.
4. Click Update.
5. Navigate to Network > VLAN.
6. Click + Create.
7. Enter 10 in the VLAN ID field.
8. Click the checkbox in the Create Virtual Interface field.
9. Select 1 from the list of interfaces in the Tagged Ethernet field.
10. Click Create VLAN.

Repeat the steps to create VLAN 15 for interface 2.

Step 2. Configuring the Network IP Addresses (GUI for ACOS_decrypt)

Configure the parameters for VE 10 by performing the following steps:

1. Navigate to Network > Interfaces > Virtual Ethernets.
2. Click Edit in the Actions column for virtual interface (ve) 10 (ifnum field).
3. Enter 10.10.1.2 in the IPv4 Address field.
4. Enter 255.255.255.0 in the NetMask field.
5. Click the icon to save the new row.
6. Click the Allow Promiscuous VIP box.
7. Click Update.

Repeat the procedure for VE 15, using the IPv4 address 10.15.1.2.

Step 3. Creating an Access List (GUI for ACOS_decrypt)

Create an ACL to permit IP traffic from any source to any destination.

1. Click Security >> Access List.
2. Click Create.
The Create Standard Access List page is displayed.
3. Enter the details:
• Access List Number: 100
• Sequence Number: 1
• Action: Permit Any for Entry
4. Click Create to create ACL 100.

Step 4. Configuring the SSLi Service (GUI for ACOS_decrypt)

In the GUI configuration, the red asterisk (*) indicates a required parameter. Some required parameters are filled
in automatically, while others must be configured manually. Before you create an SSLi service, the CA
certificate on which your proxied certificates are based must already be imported. In the CLI, the
import cert command imports certificates that can be used in the SSLi service.

NOTE: This example of GUI configuration covers only the SSLi VIP and all the other SSL
ACOS objects that are needed for the basic static-port https 443 configuration.
For a complete list of available options and their associated descriptions, refer to
the Online Help for the ACOS GUI.

1. Navigate to Security > SSLi > Services and click +Create.
The Create SSLi Service page is displayed.
2. Enter the following details:
• Type: Inside(Decrypt)
• Name: SSLInsight_DecryptSide
• Enable static port.
3. Click Next.
4. Under Basic, select Forward Proxy Enable.
5. Under SSLi proxy, select the CA cert and Key.
6. Click Next.
7. Continue clicking Next until you reach the last page, and then click Done.

Step 5. Configuring the Real Server (GUI for ACOS_decrypt)

Create a real server called FW1_Inspect on ACOS_decrypt. Configure the port 8080 for decrypted SSLi traffic.
Configure wildcard ports for all non-HTTPS traffic that is to be bypassed.

1. Go to Security >> SSLi >> Servers.
2. Click Create.
The Create Server page is displayed.
3. Enter the following details:
• Name: FW1_Inspect
• Type: IPv4
• Host: 10.15.1.12
4. Click Add Port, and enter the following details:
• Port: 8080
• Protocol: TCP
5. Click Apply under Actions.
6. Click Add Port, and enter the following details:
• Port: 0
• Protocol: TCP
7. Click Apply under Actions.
8. Click Add Port, and enter the following details:
• Port: 0
• Protocol: UDP
9. Click Apply under Actions.
10. Click OK to create the server FW1_Inspect.

Step 6. Creating the Service Group and its Members (GUI for ACOS_decrypt)

Create a service group named FW1_Inspect_SG for decrypted SSL traffic. The FW1_Inspect_SG service group is
configured on the FW1_Inspect real server to forward the decrypted HTTPS traffic on port 8080 to the
ACOS_encrypt device. The real server was created in the previous section.

1. Go to Security >> SSLi >> Service Group.
2. Click Create.
The Create Service Group page is displayed.
3. Enter the following details to create a service group named FW1_Inspect_SG:
• Name: FW1_Inspect_SG
• Protocol: TCP
4. Under Members, click Add Member.
The Create Member page is displayed.
5. Select Existing.
6. Select FW1_Inspect from the drop-down under Name and enter the following details:
• Port: 8080
• Click Apply.
The member FW1_Inspect is added to the service group.
7. Click Create again to create the Service Group.

For the non-HTTPS traffic that is to be bypassed, configure two other service groups called ALL_TCP_SG for TCP
and ALL_UDP_SG for UDP traffic.

1. Go to Security >> SSLi >> Service Group.
2. Click Create.
The Create Service Group page is displayed.
3. Enter the following details to create a service group named ALL_TCP_SG:
• Name: ALL_TCP_SG
• Protocol: TCP
4. Under Members, click Add Member.
The Create Member page is displayed.
5. Select Existing.
6. Select FW1_Inspect from the drop-down under Name and enter the following details:
• Port: 0
• Click Apply.
The member FW1_Inspect is added to the service group.
7. Click Create again to create the Service Group.

To create the service group ALL_UDP_SG, repeat the procedure with the following details:
1. Enter the following details:
• Name: ALL_UDP_SG
• Protocol: UDP
2. Under Members, click Add Member.
The Create Member page is displayed.
3. Select Existing.
4. Select FW1_Inspect from the drop-down under Name and enter the following details:
• Port: 0
• Click Apply.
The member FW1_Inspect is added to the service group.
5. Click Create again to create the Service Group.

Step 7. Creating the Virtual Server (GUI for ACOS_decrypt)


A virtual server called Decypt_VIP is created and is associated to the wildcard outbound VIP to intercept traffic
from clients. The following virtual ports are configured on this VIP:

• 443 (HTTPS)—Intercepts SSL-encrypted traffic from the clients. Port 443 on the wildcard outbound VIP is
bound to a service group called FW1_Inspect_SG that contains the path through the security device to the
ACOS_encrypt device. Consider the following information:
• The destination NAT is disabled, and ACOS_decrypt does not change the source or destination IP
addresses of the traffic.
• Port translation is enabled and required because the ACOS device must change the destination proto-
col port from 443 to the port number on which the security device listens for traffic.


• The client-SSL template is bound to the virtual port 443 HTTPS.


• 0 (TCP), 0 (UDP), and 0 (Others)—Intercepts the client traffic that is not HTTPS in the following ways:

• The TCP port intercepts all other TCP traffic from clients. The TCP wildcard port is bound to a TCP service
group called ALL_TCP_SG that contains the path through the security device to the ACOS_encrypt device.
• The UDP port intercepts all other UDP traffic from clients. The UDP wildcard port is bound to a UDP service
group called ALL_UDP_SG that contains the path through the security device to the ACOS_encrypt device.
• The Others port intercepts the client traffic types that are not listed, that is, IP traffic not covered by the
TCP and UDP wildcard ports. The Others wildcard port is bound to the UDP service group ALL_UDP_SG that
contains the path through the security device to the ACOS_encrypt device.
• The destination NAT and port translation are disabled for the aforementioned ports.

Perform the following steps:

1. Go to ADC >> SLB >> Virtual Servers.


2. Click Create.
The Create Virtual Server page is displayed.
3. Enter the following details:
• Name: Decrypt_VIP
• Enable Wildcard.
• Under Virtual Port, click Create.
The Create Virtual Port page is displayed.
4. Enter the following details:
• Protocol: HTTPS
• Port: 443
• Service Group:FW1_Inspect_SG
• Template Client SSL: SSLInsight_DecryptSide
• Enable No Dest Nat and Port Translation.
• Click Create.
5. Click Create to add another virtual port.
The Create Virtual Port page is displayed.
• Protocol: TCP
• Port: 0
• Service Group:ALL_TCP_SG


• Click Create.
6. Click Create to add another virtual port.
The Create Virtual Port page is displayed.
• Protocol: UDP
• Port: 0
• Service Group:ALL_UDP_SG
• Click Create.
7. Click Create to add another virtual port.
The Create Virtual Port page is displayed.
• Protocol: Other
• Port: 0
• Service Group:ALL_UDP_SG
• Click Create.

Configuration for ACOS_encrypt (GUI)


Perform the following steps for the ACOS_encrypt partition:

Step 1. Configuring the Network VLANs


Create tagged VLANs 15 and 20 on the ethernet 1 and ethernet 2 interfaces respectively.
Follow the instructions in “Step 1. Configuring the Network VLANs (GUI for ACOS_decrypt)” on page 52.

Step 2. Configuring the Network IP Addresses


Assign IP address 20.1.1.2 to ve 20 and IP address 10.15.1.12 to ve 15 respectively.
Follow the instructions in “Step 2. Configuring the Network IP Addresses (GUI for ACOS_decrypt)” on
page 53.

Step 3. Configuring an Access List


Create an ACL to permit IP traffic from any source to any destination for VLAN 15. Create a virtual server
called Encrypt_VIP and associate the ACL to the virtual server.
Follow the instructions in “Step 3. Creating an Access List (GUI for ACOS_decrypt)” on page 53.

Step 4. Configuring SSLi Services


Create an SSLi service called SSLInsight_EncryptSide and enable forward proxy.
Follow the instructions in “Step 4. Configuring the SSLi Service (GUI for ACOS_decrypt)” on page 53.


Step 5. Configuring the Real Server


Create a real server called Default_Gateway on ACOS_encrypt. Configure port 443 for the intercepted HTTPS
traffic. ACOS_encrypt forwards the traffic on this port over VLAN 20 to the default gateway at IP address
20.1.1.10. The default gateway has a route to the ExternalABC server.
Follow the instructions in “Step 5. Configuring the Real Server (GUI for ACOS_decrypt)” on page 54.

Step 6. Configuring the Service Groups


Create a service group called DG_SSL_SG and provide a path for the intercepted HTTPS traffic by binding the
service group to port 443 of the real server Default_Gateway.
Create a service group called DG_TCP_SG and provide a path to Default_Gateway for all other TCP traffic by
binding the service group to the wildcard port 0 tcp.
Create a service group called DG_UDP_SG and provide a path to Default_Gateway for all UDP traffic by bind-
ing the service group to the wildcard port 0 udp.
Follow the instructions in “Step 6 Creating the Service Group and its Members (GUI for ACOS_decrypt)” on
page 55.

Step 7. Creating the Virtual Server


A virtual server called Encrypt_VIP is created and is associated to the wildcard VIP to intercept traffic from
the security device. The following virtual ports are configured on this VIP:
• 8080 (HTTP)—Intercepts decrypted client traffic that is allowed by the security devices. Port 8080 is
bound to a service group called DG_SSL_SG that contains a member for the gateway router to the
Internet. This member consists of the router’s IP address and protocol port 443. Consider the following
information:
• The destination NAT is disabled, but port translation is enabled.
• Port translation is required because ACOS_encrypt must change the destination protocol port to 443
before sending the re-encrypted traffic to the gateway router.
• 0 (TCP), 0 (UDP), and 0 (Others)—Intercepts all client traffic that is not SSL-encrypted traffic in the
following ways:
• The TCP port intercepts all other TCP traffic from clients. The TCP port is bound to a TCP service group
called DG_TCP_SG that contains a member for the gateway router to the Internet.
• The UDP port intercepts all other UDP traffic from clients.
• The Others port intercepts client traffic of types other than those listed above. The UDP wildcard port
and the Others wildcard port are bound to a UDP service group called DG_UDP_SG that contains a
member for the gateway router.
• The destination NAT and port translation are disabled for the aforementioned ports.
Follow the instructions in “Step 7. Creating the Virtual Server (GUI for ACOS_decrypt)” on page 56.


Outbound SSLi with Static Port Type HTTPS—Single ACOS Device With Two Partitions

You can implement SSLi in a single device by creating a separate partition for ACOS_decrypt and ACOS_encrypt.
The deployment architecture and the flow of traffic is similar to that of “Outbound SSLi with Static Port Type
HTTPS—Two ACOS Devices Each With a Single Partition” on page 38.

SSLi Configuration for a Single ACOS Device Two-Partition Deployment (CLI)

To configure SSLi for a single device two partition deployment, perform the following steps:

1. Follow the prerequisites discussed in “Prerequisites for Configuring SSLi” on page 37.
2. To avoid duplicate MAC addresses on the VLAN that the two partitions share, run the global command
system ve-mac-scheme system-mac in the shared partition:
ACOS(config)# system ve-mac-scheme system-mac

3. Create the ACOS_encrypt and ACOS_decrypt partitions by running the following commands:
ACOS(config)# partition ACOS_encrypt id 1 application-type adc
ACOS(config-partition:ACOS_encrypt)# exit
ACOS(config)# partition ACOS_decrypt id 2 application-type adc
ACOS(config-partition:ACOS_decrypt)# exit

To configure a partition, make it the active partition. The prompt shows the selected partition; the
shared partition has no partition name in the prompt:
ACOS(config)# active-partition ACOS_encrypt
ACOS[ACOS_encrypt](config)#
ACOS[ACOS_encrypt](config)# active-partition shared
ACOS(config)#

4. Bind the VLANs as shown in “Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt)” on page 40
and continue with the remaining steps shown in “SSLi Configuration for Two ACOS Devices Each With a
Single Partition (CLI)” on page 40.

SSLi Configuration for a Single Device Two-Partition Deployment (GUI)

To configure SSLi for a single device two partition deployment, perform the following steps:

1. Follow the prerequisites discussed in “Prerequisites for Configuring SSLi” on page 37.
2. To create the ACOS_decrypt and ACOS_encrypt partitions, perform the following steps:
a. Navigate to System >> Admin Partitions.
b. Click Create+.


c. Specify ACOS_encrypt for Partition Name and 1 for the Partition ID.
d. Specify ADC for the Type.
e. Enable Shared VLAN.
f. Repeat the preceding steps for the ACOS_decrypt partition.
3. Continue with the configuration steps shown in “SSLi Configuration for Two ACOS Devices Each With a
Single Partition (GUI)” on page 52.

Outbound SSLi with Static Port Type HTTPS—Single vThunder Device With Two Partitions

The vThunder instance can run in promiscuous mode or non-promiscuous mode. By default, vThunder runs in
non-promiscuous mode in order to help optimize system performance. However, the following limitations apply
when running vThunder in non-promiscuous mode:

• VE interfaces can be bound to only 1 tagged or untagged physical interface.

• VE MAC address assignment scheme changes are not supported.

The two-partition configuration for SSLi requires VE MAC address assignment changes, and vThunder does not
support VE MAC address assignment scheme changes in non-promiscuous mode. Therefore, run the vThunder
instance in promiscuous mode. Perform the following steps:

1. To change the vThunder mode to promiscuous mode, use the following command:
ACOS(config)# system promiscuous-mode
Settings will take effect on reload. Please save the configuration by issuing the "write
memory" command followed by the "reload" command
ACOS(config)# write memory
Building configuration...
Write configuration to primary default startup-config
[OK]
ACOS(config)# exit
ACOS# reload

2. When the reload completes, enter the following command to permit VE MAC address assignment scheme
changes:
ACOS# config
ACOS(config)# system ve-mac-scheme system-mac

3. Create the ACOS_encrypt and ACOS_decrypt partitions by running the following commands:
ACOS(config)# partition ACOS_encrypt id 1 application-type adc
ACOS(config-partition:ACOS_encrypt)# exit
ACOS(config)# partition ACOS_decrypt id 2 application-type adc
ACOS(config-partition:ACOS_decrypt)# exit

To configure a partition, make it the active partition. The prompt shows the selected partition; the
shared partition has no partition name in the prompt:
ACOS(config)# active-partition ACOS_encrypt
ACOS[ACOS_encrypt](config)#
ACOS[ACOS_encrypt](config)# active-partition shared
ACOS(config)#

4. Bind the VLANs as shown in “Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt)” on page 40
and continue with the remaining steps shown in “SSLi Configuration for Two ACOS Devices Each With a
Single Partition (CLI)” on page 40.


SSLi for Outbound Static Port Type STARTTLS

This chapter describes how to configure outbound SSLi for static port type STARTTLS by using CLI.
Inbound and outbound SSLi can be configured together. In such a deployment, traffic flowing in both
directions is decrypted and re-encrypted. However, the command lines that configure the inbound
virtual servers must go before the command lines that configure the outbound virtual servers.

NOTE: To complete the procedure in the GUI, refer to the similar procedure described in “SSLi
Configuration for Two ACOS Devices Each With a Single Partition (GUI)” on page 52 and use the
consolidated CLI configuration for the STARTTLS example included in “Consolidated Configuration
for Outbound SSLi with Static Port Type STARTTLS” on page 73.

The following topics are covered:

• Outbound SSLi with Static Port Type STARTTLS—Two ACOS Devices Each With a Single Partition

• SSLi Configuration for a Two-Device Deployment, Each With a Single Partition

• Consolidated Configuration for Outbound SSLi with Static Port Type STARTTLS

Outbound SSLi with Static Port Type STARTTLS—Two ACOS Devices Each With a Single Partition

Static port inspection is supported by all SSLi deployments discussed in “SSL Insight Deployments and
Topologies” on page 25. The SSLi deployment for static port type STARTTLS intercepts XMPP, POP,
and SMTP sessions. The virtual ports are specified by using the port port-number ssli command; the
keyword ssli specifies that the port is treated as a STARTTLS type. In addition, the protocol of each
STARTTLS port (smtp, pop, or xmpp) is defined with the type keyword in an SLB SSLi template, which is
then bound to the SSLi port.

In static port type SSLi, each intercepted protocol is configured with its own static virtual port enabled
for SSLi. For example, to intercept SMTP running over SSL, the wildcard VIP configuration includes the
command line port 25 ssli, where 25 is the port number identifying SMTP.

In this example, the outbound SSLi with static port type STARTTLS deployment consists of two ACOS
devices, each with a single partition, and the security device set in between. The ACOS devices are in L2
mode, while the security device is in L3 mode. In this example, SSLi intercepts SMTP, POP, and XMPP
sessions that are running over SSL.
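The type keyword matters because each of these protocols signals the switch to TLS differently: SMTP with the STARTTLS command and a 220 reply, POP with STLS and a +OK reply, XMPP with a <starttls/> stanza answered by <proceed/>. Until that reply, the session is clear text that the decrypt device must pass through untouched; after it, the next client bytes are a TLS ClientHello that the device has to answer as a TLS proxy. The following Python script is an added illustration, not part of this guide or of ACOS: it walks a captured clear-text exchange and reports the message after which TLS begins, and it shows that a port configured with the wrong type never sees the upgrade at all. The sample exchanges are constructed.

```python
"""Where does TLS start in a STARTTLS session?

Added illustration, not A10 or ACOS code: a small state machine that walks a
captured clear-text SMTP, POP3 or XMPP exchange and reports the message after
which the TLS handshake begins.  The rules differ per protocol, which is why
each SSLi virtual port carries an `slb template ssli` with its own `type`.
The sample exchanges below are constructed.
"""
import re

# Per protocol: the client command that requests TLS and the start of the
# server reply that confirms it.  Any other reply leaves the session in clear.
UPGRADE_RULES = {
    "smtp": (re.compile(rb"^STARTTLS$", re.I), b"220"),       # RFC 3207
    "pop":  (re.compile(rb"^STLS$", re.I),     b"+OK"),       # RFC 2595
    "xmpp": (re.compile(rb"^<starttls\b"),     b"<proceed"),  # RFC 6120
}


def find_tls_start(protocol, exchange):
    """Return the index of the server message that starts TLS, or None.

    `exchange` is a list of (sender, payload) pairs in wire order, with sender
    "C" (client) or "S" (server).  The upgrade is decided by the first server
    message after the client's request; anything but the confirming reply
    (e.g. 454, -ERR, <failure/>) means the session stays in clear text.
    """
    try:
        request, proceed = UPGRADE_RULES[protocol]
    except KeyError:
        raise ValueError(f"no STARTTLS rule for type {protocol!r}") from None
    pending = False                  # client has asked, server has not answered
    for idx, (sender, payload) in enumerate(exchange):
        if sender == "C":
            pending = bool(request.match(payload.strip()))
        elif pending:
            if payload.lstrip().startswith(proceed):
                return idx
            pending = False
    return None


def split_session(protocol, exchange):
    """Split an exchange into the clear-text prefix an inspector can read as-is
    and the TLS remainder that has to be decrypted first."""
    start = find_tls_start(protocol, exchange)
    if start is None:
        return list(exchange), []
    return exchange[: start + 1], exchange[start + 1 :]


# Constructed sample exchanges.
SMTP_OK = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO client.example.test\r\n"),
    ("S", b"250-mail.example.test\r\n250 STARTTLS\r\n"),   # advertisement, not a request
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 2.0.0 Ready to start TLS\r\n"),
    ("C", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello, opaque
]
SMTP_REFUSED = SMTP_OK[:4] + [
    ("S", b"454 4.7.0 TLS not available due to temporary reason\r\n"),
    ("C", b"MAIL FROM:<alice@example.test>\r\n"),           # continues in clear
]
POP_OK = [
    ("S", b"+OK POP3 server ready\r\n"),
    ("C", b"STLS\r\n"),
    ("S", b"+OK Begin TLS negotiation\r\n"),
]
XMPP_OK = [
    ("C", b"<stream:stream to='example.test' xmlns='jabber:client' "
          b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"),
    ("S", b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
          b"</stream:features>"),
    ("C", b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"),
    ("S", b"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"),
]

if __name__ == "__main__":
    for name, proto, ex in [("smtp", "smtp", SMTP_OK), ("smtp refused", "smtp", SMTP_REFUSED),
                            ("pop", "pop", POP_OK), ("xmpp", "xmpp", XMPP_OK)]:
        print(f"{name}: TLS starts after message index {find_tls_start(proto, ex)}")
```

Running the script with the SMTP sample against the "pop" rule returns None: the STLS rule never recognizes STARTTLS, which is exactly what happens on the device when a port 25 ssli virtual port is bound to a pop-type template. The server's "250 STARTTLS" capability line is deliberately ignored, since advertising the upgrade is not the same as the client requesting it.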


FIGURE 12 Static Port Type STARTTLS in a Two-Device Deployment, Each with Single Partition

The encrypted traffic from the client is passed to the ACOS_decrypt partition. The ACOS_decrypt partition
decrypts the STARTTLS traffic and forwards the clear traffic to the security device. After inspection, the
security device passes the clear traffic to the ACOS_encrypt partition. The ACOS_encrypt partition
re-encrypts the traffic and passes it to the external gateway. All other traffic, including HTTPS on port
443, is bypassed: it passes through the security device over the wildcard ports without being decrypted.
The following table provides the VLAN IDs, Virtual Ethernet (VE) addresses, and interfaces used to
configure the SSLi network topology illustrated in Figure 12.

TABLE 5 Details of the SSLi Deployment

Partition      Tagged VLAN   VE IP Address     Ethernet Port Number
ACOS_decrypt   10            10.10.1.2 /24     eth 1
               15            10.15.1.2 /24     eth 2
ACOS_encrypt   20            20.1.1.2 /24      eth 2
               15            10.15.1.12 /24    eth 1

SSLi Configuration for a Two-Device Deployment, Each With a Single Partition

To configure SSLi for a deployment of two ACOS devices, each with a single partition, you configure the
two devices, ACOS_decrypt and ACOS_encrypt, in turn.

Also, for a list of prerequisites, see “Prerequisites for Configuring SSLi” on page 37.

Configuration for ACOS_decrypt (CLI)


Perform the following steps for the ACOS_decrypt partition:

Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt)
Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt)
Step 3. Configuring the SSLi Services (CLI for ACOS_decrypt)
Step 4. Configuring the SSLi Service Groups (CLI for ACOS_decrypt)
Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt)

Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt)


For an explanation of the procedure, refer to a similar procedure discussed in “Step 1. Configuring the
Network VLANs (CLI for ACOS_decrypt)” on page 40.

ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit
!
ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# exit
!
ACOS(config)# hostname ACOS_decrypt
ACOS_decrypt(config)# vlan 10
ACOS_decrypt(config-vlan:10)# tagged ethernet 1
ACOS_decrypt(config-vlan:10)# router-interface ve 10
ACOS_decrypt(config-vlan:10)# exit

ACOS_decrypt(config)# vlan 15
ACOS_decrypt(config-vlan:15)# tagged ethernet 2
ACOS_decrypt(config-vlan:15)# router-interface ve 15
ACOS_decrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt)


For an explanation of the procedure, refer to a similar procedure discussed in “Step 2. Configuring the
Network IP Addresses (CLI for ACOS_decrypt)” on page 41.

ACOS_decrypt(config)# interface ve 10
ACOS_decrypt(config-if:ve10)# ip address 10.10.1.2 /24
ACOS_decrypt(config-if:ve10)# ip allow-promiscuous-vip
ACOS_decrypt(config-if:ve10)# exit

ACOS_decrypt(config)# interface ve 15
ACOS_decrypt(config-if:ve15)# ip address 10.15.1.2 /24
ACOS_decrypt(config-if:ve15)# exit

Step 3. Configuring the SSLi Services (CLI for ACOS_decrypt)


1. Configure an SSLi client template, by running the following commands.
ACOS_decrypt(config)# slb template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS_decrypt(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# exit

NOTE: A CA root certificate may already be installed. If the CA has signed the A10 certificate as a
subordinate, the certificate-chaining command is used to make the chain a trusted one.

2. Configure a real server called FW1_Inspect with the IP address 10.15.1.12. This is the VE 15 address of
ACOS_encrypt (see Table 5), so traffic that ACOS_decrypt forwards to this real server reaches
ACOS_encrypt over VLAN 15 through the security device. Configure TCP ports 25, 110, and 5522 on
FW1_Inspect so that ACOS_decrypt forwards decrypted SMTP, POP, and XMPP over VLAN 15 to the
security device. All other TCP and UDP traffic is forwarded on VLAN 15 by using the wildcard ports
port 0 tcp and port 0 udp.
ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12
ACOS_decrypt(config-real server)# port 25 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 110 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 5522 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 0 udp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# exit

NOTE: You can configure ACOS_decrypt to bypass the security devices based on the website category,
client authentication, or the domain SNI (Server Name Indication). For more information, see the
relevant chapter for the specific SSLi feature.

3. Create an SSLi template for each non-HTTP protocol running over SSL that ACOS_decrypt must
intercept. The subcommand type specifies the intercepted protocols running over SSL. The default
protocol service is HTTPS.
ACOS_decrypt(config)# slb template ssli xmpp_insight
ACOS_decrypt(config-ssli)# type xmpp
ACOS_decrypt(config-ssli)# exit

ACOS_decrypt(config)# slb template ssli smtp_insight


ACOS_decrypt(config-ssli)# type smtp
ACOS_decrypt(config-ssli)# exit

ACOS_decrypt(config)# slb template ssli pop_insight


ACOS_decrypt(config-ssli)# type pop
ACOS_decrypt(config-ssli)# exit


Step 4. Configuring the SSLi Service Groups (CLI for ACOS_decrypt)


For an explanation of the procedure, refer to a similar procedure discussed in “Step 4. Configuring the
SSLi Service Groups (CLI for ACOS_decrypt)” on page 42.

The only deviation is that the service group FW1_Inspect_SG in this example is associated with ports 25,
110, and 5522, as the SSLi solution inspects SMTP, POP, and XMPP traffic.

ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp


ACOS_decrypt(config-slb svc group)# member FW1_Inspect 25
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 5522
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 110
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_TCP_SG tcp


ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_UDP_SG udp


ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt)


For an explanation of the procedure, refer to a similar procedure discussed in “Step 5. Configuring the
Virtual Server (CLI for ACOS_decrypt)” on page 42.

The only deviation is that the virtual ports port 25 ssli, port 110 ssli, and port 5522 ssli in this example
are each bound to the service group FW1_Inspect_SG, to the client-SSL template, and to the SSLi template
for their protocol (smtp_insight, pop_insight, and xmpp_insight respectively).

ACOS_decrypt(config)# access-list 100 permit ip any any vlan 10

ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100

ACOS_decrypt(config-slb vserver)# port 25 ssli


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# template ssli smtp_insight
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 110 ssli


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# template ssli pop_insight
ACOS_decrypt(config-slb vserver-vport)# exit


ACOS_decrypt(config-slb vserver)# port 5522 ssli


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# template ssli xmpp_insight
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 tcp


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_TCP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 udp


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 others


ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# exit

Configuration for ACOS_encrypt (CLI)


Perform the following steps for the ACOS_encrypt partition:

Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt)


Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt)
Step 3. Configuring the SSLi Services (CLI for ACOS_encrypt)
Step 4. Configuring the SSLi Service Groups (CLI for ACOS_encrypt)
Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt)

Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt)


ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit
!
ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# exit
!
ACOS(config)# hostname ACOS_encrypt
ACOS_encrypt(config)# vlan 20
ACOS_encrypt(config-vlan:20)# tagged ethernet 2
ACOS_encrypt(config-vlan:20)# router-interface ve 20
ACOS_encrypt(config-vlan:20)# exit

ACOS_encrypt(config)# vlan 15
ACOS_encrypt(config-vlan:15)# tagged ethernet 1
ACOS_encrypt(config-vlan:15)# router-interface ve 15
ACOS_encrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt)


ACOS_encrypt(config)# interface ve 20
ACOS_encrypt(config-if:ve20)# ip address 20.1.1.2 /24
ACOS_encrypt(config-if:ve20)# exit

ACOS_encrypt(config)# interface ve 15
ACOS_encrypt(config-if:ve15)# ip address 10.15.1.12 /24
ACOS_encrypt(config-if:ve15)# ip allow-promiscuous-vip
ACOS_encrypt(config-if:ve15)# exit

Step 3. Configuring the SSLi Services (CLI for ACOS_encrypt)


1. Create an SSL server template on ACOS_encrypt so that the VIP on ACOS_encrypt can operate as
an SSL client and handshake with the EnterpriseABC server.
ACOS_encrypt(config)# slb template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-server ssl)# forward-proxy-enable
ACOS_encrypt(config-server ssl)# exit

2. Create the real server Default_Gateway. Bind the SLB ports of the intercepted non-HTTP protocols
(ports 25, 110, and 5522) to Default_Gateway. ACOS_encrypt forwards the traffic on these ports
over VLAN 20 to the default gateway at IP address 20.1.1.10. The default gateway has a route to
the EnterpriseABC server.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 25 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

ACOS_encrypt(config-real server)# port 5522 tcp


ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

ACOS_encrypt(config-real server)# port 110 tcp


ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit
ACOS_encrypt(config-real server)# exit

3. All other UDP and TCP traffic is forwarded on VLAN 20 to the default gateway using the wildcard
ports: port 0 tcp and port 0 udp.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 0 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit


ACOS_encrypt(config-real server)# port 0 udp


ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

4. Create an SSLi template for each service protocol running over SSL that is to be intercepted.
ACOS_encrypt(config)# slb template ssli smtp_insight
ACOS_encrypt(config-ssli)# type smtp
ACOS_encrypt(config-ssli)# exit

ACOS_encrypt(config)# slb template ssli xmpp_insight


ACOS_encrypt(config-ssli)# type xmpp
ACOS_encrypt(config-ssli)# exit

ACOS_encrypt(config)# slb template ssli pop_insight


ACOS_encrypt(config-ssli)# type pop
ACOS_encrypt(config-ssli)# exit

Step 4. Configuring the SSLi Service Groups (CLI for ACOS_encrypt)


1. Provide a path for the intercepted STARTTLS traffic by creating a service group called DG_SSL_SG
and binding it to ports 25, 5522, and 110 of the SLB real server Default_Gateway.
ACOS_encrypt(config)# slb service-group DG_SSL_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 25
ACOS_encrypt(config-slb svc group)# member Default_Gateway 5522
ACOS_encrypt(config-slb svc group)# member Default_Gateway 110
ACOS_encrypt(config-slb svc group)# exit

2. Provide a path to the default gateway for all other traffic by creating two service groups called
DG_TCP_SG and DG_UDP_SG.
ACOS_encrypt(config)# slb service-group DG_TCP_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

ACOS_encrypt(config)# slb service-group DG_UDP_SG udp


ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit


Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt)


For an explanation of the procedure, refer to a similar procedure discussed in “Step 5. Configuring the
Virtual Server (CLI for ACOS_encrypt)” on page 46.

The only deviation is that the virtual ports port 25 ssli, port 110 ssli, and port 5522 ssli in this example
are configured on the virtual server Encrypt_VIP, each bound to the service group DG_SSL_SG, to the
server-SSL template, and to the SSLi template for its protocol.

ACOS_encrypt(config)# access-list 101 permit ip any any vlan 15

ACOS_encrypt(config)# slb virtual-server Encrypt_VIP 0.0.0.0 acl 101

ACOS_encrypt(config-slb vserver)# port 25 ssli


ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# template ssli smtp_insight
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 110 ssli


ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# template ssli pop_insight
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 5522 ssli


ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssl SSLInsight_EncryptSide
ACOS_encrypt(config-slb vserver-vport)# template ssli xmpp_insight
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 tcp


ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_TCP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 udp


ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 others


ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit


ACOS_encrypt(config-slb vserver)# exit
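The procedure above spreads one set of STARTTLS ports across two devices, and a mismatch between them (a port intercepted on one side only, an SSLi template of the wrong type, a misnamed SSL template, a virtual port without no-dest-nat, an incomplete set of wildcard ports) only shows up later as broken mail or XMPP sessions. The following Python script is an added example, not A10 or ACOS code: it parses the show running-config text of both devices and checks those invariants before the configuration goes live. The two sample configurations embedded in it are constructed, abbreviated from this chapter to a single STARTTLS port (25, SMTP); the real-server and member lines are omitted because the checks do not use them, and the encrypt-side sample is derived from the decrypt-side one by renaming objects, which mirrors how the two devices are configured in this chapter.

```python
"""Consistency checks for the two-device STARTTLS SSLi configuration.
Added example, not A10 or ACOS code: it parses `show running-config` text from
ACOS_decrypt and ACOS_encrypt and verifies the invariants the procedure relies on."""
from collections import defaultdict

WILDCARDS = {(0, "tcp"), (0, "udp"), (0, "others")}   # bypass path for everything else


def parse_slb(text):
    """Reduce a running-config to the SLB objects the checks need."""
    cfg = {"groups": {}, "ssli": {}, "tmpl": defaultdict(set), "vports": {}}
    kind = ctx = None                  # current slb block type and the object being filled
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "slb":
            kind = tok[1]
            if kind == "service-group":
                cfg["groups"][tok[2]] = tok[3]                 # name -> tcp | udp
            elif kind == "template" and tok[2] == "ssli":
                kind, ctx = "ssli", tok[3]
            elif kind == "template":
                cfg["tmpl"][tok[2]].add(tok[3])                # client-ssl / server-ssl names
        elif kind == "ssli" and tok[0] == "type":
            cfg["ssli"][ctx] = tok[1]                          # template -> smtp | pop | xmpp
        elif kind == "virtual-server":
            if tok[0] == "port":                               # e.g. "port 25 ssli"
                ctx = cfg["vports"][(int(tok[1]), tok[2])] = {"tmpl": {}, "ndn": False}
            elif tok[0] == "service-group":
                ctx["group"] = tok[1]
            elif tok[0] == "template":                         # "template client-ssl NAME"
                ctx["tmpl"][tok[1]] = tok[2]
            elif tok[0] == "no-dest-nat":
                ctx["ndn"] = True
    return cfg


def check_side(cfg, side):
    """Per-device checks; `side` is "decrypt" or "encrypt"."""
    ssl_kind = "client-ssl" if side == "decrypt" else "server-ssl"
    out = []
    for (port, proto), vp in cfg["vports"].items():
        where = f"{side} port {port} {proto}"
        if not vp["ndn"]:
            out.append(f"{where}: destination NAT must be disabled")
        if proto == "ssli":
            if vp["tmpl"].get(ssl_kind) not in cfg["tmpl"][ssl_kind]:
                out.append(f"{where}: missing or undefined {ssl_kind} template")
            if vp["tmpl"].get("ssli") not in cfg["ssli"]:
                out.append(f"{where}: missing or undefined ssli template")
        ok = ("udp",) if proto == "udp" else ("tcp",) if proto in ("tcp", "ssli") else ("tcp", "udp")
        if cfg["groups"].get(vp.get("group")) not in ok:
            out.append(f"{where}: service group missing, undefined or of the wrong protocol")
    if WILDCARDS - set(cfg["vports"]):
        out.append(f"{side}: wildcard ports 0 tcp/udp/others incomplete, bypass path broken")
    return out


def check_pair(decrypt_text, encrypt_text):
    """Both devices, plus agreement on which ports are STARTTLS and of which type."""
    dec, enc = parse_slb(decrypt_text), parse_slb(encrypt_text)
    out = check_side(dec, "decrypt") + check_side(enc, "encrypt")
    d, e = [{p: c["ssli"].get(vp["tmpl"].get("ssli"))          # port -> STARTTLS type
             for (p, proto), vp in c["vports"].items() if proto == "ssli"} for c in (dec, enc)]
    for p in sorted(d.keys() ^ e.keys()):
        out.append(f"port {p} ssli: intercepted on one device only")
    for p in sorted(d.keys() & e.keys()):
        if d[p] != e[p]:
            out.append(f"port {p} ssli: type {d[p]} on decrypt but {e[p]} on encrypt")
    return out


# Constructed sample, abbreviated from this chapter to a single STARTTLS port (25, SMTP).
DECRYPT_CFG = """
slb template ssli smtp_insight
  type smtp
slb service-group ALL_TCP_SG tcp
slb service-group ALL_UDP_SG udp
slb service-group FW1_Inspect_SG tcp
slb template client-ssl SSLInsight_DecryptSide
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
  port 0 tcp
    service-group ALL_TCP_SG
    no-dest-nat
  port 0 udp
    service-group ALL_UDP_SG
    no-dest-nat
  port 0 others
    service-group ALL_UDP_SG
    no-dest-nat
  port 25 ssli
    service-group FW1_Inspect_SG
    template client-ssl SSLInsight_DecryptSide
    template ssli smtp_insight
    no-dest-nat
"""
# The encrypt device mirrors it with its own object names and a server-SSL template.
ENCRYPT_CFG = DECRYPT_CFG
for _old, _new in [("FW1_Inspect_SG", "DG_SSL_SG"), ("ALL_TCP_SG", "DG_TCP_SG"),
                   ("ALL_UDP_SG", "DG_UDP_SG"), ("client-ssl", "server-ssl"),
                   ("Decrypt", "Encrypt"), ("acl 100", "acl 101")]:
    ENCRYPT_CFG = ENCRYPT_CFG.replace(_old, _new)
```

check_pair(DECRYPT_CFG, ENCRYPT_CFG) returns an empty list for the consistent pair. Changing the encrypt-side template to type pop, binding a virtual port to a server-SSL template name that is never defined, or dropping a no-dest-nat or the port 0 others wildcard each produces a finding naming the device and virtual port. The parser relies on the ACOS keyword that starts each line rather than on indentation, so it also works on running-config text whose leading spaces were lost in copy and paste.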

Consolidated Configuration for Outbound SSLi with Static Port Type STARTTLS

Use the show running-config command to check your configuration for both ACOS_decrypt and
ACOS_encrypt.

ACOS_decrypt# show running-config


!Current configuration: 811 bytes
!!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 2
router-interface ve 15
!
hostname ACOS_decrypt
!
interface management
ip address dhcp
!
interface ethernet 1
enable
interface ethernet 2
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
slb template ssli xmpp_insight
type xmpp
!


slb template ssli smtp_insight


type smtp
!
slb template ssli pop_insight
type pop
!
slb server FW1_Inspect 10.15.1.12
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 25 tcp
health-check-disable
port 110 tcp
health-check-disable
port 5522 tcp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 25
member FW1_Inspect 5522
member FW1_Inspect 110
!
slb template client-ssl SSLInsight_DecryptSide
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-key
forward-proxy-enable
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 0 tcp
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat


port 25 ssli
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
template ssli smtp_insight
no-dest-nat
port 110 ssli
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
template ssli pop_insight
no-dest-nat
port 5522 ssli
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
template ssli xmpp_insight
no-dest-nat
!
end

ACOS_encrypt# show running-config
!Current configuration: 485 bytes
!
access-list 101 permit ip any any vlan 15
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
vlan 20
tagged ethernet 2
router-interface ve 20
!
hostname ACOS_encrypt
!
interface management
ip address dhcp
!
interface ethernet 1
enable
interface ethernet 2
enable
!
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
!


interface ve 20
ip address 20.1.1.2 255.255.255.0
!
slb template server-ssl SSLInsight_EncryptSide
forward-proxy-enable
!
slb template ssli xmpp_insight
type xmpp
!
slb template ssli smtp_insight
type smtp
!
slb template ssli pop_insight
type pop
!
slb server Default_Gateway 20.1.1.10
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 25 tcp
health-check-disable
port 110 tcp
health-check-disable
port 5522 tcp
health-check-disable
!
slb service-group DG_SSL_SG tcp
member Default_Gateway 25
member Default_Gateway 5522
member Default_Gateway 110
!
slb service-group DG_TCP_SG tcp
member Default_Gateway 0
!
slb service-group DG_UDP_SG udp
member Default_Gateway 0
!
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
port 0 tcp
service-group DG_TCP_SG
no-dest-nat
port 0 udp


service-group DG_UDP_SG
no-dest-nat
port 0 others
service-group DG_UDP_SG
no-dest-nat
port 25 ssli
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
template ssli smtp_insight
no-dest-nat
port 110 ssli
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
template ssli pop_insight
no-dest-nat
port 5522 ssli
service-group DG_SSL_SG
template server-ssl SSLInsight_EncryptSide
template ssli xmpp_insight
no-dest-nat
!
end
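Before trusting a consolidated configuration like the two above, a practitioner normally wants a mechanical cross-check of the references in it, because a service group that points at a real-server port that was never defined, or a UDP virtual port bound to a TCP service group, silently breaks the traffic path. The script below is an added example and not A10 code or anything from this guide: it parses the subset of show running-config syntax used here (slb server, slb service-group, slb template, slb virtual-server) and reports service-group members without a matching real-server port, virtual ports bound to a missing or wrong-protocol service group, missing templates, and ssli virtual ports with no client-ssl or server-ssl template. The configuration text embedded in it is constructed for the example, modelled on ACOS_decrypt above, with two deliberate faults.

```python
"""Cross-check an ACOS SSLi running-config for dangling references.

Added example, not A10 code. Parses the subset of `show running-config`
syntax used in this guide and reports references that would break the
traffic path: service-group members without a matching real-server port,
virtual ports bound to a missing or wrong-protocol service group, missing
templates, and ssli virtual ports with no client-ssl/server-ssl template.
"""
import sys

# Constructed sample modelled on ACOS_decrypt above, with two deliberate
# faults: member port 5522 is not defined on FW1_Inspect, and the UDP
# wildcard vport is bound to a TCP service group.
SAMPLE_CONFIG = """\
slb template ssli smtp_insight
type smtp
!
slb server FW1_Inspect 10.15.1.12
port 0 tcp
health-check-disable
port 25 tcp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 25
member FW1_Inspect 5522
!
slb template client-ssl SSLInsight_DecryptSide
forward-proxy-enable
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 0 udp
service-group ALL_TCP_SG
no-dest-nat
port 25 ssli
service-group FW1_Inspect_SG
template client-ssl SSLInsight_DecryptSide
template ssli smtp_insight
no-dest-nat
!
"""


def parse(config_text):
    """Collect real servers, service groups, templates and virtual ports."""
    servers, groups, templates, vports = {}, {}, set(), []
    block = None  # (kind, name) of the slb object whose sub-commands follow
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "slb":
            kind, name = tok[1], tok[2]
            if kind == "server":
                servers[name] = set()                      # (port, proto) pairs
            elif kind == "service-group":
                groups[name] = {"proto": tok[3], "members": []}
            elif kind == "template":
                name = (tok[2], tok[3])                     # (template kind, name)
                templates.add(name)
            block = (kind, name)
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "server" and tok[0] == "port":
            servers[name].add((int(tok[1]), tok[2]))
        elif kind == "service-group" and tok[0] == "member":
            groups[name]["members"].append((tok[1], int(tok[2])))
        elif kind == "virtual-server":
            if tok[0] == "port":
                vports.append({"vip": name, "port": int(tok[1]), "proto": tok[2],
                               "service_group": None, "templates": []})
            elif tok[0] == "service-group":
                vports[-1]["service_group"] = tok[1]
            elif tok[0] == "template":
                vports[-1]["templates"].append((tok[1], tok[2]))
    return servers, groups, templates, vports


def check(config_text):
    """Return a list of human-readable findings (empty when the config is consistent)."""
    servers, groups, templates, vports = parse(config_text)
    findings = []
    for gname, g in groups.items():
        for srv, port in g["members"]:
            if srv not in servers:
                findings.append(f"service-group {gname}: member server {srv} is not defined")
            elif (port, g["proto"]) not in servers[srv]:
                findings.append(f"service-group {gname}: port {port} {g['proto']} "
                                f"is not configured on server {srv}")
    for vp in vports:
        where = f"virtual-server {vp['vip']} port {vp['port']} {vp['proto']}"
        sg = vp["service_group"]
        if sg is None:
            findings.append(f"{where}: no service-group bound")
        elif sg not in groups:
            findings.append(f"{where}: service-group {sg} is not defined")
        elif vp["proto"] != "others":                 # 'others' vports accept either protocol
            want = "udp" if vp["proto"] == "udp" else "tcp"
            if groups[sg]["proto"] != want:
                findings.append(f"{where}: service-group {sg} is {groups[sg]['proto']}, "
                                f"but a {vp['proto']} vport needs {want}")
        for kind, name in vp["templates"]:
            if (kind, name) not in templates:
                findings.append(f"{where}: template {kind} {name} is not defined")
        if vp["proto"] == "ssli" and not any(k in ("client-ssl", "server-ssl")
                                             for k, _ in vp["templates"]):
            findings.append(f"{where}: ssli vport has no client-ssl or server-ssl template")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in check(text) or ["no dangling references found"]:
        print(line)
```

Save the output of show running-config from each device to a file and pass its path as the first argument; with no argument the script checks the embedded sample and reports its two planted faults. Run it against both ACOS_decrypt and ACOS_encrypt, since a port present on one side's real server but missing on the other's is the usual way these deployments fail.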


SSLi for Inbound Static-Port Type HTTPS

Inbound SSL Insight (SSLi) refers to intercepting and decrypting SSL/TLS traffic that originates on the Internet and is destined for your internal SSL web application servers, so that the incoming traffic can be inspected.

The following topics are covered:

• Example Configuration

• Configuration Steps

Example Configuration
This section provides detailed steps for configuring SSLi to transparently intercept HTTPS traffic from Internet clients, decrypt it so that it can be inspected at the firewall, re-encrypt it, and forward it to the SSL server that the clients are trying to reach. The example in this chapter intercepts only HTTPS sessions: using virtual port type HTTPS, the virtual ports are specified with the port 443 https command, and all other SSL and non-SSL traffic is bypassed.

The topology for this example is illustrated in Figure 13.


Topology of the Example

Figure 13 below illustrates the topology of the configuration described in this chapter.

FIGURE 13 Example of Inbound SSLi Network Topology

[Figure: inbound SSLi path, left to right: Internet (encrypted) to the External SSLi device (88.2.0.2 on the Internet side, 10.10.10.1 on the inside); decrypted traffic between the External and Internal SSLi devices; the Internal SSLi device (10.10.10.2 on the inside, 10.4.4.2 toward the firewall); re-encrypted traffic to the Firewall (10.4.4.1, with 10.1.1.1, 10.2.2.1 and 10.3.3.1 on the server subnets); and the servers www-1.a10networks.com 10.1.1.10/24, www-2.a10networks.com 10.2.2.20/24 and www-3.a10networks.com 10.3.3.30/24.]

In the SSLi configuration in this chapter, the clients connect to SSL servers running on a private network behind a firewall. The sessions connect "inbound" to the private network.

Inbound and outbound SSLi can be configured together, in which case traffic flowing in both directions is decrypted and re-encrypted. However, the command lines that configure the inbound virtual servers must come before the command lines that configure the outbound virtual servers. For the configuration of outbound SSLi, refer to "Static-Port Type HTTPS SSLi."

Configuration Steps

Configure the External Inbound ACOS device


1. Before beginning this configuration, you must import the certificates and private keys of the SSL/TLS servers for which SSLi will decrypt and re-encrypt traffic. In the configuration that follows, each server is mapped by domain to a certificate and private key pair, and a default certificate and corresponding private key are also configured. See the "SSL Insight Introduction" chapter for information on importing certificates and keys.


2. Configure the access lists. Traffic coming from the Internet is filtered to permit traffic going to the
following three private networks.

access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255

3. Configure virtual Ethernet interface 882, which faces the Internet, with the public IP address 88.2.0.2, and a second virtual Ethernet interface, 100, which faces the internal SSLi device and the private networks behind the firewall, with the IP address 10.10.10.1. Promiscuous VIP mode is enabled on ve 882 because that is the interface on which the wildcard VIP receives traffic from the Internet.

vlan 100
untagged ethernet 52
router-interface ve 100
!
vlan 882
untagged ethernet 51
router-interface ve 882
!
hostname Ext-Inbound-SSLi
!
timezone America/Los_Angeles
!
ntp server 10.101.4.10
!
interface management
ip address 10.101.6.190 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 51
enable
!
interface ethernet 52
enable
!
interface ve 100
ip address 10.10.10.1 255.255.255.0
!
interface ve 882
ip address 88.2.0.2 255.255.255.0
ip allow-promiscuous-vip
!

4. Configure a default route to the Internet router (88.2.0.1) and static routes to the private networks via the internal SSLi device (10.10.10.2).

ip route 0.0.0.0 /0 88.2.0.1
ip route 10.1.1.0 /24 10.10.10.2
ip route 10.2.2.0 /24 10.10.10.2
ip route 10.3.3.0 /24 10.10.10.2
ip route 10.4.4.0 /24 10.10.10.2
!

5. Configure the client-SSL template with SNI-mapped certificate and key pairs. If a client includes the Server Name Indication (SNI) extension in its ClientHello, ACOS terminates the client's SSL session with the certificate and key mapped to the domain the client requested; a client that sends no SNI, or requests a domain with no mapping, gets the default certificate and key.

In the client-ssl template, each mapping is one server line:

• server <domain> certificate <cert-name> key <key-name> [pass-phrase <pass-phrase-str>] [chain-cert <chain-cert-name>]

The certificate and key must be given on the same line because they are created together.

slb template client-ssl inbound-ssli
server abc.com certificate cert1 key key1 pass-phrase Pass1 chain-cert Cert1
server xyz.com certificate cert2 key key2 pass-phrase Pass2 chain-cert Cert2
cert default-cert
key default-key
!

6. Configure a real server for the next hop toward the firewall and the private networks (10.10.10.2, the internal SSLi device in Figure 13) with three protocol ports. Port 8080 tcp carries the traffic that the port 443 https virtual port decrypts; port 0 tcp and port 0 udp carry all other traffic.

slb server gw2-bp 10.10.10.2
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
!
slb service-group gw2-bp-8080 tcp
member gw2-bp 8080
!
slb service-group gw2-bp-tcp tcp
member gw2-bp 0
!
slb service-group gw2-bp-udp udp
member gw2-bp 0
!

7. Configure the virtual server with the ports configured in the previous step, and assign the service groups that forward each port's traffic. On every virtual port, use-rcv-hop-for-resp sends replies to clients back through the hop on which the request for that virtual port's service was received, and no-dest-nat preserves the original destination IP address when the traffic is forwarded. On the port 443 https virtual port, port-translation additionally rewrites the destination port to the real-server port in the service group (8080) while the destination address is still kept.

slb virtual-server vip1-ext 0.0.0.0 acl 101
port 0 tcp
service-group gw2-bp-tcp
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
service-group gw2-bp-udp
use-rcv-hop-for-resp
no-dest-nat
port 0 others
service-group gw2-bp-udp
use-rcv-hop-for-resp
no-dest-nat
port 443 https
service-group gw2-bp-8080
use-rcv-hop-for-resp
template client-ssl inbound-ssli
no-dest-nat port-translation

8. Use the show running-config command to check your configuration of the external ACOS device.

Ext-Inbound# show running-config
!
access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255
!
vlan 100
untagged ethernet 52
router-interface ve 100
!
vlan 882
untagged ethernet 51
router-interface ve 882
!
hostname Ext-Inbound-SSLi
!
timezone America/Los_Angeles
!
ntp server 10.101.4.10
!
interface management
ip address 10.101.6.190 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 51
enable
!
interface ethernet 52
enable
!
interface ve 100
ip address 10.10.10.1 255.255.255.0
!
interface ve 882
ip address 88.2.0.2 255.255.255.0
ip allow-promiscuous-vip
!
ip route 0.0.0.0 /0 88.2.0.1
ip route 10.1.1.0 /24 10.10.10.2
ip route 10.2.2.0 /24 10.10.10.2
ip route 10.3.3.0 /24 10.10.10.2
ip route 10.4.4.0 /24 10.10.10.2
!
slb template client-ssl inbound-ssli
server abc.com cert cert1 key key1
server xyz.com cert cert2 key key2
cert default-cert
key default-key
!
slb server gw2-bp 10.10.10.2
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
!
slb service-group gw2-bp-8080 tcp
member gw2-bp 8080
!
slb service-group gw2-bp-tcp tcp
member gw2-bp 0
!
slb service-group gw2-bp-udp udp
member gw2-bp 0
!


slb virtual-server vip1-ext 0.0.0.0 acl 101
port 0 tcp
service-group gw2-bp-tcp
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
service-group gw2-bp-udp
use-rcv-hop-for-resp
no-dest-nat
port 0 others
service-group gw2-bp-udp
use-rcv-hop-for-resp
no-dest-nat
port 443 https
service-group gw2-bp-8080
use-rcv-hop-for-resp
template client-ssl inbound-ssli
no-dest-nat port-translation
!

Configure the Internal Inbound ACOS device


1. Configure the access lists. Traffic coming from the Internet is filtered to permit traffic going to the
following three private networks.

access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255

2. Configure virtual Ethernet interface 100, facing the inbound traffic from the external SSLi device, with the IP address 10.10.10.2, and a second virtual Ethernet interface, 104, facing the private networks, with the private IP address 10.4.4.2. Promiscuous VIP mode is enabled on ve 100 because that is the interface on which the wildcard VIP receives the inbound traffic.

vlan 100
untagged ethernet 52
router-interface ve 100
!
vlan 104
untagged ethernet 51
router-interface ve 104
!
hostname Int-Inbound-SSLi
!
timezone America/Los_Angeles
!

ntp server 10.101.4.10
!
interface management
ip address 10.101.6.191 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 51
enable
!
interface ethernet 52
enable
!
interface ve 100
ip address 10.10.10.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 104
ip address 10.4.4.2 255.255.255.0
!

3. Configure a default route back toward the external SSLi device (10.10.10.1) and static routes to the private networks via the internal gateway (10.4.4.1), then configure that gateway as a real server and define the service groups that forward traffic to it.

ip route 0.0.0.0 /0 10.10.10.1
ip route 10.1.1.0 /24 10.4.4.1
ip route 10.2.2.0 /24 10.4.4.1
ip route 10.3.3.0 /24 10.4.4.1
!
slb server internal-gw 10.4.4.1
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group internal-gw-443 tcp
member internal-gw 443
!
slb service-group internal-gw-tcp tcp
member internal-gw 0
!
slb service-group internal-gw-udp udp
member internal-gw 0
!

4. Configure the server-SSL template that re-establishes the SSL sessions intercepted by the external ACOS device. With forward-proxy-enable, the internal device opens a new SSL session to the real server for each decrypted session it receives.

slb template server-ssl inbound-ssli
forward-proxy-enable
!

5. Configure the virtual server that re-encrypts the traffic received on port 8080 http and forwards it to the servers on port 443. Non-SSL sessions are received on the wildcard ports 0 tcp, 0 udp and 0 others.

slb virtual-server vip1-int 0.0.0.0 acl 101
port 0 tcp
service-group internal-gw-tcp
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
service-group internal-gw-udp
use-rcv-hop-for-resp
no-dest-nat
port 0 others
service-group internal-gw-udp
use-rcv-hop-for-resp
no-dest-nat
port 8080 http
service-group internal-gw-443
use-rcv-hop-for-resp
template server-ssl inbound-ssli
no-dest-nat port-translation
!

6. Use the show running-config command to check your configuration of the internal ACOS device.

Int-Inbound# show running-config
!
access-list 101 permit ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.3.3.0 0.0.0.255
!
vlan 100
untagged ethernet 52
router-interface ve 100
!
vlan 104
untagged ethernet 51
router-interface ve 104
!
hostname Int-Inbound-SSLi
!
timezone America/Los_Angeles
!

ntp server 10.101.4.10
!
interface management
ip address 10.101.6.191 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 51
enable
!
interface ethernet 52
enable
!
interface ve 100
ip address 10.10.10.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 104
ip address 10.4.4.2 255.255.255.0
!
ip route 0.0.0.0 /0 10.10.10.1
ip route 10.1.1.0 /24 10.4.4.1
ip route 10.2.2.0 /24 10.4.4.1
ip route 10.3.3.0 /24 10.4.4.1
!
slb server internal-gw 10.4.4.1
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group internal-gw-443 tcp
member internal-gw 443
!
slb service-group internal-gw-tcp tcp
member internal-gw 0
!
slb service-group internal-gw-udp udp
member internal-gw 0
!
slb template server-ssl inbound-ssli
forward-proxy-enable
!
slb virtual-server vip1-int 0.0.0.0 acl 101
port 0 tcp
service-group internal-gw-tcp


use-rcv-hop-for-resp
no-dest-nat
port 0 udp
service-group internal-gw-udp
use-rcv-hop-for-resp
no-dest-nat
port 0 others
service-group internal-gw-udp
use-rcv-hop-for-resp
no-dest-nat
port 8080 http
service-group internal-gw-443
use-rcv-hop-for-resp
template server-ssl inbound-ssli
no-dest-nat port-translation
!


Dynamic-Port SSLi

The following topics are covered:

• Dynamic-Port SSLi Overview

• Example Configuration: Dynamic-Port SSLi

• Dynamic Port Inspection Based on DSCP

• Related Information

Dynamic-Port SSLi Overview


In dynamic-port SSLi, all protocols running over SSL are intercepted. Figure 14 below illustrates the overall DSCP dynamic-port SSLi configuration topology and the IP addresses of the configuration elements. In this example, the security device is operating in layer-2 mode.

FIGURE 14 DSCP Dynamic-Port SSLi Example Topology


Configuring ACOS_Decrypt Virtual Server and Service Groups


The following virtual server and service groups are configured.

• Clients_VIP SLB Virtual Server–Provides the SSL forward proxy service that enables ACOS_decrypt to proxy for the remote SSL servers and bring up SSL sessions with the clients. SSL traffic from the clients arriving on unknown ports is decrypted and forwarded to the Outbound-SSLi-0 service group, whereas bypassed and non-SSL traffic is forwarded to either the Outbound-TCP service group or the Outbound-UDP service group. SSL traffic arriving on the standard SSL vPort (443) is decrypted and forwarded to the Outbound-SSLi-443 service group.
• Outbound-SSLi-0 SLB Service Group–Marks all decrypted SSL traffic arriving on unknown TCP ports with a custom DSCP value (6 in this example) and forwards it to the security device.
• Outbound-SSLi-443 SLB Service Group–Marks all decrypted SSL traffic arriving on known SSL ports (443 in this example) with the same custom DSCP value (6) and forwards it to the security device.
• Outbound-TCP and Outbound-UDP SLB Service Groups–Mark all other TCP and UDP traffic with a different custom DSCP value (4 in this example) and forward it to the security device. This stream includes non-SSL traffic as well as any SSL traffic that was deliberately bypassed in the SSLi configuration.

Configuring ACOS_encrypt Virtual Server and Service Groups


The following virtual server and service groups are configured.

• Encrypt_SSLi_VIP wildcard SLB Virtual Server–Provides the server-SSL service for decrypted traffic that enables ACOS_encrypt to establish SSL connections with the remote SSL servers through the Gateway SLB real server, completing end-to-end SSL connectivity.
• Outside_nonSSLi_VIP wildcard SLB Virtual Server–Forwards all bypassed and non-SSL traffic arriving at the outside ACOS to the Gateway SLB real server.
• Outbound-SSLi-8080 SLB Service Group–Forwards all decrypted traffic arriving on static port 8080 to the Internet default gateway on port 443, after re-encryption.
• Outbound-TCP and Outbound-UDP SLB Service Groups–Forward all other non-SSL traffic, as well as re-encrypted traffic from the wildcard tcp-proxy vPort, to the Internet default gateway.

Configuration Logic
Dynamic-Port SSLi is configured in parallel with SSLi over known ports, so you need to address three flows:

• SSL traffic arriving on known ports–This is addressed by the standard static-port SSLi configuration; however, you must explicitly tag this traffic as decrypted using a custom DSCP value (dscp=6 in this example).
• SSL traffic arriving on unknown ports–This is addressed by the Dynamic-Port SSLi configuration, and all decrypted traffic is tagged using the same custom DSCP value (dscp=6).
• All SSLi-bypassed and non-SSL (TCP, UDP, ICMP, etc.) traffic arriving on unknown ports–This is addressed with wildcard vPorts and service groups; however, you must explicitly tag this traffic as non-SSL using a different custom DSCP value (dscp=4 in this example).

Figure 15 below illustrates the overall DSCP dynamic-port SSLi configuration logic.

FIGURE 15 DSCP Dynamic-Port SSLi Configuration Logic

Example Configuration: Dynamic-Port SSLi


Inside ACOS Configuration Summary

ACOS_decrypt is configured as the client-facing device. Key configuration elements include the following:

1. Define an access list to identify the traffic of interest.
2. Import a proxied CA certificate and the certificate's private key. This certificate must be trusted by the clients.
3. Define two SLB port templates for marking DSCP values. In this example, dscp=6 marks decrypted traffic and dscp=4 marks all bypassed traffic.
!
slb template port decrypt-dscp-6
dscp 6
!
slb template port non-ssli-dscp-4
dscp 4

4. Create an SLB real server for a path through the security device for all TCP and UDP traffic.
!
slb server FW1 10.10.2.20
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable

5. Define an SLB service group for all TCP traffic and bind the dscp=4 port template under it. This service group will be used for all bypassed TCP traffic.
6. Define an SLB service group for all UDP traffic and bind the dscp=4 port template under it. This service group will be used for all UDP traffic.
7. Define an SLB service group for wildcard TCP port 0 and bind the dscp=6 port template under it. This service group will be used for decrypted TCP traffic that arrived on unknown ports.
8. Define an SLB service group for TCP port 8080 and bind the dscp=6 port template under it. This service group will be used for decrypted traffic that arrived on the known HTTPS port (443).
9. Configure the client-SSL template. You must complete the following tasks:
a. Enable SSL Insight support.
b. Add the proxied CA certificate.
c. Add the CA certificate's private key.
d. Bind the service group for bypassed TCP traffic (non-ssl-bypass).
10. Configure a wildcard VIP to capture all client traffic, and add a wildcard ssl-proxy vPort under it, along with wildcard TCP, UDP and others vPorts.
11. Enable promiscuous VIP mode on the Ethernet interface that is connected to the clients' network. This is required by the wildcard VIP.

ACOS_encrypt Configuration Summary

ACOS_encrypt is configured as the server-facing device. Key configuration elements include the following:

1. Define an access list to identify traffic marked dscp=6.
2. Define an access list to identify traffic marked dscp=4.
3. Configure the server-SSL template and enable SSL Insight support.
4. Create an SLB real server for the default gateway router to the Internet and add it to TCP and UDP service groups.
5. Configure a wildcard VIP to capture all decrypted traffic and add a wildcard tcp-proxy vPort under it.
6. Configure another wildcard VIP to capture all other traffic and add wildcard TCP, UDP and others vPorts under it.
7. Enable promiscuous VIP mode on the Virtual Ethernet (VE) interface that is connected to the security device. This is required by the wildcard VIPs.

Configuration Instructions
ACOS_decrypt Configuration Instructions

1. On ACOS_decrypt, configure an access list to permit traffic arriving from the clients.
ACOS_decrypt(config)# access-list 101 permit ip 10.10.1.0 0.0.0.255 any

2. Create vlan 10 on Ethernet 1 port for connecting the clients’ network to ACOS_decrypt and config-
ure a VE interface 10 with an IP address on the same subnet as the clients. Lastly, configure ip
allow-promiscuous-vip under the VE interface.

ACOS_decrypt(config)# vlan 10
ACOS_decrypt(config-vlan:10)# untagged ethernet 1
ACOS_decrypt(config-vlan:10)# router-interface ve 10
ACOS_decrypt(config)# interface ve 10
ACOS_decrypt(config-if:ve:10)# ip address 10.10.1.10 255.255.255.0
ACOS_decrypt(config-if:ve:10)# ip allow-promiscuous-vip

3. Create vlan 20 on Ethernet 2 port for connecting the security device to ACOS_decrypt and config-
ure a VE interface 20.

ACOS_decrypt(config)# vlan 20
ACOS_decrypt(config-vlan:20)# untagged ethernet 2
ACOS_decrypt(config-vlan:20)# router-interface ve 20
ACOS_decrypt(config)# interface ve 20
ACOS_decrypt(config-if:ve:20)# ip address 10.10.2.10 255.255.255.0

4. Create the SLB real server, FW1, with IP address 10.10.2.20. This matches the IP address assigned to ve 20 on ACOS_encrypt. Enable wildcard ports for TCP and UDP, plus port 8080 tcp for the decrypted HTTPS traffic, and disable health checking on each.

NOTE: Since port 0 is a wildcard port, a health check would fail if it were enabled.

ACOS_decrypt(config)# slb server FW1 10.10.2.20
ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server)# port 0 udp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server)# port 8080 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable

5. Define port templates for setting DSCP=6 and DSCP=4. The template names must match the names bound to the service-group members in the following steps.

ACOS_decrypt(config)# slb template port decrypt-dscp-6
ACOS_decrypt(config-rport)# dscp 6
ACOS_decrypt(config)# slb template port non-ssli-dscp-4
ACOS_decrypt(config-rport)# dscp 4

6. Define service groups toward the security device for all bypassed traffic by binding the non-ssli-dscp-4 port template to the server port memberships:

ACOS_decrypt(config)# slb service-group Outbound-UDP udp
ACOS_decrypt(config-slb svc group)# member FW1 0
ACOS_decrypt(config-slb svc group-member:0)# template non-ssli-dscp-4
ACOS_decrypt(config)# slb service-group Outbound-TCP tcp
ACOS_decrypt(config-slb svc group)# member FW1 0
ACOS_decrypt(config-slb svc group-member:0)# template non-ssli-dscp-4

7. Define service groups toward the security device for all decrypted traffic by binding the decrypt-dscp-6 port template to the server port memberships:

ACOS_decrypt(config)# slb service-group Outbound-SSLi-0 tcp
ACOS_decrypt(config-slb svc group)# member FW1 0
ACOS_decrypt(config-slb svc group-member:0)# template decrypt-dscp-6
ACOS_decrypt(config)# slb service-group Outbound-SSLi-443 tcp
ACOS_decrypt(config-slb svc group)# member FW1 8080
ACOS_decrypt(config-slb svc group-member:8080)# template decrypt-dscp-6

8. Configure the client-SSL template, Client-SSL, provisioned with the CA certificate and private key used to generate the proxy certificates that the clients accept when they open SSL sessions to the remote servers. Enable forward proxy and non-SSL bypass.
When forward proxy is enabled, ACOS treats every connection arriving on the SSL virtual port as an SSL session. Because the wildcard port 0 ssl-proxy receives any TCP connection, non-SSL connections must be handled separately: the non-ssl-bypass service-group command forwards non-SSL traffic arriving on the SSL port to the named service group (Outbound-TCP, marked dscp=4) instead of applying SSL processing to it.

ACOS_decrypt(config)# slb template client-ssl Client-SSL
ACOS_decrypt(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS_decrypt(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# non-ssl-bypass service-group Outbound-TCP

9. Create a virtual server, decrypt_SSLi_VIP, for ACOS_decrypt facing the clients. Enable its wildcard port for SSL-proxy service, disable destination NAT, and bind the previously configured service groups and client-SSL template to it.
When you enable SSL-proxy service on the wildcard VIP, it dynamically proxies for any protocol running over SSL; in other words, all protocols running over SSL are intercepted, regardless of port.
a. Disable destination NAT to preserve the destination IP address on load-balanced traffic.
b. Bind the wildcard SSL-proxy port to the service group named Outbound-SSLi-0 to provide a path to the inspection device and the outside ACOS. Also bind an HTTPS vPort (443) to the service group Outbound-SSLi-443, with port translation to the real-server port 8080.
c. Bind the wildcard SSL-proxy port to the client-SSL template named Client-SSL to enable forward proxy services (SSLi) on that port.
d. Bind the HTTPS vPort to the same client-SSL template to enable forward proxy services (SSLi) on that port as well.

ACOS_decrypt(config)# slb virtual-server decrypt_SSLi_VIP 0.0.0.0 acl 101
ACOS_decrypt(config-slb vserver)# port 0 ssl-proxy
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group Outbound-SSLi-0
ACOS_decrypt(config-slb vserver-vport)# template client-ssl Client-SSL
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# service-group Outbound-SSLi-443
ACOS_decrypt(config-slb vserver-vport)# template client-ssl Client-SSL

10.Enable wildcard udp and others ports and provide service groups for them.

ACOS_decrypt(config-slb vserver)# port 0 udp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group Outbound-UDP
ACOS_decrypt(config-slb vserver)# port 0 others
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group Outbound-UDP

ACOS_encrypt Configuration Instructions

1. On ACOS_encrypt, configure two access lists. The first, access-list 101, filters decrypted traffic
arriving with dscp=6, and the second, access-list 102, filters all other traffic arriving with dscp=4.

ACOS_encrypt(config)# access-list 101 permit ip any any dscp 6
ACOS_encrypt(config)# access-list 102 permit ip any any dscp 4

2. Create vlan 30 and configure its VE interface on the subnet that links to the Internet default gateway.

ACOS_encrypt(config)# vlan 30
ACOS_encrypt(config-vlan:30)# untagged ethernet 1
ACOS_encrypt(config-vlan:30)# router-interface ve 30
ACOS_encrypt(config)# interface ve 30
ACOS_encrypt(config-if:ve:30)# ip address 10.10.3.20 255.255.255.0

3. Configure a VE interface for vlan 20 and configure ip allow-promiscuous-vip under it.

ACOS_encrypt(config)# vlan 20
ACOS_encrypt(config-vlan:20)# untagged ethernet 2
ACOS_encrypt(config-vlan:20)# router-interface ve 20
ACOS_encrypt(config)# interface ve 20
ACOS_encrypt(config-if:ve:20)# ip address 10.10.2.20 255.255.255.0
ACOS_encrypt(config-if:ve:20)# ip allow-promiscuous-vip

4. The outside ACOS needs to support forward-proxy services for SSLi. The server-SSL template, Server-SSL, enables this capability when bound to a virtual port.

ACOS_encrypt(config)# slb template server-ssl Server-SSL
ACOS_encrypt(config-server ssl)# forward-proxy-enable

5. Configure the SLB real server, Gateway, on the IP subnet that links to the default gateway. Configure the wildcard TCP and UDP ports plus port 443 tcp for the re-encrypted traffic, and disable health checking on each.

ACOS_encrypt(config)# slb server Gateway 10.10.3.1
ACOS_encrypt(config-real server)# port 0 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server)# port 443 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server)# port 0 udp
ACOS_encrypt(config-real server-node port)# health-check-disable

6. Configure TCP and UDP service groups that have Gateway as their only member, and a TCP service group for port 443 that carries the re-encrypted traffic. The protocol of each service group must match the virtual port it is bound to, so Outbound-UDP is a udp service group.

ACOS_encrypt(config)# slb service-group Outbound-TCP tcp
ACOS_encrypt(config-slb svc group)# member Gateway 0
ACOS_encrypt(config)# slb service-group Outbound-UDP udp
ACOS_encrypt(config-slb svc group)# member Gateway 0
ACOS_encrypt(config)# slb service-group Outbound-SSLi-8080 tcp
ACOS_encrypt(config-slb svc group)# member Gateway 443

7. Create the virtual server, Outside_nonSSLi_VIP, to handle non-SSL and bypassed TCP connections.

ACOS_encrypt(config)# slb virtual-server Outside_nonSSLi_VIP 0.0.0.0 acl 102
ACOS_encrypt(config-slb vserver)# port 0 tcp
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-TCP
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS_encrypt(config-slb vserver)# port 0 udp
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-UDP
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS_encrypt(config-slb vserver)# port 0 others
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-UDP
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp

8. Create the virtual server, Encrypt_SSLi_VIP, to handle SSLi TCP connections. Bind the previously
configured server-ssl template to this server to enable the forward-proxy process.

ACOS_encrypt(config)# slb virtual-server Encrypt_SSLi_VIP 0.0.0.0 acl 101
ACOS_encrypt(config-slb vserver)# port 0 tcp-proxy
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-TCP
ACOS_encrypt(config-slb vserver-vport)# template server-ssl Server-SSL
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS_encrypt(config-slb vserver)# port 8080 http
ACOS_encrypt(config-slb vserver-vport)# name PORT_8080
ACOS_encrypt(config-slb vserver-vport)# service-group Outbound-SSLi-8080
ACOS_encrypt(config-slb vserver-vport)# template server-ssl Server-SSL
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_encrypt(config-slb vserver-vport)# use-rcv-hop-for-resp

Reference Configuration for DSCP Dynamic-Port SSLi


ACOS_decrypt
!
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 20
untagged ethernet 2
router-interface ve 20
!
interface ve 10
ip address 10.10.1.10 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 10.10.2.10 255.255.255.0
!
slb template port decrypt-dscp-6
dscp 6
!
slb template port non-ssli-dscp-4
dscp 4
!
slb server FW1 10.10.2.20
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
!
!
slb service-group Outbound-TCP tcp
member FW1 0
template non-ssli-dscp-4
!
slb service-group Outbound-UDP udp
member FW1 0
template non-ssli-dscp-4
!
slb service-group Outbound-SSLi-0 tcp
member FW1 0
template decrypt-dscp-6
!
slb service-group Outbound-SSLi-443 tcp
member FW1 8080
template decrypt-dscp-6
!
slb template client-ssl Client-SSL
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-key
forward-proxy-enable
non-ssl-bypass service-group Outbound-TCP
!
slb virtual-server Clients_VIP 0.0.0.0 acl 101
port 0 ssl-proxy
no-dest-nat
service-group Outbound-SSLi-0
template client-ssl Client-SSL
port 0 udp
no-dest-nat
service-group Outbound-UDP
port 0 others
no-dest-nat
service-group Outbound-UDP
port 443 https
no-dest-nat port-translation
service-group Outbound-SSLi-443
template client-ssl Client-SSL
!
end

ACOS_encrypt
!
access-list 101 permit ip any any dscp 6
!
access-list 102 permit ip any any dscp 4
!
vlan 20
untagged ethernet 2
router-interface ve 20
!
vlan 30
untagged ethernet 1
router-interface ve 30
!
ip route 0.0.0.0 /0 10.10.3.1
!
interface ethernet 1
enable
!
interface ve 20
ip address 10.10.2.20 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 30
ip address 10.10.3.20 255.255.255.0
!
slb server Gateway 10.10.3.1
port 443 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group Outbound-TCP tcp
member Gateway 0
!
slb service-group Outbound-UDP udp
member Gateway 0
!
slb service-group Outbound-SSLi-8080 tcp
member Gateway 443
!
slb template server-ssl Server-SSL
forward-proxy-enable
!
slb virtual-server Outside_nonSSLi_VIP 0.0.0.0 acl 102
port 0 tcp
service-group Outbound-TCP
no-dest-nat
use-rcv-hop-for-resp
port 0 udp
service-group Outbound-UDP
no-dest-nat
use-rcv-hop-for-resp
port 0 others
service-group Outbound-UDP
no-dest-nat
use-rcv-hop-for-resp
!
slb virtual-server Encrypt_SSLi_VIP 0.0.0.0 acl 101
port 0 tcp-proxy
service-group Outbound-TCP
template server-ssl Server-SSL
no-dest-nat
use-rcv-hop-for-resp
port 8080 http
name PORT_8080
service-group Outbound-SSLi-8080
template server-ssl Server-SSL
no-dest-nat port-translation
use-rcv-hop-for-resp
!
end

Dynamic Port Inspection Based on DSCP


You can set the DSCP for decrypted and bypassed traffic by using the forward-proxy-decrypted
dscp command without changing service groups. The configured DSCP is applied to the IP header of
the decrypted or bypassed traffic.

NOTE: If the service group has a template with DSCP configured, the forward-
proxy-decrypted dscp command takes precedence.

Single-Device Double-Partition SSLi Configuration with DSCP


The following configuration example uses a single SSLi device with two partitions, ACOS_encrypt and
ACOS_decrypt. This L2 example uses the DSCP option of the client-ssl template to mark decrypted and
bypassed traffic. The DSCP marking lets ACOS_decrypt tell ACOS_encrypt which traffic was decrypted
and therefore needs to be re-encrypted. The marking is set with the forward-proxy-decrypted dscp
command and is referenced in the service groups that handle decrypted traffic. As traffic is decrypted,
it is tagged with DSCP 6. An access-list on the ACOS_encrypt partition catches traffic with this tag; all
other traffic (without a DSCP 6 tag) is switched by ACOS on the ACOS_encrypt partition. Because the
DSCP mark carries the classification, the destination port does not need to be rewritten when
decrypting SSL traffic.

Figure 16 shows an example deployment. The client network is connected through a layer 2 switch to
the ACOS device. The ACOS device, which has two partitions, is in turn connected to a security device
for traffic inspection. The security device is an L2 transparent device that preserves the L2 header
while processing the traffic flows. The ACOS device is then connected through a layer 2 switch to the
Internet. Interfaces 1 and 2 belong to the ACOS_decrypt partition; interfaces 3 and 4 belong to the
ACOS_encrypt partition.

FIGURE 16 Single-Device Double-Partition SSLi Configuration with DSCP

Traffic Flows for the Sample Deployment


The traffic flow from the client network is sent to the ACOS_decrypt partition on the e1 interface. The
traffic flow is decrypted by the ACOS_decrypt partition. The traffic from the ACOS_decrypt partition
is directed to the security device in the forward direction. From the security device, the traffic is
directed to the ACOS_encrypt partition on the e3 interface. The ACOS_encrypt partition re-encrypts
the traffic and forwards the traffic to the gateway by using normal SLB operation.

The traffic flow is shown as follows:

HTTPS/443 >>Traffic Decrypted in ACOS_decrypt >>HTTP/443 through security devices >>Traffic Re-
encrypted in ACOS_encrypt >>HTTPS/443 to Internet

The following list includes information about the other kinds of traffic flow:

• UDP/ICMP/Other traffic—This traffic is not caught by any VIP configuration and is simply switched
by ACOS.
• HTTPS on port 443—This traffic is decrypted in the ACOS_decrypt partition, tagged with DSCP 6,
and re-encrypted by the ACOS_encrypt partition on the "port 0 tcp-proxy" vPort.
• HTTP on port 80—This traffic is caught by the wildcard VIP on ACOS_decrypt; the "port 80 http"
vPort is called out only in case a DLP configuration needs to be added. Otherwise the "port 80 http"
vPort can be omitted.
• TCP+SSL on any other port—This traffic is caught by the wildcard VIP in ACOS_decrypt, tagged
with DSCP 6, and re-encrypted by the ACOS_encrypt partition.
• TCP on any other port—This traffic is caught by the wildcard VIP in ACOS_decrypt, but because it
is not SSL it is not tagged with DSCP 6. When it reaches the ACOS_encrypt partition there is no
DSCP tag, so the wildcard VIP does not see it and it is switched by ACOS. In the client-ssl template
in ACOS_decrypt, non-SSL traffic is sent to the SG_SSLi_TCP-bypass service group via the
"non-ssl-bypass service-group" command.

NOTE: The static port intercept for the HTTP protocol is required when you have
configured either HTTP policy or the ICAP feature. Otherwise, you can
remove the static port intercept for each virtual server.

Initial Configuration (CLI)


1. Enter the configuration mode for the ACOS device:
ACOS>
ACOS>enable
Password:
ACOS# config
ACOS(config)#

The configuration mode is denoted by the ACOS(config)# prompt.


2. To avoid duplicate MAC addresses on the shared VLAN, add the global command system
ve-mac-scheme system-mac.
ACOS(config)# system ve-mac-scheme system-mac

3. Assign an IP address and default gateway to the management interface:
ACOS(config)# interface management
ACOS(config-if:management)# ip address 10.10.30.15 255.255.255.0
ACOS(config-if:management)# ip control-apps-use-mgmt-port
ACOS(config-if:management)# ip default-gateway 10.10.30.1
ACOS(config-if:management)# exit

4. Create the two partitions of ACOS_decrypt and ACOS_encrypt:
ACOS(config)# partition ACOS_decrypt id 1 application-type adc
ACOS(config)# partition ACOS_encrypt id 2 application-type adc

Configuring the ACOS_decrypt Partition (CLI)


The work-flow for configuring the ACOS_decrypt partition includes the following:

• Configuring the Default VLAN (CLI)

• Configuring the ACL (CLI)

• Configuring Network IP Addresses for Untagged VLANs (CLI)

• Configuring the Security Device (CLI)

• Configuring the SSLi Services for ACOS_decrypt Partition (CLI)

• Configuring Handling of Incoming Traffic (CLI)

Configuring the Default VLAN (CLI)


1. Configure the default VLAN. Bind ethernet ports 1 and 2 to the VLAN. Also, bind a virtual interface
ve to the VLAN. A VE is required in order to configure an IP address on a VLAN. In this example, a
default VLAN of 850 is configured.
ACOS_decrypt(config)# vlan 850
ACOS_decrypt(config-vlan:850)# untagged ethernet 1 to 2
ACOS_decrypt(config-vlan:850)# router-interface ve 850
ACOS_decrypt(config-vlan:850)# exit

2. Enable the ethernet interfaces 1 and 2 that are associated with the VLAN
ACOS_decrypt(config)# interface ethernet 1
ACOS_decrypt(config-if:ethernet:1)# enable
ACOS_decrypt(config-if:ethernet:1)# exit
ACOS_decrypt(config)# interface ethernet 2
ACOS_decrypt(config-if:ethernet:2)# enable
ACOS_decrypt(config-if:ethernet:2)# exit

3. Verify the operational state of the interfaces by running the show interfaces command.
ACOS_decrypt(config)# show interfaces brief

Configuring the ACL (CLI)


1. Configure the access lists. ACL 101 drops UDP traffic from any source to any destination on ports
80 and 443; all other IP traffic is permitted and forwarded.
ACOS_decrypt(config)# access-list 101 deny udp any any eq 80
ACOS_decrypt(config)# access-list 101 deny udp any any eq 443
ACOS_decrypt(config)# access-list 101 permit ip any any

2. Configure the ACL to permit IP traffic from any source to any destination for the VLAN 850:
ACOS_decrypt(config)# access-list 190 permit ip any any vlan 850

Configuring Network IP Addresses for Untagged VLANs (CLI)


On the virtual interface 850, enable promiscuous VIP support. When you enable promiscuous VIP
support on a VE, the option is automatically enabled on each ethernet data port in the VE. Provision
the virtual interfaces to allow promiscuous IP in order to subject traffic to the rules enabled on each
interface. In addition, assign an IP address and a default gateway to the VLAN. In this example, we
assign the IP address and gateway to interface ve 850. Additionally, bind ACL 101 to the interface for
all inbound traffic.

ACOS_decrypt(config)# interface ve 850
ACOS_decrypt(config-if:ve850)# access-list 101 in
ACOS_decrypt(config-if:ve850)# ip address 10.10.10.98 255.255.255.0
ACOS_decrypt(config-if:ve850)# ip allow-promiscuous-vip
ACOS_decrypt(config-if:ve850)# exit

Configuring the Security Device (CLI)


1. Configure the server GW and its ports. Configure ports 0, 80, and 443 for TCP traffic. Disable health
check for each port.
ACOS_decrypt(config)# slb server gw 10.10.10.1
ACOS_decrypt(config-real server)# health-check-disable
ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 80 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit
ACOS_decrypt(config-real server)# port 443 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

2. Configure the server service group called SG_SSLi_HTTP of type TCP. Associate GW and port 80
with the service group.
ACOS_decrypt(config)# slb service-group SG_SSLi_HTTP tcp
ACOS_decrypt(config-slb svc group)# member gw 80
ACOS_decrypt(config-slb svc group-member:80)# exit
ACOS_decrypt(config-slb svc group)# exit

3. Configure the server service group called SG_SSLi_HTTPS of type TCP. Associate GW and port
443 with the service group.
ACOS_decrypt(config)# slb service-group SG_SSLi_HTTPS tcp
ACOS_decrypt(config-slb svc group)# member gw 443
ACOS_decrypt(config-slb svc group-member:443)# exit
ACOS_decrypt(config-slb svc group)# exit

4. Configure the server service group called SG_SSLi_TCP of type TCP. Associate GW and port 0
with the service group.
ACOS_decrypt(config)# slb service-group SG_SSLi_TCP tcp
ACOS_decrypt(config-slb svc group)# member gw 0
ACOS_decrypt(config-slb svc group-member:0)# exit
ACOS_decrypt(config-slb svc group)# exit

5. Configure the server service group called SG_SSLi_TCP-bypass of type TCP. Associate GW and
port 0 with the service group.
ACOS_decrypt(config)# slb service-group SG_SSLi_TCP-bypass tcp
ACOS_decrypt(config-slb svc group)# member gw 0
ACOS_decrypt(config-slb svc group-member:0)# exit
ACOS_decrypt(config-slb svc group)# exit

Configuring the SSLi Services for ACOS_decrypt Partition (CLI)


1. Configure the client SSL template by specifying the SSLi self-signed certificate and private key. For
all decrypted traffic, add a DSCP tag of 6. For all bypassed traffic, add a DSCP tag of 1.
ACOS_decrypt(config)# slb template client-ssl SSLi
ACOS_decrypt(config-client ssl)# chain-cert abc.home
ACOS_decrypt(config-client ssl)# forward-proxy-ca-cert abc.home
ACOS_decrypt(config-client ssl)# forward-proxy-ca-key abc.home
ACOS_decrypt(config-client ssl)# forward-proxy-decrypted dscp 6 1
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# forward-proxy-failsafe-disable

2. When the client-ssl template is enabled for forward proxy, ACOS by default processes intercepted
traffic as if it were an HTTPS session. It is therefore necessary to disable the default HTTPS
processing for non-HTTP protocol sessions. The non-ssl-bypass command disables this processing
for non-HTTP protocols and sends that traffic to the named service group.
ACOS_decrypt(config-client ssl)# non-ssl-bypass service-group SG_SSLi_TCP-bypass

Configuring Handling of Incoming Traffic (CLI)


1. Create a virtual server called ACOS_decrypt for the ACOS_decrypt partition facing the clients.
Enable its wildcard port for SSL-proxy service, disable destination NAT, and bind the previously
configured service groups and client-ssl template to it. ACL 190 is bound to the wildcard VIP.
When you enable SSL-proxy service on the wildcard VIP, it dynamically proxies any protocol
running over SSL; in other words, all protocols running over SSL are intercepted.
ACOS_decrypt(config)# slb virtual-server ACOS_decrypt 0.0.0.0 acl 190

2. Bind the wildcard SSL proxy port to the service-group named SG_SSLi_TCP to provide a path to
the inspection device and the ACOS_encrypt partition. Bind the wildcard SSL-proxy port to the
SSL client template named SSLi to enable forward proxy services (SSLi) on that port.
ACOS_decrypt(config-slb vserver)# port 0 ssl-proxy
ACOS_decrypt(config-slb vserver-vport)# service-group SG_SSLi_TCP
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLi
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit

3. Bind an HTTPS vPort (port 443 https) to the service group SG_SSLi_HTTPS, and bind it to the SSL
client template named SSLi to enable forward proxy services (SSLi) on that port.
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# service-group SG_SSLi_HTTPS
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLi
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit

4. Associate port 80 of type HTTP with service group SG_SSLi_HTTP. Disable destination NAT.
ACOS_decrypt(config-slb vserver)# port 80 http
ACOS_decrypt(config-slb vserver-vport)# service-group SG_SSLi_HTTP
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# exit

Configuring the ACOS_encrypt Partition (CLI)


The work-flow for configuring the ACOS_encrypt partition includes the following:

• Configuring the ACL (CLI)

• Configuring the Default VLAN (CLI)

• Configuring Network IP Addresses for the VLAN (CLI)

• Configuring the Security Device (CLI)

• Configuring the SSLi Services for ACOS_encrypt Partition (CLI)

• Configuring Handling of Outgoing Traffic (CLI)

Configuring the ACL (CLI)


Configure two access lists. The first, access-list 191, filters decrypted traffic arriving with dscp=6, and
the second, access-list 192, filters all other traffic arriving with dscp=1.

ACOS[ACOS_encrypt](config)# access-list 191 permit ip any any dscp 6
ACOS[ACOS_encrypt](config)# access-list 192 permit ip any any dscp 1

Configuring the Default VLAN (CLI)


Configure the default VLAN. Bind ethernet ports 3 and 4 to the VLAN. Also, bind a virtual interface ve to
the VLAN. In this example, a default VLAN of 860 is configured.

ACOS[ACOS_encrypt](config)# vlan 860
ACOS[ACOS_encrypt](config-vlan:860)# untagged ethernet 3 to 4
ACOS[ACOS_encrypt](config-vlan:860)# router-interface ve 860
ACOS[ACOS_encrypt](config-vlan:860)# exit

ACOS[ACOS_encrypt](config)# interface ethernet 3
ACOS[ACOS_encrypt](config-if:ethernet:3)# enable
ACOS[ACOS_encrypt](config-if:ethernet:3)# exit
ACOS[ACOS_encrypt](config)# interface ethernet 4
ACOS[ACOS_encrypt](config-if:ethernet:4)# enable
ACOS[ACOS_encrypt](config-if:ethernet:4)# exit

Configuring Network IP Addresses for the VLAN (CLI)


1. On the virtual interface 860, enable promiscuous VIP support. When you enable promiscuous VIP
support on a VE, the option is automatically enabled on each ethernet data port in the VE. Provision
the virtual interfaces to allow promiscuous IP in order to subject traffic to the rules enabled on
each interface. In addition, assign an IP address and a default gateway to the VLAN. In this
example, we assign the IP address and gateway to interface ve 860.
ACOS[ACOS_encrypt](config)# interface ve 860
ACOS[ACOS_encrypt](config-if:ve860)# ip address 10.10.10.99 255.255.255.0
ACOS[ACOS_encrypt](config-if:ve860)# ip allow-promiscuous-vip
ACOS[ACOS_encrypt](config-if:ve860)# exit

2. Enable the ethernet interfaces 3 and 4 that are associated with the VLAN
ACOS[ACOS_encrypt](config)# interface ethernet 3
ACOS[ACOS_encrypt](config-if:ethernet:3)# enable
ACOS[ACOS_encrypt](config-if:ethernet:3)# exit
ACOS[ACOS_encrypt](config)# interface ethernet 4
ACOS[ACOS_encrypt](config-if:ethernet:4)# enable
ACOS[ACOS_encrypt](config-if:ethernet:4)# exit

3. Verify the operational state of the interfaces by running the show interfaces command.
ACOS[ACOS_encrypt](config)# show interfaces brief

Configuring the Security Device (CLI)


1. Configure the server GW and its ports.
ACOS[ACOS_encrypt](config)# slb server gw 10.10.10.1
ACOS[ACOS_encrypt](config-real server)# health-check-disable
ACOS[ACOS_encrypt](config-real server)# port 0 tcp
ACOS[ACOS_encrypt](config-real server-node port)# health-check-disable
ACOS[ACOS_encrypt](config-real server-node port)# exit
ACOS[ACOS_encrypt](config-real server)# port 443 tcp
ACOS[ACOS_encrypt](config-real server-node port)# health-check-disable
ACOS[ACOS_encrypt](config-real server-node port)# exit

2. Configure the server service group called SG_SSLi_HTTP of type TCP. Associate GW and port
443 with the service group.
ACOS[ACOS_encrypt](config)# slb service-group SG_SSLi_HTTP tcp
ACOS[ACOS_encrypt](config-slb svc group)# member gw 443
ACOS[ACOS_encrypt](config-slb svc group-member:443)# exit
ACOS[ACOS_encrypt](config-slb svc group)# exit

3. Configure the server service group called SG_SSLi_TCP of type TCP. Associate GW and port 0
with the service group.
ACOS[ACOS_encrypt](config)# slb service-group SG_SSLi_TCP tcp
ACOS[ACOS_encrypt](config-slb svc group)# member gw 0
ACOS[ACOS_encrypt](config-slb svc group-member:0)# exit
ACOS[ACOS_encrypt](config-slb svc group)# exit

Configuring the SSLi Services for ACOS_encrypt Partition (CLI)


Create an SSL server template on the ACOS_encrypt partition so that the VIP can operate as an SSL
client and handshake with the enterprise server. Enable forward proxy services on the template to
enable SSLi operation on the VIP.

ACOS[ACOS_encrypt](config)# slb template server-ssl SSLi
ACOS[ACOS_encrypt](config-server ssl)# forward-proxy-enable
ACOS[ACOS_encrypt](config-server ssl)# exit

Configuring Handling of Outgoing Traffic (CLI)


1. Create the virtual server ACOS_encrypt. ACL 191 restricts it to incoming traffic tagged with dscp=6.
ACOS[ACOS_encrypt](config)# slb virtual-server ACOS_encrypt 0.0.0.0 acl 191

2. Bind the virtual port port 0 tcp-proxy to the service group SG_SSLi_TCP and the SSLi server
template. Bind the virtual port port 443 http to the service group SG_SSLi_HTTP and the SSLi
server template. Disable destination NAT to preserve the destination IP address on load-balanced
traffic. The HTTPS traffic tagged with DSCP=6 arriving at the vport port 0 tcp-proxy is re-
encrypted.
ACOS[ACOS_encrypt](config-slb vserver)# port 0 tcp-proxy
ACOS[ACOS_encrypt](config-slb vserver-vport)# service-group SG_SSLi_TCP
ACOS[ACOS_encrypt](config-slb vserver-vport)# template server-ssl SSLi
ACOS[ACOS_encrypt](config-slb vserver-vport)# no-dest-nat
ACOS[ACOS_encrypt](config-slb vserver-vport)# exit

ACOS[ACOS_encrypt](config-slb vserver)# port 443 http


ACOS[ACOS_encrypt](config-slb vserver-vport)# service-group SG_SSLi_HTTP
ACOS[ACOS_encrypt](config-slb vserver-vport)# template server-ssl SSLi
ACOS[ACOS_encrypt](config-slb vserver-vport)# no-dest-nat
ACOS[ACOS_encrypt](config-slb vserver-vport)# exit

3. Create the virtual server, ACOS_encrypt_bypass, to handle non-SSL and bypassed TCP
connections, which arrive with a tag of dscp=1 (matched by ACL 192).
ACOS[ACOS_encrypt](config)# slb virtual-server ACOS_encrypt_bypass 0.0.0.0 acl 192

Consolidated Configuration for Dynamic Port Inspection Based on DSCP

!
system ve-mac-scheme system-mac
!
partition ACOS_decrypt id 1 application-type adc
!
partition ACOS_encrypt id 2 application-type adc
interface management
ip address 10.10.30.15 255.255.255.0
ip control-apps-use-mgmt-port
ip default-gateway 10.10.30.1
!
interface ethernet 1
!
interface ethernet 2
!
interface ethernet 3
!
interface ethernet 4
!
end
active-partition ACOS_decrypt
!
!
access-list 101 deny udp any any eq 80
!
access-list 101 deny udp any any eq 443
!
access-list 101 permit ip any any
!
access-list 190 permit ip any any vlan 850
!
vlan 850
untagged ethernet 1 to 2
router-interface ve 850
name ACOS_decrypt_ingress_egress
user-tag ACOS_decrypt_ingress_egress
!
interface ethernet 1
name ACOS_decrypt_ingress
enable
!
interface ethernet 2
name ACOS_decrypt_egress
enable
!
interface ve 850
name ACOS_decrypt_ingress_egress
access-list 101 in
ip address 10.10.10.98 255.255.255.0
ip allow-promiscuous-vip
!
!
slb server gw 10.10.10.1
health-check-disable
user-tag ACOS_decrypt
port 0 tcp
health-check-disable
port 80 tcp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group SG_SSLi_HTTP tcp
member gw 80
!
slb service-group SG_SSLi_HTTPS tcp
member gw 443
!
slb service-group SG_SSLi_TCP tcp
member gw 0
!
slb service-group SG_SSLi_TCP-bypass tcp
member gw 0
!
slb template client-ssl SSLi
chain-cert abc.home
forward-proxy-ca-cert abc.home
forward-proxy-ca-key abc.home
forward-proxy-decrypted dscp 6 1
forward-proxy-enable
forward-proxy-failsafe-disable
non-ssl-bypass service-group SG_SSLi_TCP-bypass
!
slb virtual-server ACOS_decrypt 0.0.0.0 acl 190
port 0 ssl-proxy
service-group SG_SSLi_TCP
template client-ssl SSLi
no-dest-nat
port 80 http
service-group SG_SSLi_HTTP
no-dest-nat
port 443 https
service-group SG_SSLi_HTTPS
template client-ssl SSLi
no-dest-nat
!
end
active-partition ACOS_encrypt
!
!
access-list 191 permit ip any any dscp 6
!
access-list 192 permit ip any any dscp 1
!
vlan 860
untagged ethernet 3 to 4
router-interface ve 860
!
interface ethernet 3
enable
!
interface ethernet 4
enable
!
interface ve 860
ip address 10.10.10.99 255.255.255.0
ip allow-promiscuous-vip
!
!
slb template server-ssl SSLi
forward-proxy-enable
!
slb server gw 10.10.10.1
health-check-disable
port 0 tcp
health-check-disable
port 443 tcp
health-check-disable
!
slb service-group SG_SSLi_HTTP tcp
member gw 443
!
slb service-group SG_SSLi_TCP tcp
member gw 0
!
slb virtual-server ACOS_encrypt 0.0.0.0 acl 191
port 0 tcp-proxy
service-group SG_SSLi_TCP
template server-ssl SSLi
no-dest-nat
port 443 http
service-group SG_SSLi_HTTP
template server-ssl SSLi
no-dest-nat
!
slb virtual-server ACOS_encrypt_bypass 0.0.0.0 acl 192
!
end
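The handoff in this chapter depends on the two partitions agreeing on values that no single command checks: the DSCP marks set by forward-proxy-decrypted dscp on ACOS_decrypt must be matched by an ACL bound to a VIP on ACOS_encrypt (anything else is simply switched by ACOS without re-encryption or inspection), and each vPort must reference a service group of the matching protocol. The following Python script is an added example, not A10 code, that parses a running-config of the form shown above and reports such mismatches. SAMPLE_CONFIG is a constructed, abridged copy of the consolidated configuration; BROKEN_CONFIG is a constructed variant with a bypass mark of DSCP 4 and a UDP vPort bound to a TCP group. The parser assumes that any line not beginning with a known top-level keyword belongs to the preceding block, so it accepts both indented and flattened output, and it models only the objects the check needs.

```python
# Added example (not A10 code): parse an ACOS-style running-config and check
# that the DSCP handoff between ACOS_decrypt and ACOS_encrypt is consistent.
# SAMPLE_CONFIG is constructed, abridged from the consolidated configuration.
SAMPLE_CONFIG = """\
active-partition ACOS_decrypt
slb service-group SG_SSLi_TCP tcp
member gw 0
slb service-group SG_SSLi_TCP-bypass tcp
member gw 0
slb template client-ssl SSLi
forward-proxy-decrypted dscp 6 1
non-ssl-bypass service-group SG_SSLi_TCP-bypass
slb virtual-server ACOS_decrypt 0.0.0.0 acl 190
port 0 ssl-proxy
service-group SG_SSLi_TCP
template client-ssl SSLi
active-partition ACOS_encrypt
access-list 191 permit ip any any dscp 6
access-list 192 permit ip any any dscp 1
slb service-group SG_SSLi_TCP tcp
slb virtual-server ACOS_encrypt 0.0.0.0 acl 191
port 0 tcp-proxy
service-group SG_SSLi_TCP
slb virtual-server ACOS_encrypt_bypass 0.0.0.0 acl 192
"""
# Constructed broken variant: bypass mark DSCP 4 (no ACL on ACOS_encrypt
# matches it) plus a UDP vPort bound to a TCP service group.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("dscp 6 1", "dscp 6 4").replace(
    "acl 192\n", "acl 192\nport 0 udp\nservice-group SG_SSLi_TCP\n")

TOP = ("slb ", "access-list ", "active-partition ", "interface ", "vlan ", "end")


def blocks(text):
    """Yield (partition, header words, body word-lists). Assumption: a line not
    starting with a top-level keyword belongs to the preceding block."""
    part, head, body = "shared", None, []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP):
            if head:
                yield part, head, body
            head, body = line.split(), []
            if head[0] == "active-partition":
                part, head = head[1], None
        else:
            body.append(line.split())
    if head:
        yield part, head, body


def parse(text):
    """Per partition: ACL DSCP matches, service-group protocols, client-ssl
    DSCP marks and bypass group, virtual servers with their vPorts."""
    m = {}
    for part, h, body in blocks(text):
        p = m.setdefault(part, {"acl": {}, "sg": {}, "cssl": {}, "vs": {}})
        if h[0] == "access-list" and "permit" in h and "dscp" in h:
            p["acl"].setdefault(h[1], set()).add(int(h[h.index("dscp") + 1]))
        elif h[:2] == ["slb", "service-group"]:
            p["sg"][h[2]] = h[3] if len(h) > 3 else "tcp"
        elif h[:3] == ["slb", "template", "client-ssl"]:
            t = p["cssl"][h[3]] = {"dscp": [], "bypass": None}
            for b in body:
                if b[:2] == ["forward-proxy-decrypted", "dscp"]:
                    t["dscp"] = [int(x) for x in b[2:]]
                elif b[:2] == ["non-ssl-bypass", "service-group"]:
                    t["bypass"] = b[2]
        elif h[:2] == ["slb", "virtual-server"]:
            acl = h[h.index("acl") + 1] if "acl" in h else None
            vs = p["vs"][h[2]] = {"acl": acl, "vports": []}
            for b in body:
                if b[0] == "port":
                    vs["vports"].append({"port": b[1], "type": b[2], "sg": None})
                elif b[0] == "service-group" and vs["vports"]:
                    vs["vports"][-1]["sg"] = b[1]
    return m


def check(model, dec="ACOS_decrypt", enc="ACOS_encrypt"):
    """Return findings; empty means every mark set on dec is caught by a VIP ACL
    on enc and every vPort is bound to a service group of the right protocol."""
    out = []
    for part, p in model.items():
        for name, vs in p["vs"].items():
            for vp in (v for v in vs["vports"] if v["sg"]):
                want = {"udp": "udp", "others": None}.get(vp["type"], "tcp")
                have = p["sg"].get(vp["sg"])
                if have is None:
                    out.append(f"{part}: {name} port {vp['port']} {vp['type']} references missing service-group {vp['sg']}")
                elif want and have != want:
                    out.append(f"{part}: {name} port {vp['port']} {vp['type']} bound to {have} service-group {vp['sg']}, expected {want}")
        for name, t in p["cssl"].items():
            if t["bypass"] and t["bypass"] not in p["sg"]:
                out.append(f"{part}: client-ssl {name} bypasses to missing service-group {t['bypass']}")
    if dec in model and enc in model:
        caught = set().union(*(model[enc]["acl"].get(vs["acl"], set()) for vs in model[enc]["vs"].values()))
        for name, t in model[dec]["cssl"].items():
            for kind, d in zip(("decrypted", "bypassed"), t["dscp"]):
                if d not in caught:
                    out.append(f"{dec}: client-ssl {name} marks {kind} traffic DSCP {d}, but no VIP on {enc} matches dscp {d}; it would be switched unprocessed")
    return out
```

Run check(parse(text)) on the combined output of show running-config from both partitions; a non-empty result means some class of traffic leaves ACOS_decrypt with a mark that nothing on ACOS_encrypt picks up, or a vPort whose service group cannot carry its protocol.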

Related Information
For more information on TCP-Proxy, see the “Generic TCP-Proxy” chapter of the Application Delivery and
Server Load Balancing Guide.

For more information on SSL Proxy, see the “SSL Offload and SSL Proxy” chapter in the Application
Delivery and Server Load Balancing Guide.

For detailed information on the load-balancing servers that enable SSLi and other applications, see the
Application Delivery and Server Load Balancing Guide.

SSLi in a Single Partition Deployment

The following topics are covered:

• Overview of Single Partition Deployment

• L2 Deployment with Tagged VLANs

• L2 Deployment with Untagged VLANs

Overview of Single Partition Deployment


You can deploy SSLi by using a single partition instead of two partitions. The single partition approach
allows a bump-in-the-wire deployment that requires minimal changes to the existing network
infrastructure.

In a single partition deployment, the ACOS device is in L2 mode and requires one IP address irrespective
of the number of VLANs to be inspected. The VLAN ID and the source and destination MAC addresses of
the incoming packets are preserved as the traffic passes through the ACOS device. For this type of
deployment, all four interfaces related to the SSLi deployment, e1, e2, e3, and e4 (as shown in
Figure 17), must be assigned the same set of VLANs.

NOTE: To ensure that all traffic is routed to the security device for inspection,
you must define the traffic flow with respect to port-0-tcp, port-0-udp,
and port-0-others as shown in the following configuration examples.
Undefined traffic flows bypass the security device. Instead, configure
SSLi Bypass to govern traffic that is not required to be inspected. See
“SSLi Inspect, Bypass, and Exception Lists” on page 189.

Architecture of Single Partition Deployment


In the following example deployment, as shown in Figure 17, the client network is connected through a
layer 3 switch to the ACOS device. The ACOS device, which has a single partition, is in turn connected
to a security device for traffic inspection. The ACOS device is then connected through a layer 3 switch
to the Internet. The traffic flows for the single partition deployment are described in the following list:

• Traffic flows from the client network to the Internet—The traffic flow from the client network is sent
to the ACOS device on the e1 interface. The traffic flow is decrypted by the ACOS device. The traffic
from the ACOS device is redirected to the security device in the forward direction; it is forwarded
from e1 to e2 by using the redirect-fwd command. From the security device, the traffic is directed
back to the ACOS device on the e3 interface. The ACOS device re-encrypts the traffic and forwards it
to the gateway by using normal SLB operation.
• Traffic flows from the Internet to the client network—The traffic from the gateway is sent to the
ACOS device on the e4 interface. The traffic flow is decrypted by the ACOS device. The traffic flow is
then directed from e4 to e3 by using the redirect-rev command. From the security device, the traffic
flow is directed back to the ACOS device on the e2 interface. The ACOS device re-encrypts the traffic
and forwards the traffic to the client network on the e1 interface.

The security device is an L2 transparent device that preserves the L2 header while processing the traffic
flows. For both scenarios, the L2 header is also preserved for the following traffic flows:

• Traffic flows between the client and the security device, on interfaces (e1 <-> e2).

• Traffic flows between the security device and the gateway (e3 <-> e4).

FIGURE 17 A Single Partition Deployment for SSLi

The single partition SSLi deployment requires the ACOS device to have four interfaces. The functions of
the interfaces are explained in the following list, following the traffic flow from the client network to
the Internet:

• e1—This interface connects the layer 3 switch and the ACOS device. Traffic from the user network is
channeled through the layer 3 switch to the ACOS device by using e1. An ACL rule is applied at e1 to
forward only the traffic that is required to be inspected.
• e2—This interface connects the ACOS device and the security device. Decrypted traffic from the
ACOS device is forwarded to the security device by using e2.
• e3—This interface connects the ACOS device and the security device. The inspected traffic from
the security device is forwarded to the ACOS device by using e3. An ACL rule is applied at e3 to
forward only relevant traffic.
• e4—This interface connects the ACOS device to another layer 3 switch. The inspected traffic from
the user network is forwarded to the Internet by using e4.

The redirect-fwd and redirect-rev commands disable MAC learning on the interfaces specified in these commands and instead forward packets to the specified ethernet port. The redirect-fwd configuration command redirects the client traffic to the security device. The redirect-rev configuration command redirects server traffic back to the security device. See the port command in the “Config Commands: SLB Virtual Servers” chapter of the Command Line Interface Reference for more information.

Types of Single Partition Deployment


In single partition deployment, two types are supported and described in subsequent sections:

• L2 deployment with tagged VLANs

• L2 deployment with untagged VLANs

Tagged ports can be members of multiple VLANs. The port can recognize the VLAN to which a packet
belongs based on the VLAN tag included in the packet. In the deployment scenario involving tagged
VLANs, you can specify multiple VLANs for traffic inspection. All the ports of the security device are
tagged.

Untagged ports can belong to only a single VLAN. By default, all Ethernet data ports are untagged
members of a default VLAN.

If there is only one VLAN, whether tagged or untagged, Source-NAT is supported if the Source-NAT pool
belongs to the same subnet as the VEs.

L2 Deployment with Tagged VLANs


Figure 18 is an example of an SSLi L2 deployment by using tagged VLANs. In this example, traffic from
tagged VLANs 10 and 20 is inspected by the security device. To understand how the traffic flows in this
deployment, see “Architecture of Single Partition Deployment” on page 117.

FIGURE 18 L2 Deployment with Tagged VLANs

Configuration for Tagged VLANs by Using the CLI


The following sections describe how to configure SSLi for this deployment by using the ACOS CLI. The workflow includes the following:

• Initial Configuration by using CLI

• Configuring the Network VLANs (CLI)

• Configuring the SSLi Services (CLI)

• Configuring Network IP Addresses (CLI)

• Configuring the Security Device (CLI)

• Configuring Handling of Incoming Traffic (CLI)

• Configuring Handling of Outgoing Traffic (CLI)

• Consolidated Configuration for Single Partition with Tagged VLANs (CLI)

Initial Configuration by using CLI


1. Enter the configuration mode for the ACOS device:
ACOS>
ACOS>enable
Password:
ACOS#config
ACOS(config)#

The configuration mode is denoted by the ACOS(config)# prompt.


2. (Applicable to deployments using vThunder) The single-partition configuration for SSLi requires VE MAC address assignment changes, and since vThunder does not support VE MAC address assignment scheme changes in non-promiscuous mode, you must enable promiscuous mode.
ACOS(config)# system promiscuous-mode
Settings will take effect on reload. Please save the configuration by issuing the "write
memory" command followed by the "reload" command

3. To avoid duplicate MAC addresses on the shared VLAN, add the global command system ve-mac-scheme system-mac.
ACOS(config)# system ve-mac-scheme system-mac

4. Assign an IP address and default gateway to the management interface:
ACOS(config)# interface management
ACOS(config-if:management)# ip address 10.101.7.103 255.255.252.0
ACOS(config-if:management)# ip default-gateway 10.101.4.1
ACOS(config-if:management)# exit

Configuring the Network VLANs (CLI)


1. Configure VLAN 10. Bind ethernet ports 1 to 4 to VLAN 10. Also, bind a virtual interface VE 10 to
VLAN 10.
ACOS(config)# vlan 10
ACOS(config-vlan:10)# tagged ethernet 1 to 4
ACOS(config-vlan:10)# router-interface ve 10
ACOS(config-vlan:10)# exit

2. Configure VLAN 20. Bind ethernet ports 1 to 4 to VLAN 20. Also, bind a virtual interface VE 20 to VLAN 20.
ACOS(config)# vlan 20
ACOS(config-vlan:20)# tagged ethernet 1 to 4
ACOS(config-vlan:20)# router-interface ve 20
ACOS(config-vlan:20)# exit

3. Enable the ethernet interfaces 1 to 4 on the ACOS device that are associated with the VLANs:
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit

ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# exit

ACOS(config)# interface ethernet 3
ACOS(config-if:ethernet:3)# enable
ACOS(config-if:ethernet:3)# exit

ACOS(config)# interface ethernet 4
ACOS(config-if:ethernet:4)# enable
ACOS(config-if:ethernet:4)# exit

4. Verify the operational state of the interfaces by running the show interfaces brief command.
ACOS(config)# show interfaces brief

Configuring the SSLi Services (CLI)


1. Configure a cipher settings template called cl_cipher_template. This template is associated with
the SSL client template.
ACOS(config)# slb template cipher cl_cipher_template
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# TLS1_RSA_AES_256_GCM_SHA384
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA256
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# exit

2. Configure a cipher settings template called sr_cipher_template. This template is associated with
the SSL server template.
ACOS(config)# slb template cipher sr_cipher_template
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# TLS1_RSA_AES_256_GCM_SHA384
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA256
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# exit

3. Create a server SSL template called sr_ssl so that the VIP on the SSLi device can operate as an SSL client and handshake with an external server. Enable forward proxy services on the template to enable SSLi operation on the VIP. Associate the sr_cipher_template with the server SSL template.
ACOS(config)# slb template server-ssl sr_ssl
ACOS(config-server ssl)# forward-proxy-enable
ACOS(config-server ssl)# template cipher sr_cipher_template
ACOS(config-server ssl)# exit

4. Traffic selected to be forwarded to the security device is governed by the redirect-fwd configuration. All the IP traffic passing the vport that has the redirect-fwd command configured is redirected to the security device. Configure the client SSL template to provide the attributes which enable SSLi, and specify the SSLi self-signed certificate and private key. Associate the cl_cipher_template with the client SSL template.
ACOS(config)# slb template client-ssl cl_ssl
ACOS(config-client ssl)# template cipher cl_cipher_template
ACOS(config-client ssl)# forward-proxy-ca-cert a10_root_shared
ACOS(config-client ssl)# forward-proxy-ca-key a10_root_shared
ACOS(config-client ssl)# forward-proxy-enable

5. Within the client SSL template, disable OCSP Stapling for SSL forward proxy.
ACOS(config-client ssl)# forward-proxy-ocsp-disable

6. Within the client SSL template, disable Certificate Revocation List (CRL) services for SSLi (forward-
proxy).
ACOS(config-client ssl)# forward-proxy-crl-disable

7. Within the client SSL template, disable support for SSLv3.
ACOS(config-client ssl)# disable-sslv3
ACOS(config-client ssl)# exit

8. Configure an ACL called ssli_in for incoming traffic to the ACOS device. Configure the ACL to permit IP traffic from any source to any destination for VLAN 10 and VLAN 20 on the interface Ethernet 1:
ACOS(config)# access-list 190 remark ssli_in
ACOS(config)# access-list 190 permit ip any any vlan 10 ethernet 1
ACOS(config)# access-list 190 permit ip any any vlan 20 ethernet 1

9. Configure an ACL called block_quic for dropping QUIC traffic. Configure the ACL to deny UDP traffic from any source to any destination on ports 80 and 443, and to permit all other IP traffic.
ACOS(config)# access-list 191 remark block_quic
ACOS(config)# access-list 191 deny udp any any eq 80
ACOS(config)# access-list 191 deny udp any any eq 443
ACOS(config)# access-list 191 permit ip any any

10. Configure an ACL called ssli_out for outgoing traffic from the ACOS device. Configure the ACL to permit IP traffic from any source to any destination for VLAN 10 and VLAN 20 on the interface Ethernet 3:
ACOS(config)# access-list 192 remark ssli_out
ACOS(config)# access-list 192 permit ip any any vlan 10 ethernet 3
ACOS(config)# access-list 192 permit ip any any vlan 20 ethernet 3

Configuring Network IP Addresses (CLI)


On each virtual interface, enable promiscuous VIP support. When you enable promiscuous VIP support on a VE, the option is automatically enabled on each ethernet data port in the VE. Provision the virtual interfaces to allow promiscuous VIP in order to subject traffic to the rules enabled on each interface. In addition, on any one of the VLANs, assign an IP address and a default gateway. In this example, the IP address and gateway are assigned to interface ve 10, which is associated with VLAN 10. Additionally, bind ACL 191 to the interfaces.

ACOS(config)# interface ve 10
ACOS(config-if:ve10)# access-list 191 in
ACOS(config-if:ve10)# ip address 1.1.1.1 255.255.255.0
ACOS(config-if:ve10)# ip allow-promiscuous-vip
ACOS(config-if:ve10)# exit

ACOS(config)# interface ve 20
ACOS(config-if:ve20)# access-list 191 in
ACOS(config-if:ve20)# ip allow-promiscuous-vip
ACOS(config-if:ve20)# exit

Configuring the Security Device (CLI)


1. Configure a real server called GW at 1.1.1.254 and its ports, with health checks disabled.
ACOS(config)# slb server GW 1.1.1.254
ACOS(config-real server)# port 0 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 0 udp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 443 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit

ACOS(config-real server)# port 8080 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

2. Configure the server service group called GW_TCP_0 of type TCP. Associate GW and port 0 with the
service group.
ACOS(config)# slb service-group GW_TCP_0 tcp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# exit

3. Configure the server service group called GW_TCP_8080 of type TCP. Associate GW and port 443 with
the service group.
ACOS(config)# slb service-group GW_TCP_8080 tcp
ACOS(config-slb svc group)# member GW 443
ACOS(config-slb svc group-member:443)# exit
ACOS(config-slb svc group)# exit

4. Configure the server service group called SSLi_TCP_443 of type TCP. Associate GW and port 8080 with the service group.
ACOS(config)# slb service-group SSLi_TCP_443 tcp
ACOS(config-slb svc group)# member GW 8080
ACOS(config-slb svc group-member:8080)# exit
ACOS(config-slb svc group)# exit

5. Configure the server service group called SSLi_TCP_0 of type TCP. Associate GW and port 0 with the
service group.
ACOS(config)# slb service-group SSLi_TCP_0 tcp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

6. Configure the server service group called SSLi_UDP_0 of type UDP. Associate GW and port 0 with the
service group.
ACOS(config)# slb service-group SSLi_UDP_0 udp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

7. Configure the server service group called GW_UDP_0 of type UDP. Associate GW and port 0 with the
service group.
ACOS(config)# slb service-group GW_UDP_0 udp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group)# exit

Configuring Handling of Incoming Traffic (CLI)


1. Create the wildcard VIP called SSLi_in_ingress at IP address 0.0.0.0 to handle traffic from the cli-
ent network to the ACOS device. The ACL 190 is bound to the wildcard VIP.
ACOS(config)# slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190

2. Associate port 0 of type TCP with service group SSLi_TCP_0. Disable destination NAT. Within the virtual server command level, use the redirect-fwd command to select the forward direction for steering the IP traffic from the client destined for the security device through ethernet 2. Use the use-rcv-hop-for-resp command to send reply traffic for the session back through the same hop where the traffic was received.
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group SSLi_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# exit

3. Within the virtual server command level, associate port 443 of type HTTPS with the service group SSLi_TCP_443 and the client SSL template cl_ssl. Disable destination NAT but keep port translation (no-dest-nat port-translation), so that the decrypted traffic is delivered to the member port 8080 configured in SSLi_TCP_443. Use the redirect-fwd command to select the forward direction for steering the decrypted traffic from the client to the security device through ethernet 2. Use the use-rcv-hop-for-resp command to send reply traffic for the session back through the same hop where the traffic was received.
ACOS(config-slb vserver)# port 443 https
ACOS(config-slb vserver-vport)# service-group SSLi_TCP_443
ACOS(config-slb vserver-vport)# template client-ssl cl_ssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# exit

4. Enable similar configurations for the other ports.
ACOS(config-slb vserver)# port 0 udp
ACOS(config-slb vserver-vport)# service-group SSLi_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 0 others
ACOS(config-slb vserver-vport)# service-group SSLi_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

Configuring Handling of Outgoing Traffic (CLI)


1. Create the wildcard VIP called SSLi_out_ingress at IP address 0.0.0.0 to handle traffic from the
ACOS device to the outside network. The ACL 192 is bound to the wildcard VIP.
ACOS(config)# slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192

2. Associate port 0 of type TCP with service group GW_TCP_0. Disable destination NAT. Within the vir-
tual server command level, use the redirect-rev command to select the reverse direction for
steering the layer 2 traffic from the security device to the ACOS device through ethernet 3. Use the
use-rcv-hop-for-resp command to send reply traffic for the session back through the same hop
where the traffic was received.
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group GW_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# exit

3. Associate port 443 of type TCP with service group GW_TCP_0. Disable destination NAT. Within the
virtual server command level, use the redirect-rev command to select the reverse direction for
steering the layer 2 traffic from the security device to the ACOS device through ethernet 3. Use the
use-rcv-hop-for-resp command to send reply traffic for the session back through the same hop
where the traffic was received.
ACOS(config-slb vserver)# port 443 tcp
ACOS(config-slb vserver-vport)# service-group GW_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# exit

4. Enable similar configurations for the other ports.
ACOS(config-slb vserver)# port 0 udp
ACOS(config-slb vserver-vport)# service-group GW_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 0 others
ACOS(config-slb vserver-vport)# service-group GW_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# service-group GW_TCP_8080
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# template server-ssl sr_ssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# exit

Consolidated Configuration for Single Partition with Tagged VLANs (CLI)


ACOS(config)# show run
!Current configuration: 2593 bytes
!Configuration last updated at 17:01:10 PDT Fri May 19 2017
!Configuration last saved at 14:15:38 PDT Wed May 17 2017
!64-bit Advanced Core OS (ACOS) version 4.1.1-P3, build 28 (May-12-2017,04:15)
!
access-list 190 remark ssli_in
!
access-list 190 permit ip any any vlan 10 ethernet 1
!
access-list 190 permit ip any any vlan 20 ethernet 1
!
access-list 191 remark block_quic
!
access-list 191 deny udp any any eq 80
!
access-list 191 deny udp any any eq 443
!
access-list 191 permit ip any any
!
access-list 192 remark ssli_out
!
access-list 192 permit ip any any vlan 10 ethernet 3
!
access-list 192 permit ip any any vlan 20 ethernet 3
!
multi-config enable
!
system ve-mac-scheme system-mac
!
vlan 10
tagged ethernet 1 to 4
router-interface ve 10
!
vlan 20
tagged ethernet 1 to 4
router-interface ve 20
!
interface management
ip address 10.101.7.103 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ethernet 3
enable
!
interface ethernet 4
enable
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!

interface ethernet 8
!
interface ve 10
access-list 191 in
ip address 1.1.1.1 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
access-list 191 in
ip allow-promiscuous-vip
!
!
ip route 0.0.0.0 /0 1.1.1.254
!
slb template cipher cl_cipher_template
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
user-tag Security,ssli_in
!
slb template cipher sr_cipher_template
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
user-tag Security,ssli_out
!
slb template server-ssl sr_ssl
forward-proxy-enable
template cipher sr_cipher_template
!
slb server GW 1.1.1.254
user-tag Security,ssli_in
port 0 tcp
health-check-disable

user-tag Security,ssli_in_srv_port_0_tcp
port 0 udp
health-check-disable
user-tag Security,ssli_in_srv_port_0_udp
port 443 tcp
health-check-disable
user-tag Security,ssli_in_srv_port_443_tcp
port 8080 tcp
health-check-disable
user-tag Security,ssli_in_srv_port_8080_tcp
!

slb service-group GW_TCP_0 tcp
member GW 0
!
slb service-group GW_TCP_8080 tcp
member GW 443
!
slb service-group GW_UDP_0 udp
member GW 0
!
slb service-group SSLi_TCP_0 tcp
member GW 0
!
slb service-group SSLi_TCP_443 tcp
member GW 8080
!
slb service-group SSLi_UDP_0 udp
member GW 0

!
slb template client-ssl cl_ssl
template cipher cl_cipher_template
forward-proxy-ca-cert a10_root_shared
forward-proxy-ca-key a10_root_shared
forward-proxy-ocsp-disable
forward-proxy-crl-disable
forward-proxy-enable
disable-sslv3
!
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
port 0 tcp
service-group SSLi_TCP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 udp
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 others
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 443 https
service-group SSLi_TCP_443
use-rcv-hop-for-resp
redirect-fwd ethernet 2
template client-ssl cl_ssl
no-dest-nat port-translation
!
slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192
port 0 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 udp
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat

port 0 others
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 443 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 8080 http
service-group GW_TCP_8080
use-rcv-hop-for-resp
redirect-rev ethernet 3
template server-ssl sr_ssl
no-dest-nat port-translation
!
end
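To check what this consolidated configuration does with a given flow, the following Python model (an added example, not ACOS code or part of this guide) evaluates ACLs 190, 191 and 192 first-match style, selects the wildcard VIP and virtual port for the first packet of a flow, and reports the SSL template, redirect interface and translated destination port. It makes visible why SSLi_TCP_443 has member port 8080 while GW_TCP_8080 has member port 443: the https vport decrypts client traffic and hands it to the security device on port 8080, and the http vport on 8080 re-encrypts it towards port 443. The Flow fields, the order of evaluation (the VE-bound ACL 191 before VIP selection) and the fallback to the port 0 vport are assumptions; reverse-direction packets of an established session are not modelled.

```python
"""Offline model of the flow steering in the tagged-VLAN single-partition SSLi
configuration.  Added example, not ACOS code.  The ACL entries, service-group
members and virtual ports are copied from the consolidated configuration; the
evaluation order and the vport fallback are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or anything else (handled by the "others" vport)
    dport: int      # destination port; 0 for protocols without ports
    vlan: int       # 802.1Q tag of the packet
    ingress: int    # ethernet port the packet arrived on (1..4)


# ACL entries as (action, protocol, dport, vlan, ethernet); None is a wildcard.
ACLS = {
    190: [("permit", "ip", None, 10, 1), ("permit", "ip", None, 20, 1)],   # ssli_in
    191: [("deny", "udp", 80, None, None), ("deny", "udp", 443, None, None),
          ("permit", "ip", None, None, None)],                             # block_quic
    192: [("permit", "ip", None, 10, 3), ("permit", "ip", None, 20, 3)],   # ssli_out
}

# Member port from the "member GW <port>" lines.  Port 0 means the original
# destination port is kept (no-dest-nat without port-translation).
MEMBER_PORT = {"SSLi_TCP_443": 8080, "GW_TCP_8080": 443,
               "SSLi_TCP_0": 0, "SSLi_UDP_0": 0, "GW_TCP_0": 0, "GW_UDP_0": 0}

# Wildcard VIPs: ACL that selects the VIP, then
# (protocol, vport) -> (service group, SSL template, redirect command).
VIPS = {
    "SSLi_in_ingress": (190, {
        ("tcp", 443):  ("SSLi_TCP_443", "client-ssl cl_ssl", "redirect-fwd ethernet 2"),
        ("tcp", 0):    ("SSLi_TCP_0", None, "redirect-fwd ethernet 2"),
        ("udp", 0):    ("SSLi_UDP_0", None, "redirect-fwd ethernet 2"),
        ("others", 0): ("SSLi_UDP_0", None, "redirect-fwd ethernet 2"),
    }),
    "SSLi_out_ingress": (192, {
        ("tcp", 8080): ("GW_TCP_8080", "server-ssl sr_ssl", "redirect-rev ethernet 3"),
        ("tcp", 443):  ("GW_TCP_0", None, "redirect-rev ethernet 3"),
        ("tcp", 0):    ("GW_TCP_0", None, "redirect-rev ethernet 3"),
        ("udp", 0):    ("GW_UDP_0", None, "redirect-rev ethernet 3"),
        ("others", 0): ("GW_UDP_0", None, "redirect-rev ethernet 3"),
    }),
}


def acl_permits(acl_id: int, f: Flow) -> bool:
    """First matching entry decides; an ACL with no matching entry denies."""
    for action, proto, dport, vlan, eth in ACLS[acl_id]:
        if proto != "ip" and proto != f.proto:
            continue
        if dport is not None and dport != f.dport:
            continue
        if vlan is not None and vlan != f.vlan:
            continue
        if eth is not None and eth != f.ingress:
            continue
        return action == "permit"
    return False


def steer(f: Flow) -> dict:
    """Decide what the configuration does with the first packet of a flow."""
    # ACL 191 is bound inbound on ve 10 and ve 20 (assumed to run before VIP
    # selection): QUIC on UDP 80/443 is dropped so the client falls back to
    # TCP, which the https vport can decrypt and inspect.
    if not acl_permits(191, f):
        return {"action": "drop", "reason": "acl 191 block_quic"}
    for vip_name, (acl_id, vports) in VIPS.items():
        if not acl_permits(acl_id, f):
            continue
        key = (f.proto, f.dport)
        if key not in vports:  # assumed fallback to the protocol's port 0 vport
            key = (f.proto if f.proto in ("tcp", "udp") else "others", 0)
        group, template, redirect = vports[key]
        return {
            "action": "forward",
            "vip": vip_name,
            "service_group": group,
            "ssl_template": template,
            "redirect": redirect,
            "egress_dport": MEMBER_PORT[group] or f.dport,
        }
    return {"action": "bypass", "reason": "no VIP ACL matched"}


if __name__ == "__main__":
    # Constructed sample flows for the topology in Figure 18.
    for flow in (Flow("tcp", 443, 10, 1),    # HTTPS from a VLAN 10 client on e1
                 Flow("udp", 443, 10, 1),    # QUIC attempt from the same client
                 Flow("tcp", 8080, 10, 3),   # decrypted flow back from the security device
                 Flow("tcp", 443, 30, 1)):   # VLAN 30 is not selected for inspection
        print(flow, "->", steer(flow))
```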

Configuration for Tagged VLANs by Using the GUI


The following sections describe how to configure SSLi for this deployment by using the ACOS GUI. The workflow includes the following:

• Configuring the Network VLANs (GUI)

• Configuring the SSLi Services (GUI)

• Configuring the VIPs (GUI)

• Configuring the Security Device (GUI)

• Configuring Handling of Incoming Traffic (GUI)

• Configuring Handling of Outgoing Traffic (GUI)

Configuring the Network VLANs (GUI)


In this section, first create the VLANs 10 and 20 and the interfaces e1, e2, e3, and e4. Associate the e1,
e2, e3, and e4 interfaces with the VLANs. Finally, enable the interfaces.

Creating the VLANs

To create the VLANs:


1. Navigate to Network > VLAN and click Create.
The Create VLAN page is displayed.
2. Enter the following details to create VLAN 10.
a. VLAN ID: 10
b. Name: VLAN10
c. Select Create Virtual Interface.
d. For Tagged Ethernet, select 1, 2, 3, and 4.
e. Click Create VLAN.
VLAN10 is created.

3. Repeat step 1 and step 2 to create VLAN 20. For Tagged Ethernet, select 1, 2, 3, and 4.

The tagged VLANs are created. You must now enable the interfaces associated with the VLANs.

Enabling the Network Interfaces

To enable the network interfaces associated with the tagged VLANs:

1. Navigate to Network > Interfaces.
2. Select e1, e2, e3, and e4.
3. Click Enable to enable the interfaces.
The icons for the interfaces change to a green up-arrow.

You can now proceed to configuring the SSLi services.

Configuring the SSLi Services (GUI)


In this section, create the two cipher templates to be associated with the SSL templates. Next, create
the server SSL and client SSL templates. Associate the client cipher template with the client SSL
template. Associate the server cipher template with the server SSL template. Finally, create the ACL
lists to define how to handle incoming traffic, outgoing traffic, and which traffic to drop for inspection.

Creating the Client and Server Cipher Templates

A cipher template contains a list of ciphers. A client or server that connects to a virtual port can use only the ciphers that are listed in the template. A cipher template must be bound to a client or server SSL template.

To create the client cipher template:

1. Navigate to ADC > Templates > SSL.
2. Select Create > SSL Cipher.
The Create SSL Cipher Template page is displayed.
3. Enter the name as cl_cipher_template.
4. For Cipher Config, click Add.
5. For Cipher Suite, select TLS1_RSA_AES_256_SHA.
6. Add the following ciphers by clicking Add for each cipher and selecting the appropriate one from
the drop-down menu:
• TLS1_RSA_AES_128_GCM_SHA256
• TLS1_RSA_AES_256_GCM_SHA384
• TLS1_ECDHE_RSA_AES_128_SHA
• TLS1_ECDHE_RSA_AES_256_SHA
• TLS1_ECDHE_RSA_AES_128_SHA256
• TLS1_ECDHE_RSA_AES_128_GCM_SHA256

NOTE: Priority values are supported only for client-SSL templates. If a cipher
template is used by a server-SSL template, the priority values in the
cipher template are ignored. In this example, since all the ciphers have
equal priority, ACOS selects the strongest available cipher.

7. Click Create.
The cl_cipher_template cipher template is created.

Repeat the procedure to create a server cipher template called sr_cipher_template and configured
with the following ciphers:

• TLS1_RSA_AES_128_SHA

• TLS1_RSA_AES_256_SHA

• TLS1_RSA_AES_128_GCM_SHA256

• TLS1_RSA_AES_256_GCM_SHA384

• TLS1_ECDHE_RSA_AES_128_SHA

• TLS1_ECDHE_RSA_AES_256_SHA

• TLS1_ECDHE_RSA_AES_128_SHA256

• TLS1_ECDHE_RSA_AES_128_GCM_SHA256

Proceed to creating the client SSL template and the server SSL template and associating these templates with the correct SSL cipher template.

Creating the Client SSL Template

To create the client SSL template:

1. Navigate to Security > SSLi > Templates.
2. Select Create > Client SSL.
The Create Client SSL Template page is displayed.
3. For Name, enter cl_ssl.
4. Under the Basic tab, select Forward Proxy Enable for SSLi.
5. For SSLi Forward Proxy CA Cert, select your appropriate certificate.
6. For SSLi Forward Proxy CA Key, select your appropriate key.
7. Under Ciphers, select Template.
From the drop-down menu, select cl_cipher_template.

NOTE: You had already created the client cipher template in “Creating the Client
and Server Cipher Templates” on page 133.

8. Under the Advanced tab, select Forward Proxy OCSP Disable.
9. Click OK to create the client SSL template.

Creating the Server SSL Template

To create the server SSL template:

1. Navigate to Security > SSLi > Templates.
2. Select Create > Server SSL.
The Create Server SSL Template page is displayed.
3. For Name, enter sr_ssl.
4. Select SSL Forward Proxy Enable.
5. For Cipher, select Template.
From the drop-down menu, select sr_cipher_template.

NOTE: You had already created the server cipher template in “Creating the Client
and Server Cipher Templates” on page 133.

6. Click Create.
The server SSL template is created.

Creating an ACL

You must create three ACLs to govern three types of traffic: incoming traffic, traffic to be dropped, and outgoing traffic.

To create the ACL 190 for incoming traffic:

1. Navigate to Security > Access List > Extended.
2. Click Create.
The Create Extended Access List page is displayed.
3. For ID, enter 190.
4. For Sequence number, enter 1.
5. Select Remark.
6. For Remark, enter ssli_in.
7. Select Create.
The ACL 190 is created.

You can now add rules to the ACL.

Adding Rules to an ACL

To add a rule to ACL 190 that permits IP traffic on VLAN 10 and interface e1:

1. Select ACL 190 and click Add New Rule.
2. Enter the Sequence Number as 2.
3. Select Entry.
4. For Action, select Permit.
5. For Service, select Protocol and IP.
6. For Source Address, select Source Address and Any.
7. For Destination Address, select Destination Address and Any.
8. For Match Type, select VLAN.
9. Enter VLAN value as 10.
10. For Interface Type, select Ethernet.
11. For the Ethernet number, select 1 from the drop-down menu.
12. Click Create.
A new rule is added to ACL 190.

13. Repeat the procedure to add another rule to ACL 190 that permits IP traffic on VLAN 20 and interface e1.

Similarly, create ACL 191 and ACL 192.

The configuration statements are provided for reference:

access-list 191 remark block_quic
!
access-list 191 deny udp any any eq 80
!
access-list 191 deny udp any any eq 443
!
access-list 191 permit ip any any
!
access-list 192 remark ssli_out
!
access-list 192 permit ip any any vlan 10 ethernet 3
!
access-list 192 permit ip any any vlan 20 ethernet 3

You can now associate the ACLs with the VIPS.

Configuring the VIPs (GUI)


The virtual interfaces or VIPs are already created as VE 10 and VE 20 in section “Configuring the Network VLANs (GUI)” on page 132. The following section modifies the properties of the VIPs.

1. Navigate to Network > Interfaces > Virtual Ethernets.
2. Select VE 10 and click Edit.
3. Under IP, enter the IP address 1.1.1.1 with the netmask 255.255.255.0.
4. Enable Allow Promiscuous VIP.
5. Select Access List as 191.
You created the Access List in “Creating an ACL” on page 136.
6. Click Update.
Interface VE 10 is updated.
7. Select VE 20 and click Edit.
8. Select Access List as 191.
9. Enable Allow Promiscuous VIP.
10.Click Update.
Interface VE 20 is updated.

You are now ready to define the real server and its ports.

Configuring the Security Device (GUI)


In this section, first create the real server GW. Then, create service groups and associate the real server
and a port to each of the service groups.

Creating the Real Server and its Ports

To create the real server GW and its ports:

1. Navigate to ADC > SLB > Servers.
2. Click Create and configure the following real server settings:
• Name: GW
• Type: IPv4
• Host: 1.1.1.254
• Action: Enable
• Select Disable Health Check.
3. Under Port, click Create, and configure the following port settings:
• Port Number: 0
• Protocol: TCP
• Select Disable Health Check.
4. Click Create.
Port 0 of type TCP is now associated with GW.
5. Similarly, associate the following ports with GW:
• Port 0 of type UDP.
• Port 443 of type TCP.
• Port 8080 of type TCP.
6. Click Update to create the real server GW.

Proceed to creating the service groups.

Creating the Service Groups

To create and associate the service group GW_TCP_0 with GW and port 0:

1. Navigate to ADC > SLB > Service Groups.
2. Click Create and configure the following settings:


• Name: GW_TCP_0
• Protocol: TCP
3. Under Member, select Create.
The Create Member page is displayed.
4. Under Choose Creation Type, select Existing Server.
5. For Server, select GW from the drop-down menu.
6. For Port, select 0.
7. Select State as Enable.
8. Click Create.
GW and port 0 are now associated with the service group GW_TCP_0 (type TCP).

Repeat the procedure to configure the following:

• Service group GW_TCP_8080 of type TCP.
Associate GW and port 8080 with this service group.
• Service group SSLi_TCP_443 of type TCP.
Associate GW and port 443 with this service group.
• Service group SSLi_TCP_0 of type TCP.
Associate GW and port 0 with this service group.
• Service group SSLi_UDP_0 of type UDP.
Associate GW and port 0 with this service group.
• Service group GW_UDP_0 of type UDP.
Associate GW and port 0 with this service group.

Configuring Handling of Incoming Traffic (GUI)


Create a virtual server for incoming traffic called SSLi_in_ingress.

1. Navigate to ADC > SLB > Virtual Servers.
2. Click Create.
The Create Virtual Server page is displayed.
3. For Name, enter SSLi_in_ingress, and configure the following:
• Select Wildcard.
• For Address Type, select IPv4.
• For Action, select Enable.
• For Access List, select 190.


4. Under Virtual Port, click Create.
The Create Virtual Port page is displayed. Configure the following:
• For Protocol, select TCP.
• For Port, select 0.
• For Action, select Enable.
• For Service Group, select SSLi_TCP_0.
5. Expand General Fields and select the following:
• No Dest NAT.
• Use Rcv Hop For Resp.
• For Redirect Forward, select Ethernet.
6. Click Create.
The Virtual Port is created and added to the virtual server.

Similarly, create and add ports of the following properties:

port 0 udp
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 others
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 443 https
service-group SSLi_TCP_443
use-rcv-hop-for-resp
redirect-fwd ethernet 2
template client-ssl cl_ssl
no-dest-nat port-translation

Configuring Handling of Outgoing Traffic (GUI)


Create a virtual server for outgoing traffic called SSLi_out_ingress.


1. Navigate to ADC > SLB > Virtual Servers.
2. Click Create.
The Create Virtual Server page is displayed.
3. For Name, enter SSLi_out_ingress, and configure the following:
• Select Wildcard.
• For Address Type, select IPv4.
• For Action, select Enable.
• For Access List, select 192.
4. Under Virtual Port, click Create.
The Create Virtual Port page is displayed. Configure the following:
• For Protocol, select TCP.
• For Port, select 0.
• For Action, select Enable.
• For Service Group, select GW_TCP_0.
5. Expand General Fields and select the following:
• No Dest NAT.
• Use Rcv Hop For Resp.
• For Redirect Reverse, select Ethernet, and then select 3.
6. Click Create.
The Virtual Port is created and added to the virtual server.

Similarly, create and add ports of the following properties:

port 0 udp
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 others
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 443 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat


port 8080 http
service-group GW_TCP_8080
use-rcv-hop-for-resp
redirect-rev ethernet 3
template server-ssl sr_ssl
no-dest-nat port-translation

Finally, click Update to complete creating the virtual server.

L2 Deployment with Untagged VLANs


Figure 19 is an example of an SSLi L2 deployment by using untagged VLANs. To understand how the
traffic flows in this deployment, see “Architecture of Single Partition Deployment” on page 117.

NOTE: To perform the procedure by using the GUI, see “Configuration for Tagged VLANs by Using the GUI” on page 132. Refer to the “Consolidated Configuration for Single Partition with Untagged VLANs (CLI)” on page 149 while using the GUI for deviations in values and configurations.

FIGURE 19 L2 Deployment with Untagged VLANs

The following sections describe how to configure SSLi for this deployment by using the ACOS CLI. The workflow includes the following:

• Initial Configuration for Untagged VLANs by using CLI

• Configuring the Default VLAN (CLI)


• Configuring the SSLi services for Untagged VLANs (CLI)

• Configuring Network IP Addresses for Untagged VLANs (CLI)

• Configuring the Security Device for Untagged VLANs (CLI)

• Configuring Handling of Incoming Traffic for Untagged VLANs (CLI)

• Configuring Handling of Outgoing Traffic for Untagged VLAN (CLI)

• Consolidated Configuration for Single Partition with Untagged VLANs (CLI)

Initial Configuration for Untagged VLANs by using CLI


1. Enter the configuration mode for the ACOS device:
ACOS>
ACOS>enable
Password:
ACOS#config
ACOS(config)#

The configuration mode is denoted by the ACOS(config)# prompt.


2. To avoid duplicate MAC addresses on the shared VLAN, add the global command system ve-mac-scheme system-mac.
ACOS(config)# system ve-mac-scheme system-mac

3. Assign an IP address and default gateway to the management interface:
ACOS(config)# interface management
ACOS(config-if:management)# ip address 10.101.7.103 255.255.252.0
ACOS(config-if:management)# ip default-gateway 10.101.4.1
ACOS(config-if:management)# exit

Configuring the Default VLAN (CLI)


1. Configure the default VLAN. Bind ethernet ports 1 to 4 to the VLAN. Also, bind a virtual interface ve
to the VLAN. In this example, a default VLAN of 850 is configured.
ACOS(config)# vlan 850
ACOS(config-vlan:850)# untagged ethernet 1 to 4
ACOS(config-vlan:850)# router-interface ve 850
ACOS(config-vlan:850)# exit

2. Enable the ethernet interfaces 1 to 4 on the ACOS device that are associated with the VLAN:
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit

ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable


ACOS(config-if:ethernet:2)# exit

ACOS(config)# interface ethernet 3
ACOS(config-if:ethernet:3)# enable
ACOS(config-if:ethernet:3)# exit

ACOS(config)# interface ethernet 4
ACOS(config-if:ethernet:4)# enable
ACOS(config-if:ethernet:4)# exit

3. Verify the operational state of the interfaces by running the show interfaces brief command.
ACOS(config)# show interfaces brief

Configuring the SSLi services for Untagged VLANs (CLI)


1. Configure a cipher settings template called cl_cipher_template. This template is associated with
the SSL client template.
ACOS(config)# slb template cipher cl_cipher_template
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# TLS1_RSA_AES_256_GCM_SHA384
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA256
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# exit

2. Configure a cipher settings template called sr_cipher_template. This template is associated with
the SSL server template.
ACOS(config)# slb template cipher sr_cipher_template
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# TLS1_RSA_AES_256_GCM_SHA384
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_256_SHA
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_SHA256
ACOS(config-cipher)# TLS1_ECDHE_RSA_AES_128_GCM_SHA256
ACOS(config-cipher)# exit

3. Create a server SSL template called sr_ssl so that the VIP on the SSLi device can operate as an SSL client and handshake with an external server. Enable forward proxy services on the template to enable SSLi operation on the VIP. Associate the sr_cipher_template with the server SSL template.
ACOS(config)# slb template server-ssl sr_ssl
ACOS(config-server ssl)# forward-proxy-enable


ACOS(config-server ssl)# template cipher sr_cipher_template
ACOS(config-server ssl)# exit

4. Configure an SLB template of type TCP.
ACOS(config)# slb template tcp tcp

5. Configure an SLB template of type tcp-proxy.
ACOS(config)# slb template tcp-proxy tcp-proxy

6. Traffic selected to be forwarded to the security device is governed by the redirect-fwd configuration. All the IP traffic passing the vport that has the redirect-fwd command configured is redirected to the security device. Configure the client SSL template to provide the attributes which enable SSLi, specify the SSLi self-signed certificate, and private key. Associate the cl_cipher_template with the client SSL template.
ACOS(config)# slb template client-ssl cl_ssl
ACOS(config-client ssl)# template cipher cl_cipher_template
ACOS(config-client ssl)# forward-proxy-ca-cert a10_root_shared
ACOS(config-client ssl)# forward-proxy-ca-key a10_root_shared
ACOS(config-client ssl)# forward-proxy-enable

7. Within the client SSL template, disable OCSP Stapling for SSL forward proxy.
ACOS(config-client ssl)# forward-proxy-ocsp-disable

8. Within the client SSL template, disable Certificate Revocation List (CRL) services for SSLi (forward-
proxy).
ACOS(config-client ssl)# forward-proxy-crl-disable

9. Within the client SSL template, disable support for SSLv3.
ACOS(config-client ssl)# disable-sslv3
ACOS(config-client ssl)# exit

10. Configure the ACL to permit IP traffic from any source to any destination for the VLAN on the interface Ethernet 1:
ACOS(config)# access-list 190 remark ssli_in
ACOS(config)# access-list 190 permit ip any any vlan 850 ethernet 1

11. Configure an ACL for dropping traffic called block_quic. Configure the ACL to drop UDP-based traffic from any source to any destination on ports 80 and 443. All other IP traffic is permitted to be forwarded.
ACOS(config)# access-list 191 remark block_quic
ACOS(config)# access-list 191 deny udp any any eq 80
ACOS(config)# access-list 191 deny udp any any eq 443
ACOS(config)# access-list 191 permit ip any any

12. Configure an ACL for outgoing traffic from the ACOS device called ssli_out. Configure the ACL to permit IP traffic from any source to any destination for the VLAN on the interface Ethernet 3:
ACOS(config)# access-list 192 remark ssli_out
ACOS(config)# access-list 192 permit ip any any vlan 850 ethernet 3


Configuring Network IP Addresses for Untagged VLANs (CLI)


On the virtual interface 850, enable promiscuous VIP support. When you enable promiscuous VIP support on a VE, the option is automatically enabled on each ethernet data port in the VE. Provision the virtual interfaces to allow promiscuous IP in order to subject traffic to the rules enabled on each interface. In addition, assign an IP address and a default gateway to the VLAN. In this example, we assign the IP address and gateway to interface ve 850. Additionally, bind ACL 191 to the interface.

ACOS(config)# interface ve 850
ACOS(config-if:ve850)# access-list 191 in
ACOS(config-if:ve850)# ip address 1.1.1.1 255.255.255.0
ACOS(config-if:ve850)# ip allow-promiscuous-vip
ACOS(config-if:ve850)# exit

Configuring the Security Device for Untagged VLANs (CLI)


1. Configure the server GW and its ports.
ACOS(config)# slb server GW 1.1.1.254
ACOS(config-real server)# port 0 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# port 0 udp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# port 443 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# port 8080 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

2. Configure the server service group called GW_TCP_0 of type TCP. Associate GW and port 0 with the
service group.
ACOS(config)# slb service-group GW_TCP_0 tcp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# exit

3. Configure the server service group called GW_TCP_8080 of type TCP. Associate GW and port 443 with
the service group.
ACOS(config)# slb service-group GW_TCP_8080 tcp
ACOS(config-slb svc group)# member GW 443
ACOS(config-slb svc group-member:443)# exit


ACOS(config-slb svc group)# exit

4. Configure the server service group called SSLi_TCP_443 of type TCP. Associate GW and port 8080
with the service group.
ACOS(config)# slb service-group SSLi_TCP_443 tcp
ACOS(config-slb svc group)# member GW 8080
ACOS(config-slb svc group-member:8080)# exit
ACOS(config-slb svc group)# exit

5. Configure the server service group called SSLi_TCP_0 of type TCP. Associate GW and port 0 with the
service group.
ACOS(config)# slb service-group SSLi_TCP_0 tcp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# exit

6. Configure the server service group called SSLi_UDP_0 of type UDP. Associate GW and port 0 with the
service group.
ACOS(config)# slb service-group SSLi_UDP_0 udp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# exit

7. Configure the server service group called GW_UDP_0 of type UDP. Associate GW and port 0 with the
service group.
ACOS(config)# slb service-group GW_UDP_0 udp
ACOS(config-slb svc group)# member GW 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# exit

Configuring Handling of Incoming Traffic for Untagged VLANs (CLI)


1. Create the wildcard VIP called SSLi_in_ingress at IP address 0.0.0.0 to handle traffic from the client network to the ACOS device. The ACL 190 is bound to the wildcard VIP.
ACOS(config)# slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190

2. Associate port 0 of type TCP with service group SSLi_TCP_0. Disable destination NAT.
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group SSLi_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat

3. Within the virtual server command level, use the redirect-fwd command to select the forward
direction for steering the layer 2 traffic from the client destined for the security device through
ethernet 2. Use the use-rcv-hop-for-resp command to send reply traffic for the session back
through the same hop where the traffic was received.
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# exit

4. Within the virtual server command level, associate port 443 of type HTTPS with the service group
SSLi_TCP_443 and the client SSL template cl_ssl. Disable destination NAT.
ACOS(config-slb vserver)# port 443 https


ACOS(config-slb vserver-vport)# service-group SSLi_TCP_443
ACOS(config-slb vserver-vport)# template client-ssl cl_ssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation

5. Within the virtual port command level, use the redirect-fwd command to select the forward direction for steering the decrypted layer 2 traffic toward the security device through ethernet 2. Use the use-rcv-hop-for-resp command to send reply traffic for the session back through the same hop where the traffic was received.
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# exit

6. Enable similar configurations for the other ports.
ACOS(config-slb vserver)# port 0 udp
ACOS(config-slb vserver-vport)# service-group SSLi_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 0 others
ACOS(config-slb vserver-vport)# service-group SSLi_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 2
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

Configuring Handling of Outgoing Traffic for Untagged VLAN (CLI)


1. Create the wildcard VIP called SSLi_out_ingress at IP address 0.0.0.0 to handle traffic from the
ACOS device to the outside network. The ACL 192 is bound to the wildcard VIP.
ACOS(config)# slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192

2. Associate port 0 of type TCP with service group GW_TCP_0. Disable destination NAT.
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group GW_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat

3. Within the virtual server command level, use the redirect-rev command to select the reverse
direction for steering the layer 2 traffic from the security device to the ACOS device through ether-
net 3. Use the use-rcv-hop-for-resp command to send reply traffic for the session back through
the same hop where the traffic was received.
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# exit

4. Associate port 443 of type TCP with service group GW_TCP_0. Disable destination NAT.
ACOS(config-slb vserver)# port 443 tcp


ACOS(config-slb vserver-vport)# service-group GW_TCP_0
ACOS(config-slb vserver-vport)# no-dest-nat

5. Within the virtual server command level, use the redirect-rev command to select the reverse
direction for steering the layer 2 traffic from the security device to the ACOS device through ether-
net 3. Use the use-rcv-hop-for-resp command to send reply traffic for the session back through
the same hop where the traffic was received.
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# exit

6. Enable similar configurations for the other ports.
ACOS(config-slb vserver)# port 0 udp
ACOS(config-slb vserver-vport)# service-group GW_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 0 others
ACOS(config-slb vserver-vport)# service-group GW_UDP_0
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# exit

ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# service-group GW_TCP_8080
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 3
ACOS(config-slb vserver-vport)# template server-ssl sr_ssl
ACOS(config-slb vserver-vport)# no-dest-nat port-translation
ACOS(config-slb vserver-vport)# exit

Consolidated Configuration for Single Partition with Untagged VLANs (CLI)


TH3230S#show run
!Current configuration: 2333 bytes
!Configuration last updated at 17:03:06 PDT Fri May 19 2017
!Configuration last saved at 14:15:38 PDT Wed May 17 2017
!64-bit Advanced Core OS (ACOS) version 4.1.1-P3, build 28 (May-12-2017,04:15)
!
access-list 190 remark ssli_in
!
access-list 190 permit ip any any vlan 850 ethernet 1
!
access-list 191 remark block_quic


!
access-list 191 deny udp any any eq 80
!
access-list 191 deny udp any any eq 443
!
access-list 191 permit ip any any
!
access-list 192 remark ssli_out
!
access-list 192 permit ip any any vlan 850 ethernet 3
!
multi-config enable
!
!
system ve-mac-scheme system-mac
!
vlan 850
untagged ethernet 1 to 4
router-interface ve 850
!

!
interface management
ip address 10.101.7.103 255.255.252.0
ip default-gateway 10.101.4.1
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ethernet 3
enable
!
interface ethernet 4
enable
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!


interface ethernet 8
!
interface ve 850
access-list 191 in
ip address 1.1.1.1 255.255.255.0
ip allow-promiscuous-vip
!
ip route 0.0.0.0 /0 1.1.1.254
!
slb template cipher cl_cipher_template
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
!
slb template cipher sr_cipher_template
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
!
slb template server-ssl sr_ssl
forward-proxy-enable
template cipher sr_cipher_template
!
slb server GW 1.1.1.254
user-tag Security,ssli_in
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 443 tcp
health-check-disable
port 8080 tcp
health-check-disable
!


slb service-group GW_TCP_0 tcp
member GW 0
!
slb service-group GW_TCP_8080 tcp
member GW 443
!
slb service-group GW_UDP_0 udp
member GW 0
!
slb service-group SSLi_TCP_0 tcp
member GW 0
!
slb service-group SSLi_TCP_443 tcp
member GW 8080
!
slb service-group SSLi_UDP_0 udp
member GW 0
!
slb template client-ssl cl_ssl
template cipher cl_cipher_template
forward-proxy-ca-cert test
forward-proxy-ca-key test
forward-proxy-ocsp-disable
forward-proxy-crl-disable
forward-proxy-enable
disable-sslv3
!
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
user-tag Security,ssli_in
port 0 tcp
service-group SSLi_TCP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 udp
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat
port 0 others
service-group SSLi_UDP_0
use-rcv-hop-for-resp
redirect-fwd ethernet 2
no-dest-nat


port 443 https
service-group SSLi_TCP_443
use-rcv-hop-for-resp
redirect-fwd ethernet 2
template client-ssl cl_ssl
no-dest-nat port-translation
!
slb virtual-server SSLi_out_ingress 0.0.0.0 acl 192
user-tag Security,ssli_out
port 0 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 udp
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 0 others
service-group GW_UDP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 443 tcp
service-group GW_TCP_0
use-rcv-hop-for-resp
redirect-rev ethernet 3
no-dest-nat
port 8080 http
service-group GW_TCP_8080
use-rcv-hop-for-resp
redirect-rev ethernet 3
template server-ssl sr_ssl
no-dest-nat port-translation
!
end
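The ACLs, wildcard VIPs and virtual ports in this consolidated configuration (and the equivalent tagged-VLAN GUI procedure earlier in this chapter) together form a packet classifier. The following Python model is an added illustration, not part of the guide or of ACOS: it re-implements that classification over constructed flows so that the effect of no-dest-nat port-translation, redirect-fwd/redirect-rev and the block_quic ACL can be checked; the flow tuples and the shape of the returned dictionary are assumptions of the model, while VLAN, interface, port and service-group values are taken from the configuration above.

```python
"""Model of the single-partition L2 SSLi steering configured on this page.

Added illustration, not A10 code: it re-implements the classification that
ACL 190/191/192, the two wildcard VIPs and their virtual ports perform, so
the effect of no-dest-nat port-translation, redirect-fwd/redirect-rev and
the block_quic ACL can be checked on constructed flows.  VLAN, port and
service-group values come from the consolidated configuration.
"""

# ACL 191, bound inbound on ve 850 (first match wins).  Dropping UDP 80 and
# 443 stops QUIC so browsers fall back to TCP HTTPS, which the client-ssl
# virtual port can decrypt.
ACL_191 = [
    ("deny", "udp", 80),
    ("deny", "udp", 443),
    ("permit", "ip", None),
]

# ACL 190 / ACL 192 pick the wildcard VIP by the (vlan, ethernet) of arrival.
VIP_SELECT = {
    (850, 1): "SSLi_in_ingress",   # ACL 190: from the client side
    (850, 3): "SSLi_out_ingress",  # ACL 192: back from the security device
}

# Virtual ports per VIP, keyed by (port, protocol).  Port 0 is the wildcard
# for its protocol; "others" covers protocols other than TCP and UDP.
# sg_port is the real-server port behind the service group; it replaces the
# destination port only where no-dest-nat port-translation is configured.
VPORTS = {
    "SSLi_in_ingress": {
        (0, "tcp"):    dict(sg="SSLi_TCP_0",   sg_port=0,    ssl=None,      redirect=("fwd", 2), xlate=False),
        (0, "udp"):    dict(sg="SSLi_UDP_0",   sg_port=0,    ssl=None,      redirect=("fwd", 2), xlate=False),
        (0, "others"): dict(sg="SSLi_UDP_0",   sg_port=0,    ssl=None,      redirect=("fwd", 2), xlate=False),
        (443, "tcp"):  dict(sg="SSLi_TCP_443", sg_port=8080, ssl="decrypt", redirect=("fwd", 2), xlate=True),
    },
    "SSLi_out_ingress": {
        (0, "tcp"):    dict(sg="GW_TCP_0",    sg_port=0,   ssl=None,         redirect=("rev", 3), xlate=False),
        (0, "udp"):    dict(sg="GW_UDP_0",    sg_port=0,   ssl=None,         redirect=("rev", 3), xlate=False),
        (0, "others"): dict(sg="GW_UDP_0",    sg_port=0,   ssl=None,         redirect=("rev", 3), xlate=False),
        (443, "tcp"):  dict(sg="GW_TCP_0",    sg_port=0,   ssl=None,         redirect=("rev", 3), xlate=False),
        (8080, "tcp"): dict(sg="GW_TCP_8080", sg_port=443, ssl="re-encrypt", redirect=("rev", 3), xlate=True),
    },
}


def acl_191_permits(proto, dst_port):
    """Evaluate ACL 191 for one packet; implicit deny if nothing matches."""
    for action, acl_proto, acl_port in ACL_191:
        if acl_proto == "ip" or (acl_proto == proto and acl_port == dst_port):
            return action == "permit"
    return False


def steer(vlan, eth, proto, dst_port=None):
    """Return how the SSLi device handles a packet arriving on (vlan, eth).

    proto is "tcp", "udp" or "others"; dst_port is None for "others".
    """
    if vlan == 850 and not acl_191_permits(proto, dst_port):
        return {"action": "drop", "reason": "ACL 191 block_quic"}
    vip = VIP_SELECT.get((vlan, eth))
    if vip is None:
        # eth 2 and eth 4 match neither VIP ACL: the frame is only bridged.
        return {"action": "bridge", "vip": None}
    vports = VPORTS[vip]
    key = (dst_port, proto) if (dst_port, proto) in vports else (0, proto)
    vp = vports[key]
    return {
        "action": "forward",
        "vip": vip,
        "vport": key,
        "service_group": vp["sg"],
        "dst_port_out": vp["sg_port"] if vp["xlate"] else dst_port,
        "ssl": vp["ssl"],
        "redirect": vp["redirect"],
    }


def https_round_trip():
    """One client HTTPS request through both VIPs: decrypted toward the
    security device on port 8080, then re-encrypted back to port 443."""
    inbound = steer(850, 1, "tcp", 443)
    outbound = steer(850, 3, "tcp", inbound["dst_port_out"])
    return inbound, outbound


if __name__ == "__main__":
    # Constructed sample flows, one per steering outcome.
    for flow in [(850, 1, "udp", 443),     # QUIC attempt: dropped by ACL 191
                 (850, 1, "tcp", 443),     # HTTPS: decrypted, 443 -> 8080
                 (850, 3, "tcp", 8080),    # back from inspection: re-encrypted
                 (850, 1, "tcp", 22),      # SSH: passed through unchanged
                 (850, 1, "others", None), # ICMP etc.: wildcard "others" port
                 (850, 2, "tcp", 80)]:     # arrives on eth 2: bridged only
        print(flow, "->", steer(*flow))
```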


SSH Insight

ACOS provides support for intercepting, decrypting, and re-encrypting Secure Shell (SSH) sessions.
Only static port SSH Insight (SSHi) with RSA keys is supported in this release. The purpose of the SSH
Insight (SSHi) feature is to transparently intercept and decrypt SSH traffic so that it can be inspected
for security reasons, and then re-encrypt the traffic before forwarding it to the SSH server.

NOTE: This chapter uses the CLI to configure SSHi. To complete the procedure in the GUI, refer to the similar procedure described in “SSLi Configuration for Two ACOS Devices Each With a Single Partition (GUI)” on page 52 and use the consolidated CLI configuration included in “Consolidated Configuration for Static Port Type SSH” on page 168.

The following topics are covered:

• Configuring RSA Keys

• SSHi Deployment Overview

• SSHi Deployment Example

• Consolidated Configuration for Static Port Type SSH

• Related Information

Configuring RSA Keys


The RSA keys are generated either with the ssh-keygen CLI command or on Windows (PuTTY Key Generator), and can then be imported to the ACOS device.

The following topics are covered:

• Generating a Key using Remote Client

• Generating a Key using Windows

• Importing the Key to ACOS Device


Generating a Key using Remote Client


The administrator can access the CLI of a remote client and generate an RSA key pair using the SSH client tools. The key pair consists of a public and a private key.

NOTE: Although only a single RSA host key is supported, clients can connect to
multiple remote SSH hosts if required.

The following example shows how to generate a key pair with the ssh-keygen command.

# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
16:0d:b5:95:76:51:86:2d:2c:28:2b:06:a8:e6:4f:c0 root@user-VirtualBox
The key's randomart image is:
+--[ RSA 2048]----+
| . .....o.=o|
| . . .o.o+ =..|
|.. . .oo. o . |
|.E o .. |
|o . . .S |
| . . . |
| o |
| . |
| |
+-----------------+

After the key pair is generated, the public key must be copied to the server and added to its authorized_keys file:

ssh-copy-id -i /root/.ssh/id_rsa.pub user@host

Generating a Key using Windows


The administrator can launch the PuTTYgen application from the Windows Programs list and generate an RSA key pair.

1. Launch the PuTTYgen application.


FIGURE 20 Key Generator

2. Set the Number of bits in a generated key value to at least 2048, and then click Generate.

NOTE: You will be instructed to move the mouse cursor around within the PuTTY Key Generator window as a randomizer to generate the private key.


FIGURE 21 Generating a Key

3. Click Save private key and save the private key to the desktop as id_rsa.ppk.
4. Copy the text under Public key for pasting into OpenSSH authorized_keys file:

Importing the Key to ACOS Device


After the keys are generated and saved, perform the following steps to import the private key to ACOS
device:

1. Log in to the ACOS device as a root user having global read-write privileges.
2. Access the configuration level for the administrator account.
3. Import the private key using the following command:
import key <key name> overwrite use-mgmt-port scp://user:<username>@<ip address>/<key path>


NOTE: You can import public/private keys in separate files or grouped in one file.

SSHi Deployment Overview


In the sample deployment as shown in Figure 22, the client device is connected to the SSHi solution,
which is then connected to the external gateway. The SSHi solution consists of two ACOS devices and
a single security device. The ACOS device connected to the client has a partition called ACOS_decrypt.
The ACOS device connected to the external gateway has a partition called ACOS_encrypt. The following
steps provide an overview of the SSHi process:

1. The client sets up an SSH connection with ACOS_decrypt and sends an encrypted request.
2. ACOS_decrypt selects a traffic inspection device, decrypts the request, and sends the request over
a TCP connection to the traffic inspection device.
3. The traffic inspection device inspects the request data.
4. ACOS_encrypt encrypts the request and sends it to the outside server.
5. The server sends the encrypted reply.
6. ACOS_encrypt decrypts the reply and sends it back to the same traffic inspection device.
7. If the reply traffic is allowed by the traffic inspection device, the reply is forwarded to
ACOS_decrypt.
8. ACOS_decrypt encrypts the reply and sends it to the client.

Figure 22 shows the SSH Insight (SSHi) process when applied to SFTP sessions.

FIGURE 22 SSHi Overview


SSHi Deployment Example


In this example, the SSHi solution consists of two ACOS devices, each with a partition with the
inspection device in between. The Decrypt_VIP SLB virtual server provides SSH Forward Proxy service
that enables ACOS_decrypt to proxy for remote SSH servers and bring up SSH sessions with the
clients. SSH traffic from the clients is decrypted and forwarded to the FW1_Inspect SLB real server. The
FW1_Inspect SLB real server forwards decrypted SSH traffic and all other traffic to the Traffic
Inspection device. In this example, the Traffic Inspection device is operating in layer-2 mode. The
Encrypt_VIP wildcard VIP provides server-SSH services for decrypted traffic that enable the
ACOS_encrypt to establish SSH connections with remote SSH servers through the Default_Gateway
SLB real server, completing end-to-end SSH connectivity. The Default_Gateway SLB real server
forwards all traffic to the Internet default gateway.

Alternatively, instead of using two ACOS devices, you can use one device with two separate partitions, one for ACOS_decrypt and the other for ACOS_encrypt. In this case, to avoid duplicate MAC addresses, add the global command system ve-mac-scheme system-mac in the shared partition. See Configuring Application Delivery Partitions for further information. The key components of the example SSHi deployment are illustrated in Figure 23:


FIGURE 23 Example SSHi Static Port Network Topology


The following table provides the VLAN IDs, Virtual Ethernet (VE) Addresses, and interface
configurations for the SSHi network topology illustrated in Figure 23.

TABLE 6 Details of the SSHi Deployment

Partition      Tagged VLAN   VE IP Address    Ethernet Port Number
ACOS_decrypt   10            10.10.1.2 /24    eth 1
ACOS_decrypt   15            10.15.1.2 /24    eth 2
ACOS_encrypt   20            20.1.1.2 /24     eth 2
ACOS_encrypt   15            10.15.1.12 /24   eth 1

SSHi Configuration for a Two-Device Deployment, Each With a Single Partition

To configure SSHi for a deployment with two ACOS devices, each with a single partition, you must first
configure the two partitions, ACOS_decrypt and ACOS_encrypt.

Also, for a list of prerequisites, see “Prerequisites for Configuring SSLi” on page 37.

Configuration for ACOS_decrypt (CLI)

Perform the following steps for the ACOS_decrypt partition:

Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt)
Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt)
Step 3. Configuring the SSHi Services (CLI for ACOS_decrypt)
Step 4. Configuring the SSHi Service Groups (CLI for ACOS_decrypt)
Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt)

Step 1. Configuring the Network VLANs (CLI for ACOS_decrypt)

For an explanation of the procedure, refer to a similar procedure discussed in “Step 1. Configuring the
Network VLANs (CLI for ACOS_decrypt)” on page 40.

ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit
!
ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# exit
!

ACOS(config)# hostname ACOS_decrypt
ACOS_decrypt(config)# vlan 10
ACOS_decrypt(config-vlan:10)# tagged ethernet 1
ACOS_decrypt(config-vlan:10)# router-interface ve 10
ACOS_decrypt(config-vlan:10)# exit

ACOS_decrypt(config)# vlan 15
ACOS_decrypt(config-vlan:15)# tagged ethernet 2
ACOS_decrypt(config-vlan:15)# router-interface ve 15
ACOS_decrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses (CLI for ACOS_decrypt)

For an explanation of the procedure, refer to a similar procedure discussed in “Step 2. Configuring the
Network IP Addresses (CLI for ACOS_decrypt)” on page 41.

ACOS_decrypt(config)# interface ve 10
ACOS_decrypt(config-if:ve10)# ip address 10.10.1.2 /24
ACOS_decrypt(config-if:ve10)# ip allow-promiscuous-vip
ACOS_decrypt(config-if:ve10)# exit

ACOS_decrypt(config)# interface ve 15
ACOS_decrypt(config-if:ve15)# ip address 10.15.1.2 /24
ACOS_decrypt(config-if:ve15)# exit

Step 3. Configuring the SSHi Services (CLI for ACOS_decrypt)

1. Configure an SSHi client template by running the following commands.
ACOS_decrypt(config)# slb template client-ssh SSHInsight_DecryptSide
ACOS_decrypt(config-client ssh)# forward-proxy-hostkey RSA_key_1234
ACOS_decrypt(config-client ssh)# forward-proxy-enable
ACOS_decrypt(config-client ssh)# exit

2. Configure a real server called FW1_Inspect with the IP address 10.15.1.12. This is the VE 15
address of ACOS_encrypt (see Table 6), so the real server connects ACOS_decrypt to ACOS_encrypt
over VLAN 15. Bind the FW1_Inspect interface to TCP port 2323 so that ACOS_decrypt forwards
decrypted SSH over VLAN 15 to the security device. All other UDP and TCP traffic is forwarded on
VLAN 15 by using the wildcard ports port 0 tcp and port 0 udp.
ACOS_decrypt(config)# slb server FW1_Inspect 10.15.1.12
ACOS_decrypt(config-real server)# port 2323 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

ACOS_decrypt(config-real server)# port 0 tcp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

ACOS_decrypt(config-real server)# port 0 udp
ACOS_decrypt(config-real server-node port)# health-check-disable
ACOS_decrypt(config-real server-node port)# exit

Step 4. Configuring the SSHi Service Groups (CLI for ACOS_decrypt)

For an explanation of the procedure, refer to a similar procedure discussed in “Step 4. Configuring the
SSLi Service Groups (CLI for ACOS_decrypt)” on page 42.

ACOS_decrypt(config)# slb service-group FW1_Inspect_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 2323
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_TCP_SG tcp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

ACOS_decrypt(config)# slb service-group ALL_UDP_SG udp
ACOS_decrypt(config-slb svc group)# member FW1_Inspect 0
ACOS_decrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server (CLI for ACOS_decrypt)

For an explanation of the procedure, refer to a similar procedure discussed in “Step 5. Configuring the
Virtual Server (CLI for ACOS_decrypt)” on page 42.

ACOS_decrypt(config)# access-list 100 permit ip any any vlan 10

ACOS_decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 22 ssh
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssh SSHInsight_DecryptSide
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 tcp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_TCP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 udp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 others
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# exit

Configuration for ACOS_encrypt (CLI)

Perform the following steps for the ACOS_encrypt partition:

Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt)
Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt)
Step 3. Configuring the SSHi Services (CLI for ACOS_encrypt)
Step 4. Configuring the SSHi Service Groups (CLI for ACOS_encrypt)
Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt)

Step 1. Configuring the Network VLANs (CLI for ACOS_encrypt)

ACOS(config)# hostname ACOS_encrypt
ACOS_encrypt(config)# vlan 20
ACOS_encrypt(config-vlan:20)# tagged ethernet 2
ACOS_encrypt(config-vlan:20)# router-interface ve 20
ACOS_encrypt(config-vlan:20)# exit

ACOS_encrypt(config)# vlan 15
ACOS_encrypt(config-vlan:15)# tagged ethernet 1
ACOS_encrypt(config-vlan:15)# router-interface ve 15
ACOS_encrypt(config-vlan:15)# exit

Step 2. Configuring the Network IP Addresses (CLI for ACOS_encrypt)

ACOS_encrypt(config)# interface ve 20
ACOS_encrypt(config-if:ve20)# ip address 20.1.1.2 /24
ACOS_encrypt(config-if:ve20)# exit

ACOS_encrypt(config)# interface ve 15
ACOS_encrypt(config-if:ve15)# ip address 10.15.1.12 /24
ACOS_encrypt(config-if:ve15)# ip allow-promiscuous-vip
ACOS_encrypt(config-if:ve15)# exit

Step 3. Configuring the SSHi Services (CLI for ACOS_encrypt)

1. Create an SSH server template on ACOS_encrypt so that the VIP on ACOS_encrypt can operate as
an SSH client and handshake with the EnterpriseABC server.
ACOS_encrypt(config)# slb template server-ssh SSHInsight_DecryptSide
ACOS_encrypt(config-server ssh)# forward-proxy-enable
ACOS_encrypt(config-server ssh)# exit

2. Create the real server Default_Gateway. Bind the SLB port of the intercepted SSH protocol (port
22) to Default_Gateway. ACOS_encrypt forwards the traffic on this port over VLAN 20 to the
default gateway at IP address 20.1.1.10. The default gateway has a route to the EnterpriseABC
server.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 22 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

3. All other UDP and TCP traffic is forwarded on VLAN 20 to the default gateway using the wildcard
ports port 0 tcp and port 0 udp.
ACOS_encrypt(config)# slb server Default_Gateway 20.1.1.10
ACOS_encrypt(config-real server)# port 0 tcp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

ACOS_encrypt(config-real server)# port 0 udp
ACOS_encrypt(config-real server-node port)# health-check-disable
ACOS_encrypt(config-real server-node port)# exit

4. Create an SSH template for the SSH service protocol to be intercepted.
ACOS_encrypt(config)# slb template server-ssh SSHInsight_EncryptSide
ACOS_encrypt(config-server ssh)# forward-proxy-enable
ACOS_encrypt(config-server ssh)# exit

Step 4. Configuring the SSHi Service Groups (CLI for ACOS_encrypt)

1. Provide a path for intercepted SSH traffic by creating a service group called DG_SSH_SG and binding
it to port 22 of the SLB real server.
ACOS_encrypt(config)# slb service-group DG_SSH_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 22
ACOS_encrypt(config-slb svc group)# exit

2. Provide a path to the default gateway for all other traffic by creating two service groups called
DG_TCP_SG and DG_UDP_SG.
ACOS_encrypt(config)# slb service-group DG_TCP_SG tcp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

ACOS_encrypt(config)# slb service-group DG_UDP_SG udp
ACOS_encrypt(config-slb svc group)# member Default_Gateway 0
ACOS_encrypt(config-slb svc group)# exit

Step 5. Configuring the Virtual Server (CLI for ACOS_encrypt)

For an explanation of the procedure, refer to a similar procedure discussed in “Step 5. Configuring the
Virtual Server (CLI for ACOS_encrypt)” on page 46.

ACOS_encrypt(config)# access-list 101 permit ip any any vlan 15

ACOS_encrypt(config)# slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
ACOS_encrypt(config-slb vserver)# port 2323 tcp-proxy
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_encrypt(config-slb vserver-vport)# service-group DG_SSH_SG
ACOS_encrypt(config-slb vserver-vport)# template server-ssh SSHInsight_DecryptSide
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 tcp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_TCP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 udp
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit

ACOS_encrypt(config-slb vserver)# port 0 others
ACOS_encrypt(config-slb vserver-vport)# no-dest-nat
ACOS_encrypt(config-slb vserver-vport)# service-group DG_UDP_SG
ACOS_encrypt(config-slb vserver-vport)# exit
ACOS_encrypt(config-slb vserver)# exit

Consolidated Configuration for Static Port Type SSH

Show Running Config ACOS_decrypt
!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
interface ethernet 1
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
slb server FW1_Inspect 10.15.1.12
port 2323 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 2323
!
slb template client-ssh SSHInsight_DecryptSide

forward-proxy-hostkey RSA_key_1234
forward-proxy-enable
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 22 ssh
service-group FW1_Inspect_SG
template client-ssh SSHInsight_DecryptSide
no-dest-nat port-translation
port 0 tcp
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat
!
end

Show Running Config ACOS_encrypt
!
access-list 101 permit ip any any vlan 15
!
vlan 20
tagged ethernet 1
router-interface ve 20
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
interface ethernet 1
enable
!
interface ve 20
ip address 20.1.1.2 255.255.255.0
!
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
!
slb server Default_Gateway 20.1.1.10

port 22 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group DG_SSH_SG tcp
member Default_Gateway 22
!
slb service-group DG_TCP_SG tcp
member Default_Gateway 0
!
slb service-group DG_UDP_SG udp
member Default_Gateway 0
!
slb template server-ssh SSHInsight_EncryptSide
forward-proxy-enable
!
slb virtual-server Encrypt_VIP 0.0.0.0 acl 101
port 2323 tcp-proxy
no-dest-nat port-translation
service-group DG_SSH_SG
template server-ssh SSHInsight_EncryptSide
port 0 tcp
no-dest-nat
service-group DG_TCP_SG
port 0 udp
no-dest-nat
service-group DG_UDP_SG
port 0 others
no-dest-nat
service-group DG_UDP_SG
!
end
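
Both consolidated listings above can be checked mechanically before they go onto a device: every
virtual port must reference a service group that exists and has the right L4 protocol (the others port
is bound to a UDP group), every group member must name a port the real server defines, a decrypt port
(22 ssh here, 443 https in the IPv6 chapter) must carry its client template, and a fixed virtual port that
forwards to a different fixed port (22 to 2323 on ACOS_decrypt, 2323 to 22 on ACOS_encrypt) needs
no-dest-nat port-translation. The following Python checker is an added example, not A10 Networks code;
it is keyed on the slb keywords rather than on indentation, so it also accepts the indentation-free
listings printed in this guide, and its sample input is a constructed copy of the ACOS_decrypt slb
section above.

```python
from dataclasses import dataclass, field

L4_OF = {"tcp": "tcp", "tcp-proxy": "tcp", "ssh": "tcp", "http": "tcp",
         "https": "tcp", "udp": "udp", "others": "udp"}  # L4 behind each vport type
DECRYPT_NEEDS = {"ssh": "client-ssh", "https": "client-ssl"}  # template a decrypt vport needs

@dataclass
class VPort:
    number: int
    kind: str                                       # ssh, https, tcp, udp, others, tcp-proxy, ...
    service_group: str = ""
    templates: dict = field(default_factory=dict)   # template kind -> template name
    port_translation: bool = False

@dataclass
class Config:
    servers: dict = field(default_factory=dict)     # server -> {(port, l4)}
    groups: dict = field(default_factory=dict)      # group -> (l4, [(server, port)])
    templates: set = field(default_factory=set)     # {(kind, name)}
    vservers: dict = field(default_factory=dict)    # vserver -> [VPort]

def parse_acos(text: str) -> Config:
    """Keyword-driven, so it also parses a dump whose indentation has been lost."""
    cfg, ctx, vport = Config(), None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "slb":                          # a new top-level slb object
            ctx, vport = None, None
            if tok[1] == "server":
                cfg.servers.setdefault(tok[2], set()); ctx = ("server", tok[2])
            elif tok[1] == "service-group":
                cfg.groups.setdefault(tok[2], (tok[3], [])); ctx = ("group", tok[2])
            elif tok[1] == "template":
                cfg.templates.add((tok[2], tok[3]))
            elif tok[1] == "virtual-server":
                cfg.vservers.setdefault(tok[2], []); ctx = ("vserver", tok[2])
        elif ctx and tok[0] == "port" and ctx[0] == "server":
            cfg.servers[ctx[1]].add((int(tok[1]), tok[2]))
        elif ctx and tok[0] == "port" and ctx[0] == "vserver":
            vport = VPort(int(tok[1]), tok[2]); cfg.vservers[ctx[1]].append(vport)
        elif ctx and tok[0] == "member" and ctx[0] == "group":
            cfg.groups[ctx[1]][1].append((tok[1], int(tok[2])))
        elif vport is not None and tok[0] == "service-group":
            vport.service_group = tok[1]
        elif vport is not None and tok[0] == "template":
            vport.templates[tok[1]] = tok[2]
        elif vport is not None and tok[0] == "no-dest-nat":
            vport.port_translation = "port-translation" in tok
    return cfg

def check(cfg: Config) -> list:
    """Return findings; an empty list means the slb wiring is internally consistent."""
    out = []
    for gname, (l4, members) in cfg.groups.items():
        for srv, port in members:
            if (port, l4) not in cfg.servers.get(srv, set()):
                out.append(f"{gname}: member {srv} {port} has no {l4} port {port}")
    for vs, vports in cfg.vservers.items():
        for vp in vports:
            where = f"{vs} port {vp.number} {vp.kind}"
            need = DECRYPT_NEEDS.get(vp.kind)
            if need and need not in vp.templates:
                out.append(f"{where}: no {need} template bound, nothing is decrypted")
            for kind, name in vp.templates.items():
                if (kind, name) not in cfg.templates:
                    out.append(f"{where}: template {kind} {name} is not defined")
            grp = cfg.groups.get(vp.service_group)
            if grp is None:
                out.append(f"{where}: service-group {vp.service_group or '(none)'} is not defined")
                continue
            l4, members = grp
            if L4_OF.get(vp.kind) != l4:
                out.append(f"{where}: bound to a {l4} service-group")
            for srv, port in members:   # fixed vport -> different fixed port needs translation
                if vp.number and port and port != vp.number and not vp.port_translation:
                    out.append(f"{where}: forwards to {srv}:{port} without port-translation")
    return out

# Constructed sample: the slb section of the ACOS_decrypt listing above, health checks omitted.
DECRYPT_CFG = """
slb server FW1_Inspect 10.15.1.12
 port 2323 tcp
 port 0 tcp
slb service-group ALL_TCP_SG tcp
 member FW1_Inspect 0
slb service-group FW1_Inspect_SG tcp
 member FW1_Inspect 2323
slb template client-ssh SSHInsight_DecryptSide
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
 port 22 ssh
  service-group FW1_Inspect_SG
  template client-ssh SSHInsight_DecryptSide
  no-dest-nat port-translation
 port 0 tcp
  service-group ALL_TCP_SG
  no-dest-nat
"""
```

Feed the output of show running-config for each partition to check(parse_acos(text)); a clean listing returns an empty list.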

Related Information
For detailed information on RSA security, see the Application Access Management guide.

SSL Insight with IPv6 for Single ACOS Device with Two Partitions

ACOS supports SSLi IPv6 deployment in a single ACOS device with two partitions. Two partitions are
required for SSLi in this deployment, one to decrypt SSL traffic and the second to encrypt SSL traffic.

Although A10 Networks supports a number of different types of SSLi deployments, with each
deployment supporting different SSLi features, the overall steps for configuring SSLi for each
deployment are the same.

This chapter uses both the ACOS CLI and GUI to configure SSLi for IPv6.

NOTE: If you are new to SSLi, it is recommended that you first understand the
IPv4 static port deployment for both GUI and CLI discussed in “Outbound
SSLi with Static Port Type HTTPS—Two ACOS Devices Each With a
Single Partition” on page 38.

Prerequisites for Configuring Single Device SSLi for IPv6

To deploy the SSLi solution on a single ACOS device with two partitions for IPv6 addressing, the
following are the prerequisites:

• A10 Networks Advanced Core Operating System (ACOS®) 4.1.4-P3 or higher.

• Supported A10 Thunder or vThunder device(s). For more information on the supported ACOS
devices for deploying SSLi, refer to the SSLi Technical Specifications document at
https://www.a10networks.com/products/ssl-inspection.

• Security appliance or ICAP-based (RFC3507) antivirus or DLP solution.

• A self-signed certificate or a certification authority (CA) certificate with a known private key.

NOTE: If not already provisioned, push an internal PKI CA root certificate to all
the client machines.

• The ACOS device supports both CLI and GUI for configuration. Change the default management
port IP address for GUI or CLI access.

• Two partitions are required for SSLi for IPv6 addressing, one to decrypt SSL traffic and the
second to encrypt SSL traffic. Make sure that you are on the correct partition when creating
configurations.

• In a single device solution, use the command system ve-mac-scheme system-mac to avoid MAC
address duplication.

SSLi for IPv6 Deployment Overview

In the sample deployment shown in Figure 24, the client device is connected to the SSLi solution,
which is then connected to the external gateway. The SSLi solution consists of a single ACOS device
and a single security device. The ACOS device is connected to the client through a partition called
SSLi_inside and to the external gateway through a partition called SSLi_outside.

NOTE: Static route configurations are not added to the route table on L3V
partitions. This is a limitation for IPv6 because IPv6 addressing is not
virtualized in the kernel.

FIGURE 24 Sample Topology for SSLi for IPV6 Deployment

The following steps provide an overview of the SSLi process:

1. The client sets up an SSLi connection with SSLi_inside and sends an encrypted request.
2. SSLi_inside selects a traffic inspection device, decrypts the request, and sends the request over a
TCP connection to the traffic inspection device.

3. The traffic inspection device inspects the request data.
4. SSLi_outside encrypts the request and sends it to the outside server.
5. The server sends the encrypted reply.
6. SSLi_outside decrypts the reply and sends it back to the same traffic inspection device.
7. If the reply traffic is allowed by the traffic inspection device, the reply is forwarded to SSLi_inside.
8. SSLi_inside encrypts the reply and sends it to the client.

SSLi IPv6 Configuration for a Single ACOS Device with Two Partitions

Perform the following steps:

1. Follow the prerequisites discussed in “Prerequisites for Configuring Single Device SSLi for IPv6” on
page 171.
2. To avoid a duplicate MAC address because of the shared VLAN, add the global command
system ve-mac-scheme system-mac in the shared partition:
ACOS(config)# system ve-mac-scheme system-mac

3. Create the SSLi_inside and SSLi_outside partitions by running the following commands:
ACOS(config)# partition SSLi_outside id 1 application-type adc
ACOS(config-partition: SSLi_outside)# exit
ACOS(config)# active-partition SSLi_outside
ACOS[SSLi_outside](config)# active-partition shared
ACOS(config)# partition SSLi_inside id 2 application-type adc
ACOS(config-partition: SSLi_inside)# exit

4. Specify the DNS addressing by running the following command:
ACOS(config)# ip dns primary 10.5.3.1

5. Specify the management address and external gateway by running the following commands:
ACOS(config)# interface management
ACOS(config-if:management)# ip address 10.6.23.65 255.255.255.0
ACOS(config-if:management)# ip default-gateway 10.6.22.1
ACOS(config-if:management)# exit

Configuration for SSLi_inside (CLI)

Perform the following steps for the SSLi_inside partition:

Step 1. Configuring the Network VLANs (CLI for SSLi_inside)
Step 2. Configuring the Network IP Addresses (CLI for SSLi_inside)
Step 3. Configuring the SSLi Services (CLI for SSLi_inside)
Step 4. Configuring the SSLi Service Groups (CLI for SSLi_inside)
Step 5. Configuring the Virtual Server (CLI for SSLi_inside)

Step 1. Configuring the Network VLANs (CLI for SSLi_inside)

1. Configure the default VLAN. Bind ethernet ports 1 and 2 to the VLAN. Also, bind a virtual interface
(ve) to the VLAN. In this example, a default VLAN of 850 is configured.
SSLi_inside(config)# vlan 850
SSLi_inside(config-vlan:850)# untagged ethernet 1 to 2
SSLi_inside(config-vlan:850)# router-interface ve 850
SSLi_inside(config-vlan:850)# exit-module

2. Enable the ethernet interfaces 1 and 2 that are associated with the VLAN:
SSLi_inside(config)# interface ethernet 1
SSLi_inside(config-if:ethernet:1)# enable
SSLi_inside(config-if:ethernet:1)# cpu-process
SSLi_inside(config-if:ethernet:1)# exit-module

SSLi_inside(config)# interface ethernet 2
SSLi_inside(config-if:ethernet:2)# enable
SSLi_inside(config-if:ethernet:2)# cpu-process
SSLi_inside(config-if:ethernet:2)# exit-module

3. Verify the operational state of the interfaces by running the show interfaces brief command.
SSLi_inside(config)# show interfaces brief

Step 2. Configuring the Network IP Addresses (CLI for SSLi_inside)

Associate the IPv6 address with interface ve 850. Also, specify the IPv6 default route.

SSLi_inside(config)# interface ve 850
SSLi_inside(config-if:ve850)# ip allow-promiscuous-vip
SSLi_inside(config-if:ve850)# ipv6 address 2001:558:3dc:1::9/127
SSLi_inside(config-if:ve850)# exit-module
SSLi_inside(config)# ipv6 route ::/0 2001:558:3dc:1::8

Step 3. Configuring the SSLi Services (CLI for SSLi_inside)

1. Create a client SSL template cl_ssl_ipv6 with forward proxy enabled. This configuration enables
SSLi_inside to proxy for the remote SSL servers and bring up SSL sessions with the clients. Also,
configure the correct service group for non-SSLi traffic.
SSLi_inside(config)# slb template client-ssl cl_ssl_ipv6
SSLi_inside(config-client ssl)# forward-proxy-ca-cert WebProxyCA
SSLi_inside(config-client ssl)# forward-proxy-ca-key WebProxyCA
SSLi_inside(config-client ssl)# forward-proxy-enable
SSLi_inside(config-client ssl)# exit-module

2. Configure a real server called fw1_ipv6 with the IP address 2001:558:3dc:1::8. Bind the fw1_ipv6
interface to TCP port 8080 so that SSLi_inside forwards decrypted traffic over VLAN 850 to the
security device. All other UDP and TCP traffic is forwarded by using the wildcard ports port 0 tcp
and port 0 udp.
SSLi_inside(config)# slb server fw1_ipv6 2001:558:3dc:1::8
SSLi_inside(config-real server)# port 8080 tcp
SSLi_inside(config-real server-node port)# health-check-disable
SSLi_inside(config-real server-node port)# exit

SSLi_inside(config-real server)# port 0 tcp
SSLi_inside(config-real server-node port)# health-check-disable
SSLi_inside(config-real server-node port)# exit

SSLi_inside(config-real server)# port 0 udp
SSLi_inside(config-real server-node port)# health-check-disable
SSLi_inside(config-real server-node port)# exit

Step 4. Configuring the SSLi Service Groups (CLI for SSLi_inside)

Configuring the SSLi service groups enables you to manage how the different types of traffic coming
from the clients are handled by SSLi_inside.

1. Create a service group named sg_ssli_ipv6_intercept for decrypted SSL traffic.
SSLi_inside(config)# slb service-group sg_ssli_ipv6_intercept tcp
SSLi_inside(config-slb svc group)# member fw1_ipv6 8080
SSLi_inside(config-slb svc group)# exit-module

2. For the non-HTTPS traffic that is to be bypassed, configure three other service groups called
sg_ssli_ipv6_tcp, sg_ssli_ipv6_others, and sg_ssli_ipv6_udp.
SSLi_inside(config)# slb service-group sg_ssli_ipv6_tcp tcp
SSLi_inside(config-slb svc group)# member fw1_ipv6 0
SSLi_inside(config-slb svc group)# exit-module

SSLi_inside(config)# slb service-group sg_ssli_ipv6_others udp
SSLi_inside(config-slb svc group)# member fw1_ipv6 0
SSLi_inside(config-slb svc group)# exit-module

SSLi_inside(config)# slb service-group sg_ssli_ipv6_udp udp
SSLi_inside(config-slb svc group)# member fw1_ipv6 0
SSLi_inside(config-slb svc group)# exit-module

Step 5. Configuring the Virtual Server (CLI for SSLi_inside)

1. Configure the access list to permit all IPv6 traffic on VLAN 850 on ethernet 1. You must bind this
ACL to the virtual server that you are going to create in the next step.
SSLi_inside(config)# ipv6 access-list ipv6-decrypt
SSLi_inside(config-access-list:ipv6-decrypt)# permit ipv6 any any vlan 850 ethernet 1
SSLi_inside(config-access-list:ipv6-decrypt)# exit-module

2. Create a virtual server called ssli_ipv6_decryption and associate it with the wildcard outbound VIP
to intercept traffic from clients. The following virtual ports are configured on this VIP:
• 443 (HTTPS)—Intercepts SSL-encrypted traffic from the clients. Port 443 on the wildcard
outbound VIP is bound to a service group called sg_ssli_ipv6_intercept that contains the
path through the security device to the SSLi_outside device. Consider the following
information:
  • The destination NAT is disabled, and SSLi_inside does not change the source or
  destination IP addresses of the traffic.
  • Port translation is enabled and required because the ACOS device must change the
  destination protocol port from 443 to the port number on which the security device listens
  for traffic.
  • The client-SSL template cl_ssl_ipv6 is bound to the virtual port 443 HTTPS.
• 0 (TCP), 0 (UDP), and 0 (Others)—Intercepts the client traffic that is not HTTPS in the following
ways:
  • The TCP port intercepts all other TCP traffic from clients. The TCP wildcard port is bound
  to a TCP service group called sg_ssli_ipv6_tcp that contains the path through the security
  device to the SSLi_outside device.
  • The UDP port intercepts all other UDP traffic from clients. The UDP wildcard port is bound to
  a UDP service group called sg_ssli_ipv6_udp that contains the path through the security
  device to the SSLi_outside device.
  • The Others port intercepts the client traffic types that are not listed, that is, IP traffic not
  covered by the TCP and UDP all-ports sections. The Others wildcard port is bound to a UDP
  service group called sg_ssli_ipv6_others that contains the path through the security device
  to the SSLi_outside device.
  • The destination NAT and port translation are disabled for these ports.

NOTE: If you replace a certificate and key in a client-SSL or server-SSL template,
you must unbind the template from the virtual ports that use it and then
rebind the template to the virtual ports.

SSLi_inside(config)# slb virtual-server ssli_ipv6_decryption :: ipv6-acl ipv6-decrypt
SSLi_inside(config-slb vserver)# port 0 tcp
SSLi_inside(config-slb vserver-vport)# service-group sg_ssli_ipv6_tcp
SSLi_inside(config-slb vserver-vport)# no-dest-nat
SSLi_inside(config-slb vserver-vport)# exit

SSLi_inside(config-slb vserver)# port 0 udp
SSLi_inside(config-slb vserver-vport)# service-group sg_ssli_ipv6_udp
SSLi_inside(config-slb vserver-vport)# no-dest-nat
SSLi_inside(config-slb vserver-vport)# exit

SSLi_inside(config-slb vserver)# port 0 others
SSLi_inside(config-slb vserver-vport)# service-group sg_ssli_ipv6_others
SSLi_inside(config-slb vserver-vport)# no-dest-nat
SSLi_inside(config-slb vserver-vport)# exit

SSLi_inside(config-slb vserver)# port 443 https
SSLi_inside(config-slb vserver-vport)# service-group sg_ssli_ipv6_intercept
SSLi_inside(config-slb vserver-vport)# template client-ssl cl_ssl_ipv6
SSLi_inside(config-slb vserver-vport)# no-dest-nat port-translation
SSLi_inside(config-slb vserver-vport)# exit-module

Configuration for SSLi_outside (CLI)

Perform the following steps for the SSLi_outside partition:

Step 1. Configuring the Network VLANs (CLI for SSLi_outside)
Step 2. Configuring the Network IP Addresses (CLI for SSLi_outside)
Step 3. Configuring the SSLi Services (CLI for SSLi_outside)
Step 4. Configuring the SSLi Service Groups (CLI for SSLi_outside)
Step 5. Configuring the Virtual Server (CLI for SSLi_outside)

Step 1. Configuring the Network VLANs (CLI for SSLi_outside)

SSLi_outside(config)# vlan 860
SSLi_outside(config-vlan:860)# untagged ethernet 3 to 4
SSLi_outside(config-vlan:860)# router-interface ve 860
SSLi_outside(config-vlan:860)# exit-module

SSLi_outside(config)# interface ethernet 3
SSLi_outside(config-if:ethernet:3)# enable
SSLi_outside(config-if:ethernet:3)# cpu-process
SSLi_outside(config-if:ethernet:3)# exit-module

SSLi_outside(config)# interface ethernet 4
SSLi_outside(config-if:ethernet:4)# enable
SSLi_outside(config-if:ethernet:4)# cpu-process
SSLi_outside(config-if:ethernet:4)# exit-module

Verify the operational state of the interfaces by running the show interfaces brief command.

SSLi_outside(config)# show interfaces brief

Step 2. Configuring the Network IP Addresses (CLI for SSLi_outside)

SSLi_outside(config)# interface ve 860
SSLi_outside(config-if:ve860)# ip allow-promiscuous-vip
SSLi_outside(config-if:ve860)# ipv6 address 2001:558:3dc:1::5/125
SSLi_outside(config-if:ve860)# exit-module
SSLi_outside(config)# ipv6 route ::/0 2001:558:3dc:1::2
SSLi_outside(config)# exit-module

Step 3. Configuring the SSLi Services (CLI for SSLi_outside)

Create a real server called fw2_ipv6 on SSLi_outside and configure its ports.

SSLi_outside(config)# slb server fw2_ipv6 2001:558:3dc:1::2
SSLi_outside(config-real server)# health-check-disable
SSLi_outside(config-real server)# port 0 tcp
SSLi_outside(config-real server-node port)# health-check-disable
SSLi_outside(config-real server-node port)# exit

SSLi_outside(config-real server)# port 0 udp
SSLi_outside(config-real server-node port)# health-check-disable
SSLi_outside(config-real server-node port)# exit

SSLi_outside(config-real server)# port 443 tcp
SSLi_outside(config-real server-node port)# health-check-disable
SSLi_outside(config-real server-node port)# exit-module

Step 4. Configuring the SSLi Service Groups (CLI for SSLi_outside)

1. Create a service group called sg_ssli_ipv6_443 and provide a path for the intercepted HTTPS
traffic by binding the service group to port 443 of the real server fw2_ipv6.
SSLi_outside(config)# slb service-group sg_ssli_ipv6_443 tcp
SSLi_outside(config-slb svc group)# member fw2_ipv6 443
SSLi_outside(config-slb svc group)# exit-module

2. Create the other service groups to handle the other kinds of traffic.
SSLi_outside(config)# slb service-group sg_ssli_ipv6_tcp tcp
SSLi_outside(config-slb svc group)# member fw2_ipv6 0
SSLi_outside(config-slb svc group)# exit-module

SSLi_outside(config)# slb service-group sg_ssli_ipv6_others udp
SSLi_outside(config-slb svc group)# member fw2_ipv6 0
SSLi_outside(config-slb svc group)# exit-module

SSLi_outside(config)# slb service-group sg_ssli_ipv6_udp udp
SSLi_outside(config-slb svc group)# member fw2_ipv6 0
SSLi_outside(config-slb svc group)# exit-module

Step 5. Configuring the Virtual Server (CLI for SSLi_outside)


1. Create the access lists.
SSLi_outside(config)#ipv6 access-list ipv6-permit
SSLi_outside(config-access-list:ipv6-permit)#permit ipv6 any any vlan 860 ethernet 3
SSLi_outside(config-access-list:ipv6-permit)# exit-module

2. Create the virtual server for IPv6 traffic. Associate the virtual server ssli_ipv6_encrypt with the
ipv6-permit ACL thst permists all traffic on VLAN 860 on ethernet 3.
SSLi_outside(config)# slb virtual-server ssli_ipv6_encrypt :: ipv6-acl ipv6-permit
SSLi_outside(config-slb vserver)# port 0 tcp
SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_tcp
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat
SSLi_outside(config-slb vserver-vport)# exit

SSLi_outside(config-slb vserver)# port 0 udp
SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_udp
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat
SSLi_outside(config-slb vserver-vport)# exit

SSLi_outside(config-slb vserver)# port 0 others
SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_others
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat
SSLi_outside(config-slb vserver-vport)# exit

SSLi_outside(config-slb vserver)# port 443 tcp
SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_443
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat
SSLi_outside(config-slb vserver-vport)# exit

SSLi_outside(config-slb vserver)# port 8080 http
SSLi_outside(config-slb vserver-vport)# service-group sg_ssli_ipv6_encrypt
SSLi_outside(config-slb vserver-vport)# use-rcv-hop-for-resp
SSLi_outside(config-slb vserver-vport)# no-dest-nat port-translation
SSLi_outside(config-slb vserver-vport)# exit-module


Consolidated Configuration for IPv6 SSLi


Here is the configuration in the common partition.

!
system ve-mac-scheme system-mac
!
terminal idle-timeout 0
!
ip dns primary 10.5.3.1
!
partition ssli_outside id 1
exit-module
!
partition ssli_inside id 2
exit-module
!
interface management
ip address 10.6.23.65 255.255.255.0
ip default-gateway 10.6.22.1
exit-module
!
interface ethernet 1
exit-module
!
interface ethernet 2
exit-module
!
interface ethernet 3
exit-module
!
interface ethernet 4
exit-module
!

Consolidated Configuration for SSLi_Inside


active-partition ssli_in
!
vlan 850
untagged ethernet 1 to 2
router-interface ve 850
name ssli_in_ingress_egress
user-tag Security,ssli_in_ingress_egress
exit-module
!

ipv6 access-list ipv6-decrypt
permit ipv6 any any vlan 850 ethernet 1
exit-module
!
interface ethernet 1
name ssli_in_ingress
enable
cpu-process
user-tag Security,ssli_in_ingress
exit-module
!
interface ethernet 2
name ssli_in_egress
enable
cpu-process
user-tag Security,ssli_in_egress
exit-module
!
interface ve 850
name ssli_in_ingress_egress
user-tag Security,ssli_in_ingress_egress
ip address 10.177.253.13 255.255.255.240
ip allow-promiscuous-vip
ipv6 address 2001:558:3dc:1::9/127
exit-module
!
!
ipv6 route ::/0 2001:558:3dc:1::8
!
!
slb server fw1_ipv6 2001:558:3dc:1::8
port 0 tcp
health-check-disable
exit-module
port 0 udp
health-check-disable
exit-module
port 8080 tcp
health-check-disable
exit-module
exit-module
!
!
slb service-group sg_ssli_ipv6_intercept tcp
member fw1_ipv6 8080
exit-module
exit-module


!
slb service-group sg_ssli_ipv6_others udp
member fw1_ipv6 0
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_tcp tcp
member fw1_ipv6 0
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_udp udp
member fw1_ipv6 0
exit-module
exit-module
!
!
slb template client-ssl cl_ssl_ipv6
forward-proxy-ca-cert WebProxyCA
forward-proxy-ca-key WebProxyCA
forward-proxy-enable
non-ssl-bypass service-group sg_ssli_ipv6_tcp
exit-module
!
!
slb virtual-server ssli_ipv6_decrypion :: ipv6-acl ipv6-decrypt
user-tag Security,ipv6
port 0 tcp
service-group sg_ssli_ipv6_tcp
no-dest-nat
user-tag Security,ipv6_port_0tcp
exit-module
port 0 udp
service-group sg_ssli_ipv6_udp
user-tag Security,ipv6_port_0udp
exit-module
port 0 others
service-group sg_ssli_ipv6_others
no-dest-nat
user-tag Security,ipv6_port_0others
exit-module
port 443 https
service-group sg_ssli_ipv6_intercept
template client-ssl cl_ssl_ipv6
no-dest-nat port-translation
user-tag Security,ipv6_port_443https
exit-module


exit-module
!
end
!Current configuration: 7779 bytes
!Configuration last updated at 06:29:47 UTC Thu Aug 16 2018
!Configuration last saved at 09:12:05 UTC Wed Sep 5 2018
!

Consolidated Configuration for SSLi_Outside


active-partition ssli_out
!
!
vlan 860
untagged ethernet 3 to 4
router-interface ve 860
name ssli_out_ingress_egress
user-tag Security,ssli_out_ingress_egress
exit-module
!
ipv6 access-list ipv6-permit
permit ipv6 any any vlan 860 ethernet 3
exit-module
!
interface ethernet 3
name ssli_out_ingress
enable
cpu-process
user-tag Security,ssli_out_ingress
exit-module
!
interface ethernet 4
name ssli_out_egress
enable
cpu-process
user-tag Security,ssli_out_egress
exit-module
!
interface ve 860
name ssli_out_ingress_egress
user-tag Security,ssli_out_ingress_egress
ip allow-promiscuous-vip
ipv6 address 2001:558:3dc:1::5/125
exit-module
!
!

ipv6 route ::/0 2001:558:3dc:1::2
!
!
slb server fw2_ipv6 2001:558:3dc:1::2
health-check-disable
port 0 tcp
health-check-disable
exit-module
port 0 udp
health-check-disable
exit-module
port 443 tcp
health-check-disable
exit-module
exit-module
!
!
slb service-group sg_ssli_ipv6_encrypt tcp
member fw2_ipv6 443
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_others udp
member fw2_ipv6 0
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_tcp tcp
member fw2_ipv6 0
exit-module
exit-module
!
slb service-group sg_ssli_ipv6_udp udp
member fw2_ipv6 0
exit-module
exit-module
!
!
slb virtual-server ssli_ipv6_encrypt :: ipv6-acl ipv6-permit
user-tag Security,ssli_out
port 0 tcp
service-group sg_ssli_ipv6_tcp
use-rcv-hop-for-resp
no-dest-nat
user-tag Security,ssli_out_port_0tcp
exit-module
port 0 udp


service-group sg_ssli_ipv6_udp
use-rcv-hop-for-resp
no-dest-nat
user-tag Security,ssli_out_port_0udp
exit-module
port 0 others
service-group sg_ssli_ipv6_others
use-rcv-hop-for-resp
no-dest-nat
user-tag Security,ssli_out_port_0others
exit-module
port 443 tcp
service-group sg_ssli_ipv6_443
use-rcv-hop-for-resp
no-dest-nat
user-tag Security,ssli_out_port_443tcp
exit-module
port 8080 http
service-group sg_ssli_ipv6_encrypt
use-rcv-hop-for-resp
no-dest-nat port-translation
user-tag Security,ssli_out_decrypted_port_44380http
exit-module
!
end

Configuring the SSLi_Inside and SSLi_Outside in the GUI


The procedures for creating the configuration for both SSLi_Inside and SSLi_Outside on a single ACOS
device with dual partitions for IPv6 are very similar to the procedure in “Outbound SSLi with Static Port
Type HTTPS—Two ACOS Devices Each With a Single Partition” on page 38.

Follow those steps and make the appropriate replacements by consulting the consolidated configurations
discussed in:

Step 1. Configuring the Network VLANs


Create tagged VLANs 15 and 20 on the ethernet 1 and ethernet 2 interfaces respectively.
Follow the instructions in “Step 1. Configuring the Network VLANs (GUI for ACOS_decrypt)” on
page 52.

Step 2. Configuring the Network IP Addresses


Follow the instructions in “Step 2. Configuring the Network IP Addresses (GUI for ACOS_decrypt)”
on page 53.


Step 3. Configuring an Access List


Follow the instructions in “Step 3. Creating an Access List (GUI for ACOS_decrypt)” on page 53.

Step 4. Configuring SSLi Services


Follow the instructions in “Step 4. Configuring the SSLi Service (GUI for ACOS_decrypt)” on
page 53.

Step 5. Configuring the Real Server


Follow the instructions in “Step 5. Configuring the Real Server (GUI for ACOS_decrypt)” on page 54.

Step 6. Configuring the Service Groups


Follow the instructions in “Step 6 Creating the Service Group and its Members (GUI for
ACOS_decrypt)” on page 55.

Step 7. Creating the Virtual Server


Follow the instructions in “Step 7. Creating the Virtual Server (GUI for ACOS_decrypt)” on page 56.


SSLi Inspect, Bypass, and Exception Lists

ACOS lets you configure rules that determine whether a packet is bypassed or inspected, based on criteria
configured with the forward-proxy-bypass command or in the Policies tab of the SSLi services. The exception
class list decides whether a packet passing through an SSLi solution is inspected even if forward-proxy-bypass
is configured.

For example, a rule can be configured to bypass inspection of all financial services. Using an
exception-class-list option, however, packets from specific financial services can still be inspected.

ACOS supports the following criteria for taking inspection decisions:

• Server Name Indication (SNI)

• Certificate Subject Alternative Name (SAN)

• Certificate Subject

• Certificate Issuer

ACOS supports the following criteria for taking bypass decisions:

• SNI

• Certificate Subject Alternative Name (SAN)

• Certificate Subject

• Certificate Issuer

• Web Category (requires license)

• User Name

• AD Group

NOTE: If Bypass Decrypt is enabled, exception lists can also be configured so that ACOS
is forced to inspect specific packets.

Additionally, ACOS supports client authentication bypass that requires configuring a list of server names that
bypass SSLi forward proxy processing when CAC is requested by the server.

Related Concepts

• “SSLi Traffic Inspection Based on SNI and Server Certificate” on page 190

• “SSLi Traffic Bypass Based on User Name and Group Name” on page 190


• “Priority of Rules for SSLi” on page 192

• “SSLi Bypass for "no shared cipher" Error” on page 204

Related Tasks

• “Configuring Rules for SSLi Inspect and Bypass (GUI)” on page 197

• “Configuring Rules for SSLi Inspect and Bypass (CLI)” on page 200

• “Converting an SNI List to an AC Class List (CLI)” on page 196

Related References

• “CLI Options for SSLi Bypass and Inspect” on page 195

• “Consolidated Client-SSL Templates for SSLi Bypass” on page 205

SSLi Traffic Inspection Based on SNI and Server Certificate


ACOS supports inspection, bypass, and exception lists that include elements such as IP addresses, SNIs, and
matching certificate subject or issuer. Unless one of these certificate-based options is configured, by default the
SNI in the client-hello message is used to decide between bypass and inspection.

Server Name Indication (SNI) is an extension of the TLS protocol and indicates the hostname that is being con-
tacted by the browser at the beginning of the SSL handshake. SNI enables multiple secure websites to be served
off the same IP address without requiring all those sites to use the same certificate. In an SSL Insight deploy-
ment, SNI support allows multiple self-signed certificates to be used. In SSLi deployments, you can map each
certificate to the domain name of an outside resource that is being accessed by clients.

Subject Alternative Name (SAN) certificates can secure a number of fully qualified domain names with a single
certificate. The SAN field enables you to specify additional host names such as sites, IP addresses, common
names, and so on, to be protected by a single SSL Certificate. SAN Certificates allow you to secure a primary
domain and then add additional domains to the subject alternative name field of the certificate.

SSLi Traffic Bypass Based on User Name and Group Name


SSLi traffic can be bypassed based on user name and group name.

For example, SSLi can bypass all traffic from users who belong to a specific group such as optout. SSLi can also
bypass traffic for specific users.


This feature leverages AAM (inline authentication) and challenges the user for credentials if no user information
is known for the client IP address. Only the supported AAM authentication methods for HTTP are enabled for this
feature.

To enable the feature, you must bind an AAM authentication template that contains a logon to the virtual port to
collect the user names. For user-group based bypassing, enable AAM authorization so that group information is
retrieved from the authorization service. The authorization server must be an LDAP server that supports the
memberOf attribute.

Since the user name and group name are retrieved from the AAM module, the actual matching is performed in the
AAM module (after authentication and authorization pass). The results are marked in the authentication session,
and the SSL module makes its bypass decision according to the results in that session.

The following are the limitations:

• The feature is not applicable to reverse proxy scenarios.

• Since SSL does not have cookies similar to HTTP, in this feature a user is associated with an IP address.
Multiple users sharing a single system is not supported.

• To do group matching, authorization must be configured to retrieve group membership information.


Priority of Rules for SSLi


There are three ways you can apply rules in ACOS that specify which server connections bypass ACOS SSLi ser-
vices or which ones are intercepted. You can add each rule directly, you can create an Aho-Corasick (AC) class
list containing the matching rules, or you can import an AC class list. The rules and/or class lists are bound to a
client SSL template which in turn is bound to a virtual router port.

Both ACOS CLI and GUI are supported for creating these rules.

The following match options are used by the rules that you configure:

• Equals—Matches only if the value completely matches the specified string.

• Starts-with—Matches only if the value starts with the specified string.

• Contains—Matches if the specified string appears anywhere within the value.

• Ends-with—Matches only if the value ends with the specified string.

These match options are always applied in the order shown, regardless of the order in which the rules appear in
the configuration. If a template has more than one rule with the same match option (equals, starts-with, contains,
or ends-with) and a value matches on more than one of them, the most-specific match is always used.

NOTE: When one string matches multiple rules, the first matched string wins. Users expecting multiple rule
hits should be aware of this behavior and revise their class list as needed.

By default, matching is case sensitive. For example, the rule forward-proxy-bypass contains aa matches SNI
strings that contain “aa” but not strings that contain “AA”. You can disable case-sensitive matching on a
template-wide basis; the setting applies to all match rules in the template. With case sensitivity disabled, the rule
above matches SNI strings that contain any of the following: “aa”, “AA”, “aA”, or “Aa”.

At a top level, the priority of rules is as follows:

1. aFleX SSLi commands
2. forward-proxy-no-sni-action
3. forward-proxy-inspect commands
4. forward-proxy-no-sni-action
5. forward-proxy-bypass commands


FIGURE 25 Hierarchy of SSLi Rules

NOTE: No Match decision box: If there is no match on Inspect Checking, SSLi checks whether a bypass
configuration exists. If there is no bypass configuration, the action is to bypass SSL decryption. If a
bypass configuration exists, bypass checking is performed as shown in the figure.


The following is the priority of rules configured for SSLi.

1. If the client hello carries no SNI, forward-proxy-no-sni-action is run. For the intercept action, the current
decision for this checkpoint is inspect and the checks continue. For the bypass action, the final decision is
bypass, and for the reset action, the final decision is reset.
2. If the SNI inspection class-list is configured but not matched, the final decision is bypass.
3. If forward-proxy-bypass exception-user-name-list or exception-ad-group-list is configured and matched, the
final decision is inspect.
4. If forward-proxy-bypass user-name-list or ad-group-list is configured and matched, the final decision is
bypass.
5. If the SNI bypass strings (contains/starts-with/equals/ends-with) are configured and matched, the final deci-
sion is bypass.
6. If the SNI bypass exception class list is configured and matched, the final decision is inspect.
7. If the SNI bypass class-list is configured and matched, the final decision is bypass.
8. If web category bypass is configured and matched, the final decision is bypass.
9. Else, the decision is inspect for now and continue to perform the remaining checks.

Next, SNI URL filtering is checked as follows:

1. If intercepted-sni-enable is not configured (the option is disabled by default), SNI URL filtering is skipped.
2. If bypass-sni-disable is configured for bypassed URL, SNI URL filtering is continued.
3. In the event that there is no SNI and if no_sni_allow is not configured, the connection is dropped.
4. If enable-san is configured and there is a match, the server certificate is fetched even for a bypass decision.
5. SNI URL filtering is continued, and if the class-list is matched, the configured action is run.

Next, server certificate checkpoint is run as follows:

1. If the certificate subject/issuer/SAN inspect class-list is configured but not matched, then the final decision
is bypass.
2. If forward-proxy-bypass exception-user-name-list/exception-ad-group-list is configured and matched, the
final decision is inspect.
3. If forward-proxy-bypass user-name-list/ad-group-list is configured and matched, the final decision is bypass.
4. If the certificate subject/issuer/SAN bypass strings (contains/starts-with/equals/ends-with) are configured
and matched, the final decision is bypass.
5. If the certificate subject/issuer/SAN bypass exception class list is configured and matched, the final deci-
sion is inspect.


6. If the certificate subject/issuer/SAN bypass class-list is configured and matched, the final decision is
bypass.
7. Else, the decision is inspect.

Next, SAN URL filtering is checked as follows:

1. If enable-san is not configured, SAN URL filtering is skipped.
2. If enable-san is configured, check if intercepted-san-enable is configured for intercepted URL. If the option is
not enabled (disabled by default), SAN URL filtering is not continued.
3. Check if bypassed-san-disable is configured for bypassed URL. If the option is disabled (enabled by default),
SAN URL filtering is not continued.
4. In NO SAN case, if no_san_allow is not configured, the connection is dropped.
5. Else, SAN URL filtering is continued, the class-list is matched against certificate subject/issuer/SAN and the
rule action with the highest priority is run.
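The following Python is an added illustration, not A10 code: it models the nine SNI-checkpoint steps listed above together with the match-option semantics and case handling described in “Priority of Rules for SSLi”, so the order of precedence can be exercised against sample names. The SniPolicy attribute names, the sample rules and the user/group/category inputs are this example's own assumptions.

```python
"""Model of the SNI checkpoint decision order documented for ACOS SSLi."""
from dataclasses import dataclass, field
from typing import Optional

INSPECT, BYPASS, RESET = "inspect", "bypass", "reset"
# The guide applies the match options in this fixed order, whatever the
# order of the rules in the configuration.
MATCH_ORDER = ("equals", "starts-with", "contains", "ends-with")


def match_rule(match_type, pattern, value, case_insensitive=False):
    """Evaluate one equals/starts-with/contains/ends-with rule against an SNI."""
    if case_insensitive:                     # template-wide setting in ACOS
        pattern, value = pattern.lower(), value.lower()
    if match_type == "equals":
        return value == pattern
    if match_type == "starts-with":
        return value.startswith(pattern)
    if match_type == "contains":
        return pattern in value
    if match_type == "ends-with":
        return value.endswith(pattern)
    raise ValueError(f"unknown match type: {match_type}")


def class_list_matches(entries, value, case_insensitive=False):
    """entries: (match_type, pattern) pairs, as in an AC class list."""
    for match_type in MATCH_ORDER:
        for mt, pattern in entries:
            if mt == match_type and match_rule(mt, pattern, value, case_insensitive):
                return True
    return False


@dataclass
class SniPolicy:
    """The client-ssl template settings the SNI checkpoint looks at. The
    attribute names are this example's; the comments give the CLI keyword."""
    no_sni_action: str = INSPECT                    # forward-proxy-no-sni-action
    case_insensitive: bool = False                  # forward-proxy-bypass case-insensitive
    inspect_class_list: Optional[list] = None       # forward-proxy-inspect class-list
    exception_user_names: frozenset = frozenset()   # exception-user-name-list
    exception_ad_groups: frozenset = frozenset()    # exception-ad-group-list
    bypass_user_names: frozenset = frozenset()      # user-name-list
    bypass_ad_groups: frozenset = frozenset()       # ad-group-list
    bypass_strings: list = field(default_factory=list)  # contains/starts-with/...
    bypass_exception_class_list: Optional[list] = None  # exception-class-list
    bypass_class_list: Optional[list] = None        # class-list
    bypass_web_categories: frozenset = frozenset()  # web-category (licensed)


def sni_decision(p, sni, user=None, groups=(), web_category=None):
    """Walk the nine SNI-checkpoint steps from the guide and return the
    decision. user/groups come from AAM; web_category is whatever the
    licensed category lookup returned for this SNI (None if unknown)."""
    ci, groups = p.case_insensitive, frozenset(groups)
    # 1. No SNI: forward-proxy-no-sni-action. intercept keeps the decision at
    #    inspect and the later checkpoints (server certificate) still run.
    if not sni:
        return p.no_sni_action if p.no_sni_action in (BYPASS, RESET) else INSPECT
    # 2. Inspect class-list configured but not matched: bypass.
    if p.inspect_class_list is not None and not class_list_matches(
            p.inspect_class_list, sni, ci):
        return BYPASS
    # 3. User-name / AD-group exception lists: inspect.
    if user in p.exception_user_names or groups & p.exception_ad_groups:
        return INSPECT
    # 4. User-name / AD-group bypass lists: bypass.
    if user in p.bypass_user_names or groups & p.bypass_ad_groups:
        return BYPASS
    # 5. Direct bypass strings: bypass. This step precedes step 6, so the
    #    exception class-list cannot rescue a name hit by a direct string rule.
    if class_list_matches(p.bypass_strings, sni, ci):
        return BYPASS
    # 6. Bypass exception class-list: inspect.
    if p.bypass_exception_class_list and class_list_matches(
            p.bypass_exception_class_list, sni, ci):
        return INSPECT
    # 7. Bypass class-list: bypass.
    if p.bypass_class_list and class_list_matches(p.bypass_class_list, sni, ci):
        return BYPASS
    # 8. Web-category bypass: bypass.
    if web_category is not None and web_category in p.bypass_web_categories:
        return BYPASS
    # 9. Otherwise inspect; on the device the remaining checkpoints continue.
    return INSPECT


if __name__ == "__main__":
    # Constructed sample: the three rules from the CLI example in this guide.
    rules = [("contains", "jsmith.com"), ("contains", "EnterpriseABC.com"),
             ("equals", "UofKgmc.edu/admissions")]
    for ci in (False, True):
        p = SniPolicy(case_insensitive=ci, bypass_strings=rules)
        print(f"case-insensitive={ci}: mail.enterpriseabc.com ->",
              sni_decision(p, "mail.enterpriseabc.com"))
```

Note that the exception class list only overrides the bypass class list (step 7), not a direct contains/equals rule (step 5), which is why names that must always be inspected belong in the class-list form of the bypass rule.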

CLI Options for SSLi Bypass and Inspect


Use the forward-proxy-bypass command to configure SSLi rules for inspection, bypass, and exception lists.

The forward-proxy-bypass command has the following options. Refer to the ADC Command Reference Guide for
more information on each option:

ACOS_decrypt(config-client ssl)#forward-proxy-bypass ?
ad-group-list             Forward proxy bypass if ad-group matches class-list
async-web-cat-lookup      Async lookup for web-category
case-insensitive          Case insensitive forward proxy bypass
certificate-issuer        Certificate issuer will be used to match another string
certificate-san           Certificate SAN will be used to match another string
certificate-subject       Certificate Subject will be used to match
class-list                Forward proxy bypass if SNI string matches class-list
client-auth               Bypass SSL forward proxy client authentication
contains                  Forward proxy bypass if SNI string contains another string
ends-with                 Forward proxy bypass if SNI string ends with another string
equals                    Forward proxy bypass if SNI string equals another string
exception-ad-group-list   Exceptions to forward proxy bypass if ad-group matches class-list
exception-class-list      Exceptions to forward-proxy-bypass
exception-user-name-list  Exceptions to forward proxy bypass if user-name matches class-list
starts-with               Forward proxy bypass if SNI string starts with another string
user-name-list            Forward proxy bypass if user-name matches class-list
web-category              Web URL Category

Converting an SNI List to an AC Class List (CLI)


The class lists used in the SSLi policies must conform to the A10 Aho-Corasick (AC) implementation. The class-
list list-name ac command combined with the contains, ends-with, equals, and starts-with sub-commands
can create the required list, but you must enter each SNI individually.

To convert a newline-delimited text SNI list to an AC class list for SSLi bypass, use the
import class-list-convert filename class-list-type ac command.

The file mySNIs.txt is a newline delimited list of domain names. Its contents are as follows:

www.armardo.com
www.pickature.com
mail.ispgen.com

The conversion procedure takes the following steps:

1. Enter the following command in global configuration mode:
import class-list-convert mySNIs.txt class-list-type ac scp://[email protected]/home/user-
name/test_import

2. Verify the converted list file. Use the show class-list class-list-name debug command:
AX5100# show class-list mySNIs.txt debug
Name: name
Total String: 2
Total hash chain: 0
Total trie node: 0
Reference count: 0
File size: N/A
File date: N/A
Content:
equals mail.ispgen.com
equals www.pickature.com
equals www.armardo.com
File content:
class-list class-list1 ac file

; AC (Total: 3)
equals mail.ispgen.com

equals www.pickature.com
equals www.armardo.com

3. Use a text editor to edit the class-list as required by your network. For example, you might wish to alter the
first domain in the list:
A10 Aho-Corasick Class-List
ends-with armardo.com
equals www.pickature.com
equals mail.ispgen.com
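As an added example (not part of the guide and not ACOS code), the Python below does offline what import class-list-convert does on the device: it turns a newline-delimited SNI list into the file layout shown by show class-list ... debug, and parses such a file back while checking the declared total, so a hand-edited list like the one above can be validated before import. The function names and the hostname check are this example's assumptions.

```python
"""Convert a newline-delimited SNI list to/from the AC class-list file layout."""
import re

MATCH_TYPES = ("equals", "starts-with", "contains", "ends-with")
# Loose server-name check: dotted labels, optionally followed by a path such
# as the "UofKgmc.edu/admissions" rule used elsewhere in the guide.
_SNI_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(/\S*)?$")


def sni_lines_to_ac_class_list(text, name, match_type="equals"):
    """Return the AC class-list text for a newline-delimited SNI list.
    Blank lines and ';' comment lines are skipped; each SNI becomes one
    '<match_type> <sni>' entry (the device conversion emits 'equals')."""
    if match_type not in MATCH_TYPES:
        raise ValueError(f"unknown match type: {match_type}")
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if not _SNI_RE.match(line):
            raise ValueError(f"line {lineno}: not a server name: {line!r}")
        entries.append((match_type, line))
    body = "\n".join(f"{mt} {sni}" for mt, sni in entries)
    return f"class-list {name} ac file\n\n; AC (Total: {len(entries)})\n{body}\n"


def parse_ac_class_list(text):
    """Parse the file layout back into (name, [(match_type, string), ...]).
    Rejects a missing header, unknown match types and a wrong declared total."""
    lines = [l.strip() for l in text.splitlines()]
    m = re.match(r"^class-list (\S+) ac file$", lines[0] if lines else "")
    if not m:
        raise ValueError("missing 'class-list NAME ac file' header")
    name, entries, declared = m.group(1), [], None
    for line in lines[1:]:
        if not line:
            continue
        t = re.match(r"^; AC \(Total: (\d+)\)$", line)
        if t:
            declared = int(t.group(1))
            continue
        mt, _, value = line.partition(" ")
        if mt not in MATCH_TYPES or not value:
            raise ValueError(f"bad class-list entry: {line!r}")
        entries.append((mt, value))
    if declared is not None and declared != len(entries):
        raise ValueError(f"header declares {declared} entries, found {len(entries)}")
    return name, entries


if __name__ == "__main__":
    # Constructed sample: the mySNIs.txt contents from the guide.
    sample = "www.armardo.com\nwww.pickature.com\nmail.ispgen.com\n"
    print(sni_lines_to_ac_class_list(sample, "mySNIs"))
```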

Configuring Rules for SSLi Inspect and Bypass (GUI)


You can enter match rules directly, you can create an AC class list, or you can import an AC class list for binding
to the client SSL template.

1. Navigate to Security > SSLi > Templates and edit your client ssl template (such as
SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window, click the Policies tab.
3. To create inspection rules, select any or a combination of the following options:
• Inspect if SNI Matches Class List
• Inspect if Certificate SAN Matches Class List
• Inspect if Certificate Subject Matches Class List
• Inspect if Certificate Issue Matches Class List
4. For no SNI, configure the Forward Proxy No SNI Action field to either intercept, bypass or drop the
packet.
5. For each Inspect field, three options are available, select one:
• Select from the drop-down
• Create a class list
• Import a class list
6. For Bypass Decrypt, select a Condition from the drop-down.
7. Select a Value and click Apply.
8. To add multiple rules, click Add as needed.
9. For creating exceptions to the SSLi bypass decrypt rules, the following options are available:
• Exceptions if SNI Matches Class List
• Exceptions if User Name Matches Class List
• Exceptions if AD Group Matches Class List


• Exceptions if Certificate Subject Matches Class List


• Exceptions if Certificate Issuer Matches Class List
10. For each Exception field, three options are available, select one:
• Select from the drop-down
• Create a class list
• Import a class list

Related Tasks

• “Creating a Class List (GUI)” on page 199

• “Importing a Class List (GUI)” on page 199


Creating a Class List (GUI)


Configure an AC class list to add to the SSLi inspection, bypass, or exception lists.

The procedure below adds an AC class list for the Bypass Decrypt option. You can perform similar steps to
create AC class lists for the other fields in the SSLi Policies tab.

To create an AC class list for the Bypass Decrypt option, perform the following steps:

1. Navigate to Security > SSLi > Templates and edit your client ssl template (such as
SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window, click the Policies tab.
3. For Bypass Decrypt, click Add and then click a condition from the drop-down.
Since the procedure is for adding class lists, select SNI Match Class List.
a. For Value, click the +
b. In the Name field, enter a name.
c. To store the list as a file, select Store as a file.
Class list type Aho Corasick is selected by default.
d. For AC, select an option from the drop-down list:
• Contains
• Ends with
• Starts with
• Equals
e. Type the key that you wish to match.
f. Click the save icon.
g. To add another item to the class list, click Add.
h. Repeat step e, f, and g for additional ACs.
i. Click OK.
4. Click Apply on the main page to add the condition.

Importing a Class List (GUI)


SSLi supports importing an AC class list for configuring the SSLi bypass, inspect, and exception lists options.

The procedure below imports an AC class list for the Bypass Decrypt option. You can perform similar steps to
import AC class lists for the other fields in the SSLi Policies tab.


To import an AC class list, perform the following steps:

1. Navigate to Security > SSLi > Templates and edit your client ssl template (such as
SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window:
a. Click the Policies tab.
3. For Bypass Decrypt, click Add.
4. Expand the Condition section and select SNI Match Class List (an example).
a. For Value, click the Import button.
b. Click whether the class list is Local or Remote.
c. Enter the class list Name.
5. Browse to the location if the class list is Local, and skip to step 7.
6. If the class list is Remote,
• Click whether or not to Use Mgmt Port.
• Select the file import Protocol.
• Enter the Host name.
• Enter the URL Location.
• If you selected the FTP Protocol, enter the protocol port used for FTP, the User name, and the Password.
• If you selected the SCP or SFTP Protocol, enter the User name and the Password.
7. Click OK.
8. Click Apply on the main page to add the condition.
9. Either add your newly imported class list to an existing template, or create a new template and then add your
newly imported class list.

Configuring Rules for SSLi Inspect and Bypass (CLI)


Use the forward-proxy-bypass command to create rules for SSLi bypass, inspection, and exceptions.

In this example, assume that ACOS SSLi is configured as described in the “Reference Configuration for Two-Device
Static-HTTPS-Port SSLi” section of the “Static-Port Type HTTPS SSLi” chapter. Also assume that the client-facing
VIP on the ACOS decrypt device and the client SSL template are configured as follows:

ACOS-Decrypt# show running-config slb virtual-server

!Section configuration: 722 bytes
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 0 tcp
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat
port 443 https
service-group FW1_Inspect_SG
template client-ssl SSLInsight_ClientSide
no-dest-nat
!
ACOS-Decrypt# show running-config slb template client-ssl
!Section configuration: 330 bytes
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-selfsignd
forward-proxy-enable
!

1. Enter the configuration mode for the SSL client template named SSLInsight_ClientSide:
ACOS_Decrypt# configure
ACOS_Decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_Decrypt(config-client ssl)#

2. The forward-proxy-bypass command configures the SNI match and case rules and/or class lists that
determine whether a client is enabled for client-authentication bypass. This step adds SNI match rules.
Use the forward-proxy-bypass command to enter the SNI match and case rules as needed to specify which
servers bypass ACOS SSLi:
ACOS_Decrypt(config-client ssl)# forward-proxy-bypass contains jsmith.com
ACOS_Decrypt(config-client ssl)# forward-proxy-bypass contains EnterpriseABC.com
ACOS_Decrypt(config-client ssl)# forward-proxy-bypass equals UofKgmc.edu/admissions
ACOS_Decrypt(config-client ssl)# forward-proxy-bypass case-insensitive

3. Commit the changes to ACOS memory.
ACOS_Decrypt(config-client ssl)# write memory

4. Enter the configuration mode for the “Decrypt_VIP” and bind the modified SSL client template to the virtual
port “port 443 https:”
ACOS_Decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_Decrypt(config-slb vserver)# port 443 https

ACOS_Decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_Decrypt(config-slb vserver-vport)#

5. Commit the changes to ACOS memory.
ACOS_Decrypt(config-slb vserver-vport)# write memory

Related Tasks

• “Creating a Class List (CLI)” on page 202

• “Importing a Class List (CLI)” on page 203

Creating a Class List (CLI)


Use the class-list command with the ac option to create a class list in ACOS CLI.

Assume that the VIP and SSL Client template are configured on ACOS decrypt just as described in the “Reference
Configuration for Two-Device Static-HTTPS-Port SSLi” section of the “Static-Port Type HTTPS SSLi” chapter.

1. To create a class list, use the class-list command with the ac option.
The class-list command creates a class list and gives it a name. The file option saves the list as a file that
you can export. Without this option, the class list entries are saved in the configuration file instead. The ac
option is required. This specifies that the list type is Aho-Corasick.
ACOS_Decrypt# configure
ACOS_Decrypt(config)# class-list bypassed-servers-CL ac
ACOS_Decrypt(config-class list)# contains jsmith.com
ACOS_Decrypt(config-class list)# contains EnterpriseABC.com
ACOS_Decrypt(config-class list)# equals UofKgmc.edu/admissions

2. Bind the new class list to the SSL client template:
ACOS_Decrypt# configure
ACOS_Decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_Decrypt(config-client ssl)# forward-proxy-bypass class-list bypassed-servers-CL

3. Bind the modified SSL client template to the port 443 https virtual port of the VIP:
ACOS_Decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_Decrypt(config-slb vserver)# port 443 https
ACOS_Decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_Decrypt(config-slb vserver-vport)#

4. Commit the changes to ACOS memory.


ACOS_Decrypt(config-slb vserver-vport)# write memory


Importing a Class List (CLI)


Use the import class-list command to import a class list.

Assume that the VIP and SSL Client template are configured on the ACOS Decrypt zone just as described in the
“Reference Configuration for Two-Device Static-HTTPS-Port SSLi” section of the “Static-Port Type HTTPS SSLi”
chapter.

1. The following example imports a class-list file named CL.tgz. The imported class list is given the name
bypassed-servers-CL, which identifies it in ACOS commands. The file is fetched from the host 192.168.20.161
with the scp file transfer protocol.
ACOS_Decrypt# import class-list bypassed-servers-CL scp://192.168.20.161/CL.tgz

2. Bind the imported class list to the SSL client template:


ACOS_Decrypt# configure
ACOS_Decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_Decrypt(config-client ssl)# forward-proxy-bypass class-list bypassed-servers-CL

3. Bind the modified SSL client template to port 443 https of the VIP:
ACOS_Decrypt(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS_Decrypt(config-slb vserver)# port 443 https
ACOS_Decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_Decrypt(config-slb vserver-vport)#

4. Commit the changes to ACOS memory.


ACOS_Decrypt(config-slb vserver-vport)# write memory

The forward-proxy-bypass class-list command bypasses SSLi when the Server Name Indication (SNI) sent by the client
for the outside server matches an entry in the specified class list or class lists. When the multi-class-list
option is used, you can enter up to 16 file-type class lists for each slb template client-ssl instance; without
it, you can enter only one class list name. Keep in mind that the SNI is supplied by the client, so a bypass
decision based on it trusts the client's claim about the destination.

ACOS_Decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_Decrypt(config-client ssl)# forward-proxy-bypass class-list multi-class-list my-class-list-name1
ACOS_Decrypt(config-client ssl)# forward-proxy-bypass class-list multi-class-list my-class-list-name2

Showing the System Resource Usage of SNI-Based Bypassing (CLI)


Use the show system resource-usage command to check the AC class-list entry count (class-list-ac-entry-count)
and the remaining space available.
ACOS# show system resource-usage
Resource                      Current    Default    Minimum    Maximum
--------------------------------------------------------------------------
l4-session-count              67108864   67108864   16777216   134217728
class-list-ipv6-addr-count    4096000    4096000    4096000    8192000
class-list-ac-entry-count     3072000    3072000    3072000    6144000
auth-portal-html-file-size    20         20         4          120
auth-portal-image-file-size   6          6          1          80
max-aflex-file-size           32768      32768      16384      262144
aflex-table-entry-count       102400     102400     102400     10485760

SSLi Bypass for "no shared cipher" Error


In earlier ACOS releases, SSLi terminates a connection if a "no shared cipher" error occurs during the client-side
handshake. The forward-proxy-failsafe option does not help in such cases, because the cipher check occurs at an
early stage of the SSL handshake, before failsafe can act. Starting from this release, ACOS supports an additional
forward-proxy-no-shared-cipher-action option that can be configured either to bypass SSLi processing or to drop
the connection. Bypassing means the client and server negotiate directly without inspection, so choose bypass only
where uninspected traffic from clients that offer no common cipher is acceptable.

The forward-proxy-no-shared-cipher-action option can be enabled either through the ACOS GUI or the ACOS CLI.

Related Tasks

• “Configuring SSLi Bypass for “no shared cipher” Error (CLI)” on page 204

• “Configuring SSLi Bypass for “no shared cipher” Error (GUI)” on page 204

Configuring SSLi Bypass for “no shared cipher” Error (CLI)


Perform the following steps to create a client-SSL template that bypasses SSLi for connections where a
no-shared-cipher error occurs during the SSLi handshake.

1. Create a client SSL template called SSLInsight_DecryptSide by running the following command:
ACOS(config)# slb template client-ssl SSLInsight_DecryptSide

2. Configure bypass for the forward-proxy-no-shared-cipher-action option:
ACOS(config-client ssl)# forward-proxy-no-shared-cipher-?
  forward-proxy-no-shared-cipher-action   Action taken if handshake fails due to no shared cipher,
                                          close the connection by default
ACOS(config-client ssl)# forward-proxy-no-shared-cipher-action ?
  bypass   bypass SSLi processing
  drop     close the connection
ACOS(config-client ssl)# forward-proxy-no-shared-cipher-action bypass

Configuring SSLi Bypass for “no shared cipher” Error (GUI)


Perform the following steps to create a client-SSL template that bypasses SSLi for connections where a
no-shared-cipher error occurs during the SSLi handshake.

1. Navigate to Security >> SSLi >> Templates >> Create >> Client SSL.
Alternatively, navigate to ADC >> Templates >> SSL >> Create >> Client SSL.
The Create Client SSL Template page is displayed.
2. Fill in the required fields.
3. Under the forward-proxy-no-shared-cipher-action option, select either Drop or Bypass.
By default, the value is Drop.
4. Click OK.

Consolidated Client-SSL Templates for SSLi Bypass


You can configure client-SSL templates for SSLi bypass using any combination of the commands available under
forward-proxy-bypass, together with forward-proxy-no-shared-cipher-action.

Example Configuration of SSLi Bypass and “no-shared-cipher” Error


The following client-SSL template bypasses the SSLi connection under three conditions:

• For financial services

• For health and medicine services

• For “no-shared-cipher” error


!
slb template client-ssl SSLInsight_DecryptSide
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-key
forward-proxy-ocsp-disable
forward-proxy-crl-disable
forward-proxy-cert-expiry hours 168
forward-proxy-enable
forward-proxy-failsafe-disable
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category health-and-medicine
forward-proxy-no-shared-cipher-action bypass
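Both bypass mechanisms used above, the SNI class-list match from “Importing a Class List (CLI)” and the
forward-proxy-no-shared-cipher-action, are decided from fields of the client's ClientHello before any server
certificate is seen. The following Python script is an added example, not A10 code: it builds a minimal TLS
ClientHello, parses the SNI and the offered cipher suites back out of it, and applies the two rules in the
order assumed here (cipher check first, because it happens earliest in the handshake, then the SNI list). The
class-list entries mirror the page; the `contains` = substring and `equals` = exact-match semantics, the set of
suites the intercepting template accepts, and all hosts are assumptions made for illustration.

```python
"""Added example (not from the A10 guide): emulate SNI class-list bypass and
forward-proxy-no-shared-cipher-action on a raw TLS ClientHello.
Decision order, matching semantics and all sample data are assumptions."""
import struct

# IANA cipher suite IDs used for the constructed samples
ECDHE_RSA_AES128_GCM = 0xC02F
ECDHE_RSA_CHACHA20 = 0xCCA8
RSA_RC4_128_SHA = 0x0005

# Mirrors the bypassed-servers-CL class list on the page: (operator, value) per entry
BYPASSED_SERVERS_CL = [
    ("contains", "jsmith.com"),
    ("contains", "EnterpriseABC.com"),
    ("equals", "UofKgmc.edu/admissions"),
]
# Assumed: suites the intercepting client-ssl template is willing to negotiate
ACOS_SUPPORTED_SUITES = {ECDHE_RSA_AES128_GCM, ECDHE_RSA_CHACHA20}


def build_client_hello(sni, cipher_suites):
    """Construct a minimal TLS record holding a ClientHello with an SNI extension."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name(0) + name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list     # server_name extension
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                        # version, zero random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                            # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Return (sni or None, [cipher suite ids]); raise ValueError if malformed."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                   # skip client_version and random
        pos += 1 + body[pos]                           # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                           # compression_methods
        sni = None
        if pos + 2 <= len(body):                       # extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
                data = body[pos + 4:pos + 4 + ext_len]
                pos += 4 + ext_len
                if ext_type == 0x0000 and data[2] == 0x00:   # server_name, host_name type
                    name_len = struct.unpack("!H", data[3:5])[0]
                    sni = data[5:5 + name_len].decode("ascii", "replace").lower()
        return sni, suites
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc


def sni_matches(sni, class_list):
    """Emulate AC class-list matching: contains = substring, equals = exact (case-insensitive)."""
    if sni is None:
        return False
    for op, value in class_list:
        value = value.lower()
        if (op == "contains" and value in sni) or (op == "equals" and value == sni):
            return True
    return False


def ssli_decision(record, class_list=BYPASSED_SERVERS_CL,
                  supported=ACOS_SUPPORTED_SUITES, no_shared_cipher_action="drop"):
    """'bypass', 'drop' or 'intercept' for one ClientHello (assumed order: cipher check, then SNI list)."""
    sni, offered = parse_client_hello(record)
    if not supported.intersection(offered):
        return no_shared_cipher_action                 # forward-proxy-no-shared-cipher-action
    if sni_matches(sni, class_list):
        return "bypass"                                # forward-proxy-bypass class-list
    return "intercept"


if __name__ == "__main__":
    for host, suites, action in [
        ("www.jsmith.com", [ECDHE_RSA_AES128_GCM], "drop"),
        ("mail.example.net", [ECDHE_RSA_AES128_GCM], "drop"),
        ("mail.example.net", [RSA_RC4_128_SHA], "drop"),
        ("mail.example.net", [RSA_RC4_128_SHA], "bypass"),
        ("jsmith.com.attacker.example", [ECDHE_RSA_AES128_GCM], "drop"),
        ("uofkgmc.edu", [ECDHE_RSA_AES128_GCM], "drop"),
    ]:
        rec = build_client_hello(host, suites)
        print(f"{host:28} no-shared-cipher-action={action:6} -> "
              f"{ssli_decision(rec, no_shared_cipher_action=action)}")
```

Two of the sample rows are the practitioner's checks: a `contains jsmith.com` entry also matches an SNI such as
jsmith.com.attacker.example, so a client can name a bypassed string in its SNI to escape inspection, and an
`equals` entry that carries a path (UofKgmc.edu/admissions) can never match an SNI, which carries only a host
name. Prefer `equals` entries with bare host names, and check the bypassed-urls output after deployment.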

Example Configuration of AAM, User Name, AD Group, Explicit Proxy, and SSLi


In this example, the SSLi solution combines AAM authentication with a user-name list and an AD group list to make
SSLi bypass decisions.

Three class lists are configured as AC lists: UNAME, GROUP, and BYPASS_EXCEPTION.

In this configuration, BASIC is the profile for HTTP-based logon and it is associated with the AAM authentication
template SSLI_BYPASS. The client-SSL template USER_BYPASS includes an exception list (BYPASS_EXCEPTION), a user-name
list (UNAME) and an AD group list (GROUP) for bypass. There is also an explicit-proxy policy template EP_SSLI for
forward proxy. Finally, the virtual server is associated with the explicit-proxy policy template, the client-SSL
template, and the AAA policy SSLI_BYPASS that references the authentication template.

class-list UNAME ac
equals asmith
equals jdoe
!
class-list GROUP ac
equals Employee
!
class-list BYPASS_EXCEPTION ac
equals TEST
!
aam authentication logon http-authenticate BASIC
auth-method basic enable
!
aam authentication template SSLI_BYPASS
logon BASIC
server AD_LDAP
!
aam aaa-policy SSLI_BYPASS
aaa-rule 1
authentication-template SSLI_BYPASS
!
slb template client-ssl USER_BYPASS
forward-proxy-ca-cert ...
forward-proxy-ca-key ...
forward-proxy-enable
forward-proxy-bypass exception-ad-group-list BYPASS_EXCEPTION
forward-proxy-bypass user-name-list UNAME
forward-proxy-bypass ad-group-list GROUP
!
slb template policy EP_SSLI
forward-policy
...
!
slb virtual-server EP 10.0.0.1
port 3128 http
template policy EP_SSLI
template client-ssl USER_BYPASS
aaa-policy SSLI_BYPASS
!

Example Configuration of AAM, User Name, AD Group Name, Transparent Proxy, and SSLi


In this example, the SSLi solution combines AAM authentication with a user-name list to make SSLi bypass decisions.

A class list UNAME is configured as an AC list. BASIC is the profile for HTTP-based logon and it is associated with
the AAM authentication template SSLI_BYPASS, which uses IP-based authentication sessions. The client-SSL template
USER_BYPASS includes the user-name list UNAME for bypass. There is also a transparent-proxy policy template TP_SSLI
configured with forward-policy.

Finally, the virtual server at port 443 HTTPS is associated with the transparent-proxy policy template, the
client-SSL template, and the AAA policy SSLI_BYPASS. No-destination-NAT and port translation are enabled.

access-list 10 permit 172.16.1.0 0.0.0.255
!
class-list UNAME ac
equals asmith
equals jdoe
!
aam authentication logon http-authenticate BASIC
auth-method basic enable
!
aam authentication template SSLI_BYPASS
auth-sess-mode ip-based
logon BASIC
server AD_LDAP
!
aam aaa-policy SSLI_BYPASS
aaa-rule 1
authentication-template SSLI_BYPASS
!
slb template client-ssl USER_BYPASS
forward-proxy-ca-cert ...
forward-proxy-ca-key ...
forward-proxy-enable
forward-proxy-bypass user-name-list UNAME
!
slb template policy TP_SSLI
forward-policy
...
!
slb virtual-server TP 0.0.0.0 acl 10
port 443 https
service-group DUMMY
template policy TP_SSLI
template client-ssl USER_BYPASS
no-dest-nat port-translation
aaa-policy SSLI_BYPASS
!


Web Category

Web Category refers to a set of features that includes URL Classification and Asynchronous Lookup.
Classifying URLs provides information that is used to filter unwanted content, adding an additional
layer of security. The same information can determine which URLs should bypass SSLi decryption in
order to comply with privacy laws.

The following topics are covered:

• Installing Web Category

• Using a Proxy Server for BrightCloud Servers

• Web Category Filtering for SSLi Bypass

• Web Category Lookup Enforcement

• Related Information

Installing Web Category


Web Category features are accessed through a Web Category license and an active URL Classification
Database. This section describes the installation process and consists of the following steps:

• Step 1: Installing the Web Category License

• Step 2: Verifying the Web Category License Installation

• Step 3: Activating the Web Category License

• Step 4: Verifying the Web Category Library

• Step 5: Checking Web Category License Status and Expiration

Step 1: Installing the Web Category License


The license import method works for both the local and cloud-based (plus local) licenses. The following
steps install a Web Category License:

1. Configure your ACOS device with a valid ip route and domain name server (DNS).
The following is an example. Use the show run ip command to verify the configuration.
ACOS(config)# ip route 0.0.0.0 /0 192.168.200.1
ACOS(config)# ip dns primary 192.168.1.100
ACOS(config)# show run ip
!Section configuration: 69 bytes
!
ip route 0.0.0.0 /0 192.168.200.1
!
ip dns primary 192.168.1.100

2. Ensure the ACOS device does not block access to the following URLs:
• https://glm.a10networks.com/
• https://database.brightcloud.com
• http://service.brightcloud.com
3. Save your URL Classification license file on an accessible server.
4. Enter the web-category sub-command mode by entering web-category, and configure the use of
the management port for communication with the BrightCloud servers using the use-mgmt-port
CLI command. The exit command returns to global configuration mode.
ACOS(config)# web-category
ACOS(config-web-category)# use-mgmt-port
ACOS(config-web-category)# exit

5. Import your Web Category license file using the CLI command at the global configuration mode
level. The file-name is the name of the Web Category license file.
import web-category-license file-name

The following example shows the output when the URL Classification license file has been imported.
ACOS(config)# import web-category-license test.json use-mgmt-port
scp://[email protected]/home/example/lic_test/test_URL_C.json
Password []?
Done.

Step 2: Verifying the Web Category License Installation


To verify that the URL Classification license has been imported onto the ACOS device, use the show log CLI
command and look for WEB-CATEGORY entries:

ACOS(config)# show log | grep WEB-CATEGORY

The following example shows the relevant portion of the log after a successful Web Category license
installation.

ACOS(config)# show log
Log Buffer: 30000
Oct 30 2015 16:23:39 Info [SYSTEM]:Imported file test.json from example:192.168.1.200/home/example/lic_test/test_URL_C.json using scp
Oct 30 2015 16:23:39 Info [WEB-CATEGORY]:BrightCloud license activated successfully
Oct 30 2015 16:23:38 Info [WEB-CATEGORY]:license key used for activation:
{"id":"581b839aba28b1d39a55a39dae909b9e7383b564b7b1f7eaa215f851d460f73e","signature":"61f7b36da2e88cfa2fb3943434563cdafe58e221b83ca44d3b8e73d40183f795","current_time":1446244661.6663604,"payload":"eyJ0b2tlbiI6InZUaGNmOTQ2Y2IxZSJ9\n","account_id":497,"uuid":"AX25061111340044"}
...

Step 3: Activating the Web Category License


The Web Category license must be enabled before utilizing the database. Use the enable CLI com-
mand from the web-category configuration mode to enable web-category functionality.

ACOS(config)# web-category
ACOS(config-web-category)# enable

Step 4: Verifying the Web Category Library


The Web Category database installation is verified with the show web-category database command.
The following is an example of the command output:

ACOS> show web-category database


Database Name : full_bcdb_4.827.bin
Database Status : Active
Database Size : 351 MB
Database Version : 827
Last Update Time : Wed Jul 6 19:39:59 2016
Next Update Time : Fri Jul 8 00:00:22 2016
Connection Status : GOOD
Last Successful Connection : Thu Jul 7 00:39:22 2016

From the GUI, navigate to Security >> Web Categories and click on License to view the database
information.

Step 5: Checking Web Category License Status and Expiration


After installing a Web Category License, check the expiration date and status by entering show web-
category license. The following example displays typical command output.

ACOS> show web-category license
Module Status              : Enabled
License Status             : License is valid
License Type               : Term License
License Expiry             : 2016-11-30 00:00:00 GMT
Remaining Period           : 145 d 17 hrs 26 min 3 sec
Grace Period Status        : License has not expired
Grace Period               : Grace period not in effect
UUID/SN                    : EX00000000000000

From the GUI, navigate to Security >> Web Categories and click on License to view license status
and expiration date information.

Using a Proxy Server for BrightCloud Servers


BrightCloud servers are hosted in a location where the IP addresses are subject to change. This is an issue for
administrators with an upstream firewall who must maintain a list of allowed IP addresses for communication
between ACOS and the BrightCloud servers. One solution is to send all BrightCloud communication through a proxy
server, so that IP address management is no longer necessary.

From the web-category sub-configuration, enter proxy-server to go to the web-category-proxy-server
sub-configuration. The following minimum configuration is required:

• Authentication protocol - NTLM and BASIC authentication are supported. If NTLM is configured,
NTLM version 2 is used. NTLM version 1 is not supported.
• Server information
• IP address or hostname of the proxy server
• Port for HTTPS or HTTP communication with the proxy server. If only one port type is configured,
both HTTP and HTTPS communication go through the configured port.

The proxy-server sub-configuration also has commands to configure the username and password for
authentication. Refer to “Web Category” in the Command Line Interface Reference for ADC. Because the proxy
credentials live in the ACOS configuration, use a dedicated proxy account that has no privileges beyond
reaching the BrightCloud hosts.

An example of a configuration to a proxy server is provided. This example configures port 3128 for
HTTP communication and port 8080 for HTTPS communication, uses NTLM authentication, with the
username exampleadmin and password 0e1x2a3m4p5l6e7 to sign in to a proxy server at 192.0.2.0.

ACOS(config)# web-category
ACOS(config-web-category)# proxy-server
ACOS(config-web-category-proxy-server)# proxy-host 192.0.2.0
ACOS(config-web-category-proxy-server)# http-port 3128
ACOS(config-web-category-proxy-server)# https-port 8080
ACOS(config-web-category-proxy-server)# auth-type ntlm domain example
ACOS(config-web-category-proxy-server)# username exampleadmin
ACOS(config-web-category-proxy-server)# password 0e1x2a3m4p5l6e7
ACOS(config-web-category-proxy-server)# exit

A number of options that configure how and when ACOS interacts with the BrightCloud servers, for
example, when a database update should occur, are described in the Command Line Interface Reference
for ADC in “Web Category”. These options are also available in the GUI by navigating to Security >>
Web Categories >> Configure.

Web Category Filtering for SSLi Bypass


ACOS connects to third-party servers (specifically, Webroot's BrightCloud servers) to obtain URL classification
information for enhanced protection. To access these servers, a URL Classification license is required.
Two Webroot license types are available:

• Local – covers the top 20 million URLs

• Cloud-based (plus local) – access to the Webroot URL classification database (27 billion URLs)

An ACOS device can use web category information in two places: in the source rules of a forward-policy (in an
slb template policy), where a category-list links the matching rule to its destination, and in an slb template
client-ssl for SSLi, where the forward-proxy-bypass web-category command specifies the categories to bypass.

The following topics are covered:

• Configuring Web Category Filtering for SSLi Bypass

• SSLi ACOS_encrypt Configuration Instructions

• Verification of the Basic Example Operation

• Deleting or Re-importing the Database

• Troubleshooting

• Logging for Web Category

Configuring Web Category Filtering for SSLi Bypass


This section describes how to configure the ACOS device to bypass SSL Insight (SSLi) decryption of traffic
based on the traffic's web category. Dynamic Web Category classification is provided by the Webroot BrightCloud
Web Security Service.

BrightCloud classifies the traffic into one or more web categories. Encrypted traffic from the client is
not intercepted if its web category is configured to be bypassed (for example, Healthcare, because of HIPAA
regulation). If a web category is not configured for bypass, traffic of that category is decrypted for
inspection.

When a user's client browser sends a request to a URL, ACOS checks the category of the URL.

• If the category of the URL is configured for bypass, ACOS_decrypt leaves the data encrypted and
sends it to ACOS_encrypt, which forwards the still-encrypted data to the server.
• If the category of the URL is not configured for bypass, ACOS_decrypt decrypts the traffic and
sends it to the traffic inspection device.

Similarly, reply traffic from the server is decrypted by ACOS_encrypt for inspection if the web category
is not bypassed; ACOS_decrypt then re-encrypts the inspected data and sends it to the client.

To configure ACOS to use BrightCloud to classify URLs for SSLi bypass:

• Configure ACOS_encrypt. (The configuration steps for this feature are described in the Application
and Server Load Balancing Guide. The configuration example later in this chapter also shows the
syntax.)
• Configure BrightCloud Web Category classification services on the ACOS_decrypt. (This may
include installing the BrightCloud license, if not already installed.)
• Configure forward-proxy-bypass web-category rules on ACOS_decrypt.

The following sections configure SSLi on a pair of ACOS devices. Web Category classification is used
to bypass decryption of certain categories of web traffic. For simplicity, a topology with a single
ACOS_decrypt and a single ACOS_encrypt is used.

ACOS_decrypt Configuration Instructions


Here is the configuration of the ACOS device on the inside network, connected to clients. Encrypted cli-
ent traffic to the following categories of URL is bypassed (forwarded without being decrypted):

• financial-services

• educational-institutions

• health-and-medicine

SSLi decrypts traffic to URLs that are not labeled as belonging to any of these bypassed categories.

Configure BrightCloud on the ACOS_decrypt


1. Obtain a URL Classification license from your A10 Networks Sales Representative. You will need to
import this license into the ACOS_decrypt via the CLI.

NOTE: For more information, see “URL Classification License Installation” in the
Global License Manager User Guide.

2. Establish a CLI session with the ACOS_decrypt and verify it can successfully ping the BrightCloud
service URL. (If this ping does not work, please verify the default gateway for the management
interface and the DNS configuration.)

ACOS_decrypt# ping source mgmt-port-ip-addr service.brightcloud.com

3. Use the command below to import the BrightCloud Web Category classification service license
you received from the A10 Sales Representative. This command must be entered on each ACOS
device or virtual ACOS device instance that will be using the BrightCloud software.
ACOS_decrypt# import web-category-license license use-mgmt-port scp://
[email protected]/home/jsmith/webroot_license.json

NOTE: If you are deploying this feature in an aVCS deployment, the license file
must be explicitly loaded into each ACOS device before it joins an aVCS
cluster. This license is a special system file that will not be automatically
synchronized to the vBlade. After the ACOS device has joined the cluster
(but before enabling web-category), enter the use-mgmt-port command
as shown in the following step.

4. After the web-category license has been imported onto the ACOS device, use the following CLI
commands to enable the BrightCloud Web Category classification service:

NOTE: You must enter commands in the order shown. The installation will fail if
you enter enable before use-mgmt-port.

ACOS_decrypt# configure
ACOS_decrypt(config)# web-category
ACOS_decrypt(config-web-category)# use-mgmt-port
ACOS_decrypt(config-web-category)# enable

NOTE: The web-category should be enabled on the shared partition.

Once the use-mgmt-port and enable commands are entered, ACOS uses the management port and the
default settings for the other configurable options to contact the BrightCloud database server and
download the category database.

Additional Configuration Notes


• Disabling the Web Category classification feature does not delete the database. Likewise, re-
enabling the feature does not cause the database to be downloaded again. (See “Deleting or Re-
importing the Database” on page 222.)
• Additional options, including database and query server names and their listening ports, also are
configurable. However, A10 Networks recommends to leave these options at their default values
to ensure proper operation of the feature. The options are described in the CLI Reference.
• If a website resides in multiple categories in the BrightCloud database, and you configure some,
but not all, of these categories for bypass, the website bypasses decryption. In other words, a
website that resides in multiple categories is decrypted and inspected only if none of its
categories is configured for bypass. Review the full category set of any site you rely on being
inspected, since a single bypassed category is enough to exempt it.
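The any-category rule in the last note above is the part of web-category bypass most likely to surprise an
operator, and the url-stats counters described later in this chapter (bypassed categories counted by name,
intercepted traffic under Other Categories, unclassified traffic under uncategorized) are how you would notice
it. The following Python script is an added example, not A10 code: it applies the bypass rule over a constructed
host classification table that stands in for the BrightCloud database, keeps counters in the url-stats layout,
and adds an audit helper that lists every known host that will escape inspection and the category responsible.
The table, the exact-host lookup, and counting one hit per matched bypass category are assumptions.

```python
"""Added example (not from the A10 guide): forward-proxy-bypass web-category
decisions and url-stats style counters over a constructed classification table.
The table, the exact-host lookup and the hit-counting rule are assumptions."""

# Constructed sample classification: host -> set of BrightCloud-style categories
SAMPLE_DB = {
    "bank.example": {"financial-services"},
    "clinic.example": {"health-and-medicine", "business-and-economy"},
    "campus.example": {"educational-institutions"},
    "news.example": {"news-and-media"},
    "cdn.example": {"content-delivery-networks", "financial-services"},
}


class WebCategoryBypass:
    """Bypass decision for a set of forward-proxy-bypass web-category rules."""

    def __init__(self, bypass_categories, db):
        self.bypass = list(bypass_categories)        # configured rule order
        self.db = db
        self.hits = {"uncategorized": 0}
        for cat in self.bypass:
            self.hits[cat] = 0
        self.hits["Other Categories"] = 0

    def classify(self, host):
        """Exact-host lookup in the sample table (assumption; BrightCloud does more)."""
        return self.db.get(host.lower(), set())

    def decide(self, host):
        """Return 'bypass' or 'intercept' and record the hit the way url-stats reports it."""
        cats = self.classify(host)
        if not cats:
            self.hits["uncategorized"] += 1          # unknown sites are intercepted
            return "intercept"
        matched = [c for c in self.bypass if c in cats]
        if matched:                                  # any one matching category is enough
            for c in matched:
                self.hits[c] += 1
            return "bypass"
        self.hits["Other Categories"] += 1           # categorised but intercepted
        return "intercept"

    def url_stats(self):
        """Counters in the order show slb template client-ssl url-stats lists them."""
        return dict(self.hits)

    def hosts_escaping_inspection(self):
        """Audit helper: every known host that will bypass, with the categories responsible,
        so a multi-category site slipping past inspection can be spotted before deployment."""
        return {h: [c for c in self.bypass if c in cats]
                for h, cats in self.db.items() if any(c in cats for c in self.bypass)}


if __name__ == "__main__":
    policy = WebCategoryBypass(
        ["financial-services", "educational-institutions", "health-and-medicine"], SAMPLE_DB)
    for host in ["bank.example", "clinic.example", "news.example", "unknown.example", "cdn.example"]:
        print(f"{host:16} -> {policy.decide(host)}")
    print("Category hits:")
    for cat, n in policy.url_stats().items():
        print(f"  {cat:28} {n}")
    print("Hosts escaping inspection:", policy.hosts_escaping_inspection())
```

In the sample run, cdn.example is bypassed purely because one of its two categories is financial-services, which
is exactly the case the note warns about; the hosts_escaping_inspection output is the list to review against the
categories you expect to inspect. On a live device the equivalent check is show web-category url-category for
the host and show web-category bypassed-urls after traffic has flowed.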

Verifying Successful Import of Web-Category License

If an error occurs during import or activation of the web-category license, the ACOS device CLI displays
an error message. If no error messages appear after using the import web-category-license com-
mand, this indicates the license was successfully imported/activated. In addition, to confirm success, a
short message will appear after the import command is used:

ACOS_decrypt(config)# import web-category-license license use-mgmt-port scp://[email protected]/home/jsmith/webroot_license.json
Done. <-- this brief message confirms successful import of the license

If a failure occurs, ACOS displays an error message similar to the following:

ACOS_decrypt(config)# import web-category-license license use-mgmt-port scp://[email protected]/home/jsmith/webroot_license.json
Communication with license server failed <-- this message indicates failed import

Alternatively, you can check the output of the show log CLI command after the command is executed.
If the import CLI command was successful, the log output will contain the license key that was used for
activation. For example, the log output will contain log messages similar to the following:

• Feb 25 09:15:08 AX2500-client a10logd: [WEB-CATEGORY]<6> license key used for activation:
{"id":"blah0_blah_blah_aa9488c6dc305ab91f94e2282b1ebb6a3e1581ee1d58233c","signature":"b31e560f755effaf2d8dfb13d54moregibberishcae0046f4e8bdc2","current_time":1424823803.9468372,"payload":"eyJ0b2tlmoregibberishNzljMWY0ZTg2NzUmoregibberishMwOGJk\nZDA2Y2NiNjEzMGM5MzRmMzc4MTIwZjcxY2M3ZmoregibberishYx\nOGE4ZDhlMzlmNGRjZGQxMjNkYWEifQ==\n","account_id":69,"uuid":"AX25051110160086"}

• Feb 25 08:50:44 AX2500-client a10logd: [WEB-CATEGORY]<6> BrightCloud license activated successfully

Or if the import web-category-license command fails, the log messages will show an error from the
GLM server similar to the following:

Feb 25 09:11:11 AX2500-client a10logd: [WEB-CATEGORY]<3> License activation: returned


error {"message":"Invalid Signature"}

Update Web-category Bypass Rules (ACOS_decrypt) Using the GUI

You can configure rules for specific web categories.

1. Navigate to Security > SSLi > Templates and edit your client-SSL template (such as
SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window:
a. Click the Policy tab.
b. For Bypass Decrypt, click Add.
c. Select the Condition of Web Category from the drop-down menu.
d. Select a Value such as educational-institutions from the drop-down menu and click Apply.

3. Click Update.
In order for a URL to match the rule, the category-name must match a name from the Web Category
Database Server.

Configure Web-category Bypass Rules (ACOS_decrypt) Using the CLI

You can configure rules for specific web categories.

1. Access the configuration level for client-SSL template used to enable SSLi on the VIP:
slb template client-ssl template-name

2. Add a rule for each category of URL to bypass:


forward-proxy-bypass web-category category-name

In order for a URL to match the rule, the category-name must match a name from the Web Category
Database Server.

Consolidated Configuration for ACOS_decrypt


ACOS_decrypt(config)# show running-config
!Current configuration: 857 bytes
!Configuration last updated at 22:09:44 GMT Tue Jan 5 2016
!Configuration last saved at 18:52:08 GMT Mon Jan 4 2016
!64-bit Advanced Core OS (ACOS) version 4.1.0, build 318 (Jan-04-2016,05:27)
!
hostname ACOS_decrypt
!
access-list 100 permit ip any any
!
!
class-list bypass-cl
!
!
ip dns primary 8.8.8.8
!
!
interface management
ip address 10.101.7.103 255.255.252.0
ip default-gateway 10.101.4.1
!
!
interface ethernet 1
enable
ip address 10.50.10.1 255.255.255.0
ip allow-promiscuous-vip
!

interface ethernet 2
enable
ip address 100.100.100.7 255.255.255.0
ip allow-promiscuous-vip
!
interface ethernet 3
!
interface ethernet 4
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!
interface ethernet 8
!
interface ethernet 9
!
interface ethernet 10
!
interface ethernet 11
!
interface ethernet 12
!
!
ip route 0.0.0.0 /0 100.100.100.8
!
!
web-category
use-mgmt-port
enable
!
slb server s1 100.100.100.8
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 80 tcp
health-check-disable
port 8080 tcp
health-check-disable
!

!
slb service-group wildcard_http tcp
health-check-disable
member s1 80
!
slb service-group wildcard_http8080 tcp
health-check-disable
member s1 8080
!
slb service-group wildcard_tcp tcp
health-check-disable
member s1 0
!
slb service-group wildcard_udp udp
health-check-disable
member s1 0
!
!
slb template client-ssl client
forward-proxy-ca-cert CA
forward-proxy-ca-key CA
forward-proxy-enable
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category educational-institutions
forward-proxy-bypass web-category health-and-medicine
!
!
slb virtual-server wildcard 0.0.0.0 acl 100
port 0 udp
no-dest-nat
service-group wildcard_udp
use-rcv-hop-for-resp
port 0 others
no-dest-nat
service-group wildcard_tcp
use-rcv-hop-for-resp
port 0 tcp
no-dest-nat
service-group wildcard_tcp
use-rcv-hop-for-resp
port 443 https
no-dest-nat port-translation
service-group wildcard_http8080
template client-ssl client

!
!
terminal idle-timeout 0
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode

SSLi ACOS_encrypt Configuration Instructions


No Web Category classification commands are required on this device. All of the Web Category classi-
fication configuration takes place on the ACOS_decrypt.

Verification of the Basic Example Operation


To show Web Category statistics, use the show slb template client-ssl [template-name] url-stats
command. It lists each bypassed web category along with the number of times it has been bypassed.
Intercepted web categories are counted under Other Categories. If the BrightCloud database cannot classify
traffic into a web category, it is listed under uncategorized (and, having no bypass category, such traffic is
intercepted):

show slb template client-ssl [template-name] url-stats

• The following command shows the current Web Category statistics:


ACOS# show slb template client-ssl url-stats
slb template client-ssl ssl_int
Category hits:
uncategorized 0
financial-services 42
travel 3
training-and-tools 0
web-based-email 5
Other Categories 47

To show Web Category information about the bypassed-urls, intercepted-urls, and the BrightCloud
database, use the show web-category command:

ACOS# show web-category ?


bypassed-urls Show list of URL's bypassed
database Show information about currently loaded BrightCloud database
intercepted-urls Show list of URL's intercepted
url-category Show categories returned by BrightCloud library for a URL
version Show BrightCloud library version

• The following command shows the current version of the Web Category engine:
ACOS# show web-category version
version: 4.0


• The following command shows information about the currently loaded BrightCloud database:
ACOS# show web-category database
Database name : full_bcdb_4.457.bin
Database size : 352 MB
Database version : 457
Last Update Time : Fri Jan 23 00:00:40 2015
Next Update Time : Sat Jan 24 00:00:43 2015
Connection Status : GOOD
Last Successful Connection : Fri Jan 23 15:54:43 2015

• The following command shows the 20 most recently bypassed URLs:


ACOS# show web-category bypassed-urls 20
paper.example.com
paper.example.com
paper.example.com
paper.example.com
step.example.com
metrics1.example.com
step.example.com
paper.example.com
online.example.com
...

• The following command shows the 20 most recently intercepted URLs:


ACOS# show web-category intercepted-urls 20
fhr.data.example.com
fhr.data.example.com
fhr.data.example.com
aus3.example.org
blocklist.addons.example.org
aus4.example.org
versioncheck-bg.addons.example.org
versioncheck-bg.addons.example.org
services.addons.example.org
aus3.example.org
fhr.data.example.com
...

• The following commands show the web categories to which some individual URLs belong. In this
example, the categories for the URLs in the ACOS’s local database match the most recent cate-
gorizations from the BrightCloud server.
ACOS# show web-category url-category www.google.com
Search Engines
ACOS# show web-category url-category www.google.com local-db-only
Search Engines
ACOS# show web-category url-category http://www.youtube.com
Streaming Media
ACOS# show web-category url-category www.youtube.com local-db-only
Streaming Media

Deleting or Re-importing the Database


Disabling the Web Category classification feature does not delete the database. Likewise, re-enabling
the feature does not cause the database to be downloaded again.

To delete the database:

ACOS(config)# web-category
ACOS(config-web-category)# no enable
ACOS(config-web-category)# exit
ACOS(config)# delete web-category database

To re-import the database, first disable the feature and delete the database that is on the ACOS device
(as shown above), then re-enable the Web Category classification feature:

ACOS(config)# web-category
ACOS(config-web-category)# use-mgmt-port
ACOS(config-web-category)# enable

NOTE: Simply disabling and re-enabling the feature does not delete and reload
the database. In this case, the same database is used.

Troubleshooting
The following troubleshooting commands are used for Webroot on the ACOS_decrypt:

debug web-category
debug monitor

Error during database download of Webroot

If you see the following error messages after entering enable under the web-category configuration:

[WEB-CATEGORY] downloading full_bcdb_4.445.bin
[WEB-CATEGORY] BcDownloadDb: failed to InitializeSsl context
[WEB-CATEGORY] nDownloadAndApplyDatabaseUpdates( ) 0 - call to BcDownloadDatabaseUpdates( ) failed.

A required certificate file may be missing. Contact A10 Networks.


Verify the ACOS_decrypt Has Downloaded Certificates from the HTTPS Server
show slb ssl-forward-proxy-cert SSLi_vip-1 443 all

Verify Traffic is Flowing


• On the ACOS_encrypt:
show slb virtual-server

Bypassed SSL traffic packet and connection counters will go up under port 0.
Intercepted SSL traffic and HTTP protocol packet and connection counters will go up under port
8080.
• On the ACOS_decrypt:
show slb virtual-server

SSL traffic packet and connection counters will go up under port 443.
HTTP protocol packet and connection counters will go up under port 0.

Logging for Web Category


ACOS supports remote logging for the Web Category classification feature. The logged information includes the URL accessed by the client, the category to which the URL belongs, and the action taken by ACOS: intercept or bypass. Logs are provided in Common Event Format (CEF). Remote logging for the feature is disabled by default.

NOTE: To use remote logging, you also must configure a remote syslog server
on ACOS using the logging host host-ipaddr command.

The current release does not support use of the management interface
for remote logging for Web Category classification.

A CEF message consists of a syslog prefix, a header and an extension. A typical ACOS message in CEF contains the following fields:

Timestamp host CEF:Version|Device-Vendor|Device-Product|Device-Version|Signature-ID|Name|Severity|[Extensions]

Log messages for Web Category classification have the following fields:

• Syslog prefix: the start of the message, consisting of the timestamp added by the syslog server and the hostname of the ACOS device.
• CEF header: all fields in the header are mandatory.
   • Version: identifies the version of the CEF format. ACOS uses version 0.
   • Device Vendor, Device Product and Device Version: together these uniquely identify the device.
   • Signature ID and Name: the Signature ID is a unique identifier for an event type, and Name is a string describing that event. For this feature there are two event types, SSLi connection intercepted and SSLi connection bypassed:
      • SSLi100 -> SSLi request intercepted
      • SSLi101 -> SSLi request bypassed
   • Severity: an integer from 1 to 10 reflecting the importance of the event; 10 indicates the most important event. In this example, the value is 5 for both events.
• Extensions: a collection of key-value pairs that provide more information about the event. CEF predefines the set of keys. The following keys are used in the case of Signature ID 1 (URL lookup):
   • request: the URL accessed by the client.
   • act (deviceAction): the action taken by the device, either intercepted or bypassed.
   • msg: an additional message about the log. Here it is category is xxx, where xxx is the category assigned to the URL by the BrightCloud server.
   • src (sourceAddress): the source IP address, if it is an IPv4 address.
   • dst (destinationAddress): the destination IP address, if it is an IPv4 address.
   • c6a2 (deviceCustomIPv6Address2): a custom field carrying the source network address when it is an IPv6 address.
   • c6a2Label (deviceCustomIPv6Address2Label): explains what c6a2 holds; in this case, Source IPv6 address.
   • c6a3 (deviceCustomIPv6Address3): a custom field carrying the destination network address when it is an IPv6 address.
   • c6a3Label (deviceCustomIPv6Address3Label): explains what c6a3 holds; in this case, Destination IPv6 address.
   • spt (sourcePort): the source port number on the client.
   • dpt (destinationPort): the destination port number the client is trying to access.
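The field layout above is what a SIEM parser has to handle: a syslog prefix, seven pipe-delimited header fields, and space-separated key=value extensions whose values (such as msg) may themselves contain spaces, with IPv4 peers in src/dst but IPv6 peers in c6a2/c6a3. The following Python is an added example, not code from the guide or from A10: it parses such messages, normalizes the address fields, tallies actions per category, and flags any message whose Signature ID disagrees with its act value. The sample lines are constructed to match the documented layout; the vendor, product and version strings in them are placeholders, not captured ACOS output.

```python
import re
from collections import Counter

# Constructed sample messages in the layout the guide describes: syslog prefix,
# then a 7-field CEF header, then the extension key=value pairs. Vendor,
# product and version strings are placeholders, not captured ACOS output.
SAMPLE_LOGS = [
    "Apr 14 10:01:02 acos1 CEF:0|A10 Networks|Thunder|5.0.0-P1|SSLi101|SSLi request bypassed|5|"
    "request=bank.example.com act=bypassed msg=category is financial-services "
    "src=192.0.2.10 dst=198.51.100.5 spt=51234 dpt=443",
    "Apr 14 10:01:03 acos1 CEF:0|A10 Networks|Thunder|5.0.0-P1|SSLi100|SSLi request intercepted|5|"
    "request=www.example.com act=intercepted msg=category is search-engines "
    "src=192.0.2.11 dst=198.51.100.6 spt=51235 dpt=443",
    "Apr 14 10:01:04 acos1 CEF:0|A10 Networks|Thunder|5.0.0-P1|SSLi101|SSLi request bypassed|5|"
    "request=clinic.example.org act=bypassed msg=category is health-and-medicine "
    "c6a2=2001:db8::10 c6a2Label=Source IPv6 address "
    "c6a3=2001:db8:1::5 c6a3Label=Destination IPv6 address spt=51236 dpt=443",
    "Apr 14 10:01:05 acos1 CEF:0|A10 Networks|Thunder|5.0.0-P1|SSLi100|SSLi request intercepted|5|"
    "request=unknown.example.net act=intercepted msg=category is uncategorized "
    "src=192.0.2.12 dst=198.51.100.7 spt=51237 dpt=443",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
SIGNATURE_ACTION = {"SSLi100": "intercepted", "SSLi101": "bypassed"}

_PIPE_RE = re.compile(r"(?<!\\)\|")                 # header delimiter, skipping escaped "\|"
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # key=value; values may contain spaces
_CATEGORY_RE = re.compile(r"category is (\S+)")


def parse_cef(line):
    """Split one syslog line into prefix, CEF header fields and extension dict."""
    prefix, sep, rest = line.partition("CEF:")
    if not sep:
        raise ValueError("not a CEF message")
    parts = _PIPE_RE.split(rest, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    header["severity"] = int(header["severity"])
    ext = {k: v.replace("\\=", "=") for k, v in _EXT_RE.findall(parts[7])}
    return {"syslog_prefix": prefix.strip(), **header, "extensions": ext}


def normalize(event):
    """Flatten a parsed event into the fields a SIEM rule would key on.
    IPv4 addresses arrive in src/dst, IPv6 addresses in c6a2/c6a3."""
    ext = event["extensions"]
    m = _CATEGORY_RE.search(ext.get("msg", ""))
    return {
        "signature_id": event["signature_id"],
        "url": ext.get("request"),
        "action": ext.get("act"),
        "category": m.group(1) if m else None,
        "client": ext.get("src") or ext.get("c6a2"),
        "server": ext.get("dst") or ext.get("c6a3"),
        "client_port": int(ext["spt"]) if "spt" in ext else None,
        "server_port": int(ext["dpt"]) if "dpt" in ext else None,
    }


def summarize(lines):
    """Count actions per category and flag events whose Signature ID disagrees
    with the act field (a sign of a mis-parsed or altered message)."""
    by_category = Counter()
    anomalies = []
    for line in lines:
        ev = normalize(parse_cef(line))
        by_category[(ev["category"], ev["action"])] += 1
        if SIGNATURE_ACTION.get(ev["signature_id"]) != ev["action"]:
            anomalies.append(ev["url"])
    return {"by_category": dict(by_category), "anomalies": anomalies}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(normalize(parse_cef(line)))
    print(summarize(SAMPLE_LOGS))
```

The per-category counters give the same view as the url-stats output shown earlier, but reconstructed from the remote log stream, which is useful when the syslog server is the system of record; the anomaly list is a cheap consistency check before the events feed a detection rule.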

Configuration Options with BrightCloud Servers


A number of options for configuring how and when ACOS interacts with the BrightCloud servers, for example when an update should occur, are described in the Command Line Interface Reference for ADC under “Web Category”. These options are available in the GUI by navigating to Security >> Web Categories >> Configure.


Web Category Lookup Enforcement


Web-category lookups in the data plane are performed by querying the local database for a URL and returning the URL category when the database contains the URL. When the database does not contain the URL, the lookup returns the value "uncategorized" and the resolution of the unknown URL is deferred and performed in the background. Therefore, the lookup result for the first request for an unknown URL is always "uncategorized". In SSLi / forward-proxy deployments, this lapse in URL categorization can result in intercepting requests that should be bypassed or allowing requests that should be dropped.

Web category lookup enforcement resolves the category of an unknown (first-request) URL by pausing the data plane connection. When the result is known and the URL is categorized, the connection is resumed.

To enable web category lookup enforcement through the ACOS CLI, enter require-web-category under
the following templates as applicable:

• policy template for URL filtering

• client-ssl template for web-category-based SSLi bypass
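The race described above, as an added example that is not part of the guide or of ACOS: a small model of the data-plane lookup in which a local-database miss either returns "uncategorized" immediately and resolves in the background (the default), or pauses the caller until the category is known (the require-web-category behaviour). The resolver, the bypass list and the URL are constructed for the demonstration; the sleep stands in for the round trip to BrightCloud.

```python
import threading
import time

# Constructed bypass list, matching the forward-proxy-bypass web-category
# entries used elsewhere in the guide.
BYPASS_CATEGORIES = {"financial-services", "health-and-medicine"}


class WebCategoryLookup:
    """Models the data-plane lookup: a local DB hit returns the category; a miss
    returns "uncategorized" and resolves in the background, unless
    require_web_category is set, in which case the caller waits for the result."""

    def __init__(self, local_db, resolver, require_web_category=False):
        self.local_db = dict(local_db)      # url -> category already on the box
        self.resolver = resolver            # stand-in for the BrightCloud query
        self.require_web_category = require_web_category
        self._pending = {}                  # url -> Event set once resolved
        self._lock = threading.Lock()

    def lookup(self, url):
        with self._lock:
            if url in self.local_db:
                return self.local_db[url]
            done = self._pending.get(url)
            if done is None:                # first miss: start one background resolution
                done = threading.Event()
                self._pending[url] = done
                threading.Thread(target=self._resolve, args=(url, done), daemon=True).start()
        if not self.require_web_category:
            return "uncategorized"          # data plane does not wait
        done.wait()                         # connection paused until the category is known
        with self._lock:
            return self.local_db[url]

    def _resolve(self, url, done):
        category = self.resolver(url)
        with self._lock:
            self.local_db[url] = category
            self._pending.pop(url, None)
        done.set()

    def wait_for_pending(self):
        """Block until every background resolution has finished."""
        with self._lock:
            events = list(self._pending.values())
        for ev in events:
            ev.wait()


def ssli_decision(lookup, url):
    """Return (category, action) for one client request under the bypass list."""
    category = lookup.lookup(url)
    action = "bypass" if category in BYPASS_CATEGORIES else "intercept"
    return category, action


def slow_cloud_resolver(url):
    """Constructed resolver standing in for the BrightCloud service."""
    time.sleep(0.05)
    return {"bank.example.com": "financial-services"}.get(url, "uncategorized")


def demo(require_web_category):
    """First and second request for an unknown URL, with or without enforcement."""
    lk = WebCategoryLookup({}, slow_cloud_resolver, require_web_category)
    first = ssli_decision(lk, "bank.example.com")
    lk.wait_for_pending()
    second = ssli_decision(lk, "bank.example.com")
    return first, second


if __name__ == "__main__":
    print("without enforcement:", demo(False))   # first request is intercepted
    print("with enforcement:   ", demo(True))    # first request is already bypassed
```

Without enforcement the first request for the bank site is decrypted even though the category is on the bypass list, which is exactly the privacy exposure the enforcement option closes; the cost is the added latency of the paused connection on first sight of each URL.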

Implementing Web Category Lookup Enforcement for URL Filtering


When SSLi is deployed as an explicit proxy or a transparent proxy, it uses a policy template that binds a web-category list to destination rules. Web Category Lookup Enforcement is enabled for these features by adding the require-web-category option to the policy template.

The following example enables Web Category Lookup Enforcement for all actions defined under the
RED policy template.

ACOS(config)# slb template policy RED


ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# require-web-category
ACOS(config-policy-forward-policy)#

Implementing Web Category Lookup Enforcement for Web Category Based SSLi Bypass

A client-ssl template that includes the forward-proxy-bypass require-web-category option enables Web Category Lookup Enforcement for web-category based SSLi bypass policies under that template.

The following example enables Web Category Lookup Enforcement for web-category based SSLi
bypass policies under the BLUE client-ssl template.

ACOS(config)# slb template client-ssl BLUE


ACOS(config-client ssl)# forward-proxy-bypass web-category financial-services


ACOS(config-client ssl)# forward-proxy-bypass web-category health-and-medicine


ACOS(config-client ssl)# forward-proxy-bypass require-web-category
ACOS(config-client ssl)#

Related Information
• For detailed information on the load-balancing servers that enable SSLi and other applications,
see the Application Delivery and Server Load Balancing Guide.
• RFC 5246, The Transport Layer Security (TLS) Protocol, Version 1.3

• RFC 3546, TLS Extensions

• RFC 3986, Uniform Resource Identifier (URI): Generic Syntax

• For detailed information on logging, see the “Common Event Format (CEF)” in the Configuring
Data Center Firewall guide and the “Generic SSLi Failure Logs” section in the SSLi Logging chapter.


URL Filtering

This chapter provides guidelines for the implementation of URL Filtering configurations. URL Filtering
can be implemented either by web category or SNI matching.

• Forward Policy Actions

• SSLi Bypass and URL Filtering Example

• Related Information

Forward Policy Actions


Forward policy actions are applied after the Client-SSL template has decided whether to bypass or intercept. In other words, after ACOS processes the incoming traffic as provisioned by the Client-SSL template, it processes the traffic as provisioned by the forward policy.

The SSLi forward policy handles the traffic of bypassed (non-decrypted) sessions differently from the traffic of intercepted (decrypted) sessions. This difference is illustrated in Figure 26, “Transparent Proxy with SSLi SNI Matching and URL Filtering Default Packet Flow Sequence,” on page 228.

In a bypassed connection, by default ACOS examines the server name indication (SNI) field to determine a course of action for the traffic of that connection.

In an intercepted connection, by default ACOS looks at the client’s HTTP request header to determine a course of action.

While these default actions work for an SSLi configuration, options are available to handle bypassed and intercepted SSLi packets differently by using the ssli-url-filtering CLI command from the forward-policy configuration mode in an SLB policy template that is applied to an SLB client-SSL template. The specific options for ssli-url-filtering are available under the forward-policy command in the Command Line Reference for ADC.


FIGURE 26 Transparent Proxy with SSLi SNI Matching and URL Filtering Default Packet Flow Sequence

SSLi Forward Policy Example Configuration Using the CLI


This section describes how to add transparent HTTP proxy services to the SSLi example described in
detail in the “Reference Configuration for Two-Device Static-HTTPS-Port SSLi” on page 48.

In this example, we create a server load balancing policy template, ExamplePolicy, enter the forward-policy sub-command, and configure ssli-url-filtering so that transparent SSLi proxy traffic that does not carry SNI extension information is forwarded rather than dropped (the default action).

ACOS(config)# slb template policy ExamplePolicy


ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# ssli-url-filtering no-sni-allow

Other configurable actions include disabling SNI inspection on bypassed traffic, enabling SNI matching for intercepted transparent proxy SSLi traffic, and disabling HTTP header inspection for intercepted transparent proxy SSLi traffic (see ssli-url-filtering in the Command Line Interface Reference Guide).

NOTE:

• From the forward-policy configuration, no-client-conn-reuse is not supported in a server load balancing policy template consisting of an HTTPS virtual port and a wildcard VIP. The command is accepted, but it is ignored in this specific case.
• From the forward-policy configuration, drop-message and drop-redirect-url are not supported when the ACOS device acts as a transparent proxy with an SSLi connection, because the drop commands are HTTP-level messages, whereas with SNI matching the device inspects at the SSL handshake level.

SSLi Forward Policy Example Configuration Using the GUI


This section describes the steps to configure SSL Insight URL filtering options using the GUI.

1. Navigate to Security >> Forward Proxy.


2. Click on the Templates tab.
3. Click “+ Create” and click on Policy.
4. In the Add Policy Template page, enter a policy name in the Name field.
Note: It does not matter if the Action Policies tab or Source Policies tab has been selected.
5. In SSLi URL Filtering, click on the check box for the SSLi URL Filtering options you wish to be
active.
• Bypassed SNI Disable
• Intercepted SNI Enable
• Intercepted HTTP Disable
• NO SNI Allow
6. Click Add Template

SSLi Bypass and URL Filtering Example


The following example deployment illustrates configurations for SSLi bypass in the Client-SSL template
and URL filtering and SNI matching in the forwarding policy.

In this example, a web-category category-list drops requests from clients trying to connect to sites classified as various types of security risks. The forward-proxy-failsafe-disable option is configured so that when an SSL handshake fails, the traffic is not passed through without inspection. Because of privacy rules, this configuration does not decrypt and inspect the financial-services and health-and-medicine categories.

For further information on configuration of the forward-policy, see the “Explicit and Transparent Proxy”
chapter.

Current active partition: ssli_in


ACOS[ssli_in]#show run
!Current configuration: 1546 bytes
!Configuration last updated at 21:21:06 PST Fri Mar 10 2017
!Configuration last saved at 12:57:23 PST Thu Mar 9 2017
!
active-partition ssli_in
!
!
access-list 190 remark ssli_in
!
access-list 190 permit ip any any vlan 850
!
access-list 191 remark block_quic
!
access-list 191 deny udp any any eq 80
!
access-list 191 deny udp any any eq 443
!
access-list 191 permit ip any any
!
class-list Block_domains ac
contains sslitest
!
web-category
category-list Url_filter_cat
malware-sites
phishing-and-other-fraud
proxy-avoid-and-anonymizers
spyware-and-adware
bot-nets
confirmed-spam-sources
spam-urls
unconfirmed-spam-sources
!
slb template cipher cl_cipher_template
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256

!
slb server fw1 30.91.11.104


port 0 tcp
health-check-disable
_0_tcp_port
port 0 udp
health-check-disable
_0_udp_port
port 80 tcp
health-check-disable
_80_tcp_port
port 8080 tcp
health-check-disable
user-tag Security,ssli_signaling
!
slb service-group SG_SSLi_HTTP tcp

member fw1 80
!
slb service-group SG_SSLi_TCP tcp

member fw1 0
!
slb service-group SG_SSLi_UDP udp

member fw1 0
!
slb service-group SG_SSLi_Xlated tcp

member fw1 8080


!
slb template client-ssl cl_ssl
template cipher cl_cipher_template
forward-proxy-ca-cert a10_root
forward-proxy-ca-key a10_root
forward-proxy-ocsp-disable
forward-proxy-crl-disable
forward-proxy-cert-expiry hours 168
forward-proxy-enable
forward-proxy-failsafe-disable
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category health-and-medicine
!
slb template http insertHeaders
non-http-bypass service-group SG_SSLi_Xlated
!
slb template policy Url_filter_pl

forward-policy
action Drop
drop
log
action Permit
forward-to-internet SG_SSLi_Xlated
action permi


source Any
match-any
destination class-list Block_domains action Drop url priority 20
destination web-category-list Url_filter_cat action Drop url priority 10
destination any action Permit
!
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
port 0 tcp
service-group SG_SSLi_TCP
no-dest-nat
port 0 udp
service-group SG_SSLi_UDP
no-dest-nat
port 0 others
service-group SG_SSLi_UDP
no-dest-nat
port 80 http
service-group SG_SSLi_Xlated
template policy Url_filter_pl
no-dest-nat port-translation
port 443 https
service-group SG_SSLi_Xlated
template policy Url_filter_pl
template http insertHeaders
template client-ssl cl_ssl
no-dest-nat port-translation
!
end
!Current config commit point for partition 1 is 0 & config mode is classical-mode
ACOS[ssli_in]#

Related Information
• For detailed information on the load-balancing servers that enable SSLi and other applications,
see the Application Delivery and Server Load Balancing Guide.
• RFC 5246, The Transport Layer Security (TLS) Protocol, Version 1.3

• RFC 3546, TLS Extensions

• RFC 3986, Uniform Resource Identifier (URI): Generic Syntax

• For detailed information on logging, see the “Common Event Format (CEF)” in the Configuring
Data Center Firewall guide and the “Generic SSLi Failure Logs” section.


Client Authentication Bypass

The following topics are covered:

• Bypassing Client Authentication Overview

• Bypass Configuration

• Related Information

Bypassing Client Authentication Overview


Some HTTPS servers might require client certificate authentication (CAC/PKI) when the server
authenticates incoming requests based on the certificate in the client’s certificate store. If the ACOS
SSLi configuration lacks the necessary client certificate and key information, and if the ACOS SSLi is
not enabled for client authentication bypass, CAC fails when requested by the server.

This chapter describes how to configure a list of server names that bypass SSLi forward proxy processing when CAC is requested by the server. The list is configured in the SSL client template.

Message Sequence
Figure 27 shows how client authentication bypass works.

1. After the Inside ACOS device receives the client hello message from the client, the device checks
whether the remote server’s certificate is saved in the cache.
2. If the certificate has not been saved, the Inside ACOS device starts a server SSL connection to the
remote server to retrieve the certificate.
3. The Inside ACOS device also detects whether the remote server requires client certificate
authentication. If the server requires client authentication, the Inside ACOS device checks whether
the server name or web category matches the configuration condition to bypass this traffic.
4. If a match is found, the Inside ACOS device stops SSLi processing and switches from HTTPS
processing to basic TCP proxy processing.
5. A TCP connection to the server is established where client and server can directly negotiate the
SSL session bypassing the ACOS SSLi.


FIGURE 27 Client Authentication Traffic Network Example

Bypass Configuration
• CLI SNI Bypass Configuration Instructions

• GUI SNI Bypass Configuration Instructions

• Example Configuration for Bypassing SSLi for Client Authentication Traffic

CLI SNI Bypass Configuration Instructions


The forward-proxy-bypass client-auth CLI command configures the SNI attributes and/or class-lists that determine whether a client is eligible for client-authentication bypass. These attributes and class-lists are bound to the SSL client template, which itself is bound to the inside ACOS device. The forward-proxy-bypass client-auth CLI command options follow:

slb template client-ssl Client-SSL


forward-proxy-bypass client-auth case-insensitive
forward-proxy-bypass client-auth class-list testclass
forward-proxy-bypass client-auth contains jsmith
forward-proxy-bypass client-auth ends-with abc
forward-proxy-bypass client-auth equals test.hello.com


forward-proxy-bypass client-auth starts-with efg

For more details on the forward-proxy-bypass command see the subcommand table under the slb
template-client-ssl command.
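The client-auth bypass conditions above and the destination rules of the URL filtering example in the previous chapter (class-list Block_domains, web-category-list Url_filter_cat, priorities 20 and 10, then destination any) share one building block: an ac class-list matched with equals, starts-with, ends-with or contains. The following Python is an added example, not code from the guide or from ACOS, that models both: the forward-policy destination evaluation and the client-auth bypass test. It assumes, for this illustration only, that destination rules are tried from the highest priority value downwards; confirm the real ordering in the Command Line Interface Reference. The list contents are copied from the two example configurations; the test hostnames are constructed.

```python
from dataclasses import dataclass


@dataclass
class ClassList:
    """An ACOS-style 'ac' (string) class-list: a list of (match_type, value) rules."""
    name: str
    rules: list                       # e.g. [("contains", "sslitest")]
    case_insensitive: bool = False    # forward-proxy-bypass client-auth case-insensitive

    def matches(self, host):
        h = host.lower() if self.case_insensitive else host
        for mtype, value in self.rules:
            v = value.lower() if self.case_insensitive else value
            if mtype == "equals" and h == v:
                return True
            if mtype == "contains" and v in h:
                return True
            if mtype == "starts-with" and h.startswith(v):
                return True
            if mtype == "ends-with" and h.endswith(v):
                return True
        return False


@dataclass
class DestRule:
    kind: str           # "class-list" | "web-category-list" | "any"
    name: str           # list name ("" for any)
    action: str         # forward-policy action name, e.g. "Drop" or "Permit"
    priority: int = 0


# Lists and rules taken from the URL filtering example configuration.
CLASS_LISTS = {
    "Block_domains": ClassList("Block_domains", [("contains", "sslitest")]),
    "Client_Auth_Bypass": ClassList("Client_Auth_Bypass", [
        ("starts-with", "a10a10"), ("equals", "ssl-i"), ("contains", "hello.com")]),
}
CATEGORY_LISTS = {
    "Url_filter_cat": {"malware-sites", "phishing-and-other-fraud",
                       "proxy-avoid-and-anonymizers", "spyware-and-adware", "bot-nets",
                       "confirmed-spam-sources", "spam-urls", "unconfirmed-spam-sources"},
}
URL_FILTER_RULES = [
    DestRule("class-list", "Block_domains", "Drop", priority=20),
    DestRule("web-category-list", "Url_filter_cat", "Drop", priority=10),
    DestRule("any", "", "Permit"),
]
# Conditions from the client-auth bypass example: an inline match plus a class-list.
CLIENT_AUTH_CONDITIONS = [("contains", "abcd"), ("class-list", "Client_Auth_Bypass")]


def evaluate_forward_policy(host, category, rules=URL_FILTER_RULES):
    """Return the action name for a destination. Rules are tried highest priority
    first (an assumption made for this example, not documented ACOS behaviour)."""
    for rule in sorted(rules, key=lambda r: -r.priority):
        if rule.kind == "class-list" and CLASS_LISTS[rule.name].matches(host):
            return rule.action
        if rule.kind == "web-category-list" and category in CATEGORY_LISTS[rule.name]:
            return rule.action
        if rule.kind == "any":
            return rule.action
    return None   # no rule matched; the page does not state what ACOS does here


def client_auth_bypass(sni, server_requests_client_cert, conditions=CLIENT_AUTH_CONDITIONS):
    """True when the server asked for a client certificate and the SNI matches one
    of the forward-proxy-bypass client-auth conditions; SSLi is then skipped and
    the session falls back to plain TCP proxying."""
    if not server_requests_client_cert or sni is None:
        return False
    for mtype, value in conditions:
        if mtype == "class-list":
            if CLASS_LISTS[value].matches(sni):
                return True
        elif ClassList("_inline", [(mtype, value)]).matches(sni):
            return True
    return False


if __name__ == "__main__":
    print(evaluate_forward_policy("www.sslitest.example", "search-engines"))   # Drop
    print(evaluate_forward_policy("cdn.example", "malware-sites"))             # Drop
    print(evaluate_forward_policy("news.example", "news-and-media"))           # Permit
    print(client_auth_bypass("login.abcd.example", True))                      # True
    print(client_auth_bypass("portal.example", True))                          # False
```

Note how broad a contains rule is: "contains sslitest" also drops any host with that substring anywhere in the name, and "contains abcd" bypasses SSLi for every server whose SNI carries that string, so each bypass condition deserves the same scrutiny as a firewall exception.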

GUI SNI Bypass Configuration Instructions


1. Navigate to Security > SSLi > Templates and edit your client ssl template (such as SSLi_vip_001_client_ssl).
2. In the Update Client SSL Template window:
a. Click the Policy tab.
b. For Bypass Client Auth, click Add.
c. Expand the Condition section and select an option from the drop-down list:
• SNI Contains
• SNI Ends with
• SNI Starts with
• SNI Equals
d. For Value, enter the matching value of the client to bypass authentication.
3. You can add multiple match rules. Click Add as needed.
4. Click Update.

Example Configuration for Bypassing SSLi for Client Authentication Traffic

Show Running-Config of the ACOS_decrypt


The following sample configuration shows how to configure the inside ACOS device for client authentication bypass:

ACOS-inside# show running-config


access-list 101 permit ip 10.10.1.0 0.0.0.255 any
!
class-list Client_Auth_Bypass ac
starts-with a10a10
equals ssl-i
contains hello.com
!


interface ethernet 1
enable
!
interface ethernet 2
enable
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 20
untagged ethernet 2
router-interface ve 20
!
interface ve 10
ip address 10.10.1.10 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 10.10.2.10 255.255.255.0
!
slb server FW1_SSLi 10.10.2.20
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 8080 tcp
health-check-disable
!
!
slb service-group Outbound_TCP tcp
member FW1_SSLi 0
!
slb service-group Outbound_UDP udp
member FW1_SSLi 0
!
slb service-group Outbound_SSLi tcp
member FW1_SSLi 8080
!
slb template client-ssl Client-SSL


forward-proxy-ca-cert selfsigned_Cert
forward-proxy-ca-key selfsigned_key
forward-proxy-enable

forward-proxy-bypass client-auth contains abcd


forward-proxy-bypass client-auth class-list Client_Auth_Bypass
!
slb virtual-server Inside_SSLi_VIP 0.0.0.0 acl 101
port 443 https
no-dest-nat port-translation
service-group Outbound_SSLi
template client-ssl Client-SSL
port 0 tcp
no-dest-nat
service-group Outbound_TCP
port 0 udp
no-dest-nat
service-group Outbound_UDP
port 0 others
no-dest-nat
service-group Outbound_UDP
!
end

Show Running-Config of the Outside ACOS device


The following CLI output shows how to configure the outside ACOS device:

ACOS-outside# show running-config


access-list 101 permit ip any any vlan 20
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
vlan 40
untagged ethernet 1
router-interface ve 40
!
vlan 20


tagged ethernet 2
router-interface ve 20
!
interface ve 40
ip address 10.10.4.20 255.255.255.0
!
interface ve 20
ip address 10.10.2.20 255.255.255.0
ip allow-promiscuous-vip
!
slb server Gateway 10.10.4.1
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
port 443 tcp
health-check-disable
!
!
slb service-group Outbound_TCP tcp
member Gateway 0
!
slb service-group Outbound_UDP udp
member Gateway 0
!
slb service-group Outbound_SSL tcp
member Gateway 443
!
slb template server-ssl Server-SSL
forward-proxy-enable
!
slb template virtual-port ignore-msl
ignore-tcp-msl
!
slb virtual-server Outside_nonSSLi_VIP 0.0.0.0 acl 101
port 8080 http
service-group Outbound_SSL
template server-ssl Server-SSL
no-dest-nat port-translation
use-rcv-hop-for-resp


port 0 tcp
service-group Outbound_TCP
no-dest-nat
use-rcv-hop-for-resp
template virtual-port ignore-msl
port 0 udp
service-group Outbound_UDP
no-dest-nat
use-rcv-hop-for-resp
port 0 others
service-group Outbound_UDP
no-dest-nat
use-rcv-hop-for-resp
!
end

Troubleshooting Bypassing SSLi for Client Authentication Traffic Configuration


SSLi might fail for one of the following reasons:

• If the client authentication configuration is present on the server side but missing on the client side (the client SSL template), the ACOS device will not be able to retrieve the server certificate during the SSL handshake.
• SSLi could fail in any other generic case, such as an abrupt connection closure by a server FIN due to a malformed packet.

When SSLi fails, a log is generated that includes the following information:

• SNI

• IP address of the server

When the connection is successful, no logs are generated.

NOTE: The log messages are only seen by the inside ACOS device.

Log Example

When "SSLVerifyClient require" and "SSLVerifyDepth 10" are set in the Apache ssl.conf on the server, certificate retrieval fails because no client-side authentication has been configured.

As a result, the following log is generated:

ACOS# show log


Log Buffer: 30000


Nov 30 2014 09:03:19 Info [SYSTEM]:SSL intercept failed, server amogh-server (ip
20.20.101.50)
ACOS#

NOTE: No CLI configurations are required to turn this logging on or off.

Related Information
• For detailed information on the load-balancing servers that enable SSLi and other applications, see the Application Delivery and Server Load Balancing Guide.

• RFC 8446, The Transport Layer Security (TLS) Protocol, Version 1.3

• RFC 3546, TLS Extensions

• RFC 3986, Uniform Resource Identifier (URI): Generic Syntax

• The software SSLi/forward-proxy feature supports TLS 1.3 in this release.

• Backward compatibility for SSLi with TLS 1.2 is retained.

Known Issues or Limitations

• The OpenSSL build used supports only ECDHE key exchange; DHE is not supported.

• No aFlex support for TLS 1.3.

• aFlex remains backward compatible with TLS 1.2.


Explicit and Transparent Proxy

The following topics are covered:

• Overview of Explicit and Transparent Proxy

• Explicit Proxy with Static-Port SSLi on the Same VIP

• Drop and Drop-Redirect-URL Message Responses for HTTPS Traffic in Explicit Proxy

• Drop and Drop-Redirect-URL Priorities

• Proxy Chaining SSLi Overview

• AAM for Transparent Proxy for SSLi

• Configuring AAM for Transparent Proxy for SSLi

• AAM Support

• Related Information

Overview of Explicit and Transparent Proxy


A proxy is an agent that acts in place of the original requester. With a transparent proxy, the client is not aware that a proxy server is in use. With an explicit proxy, client browsers are configured to send requests to a proxy server; hence the name explicit proxy, because the proxy service is known to the client.

With an HTTP proxy, browser clients connect to the Internet through proxy servers that make service requests on behalf of the clients. The browser configuration specifies the proxy servers it uses. You can configure ACOS to provide both SSLi services and HTTP proxy services in the same HTTP session, and on the same virtual router.

Explicit Proxy with Static-Port SSLi on the Same VIP


Figure 28 shows the topology of the SSLi example to which explicit HTTP proxy services are added. To understand the SSLi topology, refer to “Outbound SSLi with Static Port Type HTTPS—Two ACOS Devices Each With a Single Partition” on page 38.


FIGURE 28 Explicit Proxy with Basic Static-Port SSLi Example

This section describes how to add an explicit HTTP proxy to an SSLi solution consisting of two ACOS
devices, ACOS_decrypt and ACOS_encrypt. Both SSLi and explicit proxy are configured on the same vir-
tual port. The following topics are included:

• Configuring ACOS_decrypt for Explicit Proxy

• Configuring ACOS_encrypt for Explicit Proxy

• Verifying the Configuration for Explicit Proxy

• Consolidated Configuration for Explicit Proxy and SSLi on the Same VIP


Configuring ACOS_decrypt for Explicit Proxy


The following are the recommended steps for configuring explicit proxy on ACOS_decrypt.

1. Prior to configuring explicit proxy, determine the port number and IP address to be used for explicit proxy. This is the address that clients configure in their browser’s proxy option. In this example, 10.10.1.30:1234 is used.
2. Create the source-NAT pool of IP addresses required by the forward-to-internet action.
The configuration of the NAT pool used by source-NAT for Internet-bound traffic provides a source
address that is the same as the IP interface of ACOS_decrypt.
ip nat pool Internet_Pool 10.10.1.30 10.10.1.30 netmask /32

3. Enter the following commands to define the template for the explicit proxy policy.
The policy template defines what actions are applied to upstream traffic by the client-facing virtual
server on the ACOS_decrypt device. The configuration of this policy template follows:
slb template policy Explicit_Proxy
forward-policy
action Permit_to_Internet
forward-to-internet FW1_Inspect_SG snat Internet_Pool
log
source Any_Source
match-any
destination any action Permit_to_Internet

4. Enter the following commands to create a template that is bound to the client-facing virtual server to provide the IP addresses of DNS servers used by the VIP. The DNS dynamic service template points to two DNS servers that enable the ACOS_decrypt to look up the IP address of the EnterpriseABC servers that the clients request SSL connections to.

slb template dynamic-service DNS


dns server 10.10.1.253
dns server 10.10.1.254

5. Configure a static route to a gateway, 10.10.1.2, that can reach the clients on the 192.168.1.0 /24
subnet. No route to the DNS servers is necessary because ACOS_decrypt and the DNS servers are
both on the same subnet, 10.10.1.0 /24.
ip route 192.168.1.0 /24 10.10.1.2
!

6. Modify the configuration of the decrypt_VIP to enable explicit proxy. The decrypt_VIP is a static-port
virtual server that manages explicit proxy traffic and provides SSLi services. The policy template, the
SSL client template, and the dynamic-service template are all bound to the client-facing virtual server
on ACOS_decrypt.


a. Specify the IP address of the decrypt_VIP as 10.10.1.30. The IP address must be explicit and must
match the proxy configuration of the clients.
b. Begin the configuration of virtual port 1234 on 10.10.1.30 as the interface of this VIP. This too
matches the proxy configuration on the clients.
c. Bind the Explicit_Proxy policy template to HTTP port 1234 of the VIP.
d. Bind the DNS dynamic-service template to HTTP port 1234 of the VIP.
e. Bind the SSLInsight_decrypt client-SSL template to HTTP port 1234 of the VIP.

slb virtual-server decrypt_VIP 10.10.1.30
port 1234 http
service-group FW1_Inspect_SG
template client-ssl SSLInsight_decrypt
template policy Explicit_Proxy
template dynamic-service DNS
no-dest-nat port-translation

Configuring ACOS_encrypt for Explicit Proxy

The only change on ACOS_encrypt is the addition of a default route to the gateway router to the Internet.

ip route 0.0.0.0 /0 20.1.1.10

Verifying the Configuration for Explicit Proxy

Enter the following commands to verify the configuration and operation of this explicit proxy example:

1. Show the configuration of the SLB policy template.

ACOS_decrypt# show slb template policy Explicit_Proxy
slb template policy Explicit_Proxy
forward-policy
action Permit_to_Internet
forward-to-internet SSL snat Internet_Pool fallback SSL snat Fallback_Pool
log
source Any_Source
match-any
destination any action Permit_to_Internet

2. Show the IP addresses of the source-NAT pool.

ACOS_decrypt# show ip nat pool
Pool Name       Start Address   End Address     Mask   Gateway   Vrid
------------------------------------------------------------------------------
Internet_Pool   203.0.113.5     203.0.113.5     /32    0.0.0.0   default

3. Show the status of the client-facing VIP on ACOS_decrypt.

ACOS_decrypt# show slb virtual-server decrypt_VIP
Virtual server: EP_VIP State: Functional Up IP: 10.10.1.30
Port Curr-conn Total-conn Rsv-Pkt Fwd-Pkt Peak-conn
-------------------------------------------------------------------------------
Virtual Port:8080 / service:To_Internet / state:Functional Up
port 8080 http 0 0 0 0 0

4. Show the detailed status of the client-facing VIP on ACOS_decrypt.

ACOS_decrypt# show slb virtual-server decrypt_VIP detail
Virtual server name: decrypt_VIP
Virtual server IP address: 10.10.1.30
Virtual server MAC: 001f:a003:5fc3
Virtual server template: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connections: 0
Current connection rate: 0 per second

5. Show the forward-policy statistics to verify that the forward-policy managed the packet flow through
the ACOS_decrypt virtual server.

ACOS_decrypt# show slb template policy Explicit_Proxy forward-policy-stats
slb template policy name: Explicit_Proxy
Source NAT failure: 0
Unresolved DNS requests: 0
Outstanding DNS requests: 0
Hits: 0
Requests forward to Internet: 0
Requests forward to Service Group: 0
Requests dropped: 0
Source Match not found: 0
Expected Client HELLO requests not found: 0

Consolidated Configuration for Explicit Proxy and SSLi on the Same VIP

The configuration of ACOS_decrypt is shown first. The highlighted lines of the configuration show the
items specifically described in the preceding configuration instructions.

ACOS_decrypt# show running-config
!
access-list 100 permit ip any any vlan 10
!
!
ip nat pool Internet_Pool 10.10.1.30 10.10.1.30 netmask /32
!
ip route 192.168.1.0 /24 10.10.1.2
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
hostname ACOS_decrypt
!
interface ethernet 1
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
!
slb template dynamic-service DNS
dns server 10.10.1.253
dns server 10.10.1.254
!
slb server FW1_Inspect 10.15.1.12
port 8080 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 8080
!
slb template policy Explicit_Proxy
forward-policy
action Permit_to_Internet
forward-to-internet FW1_Inspect_SG snat Internet_Pool
log
source Any_Source
match-any
destination any action Permit_to_Internet
!
slb template client-ssl SSLInsight_decrypt
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-key
forward-proxy-enable
!
slb virtual-server decrypt_VIP 10.10.1.30
port 1234 http
service-group FW1_Inspect_SG
template client-ssl SSLInsight_decrypt
template policy Explicit_Proxy
template dynamic-service DNS
no-dest-nat port-translation
port 0 tcp
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
service-group ALL_UDP_SG
no-dest-nat
port 0 others
service-group ALL_UDP_SG
no-dest-nat
!
end

Use the show running-config command to check your configuration of ACOS_encrypt. A default route
to the Internet gateway is added; otherwise the explicit proxy configuration does not change the
ACOS_encrypt configuration. The highlighted lines of the configuration show the items specifically
described in the preceding configuration instructions.

ACOS_encrypt# show running-config
!
access-list 101 permit ip any any vlan 15
!
vlan 20
tagged ethernet 1
router-interface ve 20
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
ip route 0.0.0.0 /0 20.1.1.10
!
hostname ACOS_encrypt
!
interface ethernet 1
enable
!
interface ve 20
ip address 20.1.1.2 255.255.255.0
!
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
!
slb server Default_Gateway 20.1.1.10
port 443 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group DG_SSL_SG tcp
member Default_Gateway 443
slb service-group DG_TCP_SG tcp
member Default_Gateway 0
slb service-group DG_UDP_SG udp
member Default_Gateway 0
!
slb template server-ssl SSLInsight_encrypt
forward-proxy-enable
!
slb virtual-server encrypt_VIP 0.0.0.0 acl 101
port 8080 http
no-dest-nat port-translation
service-group DG_SSL_SG
template server-ssl SSLInsight_encrypt
use-rcv-hop-for-resp
port 0 tcp
no-dest-nat
service-group DG_TCP_SG
use-rcv-hop-for-resp
port 0 udp
no-dest-nat
service-group DG_UDP_SG
use-rcv-hop-for-resp
port 0 others
no-dest-nat
use-rcv-hop-for-resp
service-group DG_UDP_SG
!
end

Drop and Drop-Redirect-URL Message Responses for HTTPS Traffic in Explicit Proxy

NOTE: This section requires that the explicit proxy configuration is known for
ACOS_decrypt and ACOS_encrypt. To configure explicit proxy, refer to
“Explicit Proxy with Static-Port SSLi on the Same VIP” on page 241.

Starting from ACOS 4.1.4, the drop-message and drop-redirect-url options can be configured for HTTPS
traffic in explicit proxy for SSLi. This feature enables the network administrator to configure either a
customized drop message or a customized redirect URL for specific websites tagged under the explicit
proxy configuration. The SSLi deployment must complete the SSL intercept before it can send a drop or
redirect message.

Configure ACOS_decrypt with some additional actions in the explicit proxy template. No additional changes
are required for ACOS_encrypt. The following are the guidelines for configuring drop and drop-redirect-url
messages on ACOS_decrypt:

• Prior to configuring explicit proxy, determine which port number and IP address are to be used for
explicit proxy.

• (Optional) Create the source-NAT pool of IP addresses required by the forward-to-internet action.

• Create a service group under the vPort for the forward-to-internet action.

• Define the class-lists or web-category for specifying the destinations of the actions created for
explicit proxy.

• Create the explicit proxy template with the drop and drop-redirect actions. Also include the
forward-to-internet option for allowed traffic.

• Bind the explicit proxy template and the client-SSL template to the VIP.

Key ACOS_decrypt Configuration for Drop and Drop-Redirect-URL

The following is a sample configuration that implements the following logic:

• If a user accesses www.netflix.com, a drop message is displayed.

• If a user accesses www.game.com, the user is redirected to the configured HTTPS website,
https://www.apple.com.

• If a user accesses www.poker.com, the user is redirected to the configured website,
http://192.168.98.115.

Configure the explicit proxy policy template called ep-template with the following properties:

• For the action FORWARD, the service group sg-8080 is added for forwarding the allowed traffic to
the Internet.

• For the action GAMBLE, the action is to drop and the redirect URL is http://192.168.98.115.

• For the action GAME, the action is to drop and the redirect URL is https://www.apple.com.

• For the action NETFLIX, the action is to drop and the following message is displayed: This website is
not allowed, contact your networks admin for more info.
ACOS(config)# slb template policy ep-template
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# action FORWARD
ACOS(config-policy-forward-policy-action)# forward-to-internet sg-8080 snat NAT
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# action GAMBLE
ACOS(config-policy-forward-policy-action)# drop
ACOS(config-policy-forward-policy-action)# drop-redirect-url http://192.168.98.115
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# action GAME
ACOS(config-policy-forward-policy-action)# drop
ACOS(config-policy-forward-policy-action)# drop-redirect-url https://www.apple.com
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# action NETFLIX
ACOS(config-policy-forward-policy-action)# drop
ACOS(config-policy-forward-policy-action)# drop-message "This website is not allowed, contact your networks admin for more info"
ACOS(config-policy-forward-policy-action)# exit
ACOS(config-policy-forward-policy)# source SRC
ACOS(config-policy-forward-policy-source)# match-any
ACOS(config-policy-forward-policy-source)# destination class-list gamble action GAMBLE host priority 800
ACOS(config-policy-forward-policy-source)# destination class-list game action GAME host priority 900
ACOS(config-policy-forward-policy-source)# destination class-list netflix action NETFLIX host priority 1000
ACOS(config-policy-forward-policy-source)# destination any action FORWARD
ACOS(config-policy-forward-policy-source)# exit
ACOS(config-policy-forward-policy)# exit
ACOS(config-policy)# exit

Configure the client-SSL template called c1 and enable forward proxy.

ACOS(config)# slb template client-ssl c1
ACOS(config-client ssl)# forward-proxy-ca-cert rootca.crt
ACOS(config-client ssl)# forward-proxy-ca-key rootca-dec.key
ACOS(config-client ssl)# forward-proxy-enable

Configure the virtual server called vs. Bind the explicit proxy template, the client-SSL template,
and the fake-sg service group to virtual port 80.

ACOS(config)# slb virtual-server vs 192.168.91.105
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# source-nat auto
ACOS(config-slb vserver-vport)# service-group fake-sg
ACOS(config-slb vserver-vport)# template policy ep-template
ACOS(config-slb vserver-vport)# template client-ssl c1
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

Consolidated Configuration for ACOS_decrypt

The following is an excerpt of the ACOS_decrypt configuration for configuring drop messages and
redirect URLs:

!Configure the class-list.

class-list gamble ac
contains poker
!
class-list game ac
contains game
!
class-list netflix ac
contains netflix
!
class-list permit
192.168.99.24/32
!
!Configure the NAT pool.
ip nat pool NAT 192.168.91.24 192.168.91.24 netmask /32 gateway 192.168.91.254

!Configure the real servers.
slb server fake 1.1.1.1
health-check-disable
port 1111 tcp
health-check-disable
!
slb server s1 192.168.221.70
health-check-disable
port 80 tcp
health-check-disable
port 8080 tcp
health-check-disable

!Configure the service groups.
slb service-group fake-sg tcp
member fake 1111
!
slb service-group sg-8080 tcp
member s1 8080
!
!Configure the client-ssl template.
slb template client-ssl c1
forward-proxy-ca-cert rootca.crt
forward-proxy-ca-key rootca-dec.key
forward-proxy-enable
!
!Configure the explicit policy template.
slb template policy ep-template
forward-policy
action FORWARD
forward-to-internet sg-8080 snat NAT
action GAMBLE
drop
drop-redirect-url http://192.168.98.115
action GAME
drop
drop-redirect-url https://www.apple.com
action NETFLIX
drop
drop-message "This website is not allowed, contact your networks admin for more info"
source SRC
match-any
destination class-list gamble action GAMBLE host priority 800
destination class-list game action GAME host priority 900
destination class-list netflix action NETFLIX host priority 1000
destination any action FORWARD
!
!Configure the virtual server.
slb virtual-server vs 192.168.91.105
port 80 http
source-nat auto
service-group fake-sg
template policy ep-template
template client-ssl c1

Drop and Drop-Redirect-URL Priorities

For an explicit proxy, the priority of the match condition determines which action is selected for the
request. For example, the following is a sample configuration excerpt:

!
class-list cnn ac
contains cnn
!
class-list sport ac
contains sport
!
slb template policy ep-template
forward-policy
action A1
forward-to-internet sg-8080 snat NAT
action drop
drop
drop-message "Not allowed"
source ANY
match-any
destination class-list cnn action drop host priority 500
destination class-list sport action A1 url priority 1000

In the configuration sample, if the request contains the word cnn, the action is to drop the request.
If the request contains the word sport, the action is to forward the request to the Internet. The URL
cnn.com/sport matches both conditions; however, the priority of the sport rule is higher than the
priority of the cnn rule. As a result, the request is forwarded to the Internet under action A1.

For the same configuration, if the priorities are reversed, as destination class-list cnn action drop
host priority 1000 and destination class-list sport action A1 url priority 500, the request for
cnn.com/sport is dropped and the message "Not allowed" is displayed.

The drop-message and drop-redirect-url options change the behavior of the explicit proxy compared with
previous ACOS versions. If neither option is configured, the ACOS device drops the CONNECT request
immediately instead of performing an SSL negotiation.
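To make the selection rule concrete, here is an added Python model of how a forward-policy picks an action for a request; it is illustrative code written for this guide, not ACOS software. It assumes, beyond what the guide states, that a destination any rule acts as the lowest-priority catch-all and that class-list contains and starts-with entries are case-insensitive substring and prefix tests on the host or the full URL. It reproduces the cnn/sport priority example above and the ep-template drop and redirect actions from the previous section.

```python
"""Model of ACOS forward-policy action selection (illustrative, not ACOS code).

Assumptions not stated by the guide: "destination any" acts as the lowest-priority
catch-all, and class-list "contains" / "starts-with" entries are case-insensitive
substring / prefix tests on the matched text (the host or the full URL).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ClassList:
    """class-list <name> ac with its contains / starts-with entries."""
    contains: List[str] = field(default_factory=list)
    starts_with: List[str] = field(default_factory=list)

    def matches(self, text: str) -> bool:
        t = text.lower()
        return any(s.lower() in t for s in self.contains) or any(
            t.startswith(s.lower()) for s in self.starts_with)


@dataclass
class Action:
    """A forward-policy action: forward (service_group set) or drop."""
    name: str
    drop: bool = False
    service_group: Optional[str] = None       # forward-to-internet / forward-to-proxy target
    drop_message: Optional[str] = None        # drop-message "..."
    drop_redirect_url: Optional[str] = None   # drop-redirect-url <url>


@dataclass
class Rule:
    """destination class-list <cl> action <a> {host|url} priority <n>."""
    action: str
    class_list: Optional[str] = None  # None models "destination any action <a>"
    match_on: str = "host"            # "host" tests the Host, "url" the full URL
    priority: int = 0                 # assumption: the catch-all ranks lowest


@dataclass
class ForwardPolicy:
    class_lists: Dict[str, ClassList]
    actions: Dict[str, Action]
    rules: List[Rule]

    def select(self, host: str, url: str) -> Action:
        """Return the action of the highest-priority rule that matches."""
        best: Optional[Rule] = None
        for rule in self.rules:
            if rule.class_list is None:
                hit = True
            else:
                subject = host if rule.match_on == "host" else url
                hit = self.class_lists[rule.class_list].matches(subject)
            if hit and (best is None or rule.priority > best.priority):
                best = rule
        if best is None:
            raise LookupError("no rule matched and no catch-all rule is configured")
        return self.actions[best.action]


def cnn_sport_policy(cnn_priority: int, sport_priority: int) -> ForwardPolicy:
    """The priorities example: cnn -> drop (host match), sport -> A1 (url match)."""
    return ForwardPolicy(
        class_lists={"cnn": ClassList(contains=["cnn"]),
                     "sport": ClassList(contains=["sport"])},
        actions={"A1": Action("A1", service_group="sg-8080"),
                 "drop": Action("drop", drop=True, drop_message="Not allowed")},
        rules=[Rule("drop", "cnn", "host", cnn_priority),
               Rule("A1", "sport", "url", sport_priority)],
    )


def ep_template() -> ForwardPolicy:
    """The ep-template example: three drop rules and a FORWARD catch-all."""
    return ForwardPolicy(
        class_lists={"gamble": ClassList(contains=["poker"]),
                     "game": ClassList(contains=["game"]),
                     "netflix": ClassList(contains=["netflix"])},
        actions={
            "FORWARD": Action("FORWARD", service_group="sg-8080"),
            "GAMBLE": Action("GAMBLE", drop=True,
                             drop_redirect_url="http://192.168.98.115"),
            "GAME": Action("GAME", drop=True,
                           drop_redirect_url="https://www.apple.com"),
            "NETFLIX": Action("NETFLIX", drop=True, drop_message=(
                "This website is not allowed, contact your networks admin for more info")),
        },
        rules=[Rule("GAMBLE", "gamble", "host", 800),
               Rule("GAME", "game", "host", 900),
               Rule("NETFLIX", "netflix", "host", 1000),
               Rule("FORWARD")],
    )
```

Calling cnn_sport_policy(500, 1000).select("cnn.com", "cnn.com/sport") returns A1, and swapping the two priorities returns the drop action with its "Not allowed" message.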

Proxy Chaining SSLi Overview

For a general overview of proxy chaining, see the Server Load Balancing Guide.

In an SSLi environment, when traffic is routed to an upstream proxy server to handle HTTPS traffic,
some configuration points need to be kept in mind for both explicit proxy and transparent proxy traffic
through the upstream proxy. This chapter provides the general configuration steps required for an
upstream proxy server in an SSLi deployment, along with a specific configuration example that handles
both explicit proxy + SSLi traffic and transparent proxy + SSLi traffic.

Guidelines for Configuring Explicit Proxy and SSLi Proxy Chaining

Follow these guidelines for the ACOS_decrypt device:

1. It must contain an SLB server template for the proxy server that includes the upstream proxy's IP
address and port.
2. In the SLB policy template, replace forward-to-service-group with the forward-to-proxy CLI
command.
3. The virtual server template specifies the ACOS_decrypt IP address.
4. The virtual server template's virtual port number must match the upstream proxy server port.

Guidelines for Configuring Transparent Proxy and SSLi Proxy Chaining

Follow these guidelines for the ACOS_decrypt device:

1. It must contain an SLB server template for the proxy server that includes the upstream proxy's port.
2. In the SLB policy template, replace forward-to-internet with the forward-to-proxy CLI command.
3. The virtual server template has a wildcard VIP (0.0.0.0).

For ACOS_encrypt, the SLB server template must include the following from the upstream proxy:

1. In the SLB server template, the port of the upstream proxy server must be specified.
2. In the virtual server template, bind the upstream proxy port (using the service group) to the vport
(ACOS_encrypt port).
3. Set no-dest-nat port-translation on the ACOS_encrypt port in your slb virtual-server template.

Configuring SSLi Proxy Chaining for Explicit and Transparent Proxy

Follow the sample configurations for ACOS_decrypt and ACOS_encrypt.

ACOS_decrypt CLI configuration

1. Create a server template for the upstream proxy server (192.168.90.71) and define its service
groups for the ACOS_encrypt port (port 8080) and the proxy server port (port 3128). The IP address
of the upstream proxy server is required for explicit proxy and is not necessary for transparent proxy.

slb server proxy 192.168.90.71
health-check-disable
port 8080 tcp
health-check-disable
port 3128 tcp
health-check-disable
slb service-group sg-proxy-8080 tcp
member proxy 8080
slb service-group sg-proxy-3128 tcp
member proxy 3128

2. Traffic needs to be distinguished between HTTP and HTTPS. A class-list of the Aho-Corasick string
type is created to identify HTTP traffic.
class-list HTTP ac
starts-with http://

3. Create a placeholder for ACOS_decrypt and service group for port 80.
slb server svr 2.2.2.2
health-check-disable
port 80 tcp
health-check-disable
slb service-group sg tcp
member svr 80

4. Create a policy template for explicit proxy or transparent proxy. This replaces the explicit proxy
template from the prior example (slb template policy Explicit_Proxy). Create two actions, act-3128 and
act-8080. To direct traffic to the upstream proxy server, the forward-to-proxy CLI command must be used
to ensure that the HTTP header remains intact. HTTP traffic is routed through port 3128 directly, while
HTTPS traffic is inspected through SSLi.
slb template policy EP-TP
forward-policy
action act-3128
forward-to-proxy sg-proxy-3128 snat Internet_Pool
action act-8080
forward-to-proxy sg-proxy-8080 snat Internet_Pool
source src
match-any
destination class-list HTTP action act-3128 url priority 1
destination any action act-8080

5. Bind everything with the virtual server VS_EP. For explicit proxy, provide the ACOS_decrypt IP
address (10.10.1.30) and set the upstream proxy's port (3128). The virtual port number in VS_EP is
configured to match the upstream explicit proxy port number. The original slb virtual-server
(decrypt_VIP) changes to the following:
slb virtual-server VS_EP 10.10.1.30
port 3128 http
source-nat auto
service-group sg
template policy EP-TP
template dynamic-service DNS
template client-ssl SSLInsight_decrypt

6. For transparent proxy, the wildcard VIP (0.0.0.0) is used.

slb virtual-server VS_TP 0.0.0.0
port 3128 http
source-nat auto
service-group sg
template policy EP-TP
template dynamic-service DNS
template client-ssl SSLInsight_decrypt

ACOS_encrypt CLI configuration

1. A placeholder internal server, s1, is created so that the port and service group, sg-proxy-server-port,
can be added for association with the upstream proxy server's port (3128).
slb server s1 1.1.1.1
health-check-disable
port 3128 tcp
health-check-disable
slb service-group sg-proxy-server-port tcp
member s1 3128

2. The slb virtual-server encrypt_VIP needs a minor change from the original configuration. The port
of the ACOS_encrypt device (port 8080 http) must remain set, so leave it as is. The service group is
modified so that HTTPS traffic that arrives with destination port 8080 leaves with the destination port
of the upstream proxy server. This is accomplished by changing service-group DG_SSL_SG to
service-group sg-proxy-server-port, which carries the upstream proxy server's port 3128 and moves
traffic from the ACOS_encrypt device to the upstream proxy server.

slb virtual-server encrypt_VIP 0.0.0.0 acl 101
port 8080 http
no-dest-nat port-translation
service-group sg-proxy-server-port
template server-ssl SSLInsight_encrypt
port 0 tcp
no-dest-nat
service-group DG_TCP_SG
port 0 udp
no-dest-nat
service-group DG_UDP_SG
port 0 others
no-dest-nat
service-group DG_UDP_SG

AAM for Transparent Proxy for SSLi

Starting from ACOS 4.1.4, you can configure AAM for transparent proxy for SSLi. This feature is
applicable to HTTPS and HTTP sessions, where AAM performs authentication and authorization
checking inside the SSL tunnel. For HTTPS, if the auth-session-mode is cookie-based, the deployment
requires an HTTPS server. The hostname of the HTTPS server must be configured with the
redirect-hostname command in the auth-template. When the client browser attempts a proxy-auth against
this hostname, the hostname must be resolvable on the browser side.

The following are supported for transparent proxy for SSLi:

• Single sign-on including for cross-domains

• HTTP authentication logon and form-based logon

• IP-based and cookie-based auth-session tracking mode

• Kerberos WIA authentication

For Content Security Policy (CSP), this feature provides a new command called
modify-content-security-policy under the auth-template. When the command is enabled, ACOS checks all
packets from the server. If the packet contains a CSP header (keywords: Content-Security-Policy,
X-Content-Security-Policy and X-Webkit-CSP), ACOS inserts a redirect URL (from redirect-hostname or
the Kerberos SPN) into the 'default-src' field. If no CSP header is found, ACOS does nothing.
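As an added illustration (not ACOS code) of what modify-content-security-policy does to a server response, the following Python function rewrites the three CSP header names listed above, appending the redirect URL to the default-src directive and leaving responses without a CSP header untouched. It assumes, beyond what the guide states, that a 'none' keyword in default-src is removed when a source is added and that a CSP header without a default-src directive is left unchanged.

```python
"""Illustration of the modify-content-security-policy behaviour (not ACOS code).

A server response that carries a CSP header gets the AAM redirect URL added to
its default-src directive, so the browser does not refuse the logon redirect.
"""
from typing import Dict

# Header names the guide lists as CSP headers; compared case-insensitively
CSP_HEADER_NAMES = ("content-security-policy",
                    "x-content-security-policy",
                    "x-webkit-csp")


def add_source_to_default_src(policy: str, source: str) -> str:
    """Append `source` to the default-src directive of one CSP policy string.

    Assumptions beyond the guide: a policy without default-src is returned
    unchanged, and the 'none' keyword is dropped once a real source is added
    (keeping both would be contradictory). Re-applying is a no-op.
    """
    directives = [d.strip() for d in policy.split(";") if d.strip()]
    rewritten = []
    for directive in directives:
        parts = directive.split()
        if parts[0].lower() == "default-src":
            sources = [p for p in parts[1:] if p.lower() != "'none'"]
            if source not in sources:
                sources.append(source)
            directive = " ".join(["default-src", *sources])
        rewritten.append(directive)
    return "; ".join(rewritten)


def modify_content_security_policy(headers: Dict[str, str],
                                   redirect_url: str) -> Dict[str, str]:
    """Return a copy of the response headers with every CSP header rewritten.

    A response without any CSP header is returned unchanged, matching the
    guide's "if no CSP header is found, ACOS does nothing".
    """
    out = {}
    for name, value in headers.items():
        if name.lower() in CSP_HEADER_NAMES:
            out[name] = add_source_to_default_src(value, redirect_url)
        else:
            out[name] = value
    return out


# Constructed sample response headers (not captured from a real server)
SAMPLE_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}
```

With the redirect hostname tp.a10.com from the configuration above, modify_content_security_policy(SAMPLE_RESPONSE, "https://tp.a10.com") yields default-src 'self' https://tp.a10.com while the script-src directive is untouched.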

Configuring AAM for Transparent Proxy for SSLi

The following figure is an example topology for configuring AAM for SSLi and transparent proxy. This is
a cookie-based auth-session, so there is an HTTPS server connected to ACOS_decrypt. The
authorization server is LDAP-based and uses basic logon. Since the AAM authentication happens in the
SSL tunnel, there are no configuration changes required for ACOS_encrypt.

NOTE: Ensure that the CA is imported into the user browser.

The expected behavior of the deployment is as follows:

1. Clear the auth session.
2. Access the HTTP page www.apple.com. The user is asked for credentials.
3. Access the HTTP page www.nokia.com, which is another domain. The user is not asked for credentials.
4. Clear the auth session.
5. Access the HTTPS page https://www.google.com. The user is asked for credentials.
6. Access the HTTPS page https://github.com, which is another domain. The user is not asked for
credentials.

FIGURE 29 Configuring AAM for SSLi with Transparent Proxy

The configuration of AAM for ACOS_decrypt is as follows:

1. Configure HTTP-authenticate logon with the profile name BASIC.

ACOS_decrypt(config)# aam authentication logon http-authenticate BASIC
ACOS_decrypt(config-form-based auth logon:BASIC)# auth-method basic enable
ACOS_decrypt(config-form-based auth logon:BASIC)# exit

2. Configure an authentication-server profile for the LDAP server called LDAP_98_172.

ACOS_decrypt(config)# aam authentication server ldap LDAP_98_172
ACOS_decrypt(config-ldap auth server)# host 192.168.98.172
ACOS_decrypt(config-ldap auth server)# base ou=People,dc=lex-ldap,dc=com
ACOS_decrypt(config-ldap auth server)# admin-dn cn=Admin,dc=lex-ldap,dc=com
ACOS_decrypt(config-ldap auth server)# admin-secret encrypted 37O48xvi8uY8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ACOS_decrypt(config-ldap auth server)# dn-attribute uid
ACOS_decrypt(config-ldap auth server)# exit

3. Configure an authentication template called BASIC_LDAP_C. Associate the logon profile BASIC and
the LDAP server LDAP_98_172 with the authentication template. Set the redirect hostname to tp.a10.com.
ACOS_decrypt(config)# aam authentication template BASIC_LDAP_C
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# logon BASIC
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# server LDAP_98_172
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# redirect-hostname tp.a10.com
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# modify-content-security-policy
ACOS_decrypt(config-auth template:BASIC_LDAP_C)# exit

4. Create an AAA policy called BASIC_LDAP_C and associate the authentication template with it.
ACOS_decrypt(config)# aam aaa-policy BASIC_LDAP_C
ACOS_decrypt(config-aaa policy:1)# aaa-rule 10
ACOS_decrypt(config-aaa policy:1-aaa rule:10)# authentication-template BASIC_LDAP_C

5. Create a virtual server called TP_AAM. For port 80 HTTP and port 443 HTTPS, associate aaa-policy
BASIC_LDAP_C.
ACOS_decrypt(config)# slb virtual-server TP_AAM 0.0.0.0 acl 2
ACOS_decrypt(config-slb vserver)# port 80 http
ACOS_decrypt(config-slb vserver-vport)# aaa-policy BASIC_LDAP_C
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# aaa-policy BASIC_LDAP_C
ACOS_decrypt(config-slb vserver-vport)# exit

Consolidated Configuration
!
aam authentication logon http-authenticate BASIC
auth-method basic enable
!
!
aam authentication server ldap LDAP_98_172
host 192.168.98.172
base ou=People,dc=lex-ldap,dc=com
admin-dn cn=Admin,dc=lex-ldap,dc=com
admin-secret encrypted 37O48xvi8uY8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
dn-attribute uid
!
aam authentication template BASIC_LDAP_C
logon BASIC
server LDAP_98_172
redirect-hostname tp.a10.com
modify-content-security-policy
!
aam aaa-policy BASIC_LDAP_C
aaa-rule 10
authentication-template BASIC_LDAP_C
!
slb virtual-server TP_AAM 0.0.0.0 acl 2
port 80 http
aaa-policy BASIC_LDAP_C
port 443 https
aaa-policy BASIC_LDAP_C

Authentication Flow for HTTP-authenticate Logon

The following workflow shows the authentication for HTTP-authenticate logon. The user tries to access
www.apple.com. The redirect hostname is tp.a10.com.

FIGURE 30 Workflow for Authentication Flow for HTTP-authenticate Logon

The authentication template has the following configuration:

ACOS_decrypt(config)# aam authentication template TP-AAM
ACOS_decrypt(config-auth template:TP-AAM)# redirect-hostname tp.a10.com
ACOS_decrypt(config-auth template:TP-AAM)# exit

AAM Support

Decrypt_VIP Support
If you configure ACOS SSLi with explicit proxy, you can also configure the decrypt_VIP with the AAM
features described in the Application Access Management Guide. However, the following limitations
apply:

When configuring AAM with an explicit proxy, the HTTP-basic, NTLM, and Kerberos logon methods are
supported for HTTP authentication. Form-based authentication is also supported. However, SAML
authentication is not supported.

Use the aam authentication logon http-authenticate command and its sub-commands to configure
HTTP authentication and its HTTP-basic, NTLM, and Kerberos logon methods. Use the aam authenti-
cation logon form-based command to configure form-based authentication.

Forward-Policy JWT (JSON Web Token) Authorization

For SSLi explicit and transparent proxy, an AAM authorization policy can also be configured as the
forward-policy source matching criteria. Therefore, ACOS can provide the JWT authorization feature for
the forward-policy.

For instructions on implementing JWT authorization for forward policy, refer to the Authorizing Forward
Policy with JWT section in the Application Access Management (AAM) Configuration Guide.

Related Information
For more information on explicit and transparent proxy, see the “HTTP Proxy” chapter of the Application
Delivery and Server Load Balancing Guide.

For more information on AAM, see the Application Access Management Guide.

For more information on SSL Proxy, see the "SSL Offload and SSL Proxy" chapter in the Application
Delivery and Server Load Balancing Guide.

RFC 7617, The 'Basic' HTTP Authentication Scheme


SSLi Sessions with ICAP Services

This chapter provides information on configuring the Internet Content Adaptation Protocol (ICAP) in a
static-port SSLi deployment. The following topics are provided:

• ICAP Applications

• ICAP Overview

• Configuring Basic ICAP on the Inside Partition/Device

• Configuring Basic ICAP on the Outside Partition/Device

• ICAP Show Commands

• ICAP Configuration Options

• Configuring ACOS Logging in ICAP Templates

• ICAP Usage Guidelines

• Related Information

ICAP Applications
• ICAP provides security services to HTTP and HTTPS sessions. On traffic from the client to the
web server, ICAP typically provides data loss prevention (DLP), whereas on traffic from the web
server to the client, ICAP typically provides anti-virus (AV) services.
• ICAP services are frequently deployed in conjunction with a forward proxy, such as SSLi, which
intercepts and inspects traffic as the man-in-the-middle.

NOTE: The ssli virtual port feature described in “Non-HTTP Static-Port Type
SSLi” on page 67, does not support ICAP.

ICAP Overview
Figure 31 below shows a sample ICAP topology. The numbers in the diagram show the messaging
steps described in the following section.


ICAP REQMOD Message Exchange


When the ACOS device is configured as an ICAP client with Request Modification Process (REQMOD)
capability and is also configured as a forward proxy for an HTTP client, the ICAP message exchange
process follows these steps:

FIGURE 31 ICAP REQMOD Message Exchange

1. The web client sends an HTTP GET request to the Web server.
2. The ACOS device intercepts the request, processes the HTTP header, and forwards it to the ICAP
server in an ICAP REQMOD message.
3. The ICAP server sends a REQMOD response to the ACOS device.
4. The ICAP REQMOD response and the actions taken by the ACOS device can be one or more of the
following:
• ICAP REQMOD response has Status Code 200 and contains an HTTP request.
The ACOS device sends the HTTP request contained in the ICAP response to the web server
(instead of the original intercepted HTTP request).
• ICAP REQMOD response has Status Code 204.
The ACOS device sends the original intercepted HTTP request to the web server.
• ICAP REQMOD response has Status Code 100.
The ACOS device needs to send more data to the ICAP server.
• ICAP REQMOD response has Status Code 200 and contains an HTTP response.
The ACOS device does not send an HTTP request to the web server. Instead, it sends this HTTP
response back to the client.
• ICAP REQMOD response has any other Status Code.
The ACOS device treats the ICAP response as if it were Status Code 204.

How ACOS Processes REQMOD Configuration Options


1. After HTTP header processing is done, ACOS checks the allowed methods and the minimum pay-
load size (if a payload exists). If both checks pass, ACOS proceeds to the next step.
a. The allowed HTTP methods are specified by the allowed-http-methods command under tem-
plate reqmod-icap.

b. The minimum payload length is specified by the min-payload-size command under template
reqmod-icap.

2. When copying the request, if the include-protocol-in-uri command is configured, the server
URL is converted to an absolute URI with the protocol, host and port number in the URI. The user-
defined X- headers described in “ICAP Extensions, draft-stecher-icap-subid-00.txt” are used for this
purpose.
3. If secure ICAP is configured with the template server-ssl command, the TCP SSL callback routines
are used; if the template server-ssl command is not configured, the regular ICAP handshake
proceeds.
4. The ICAP packet is built and sent to the ICAP server.
5. When the ICAP server responds, if the connection is SSL, ACOS decrypts the response and then
calls the ICAP processing code.
6. ACOS logs the ICAP transaction information.
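The REQMOD exchange and processing steps above, as an added example that is not ACOS code: a small Python model of the status-code decisions (200 with request, 200 with response, 204, 100, other) together with the allowed-http-methods, min-payload-size and include-protocol-in-uri checks that the ICAP Configuration Options section describes later. The function names are hypothetical and the ICAP replies at the bottom are constructed samples, not captured traffic.

```python
# Added example, not ACOS code: a compact model of the REQMOD decision logic
# described above. prefilter(), absolute_uri(), parse_icap_response() and
# decide_reqmod() are hypothetical names; the ICAP replies at the bottom are
# constructed samples, not captured traffic.
from dataclasses import dataclass

DEFAULT_MIN_PAYLOAD = 4096  # payloads below this bypass ICAP unless min-payload-size changes it


@dataclass
class Decision:
    action: str           # forward_original | forward_modified | reply_to_client | need_more_data
    message: bytes = b""  # HTTP message to send on, when the action carries one


def prefilter(method, body_len, allowed_methods=None, min_payload_size=DEFAULT_MIN_PAYLOAD):
    """True when the request goes to ICAP, False when it bypasses ICAP.

    allowed_methods=None mirrors the default (all methods forwarded); the size
    check only applies when a payload exists, as in step 1 above.
    """
    if allowed_methods is not None:
        if method.upper() not in {m.upper() for m in allowed_methods}:
            return False
    if 0 < body_len < min_payload_size:
        return False
    return True


def absolute_uri(request_line, headers):
    """Rewrite a relative request target to an absolute URI (include-protocol-in-uri).

    Scheme and port come from an X-Protocol-Port header such as "https 443" when
    the inside device inserted one; otherwise the Host header and plain http are
    assumed. Header names are expected in lower case.
    """
    method, target, version = request_line.split(" ", 2)
    if target.startswith(("http://", "https://")):
        return request_line  # already absolute, nothing to do
    host, _, host_port = headers.get("host", "").partition(":")
    scheme, port = "http", host_port or "80"
    if "x-protocol-port" in headers:
        scheme, port = headers["x-protocol-port"].split()
    return f"{method} {scheme}://{host}:{port}{target} {version}"


def parse_icap_response(raw):
    """Split an ICAP reply into (status code, lower-cased header dict, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, encapsulated


def decide_reqmod(raw_icap_reply, original_request):
    """Apply the REQMOD status-code rules from the message exchange above."""
    status, headers, body = parse_icap_response(raw_icap_reply)
    if status == 200:
        # The first section named in Encapsulated says what came back: an HTTP
        # request (req-hdr) or an HTTP response (res-hdr). The encapsulated
        # bytes are handed on as-is; chunked body decoding is out of scope here.
        first_section = headers.get("encapsulated", "").split(",")[0].split("=")[0].strip()
        if first_section == "req-hdr":
            return Decision("forward_modified", body)
        if first_section == "res-hdr":
            return Decision("reply_to_client", body)
    if status == 100:
        return Decision("need_more_data")
    # 204 and any other status: send the original intercepted request unchanged
    return Decision("forward_original", original_request)


# Constructed samples modelled on the exchange above (not captured traffic).
ORIGINAL_REQUEST = (b"GET /tbproxy/af/query?client=Google%20Chrome HTTP/1.1\r\n"
                    b"Host: clients1.google.com\r\n\r\n")
REPLY_204 = b"ICAP/1.0 204 No Content\r\nISTag: \"demo-1\"\r\n\r\n"
REPLY_BLOCK = (b"ICAP/1.0 200 OK\r\nISTag: \"demo-1\"\r\n"
               b"Encapsulated: res-hdr=0, res-body=52\r\n\r\n"
               b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
               b"7\r\nblocked\r\n0\r\n\r\n")
REPLY_CONTINUE = b"ICAP/1.0 100 Continue\r\n\r\n"


if __name__ == "__main__":
    for reply in (REPLY_204, REPLY_BLOCK, REPLY_CONTINUE):
        print(decide_reqmod(reply, ORIGINAL_REQUEST).action)
```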

ICAP RESPMOD Message Exchange


When the ACOS device is configured as an ICAP client with Response Modification Process (RESP-
MOD) capability and is also configured as a forward proxy for an HTTP client, the Web server’s HTTP
response is forwarded to the ICAP server. The ICAP message exchange follows these steps:


FIGURE 32 Response Modification Process (RESPMOD) Example Topology

1. The web server sends back an HTTP response to the client.
2. The ACOS device intercepts the response and forwards it to the ICAP server in an ICAP RESPMOD
message.
3. The ICAP server sends a RESPMOD response to the ACOS device.
4. The ICAP response and the actions taken by the ACOS device can be one or more of the following:
• ICAP RESPMOD response has Status Code 200 and contains an HTTP response.
The ACOS device sends the HTTP response contained in the ICAP response to the client
(instead of the original intercepted HTTP response).
• ICAP RESPMOD response has Status Code 204.
The ACOS device sends the original intercepted HTTP response to the client.
• ICAP RESPMOD response has Status Code 100.
The ACOS device sends more data to the ICAP server.
• ICAP RESPMOD response has any other Status Code.
The ACOS device treats the ICAP response as if it were Status Code 204.


Configuring Basic ICAP on the Inside Partition/Device


NOTE: Although this example shows ICAP configured on the inside ACOS device virtual
port 443, it can alternatively be configured on the outside ACOS device on virtual
port 8080 that receives decrypted traffic. See “Configuring Basic ICAP on the Outside
Partition/Device” on page 272.

NOTE: This chapter refers to the outside and inside ACOS devices in the SSLi
configuration. Equivalent configurations can be provisioned on a single
ACOS device split into inside and outside partitions. The inside partition
performs decryption and is often called the decryption partition, while
the outside partition performs re-encryption and is often called the
re-encryption partition.

Using the CLI

This section describes how to add ICAP services to the SSLi example described in detail in “Reference
Configuration for Two-Device Static-HTTPS-Port SSLi” on page 48. This example configures ICAP on
the inside ACOS device.

1. First, configure the IP address of the ICAP server and create an ICAP service group to provide a
path to the ICAP server. This example assumes that the ICAP server is listening over port 1344.

ACOS-Inside(config)# slb server ICAP_server_1 10.1.260.11
ACOS-Inside(config-real server)# port 1344 tcp
ACOS-Inside(config)# slb service-group SG_ICAP tcp
ACOS-Inside(config-slb svc group)# member ICAP_server_1 1344

2. Create the ICAP REQMOD template. Include the ICAP service group and the URL of the ICAP
REQMOD service. (The template reqmod-icap command provisions the ICAP server for ICAP
REQMOD messaging, and the template respmod-icap command provisions the ICAP server for
ICAP RESPMOD messaging.)

ACOS-Inside(config)# slb template reqmod-icap REQMOD_abcd
ACOS-Inside(config-reqmod-icap)# service-group SG_ICAP
ACOS-Inside(config-reqmod-icap)# service-url icap://dlpserver:1344/reqmod

Optionally, the REQMOD connection can be secured by enabling SSL with a server-SSL template,
as shown in the following commands:

ACOS-Inside(config)# slb template reqmod-icap REQMOD_abcd
ACOS-Inside(config-reqmod-icap)# service-group SG_ICAP
ACOS-Inside(config-reqmod-icap)# service-url icap://dlpserver:11344/reqmod
ACOS-Inside(config-reqmod-icap)# template server-ssl ssl

3. Create the ICAP RESPMOD template. Include the ICAP service group and the URL of the ICAP
RESPMOD service:

ACOS-Inside(config)# slb template respmod-icap RESPMOD_abcd
ACOS-Inside(config-respmod-icap)# service-group SG_ICAP
ACOS-Inside(config-respmod-icap)# service-url icap://dlpserver:1344/respmod

Optionally, the RESPMOD connection can be secured by enabling SSL with a server-SSL template,
as shown in the following commands:

ACOS-Inside(config)# slb template respmod-icap RESPMOD_abcd
ACOS-Inside(config-respmod-icap)# service-group SG_ICAP
ACOS-Inside(config-respmod-icap)# service-url icap://dlpserver:11344/respmod
ACOS-Inside(config-respmod-icap)# template server-ssl ssl

4. Bind the ICAP templates to the HTTPS virtual port of the wildcard VIP configured in the “Two-
Device Static-HTTPS-Port SSLi Configuration” on page 31. The two template commands are the
binding command lines.

ACOS-Inside(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd
ACOS-Inside(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd
ACOS-Inside(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS-Inside(config-slb vserver-vport)# no-dest-nat port-translation

NOTE: The order of packet processing for HTTP Layer 7 virtual ports is
described in the “Usage Guidelines” section of the port command (virtual
server configuration mode/level) in the Config Commands: SLB Virtual
Servers document.

5. When you bind an ICAP template to the HTTP or HTTPS port of a virtual server, you are configur-
ing the ACOS device to operate as an ICAP client. This enables the ACOS device to forward
decrypted intercepted traffic to the ICAP servers specified in the template.

Using the GUI


Configure the RESPMOD and REQMOD templates.


1. Navigate to ADC >> Templates >> L7 Protocols.
2. To begin the creation of the RESPMOD template, click the + Create button and select RESPMOD.
3. When the Create RESPMOD Template pop-up window appears, the only required field is the
Name of the template. In this example we configure the following fields:
a. The previously configured service group, SG_ICAP provides a path over which ACOS can con-
nect to the RESPMOD and REQMOD servers. Select SG_ICAP for the Service Group field.
b. The URL of the RESPMOD server is entered as service-url icap://dlpserver:1344/respmod.
4. Click the Create button to complete the creation of the RESPMOD template.
5. To begin the creation of the REQMOD template, click the + Create button and select REQMOD.
6. When the Create REQMOD Template pop-up window appears, the only required field is the
Name of the template. In this example we configure the following fields:
a. The previously configured service group, SG_ICAP provides a path over which ACOS can con-
nect to the RESPMOD and REQMOD servers. Select SG_ICAP for the Service Group field.
b. The URL of the REQMOD server is entered as service-url icap://dlpserver:1344/reqmod.
7. Click the Create button to complete the creation of the REQMOD template.

For a static-port SSLi configuration in which there is an inside virtual server and an outside virtual
server in separate partitions or configured on separate ACOS devices, the following steps bind the
RESPMOD and REQMOD templates to the inside VIP to enable ICAP RESPMOD and REQMOD services.

Bind the RESPMOD and REQMOD templates to the inside SSLi VIP.

1. Navigate to Security >> SSLi >> Services.
2. Assuming SSLi is already configured, click the Edit button of the inside VIP.
3. When the Update SSLi Service pop-up window appears, click the Edit button of the https 443
virtual port.
4. When the Update SSLi Service Port pop-up window appears, click More Options...
5. Notice that the client-ssl template that you previously configured on the inside SSLi virtual server
appears.
6. In the Templates field, select reqmod-icap from the drop-down list and then click the +Add but-
ton.
7. A new row should appear for the reqmod-icap template above the client-ssl row. For the Name of
the reqmod-icap template, select REQMOD_abcd which was created above. Click Apply to bind
the template to the port.
8. To bind the RESPMOD_abcd template to the port, select respmod-icap, and click +Add.
9. Select RESPMOD_abcd (also created above) and click Apply to bind the template to the port.


Configuring Basic ICAP on the Outside Partition/Device


The following example shows ICAP configured on the outside ACOS device.

The ICAP templates (the two template reqmod-icap and template respmod-icap lines) are bound to
virtual port 8080 because that is the port that receives decrypted SSL traffic.

ACOS-Outside(config)# slb virtual-server Outside_VIP 0.0.0.0 acl 101
ACOS-Outside(config-slb vserver)# port 8080 http
ACOS-Outside(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Outside(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS-Outside(config-slb vserver-vport)# template server-ssl SSLInsight_ServerSide
ACOS-Outside(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd
ACOS-Outside(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd
ACOS-Outside(config-slb vserver-vport)# exit

ICAP Show Commands


Use the show slb icap and show slb icap-http commands to view the ICAP counters and ICAP-HTTP
block counters.

The show slb icap command displays statistics that include both blocked and unblocked traffic.

The show slb icap-http command displays the statistics specific to ICAP-blocked traffic. When the
ICAP server blocks traffic, it sends an HTTP response to ACOS.

ICAP Configuration Options


The following topics are covered in this section:

• Pre-Filtering Traffic Before ICAP

• Include Protocol and Port in HTTP URI

• ICAP Templates Configuration Options in the CLI


Pre-Filtering Traffic Before ICAP


In some scenarios, you may wish to control what traffic you forward to ICAP and what traffic bypasses
ICAP. Filtered traffic bypasses ICAP.

• Allowed HTTP methods

The allowed-http-methods command is a REQMOD template option that specifies what HTTP traf-
fic methods are forwarded to ICAP servers. By default, all methods are forwarded. The GUI equiva-
lent field is Allowed HTTP Methods.
• Minimum payload size

The min-payload-size command is a REQMOD and RESPMOD template option that specifies the
smallest payload size that is forwarded to ICAP servers. By default, payloads that are smaller than
4096 bytes bypass ICAP. The GUI equivalent field is Min Payload Size.

Include Protocol and Port in HTTP URI


When a connection request is forwarded through HTTPS transparent proxy (such as ACOS SSLi), ICAP
forwards the entire URL (including URL scheme and FQDN) of the site requested.

In the scenario where there is a web proxy with authentication, you can configure the web proxy to
relay the user information and configure ICAP on the outside ACOS device. (See Figure 33.) The
following example illustrates this scenario in the configuration steps below.

FIGURE 33 ICAP Services in a Proxy Chain Topology

1. To provision the outside VIP to relay the original port and protocol that was changed during
decryption functions, the ICAP templates are configured with the include-protocol-in-uri com-
mand.

ACOS(config)# slb template reqmod-icap REQMOD_abcd
ACOS(config-reqmod-icap)# include-protocol-in-uri

ACOS(config)# slb template respmod-icap RESPMOD_abcd
ACOS(config-respmod-icap)# include-protocol-in-uri

ACOS-Outside(config)# slb virtual-server Outside_VIP 0.0.0.0 acl 101
ACOS-Outside(config-slb vserver)# port 8080 http
ACOS-Outside(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Outside(config-slb vserver-vport)# service-group DG_SSL_SG
ACOS-Outside(config-slb vserver-vport)# template server-ssl SSLInsight_ServerSide
ACOS-Outside(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd
ACOS-Outside(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd
ACOS-Outside(config-slb vserver-vport)# exit

2. To use the include-protocol-in-uri for ICAP on the outside ACOS device (or re-encrypt partition),
you also need to have the X-Protocol-Port header injected on the inside ACOS device (or decrypt
partition) via HTTP template.

ACOS-Inside(config)# slb template http insert_port
ACOS-Inside(config-http)# request-header-insert "X-Protocol-Port: https 443"

3. Apply the HTTP template under the virtual port 443 https of the inside ACOS device.

ACOS-Inside(config)# slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS-Inside(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Inside(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-slb vserver-vport)# template http insert_port

ICAP Templates Configuration Options in the CLI


The following REQMOD template options are described in detail in the “Config Commands: SLB REQ-
MOD ICAP Templates” chapter of the Command Line Interface Reference for ADC.

• allowed-http-methods - List of allowed HTTP methods
• fail-close - Mark the virtual port down when the template service group is down
• include-protocol-in-uri - Include the protocol and port in the HTTP URI sent to the ICAP server
• min-payload-size - Set the minimum payload size sent to the ICAP server
• preview - The number of bytes that ACOS forwards to the ICAP server at the beginning of a
transaction
• service-group - The names of the ICAP service groups
• service-url - The URLs of the ICAP servers
• template - ACOS logging, server-ssl, and tcp-proxy templates applied to ICAP transactions


The following RESPMOD template options are described in greater detail in the “Config Commands:
SLB RESPMOD ICAP Templates” chapter of the Command Line Interface Reference for ADC.

• fail-close - Mark the virtual port down when the template service group is down
• include-protocol-in-uri - Include the protocol and port in the HTTP URI sent to the ICAP server
• min-payload-size - Set the minimum payload size sent to the ICAP server
• preview - The number of bytes that ACOS forwards to the ICAP server at the beginning of a transac-
tion
• service-group - The names of the ICAP service groups
• service-url - The URLs of the ICAP servers
• template - ACOS logging, server-ssl, and tcp-proxy templates applied to ICAP transactions

Configuring ACOS Logging in ICAP Templates


The following steps provision ACOS logging in the ICAP templates, RESPMOD_abcd and REQMOD_abcd:

1. Create the logging template:

ACOS-Inside(config)# slb template logging log-template
ACOS-Inside(config-logging)# local-logging 1

2. Bind the logging template to the ICAP templates:

ACOS-Inside(config)# slb template reqmod-icap REQMOD_abcd
ACOS-Inside(config-reqmod-icap)# template logging log-template
!
ACOS-Inside(config)# slb template respmod-icap RESPMOD_abcd
ACOS-Inside(config-respmod-icap)# template logging log-template

3. Configure the ICAP service URL. You have two choices:

a. Use TCP port 1344 for a non-secure connection:

ACOS-Inside(config)# slb template reqmod-icap REQMOD_abcd
ACOS-Inside(config-reqmod-icap)# service-url icap://dlpserver:1344/reqmod
!

b. Or use TCP port 11344 for a secure ICAP connection:

ACOS-Inside(config)# slb template reqmod-icap Secure_ICAP_Req
ACOS-Inside(config-reqmod-icap)# service-url icap://dlpserver:11344/reqmod

Example Logs
The following two logs provide an example of an ICAP transaction between an ACOS TH5430 and a
RESPMOD server. Web logging is described in detail in the “Web Logging for HTTP and RAM Caching”
section of the Application Delivery and Server Load Balancing Guide.

CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:42|RESPONSE|2|src=40.36.1.176 spt=55906 dst=40.36.108.108 Status:200 user:(null) req="POST https://clients1.google.com:443/tbproxy/af/query?client=Google%20Chrome HTTP/1.1 " 0 msg="RESPMOD"

CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:42|REQUEST|2|src=40.36.1.176 spt=55906 dst=40.36.108.108 Sent user:(null) req="POST https://clients1.google.com:443/tbproxy/af/query?client=Google%20Chrome HTTP/1.1 " 0 msg="RESPMOD"
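A parser for the CEF lines above, added here as an example (not ACOS or A10 code): it extracts the ICAP fields from each line and pairs every REQUEST record with its RESPONSE record per flow, so a log collector can spot flows with no ICAP verdict or a non-200/204 status. The helper names are hypothetical, the header field order follows the two lines above, and the sample lines are constructed copies of that format rather than a fresh capture.

```python
# Added example, not ACOS code: parse ACOS ICAP web-logging CEF lines and
# pair REQUEST/RESPONSE records per flow. parse_icap_cef(), pair_transactions()
# and unanswered_or_failed() are hypothetical names; SAMPLE_LINES are
# constructed after the two log lines shown above.
import re
from dataclasses import dataclass
from typing import Optional

# Extension tokens look like key=value, key:value, or key="quoted value".
_EXT_TOKEN = re.compile(r'(\w+)[=:](?:"([^"]*)"|(\S+))')


@dataclass
class IcapCefRecord:
    product: str
    timestamp: str
    direction: str          # REQUEST (sent to ICAP) or RESPONSE (ICAP verdict)
    severity: int
    src: str
    spt: int
    dst: str
    mode: str               # REQMOD or RESPMOD, taken from msg=
    request_line: str       # the HTTP request line carried in req=
    status: Optional[int]   # ICAP status; present only on RESPONSE lines


def parse_icap_cef(line):
    """Parse one ACOS ICAP CEF line; return None for lines in another format."""
    if not line.startswith("CEF:"):
        return None
    # Header order as in the lines above: CEF version, vendor, product,
    # version, signature id, timestamp, direction, severity, extension.
    fields = line.rstrip("\n").split("|", 8)
    if len(fields) != 9:
        return None
    _, _vendor, product, _version, _sig, timestamp, direction, severity, ext = fields
    kv = {}
    for key, quoted, plain in _EXT_TOKEN.findall(ext):
        kv[key.lower()] = quoted if quoted else plain
    status = int(kv["status"]) if "status" in kv else None
    return IcapCefRecord(product, timestamp, direction, int(severity),
                         kv.get("src", ""), int(kv.get("spt", 0)), kv.get("dst", ""),
                         kv.get("msg", ""), kv.get("req", "").strip(), status)


def pair_transactions(lines):
    """Group records by flow key (src, spt, dst, mode) -> {"sent", "status", "request"}."""
    flows = {}
    for line in lines:
        rec = parse_icap_cef(line)
        if rec is None:
            continue
        key = (rec.src, rec.spt, rec.dst, rec.mode)
        entry = flows.setdefault(key, {"sent": False, "status": None,
                                       "request": rec.request_line})
        if rec.direction == "REQUEST":
            entry["sent"] = True
        elif rec.direction == "RESPONSE":
            entry["status"] = rec.status
    return flows


def unanswered_or_failed(flows):
    """Flow keys whose REQUEST got no RESPONSE, or whose ICAP status is not 200/204."""
    return [key for key, entry in flows.items() if entry["status"] not in (200, 204)]


# Constructed sample lines in the format shown above (third flow added to
# show an ICAP request that never received a verdict).
SAMPLE_LINES = [
    'CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:42|REQUEST|2|src=40.36.1.176 spt=55906 '
    'dst=40.36.108.108 Sent user:(null) req="POST https://clients1.google.com:443/tbproxy/af/'
    'query?client=Google%20Chrome HTTP/1.1 " 0 msg="RESPMOD"',
    'CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:42|RESPONSE|2|src=40.36.1.176 spt=55906 '
    'dst=40.36.108.108 Status:200 user:(null) req="POST https://clients1.google.com:443/tbproxy/af/'
    'query?client=Google%20Chrome HTTP/1.1 " 0 msg="RESPMOD"',
    'CEF:1|A10|TH5430S|4.1.0|ES|Feb 01 2016 08:18:43|REQUEST|2|src=40.36.1.177 spt=41022 '
    'dst=40.36.108.108 Sent user:(null) req="GET https://example.com:443/ HTTP/1.1 " 0 msg="REQMOD"',
    'not a cef line',
]


if __name__ == "__main__":
    for key in unanswered_or_failed(pair_transactions(SAMPLE_LINES)):
        print("no ICAP verdict or non-200/204 status for flow", key)
```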

ICAP Usage Guidelines


ICAP with proxy chaining is not supported on the same ACOS device.

Related Information
ACOS supports Internet Content Adaptation Protocol (ICAP) services on HTTP and HTTPS sessions. In
other words, ACOS devices can be configured to conform to the ICAP client recommendations in
RFC 3507.

RFC 3507, Internet Content Adaptation Protocol (ICAP)

• “SLB Show Commands”

The “Common Event Format (CEF)” section of the DC-Firewall and Gi-Firewall Configuration Guide.


SSL Certificate Management and Options

The following topics are covered in this chapter:

• SSL Certificate Management

• Managing CAs and CSRs

SSL Certificate Management


This chapter describes managing SSL certificates, private keys, and Certificate Revocation Lists
(CRLs). An ACOS device can offload SSL processing from servers or, for some types of traffic, can be
used as an SSL proxy.

This section presents the following topics:

• SSL Certificate Management Overview

• CA Certificate Versus SSL Certificate

• The SSL Process

• SSL Templates

• TLS Server Name Indication (SNI) Support

• TLS 1.3 Support for Software SSL

SSL Certificate Management Overview


Some types of client-server traffic need to be encrypted for security. For example, traffic for online
shopping must be encrypted to secure sensitive account information from being stolen.

Commonly, clients and servers use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to
secure traffic. For example, a client that is using a shopping application on a server will encrypt data
before sending it to the server. The server will decrypt the client’s data, then send an encrypted reply to
the client. The client will decrypt the server reply, and so on.

• SSL is an older version of TLS. The ACOS device supports the following SSL and TLS versions:

• SSL v3.0
• TLS v1.0 (the default)


• TLS v1.1
• TLS v1.2
• TLS v1.3
• ACOS supports RFC 3268, AES Cipher suites for TLS. For simplicity, elsewhere this document
and other ACOS user documents use the term “SSL” to mean both SSL and TLS.
• ACOS supports secure renegotiation of client-server TLS connections, as described in RFC 8446,
Transport Layer Security (TLS) Renegotiation Indication Extension. Support for the
renegotiation_info TLS extension is included. Secure TLS renegotiation allows ACOS to securely
renegotiate TLS connections with clients, using existing secure connections. RFC 8446 support
is automatically enabled for client-server TLS sessions.
• ACOS supports Privacy Enhanced Mail (PEM) format for certificate files and CRLs. ACOS SSL
processing supports PEM format and RSA encryption.

CA Certificate Versus SSL Certificate


Although both terms, CA certificate and SSL certificate, refer to certificates used in the SSL protocol,
ACOS reserves the term SSL certificate for self-signed certificates that are used to create proxied
certificates for SSL handshaking with clients in the SSLi, SSL Proxy, or SSL offload applications. SSL
certificates require a private key to be proxied.

CA certificates are issued by publicly recognized certificate authorities. These certificates are used for
other purposes.

The SSL Process


SSL works using certificates and keys. Typically, a client will begin a secure session by sending an
HTTPS request to a VIP. The request begins an SSL handshake. The ACOS device will respond with a
digital certificate, to provide verification of the content server’s identity. From the client’s perspective,
this certificate comes from the server. Once the SSL handshake is complete, the client begins an
encrypted client-server session with the ACOS device.

Figure 34 shows a simplified example of an SSL handshake. In this example, the ACOS device is acting
as an SSL proxy for backend servers.


FIGURE 34 Typical SSL Handshake (simplified)

To begin, the client sends an HTTPS request. The request includes some encryption details such as the
cipher suites supported by the client.

The ACOS device, on behalf of the server, checks for a client-SSL template bound to the VIP. If a client-
SSL template is bound to the VIP, the ACOS device sends all the digital certificates contained in the
template to the client.

The client browser checks its certificate store (sometimes called the certificate list) for a copy of the
server certificate. If the client does not have a copy of the server certificate, the client will check for a
certificate from the Certificate Authority (CA) that signed the server certificate.

Certificate Chain
Ultimately, a certificate must be validated by a root CA. Certificates from root CAs are the most trusted.
They do not need to be signed by a higher (more trusted) CA.


If the CA that signed the certificate is a root CA, the client browser needs a copy of the root CA’s
certificate. If the CA that signed the server certificate is not a root CA, the client browser should have
another certificate or a certificate chain that includes the CA that signed the intermediate CA’s
certificate.

A certificate chain contains the “chain” of signed certificates that leads from the CA to the signature
authority that signed the certificate for the server. Typically, the certificate authority that signs the
server certificate also will provide the certificate chain. Figure 35 shows an example of a certificate
chain containing three certificates:

FIGURE 35 SSL Certificate Chain Example

-----BEGIN CERTIFICATE-----
ZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRw
Oi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQAD
gYEAheIVEe8vArUOZxKkUIGjaYymzJAh8Ty0uUPrikLpQ0IGezByVdbDUJ+HQLGp
2eruTPZpBNADaEfymstIPIxrsuCRhyr3Ymsa2rgzwy9kSXeG83H7E7HxRnpxDNZ8
l+uzpU/rk4j3bO/JVxPZMnwzMWriPSYgL1EKYcOSKyReACOSQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRw
Oi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQAD
gYEAheIVEe8vArUOZxKkUIGjaYymzJAh8Ty0uUPrikLpQ0IGezByVdbDUJ+HQLGp
2eruTPZpBNADaEfymstIPIxrsuCRhyr3Ymsa2rgzwy9kSXeG83H7E7HxRnpxDNZ8
l+uzpU/rk4j3bO/JVxPZMnwzMWriPSYgL1EKYcOSKyReACOSQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRw
Oi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQAD
gYEAheIVEe8vArUOZxKkUIGjaYymzJAh8Ty0uUPrikLpQ0IGezByVdbDUJ+HQLGp
2eruTPZpBNADaEfymstIPIxrsuCRhyr3Ymsa2rgzwy9kSXeG83H7E7HxRnpxDNZ8
l+uzpU/rk4j3bO/JVxPZMnwzMWriPSYgL1EKYcOSKyReACOSQ=
-----END CERTIFICATE-----

The certificate chain file and the server certificate files are text files. Each certificate must begin with
the “-----BEGIN CERTIFICATE-----” line and end with the “-----END CERTIFICATE-----” line.

The certificate at the top of the certificate chain file is the root CA’s certificate. The next certificate is an
intermediary certificate signed by the root CA. The next certificate is signed by the intermediate
signature authority that was itself signed by the root CA.

A certificate chain in an SSL template must begin at the top with the root CA’s certificate, followed in
order by the intermediary certificates. If the certificate authority that signs the server certificate does
not provide the certificate chain in a single file, you can use a text editor to chain the certificates
together in a single file as shown in Figure 35.


Certificate Warning from Client Browser


After the client browser validates the server certificate, the client accepts the certificate and begins an
encrypted session with the ACOS device.

If the client cannot validate the server certificate or the certificate is out of date, the client’s browser
may display a certificate warning. Figure 36 shows an example of a certificate warning displayed by
Internet Explorer.

FIGURE 36 Example of Certificate Warning

NOTE: It is normal for the ACOS device to display a certificate warning when an
admin accesses the ACOS management GUI. Certificates used for SLB
are not used by the management GUI.

CA-Signed and Self-Signed Certificates


Typically, clients have a certificate store that includes certificates signed by the various root CAs. The
certificate store may also have some non-CA certificates that can be validated by a root CA certificate,
either directly or through a chain of certificates that end with a root certificate.

Each certificate is digitally “signed” to validate its authenticity. Certificates can be CA-signed or self-
signed:

• CA-signed – A CA-signed certificate is a certificate that is created and signed by a recognized
Certificate Authority (CA). To obtain a CA-signed certificate, an admin creates a key and a Certifi-
cate Signing Request (CSR), and sends the CSR to the CA. The CSR includes the key.
The CA then creates and signs a certificate. The admin installs the certificate on the ACOS device.
When a client sends an HTTPS request, the ACOS device sends a copy of the certificate to the cli-
ent, to verify the identity of the server (ACOS device).


To ensure that clients receive the required chain of certificates, you also can send clients a certifi-
cate chain in addition to the server certificate. (See “Certificate Chain” on page 279.)
The example in Figure 34 on page 279 uses a CA-signed certificate.
• Self-signed – A self-signed certificate is a certificate that is created and signed by the ACOS
device. A CA is not used to create or sign the certificate.

CA-signed certificates are considered to be more secure than self-signed certificates. Likewise, clients
are more likely to be able to validate a CA-signed certificate than a self-signed certificate. If you config-
ure the ACOS device to present a self-signed certificate to clients, the client’s browser may display a
certificate warning. This can be alarming or confusing to end users. Users can select the option to trust
a self-signed certificate, in which case the warning will not re-appear.

SSL Templates
You can install more than one key-certificate pair on the ACOS device. The ACOS device selects the
certificate(s) to send a client or server based on the SSL template bound to the VIP. You can bind the
following types of SSL templates to VIPs:

• Client-SSL template – Contains keys and certificates for SSL-encrypted traffic between clients
and the ACOS device. A client-SSL template can also contain a certificate chain.
• Server-SSL template – Contains CA certificates for SSL-encrypted traffic between servers and
ACOS device.

NOTE: If you replace a certificate and key in a client-SSL or server-SSL template,
you must unbind the template from the virtual ports that use it, then
rebind the template to the virtual ports, to place the change into effect.

One client-SSL template can have two certificate-key pairs configured.
Thus, once a certificate-key pair is configured, to update its certificate or
key, remove the old one and then add the new one.

Client-SSL Template Configuration and Usage Guidelines


Use client-SSL templates for deployments in which traffic between clients and the ACOS device will be
SSL-encrypted. Client-SSL templates have the following options.

For the simple deployment example in Figure 34 on page 279, only the first option (Certificate) needs to
be configured. You may also need to configure the Certificate chain option.

A client-SSL template can contain up to 128 certificates or certificate chains.

• Certificate – Specifies the server certificate that the VIP will send to a client when configured for
SSL proxy, SSL offload, or SSLi operation. The client uses this certificate to validate the server’s

identity. The certificate can be generated on the ACOS device (self-signed) or can be signed by
another entity and imported onto the ACOS device.
Only one certificate can be associated with the client-SSL template. Use the show pki cert
command to show the list of certificates and private keys stored on the ACOS device.
• Key – Specifies the name of a private key for a server certificate. If the CSR used to request the
server certificate is generated on the ACOS device, the private key is automatically generated by
the ACOS device, and then the private key is used to create the public key sent to the CA in the
CSR. Otherwise, the key must be imported.
Only one key can be associated with the client-SSL template. Use the show pki cert command to
show the list of certificates and private keys stored on the ACOS device.
• Certificate chain – Specifies a named set of server certificates beginning with a root CA certifi-
cate, and containing all the intermediary certificates in the authority chain that ends with the
authority that signed the server certificate. (See “Certificate Chain” on page 279.)
• CA-Certificate – Specifies a CA certificate that the ACOS device can use to authenticate the iden-
tity of a client that is requesting to connect to the ACOS device. If CA certificates are required, they
must be imported onto the ACOS device. The ACOS device is not configured at the factory to con-
tain a certificate store.
Multiple CA certificates can be associated with the client-SSL template. Use the show pki ca-cert
command to show the list of CA certificates.
• Certificate Revocation List (CRL) – Specifies a list of client certificates that have been revoked by
the CAs that signed them. This option is applicable only if the ACOS device will be required to val-
idate the identities of clients.
The CRL should be signed by the same issuer as the CA certificate. Otherwise, the client and ACOS
device will not be able to establish a connection.
• SSLv2 bypass – Redirects clients who request SSLv2 sessions to the specified service group.

• Client connection-request response – Specifies the ACOS response to connection requests from
clients. This option is applicable only if the ACOS device will be required to validate the identities
of clients. The response can be one of the following:
• ignore (default) – The ACOS device does not request the client to send its certificate.
• request – The ACOS device requests the client to send its certificate. With this action, the SSL
handshake proceeds even if either of the following occurs:
• The client sends a NULL certificate (one with zero length).
• The certificate is invalid, causing client verification to fail.
Use this option if you want the request to trigger an aFleX policy for further processing.
• require – The ACOS device requires the client certificate. This action requests the client to send
its certificate. However, the SSL handshake does not proceed (it fails) if the client sends a NULL
certificate or the certificate is invalid.

• Session cache size – Specifies the maximum number of cached sessions for SSL session ID
reuse.
• Session cache timeout – Sets the maximum number of seconds a cache entry can remain
unused before being removed from the cache. Cache entries age according to the ticket age
time. The age time is not reset when a cache entry is used.
• Session ticket lifetime – Sets the lifetime for stateless SSL session ticketing. After a client’s SSL
ticket expires, they must complete an SSL handshake in order to set up the next secure session
with ACOS.
• Close-notify – Specifies whether the ACOS device sends a close_notify message when an SSL
transaction ends, before sending a FIN. This behavior is required by certain types of applications,
including PHP cgi.
• SSL False Start – Specifies whether SSL False Start is enabled. SSL False Start is an SSL modifi-
cation used by the Google Chrome browser for web optimization.

NOTE: The following ciphers are not supported with SSL False Start:

SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_EXPORT1024_RC4_56_MD5

If no other ciphers but these are enabled in the client-SSL template, SSL
False Start handshakes will fail.

• Cipher – Name of a cipher template containing a set of ciphers to use with clients. By default, the
client-SSL template’s own set of ciphers is used. (See “Cipher Template Configuration and Usage
Guidelines” on page 286.)
• Forward proxy options – Options that are used for SSL Insight.

• Authentication username attribute – Specifies the field to check in SSL certificates from clients,
to find the client name.
• Cipher Template – Specifies the cipher suites supported by the ACOS device. When the client
sends its connection request, it also sends a list of the cipher suites it can support. The ACOS
device selects the strongest cipher suite supported by the client that is also enabled in the tem-
plate, and uses that cipher suite for traffic with the client. For a list of supported ciphers, refer to
the slb template cipher command in the Command Line Interface Reference.

Server-SSL Template Configuration and Usage Guidelines


A server-SSL template is needed only if traffic between the ACOS device and real servers will be
encrypted using SSL. In this case, the ACOS device will be required to validate the identities of the serv-
ers.

• CA-Certificate – Specifies a CA certificate that the ACOS device can use to authenticate the iden-
tity of a server the ACOS device is connecting to. If CA certificates are required, they must be
imported onto the ACOS device. The ACOS device is not configured at the factory to contain a
certificate store.
Multiple CA certificates can be associated with the template. Use the show pki ca-cert
command to show the list of CA certificates. (If you need to use multiple CA certificates in a server-
SSL template, see “Multiple CA Certificate Support in Server-SSL Templates” on page 305.)
• Certificate – Specifies a client certificate that the ACOS device will send to a server when
requested for client authentication. In SSL proxy and SSL Insight, when a server requests a cli-
ent’s digital certificate, the ACOS device responds on behalf of the client. Following successful
authentication, the server and ACOS device communicate over an SSL-encrypted session.
In SSL Proxy, the client and ACOS device communicate over a non-encrypted session. From the
server’s perspective, the server has an encrypted session with the client.
In SSL Insight, the client and ACOS device communicate over an encrypted session. From the
client’s and the server’s perspective, the SSL session is fully encrypted.
• Key – Specifies a private key for the client certificate.

• SSL version – Highest (most secure) version of SSL/TLS to use. The ACOS device supports the
following SSL/TLS versions:
• SSL v3.0
• TLS v1.0 (the default)
• TLS v1.1
• TLS v1.2
• TLS v1.3
• Close notification – Specifies whether the ACOS device sends a close_notify message when an
SSL transaction ends, before sending a FIN. This behavior is required by certain types of applica-
tions, including PHP cgi.
The close notification option may not work if connection reuse is also configured on the same vir-
tual port. In this case, when the server sends a FIN to the ACOS device, the ACOS device will not
send a FIN followed by a close notification. Instead, the ACOS device will send a RST.
• Cipher template – Name of a cipher template containing a set of ciphers to use with servers. By
default, the server-SSL template’s own set of ciphers is used. (See “Cipher Template Configura-
tion and Usage Guidelines” on page 286.)
• Forward proxy – Enables support for capabilities required for SSL Intercept.

• Session cache size – Specifies the maximum number of cached sessions for SSL session ID
reuse.

• Session cache timeout – Sets the maximum number of seconds a cache entry can remain
unused before being removed from the cache. Cache entries age according to the ticket age
time. The age time is not reset when a cache entry is used.
• Session ticket lifetime – Sets the lifetime for stateless SSL session ticketing. After an SSL ticket
expires, the SSL handshake must be performed again in order to set up the next secure session
with ACOS.
• Cipher list – Specifies the cipher suites supported by the ACOS device. When the server sends its
connection request, it also sends a list of the cipher suites it can support. The ACOS device
selects the strongest cipher suite supported by the server that is also enabled in the template
and uses that cipher suite for traffic with the server. The same cipher suites supported in client-
SSL templates are supported in server-SSL templates, for CA certificates. Support for all of them
is enabled by default.

NOTE: For client certificates, the key length for SSL3_RSA_DES_40_CBC_SHA
and SSL3_RSA_RC4_40_MD5 must be 512 bits or less. The
TLS1_RSA_EXPORT1024_RC4_56_MD5 and TLS1_RSA_EXPORT1024_RC4_56_SHA
ciphers are not supported.

Cipher Template Configuration and Usage Guidelines


A cipher template contains a list of ciphers. A client or server that connects to a virtual port that uses
the cipher template can use only the ciphers that are listed in the template.

Optionally, you can assign a priority value to each cipher in the template. In this case, the ACOS device
tries to use the ciphers based on priority. If the client supports the cipher that has the highest priority,
that cipher is used. If the client does not support the highest-priority cipher, the ACOS device attempts
to use the cipher that has the second-highest priority, and so on.

Cipher priority can be 1-100. The highest priority (most favored) is 100. By default, each cipher has pri-
ority 1. More than one cipher can have the same priority. In this case, the strongest (most secure)
cipher is used.

Notes

• An SSL cipher template takes effect only when applied to a client-SSL template or server-SSL
template.
• When you apply (bind) a cipher template to a client-SSL or server-SSL template, the settings in
the cipher template override any cipher settings in that client-SSL or server-SSL template.
• Priority values are supported only for client-SSL templates. If a cipher template is used by a
server-SSL template, the priority values in the cipher template are ignored.
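The priority and tie-breaking rules above, as an added example that is not A10's code: a small Python model of how a cipher template resolves the negotiated cipher, including the rule that priorities are ignored when the template is used by a server-SSL template. The STRENGTH ranking is an assumption for illustration (the guide does not publish ACOS's internal ordering), and TLS_AES_128_GCM_SHA256 is a standard TLS 1.3 suite not named on this page.

```python
"""Model of ACOS cipher selection with cipher-template priorities.

Added example, not ACOS code. Priorities are 1-100 (100 most favored, default
1); ties are broken by strength; priorities are ignored for server-SSL
templates. The STRENGTH ranking below is an assumption for illustration.
"""
from typing import Dict, List, Optional

# Assumed relative strength (higher = stronger). The export/40-bit suite names
# and TLS_AES_256_GCM_SHA384 appear in this guide; TLS_AES_128_GCM_SHA256 is a
# standard TLS 1.3 suite added for the example.
STRENGTH: Dict[str, int] = {
    "TLS_AES_256_GCM_SHA384": 90,
    "TLS_AES_128_GCM_SHA256": 80,
    "SSL3_RSA_DES_64_CBC_SHA": 8,
    "TLS1_RSA_EXPORT1024_RC4_56_MD5": 5,
    "SSL3_RSA_RC4_40_MD5": 2,
}

DEFAULT_PRIORITY = 1


def select_cipher(offered: List[str], template: Dict[str, int],
                  server_ssl: bool = False) -> Optional[str]:
    """Return the cipher ACOS would negotiate, or None if there is no overlap.

    offered    - cipher suites the peer (client or server) advertised
    template   - cipher template: suite name -> priority (1-100)
    server_ssl - True when the cipher template is bound to a server-SSL
                 template, where priority values are ignored and strength
                 alone decides
    """
    eligible = [c for c in offered if c in template]
    if not eligible:
        return None

    def rank(cipher: str):
        prio = DEFAULT_PRIORITY if server_ssl else template[cipher]
        return (prio, STRENGTH.get(cipher, 0))

    return max(eligible, key=rank)


def weak_suite_wins(offered: List[str], template: Dict[str, int]) -> bool:
    """Audit helper: True if the configured priorities let a weaker suite beat
    a stronger one the peer also offered (a mis-set priority value)."""
    chosen = select_cipher(offered, template)
    if chosen is None:
        return False
    strongest = max((c for c in offered if c in template),
                    key=lambda c: STRENGTH.get(c, 0))
    return STRENGTH.get(chosen, 0) < STRENGTH.get(strongest, 0)


if __name__ == "__main__":
    # Constructed template: a high priority on two legacy suites
    tpl = {"TLS_AES_256_GCM_SHA384": 1, "SSL3_RSA_RC4_40_MD5": 50,
           "TLS1_RSA_EXPORT1024_RC4_56_MD5": 50}
    hello = ["SSL3_RSA_RC4_40_MD5", "TLS_AES_256_GCM_SHA384",
             "TLS1_RSA_EXPORT1024_RC4_56_MD5"]
    print(select_cipher(hello, tpl))                   # client-SSL: priority 50 wins
    print(select_cipher(hello, tpl, server_ssl=True))  # server-SSL: strongest wins
    print(weak_suite_wins(hello, tpl))                 # True: audit flag
```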

SSLi Connection Buffering During Certificate Fetching and Forging


In earlier SSLi deployments, when a server certificate fetch request was sent to a server for a new
connection, incoming new SSLi connection requests to the same server were either bypassed or reset
(based on configuration) until the server certificate was forged and ready.

However, this behavior may cause a security breach, especially during initial connections when a
cached certificate has expired and all subsequent connections are either reset or bypassed until a new
forged certificate is ready.

As a solution to this issue, a new configuration option is available in the client-SSL template that
buffers all new connections to a server until the forged certificate is ready. In an SSLi deployment with
OCSP and CRL checking implemented, the new connections are buffered until a verification result
response is received from the server.

NOTE: The default option for this SSLi configuration is to bypass all new
connections. Hence, in order to buffer the new connections from a
server, the SSLi connection buffer option must be enabled either through
the ACOS CLI or ACOS GUI.

For the certificate not ready option, the following is the output of the help command.

ACOS_decrypt(config-client ssl)#forward-proxy-cert-not-ready-action ?
  bypass      bypass the connection(default)
  reset       reset the connection
  intercept   wait for cert and then inspect the connection

Enabling SSLi Connection Buffering in ACOS CLI


To enable SSLi connection buffering in CLI, perform the following steps:

1. Configure the client SSL template called SSLInsight_DecryptSide by running the following
commands:
ACOS_decrypt(config)# slb template client-ssl SSLInsight_DecryptSide
ACOS_decrypt(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS_decrypt(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS_decrypt(config-client ssl)# forward-proxy-enable

2. Enable the option for intercept for the certificate not ready stage.
ACOS_decrypt(config-client ssl)# forward-proxy-cert-not-ready-action intercept

3. Save the configuration.

Enabling SSLi Connection Buffering in ACOS GUI


For SSLi, perform the following steps:

1. Navigate to Security > SSLi > Templates > +Create.
The Create Client SSL template page is displayed.
2. Enter the name of the template.
3. Select Forward Proxy Enable.
4. Under SSLi Forward Proxy, select the CA cert and Key.
5. Under Advanced, select Intercept for Forward Proxy Cert Not Ready Action.
6. Click Create to create the template.

For ADC, perform the following steps:

1. Navigate to ADC >> Templates >> SSL >> Create >> Client SSL.
The Create Client SSL template page is displayed.
2. Enter the name of the template.
3. Select Intercept for Forward Proxy Cert Not Ready Action.
4. Continue with the other fields to create the template.

TLS Server Name Indication (SNI) Support


The ACOS device supports the Server Name Indication (SNI) extension for Transport Layer Security
(TLS). The SNI extension enables servers that manage content for multiple domains at the same IP
address to use a separate server certificate for each domain. One use case for this feature is support-
ing web hosting services. The device supports static and dynamic SNI extension mapping.

To support SNI extensions, the ACOS device allows you to add multiple certificates to a single client-
SSL template, and map individual certificates to their domain names.

Default Certificate and Key


The client-SSL template must contain one certificate and private key pair that is not mapped to a
domain. The unmapped certificate and key are the default certificate and key for the template. The
ACOS device uses the default template for negotiating the SSL session with the client.

If the client includes the SNI extension in its hello message, the ACOS device uses the certificate that is
mapped to the domain requested by the client. Otherwise, the ACOS device uses the default certificate.

SNI Extension Support


This section describes the available SNI extension support methods: static and dynamic.
When an SNI extension matches multiple entities, the selection is based on the following precedence:

1. SNI extension matches a static mapping configured with the server-name command.
2. SNI extension matches a static mapping configured with the server-name-regex command.
3. SNI extension matches a dynamic mapping.

When an SNI extension does not match any of these entities, or the client hello does not contain an SNI
extension, the default cert-key pair is used.

Static SNI Extension Support

You can configure up to 1024 certificate-to-domain mappings in a client-SSL template. Each mapping
is configured using the server-name or the server-name-regex command at the configuration level for
the client-SSL template.

Dynamic SNI Extension Support

When dynamic SNI extension support is enabled, a certificate-to-domain mapping is created
automatically when the device holds a certificate and key whose file names include the domain name
specified in the SNI field of the client hello of an inbound connection. The number of extensions that can
be dynamically supported on each virtual port is limited only by hardware restrictions.

The default certificate and key are used when the client hello contains a domain name for which the
device does not hold a certificate and key with a matching file name.

Dynamic SNI extension support is enabled by using the server-name-auto-map command.
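The precedence above (server-name, then server-name-regex, then auto-map, then the default pair), as an added example that is not A10's code: a Python model of a client-SSL template resolving one client hello. Two details the guide leaves open are assumptions here: regex mappings are tried in configured order with a full-string match, and auto-map requires the requested domain in both the certificate and key file names. The sample template mirrors the "cssl" example later in this section.

```python
"""SNI certificate selection following the documented precedence.

Added example, not ACOS code. It models a client-SSL template holding exact
server-name mappings, server-name-regex mappings, a server-name-auto-map flag
with the cert/key files present on the device, and the default pair.
Assumptions: regex mappings are tried in configured order with a full-string
match; auto-map requires the domain in both the cert and key file names.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CertKey = Tuple[str, str]  # (certificate name, private key name)


@dataclass
class ClientSslTemplate:
    default: CertKey                                           # unmapped cert/key pair
    server_name: Dict[str, CertKey] = field(default_factory=dict)        # exact mappings
    server_name_regex: List[Tuple[str, CertKey]] = field(default_factory=list)
    auto_map: bool = False                                     # server-name-auto-map
    device_files: List[CertKey] = field(default_factory=list)  # files stored on the device

    def select(self, sni: Optional[str]) -> Tuple[str, CertKey]:
        """Return (matched rule, (cert, key)) for one client hello."""
        if not sni:                        # no SNI extension in the client hello
            return ("default", self.default)
        name = sni.rstrip(".").lower()     # host names are case-insensitive

        if name in self.server_name:       # 1. static exact mapping
            return ("server-name", self.server_name[name])

        for pattern, pair in self.server_name_regex:   # 2. static regex mapping
            if re.fullmatch(pattern, name):
                return ("server-name-regex", pair)

        if self.auto_map:                  # 3. dynamic mapping by file name
            for cert, key in self.device_files:
                if name in cert.lower() and name in key.lower():
                    return ("auto-map", (cert, key))

        return ("default", self.default)   # 4. nothing matched


def build_example_template() -> ClientSslTemplate:
    """Constructed template mirroring the guide's 'cssl' example, plus one
    regex mapping and one auto-mapped file pair to exercise every rule."""
    return ClientSslTemplate(
        default=("def_cert", "def_key"),
        server_name={"www.example2.com": ("cert2", "key2"),
                     "mail.example.com": ("cert3", "key3")},
        server_name_regex=[(r".*\.example\.org", ("wild_org_cert", "wild_org_key"))],
        auto_map=True,
        device_files=[("shop.example.net.crt", "shop.example.net.key")],
    )


if __name__ == "__main__":
    tpl = build_example_template()
    for host in ["www.example2.com", "MAIL.example.com", "a.example.org",
                 "shop.example.net", "www.example.com", None]:
        print(host, "->", tpl.select(host))
```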

Partition Support
This feature is supported in both the shared partition and L3V private partitions.

Configuring TLS Server Name Indication

Configuring TLS Server Name Indication (GUI Procedure)

Before creating the certificate-domain mappings, import the server certificates onto the ACOS device.

The configuration page for client-SSL templates has a Server Name Indication section. In this section,
to create a certificate-domain mapping:

1. Enter the domain name in the Server Name field.
2. Select the certificate from the Server Certificate drop-down list.
3. Select the certificate’s private key from the Server Private Key drop-down list.
4. Click Add.
5. Repeat for each mapping.

Configuring Static TLS Server Name Indication (CLI Procedure)

To map a certificate to a domain, use the server-name command at the configuration level for the cli-
ent-SSL template:

Configuring Dynamic SNI Extension Support (CLI Procedure)

To enable dynamic SNI extension support, use the server-name-auto-map command at the configura-
tion level for the client-SSL template:

TLS SNI Support on vThunder


ACOS provides support for the Server Name Indication (SNI) extension to vThunder models. The SNI is
an extension to Transport Layer Security (TLS) that allows a single IP address to host multiple domain
names, with a separate certificate for each domain.

The client-SSL template bound to the virtual port can contain multiple certificates. When you add a cer-
tificate and key to a client-SSL template, you can specify the domain name (“server name”) that the cer-
tificate and key belong to. When a client sends an SSL session setup request to the VIP, ACOS sends
the server certificate for the requested domain name, based on the configuration in the client-SSL tem-
plate.

In addition to certificates and keys for individual domain names, a client-SSL template also can contain
one “default” certificate and key. If the template does not have a certificate for the domain name
requested by the client, ACOS sends the default certificate instead.

• ACOS 2.7.2 adds SNI support to vThunder models. Previous releases support the feature on
hardware models but not on vThunder models.
• The ACOS configuration does not contain any SLB server certificates by default. The “default”
certificate and key in a client-SSL template must be imported or generated in ACOS, then added
to the template. If you add them to the template without associating them with a domain name,
then they become the default certificate and key for the template.
• SSL Intercept, a feature on certain hardware models that uses SNI support, is not supported on
vThunder devices. This enhancement does not provide SSL Intercept support on vThunder
models.

Configuring an SSL VIP TLS SNI (CLI Procedure)

The commands in this section configure an SSL VIP that serves the following domains:

• www.example.com
• www.example2.com
• mail.example.com

This configuration allows the ACOS device to set up secure SSL sessions with a client who sends
requests to 192.168.2.69:443. ACOS selects a server certificate to send to the client based on the
domain name requested by the client.

This example assumes the certificates and keys were already imported into or generated in ACOS.

The slb template client-ssl cssl command configures the client-SSL template and places the CLI in
template configuration mode where the following commands are available:

• The cert and key commands add the default certificate and key.

• The server-name commands add the certificates and keys for specific domain names.

The “cert2” and “cert3” certificates are used for SSL session setup requests to domains
www.example2.com and mail.example.com, respectively.
The “def_cert” certificate is used for requests to any other domain name, such as www.example.com.

Configuring an SSL VIP TLS SNI (CLI Example)

These commands bind the client-SSL template to the SSL virtual port:

ACOS(config)# slb virtual-server example 192.168.2.69
ACOS(config-slb vserver)# port 443 ssli
ACOS(config-slb vserver-vport)# template client-ssl cssl
ACOS(config-slb vserver-vport)# exit

TLS 1.3 Support for Software SSL


TLS 1.3 has replaced TLS 1.2 as the preferred protocol because it is faster and more secure; ACOS
SSLi supports TLS 1.3 in software SSL mode.

CLI to enable TLS 1.3 for Software SSL


By default, ACOS SSLi only supports TLS 1.2.

• To enable TLS 1.3 for software SSL, use the following commands:
slb common
ssl-module software-tls13
!

• A new CLI command is added under cipher template configuration to support TLS 1.3:
ACOS(config)# slb template cipher c1

• To configure a TLS 1.3 cipher on ACOS, use the tls1_3 command; a new set of TLS 1.3 cipher
suites is available as its options:
ACOS(config-cipher)# tls1_3 TLS_AES_256_GCM_SHA384 priority 10

NOTE: Cipher is available under client and server SSL template as well.

If the user is working with hardware SSL, the TLS 1.3 cipher and version commands
display a warning to notify that TLS 1.3 is only supported in software SSL
mode.

Configure Certificate Key pair


For the client-SSL template, the new command is:

• certificate <cert-name> key <key-name> [pass-phrase <pass-phrase-str>] [chain-cert <chain-cert-name>]

For the server-SSL template, the new command for a certificate-key pair is:

• certificate <cert-name> key <key-name> [pass-phrase <pass-phrase-str>]

NOTE: When ACOS is upgraded, old certificate and key command
configurations are not converted to the new certificate command.

New certificate commands will be lost if ACOS is downgraded.

One client-SSL template can have two certificate and key pairs
configured. Once a certificate/key pair is configured, to update the
certificate or key, remove the old pair and configure the new pair.

page 292
ACOS 5.0.0-P1 SSL Insight (SSLi) Configuration Guide
Feedback
Managing CAs and CSRs

Managing CAs and CSRs


Installing SSL resources on the ACOS device enables the device to provide SSL services on behalf of
real servers. The following topics are covered in this section:

• Importing a Certificate and Key

• Generating an SSL Cert – Private Key File with a CSR

• Generating a Certificate Signing Request (CSR)

• Generating a Self-Signed Certificate and Key

• Certificate Installation Process

• Creating a Client-SSL or Server-SSL Template and Binding it to a VIP

• Multiple CA Certificate Support in Server-SSL Templates

• Support for Binding Server-SSL Templates to Individual Real Ports

• Configuring Email Notification for SSL Certificate Expiration

• SSL Certificate Notification via System Log Warnings

• Converting Certificates and CRLs to PEM Format

• Importing a Certificate Revocation List (CRL)

• SSL File Delete

• Exporting Certificates, Keys, and CRLs

• Importing a CA Cert and Private Key for SSLi

• Forward Proxy Alternate Signing Cert and Key

• Simple Certificate Enrollment Protocol (SCEP)

Importing a Certificate and Key


To import certificate and key files, place them on the PC that is running the ACOS GUI or CLI session, or
on a PC or file server that ACOS can reach to fetch the files.

This section includes the following instructions:

• Importing Individual Files

• Bulk Import and Export of SSL Certificate and Key Files

Importing Individual Files


To import an SSL certificate, CA certificate, certificate chain, or private key, follow these instructions.

Importing Certificates (GUI Procedure)


1. Navigate to ADC >> SSL Management >> SSL Certificates.
2. Click Import to import a certificate or certificate chain.
a. In the File Name field, enter a name for the certificate.
b. In the Import field, select the item you want to import.
c. In the Import Certificate from field, select Local to import from a local drive on your man-
agement PC, Remote to import from a remote location, or Text to import from the text box that
appears.
d. In the SSL or CA Certificate field, select either SSL Certificate or CA Certificate.
If you are importing a CA-signed certificate for which you used ACOS to generate the CSR, you
do not need to import the key. The key is automatically generated by ACOS when you generate
the CSR.
e. In the Certificate Format field, select the file format of the certificate you are importing. A certif-
icate and private key combined in a single file use the PFX format, which is chosen automatically.
f. The Certificate Source field provides the location and other fields you need to import the
selected item.
g. Decide whether to enable or disable the Overwrite Existing File option.
3. Click Import.

Importing Certificates (CLI Procedure)


• Use the import cert command to import a certificate or certificate chain that you will be using
with its private key to create proxied certificates for SSL handshaking with clients in the SSLi, SSL
Proxy or SSL offload applications. If you import the cert and its key in a single file use the PFX
format.
An example of importing a cert for SSLi is found in “Importing a CA Cert and Private Key for SSLi”
on page 313.
• Use the import ca-cert command to import a CA certificate or certificate chain used for verifying
SSL servers, authenticating clients, and other purposes. However, the CA cert cannot be used for
creating proxied signed certificates for handshaking with clients.
NOTE: If you are importing a CA-signed certificate for which you used ACOS to generate the CSR,
you do not need to import the key. The key is automatically generated by ACOS when you generate
the CSR.
• Use the import cert-key command to import a private key.

page 294
ACOS 5.0.0-P1 SSL Insight (SSLi) Configuration Guide
Feedback
Managing CAs and CSRs

Bulk Import and Export of SSL Certificate and Key Files


You can import or export SSL files in bulk, as .tgz archives.

Bulk Import and Export of Certificate and Key Files (GUI Procedure)

The steps for importing or exporting SSL files are the same for individual files and for bulk archives.
(For information, see “Importing Individual Files” on page 294 and the GUI online help.)

Bulk Import and Export of Certificate and Key Files (CLI Procedure)

To import a .tgz archive of SSL certificate files, key files, or CRL files, use the following commands:

• import cert – The archive contains only certificate files.

• import cert-key bulk – The archive contains both certificate and key files.

• import crl – The archive contains only CRL files.

• import key – The archive contains only key files.

Generating an SSL Cert – Private Key File with a CSR


The following procedure generates a self-signed SSL certificate with a private key and also generates a
CSR that you can send to a publicly recognized CA to register your self-signed SSL cert.

This process also creates a public key - private key pair. The public key is sent in the CSR. The private
key is used to encrypt the CSR and also to create the SSL proxied certificate used in the ACOS SSLi,
SSL-Offload, and SSL-Proxy applications.

Generating an SSL Cert – Private Key File with a CSR (GUI Procedure)
1. Navigate to ADC >> SSL Management >> SSL Certificates.
2. Click +Create. The Create SSL Certificates dialog window appears.
a. In the Create As field, select Certificate.
b. In the File Name field, type the name of the certificate that will be generated.
c. Click the CSR Generate box to enable the creation of a CSR.
d. In the Cert Type field, select RSA or ECDSA depending on which cryptography standard you
want.
e. The Common Name field is required.

page 295
ACOS 5.0.0-P1 SSL Insight (SSLi) Configuration Guide
FeedbackFF
Managing CAs and CSRs FFee
e

NOTE: If you need to create a request for a wildcard certificate, use an asterisk as the first part
of the common name. For example, to request a wildcard certificate for domain example.com
and its sub-domains, enter the following common name: *.example.com
f. The Division, Organization, Locality, State or Province, and Email fields are optional.
g. Enter a number in the Valid Days field (how many days the key will remain valid) and in the Key
Size field, or accept the defaults of 730 days and 1024 bits.
3. Click OK.
4. Verify that the newly created SSL cert appears in the ADC >> SSL Management >> SSL Certifi-
cates page. Check the matching Name and Common Name fields. The Type should be certifi-
cate/key, and the expiration should match the number of days the cert remains valid. See RFC
6125 for help in reading the Issuer field. The GUI does not display the CSR separately.

Generating an SSL Cert – Private Key File with a CSR (CLI Procedure)
1. Use the pki create cert command in global configuration mode to generate a self-signed SSL
certificate and corresponding CSR. In this example, the CSR file name is csr, the CSR renewal file name
is Cert-CSR-both, the file transport protocol is FTP, and the URL specifying where the CSR is sent is
192.168.1.10.
ACOS(config)# pki create cert Cert-CSR-both certtype rsa csr-generate
input key bits(1024,2048,4096) default 1024:
input Common Name, 1~64:Cert-CSR-both
input Division, 0~31:
input Organization, 0~63:
input Locality, 0~31:
input State or Province, 0~31:
input Country, 2 characters: US
input email address, 0~64: [email protected]

• In the above example, the CSR is generated without the root CA extensions. The syntax for the
command that creates a CSR with root CA extensions follows:
ACOS(config)# pki create cert Cert-CSR-both certtype rsa rootca

• If you need to create a wildcard certificate, use an asterisk as the first part of the common
name. For example, to create a wildcard certificate for domain example.com and it sub-
domains, enter the following common name: *.example.com
2. Use show pki cert Cert-CSR-both detail to show the certificate created.
3. Use show pki csr Cert-CSR-both detail to show the CSR created.
ACOS(config)# show pki cert Cert-CSR-both detail
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13866059162969540330 (0xc06e2357db5986ea)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AF, CN= Cert-CSR-both
Validity

Not Before: Jan 31 05:20:36 2017 GMT
Not After : Jan 31 05:20:36 2019 GMT
Subject: C=AF, CN=Cert-CSR-both
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:96:fc:1d:cc:63:ea:c1:a9:c7:1d:dd:c5:9c:72:
08:61:27:b7:67:1a:27:c7:f7:39:ca:9c:81:ac:f0:
f8:05:89:1a:66:25:cf:0b:1e:55:cc:cf:8b:89:91:
58:c5:e9:8c:b8:44:f1:d5:42:94:b1:e9:5a:a6:10:
05:28:0d:a2:84:a6:73:a8:64:66:e4:72:cc:c8:1b:
39:c9:4a:9c:a6:b3:67:e1:4a:d8:9d:a3:fa:bd:7c:
0e:ad:c1:35:6c:6f:54:68:0a:5f:54:67:61:fd:6a:
e2:55:2f:85:11:76:f3:96:c0:5c:55:11:63:a6:21:
41:65:6f:da:67:d5:e8:7e:ff
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
7d:ac:29:e8:a9:b5:2f:69:43:d2:a1:8b:7c:6d:8e:b5:21:f8:
30:cc:7a:4f:61:71:23:87:51:2c:da:ce:89:14:29:55:f3:81:
97:c0:2f:a7:e3:8a:4b:7d:d2:f7:cb:00:14:ce:91:db:1f:3a:
db:a0:a0:a9:90:b8:a1:b0:7a:16:e3:54:23:94:e2:48:fb:92:
36:0c:6d:c4:be:fd:79:77:41:6c:3a:19:3f:72:29:c6:95:f1:
c5:41:d8:a8:ed:18:2e:ca:66:1a:af:39:16:79:10:03:d6:f0:
95:10:93:1f:13:c8:96:70:c5:3f:97:8b:96:e1:d5:78:8d:b7:
c7:0c
SHA1 Fingerprint=D5:9A:B6:96:66:5D:B9:77:FE:1F:28:B4:BC:A9:3A:43:5D:2D:C7:98

key size: 1024


ACOS(config)# show pki csr Cert-CSR-both detail
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=AF, CN=Cert-CSR-both
Subject Public Key Info:

Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:96:fc:1d:cc:63:ea:c1:a9:c7:1d:dd:c5:9c:72:
08:61:27:b7:67:1a:27:c7:f7:39:ca:9c:81:ac:f0:
f8:05:89:1a:66:25:cf:0b:1e:55:cc:cf:8b:89:91:
58:c5:e9:8c:b8:44:f1:d5:42:94:b1:e9:5a:a6:10:
05:28:0d:a2:84:a6:73:a8:64:66:e4:72:cc:c8:1b:
39:c9:4a:9c:a6:b3:67:e1:4a:d8:9d:a3:fa:bd:7c:
0e:ad:c1:35:6c:6f:54:68:0a:5f:54:67:61:fd:6a:
e2:55:2f:85:11:76:f3:96:c0:5c:55:11:63:a6:21:
41:65:6f:da:67:d5:e8:7e:ff
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
7f:2e:82:ef:b8:ed:5d:bc:78:4a:8c:25:5e:df:46:69:11:21:
74:7e:1e:fa:29:08:d0:ea:27:1a:25:fa:4b:ae:e2:78:08:2a:
63:ed:c9:0b:8d:0b:f6:d7:1e:07:10:dc:12:2b:ff:b0:0f:4a:
d6:68:a0:e1:ac:80:8b:d7:bb:f2:a3:6e:e2:74:c6:31:6c:44:
cc:45:c3:f8:2c:85:58:cb:a9:dc:28:bb:3b:72:0f:38:95:68:
1d:f4:09:9b:08:0f:f4:49:a5:9d:4d:91:d1:df:82:6c:63:60:
b8:74:d6:13:67:dd:81:c1:a6:af:ee:fa:22:7b:b2:a4:1e:e3:
b6:3d
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Generating a Certificate Signing Request (CSR)


The following procedures generate a CSR that you can send to a server, so that the server can send the CSR to a CA to request a new CA-signed certificate or renew an existing one.

This process also creates a public key - private key pair. The public key is sent in the CSR. The private key is used to encrypt the CSR.


Generating a CSR (GUI Procedure)


1. Navigate to ADC >> SSL Management >> SSL Certificates.
2. Click +Create. The Create SSL Certificates dialog window appears.
a. In the Create As field, select CSR.
b. In the File Name field, type the name of the certificate that will be provided by the CA.
c. In the Digest field, select the hashing algorithm used. The default is sha1.
d. In the Cert Type field, select RSA or ECDSA depending on which cryptography standard you
want.
e. The Common Name field is required.
To create a wildcard certificate request, use an asterisk for the first part of the common name. For example, to request a wildcard certificate for domain example.com and its sub-domains, enter *.example.com as the common name.
f. The Division, Organization, Locality, State or Province, and Email fields are optional.
g. Enter a number in the Valid Days field (how many days the key will remain valid) and in the Key Size field, or accept the defaults of 730 days and 1024 bits.
3. Click OK.
4. Verify the newly created SSL cert appears in the ADC >> SSL Management >> SSL Certificates page. Check that the Name and Common Name fields match. The Type should be key, and the expiration should match the number of days the cert remains valid. See RFC 6125 for help in reading the Issuer field.

Generating a CSR (CLI Example)


1. Use pki create csr command in global configuration mode to generate an RSA type of certificate
signing request (CSR). In this example, the CSR name is CSR1.
ACOS(config)# pki create csr CSR1 generate certtype rsa
input key bits(1024,2048,4096) default 1024:
input Common Name, 1~64:CSR1
input Division, 0~31:
input Organization, 0~63:
input Locality, 0~31:
input State or Province, 0~31:
input Country, 2 characters:US
input email address, 0~64:[email protected]
ACOS(config)#

To create wildcard certificates, use an asterisk as the first part of the common name. For example, to create a wildcard certificate for domain example.com and its sub-domains, enter the following common name: *.example.com
2. Use show pki certificate csr1 detail to show the CSR created.


Generating a Self-Signed Certificate and Key


In the following procedure the certificate file also includes the corresponding private key.

See RFC 6125 for help in filling out some of the following fields.

Generating a Self-Signed Certificate and Key (GUI Procedure)


1. Navigate to ADC >> SSL Management >> SSL Certificates.
2. Click +Create. The Create SSL Certificates dialog window appears.
a. In the Create As field, select Certificate.
b. In the File Name field, type the name of the certificate that will be generated.
c. Do not enable CSR Generate. This checkbox enables the creation of a CSR.
d. In the Cert Type field, select RSA or ECDSA depending on which cryptography standard you
want.
e. The Common Name field is required.
NOTE: If you need to create a request for a wildcard certificate, use an asterisk as the first part of the common name. For example, to request a wildcard certificate for domain example.com and its sub-domains, enter the following common name: *.example.com
f. The Division, Organization, Locality, State or Province, and Email fields are optional.
g. Enter a number in the Valid Days field (how many days the key will remain valid) and in the Key Size field, or accept the defaults of 730 days and 1024 bits.
3. Click OK.
4. Verify the newly created SSL cert appears in the ADC >> SSL Management >> SSL Certificates page. Check that the Name and Common Name fields match. The Type should be certificate/key, and the expiration should match the number of days the cert remains valid. See RFC 6125 for help in reading the Issuer field.

Generating a Self-Signed Certificate and Key (CLI Example)

To generate a self-signed certificate, use the following command at the global configuration level of the
CLI:

The pki create certificate command generates and initializes a self-signed certificate and key. When you create a self-signed certificate, it must be pushed out to inside clients (clients on the internal network). If the certificate is not pushed, the internal hosts get an SSL “untrusted root” error whenever they try to connect.

The key length, common name, and number of days the certificate is valid are required. The other information is optional. The default key length is 1024 bits. The default number of days the certificate is valid is 730.


ACOS(config)# pki create certificate enterpriseABC-selfsignd certtype rsa
input key bits(1024,2048,4096) default 1024:
input Common Name, 1~64: enterpriseABC-selfsignd
input Division, 0~31:
input Organization, 0~63:
input Locality, 0~31:
input State or Province, 0~31:US
input Country, 2 characters:US
input email address, 0~64:
input valid days, 30~3650, default 730:
ACOS(config)#

To create a wildcard certificate, use an asterisk as the first part of the common name. For example, to create a wildcard certificate for domain example.com and its sub-domains, enter the following common name: *.example.com

Certificate Installation Process


To configure an ACOS device to perform SSL processing on behalf of real servers, you must install a
certificate on the ACOS device. This certificate is the one that the ACOS device will present to clients
during the SSL handshake. You also must configure a client-SSL template, add the key and certificate
to the template, and bind the template to the VIP that will be requested by clients.

You can install a CA-signed certificate or a self-signed certificate (described in “CA-Signed and Self-
Signed Certificates” on page 281).

This section gives an overview of the process for each type of certificate. Detailed procedures are provided later in this chapter.

Requesting and Installing a CA-Signed Certificate


To request and install a CA-signed certificate, use the following process. For detailed steps, see “Managing CAs and CSRs” on page 293 and “Importing a Certificate and Key” on page 293.

1. Create an encryption key.
2. Create a Certificate Signing Request (CSR).
The CSR includes the public portion of the key, as well as information you enter when creating the
CSR.
You can create the key and CSR on an ACOS device or a server running openssl or a similar application.
3. Submit the CSR to the CA.
If the CSR was created on the ACOS device, do one of the following:


• Copy and paste the CSR from the ACOS CLI or GUI onto the CSR submission page of the CA
server.
• Export the CSR to another device, such as the PC from which you access the ACOS CLI or GUI.
Email the CSR to the CA, or copy-and-paste it onto the CSR submission page of the CA server.
If the CSR was created on another device, email the CSR to the CA, or copy-and-paste it onto the
CSR submission page of the CA server.
4. After receiving a signed certificate and the CA’s public key from the CA, import them to the ACOS
device.
• If the key and certificate are provided by the CA in separate files (PKCS #7 format), import the certificate. The key does not need to be imported if the CSR was created on the ACOS device because the key is already on the ACOS device. If the certificate is not in PEM format, specify the certificate format (type) when importing it.
If the CSR was not created on the ACOS device, you need to import the key also.
• If the key and certificate are provided by the CA in a single file (PKCS #12 format), specify the
certificate format (type) when you import it. If the CSR was not created on the ACOS device, you
need to import the key also. See “Converting SSL Certificates to PEM Format (Windows PC Procedure)” on page 309.
5. If applicable, import the certificate chain onto the ACOS device. The certificate chain must be a single text file, beginning with a root CA’s certificate at the top, followed in order by each intermediate signing authority’s certificate. (See “Certificate Chain” on page 279.)

Figure 37 shows the most common way to obtain and install a CA-signed certificate onto the ACOS
device. You also may need to install a certificate chain file.


FIGURE 37 Obtaining and Installing Signed Certificate from CA

NOTE: As an alternative to using a CA, you can use an application such as openssl to create a certificate, then use that certificate as a CA-signed certificate to sign another certificate. However, in this case, a client’s browser is still likely to display a certificate warning to the end user.

Installing a Self-Signed Certificate


To install a self-signed certificate instead of a CA-signed certificate:

1. Create an encryption key.
2. Create the certificate.

See “Generating a Self-Signed Certificate and Key” on page 300.


Creating a Client-SSL or Server-SSL Template and Binding it to a VIP


After creating or importing certificates and keys on the ACOS device, you must add them to an SSL
template, then bind the template to a VIP, in order for them to take effect.

Creating an SSL Template (GUI Procedure)


1. Navigate to ADC >> Templates >> SSL.
2. Click Create, and:
• Select Client SSL to create a template for SSL traffic between the ACOS device (VIP) and
clients.
• Select Server SSL to create a template for SSL traffic between the ACOS device and servers.
3. Enter or select the configuration options; refer to the online help for information about the fields on
this GUI page.
4. When finished, click OK.

Creating an SSL Template (CLI Example)

Use one of the following commands at the global configuration level of the CLI:

• slb template client-ssl – creates a template for SSL traffic between the ACOS device (VIP) and clients.
ACOS(config)# slb template client-ssl TMPLT-C
ACOS(config-client ssl)# exit

• slb template server-ssl – creates template for SSL traffic between ACOS device and servers.
ACOS(config)# slb template server-ssl TMPLT-S
ACOS(config-server ssl)# exit

The command creates the template and changes the CLI to the configuration level for it. Use the commands at the template configuration level to configure template parameters. (For information, see “SSL Templates” on page 282 or the CLI Reference.)

Binding an SSL Template to a VIP (GUI Procedure)


1. Navigate to ADC >> SLB >> Virtual Servers.
2. Click Create to create a new virtual server.
3. Enter the VIP name and IP address.
4. In the Port section, click Create. The Virtual Server Port page appears.
5. Click on “Templates” to expand the Templates section.
6. Select the template from the Client-SSL Template or Server-SSL Template drop-down list.


Binding an SSL Template to a VIP (CLI Example)

Use one of the following commands at the configuration level for the virtual port on the VIP:

• template client-ssl – binds the client SSL template to the VIP.
ACOS(config)# slb virtual-server VIP-1 10.10.1.1
ACOS(config-slb vserver)# port 80 ssl-proxy
ACOS(config-slb vserver-vport)# template client-ssl TMPLT-C
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

• template server-ssl – binds the server SSL template to the VIP.
ACOS(config)# slb virtual-server VIP-2 10.10.2.1
ACOS(config-slb vserver)# port 80 ssl-proxy
ACOS(config-slb vserver-vport)# template server-ssl TMPLT-S
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

Use the same command on each port for which SSL will be used.

Multiple CA Certificate Support in Server-SSL Templates


If you need to add multiple certificates to a server-SSL template, this section describes how to
configure it. A server-SSL template can have multiple CA-signed certificates.

You can add the CA certificates to the server-SSL template in either of the following ways:

• As separate files (one for each certificate)

• As a single file containing multiple certificates

Adding multiple certificates in a single file can simplify configuration. For example, you can export the
CA certificates from a web browser into a single file, then import that file onto the ACOS device and add
it to a server-SSL template.

Previous releases allowed a server-SSL template to have only a single CA-signed certificate.

NOTE: A CA-signed certificate is a certificate signed by a Certificate Authority (CA).

Multiple Certificates in Single File – Preparing the File


You can create the multiple certificate file by exporting the certificates from a browser or you can
assemble the file by hand.


To export the certificates from Internet Explorer (IE) version 9:
1. Select Tools > Internet Options.
2. Click on the Content tab.
3. Click Certificates.
4. Click on the Trusted Root Certification Authorities tab.
5. Select all the certificates.
6. Click Export.
7. Click Next.
8. Select PKCS #12 format (PFX), if not already selected.
9. Click Next.
10. When prompted for a file password, enter a password to secure the certificate file, and click Next.
11. When prompted for a filename:
a. Click Browse to navigate to the save location for the file.
b. Enter the filename and click Save.
12. Click Next.
13. Click Finish.
14. On the ACOS device:
a. Import the certificate file as a PFX file.
b. Use the GUI or CLI to add the certificate file to a server-SSL template.
c. Bind the server-SSL template to the virtual port.

To create the file manually:

1. Copy and paste each certificate to a text file. Make sure to include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines for each certificate. For example:
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQGNr
RniZ96LtKIVjNzGs7SjANBg
kqhkiG9w0BAQUFADCB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
U2lnbiwgSW5jLiAtIEZvciBhd
XRob3JpemVkIHVzZSBvbmx
5MUUwQwYDVQQDEzxW
-----END CERTIFICATE-----


2. Save the text file.
3. On the ACOS device:
a. Import the certificate file as a PEM file.
b. Use the GUI or CLI to add the certificate file to a server-SSL template.
c. Bind the server-SSL template to the virtual port.
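A structural check for a hand-assembled bundle like the one above, added here as an example (it is not A10's code or tooling). It parses each PEM block, verifies that the base64 body decodes to one complete DER SEQUENCE, and rejects non-certificate blocks such as a CSR or a private key pasted in by mistake; the sample bundles are constructed, with one body taken from the truncated certificate shown in the manual procedure.

```python
import base64
import binascii
import re

# Framing lines of a PEM block, e.g. "-----BEGIN CERTIFICATE-----"
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z ]+)-----$")


def parse_pem_bundle(text):
    """Split a PEM file into (label, der_bytes) pairs; raise ValueError on the
    framing mistakes a hand-assembled file can have (END without BEGIN,
    mismatched labels, text outside a block, bad base64)."""
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        begin = BEGIN_RE.match(line)
        if begin:
            if label is not None:
                raise ValueError(f"line {lineno}: BEGIN inside unterminated {label} block")
            label, body = begin.group(1), []
            continue
        end = END_RE.match(line)
        if end:
            if label is None or end.group(1) != label:
                raise ValueError(f"line {lineno}: END {end.group(1)} without matching BEGIN")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{label} block ending at line {lineno}: bad base64 ({exc})") from None
            blocks.append((label, der))
            label = None
            continue
        if label is None:
            raise ValueError(f"line {lineno}: text outside any PEM block")
        body.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block at end of file")
    return blocks


def der_sequence_ok(der):
    """True if der is exactly one outer DER SEQUENCE (tag 0x30) whose declared
    length covers the whole buffer; a truncated paste fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: low bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_ca_bundle(text):
    """Return (number_of_usable_certificates, list_of_problems) for a CA bundle."""
    try:
        blocks = parse_pem_bundle(text)
    except ValueError as exc:
        return 0, [str(exc)]
    count, problems = 0, []
    for idx, (label, der) in enumerate(blocks, 1):
        if label != "CERTIFICATE":
            # A CSR or a private key does not belong in a CA bundle; a key pasted
            # here would be imported alongside the public certificates.
            problems.append(f"block {idx}: {label} is not a certificate, remove it")
        elif not der_sequence_ok(der):
            problems.append(f"block {idx}: body is not a complete DER SEQUENCE (truncated paste?)")
        else:
            count += 1
    if count == 0:
        problems.append("no usable certificates found")
    return count, problems


def _pem(label, der):
    """Wrap DER bytes in PEM framing at 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples: the bodies are minimal DER SEQUENCEs standing in for real
# X.509 certificates so that the example runs offline.
GOOD_BUNDLE = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01") + _pem("CERTIFICATE", b"\x30\x05\x02\x03\x01\x02\x03")
BAD_BUNDLE = (
    _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
    + _pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x02")        # pasted in by mistake
    + "-----BEGIN CERTIFICATE-----\n"                          # the guide's truncated sample body
    + "MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB\n"
    + "-----END CERTIFICATE-----\n"
)
```

Run check_ca_bundle on the file before importing it; a non-empty problem list means the file should be fixed first.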

Support for Binding Server-SSL Templates to Individual Real Ports


For additional flexibility, the ACOS device supports binding of server-SSL templates to individual real
ports. This configuration option is useful in cases where the real servers load balanced by a VIP have
different SSL settings.

If a server-SSL template is bound to the virtual port instead, all the real servers load balanced by the VIP must use the same SSL settings.

You can bind a server-SSL template to a real port and also to a virtual port that uses that real port. In
this case, the server-SSL template bound to the real port is used for traffic sent to that real port. If you
remove the server-SSL template from the real port, the template bound to the virtual port is used
instead.

Binding Server SSL Templates to Real Ports (GUI Procedure)

On the configuration page for the real server, in the Port section, select the template from the Server-
SSL Template drop-down list.

Binding Server SSL Templates to Real Ports (CLI Procedure)

To bind a server-SSL template to a real port, use the template server-ssl command at the configuration level for the real port.

Binding Server SSL Templates to Real Ports (CLI Example)

The following commands import a CA-signed certificate and key:

ACOS(config)# import ca-cert CACert88.pem tftp:
Address or name of remote host []?192.168.52.254
File name [/]?CACert88.pem
.0 minutes 1 seconds
ACOS(config)# import key CAkey tftp:
Address or name of remote host []?192.168.52.254
File name [/]?CAkey88
.0 minutes 1 seconds

The following commands create a server-SSL template and add the certificate and key to the template:


ACOS(config)# slb template server-ssl server-ssl1
ACOS(config-server ssl)# ca-cert CACert88.pem key CAkey88
ACOS(config-server ssl)# certificate Cert123.pem key key123 pass-phrase Pass123
ACOS(config-server ssl)# exit

The following commands bind the server-SSL template directly to a port on a real server:

ACOS(config)# slb server rs88 10.8.8.8
ACOS(config-real server)# port 443 tcp
ACOS(config-real server-node port)# template server-ssl server-ssl1

NOTE: New certificate commands will be lost if you downgrade a device to an older image that does not support the new commands.

Configuring Email Notification for SSL Certificate Expiration


The ACOS device can send email notification when an SSL certificate is about to expire. This feature
sends a daily email listing the certificates that are about to expire or that have recently expired.

By default, this feature is not configured. To configure email notification for certificate expiration, use
either of the following methods.

Configuring Email Notification for SSL Certificate Expiration (GUI Procedure)


1. Navigate to ADC >> SSL Management >> Expiration Mail.
2. In the SSL Expire Email Address field, enter the email address (twice; both addresses must match) where you want the notifications to be sent.
3. Configure the other fields on this screen as desired; refer to the GUI online help for more information about the fields on this page.
4. Click Update.

Configuring Email Notification for SSL Certificate Expiration (CLI Procedure and Example)

To configure email notification for certificate expiration, use the slb ssl-expire-check command.

The following example enables certificate notifications to be sent to email address “[email protected]”. Expiration notifications are sent beginning 4 days before expiration and continue for 3 days after expiration.

ACOS(config)# slb ssl-expire-check email-address [email protected] before 4 interval 3
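The following is an added example (not part of the guide) that parses the show pki cert detail output shown earlier in this chapter and applies the expiration logic the text describes for slb ssl-expire-check: a certificate is reported from "before" days ahead of its Not After date until "interval" days after it (that reading of the two keywords is an assumption taken from the sentence above). It also flags the guide's defaults, a 1024-bit key and a sha1 signature, as worth replacing. The sample output is the guide's own with the modulus and signature bytes omitted; the dates used as "today" are constructed.

```python
import re
from datetime import datetime, timedelta

DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # layout of the Not Before / Not After values


def parse_cert_detail(text):
    """Extract subject, issuer, validity dates, key size and signature algorithm
    from 'show pki cert <name> detail' output."""
    info = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())            # drop indentation and double spaces
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Subject":
            info["subject"] = value
        elif key == "Issuer":
            info["issuer"] = value
        elif key in ("Not Before", "Not After"):
            info[key.lower().replace(" ", "_")] = datetime.strptime(value, DATE_FMT)
        elif key == "Signature Algorithm" and "sig_alg" not in info:
            info["sig_alg"] = value             # first occurrence is the one in the header
        elif key == "Public-Key":
            bits = re.match(r"\((\d+) bit\)", value)
            if bits:
                info["key_bits"] = int(bits.group(1))
    return info


def expiry_status(info, today, before_days=4, after_days=3):
    """Classify the certificate as of 'today' and say whether the daily expiration
    mail would list it. Assumed reading of 'before N interval M': mail starts N
    days before Not After and continues M days past it."""
    not_after = info["not_after"]
    if today > not_after:
        state = "expired"
    elif today >= not_after - timedelta(days=before_days):
        state = "expiring"
    else:
        state = "ok"
    notify = state == "expiring" or (
        state == "expired" and today <= not_after + timedelta(days=after_days))
    return state, notify


def weak_parameters(info, min_rsa_bits=2048):
    """Flag the guide's defaults (1024-bit key, sha1 digest) as below current practice."""
    findings = []
    if info.get("key_bits", 0) < min_rsa_bits:
        findings.append(f"key size {info.get('key_bits')} bits is below {min_rsa_bits}")
    if "sha1" in info.get("sig_alg", "").lower():
        findings.append(f"signature algorithm {info['sig_alg']} uses SHA-1")
    return findings


def expiration_report(show_output, today_str, before_days=4, after_days=3):
    """Parse one certificate's output and report its status as of today_str (YYYY-MM-DD)."""
    cert = parse_cert_detail(show_output)
    today = datetime.strptime(today_str, "%Y-%m-%d")
    state, notify = expiry_status(cert, today, before_days, after_days)
    return {"subject": cert["subject"], "not_after": cert["not_after"],
            "state": state, "notify": notify, "findings": weak_parameters(cert)}


# The guide's own 'show pki cert Cert-CSR-both detail' output, with the modulus
# and signature bytes omitted because these checks do not need them.
SAMPLE_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13866059162969540330 (0xc06e2357db5986ea)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AF, CN= Cert-CSR-both
        Validity
            Not Before: Jan 31 05:20:36 2017 GMT
            Not After : Jan 31 05:20:36 2019 GMT
        Subject: C=AF, CN=Cert-CSR-both
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
SHA1 Fingerprint=D5:9A:B6:96:66:5D:B9:77:FE:1F:28:B4:BC:A9:3A:43:5D:2D:C7:98
key size: 1024
"""

if __name__ == "__main__":
    # Constructed 'today' three days before the sample certificate's Not After
    print(expiration_report(SAMPLE_OUTPUT, "2019-01-28"))
```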


SSL Certificate Notification via System Log Warnings


When an SSL certificate expires or is near expiration, the ACOS device will automatically send a system
log warning, rather than a system log notice.

For information on enabling SNMP traps for SSL certificate events, refer to the System Configuration
and Administration Guide.

Converting Certificates and CRLs to PEM Format


The ACOS device supports Privacy Enhanced Mail (PEM) format for certificate files and CRLs.

If a certificate or CRL you plan to import onto the ACOS device is not in PEM format, it must be converted to PEM format.

You do not need to convert the certificate into PEM format before importing it. You can specify the format when you import the certificate. The ACOS device automatically converts the imported certificate into PEM format. (See “Importing a Certificate and Key” on page 293.)

If you prefer to convert a certificate before importing it, see the following sections.

If you have certificates that are in Windows format, use the procedure in this section to convert them to
PEM format. For example, you can use this procedure to export SSL certificates that were created
under a Windows IIS environment, for use on servers that are running Apache.

This procedure requires a Windows PC and a Unix/Linux workstation. Perform step 1 through step 4 on
the Windows PC. Perform step 1 through step 4 on the Unix/Linux workstation.

Converting SSL Certificates to PEM Format (Windows PC Procedure)


1. Start the Microsoft Management Console (mmc.exe).
2. Add the Certificates snap-in:
a. Select File > Add/Remove Snap-In. The Add/Remove Snap-In dialog appears.
b. Click Add. A list of available snap-ins appears.
c. Select Certificates.
d. Click Add.
A dialog appears with the following choices: My user account, Service account, and Computer
account.
e. Select Computer Account and click Next. The Select Computer dialog appears.
f. Select Local Computer and click Finish.


g. Click Close.
h. Click OK. The Certificates snap-in appears in the Console Root list.
3. Expand the Certificate folders and navigate to the certificate you want to convert.
4. Select Action > All Tasks > Export.
The Export wizard guides you with instructions. Make sure to export the private key too. The wizard will ask you to enter a passphrase to use to encrypt the key.

Converting SSL Certificates to PEM Format (Unix / Linux Workstation Procedure)


1. Copy the PFX-format file that was created by the Export wizard to a UNIX machine.
2. Use OpenSSL to convert the PFX file into a PKCS12 format:
$ openssl pkcs12 -in filename.pfx -out pfxoutput.txt

This command creates a PKCS12 output file, which contains a concatenation of the private key
and the certificate.
3. Use the vi editor to divide the PKCS12 file into two files, one for the certificate (.crt) and the other
for the private key.
4. To remove the passphrase from the key, use the following command:
$ openssl rsa -in encrypted.key -out unencrypted.key

Although removing the passphrase is optional, A10 Networks recommends that you remove the
passphrase for production environments where Apache must start unattended.

Converting CRLs from DER to PEM Format (Unix / Linux Workstation Procedure)

If you plan to use a Certificate Revocation List (CRL), the CRL must be in PEM format.

To convert Distinguished Encoding Rules (DER) format to PEM format, use the following command on
a Unix/Linux machine where the file is located:

openssl crl -in filename.der -inform der -outform pem -out filename.pem

Importing a Certificate Revocation List (CRL)


To import a CRL, place it on the PC that is running the GUI or CLI session, or onto a PC or file server that
can be locally reached over the network.

Importing a CRL (GUI Procedure)


1. Navigate to ADC >> SSL Management >> Cert Revocation List.
2. Click Import.


3. Complete the fields on this page to navigate to the location of the CRL.
4. Click Import.

Importing a CRL (CLI Procedure)

To import a CRL, use the import crl command at the Privileged EXEC or global Config level of the CLI.

Refer to the Command Line Interface Reference for detailed information about this command.

SSL File Delete


To delete SSL files, use either of the following methods.

SSL File Delete (GUI Procedure)


1. Navigate to one of the following:
• ADC >> SSL Management > SSL Certificates
• ADC >> SSL Management > Cert Revocation List
2. Select the files to delete.
3. Click Delete.

SSL File Delete (CLI Procedure)

Using the CLI, you can delete specific SSL files by name.

Use the pki delete command at the global configuration level of the CLI to delete SSL files.

Exporting Certificates, Keys, and CRLs


This section describes how to export SSL resources from the ACOS device to other devices.

Due to a limitation in Windows, it is recommended to use names shorter than 255 characters. Windows
allows a maximum of 256 characters for both the file name and the directory path. If the combination
of directory path and file name is too long, Windows will not recognize the file. This limitation is not
present on machines running Linux/Unix.

Exporting a Certificate and Key (GUI Procedure)


1. Navigate to ADC >> SSL Management >> SSL Certificates.
2. To export a certificate:
a. Select the certificate. (Click the checkbox next to the certificate name.)


b. Click Export.
If the browser security settings normally block downloads, you may need to override the setting. For example, in Internet Explorer, hold the Ctrl key while clicking Export.
c. Click Save.
d. Navigate to the save location.
e. Click Save again.
3. To export a key:
a. Select the key.
b. Click Export.
c. Click Save.
d. Navigate to the save location.
e. Click Save again.

Exporting a Certificate and Key (CLI Procedure)

To export a certificate and its key, use the following commands at the Privileged EXEC or global Config
level of the CLI:

• export cert
• export cert-key

Refer to the Command Line Interface Reference for detailed information about these commands.

Exporting a CRL (CLI Procedure)

To export a CRL, use the export crl command at the Privileged EXEC or global Config level of the CLI.

Exporting a CRL (GUI Procedure)


1. Navigate to ADC >> SSL Management >> Cert Revocation List.
2. Select the CRL. (Click the checkbox next to the CRL name.)
3. Click Export.
If the browser security settings normally block downloads, you may need to override the setting.
For example, in IE, hold the Ctrl key while clicking Export.
4. Click Save.
5. Navigate to the save location.
6. Click Save again.


Importing a CA Cert and Private Key for SSLi


Import a self-signed CA certificate and the certificate’s private key (CLI Example)

The following commands import a self-signed CA certificate trusted by the clients, and the certificate’s
private key:

ACOS-Inside(config)# import cert enterpiseABC-selfsignd scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?enterpiseABC-selfsignd.pem
ACOS-Inside(config)# import key enterpiseABC-key scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?enterpiseABC-key.pem

Configuring the client-SSL template to enable SSLi (CLI Example)

The following commands configure the client-SSL template to enable SSLi (forward-proxy). They also specify the certificate and private key that the inside ACOS device uses to dynamically create (and cache) forged server certificates as clients request SSL sessions with external servers.

ACOS-Inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS-Inside(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS-Inside(config-client ssl)# forward-proxy-enable

Forward Proxy Alternate Signing Cert and Key


In the following example, the inside ACOS device is configured with a trusted CA list and an alternate signing key. When a client requests a connection to an external SSL server, the inside ACOS device determines whether the certificate of the SSL site is signed by a trusted CA. If it is not in the trusted list, the inside ACOS device signs the certificate with the alternate signing key. Because the alternate signing key is not trusted, the client will be warned that the site is insecure.

Forward Proxy Alternate Signing Cert and Key (CLI Example)


1. Import the list of trusted CAs:
ACOS-Inside(config)# import cert ca-cert enterpiseABC-trusted-CAs scp:
...

2. Import the alternate certificate and signing key:
ACOS-Inside(config)# import cert alt-cert scp:


...
ACOS-Inside(config)# import key alt-key scp:
...

3. Bind the list of trusted CAs and the alternate signing key to the Client SSL template (which in turn
is bound to the SSLi virtual port of the inside ACOS device.)
ACOS-Inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS-Inside(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS-Inside(config-client ssl)# forward-proxy-enable
ACOS-Inside(config-client ssl)# forward-proxy-trusted-ca-list enterpiseABC-trusted-CAs
ACOS-Inside(config-client ssl)# forward-proxy-alt-sign cert alt-cert key alt-key

Simple Certificate Enrollment Protocol (SCEP)


SCEP is a part of the Public Key Infrastructure (PKI); it simplifies management of security certificates by providing simplified installation and automated renewal of X.509 certificates. You can use SCEP certificates with the same ACOS features that support manually imported certificates. For example, SCEP certificates are supported with SSL Insight (SSLi).

NOTE: This feature is not supported for HSM platforms, including Thunder
5630.

To configure a SCEP certificate, you need to specify the certificate name, a password, and the location
(URL) of the ES. ACOS handles the rest. Then, to use the certificate, add it to an SSL template and bind
the template to the virtual port in your application. There is no GUI support for configuring this feature.

SCEP Certificate Enrollment and Renewal Process (Procedure)

After you configure a SCEP certificate for enrollment, ACOS performs the following steps:

1. Generate a private key. In this step, an RSA key with the specified key length is generated for the
certificate.
2. Fetch CA certificates. ACOS queries the ES for its certificates. In this step, three certificates are
returned: one CA certificate and two ES certificates, namely an ES-encryption certificate and an ES-signature
certificate.
3. Generate Certificate Signing Request (CSR). The CSR includes the SCEP password you assign to
the SCEP certificate, and other parameters needed for the certificate.
4. Fetch the certificate. The CSR is encrypted using the public key of the ES-encryption certificate,
and forwarded to the ES.
The ES validates the CSR and forwards the request to the CA. The CA then returns the signed cer-
tificate. The certificate is signed using the ES-signature certificate.


5. Store the certificate. After successful verification of the response from the CA, ACOS accepts the
certificate and stores it in the following locations:
/a10data/cert/
/a10data/key/
SCEP certificates are stored in DER format. SCEP keys are stored in PEM format.
6. Schedule renewal. ACOS handles automatic renewal of the certificate when it is about to expire.
ACOS checks the expiration dates of both the enrolled certificate and the issuing CA’s certificate.
ACOS then schedules renewal of the certificate, to occur at a specific time or periodically, depend-
ing on configuration. ACOS bases the new expiration date on the later of the expiration dates of the
enrolled certificate and the CA certificate.
7. Rotate and store files. After certificate renewal, the old certificate and key files are still stored for
future reference. Old files are rotated and the new files replace the existing files. For example, a
certificate named “acos-cert” is initially stored in the following location: /a10data/cert/acos-cert.
After the certificate is renewed, it is moved to the following location: /a10data/cert/acos-cert#1.
The newly renewed certificate is moved to /a10data/cert/acos-cert. This step ensures that there is
no need to change the configuration for applications that use the SCEP certificates, because a
valid certificate with the correct name is always stored in the same location. The same applies for
private keys as well. ACOS stores up to 4 old certificate and key files for each SCEP certificate.

SCEP Configuration (CLI Procedure)

To configure SCEP using the CLI:

1. Use the pki scep-cert command to create the certificate and change the CLI to edit it.
2. Use the url command to specify the location of the ES. The user is the admin name required by the
ES to accept the request. The host is the ES IP address or hostname. The file is the path and filename
for the SCEP process on the ES. Example:
url http://192.168.230.101/certsrv/mscep/mscep.dll

3. Specify the password for the certificate. ACOS includes this password in enrollment and renewal
requests for the certificate.
4. (Optional) Configure additional parameters.
SCEP certificates have the following default settings:
• Interval – 5 seconds
• Log level – 1
• Maximum poll time – 180 seconds
• Method – GET


The other parameters are not set by default.


5. Use the enroll command to begin the enrollment process for the certificate.

Copying SCEP Files (CLI Procedure)

You can copy SCEP certificates and keys using the pki copy-cert and pki copy-key commands.

Refer to the Command Line Interface Reference for details.

Displaying SCEP Information (CLI Procedure)

To display SCEP information, use the show pki scep-cert command.

Refer to the Command Line Interface Reference for details.

SCEP Configuration (CLI Example)

The following commands configure an ACOS device as the inside device in an SSLi deployment. The
wildcard VIP on this device receives SSL-encrypted traffic from inside users, and decrypts the traffic
before sending it to the traffic inspector.

The deployment uses a certificate administered by a SCEP ES. Based on the configuration, ACOS
automatically renews the certificate on a monthly basis.

For brevity, this example shows only the inside device, where the SCEP configuration occurs, and uses
only one certificate. The certificate is used both as the root certificate and as a forward-proxy certifi-
cate, which uses SNI support.

On the outside device, the only required command related to SSLi is forward-proxy-enable, to enable
support for the SSLi feature on the device.

The following commands enroll the certificate. You need to enroll each certificate only once. After a
certificate is enrolled, ACOS uses SCEP to administer the certificate. This includes renewing the certifi-
cate before it expires. You do not need to manually administer the certificates after you enroll them.

ACOS(config)# pki scep-cert mycert
ACOS(config-scep cert:mycert)# url http://192.168.230.101/certsrv/mscep/mscep.dll
ACOS(config-scep cert:mycert)# password sample_password
ACOS(config-scep cert:mycert)# renew-every month 1

The following commands configure the client-SSL template:

ACOS(config)# slb template client-ssl ssl_int
ACOS(config-client ssl)# cert mycert
ACOS(config-client ssl)# key mycert
ACOS(config-client ssl)# forward-proxy-enable
ACOS(config-client ssl)# forward-proxy-ca-cert mycert
ACOS(config-client ssl)# forward-proxy-ca-key mycert


The following shows the configuration of the wildcard VIP. This includes configuration of the other
resources, in addition to the client-SSL template, that the wildcard VIP requires: an ACL that
matches the inside clients, the real server configuration, and the service group.

access-list 101 permit ip any 10.2.2.0 0.0.0.255 log
!
slb server rs1 10.3.3.1
  health-check-disable
  port 443 tcp
    health-check-disable
!
slb service-group sg1-tcp tcp
  member rs1:443
!
slb virtual-server vs1-v4 0.0.0.0 acl 101
  extended-stats
  port 8080 http
    service-group sg1-tcp
    template client-ssl ssl_int
    no-dest-nat port-translation
!

The following commands show information about the certificate:

ACOS(config)# show pki cert
Name: mycert Type: certificate/key Expiration: Dec 8 22:23:48 2014 GMT [Expired, Bound]
SCEP Enrolled

ACOS(config)# show pki cert mycert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:5b:42:30:00:00:00:00:24:8f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=a10lab, CN=AD03-CA
        Validity
            Not Before: Dec 8 18:23:48 2014 GMT
            Not After : Dec 8 22:23:48 2014 GMT
        Subject: C=CH, O=Linux strongSwan, CN=AX1030
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DA:53:59:9C:EC:52:E3:58:6C:E5:84:11:E7:5C:F4:C9:FC:59:6B:A3
            X509v3 Authority Key Identifier:
                keyid:06:18:97:1C:58:B4:E4:95:5F:61:61:5D:DB:9C:1B:85:39:48:87:37


            X509v3 CRL Distribution Points:
                URI:ldap:///CN=AD03-CA,CN=AD03,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=a10lab,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=AD03-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=a10lab,DC=com?cACertificate?base?objectClass=certificationAuthority
                OCSP - URI:http://ad03.a10lab.com/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7:
                0-.%+.....7.....E......+.......Ks...M......d...
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2
            1.3.6.1.4.1.311.21.10:
                0.0


OCSP Overview and SSLi OCSP Workflow

The Online Certificate Status Protocol (OCSP) is an IETF protocol that SSL clients, such as ACOS SSL,
can use to verify the state of a server’s certificate before enabling an SSL session with that server. The
Transport Layer Security Protocol (TLS) also provides SSL servers the option to staple their OCSP
current status information to their SSL/TLS handshake.

In ACOS SSLi, ACOS_decrypt uses its own certificate and private key to proxy certificates from the
outside server when acting as an SSL proxy. Without OCSP, ACOS cannot check whether the certificate
of the outside server has become invalid before the expiration date set by the Certificate
Authority (CA). The ACOS Server Certificate Verification for SSLi feature uses OCSP to dynamically verify
the status of the server certificate, whether it is valid or has expired.

The ACOS software verifies the current status of the server certificate before it creates the proxied
certificates used in SSL proxy connections, whether or not the CA expiration date has been reached.

ACOS does not support OCSP verification for HTTPS responder URIs in certificate extensions.
OCSP-stapling configuration is not applicable to SSLi. The internal SSLi receives and processes the
stapled responses.

After a TCP connection has been established between the ACOS device and the client, the server
certificate verification process begins.

FIGURE 38 ACOS Server Certificate Verification Process

The following is the workflow:

1. ACOS_decrypt is configured with imported trusted CA certificates that it uses to verify the outside
server’s certificates. The CA certificates are imported prior to the beginning of the message
exchange process.
2. A client initiates an SSL connection to a website which is proxied or intercepted by ACOS_decrypt.
Assuming that ACOS has not already cached a proxied certificate that it can use to create the
requested SSL session, it opens an SSL session with the same outside server that the client is
attempting to reach.
3. If the outside server has enabled OCSP stapling, the server responds with a “Certificate Status”
SSL/TLS handshake message that tells the ACOS device whether or not the server certificate is
valid and the expiration date of that certificate if it is valid.
a. If the “Certificate Status” response contains a “good” stapled OCSP status, the certificate is
valid and ACOS_decrypt uses its private key to proxy a public certificate, which it sends to the
client. Assuming the client accepts the proxied certificate, an SSL session begins and SSL traf-
fic (for SSLi or SSL offload) is forwarded either to the inspection devices (in SSLi scenarios) or
to the outside server (in SSL offload scenarios).
b. If the server response contains a “revoked” staple OCSP status, the certificate is not valid, and
depending on the ACOS configuration, ACOS either drops the connection or bypasses SSL
proxy to allow the client to connect directly to the outside server.
c. If the server does not support OCSP stapling, the process continues with step 4.
4. ACOS_decrypt looks up the location of the OCSP server embedded within the AIA (Authority Infor-
mation Access) field in the certificate sent by the Internet Server. An OCSP request is sent to the
OCSP URL within the AIA field in each certificate inside the chain, for which ACOS_decrypt does
not already have an OCSP cache entry. If the OCSP URL is an HTTP URL, an HTTP connection is
initiated to that OCSP responder. If the OCSP URL is an HTTPS URL, the ACOS device will not con-
tinue with OCSP verification for that certificate/certificate chain.
5. If the OCSP server responds that the certificate is valid, ACOS_decrypt caches the certificate valid-
ity information with its expiration time expressed in seconds. If this OCSP entry expires while a
proxied certificate corresponding to it is still in the cache, then that proxied certificate is also aged
out. When a new client request comes to the ACOS device for the same website, the OCSP verifica-
tion and certificate proxying process repeats again.
6. If the OCSP server responds that the certificate is not valid then depending on the ACOS device
configuration, ACOS either drops the connection or bypasses SSL proxy to allow the client to con-
nect directly to the outside server.

The following are some guidelines for the process:

• When ACOS bypasses SSL traffic, it does not proxy the server certificate. It forwards the Server
Hello, Certificate, and other SSL handshake messages received from the outside server in
response to the client hello message, onto the client. The only changes made to these packets
would be at Layer 2, Layer 3, or Layer 4 as applicable for traffic forwarding.


• ACOS considers “revoked” or “unauthorized” responses from the OCSP responder as “not suc-
cessful”. If the OCSP server/responder is not reachable (connection time out), or responds with a
different status code or with a “tryLater” or “status unknown” message, then the client connec-
tions corresponding to these certificates are bypassed.
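The decision logic of the workflow and guidelines above, written out as an added Python example (not ACOS code): it models the stapled-status check, the per-certificate responder lookup from the AIA URI, the exclusion of HTTPS responder URIs, and an OCSP cache whose expiry also ages out the proxied certificate. The template action defaults, the site and certificate names, and the responder answers are all constructed for the example.

```python
"""Model of the SSLi server-certificate verification workflow (added example, not ACOS code).

Everything the real device obtains from the TLS handshake or from OCSP responders is
supplied here as constructed values so the decision logic runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

GOOD, REVOKED, UNAUTHORIZED, UNKNOWN, TRY_LATER, UNREACHABLE = (
    "good", "revoked", "unauthorized", "unknown", "tryLater", "unreachable")

# "revoked" and "unauthorized" are treated as not successful (revoke action);
# any other non-good outcome (tryLater, unknown, unreachable) takes the unknown action.
NOT_SUCCESSFUL = {REVOKED, UNAUTHORIZED}


@dataclass
class ClientSslTemplate:
    """The two forward-proxy actions the workflow consults (assumed defaults)."""
    cert_revoke_action: str = "drop"     # forward-proxy-cert-revoke-action
    cert_unknown_action: str = "bypass"  # forward-proxy-cert-unknown-action


@dataclass
class OcspEntry:
    status: str
    expires_at: float  # absolute time; the responder's validity is given in seconds


@dataclass
class SsliVerifier:
    template: ClientSslTemplate
    ocsp_cache: Dict[str, OcspEntry] = field(default_factory=dict)
    # site -> chain certificate names whose OCSP entries the proxied certificate relies on
    proxied: Dict[str, Set[str]] = field(default_factory=dict)

    def age_out(self, now: float) -> List[str]:
        """Step 5: an expired OCSP entry also ages out proxied certs that depended on it."""
        expired = {n for n, e in self.ocsp_cache.items() if e.expires_at <= now}
        for name in expired:
            del self.ocsp_cache[name]
        aged = [site for site, deps in self.proxied.items() if deps & expired]
        for site in aged:
            del self.proxied[site]
        return aged

    def decide(self, site: str, chain: List[Tuple[str, str]], now: float,
               stapled: Optional[str] = None,
               responder: Optional[Dict[str, Tuple[str, int]]] = None) -> str:
        """Return 'proxy' or the configured fallback action for one client connection.

        chain:     [(cert_name, ocsp_uri_from_aia), ...] as presented by the outside server
        stapled:   OCSP status carried in the server's Certificate Status message, if any
        responder: cert_name -> (status, validity_seconds) that the OCSP responder answers
        """
        self.age_out(now)
        if site in self.proxied:            # step 2: reuse the cached proxied certificate
            return "proxy"
        if stapled == GOOD:                 # step 3a
            self.proxied[site] = set()
            return "proxy"
        if stapled in NOT_SUCCESSFUL:       # step 3b
            return self.template.cert_revoke_action
        responder = responder or {}
        deps: Set[str] = set()
        for name, uri in chain:             # step 4: one lookup per uncached chain cert
            entry = self.ocsp_cache.get(name)
            if entry is None:
                if not uri.lower().startswith("http://"):
                    # an HTTPS (or other) responder URI ends verification for this chain
                    return self.template.cert_unknown_action
                status, ttl = responder.get(name, (UNREACHABLE, 0))
                entry = OcspEntry(status, now + ttl)
                if status in (GOOD, REVOKED):       # only definitive answers are cached
                    self.ocsp_cache[name] = entry
            if entry.status in NOT_SUCCESSFUL:      # step 6
                return self.template.cert_revoke_action
            if entry.status != GOOD:                # guideline: unknown/tryLater/unreachable
                return self.template.cert_unknown_action
            deps.add(name)
        self.proxied[site] = deps                   # proxied cert is tied to its OCSP entries
        return "proxy"


if __name__ == "__main__":
    v = SsliVerifier(ClientSslTemplate())
    chain = [("leaf.example.test", "http://ocsp.example.test"),
             ("Example Issuing CA", "http://ocsp.example.test")]
    print(v.decide("www.example.test", chain, 1000,
                   responder={"leaf.example.test": (GOOD, 300),
                              "Example Issuing CA": (GOOD, 60)}))      # proxy
    print(v.decide("www.example.test", chain, 1060,
                   responder={"Example Issuing CA": (TRY_LATER, 0)}))  # bypass: CA entry aged out
```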

Concept topics:

• “Server-SSL Template Certificate Revocation List” on page 324

• “IP-less OCSP and CRL Requests for SSLi” on page 327

• “Customizable Message for Invalid Certificates” on page 328

• “Revoking Certificates From the Cache and Generating CRL” on page 329

Task topics:

• “Configuring ACOS Server Certificate Verification (CLI)” on page 322

• “Configuring Server-SSL Template Certificate Revocation List (CLI)” on page 325

• “Configuration Example for IP-Less OCSP and CRL Requests (CLI)” on page 327

• “Configuring a Customizable Message for Invalid Certificates (CLI)” on page 328

• “Configuring a Customizable Message for Invalid Certificates (GUI)” on page 329

• “Workflow for Certificate Revocation and CRL Generation (CLI)” on page 330

• “Revoking a Certificate and Generating CRL (GUI)” on page 332

Configuring ACOS Server Certificate Verification (CLI)


By default, ACOS server certificate verification is enabled. The forward-proxy-ocsp-disable command
disables OCSP verification. This feature applies to transparent SSLi for HTTPS sessions.

This section provides configuration instructions that enable ACOS server certificate verification for the
SSLi feature.

1. Configure the SSL client template.


The following SSL client template is enabled for SSL proxy through the following forward-proxy
commands.
ACOS_decrypt(config)# slb template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS_decrypt(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS_decrypt(config-client ssl)# forward-proxy-enable
ACOS_decrypt(config-client ssl)# forward-proxy-trusted-ca default_ca_bundle_jan_2018
ACOS_decrypt(config-client ssl)# forward-proxy-trusted-ca windows_ca_bundle_jan_2018
ACOS_decrypt(config-client ssl)# enable-tls-alert-logging fatal
ACOS_decrypt(config-client ssl)# forward-proxy-verify-cert-fail-action drop
ACOS_decrypt(config-client ssl)# forward-proxy-cert-revoke-action drop
ACOS_decrypt(config-client ssl)# forward-proxy-cert-unknown-action drop

By default, ACOS drops client connections for which the certificate of the outside server is
invalid. When server verification is configured using the forward-proxy-trusted-ca commands in
a client-SSL template, the action is to bypass client connections if the certificate of the outside
server is invalid.
2. If you deploy SSLi and ACOS_decrypt is not provisioned with L3V partitions, the configuration of
port 443 https of the wildcard VIP on the client side is not changed.
ACOS_decrypt(config)# slb virtual-server decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-slb vserver-vport)# exit

3. If you deploy SSLi and ACOS_decrypt is provisioned with L3V partitions, the configuration of port
443 https of the wildcard VIP must include the route to the DNS server as shown in the following
command lines, and non-HTTP protocols must be bypassed:
ACOS_decrypt(config)# slb template dynamic-service DNS-FOR-OCSP
ACOS_decrypt(config-dynamic-service)# dns server 192.168.1.110
ACOS_decrypt(config-dynamic-service)# dns server 8.8.8.8
ACOS_decrypt(config-dynamic-service)# exit

The following commands create an HTTP template named “non-http-bypass.” When this template is bound
to the HTTPS port, it redirects all non-HTTP traffic to the FW1_Inspect_SG service group. By
default, the ACOS device drops non-HTTP requests that are sent to an HTTP port.
ACOS_decrypt(config)# slb template http non-http-bypass
ACOS_decrypt(config-http)# non-http-bypass service-group FW1_Inspect_SG
ACOS_decrypt(config-http)# exit

4. Bind both templates, non-http-bypass and d1, and the client-SSL template to the virtual server that
proxies for the SSL external server.
ACOS_decrypt(config)# slb virtual-server decrypt_VIP 0.0.0.0 acl 100
ACOS_decrypt(config-slb vserver)# port 443 https
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat port-translation
ACOS_decrypt(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS_decrypt(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS_decrypt(config-slb vserver-vport)# template dynamic-service d1
ACOS_decrypt(config-slb vserver-vport)# template http non-http-bypass
ACOS_decrypt(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS_decrypt(config-slb vserver-vport)# exit

5. Whether or not ACOS_decrypt is L3V partitioned, the configuration of the wildcard ports of the VIP
is not changed:

ACOS_decrypt(config-slb vserver)# port 0 tcp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_TCP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 udp
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit

ACOS_decrypt(config-slb vserver)# port 0 others
ACOS_decrypt(config-slb vserver-vport)# no-dest-nat
ACOS_decrypt(config-slb vserver-vport)# service-group ALL_UDP_SG
ACOS_decrypt(config-slb vserver-vport)# exit
ACOS_decrypt(config-slb vserver)# exit

6. Configure a source-NAT pool for use by the ACOS Server Verification Module (SVM) daemon. Source
NAT is required to dynamically make the TCP connections between the ACOS device and the
resources that SVM OCSP needs to reach. In the following example, the TCP connections use a
pool of source addresses reserved for OCSP connections.
ACOS_decrypt(config)# ip nat pool OCSP_NAT_vl_50 192.168.51.254 192.168.51.254 netmask /24
ACOS_decrypt(config)# slb svm-source-nat pool OCSP_NAT_vl_50

7. Configure the IP address of a DNS server that ACOS_decrypt can reach to be able to look up the IP
address of the OCSP servers that the ACOS server certificate verification feature will use. The con-
figuration of a default route, interfaces, ports, and service groups that enable ACOS_decrypt to
connect to the DNS server are not shown.
ACOS_decrypt(config)#ip dns primary 8.8.8.8

8. Use the show slb ssl-ocsp cache command to view the status of the OCSP cache:

ACOS_decrypt# show slb ssl-ocsp cache
Total: 2
Common Name                                    Status
-------------------------------------------------------------------
Company1 Internet Authority G2                 Good
Company2 Root Certificate Authority - G2       Good

Server-SSL Template Certificate Revocation List


Certificate Revocation List (CRL) is an available option for the server-SSL template to validate the ser-
vice-side server. Each CRL must have a relevant certificate authority (CA) certificate configured in the
same SSL template in order to validate whether incoming certificates have been revoked. A maximum
of 128 files containing CA or CRL may be configured.


Specify the name of the Certificate Revocation List (CRL) to use for verifying whether server certificates
have been revoked. The CRL must be installed on the ACOS device first. The CA certificate relevant to
the CRL must also be specified.

Configuring Server-SSL Template Certificate Revocation List (CLI)

When you add a CRL to a server-SSL template, the ACOS device checks the CRL to confirm whether or
not the servers’ certificates have been revoked by the issuing Certificate Authority (CA).

This section provides configuration instructions for adding CRL and CA certificates, viewing the CRL
and OCSP activity, and retrieving the CRL expiration status.

1. Add CRL and CA certificates to a server-SSL template named SSL-Svr, along with the import of CA
certificates. Each crl line names a CRL that must be matched by a ca-cert line for its issuing CA.
ACOS(config)# slb template server-ssl SSL-Svr
ACOS(config-server ssl)# crl 10_ca.crt_crl.pem
ACOS(config-server ssl)# crl 20_ca.crt_crl.pem
ACOS(config-server ssl)# crl root-ca.pem.crl.pem
ACOS(config-server ssl)# ca-cert 10_ca_crt
ACOS(config-server ssl)# certificate Cert123 key Key123 pass-phrase Pass123
ACOS(config-server ssl)# ca-cert 20_ca.crt
ACOS(config-server ssl)# ca-cert root-ca.pem

2. Use the show slb ssl-cert-revoke-stats command to view both OCSP and CRL activity:
ACOS(config-client ssl)# show slb ssl-cert-revoke-stats
OCSP stapling response good: 0
Certificate chain status good: 0
Certificate chain status revoked: 0
Certificate chain status unknown: 0
OCSP requests: 0
OCSP responses: 0
OCSP connection errors: 0
OCSP URI not found: 0
OCSP URI https: 0
OCSP URI unsupported: 0
OCSP response status good: 0
OCSP response status revoked: 0
OCSP response status unknown: 0
OCSP cache status good: 0
OCSP cache status revoked: 0
OCSP cache miss: 0
OCSP cache expired: 0
OCSP other errors: 0
CRL requests: 0
CRL responses: 0
CRL connection errors: 0
CRL URI not found: 0
CRL URI https: 0
CRL URI unsupported: 0
CRL response status good: 0
CRL response status revoked: 0
CRL response status unknown: 0
CRL cache status good: 0
CRL cache status revoked: 0
CRL other errors: 0

3. Use the show slb ssl-crl command to view the retrieved CRL status for a specific virtual port. If
the certificate issuers have listed expiration dates for the certificates, then this command will
show you the issuer and the expired or not expired status.

ACOS_decrypt# show slb ssl-crl example_vip_name 443

Virtual server(example_vip_name : 443):

----Retrieved CRL----
Issuer: /O=AlphaSSL/CN=AlphaSSL CA - G2
Status: Expired

Issuer: /O=Cybertrust, Inc/CN=Cybertrust Global Root
Status: Not expired

Issuer: /O=Verizon Cybertrust Security/CN=Cybertrust SureServer EV OCSP CA
Status: Not expired

Issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
Status: Expired

Issuer: /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
Status: Expired

4. You can disable CRL services for SSLi (forward-proxy) with the forward-proxy-crl-disable com-
mand. The following example shows how to disable CRL services in the client-SSL template
named ClientSide_vRouter.

ACOS_decrypt(config)# slb template client-ssl ClientSide_vRouter
ACOS_decrypt(config-client ssl)# forward-proxy-crl-disable
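The counters from show slb ssl-cert-revoke-stats (step 2 above) can drive a monitoring check. The following added Python example (not ACOS code) parses two constructed samples of that output, computes the growth of each counter between them, and reports when certificate chains are being resolved as unknown or when responder lookups are failing, which are the conditions under which SSLi falls back to the unknown or bypass action instead of a verified proxy. The sample counter values and the alert threshold are constructed for the example.

```python
"""Parse `show slb ssl-cert-revoke-stats` samples and flag unverified-chain growth.

Added example, not ACOS code. The two samples below are constructed, not captured output.
"""
import re
from typing import Dict, List

# One counter per line in the form "<name>: <value>"; prompt and blank lines are skipped.
_COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\d+)\s*$")

# Counters whose growth means a lookup did not produce a verified answer.
UNVERIFIED = [
    "OCSP connection errors", "OCSP URI https", "OCSP URI unsupported",
    "OCSP URI not found", "OCSP response status unknown", "OCSP other errors",
    "CRL connection errors", "CRL URI https", "CRL URI unsupported",
    "CRL URI not found", "CRL response status unknown", "CRL other errors",
]


def parse_revoke_stats(text: str) -> Dict[str, int]:
    """Return {counter_name: value} for every counter line in the command output."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def counter_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Growth per counter; a counter that went backwards (cleared/rebooted) counts as 0."""
    return {k: max(0, after.get(k, 0) - before.get(k, 0)) for k in after}


def assess(before: Dict[str, int], after: Dict[str, int],
           max_unknown_ratio: float = 0.05) -> Dict[str, object]:
    """Summarise the interval: chains evaluated, share resolved as unknown, revoked chains,
    and the individual failure counters that grew. 'alert' is set when the unknown share
    exceeds max_unknown_ratio (threshold is an assumption for the example)."""
    d = counter_delta(before, after)
    chains = sum(d.get("Certificate chain status " + s, 0)
                 for s in ("good", "revoked", "unknown"))
    unknown = d.get("Certificate chain status unknown", 0)
    ratio = unknown / chains if chains else 0.0
    findings: List[str] = [f"{k} grew by {d[k]}" for k in UNVERIFIED if d.get(k, 0)]
    return {
        "chains": chains,
        "unknown_ratio": ratio,
        "revoked": d.get("Certificate chain status revoked", 0),
        "findings": findings,
        "alert": ratio > max_unknown_ratio,
    }


# Constructed samples: the first taken shortly after the counters were cleared, the second
# after a period in which several chains could not be verified.
SAMPLE_BEFORE = """ACOS(config-client ssl)# show slb ssl-cert-revoke-stats
OCSP stapling response good: 5
Certificate chain status good: 20
Certificate chain status revoked: 0
Certificate chain status unknown: 0
OCSP requests: 15
OCSP responses: 15
OCSP connection errors: 0
OCSP URI https: 0
OCSP response status unknown: 0
"""

SAMPLE_AFTER = """ACOS(config-client ssl)# show slb ssl-cert-revoke-stats
OCSP stapling response good: 40
Certificate chain status good: 180
Certificate chain status revoked: 2
Certificate chain status unknown: 18
OCSP requests: 160
OCSP responses: 150
OCSP connection errors: 6
OCSP URI not found: 0
OCSP URI https: 12
OCSP URI unsupported: 0
OCSP response status good: 146
OCSP response status revoked: 2
OCSP response status unknown: 2
OCSP cache status good: 30
OCSP cache miss: 160
OCSP cache expired: 3
CRL requests: 10
CRL responses: 10
CRL connection errors: 0
"""


if __name__ == "__main__":
    report = assess(parse_revoke_stats(SAMPLE_BEFORE), parse_revoke_stats(SAMPLE_AFTER))
    for key, value in report.items():
        print(f"{key}: {value}")
```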


IP-less OCSP and CRL Requests for SSLi


In a standard SSLi setup, an SVM NAT pool is configured to source OCSP and CRL requests. However, ACOS
also supports using the client IP address to send OCSP and CRL requests. This allows the same ACOS
deployment to be used across different hardware systems, because no IP address has to be configured
for OCSP and CRL requests.

Some of the important guidelines are:

• This feature is supported for IP-less Layer-2 SSLi.

• This feature is only applicable for static and dynamic SSLi. The SSLi virtual port does not support
this feature.
• In order to resolve the OCSP and CRL URLs, the ip dns primary configuration in the shared parti-
tion must be set. The ip dns primary configuration is required in the shared partition if the ACOS
encrypt and ACOS decrypt zones are in private partitions as it is a global configuration.
• The route for ip dns primary must also be configured as the default gateway of the manage-
ment IP.
• Unlike legacy SSLi, the feature does not need to configure svm-source-nat pool and dynamic-
service template on the shared and L3V partitions respectively.
• Instead of svm-source-nat pool IP, use the client IP address for sending OCSP and CRL requests.

Configuration Example for IP-Less OCSP and CRL Requests (CLI)


The following is a sample configuration of the shared partition of the ACOS system. The ip dns primary
and ip route lines correspond to the configuration guidelines above.

ACOS# show running-config
!
! multi-ctrl-cpu 2
!The IP address used here is also used as the default gateway.
ip dns primary 192.168.1.50
!
partition test id 21
!
interface management
  ip address 10.6.29.50 255.255.255.0
  ip default-gateway 10.6.29.1
!
interface ethernet 1
!
interface ethernet 2
!
interface ethernet 3
!
interface ethernet 4
!
ip route 192.168.1.50 /32 10.6.29.1
!
end

Customizable Message for Invalid Certificates


An invalid certificate is defined as an origin certificate that has issues, such as CN mismatch, self-
signed, unknown CA, revoked certificate, expired certificate, broken trust chain, OCSP issues, and so on.
When certificate validation fails or OCSP validation fails, the SSLi log includes a unique ID that is refer-
enced by the customizable web page displayed to the user.

In the case of a certificate verification failure, a certificate revocation, or an unknown certificate, SSLi
enables you to either drop, bypass, or continue the connection. In addition to these three actions, you can
also use the block option, which displays an error page with a customizable message.

Task Topics:

• “Configuring a Customizable Message for Invalid Certificates (CLI)” on page 328

• “Configuring a Customizable Message for Invalid Certificates (GUI)” on page 329

Configuring a Customizable Message for Invalid Certificates (CLI)


You can configure a customizable message if you enable the block option for SSLi certificate errors.

Perform the following steps to configure a customizable error message:

1. Create the client SSL template.
ACOS(config)# slb template client-ssl clientssl

2. Configure the block option for a certificate verification failure.
ACOS(config-client ssl)# forward-proxy-verify-cert-fail-action block

3. Configure the block option for an unknown certificate failure.
ACOS(config-client ssl)# forward-proxy-cert-unknown-action block

4. Configure the block option for a certificate revocation.
ACOS(config-client ssl)# forward-proxy-cert-revoke-action block

5. Configure the message to display if SSLi encounters an invalid certificate.
ACOS(config-client ssl)# forward-proxy-block-message "This website cannot be displayed as there is a certificate issue."


Configuring a Customizable Message for Invalid Certificates (GUI)


You can configure a customizable message if you enable the block option for SSLi certificate errors.
You must edit the SSLi client certificate.

1. Navigate to Security >> SSLi >> Templates.
2. Select the SSLi client template you wish to modify and click Edit.
The Update Client SSL Template window is displayed.
3. Click the Advanced tab.
4. For any or all of the options below, select Block from the drop-down menu.
• Forward Proxy Verify Cert Fail Action
• Forward Proxy Cert Revoke Action
• Forward Proxy Cert Unknown Action
5. In the Forward Proxy Block Message field, enter your custom message.
6. Click Update.

Revoking Certificates From the Cache and Generating CRL

ACOS supports revoking certificates generated by SSLi if the certificates are leaked. Revoked certifi-
cates are identified by their serial numbers. If a certificate is revoked from the cache, a CRL is gener-
ated and provided to the clients connected to SSLi providing information about the revoked certificates.

The following is some important information regarding revoked certificates:

• A certificate, if revoked, cannot be restored.

• When the CRL is generated, the list is read, put into CRL format, and signed by using the forward-
proxy-ca-key.
• The CRL is generated manually and then exported to a location reachable by the clients.

• The feature is supported both in ACOS GUI and ACOS CLI.

Related Tasks:

• “Workflow for Certificate Revocation and CRL Generation (CLI)” on page 330

• “Revoking a Certificate and Generating CRL (GUI)” on page 332


Workflow for Certificate Revocation and CRL Generation (CLI)


The workflow is as follows; some commands differ between static port SSLi and dynamic port
SSLi:

Step 1: Checking the Certificate Serial Number (CLI)

Step 2: Revoking a Certificate (CLI)

Step 3: Generating a CRL (CLI)

Step 4: Displaying the CRL (CLI)

Step 5: Clearing Revoked Certificates and Deleting the CRL (CLI)

Step 1: Checking the Certificate Serial Number (CLI)


Follow the steps below to obtain the server certificate serial number, depending on the type of SSLi
configured for your system.

• Static Port SSLi

• Dynamic Port SSLi

Static Port SSLi

The command syntax for checking the certificate serial number for static SSLi vport is:

ACOS(config)# show slb ssl-forward-proxy-cert vip_name vport_number ipaddress server_ip_address server_name

For static port SSLi, the following is an example:

ACOS(config)# show slb ssl-forward-proxy-cert internet 443 ipaddress 10.10.10.1 www.example.com

Output similar to the following is displayed; the certificate serial number is on the serial(hex) line:

Virtual server port internet: 443

----Start One Certificate---
Real Server : 10.10.10.1 :443 tcp
Servername: www.example.com
ALPN Protocol: ALPN NONE
state: ready
hash index : 5864
hit times : 1
idle time : 33 seconds
timeout after 3567 seconds
expires after 604758 seconds
version : 3

[output truncated]
serial(hex): 0123e2
Total number of particular certificates that are printed is 1

Dynamic Port SSLi

The command syntax for checking the certificate serial number for dynamic port SSLi is:

ACOS(config)# show slb ssl-forward-proxy-cert vip_name 0 ip server_ip_address port_number server_name

The port number is the port on which traffic is running. For dynamic port SSLi, the following is an example:

ACOS(config)# show slb ssl-forward-proxy-cert inside 0 ip 10.10.10.1 443 www.example.com

Output similar to the following is displayed; the certificate serial number is on the serial(hex) line:

----Start One Certificate---


Real Server : 10.10.10.1 :443 tcp
Servername: www.example.com
ALPN Protocol: ALPN NONE
state: ready
hash index : 5864
hit times : 1
idle time : 33 seconds
timeout after 3567 seconds
expires after 604758 seconds
version : 3

[output turncated]
serial(hex): 0123e2
Total number of particular certificates that are printed is 1

Step 2: Revoking a Certificate (CLI)


The following is the syntax for revoking a certificate:

ACOS(config)# pki ssli revoke vip_name vport_number certificate_serial_number_hex

For a static port SSLi configuration where the VIP is called internet and the certificate serial number is
0123e2, run the following command to revoke the certificate:

ACOS(config)# pki ssli revoke internet 443 0123e2


Step 3: Generating a CRL (CLI)


The following is the syntax for generating a CRL:

ACOS(config)# pki ssli generate crl vip_name vport_number

Run the following command to generate the CRL for a static port SSLi configuration:

ACOS(config)# pki ssli generate crl internet 443

Step 4: Displaying the CRL (CLI)


The following is the syntax for displaying the generated CRL:

ACOS(config)# show pki crl

Output similar to the following is displayed:

name: internet-443.crl
Issuer: /O=Example Inc, Inc./OU=IT SSLi/[email protected]/L=San Jose/ST=CA/C=US/
CN=A10_Intermediate_CA_SHA256

Step 5: Clearing Revoked Certificates and Deleting the CRL (CLI)


The following is the syntax for clearing the list of revoked certificates and deleting the CRL:

ACOS(config)# clear slb ssl-forward-proxy-revoked vip_name vport_number

The following is an example:

ACOS(config)# clear slb ssl-forward-proxy-revoked internet 443
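The following is an added example, not part of this guide and not A10 software, that automates Steps 1 through 3 for a whole site instead of one serial number at a time. It parses the record format that show slb ssl-forward-proxy-cert prints (as shown in Step 1), selects the cached certificates by server name or real-server address, and emits the matching pki ssli revoke and pki ssli generate crl commands. The sample output is constructed from the Step 1 record plus a second, made-up entry (10.10.10.2, cdn.example.com, serial 0123e3); the vip and vport arguments are whatever values you used in the show command.

```python
"""Parse 'show slb ssl-forward-proxy-cert' output and build the revoke/CRL commands.

Added example, not A10 code. It reads the record format shown in Step 1 and
produces the Step 2 and Step 3 commands for every cached certificate that
matches a server name or real-server address, so a whole site can be revoked
without copying serial numbers by hand.
"""
import re

RECORD_MARKER = "----Start One Certificate---"
RE_REAL = re.compile(r"Real Server\s*:\s*([\d.]+)\s*:\s*(\d+)\s+(\w+)")
RE_SNI = re.compile(r"Servername:\s*(\S+)")
RE_STATE = re.compile(r"state:\s*(\S+)")
RE_SERIAL = re.compile(r"serial\(hex\):\s*([0-9a-fA-F]+)")


def parse_forward_proxy_certs(output):
    """Return one dict per cached certificate: server, port, proto, servername, state, serial."""
    certs = []
    for chunk in output.split(RECORD_MARKER)[1:]:
        real, serial = RE_REAL.search(chunk), RE_SERIAL.search(chunk)
        if not (real and serial):
            continue  # truncated record: never guess a serial to revoke
        sni, state = RE_SNI.search(chunk), RE_STATE.search(chunk)
        certs.append({"server": real.group(1), "port": int(real.group(2)), "proto": real.group(3),
                      "servername": sni.group(1) if sni else None,
                      "state": state.group(1) if state else None,
                      "serial": serial.group(1).lower()})
    return certs


def revoke_commands(vip, vport, certs, servername=None, server_ip=None):
    """Step 2 and Step 3 commands for the cached certificates that match the filters.

    vip/vport are the SSLi virtual server and port the certificates were listed for
    (the values used in the show command). No filter selects every cached certificate.
    """
    selected = [c for c in certs
                if (servername is None or c["servername"] == servername)
                and (server_ip is None or c["server"] == server_ip)]
    commands, seen = [], set()
    for cert in selected:
        if cert["serial"] not in seen:  # guard against duplicate records in the dump
            seen.add(cert["serial"])
            commands.append(f"pki ssli revoke {vip} {vport} {cert['serial']}")
    if commands:
        commands.append(f"pki ssli generate crl {vip} {vport}")
    return commands


# Constructed sample: the Step 1 record from this guide plus a second, made-up entry.
SAMPLE_OUTPUT = """\
Virtual server port internet: 443

----Start One Certificate---
Real Server : 10.10.10.1 :443 tcp
Servername: www.example.com
ALPN Protocol: ALPN NONE
state: ready
hash index : 5864
hit times : 1
idle time : 33 seconds
timeout after 3567 seconds
expires after 604758 seconds
version : 3
serial(hex): 0123e2
----Start One Certificate---
Real Server : 10.10.10.2 :443 tcp
Servername: cdn.example.com
ALPN Protocol: ALPN NONE
state: ready
version : 3
serial(hex): 0123e3
Total number of particular certificates that are printed is 2
"""

if __name__ == "__main__":
    cached = parse_forward_proxy_certs(SAMPLE_OUTPUT)
    for cmd in revoke_commands("internet", 443, cached, servername="www.example.com"):
        print(cmd)
```

A record with no serial(hex) line (for example, one cut off at the end of a paged dump) is skipped rather than guessed, so the generated commands never revoke a serial that was not actually read from the cache.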

Revoking a Certificate and Generating CRL (GUI)


Perform the steps below to revoke a certificate associated with an SSLi service and generate a CRL in
ACOS GUI:

1. Navigate to Security >> SSLi >> Services.


The list of services is displayed.
If the port has forward proxy cert enabled, the Revoke and Generate CRL links are displayed.
2. To revoke a certificate, click the Revoke link.
The Revoke Certificate window is displayed.
More than one certificate may be associated with the virtual port and all are displayed.


3. Click the Revoke link under Actions to revoke a certificate.


A message indicating the status of the operation is displayed.
4. To revoke more than one certificate, you must click the Revoke link associated with each certificate.
5. Click Close.
6. To generate a CRL, click the Generate CRL link.
A message indicating the status of the operation is displayed.

Alternatively, perform the steps below to revoke an SSLi certificate and generate a CRL from the SSLi Certs report in the ACOS GUI:

1. Navigate to Security >> SSLi >> Reports >> SSLi Certs.


A list of certificates is displayed.
2. To revoke a certificate, click the Revoke link.
A message indicating the status of the operation is displayed.
3. To revoke more than one certificate, you must click the Revoke link associated with each certificate.

To generate a CRL, click the Generate CRL link.


A message indicating the status of the operation is displayed.


SSL Insight VRRP-A

The following topics are covered:

• VRRP-A SSLi Configuration Example

• Related Information

This chapter helps you understand SSL Insight in a VRRP-A deployment.


VRRP-A SSLi Configuration Example


The following sections describe the configuration steps needed to create an example SSL Insight
VRRP-A deployment. Figure 39 is the topology of this example.


FIGURE 39 SSL Insight Topology Example


CLI Configuration Steps


The commands in this section configure the inside ACOS devices in Figure 39.

Inside Primary ACOS device

Hostname Configuration
ACOS(config)# hostname ACOS-Inside-Primary

Layer 2/3 Configuration

Enter the following commands to configure the VLANs:

ACOS-Inside-Primary(config)# vlan 10
ACOS-Inside-Primary(config-vlan:10)# untagged ethernet 20
ACOS-Inside-Primary(config-vlan:10)# router-interface ve 10
ACOS-Inside-Primary(config-vlan:10)# exit
ACOS-Inside-Primary(config)# vlan 15
ACOS-Inside-Primary(config-vlan:15)# untagged ethernet 1
ACOS-Inside-Primary(config-vlan:15)# router-interface ve 15
ACOS-Inside-Primary(config-vlan:15)# exit
ACOS-Inside-Primary(config)# vlan 16
ACOS-Inside-Primary(config-vlan:16)# untagged ethernet 2
ACOS-Inside-Primary(config-vlan:16)# router-interface ve 16
ACOS-Inside-Primary(config-vlan:16)# exit
ACOS-Inside-Primary(config)# vlan 99
ACOS-Inside-Primary(config-vlan:99)# untagged ethernet 18
ACOS-Inside-Primary(config-vlan:99)# router-interface ve 99
ACOS-Inside-Primary(config-vlan:99)# exit

The following commands assign IP addresses to the VEs (router interfaces) that are configured on the
VLANs. Since VE 10 is connected to the clients, promiscuous VIP mode is enabled on this VE. The other
VEs do not use promiscuous VIP mode in this deployment.

ACOS-Inside-Primary(config)# interface ve 10
ACOS-Inside-Primary(config-if:ve10)# ip address 10.1.1.2/24
ACOS-Inside-Primary(config-if:ve10)# ip allow-promiscuous-vip
ACOS-Inside-Primary(config-if:ve10)# exit
ACOS-Inside-Primary(config)# interface ve 15
ACOS-Inside-Primary(config-if:ve15)# ip address 10.1.240.2/24
ACOS-Inside-Primary(config-if:ve15)# exit
ACOS-Inside-Primary(config)# interface ve 16
ACOS-Inside-Primary(config-if:ve16)# ip address 10.1.250.2/24
ACOS-Inside-Primary(config-if:ve16)# exit


ACOS-Inside-Primary(config)# interface ve 99
ACOS-Inside-Primary(config-if:ve99)# ip address 55.1.1.1/24
ACOS-Inside-Primary(config-if:ve99)# exit

The following commands configure static routes to the network on the side of the outside ACOS
devices that connects to the Internet. The next-hop IP address of each route is the floating IP address
of a VRID on the outside ACOS devices. Specifically, these are the floating IP addresses that belong to
the VRIDs for the VLANs that contain the security devices.

ACOS-Inside-Primary(config)# ip route 20.1.1.0 /24 10.1.240.11
ACOS-Inside-Primary(config)# ip route 20.1.1.0 /24 10.1.250.11

SSL Configuration

The following commands import the CA certificate and private key that the inside ACOS device uses to issue the server certificates it presents to clients (the forward-proxy CA). This CA must be trusted by the clients, and its private key must be protected accordingly: anyone holding it can impersonate any site to those clients.

ACOS-Inside-Primary(config)# import cert ca.cert.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
ACOS-Inside-Primary(config)# import key private-key ca.key.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem

The following commands configure the client-SSL template. The certificate and key names must match the names given in the import commands:

ACOS-Inside-Primary(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside-Primary(config-client SSL template)# forward-proxy-enable
ACOS-Inside-Primary(config-client SSL template)# forward-proxy-ca-cert ca.cert.pem
ACOS-Inside-Primary(config-client SSL template)# forward-proxy-ca-key ca.key.pem
ACOS-Inside-Primary(config-client SSL template)# exit

Path Configuration

The following commands configure the paths through the security devices:

ACOS-Inside-Primary(config)# slb server PSG1_Path 10.1.240.11
ACOS-Inside-Primary(config-real server)# port 0 tcp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# port 0 udp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# port 8080 tcp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# exit
ACOS-Inside-Primary(config)# slb server PSG2_Path 10.1.250.11
ACOS-Inside-Primary(config-real server)# port 0 tcp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# port 0 udp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# port 8080 tcp
ACOS-Inside-Primary(config-real server-node port)# health-check-disable
ACOS-Inside-Primary(config-real server-node port)# exit
ACOS-Inside-Primary(config-real server)# exit

ACOS-Inside-Primary(config)# slb service-group LB_Paths_UDP udp
ACOS-Inside-Primary(config-slb svc group)# member PSG1_Path 0
ACOS-Inside-Primary(config-slb svc group)# member PSG2_Path 0
ACOS-Inside-Primary(config-slb svc group)# exit
ACOS-Inside-Primary(config)# slb service-group LB_Paths_TCP tcp
ACOS-Inside-Primary(config-slb svc group)# member PSG1_Path 0
ACOS-Inside-Primary(config-slb svc group)# member PSG2_Path 0
ACOS-Inside-Primary(config-slb svc group)# exit
ACOS-Inside-Primary(config)# slb service-group SSL tcp
ACOS-Inside-Primary(config-slb svc group)# member PSG1_Path 8080
ACOS-Inside-Primary(config-slb svc group)# member PSG2_Path 8080
ACOS-Inside-Primary(config-slb svc group)# exit

The following commands configure the wildcard VIP to intercept all outbound traffic that originates
from the inside network:

ACOS-Inside-Primary(config)# access-list 100 permit ip any any vlan 10
ACOS-Inside-Primary(config)# slb virtual-server outbound_wildcard 0.0.0.0 acl 100
ACOS-Inside-Primary(config-slb vserver)# port 0 tcp
ACOS-Inside-Primary(config-slb vserver-vport)# name Inside1_in_to_out
ACOS-Inside-Primary(config-slb vserver-vport)# service-group LB_Paths_TCP
ACOS-Inside-Primary(config-slb vserver-vport)# no-dest-nat
ACOS-Inside-Primary(config-slb vserver-vport)# exit
ACOS-Inside-Primary(config-slb vserver)# port 0 udp
ACOS-Inside-Primary(config-slb vserver-vport)# name Inside1_in_to_out_UDP
ACOS-Inside-Primary(config-slb vserver-vport)# service-group LB_Paths_UDP
ACOS-Inside-Primary(config-slb vserver-vport)# no-dest-nat
ACOS-Inside-Primary(config-slb vserver-vport)# exit
ACOS-Inside-Primary(config-slb vserver)# port 443 https
ACOS-Inside-Primary(config-slb vserver-vport)# name Inside1_in_to_out_443
ACOS-Inside-Primary(config-slb vserver-vport)# service-group SSL
ACOS-Inside-Primary(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside-Primary(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Inside-Primary(config-slb vserver-vport)# exit
ACOS-Inside-Primary(config-slb vserver)# exit

VRRP-A Configuration

The following commands specify the VRRP-A device ID for this ACOS device, add the ACOS device to
VRRP-A set 1, and enable VRRP-A on the device:

ACOS-Inside-Primary(config)# vrrp-a common
ACOS-Inside-Primary(config-common)# device-id 1
ACOS-Inside-Primary(config-common)# set-id 1
ACOS-Inside-Primary(config-common)# enable
ACOS-Inside-Primary(config-common)# exit

The following commands configure the VRID for the inside ACOS devices’ interface with the client net-
work:

ACOS-Inside-Primary(config)# vrrp-a vrid 0
ACOS-Inside-Primary(config-vrid:0)# floating-ip 10.1.1.1
ACOS-Inside-Primary(config-vrid:0)# blade-parameters
ACOS-Inside-Primary(config-vrid:0-blade-parameters)# priority 200
ACOS-Inside-Primary(config-vrid:0-blade-parameters)# tracking-options
ACOS-Inside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Primary(config-vrid:0-blade-parameters-track...)# exit
ACOS-Inside-Primary(config-vrid:0-blade-parameters)# exit
ACOS-Inside-Primary(config-vrid:0)# exit

The following commands configure the VRID for the VLAN that contains the first security device
(PSG1):

ACOS-Inside-Primary(config)# vrrp-a vrid 15
ACOS-Inside-Primary(config-vrid:15)# floating-ip 10.1.240.1
ACOS-Inside-Primary(config-vrid:15)# blade-parameters
ACOS-Inside-Primary(config-vrid:15-blade-parameters)# priority 200
ACOS-Inside-Primary(config-vrid:15-blade-parameters)# tracking-options
ACOS-Inside-Primary(config-vrid:15-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Primary(config-vrid:15-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Primary(config-vrid:15-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Primary(config-vrid:15-blade-parameters-track...)# exit
ACOS-Inside-Primary(config-vrid:15-blade-parameters)# exit
ACOS-Inside-Primary(config-vrid:15)# exit

The following commands configure the VRID for the VLAN that contains the second security device
(PSG2):

ACOS-Inside-Primary(config)# vrrp-a vrid 16
ACOS-Inside-Primary(config-vrid:16)# floating-ip 10.1.250.1
ACOS-Inside-Primary(config-vrid:16)# blade-parameters
ACOS-Inside-Primary(config-vrid:16-blade-parameters)# priority 200
ACOS-Inside-Primary(config-vrid:16-blade-parameters)# tracking-options
ACOS-Inside-Primary(config-vrid:16-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Primary(config-vrid:16-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Primary(config-vrid:16-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Primary(config-vrid:16-blade-parameters-track...)# exit
ACOS-Inside-Primary(config-vrid:16-blade-parameters)# exit
ACOS-Inside-Primary(config-vrid:16)# exit

The following commands configure the VRRP-A interface that connects this ACOS device to its VRRP-A peer:

ACOS-Inside-Primary(config)# vrrp-a interface ethernet 18
ACOS-Inside-Primary(config-ethernet:18)# vlan 99

Inside Secondary ACOS device


The configuration on the inside secondary ACOS device is the same as the configuration on the inside
primary ACOS device, except for the following device-specific parameters:

• Hostname – The hostname is configured with a unique value to make it simpler to identify the
device.
• VRRP-A device ID – The ID must be unique in the set of ACOS devices that are backed up by
VRRP-A (the VRRP-A set).
• Interface IP addresses – The VLAN IDs are the same on both ACOS devices, but the router interface on each VLAN has a unique IP address. The IP address is unique on each ACOS device.
• Priority values of the VRIDs – To specify the ACOS device’s default VRRP-A role (active or
backup), each VRID on this ACOS device is configured with a lower priority value than the same
VRID on the inside primary ACOS device.
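The following is an added example, not A10 code, that turns the four differences listed above, together with the static-route rule from the inside Layer 2/3 configuration (each next hop is a floating IP of a VRID on the peer pair), into a check that can be run against saved CLI transcripts. It parses the "<host>(<mode>)# <command>" transcript format used throughout this chapter. The transcripts it is fed are abridged and constructed from the inside primary, inside secondary and outside primary configurations in this chapter (PSG1 path only); the secondary transcript is derived from the primary by substituting exactly the four device-specific parameters. The rule that a next hop must also lie on a directly attached subnet is an added sanity check, not something the chapter states.

```python
"""Consistency checks for the VRRP-A SSLi pair in this chapter (added example, not A10 code).
Parses CLI transcripts in the chapter's '<host>(<mode>)# <command>' format and checks the
device-specific rules the chapter lists, plus that each static-route next hop is a floating
IP owned by the peer pair on a directly attached subnet."""
import ipaddress
import re

PROMPT = re.compile(r"^(?P<host>[^\s(]+)\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")


def parse_transcript(text):
    """Extract hostname, device-id, set-id, VRIDs, VE addresses and static routes."""
    dev = {"host": None, "device_id": None, "set_id": None, "vrids": {}, "ves": {}, "routes": []}
    vrid = ve = None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group("cmd"):
            continue
        cmd = m.group("cmd").split()
        dev["host"] = cmd[1] if cmd[0] == "hostname" else (dev["host"] or m.group("host"))
        if cmd[:2] == ["vrrp-a", "vrid"]:
            vrid, ve = int(cmd[2]), None
            dev["vrids"].setdefault(vrid, {})
        elif cmd[0] == "floating-ip" and vrid is not None:
            dev["vrids"][vrid]["floating"] = ipaddress.ip_address(cmd[1])
        elif cmd[0] == "priority" and vrid is not None:
            dev["vrids"][vrid]["priority"] = int(cmd[1])
        elif cmd[:2] == ["interface", "ve"]:
            ve, vrid = int(cmd[2]), None
        elif cmd[:2] == ["ip", "address"] and ve is not None:
            # Accepts both 'a.b.c.d/24' and 'a.b.c.d 255.255.255.0'; the chapter uses both.
            dev["ves"][ve] = ipaddress.ip_interface("/".join(cmd[2:]))
        elif cmd[:2] == ["ip", "route"]:
            # 'ip route 20.1.1.0 /24 10.1.240.11': the prefix length may be a separate token.
            dev["routes"].append((ipaddress.ip_network("".join(cmd[2:-1])), ipaddress.ip_address(cmd[-1])))
        elif cmd[0] in ("device-id", "set-id"):
            dev[cmd[0].replace("-", "_")] = int(cmd[1])
    return dev


def check_pair(primary, secondary):
    """Rules for two devices that back each other up in one VRRP-A set; [] means consistent."""
    problems = []
    for key, rule in (("host", "hostnames must be unique"), ("device_id", "device-id must be unique within the set")):
        if primary[key] == secondary[key]:
            problems.append(rule)
    if primary["set_id"] != secondary["set_id"]:
        problems.append("both devices must be in the same VRRP-A set")
    if primary["vrids"].keys() != secondary["vrids"].keys() or primary["ves"].keys() != secondary["ves"].keys():
        problems.append("VRID and VE lists must match on both devices")
    for vid in primary["vrids"].keys() & secondary["vrids"].keys():
        p, s = primary["vrids"][vid], secondary["vrids"][vid]
        if p.get("floating") != s.get("floating"):
            problems.append(f"vrid {vid}: floating-ip must be the same on both devices")
        if not p.get("priority", 0) > s.get("priority", 0):
            problems.append(f"vrid {vid}: secondary priority must be lower than primary")
    for ve in primary["ves"].keys() & secondary["ves"].keys():
        p, s = primary["ves"][ve], secondary["ves"][ve]
        if p.ip == s.ip or p.network != s.network:
            problems.append(f"ve {ve}: each device needs its own address in the same subnet")
    return problems


def check_routes(devices, peers):
    """Each static-route next hop on 'devices' must be a floating IP of 'peers' on an attached subnet."""
    floating = {v["floating"] for d in peers for v in d["vrids"].values() if "floating" in v}
    problems = []
    for dev in devices:
        attached = [i.network for i in dev["ves"].values()]
        for net, nh in dev["routes"]:
            if nh not in floating:
                problems.append(f"{dev['host']}: next hop {nh} for {net} is not a peer floating IP")
            elif not any(nh in n for n in attached):
                problems.append(f"{dev['host']}: next hop {nh} is not on a directly attached subnet")
    return problems


# Abridged transcripts constructed from this chapter (PSG1 path only).
INSIDE_PRIMARY = """\
ACOS-Inside-Primary(config)# interface ve 15
ACOS-Inside-Primary(config-if:ve15)# ip address 10.1.240.2/24
ACOS-Inside-Primary(config)# ip route 20.1.1.0 /24 10.1.240.11
ACOS-Inside-Primary(config-common)# device-id 1
ACOS-Inside-Primary(config-common)# set-id 1
ACOS-Inside-Primary(config)# vrrp-a vrid 15
ACOS-Inside-Primary(config-vrid:15)# floating-ip 10.1.240.1
ACOS-Inside-Primary(config-vrid:15-blade-parameters)# priority 200
"""
# The secondary differs only in the four device-specific parameters the chapter lists.
INSIDE_SECONDARY = (INSIDE_PRIMARY.replace("Inside-Primary", "Inside-Secondary")
                    .replace("10.1.240.2/24", "10.1.240.3 255.255.255.0")
                    .replace("device-id 1", "device-id 2").replace("priority 200", "priority 180"))
OUTSIDE_PRIMARY = """\
ACOS-Outside-Primary(config)# interface ve 15
ACOS-Outside-Primary(config-if:ve15)# ip address 10.1.240.12 255.255.255.0
ACOS-Outside-Primary(config)# ip route 10.1.1.0 /24 10.1.240.1
ACOS-Outside-Primary(config-common)# device-id 3
ACOS-Outside-Primary(config-common)# set-id 2
ACOS-Outside-Primary(config)# vrrp-a vrid 5
ACOS-Outside-Primary(config-vrid:5)# floating-ip 10.1.240.11
ACOS-Outside-Primary(config-vrid:5-blade-parameters)# priority 200
"""


def audit():
    """Check the chapter's topology; returns every problem found ([] when consistent)."""
    ip, isec, op = (parse_transcript(t) for t in (INSIDE_PRIMARY, INSIDE_SECONDARY, OUTSIDE_PRIMARY))
    return check_pair(ip, isec) + check_routes([ip, isec], [op]) + check_routes([op], [ip, isec])
```

audit() returns an empty list for the configuration in this chapter. Feeding check_pair the same transcript twice, or pointing a static route at an address that is not a floating IP on the peer pair, produces one message per violated rule, which is the shape of mistake that otherwise only shows up as asymmetric routing after a failover.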


Hostname Configuration
ACOS(config)# hostname ACOS-Inside-Secondary

Layer 2/3 Configuration


ACOS-Inside-Secondary(config)# vlan 10
ACOS-Inside-Secondary(config-vlan:10)# untagged ethernet 20
ACOS-Inside-Secondary(config-vlan:10)# router-interface ve 10
ACOS-Inside-Secondary(config-vlan:10)# exit
ACOS-Inside-Secondary(config)# vlan 15
ACOS-Inside-Secondary(config-vlan:15)# untagged ethernet 1
ACOS-Inside-Secondary(config-vlan:15)# router-interface ve 15
ACOS-Inside-Secondary(config-vlan:15)# exit
ACOS-Inside-Secondary(config)# vlan 16
ACOS-Inside-Secondary(config-vlan:16)# untagged ethernet 2
ACOS-Inside-Secondary(config-vlan:16)# router-interface ve 16
ACOS-Inside-Secondary(config-vlan:16)# exit
ACOS-Inside-Secondary(config)# vlan 99
ACOS-Inside-Secondary(config-vlan:99)# untagged ethernet 18
ACOS-Inside-Secondary(config-vlan:99)# router-interface ve 99
ACOS-Inside-Secondary(config-vlan:99)# exit

ACOS-Inside-Secondary(config)# interface ve 10
ACOS-Inside-Secondary(config-if:ve10)# ip address 10.1.1.3 255.255.255.0
ACOS-Inside-Secondary(config-if:ve10)# ip allow-promiscuous-vip
ACOS-Inside-Secondary(config-if:ve10)# exit
ACOS-Inside-Secondary(config)# interface ve 15
ACOS-Inside-Secondary(config-if:ve15)# ip address 10.1.240.3 255.255.255.0
ACOS-Inside-Secondary(config-if:ve15)# exit
ACOS-Inside-Secondary(config)# interface ve 16
ACOS-Inside-Secondary(config-if:ve16)# ip address 10.1.250.3 255.255.255.0
ACOS-Inside-Secondary(config-if:ve16)# exit
ACOS-Inside-Secondary(config)# interface ve 99
ACOS-Inside-Secondary(config-if:ve99)# ip address 55.1.1.2 255.255.255.0
ACOS-Inside-Secondary(config-if:ve99)# exit
ACOS-Inside-Secondary(config)# ip route 20.1.1.0 /24 10.1.240.11
ACOS-Inside-Secondary(config)# ip route 20.1.1.0 /24 10.1.250.11

SSL Configuration
The same forward-proxy CA certificate and key are imported on the secondary device, so that certificates issued after a failover chain to the CA the clients already trust:

ACOS-Inside-Secondary(config)# import cert ca.cert.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
ACOS-Inside-Secondary(config)# import key private-key ca.key.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem
ACOS-Inside-Secondary(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside-Secondary(config-client SSL template)# forward-proxy-enable
ACOS-Inside-Secondary(config-client SSL template)# forward-proxy-ca-cert ca.cert.pem
ACOS-Inside-Secondary(config-client SSL template)# forward-proxy-ca-key ca.key.pem
ACOS-Inside-Secondary(config-client SSL template)# exit

Path Configuration
ACOS-Inside-Secondary(config)# slb server PSG1_Path 10.1.240.11
ACOS-Inside-Secondary(config-real server)# port 0 tcp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# port 0 udp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# port 8080 tcp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# exit
ACOS-Inside-Secondary(config)# slb server PSG2_Path 10.1.250.11
ACOS-Inside-Secondary(config-real server)# port 0 tcp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# port 0 udp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# port 8080 tcp
ACOS-Inside-Secondary(config-real server-node port)# health-check-disable
ACOS-Inside-Secondary(config-real server-node port)# exit
ACOS-Inside-Secondary(config-real server)# exit

ACOS-Inside-Secondary(config)# slb service-group LB_Paths_UDP udp
ACOS-Inside-Secondary(config-slb svc group)# member PSG1_Path 0
ACOS-Inside-Secondary(config-slb svc group)# member PSG2_Path 0
ACOS-Inside-Secondary(config-slb svc group)# exit
ACOS-Inside-Secondary(config)# slb service-group LB_Paths_TCP tcp
ACOS-Inside-Secondary(config-slb svc group)# member PSG1_Path 0
ACOS-Inside-Secondary(config-slb svc group)# member PSG2_Path 0
ACOS-Inside-Secondary(config-slb svc group)# exit
ACOS-Inside-Secondary(config)# slb service-group SSL tcp
ACOS-Inside-Secondary(config-slb svc group)# member PSG1_Path 8080
ACOS-Inside-Secondary(config-slb svc group)# member PSG2_Path 8080
ACOS-Inside-Secondary(config-slb svc group)# exit

ACOS-Inside-Secondary(config)# access-list 100 permit ip any any vlan 10
ACOS-Inside-Secondary(config)# slb virtual-server outbound_wildcard 0.0.0.0 acl 100
ACOS-Inside-Secondary(config-slb vserver)# port 0 tcp
ACOS-Inside-Secondary(config-slb vserver-vport)# name Inside1_in_to_out
ACOS-Inside-Secondary(config-slb vserver-vport)# service-group LB_Paths_TCP
ACOS-Inside-Secondary(config-slb vserver-vport)# no-dest-nat
ACOS-Inside-Secondary(config-slb vserver-vport)# exit
ACOS-Inside-Secondary(config-slb vserver)# port 0 udp
ACOS-Inside-Secondary(config-slb vserver-vport)# name Inside1_in_to_out_UDP
ACOS-Inside-Secondary(config-slb vserver-vport)# service-group LB_Paths_UDP
ACOS-Inside-Secondary(config-slb vserver-vport)# no-dest-nat
ACOS-Inside-Secondary(config-slb vserver-vport)# exit
ACOS-Inside-Secondary(config-slb vserver)# port 443 https
ACOS-Inside-Secondary(config-slb vserver-vport)# name Inside1_in_to_out_443
ACOS-Inside-Secondary(config-slb vserver-vport)# service-group SSL
ACOS-Inside-Secondary(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside-Secondary(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Inside-Secondary(config-slb vserver-vport)# exit

VRRP-A Configuration
ACOS-Inside-Secondary(config)# vrrp-a common
ACOS-Inside-Secondary(config-common)# device-id 2
ACOS-Inside-Secondary(config-common)# set-id 1
ACOS-Inside-Secondary(config-common)# enable
ACOS-Inside-Secondary(config-common)# exit
ACOS-Inside-Secondary(config)# vrrp-a vrid 0
ACOS-Inside-Secondary(config-vrid:0)# floating-ip 10.1.1.1
ACOS-Inside-Secondary(config-vrid:0)# blade-parameters
ACOS-Inside-Secondary(config-vrid:0-blade-parameters)# priority 180
ACOS-Inside-Secondary(config-vrid:0-blade-parameters)# tracking-options
ACOS-Inside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Secondary(config-vrid:0-blade-parameters-track...)# exit
ACOS-Inside-Secondary(config-vrid:0-blade-parameters)# exit
ACOS-Inside-Secondary(config-vrid:0)# exit
ACOS-Inside-Secondary(config)# vrrp-a vrid 15
ACOS-Inside-Secondary(config-vrid:15)# floating-ip 10.1.240.1
ACOS-Inside-Secondary(config-vrid:15)# blade-parameters
ACOS-Inside-Secondary(config-vrid:15-blade-parameters)# priority 180
ACOS-Inside-Secondary(config-vrid:15-blade-parameters)# tracking-options
ACOS-Inside-Secondary(config-vrid:15-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Secondary(config-vrid:15-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Secondary(config-vrid:15-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Secondary(config-vrid:15-blade-parameters-track...)# exit
ACOS-Inside-Secondary(config-vrid:15-blade-parameters)# exit
ACOS-Inside-Secondary(config-vrid:15)# exit
ACOS-Inside-Secondary(config)# vrrp-a vrid 16
ACOS-Inside-Secondary(config-vrid:16)# floating-ip 10.1.250.1
ACOS-Inside-Secondary(config-vrid:16)# blade-parameters
ACOS-Inside-Secondary(config-vrid:16-blade-parameters)# priority 180
ACOS-Inside-Secondary(config-vrid:16-blade-parameters)# tracking-options
ACOS-Inside-Secondary(config-vrid:16-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Inside-Secondary(config-vrid:16-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Inside-Secondary(config-vrid:16-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Inside-Secondary(config-vrid:16-blade-parameters-track...)# exit
ACOS-Inside-Secondary(config-vrid:16-blade-parameters)# exit
ACOS-Inside-Secondary(config-vrid:16)# exit
ACOS-Inside-Secondary(config)# vrrp-a interface ethernet 18
ACOS-Inside-Secondary(config-ethernet:18)# vlan 99

Outside Primary ACOS device


The following commands access the configuration level of the CLI and change the hostname:

ACOS>enable
Password:********
ACOS# config
ACOS(config)# hostname ACOS-Outside-Primary

Layer 2/3 Configuration

The following commands configure the VLANs:

ACOS-Outside-Primary(config)# vlan 15
ACOS-Outside-Primary(config-vlan:15)# untagged ethernet 1
ACOS-Outside-Primary(config-vlan:15)# router-interface ve 15
ACOS-Outside-Primary(config-vlan:15)# exit
ACOS-Outside-Primary(config)# vlan 16
ACOS-Outside-Primary(config-vlan:16)# untagged ethernet 2
ACOS-Outside-Primary(config-vlan:16)# router-interface ve 16
ACOS-Outside-Primary(config-vlan:16)# exit
ACOS-Outside-Primary(config)# vlan 20
ACOS-Outside-Primary(config-vlan:20)# untagged ethernet 20
ACOS-Outside-Primary(config-vlan:20)# router-interface ve 20
ACOS-Outside-Primary(config-vlan:20)# exit
ACOS-Outside-Primary(config)# vlan 99
ACOS-Outside-Primary(config-vlan:99)# untagged ethernet 18
ACOS-Outside-Primary(config-vlan:99)# router-interface ve 99
ACOS-Outside-Primary(config-vlan:99)# exit

The following commands assign IP addresses to the VEs (router interfaces) that are configured on the
VLANs.

ACOS-Outside-Primary(config)# interface ve 15
ACOS-Outside-Primary(config-if:ve15)# ip address 10.1.240.12 255.255.255.0
ACOS-Outside-Primary(config-if:ve15)# ip allow-promiscuous-vip
ACOS-Outside-Primary(config-if:ve15)# exit
ACOS-Outside-Primary(config)# interface ve 16
ACOS-Outside-Primary(config-if:ve16)# ip address 10.1.250.12 255.255.255.0
ACOS-Outside-Primary(config-if:ve16)# ip allow-promiscuous-vip
ACOS-Outside-Primary(config-if:ve16)# exit
ACOS-Outside-Primary(config)# interface ve 20
ACOS-Outside-Primary(config-if:ve20)# ip address 20.1.1.2 255.255.255.0
ACOS-Outside-Primary(config-if:ve20)# exit
ACOS-Outside-Primary(config)# interface ve 99
ACOS-Outside-Primary(config-if:ve99)# ip address 99.1.1.1 255.255.255.0
ACOS-Outside-Primary(config-if:ve99)# exit

Promiscuous VIP mode is enabled on the VEs that are in the VLANs that contain the security devices.
The other VEs do not use promiscuous VIP mode in this deployment.

The following commands configure static routes to the network on the client side of the inside ACOS
devices. The next-hop IP address of each route is the floating IP address of a VRID on the inside ACOS
devices. Specifically, these are the floating IP addresses that belong to the VRIDs for the VLANs that
contain the security devices.

ACOS-Outside-Primary(config)# ip route 10.1.1.0 /24 10.1.240.1
ACOS-Outside-Primary(config)# ip route 10.1.1.0 /24 10.1.250.1

SSL Configuration

The following commands configure the server-SSL template:

ACOS-Outside-Primary(config)# slb template server-ssl SSLInsight_ServerSide
ACOS-Outside-Primary(config-server SSL template)# forward-proxy-enable
ACOS-Outside-Primary(config-server SSL template)# exit

Path Configuration

The following commands configure the path to the upstream router (20.1.1.253) on the Internet side of the outside ACOS devices. Health checks are disabled on these ports because the real server here is the next-hop router, not a service that answers on them:

ACOS-Outside-Primary(config)# slb server server-gateway 20.1.1.253
ACOS-Outside-Primary(config-real server)# port 0 tcp
ACOS-Outside-Primary(config-real server-node port)# health-check-disable
ACOS-Outside-Primary(config-real server-node port)# exit
ACOS-Outside-Primary(config-real server)# port 0 udp
ACOS-Outside-Primary(config-real server-node port)# health-check-disable
ACOS-Outside-Primary(config-real server-node port)# exit
ACOS-Outside-Primary(config-real server)# port 443 tcp
ACOS-Outside-Primary(config-real server-node port)# health-check-disable
ACOS-Outside-Primary(config-real server-node port)# exit
ACOS-Outside-Primary(config-real server)# exit

ACOS-Outside-Primary(config)# slb service-group SG_TCP tcp
ACOS-Outside-Primary(config-slb svc group)# member server-gateway 0
ACOS-Outside-Primary(config-slb svc group)# exit
ACOS-Outside-Primary(config)# slb service-group SG_UDP udp
ACOS-Outside-Primary(config-slb svc group)# member server-gateway 0
ACOS-Outside-Primary(config-slb svc group)# exit
ACOS-Outside-Primary(config)# slb service-group SG_443 tcp
ACOS-Outside-Primary(config-slb svc group)# member server-gateway 443
ACOS-Outside-Primary(config-slb svc group)# exit

The following commands configure the wildcard VIP to intercept all outbound traffic that arrives from the security devices on VLANs 15 and 16, that is, the traffic that originated on the inside network:

ACOS-Outside-Primary(config)# access-list 100 permit ip any any vlan 15
ACOS-Outside-Primary(config)# access-list 100 permit ip any any vlan 16
ACOS-Outside-Primary(config)# slb virtual-server outside_in_to_out 0.0.0.0 acl 100
ACOS-Outside-Primary(config-slb vserver)# port 0 tcp
ACOS-Outside-Primary(config-slb vserver-vport)# service-group SG_TCP
ACOS-Outside-Primary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)# no-dest-nat
ACOS-Outside-Primary(config-slb vserver-vport)# exit
ACOS-Outside-Primary(config-slb vserver)# port 0 udp
ACOS-Outside-Primary(config-slb vserver-vport)# service-group SG_UDP
ACOS-Outside-Primary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)# no-dest-nat

ACOS-Outside-Primary(config-slb vserver-vport)# exit
ACOS-Outside-Primary(config-slb vserver)# port 8080 http
ACOS-Outside-Primary(config-slb vserver-vport)# name ReverseProxy_Wildcard
ACOS-Outside-Primary(config-slb vserver-vport)# service-group SG_443
ACOS-Outside-Primary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)# no-dest-nat port-translation
ACOS-Outside-Primary(config-slb vserver-vport)# template server-ssl SSLInsight_ServerSide
ACOS-Outside-Primary(config-slb vserver-vport)# exit
ACOS-Outside-Primary(config-slb vserver)# exit

VRRP-A Configuration

The following commands specify the VRRP-A device ID for this ACOS device, add the ACOS device to
VRRP-A set 2, and enable VRRP-A on the device:

ACOS-Outside-Primary(config)# vrrp-a common
ACOS-Outside-Primary(config-common)# device-id 3
ACOS-Outside-Primary(config-common)# set-id 2
ACOS-Outside-Primary(config-common)# enable
ACOS-Outside-Primary(config-common)# exit

The following commands configure the VRID for the interface with the Internet-side router (VLAN 20):

ACOS-Outside-Primary(config)# vrrp-a vrid 0
ACOS-Outside-Primary(config-vrid:0)# floating-ip 20.1.1.1
ACOS-Outside-Primary(config-vrid:0)# blade-parameters
ACOS-Outside-Primary(config-vrid:0-blade-parameters)# priority 200
ACOS-Outside-Primary(config-vrid:0-blade-parameters)# tracking-options
ACOS-Outside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Primary(config-vrid:0-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Primary(config-vrid:0-blade-parameters-track...)# exit
ACOS-Outside-Primary(config-vrid:0-blade-parameters)# exit
ACOS-Outside-Primary(config-vrid:0)# exit

The following commands configure the VRID for the VLAN that contains the first security device
(PSG1):

ACOS-Outside-Primary(config)# vrrp-a vrid 5
ACOS-Outside-Primary(config-vrid:5)# floating-ip 10.1.240.11
ACOS-Outside-Primary(config-vrid:5)# blade-parameters
ACOS-Outside-Primary(config-vrid:5-blade-parameters)# priority 200
ACOS-Outside-Primary(config-vrid:5-blade-parameters)# tracking-options
ACOS-Outside-Primary(config-vrid:5-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Primary(config-vrid:5-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Primary(config-vrid:5-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Primary(config-vrid:5-blade-parameters-track...)# exit
ACOS-Outside-Primary(config-vrid:5-blade-parameters)# exit
ACOS-Outside-Primary(config-vrid:5)# exit

The following commands configure the VRID for the VLAN that contains the second security device
(PSG2):

ACOS-Outside-Primary(config)# vrrp-a vrid 6
ACOS-Outside-Primary(config-vrid:6)# floating-ip 10.1.250.11
ACOS-Outside-Primary(config-vrid:6)# blade-parameters
ACOS-Outside-Primary(config-vrid:6-blade-parameters)# priority 200
ACOS-Outside-Primary(config-vrid:6-blade-parameters)# tracking-options
ACOS-Outside-Primary(config-vrid:6-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Primary(config-vrid:6-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Primary(config-vrid:6-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Primary(config-vrid:6-blade-parameters-track...)# exit
ACOS-Outside-Primary(config-vrid:6-blade-parameters)# exit
ACOS-Outside-Primary(config-vrid:6)# exit

The following commands configure the VRRP-A interface that connects this ACOS device to its VRRP-A peer:

ACOS-Outside-Primary(config)# vrrp-a interface ethernet 18
ACOS-Outside-Primary(config-ethernet:18)# vlan 99

Outside Secondary ACOS device


The configuration on the outside secondary ACOS device is the same as the configuration on the outside primary ACOS device, with the exception of the following device-specific parameters:

• Hostname

• VRRP-A device ID

• Interface IP addresses

• Priority values of the VRIDs

Hostname Configuration
ACOS(config)# hostname ACOS-Outside-Secondary


Layer 2/3 Configuration

The following commands configure the VLANs:

ACOS-Outside-Secondary(config)# vlan 15
ACOS-Outside-Secondary(config-vlan:15)# untagged ethernet 1
ACOS-Outside-Secondary(config-vlan:15)# router-interface ve 15
ACOS-Outside-Secondary(config-vlan:15)# exit
ACOS-Outside-Secondary(config)# vlan 16
ACOS-Outside-Secondary(config-vlan:16)# untagged ethernet 2
ACOS-Outside-Secondary(config-vlan:16)# router-interface ve 16
ACOS-Outside-Secondary(config-vlan:16)# exit
ACOS-Outside-Secondary(config)# vlan 20
ACOS-Outside-Secondary(config-vlan:20)# untagged ethernet 20
ACOS-Outside-Secondary(config-vlan:20)# router-interface ve 20
ACOS-Outside-Secondary(config-vlan:20)# exit
ACOS-Outside-Secondary(config)# vlan 99
ACOS-Outside-Secondary(config-vlan:99)# untagged ethernet 18
ACOS-Outside-Secondary(config-vlan:99)# router-interface ve 99
ACOS-Outside-Secondary(config-vlan:99)# exit
ACOS-Outside-Secondary(config)# interface ve 15
ACOS-Outside-Secondary(config-if:ve15)# ip address 10.1.240.13 255.255.255.0
ACOS-Outside-Secondary(config-if:ve15)# ip allow-promiscuous-vip
ACOS-Outside-Secondary(config-if:ve15)# exit
ACOS-Outside-Secondary(config)# interface ve 16
ACOS-Outside-Secondary(config-if:ve16)# ip address 10.1.250.13 255.255.255.0
ACOS-Outside-Secondary(config-if:ve16)# ip allow-promiscuous-vip
ACOS-Outside-Secondary(config-if:ve16)# exit
ACOS-Outside-Secondary(config)# interface ve 20
ACOS-Outside-Secondary(config-if:ve20)# ip address 20.1.1.3 255.255.255.0
ACOS-Outside-Secondary(config-if:ve20)# exit
ACOS-Outside-Secondary(config)# interface ve 99
ACOS-Outside-Secondary(config-if:ve99)# ip address 99.1.1.2 255.255.255.0
ACOS-Outside-Secondary(config-if:ve99)# exit
ACOS-Outside-Secondary(config)# ip route 10.1.1.0 /24 10.1.240.1
ACOS-Outside-Secondary(config)# ip route 10.1.1.0 /24 10.1.250.1

SSL Configuration
ACOS-Outside-Secondary(config)# slb template server-ssl SSLInsight_ServerSide
ACOS-Outside-Secondary(config-server SSL template)# forward-proxy-enable
ACOS-Outside-Secondary(config-server SSL template)# exit


Path Configuration
ACOS-Outside-Secondary(config)# slb server server-gateway 20.1.1.253
ACOS-Outside-Secondary(config-real server)# port 0 tcp
ACOS-Outside-Secondary(config-real server-node port)# health-check-disable
ACOS-Outside-Secondary(config-real server-node port)# exit
ACOS-Outside-Secondary(config-real server)# port 0 udp
ACOS-Outside-Secondary(config-real server-node port)# health-check-disable
ACOS-Outside-Secondary(config-real server-node port)# exit
ACOS-Outside-Secondary(config-real server)# port 443 tcp
ACOS-Outside-Secondary(config-real server-node port)# health-check-disable
ACOS-Outside-Secondary(config-real server-node port)# exit
ACOS-Outside-Secondary(config-real server)# exit

ACOS-Outside-Secondary(config)# slb service-group SG_TCP tcp
ACOS-Outside-Secondary(config-slb svc group)# member server-gateway 0
ACOS-Outside-Secondary(config-slb svc group)# exit
ACOS-Outside-Secondary(config)# slb service-group SG_UDP UDP
ACOS-Outside-Secondary(config-slb svc group)# member server-gateway 0
ACOS-Outside-Secondary(config-slb svc group)# exit
ACOS-Outside-Secondary(config)# slb service-group SG_443 tcp
ACOS-Outside-Secondary(config-slb svc group)# member server-gateway 443
ACOS-Outside-Secondary(config-slb svc group)# exit

ACOS-Outside-Secondary(config)# access-list 100 permit ip any any vlan 15
ACOS-Outside-Secondary(config)# access-list 100 permit ip any any vlan 16
ACOS-Outside-Secondary(config)# slb virtual-server outside_in_to_out 0.0.0.0 acl 100
ACOS-Outside-Secondary(config-slb vserver)# port 0 tcp
ACOS-Outside-Secondary(config-slb vserver-vport)# service-group SG_TCP
ACOS-Outside-Secondary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Secondary(config-slb vserver-vport)# no-dest-nat
ACOS-Outside-Secondary(config-slb vserver-vport)# exit
ACOS-Outside-Secondary(config-slb vserver)# port 0 udp
ACOS-Outside-Secondary(config-slb vserver-vport)# service-group SG_UDP
ACOS-Outside-Secondary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Secondary(config-slb vserver-vport)# no-dest-nat
ACOS-Outside-Secondary(config-slb vserver-vport)# exit
ACOS-Outside-Secondary(config-slb vserver)# port 8080 http
ACOS-Outside-Secondary(config-slb vserver-vport)# name ReverseProxy_Wildcard
ACOS-Outside-Secondary(config-slb vserver-vport)# service-group SG_443
ACOS-Outside-Secondary(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS-Outside-Secondary(config-slb vserver-vport)# template server-ssl outside-intercept
ACOS-Outside-Secondary(config-slb vserver-vport)# exit


ACOS-Outside-Secondary(config-slb vserver)# exit

VRRP-A Configuration
ACOS-Outside-Secondary(config)# vrrp-a common
ACOS-Outside-Secondary(config-common)# device-id 4
ACOS-Outside-Secondary(config-common)# set-id 2
ACOS-Outside-Secondary(config-common)# enable
ACOS-Outside-Secondary(config-common)# exit
ACOS-Outside-Secondary(config)# vrrp-a vrid 0
ACOS-Outside-Secondary(config-vrid:0)# floating-ip 20.1.1.1
ACOS-Outside-Secondary(config-vrid:0)# blade-parameters
ACOS-Outside-Secondary(config-vrid:0-blade-parameters)# priority 180
ACOS-Outside-Secondary(config-vrid:0-blade-parameters)# tracking-options
ACOS-Outside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Secondary(config-vrid:0-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Secondary(config-vrid:0-blade-parameters-track...)# exit
ACOS-Outside-Secondary(config-vrid:0-blade-parameters)# exit
ACOS-Outside-Secondary(config-vrid:0)# exit
ACOS-Outside-Secondary(config)# vrrp-a vrid 5
ACOS-Outside-Secondary(config-vrid:5)# floating-ip 10.1.240.11
ACOS-Outside-Secondary(config-vrid:5)# blade-parameters
ACOS-Outside-Secondary(config-vrid:5-blade-parameters)# priority 180
ACOS-Outside-Secondary(config-vrid:5-blade-parameters)# tracking-options
ACOS-Outside-Secondary(config-vrid:5-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Secondary(config-vrid:5-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Secondary(config-vrid:5-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Secondary(config-vrid:5-blade-parameters-track...)# exit
ACOS-Outside-Secondary(config-vrid:5-blade-parameters)# exit
ACOS-Outside-Secondary(config-vrid:5)# exit
ACOS-Outside-Secondary(config)# vrrp-a vrid 6
ACOS-Outside-Secondary(config-vrid:6)# floating-ip 10.1.250.11
ACOS-Outside-Secondary(config-vrid:6)# blade-parameters
ACOS-Outside-Secondary(config-vrid:6-blade-parameters)# priority 180
ACOS-Outside-Secondary(config-vrid:6-blade-parameters)# tracking-options
ACOS-Outside-Secondary(config-vrid:6-blade-parameters-track...)# interface ethernet 1 priority-cost 60
ACOS-Outside-Secondary(config-vrid:6-blade-parameters-track...)# interface ethernet 2 priority-cost 60
ACOS-Outside-Secondary(config-vrid:6-blade-parameters-track...)# interface ethernet 20 priority-cost 60
ACOS-Outside-Secondary(config-vrid:6-blade-parameters-track...)# exit
ACOS-Outside-Secondary(config-vrid:6-blade-parameters)# exit
ACOS-Outside-Secondary(config-vrid:6)# exit

ACOS-Outside-Secondary(config)# vrrp-a interface ethernet 18
ACOS-Outside-Secondary(config-ethernet:18)# vlan 99

Related Information
The basic reference configuration of SSLi is found in the Static-Port Type HTTPS SSLi chapter.


Miscellaneous SSLi Features

Topics in this chapter:

• File Inspection

• Using SSLi Source NAT

• Redirecting Clients from Server Sites Using Self-Signed Certificates

• Persistent Proxied Certificates for SSL Insight

• Configuration Option Supporting the Chrome Browser

• Global SSL Configuration Commands

• References

Unless otherwise stated, the features described in this chapter apply to both static-port SSLi and
dynamic-port SSLi configurations.

NOTE: For more information about the commands used in the configuration
examples, see Command Line Interface Reference for ADC.

File Inspection
File inspection is an ACOS feature that uses an internal Cylance file inspection engine to examine files in HTTP data streams. The Cylance engine is implemented through an internal ICAP server and detects malware on the basis of millions of file signatures. The internal engine assigns a score to each inspected file, and ACOS uses that score as the file-management criterion: files can be passed to their final destination, dropped, or referred to an external ICAP server for further inspection. The external server can be any ICAP-based AMP. The feature supports inspecting files downloaded by clients.

Refer to the Command Line Interface Reference for ADC for more information about commands used in
this section.


Configuring File Inspection

Verifying the Device has a Cylance License


File inspection requires an enabled Cylance license. The show license-info command displays the licenses enabled on a device. The following example indicates that an enabled Cylance license is installed on the device.

ACOS# show license-info | sec CYLANCE
CYLANCE 21-August-2018
ACOS#

Enabling the File Inspection Service


To use file inspection, the feature must be enabled globally and on each individual port where files are
to be inspected. The file-inspection service enable command enables file inspection on the device.

This command enables file inspection globally on the device:

ACOS(config)# file-inspection service enable

This command disables file inspection globally. Virtual ports that are bound to a file-inspection template do not invoke Cylance inspection while the feature is globally disabled.

ACOS(config)# no file-inspection service enable

The show process system command indicates the status of the a10fi (file inspection) process. Use this command to verify that the file-inspection process is running.

ACOS# show process system | sec a10fi
a10fi is not running
ACOS#

Creating a File Inspection Template


File inspection templates are assigned to HTTP virtual ports to specify the device action upon files that
are inspected. The file-inspection template command creates a template and places the device in file-
inspection template mode for modifying template parameters. When the command specifies an extant
template, the subsequent commands edit that template.

Commands that configure the template include:

• Inspect downloads – enables file inspection for ports upon which the template is bound; also
specifies the data streams that are inspected and the ICAP server that inspects the files.
• downloads bad – specifies the action for files that are evaluated as “bad”. Valid actions include
allowing the file to pass, dropping the file (default), or resetting the TCP connection.


• downloads good – specifies the action for files that are evaluated as “good”. Available actions
include allowing the file to pass (default), dropping the file, or resetting the TCP connection.
• downloads suspect – specifies the action for files that are evaluated as “suspect”. Available actions include allowing the file to pass (default), dropping the file, resetting the TCP connection, or submitting the file to an external ICAP server for additional evaluation.

These CLI commands create a file inspection template and configure it to 1) allow good files to pass, 2) drop bad files, 3) send suspect files to an external ICAP server, and 4) enable the port for inspecting files downloaded by clients.

ACOS(config)# file-inspection template FLOW_A
ACOS(config-file-inspection)# downloads bad drop log
ACOS(config-file-inspection)# downloads good reset no-log
ACOS(config-file-inspection)# downloads suspect external-inspect SERVER-1 log
ACOS(config-file-inspection)# inspect downloads
ACOS(config-file-inspection)# exit

These CLI commands define the external ICAP server (SERVER-1) that the template refers to for inspecting suspect files:

ACOS(config)# slb template respmod-icap SERVER-1
ACOS(config-respmod-icap)# service-url icap://10.10.2.2/c-server
ACOS(config-respmod-icap)# exit

Binding the File Inspection Template to a Port


To implement file inspection, bind a file-inspection template to an HTTP virtual port. These commands create a virtual port and configure it to use the internal Cylance server for downloaded files.

ACOS(config)# slb virtual-server VIP-1 10.1.1.1
ACOS(config-slb vserver)# port 80 HTTP
ACOS(config-slb vserver-vport)# template file-inspection FLOW_A
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

Importing a Cylance BW List


Cylance maintains a global black and white list of files that were determined to be either good or bad by qualification means outside the machine-learning algorithm. The import file-inspection-bw-list and import-periodic file-inspection-bw-list commands retrieve this list from Cylance and install it into the internal Cylance engine.

Refer to the Command Line Interface Reference for instructions on using the import and import-periodic
commands.


Implementing File Inspection on Application Delivery Partitions (ADP)


In addition to the shared partition, file inspection is available in L3V and service partitions. The following guidelines apply to implementing file inspection on private partitions:

• The file-inspection service is enabled using a global command in the shared partition.

• Viewing file-inspection statistics requires a file-inspection logging command in the shared partition.

• Since file inspection is only available for downloaded content, applying file-inspection templates to the SSLi re-encrypt partition is recommended.

• A10 file inspection only applies to downloaded content that follows the HTTP Content-Disposition header.

Refer to the Configuring Application Delivery Partitions Guide for information about Application Delivery
Partitions.

Using SSLi Source NAT


In some applications of SSLi, it is important to choose the source IP address. For example, when SSLi is configured for transparent HTTP proxy chaining, SSLi source NAT allows the network administrator to specify the source IP addresses used for a client-initiated FETCH session. The chained upstream HTTP proxy server can use the source NAT addresses to differentiate the fetched traffic from all other traffic, and can then apply different policies to the fetched traffic than it applies to all other traffic.

Example Configuration SSLi Static Source NAT


This section provides detailed steps for configuring SSLi source NAT with statically specified IP
addresses from a NAT address pool. For information on auto-SSLi source NAT, see the forward-proxy-source-nat command in the Command Line Interface Reference for ADC.

Configuration of the Inside ACOS device


The blue highlighted sections of this configuration show the commands required to enable SSLi
static source NAT.

• The ip nat pool p199 and ip nat pool p1 commands configure the IP address pools that provide the IP addresses referred to in the forward-proxy-source-nat and source-nat pool commands, respectively.


• The forward-proxy-source-nat pool p199 command in the client-SSL configuration enables SSLi static source NAT and specifies that NAT pool p199 is used for client-initiated FETCH authentication sessions.

• The source-nat pool p1 command under the virtual port configurations enables source NAT and specifies that NAT pool p1 is used for normally authenticated SSL sessions.

ACOS-Inside# show running-config
!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
hostname ACOS-Inside
!
interface ethernet 1
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
ip nat pool p199 192.168.2.100 192.168.2.101 netmask /24
ip nat pool p1 192.168.2.102 192.168.2.103 netmask /24
!
slb server FW1_Inspect 10.15.1.12
port 8080 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 8080
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-key
forward-proxy-enable
forward-proxy-source-nat pool p199
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 443 https
source-nat pool p1
service-group FW1_Inspect_SG
template client-ssl SSLInsight_ClientSide
no-dest-nat port-translation
port 0 tcp
source-nat pool p1
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
source-nat pool p1
service-group ALL_UDP_SG
no-dest-nat
port 0 others
source-nat pool p1
service-group ALL_UDP_SG
no-dest-nat
!
end

Configuration of the Outside ACOS device


No changes to the configuration of the outside ACOS device are needed to support SSLi source NAT.

Example Configuration SSLi Auto Source NAT


This section provides detailed steps for configuring SSLi source NAT with automatically-acquired IP
addresses matching the IP address of the ACOS interface facing the SSL Server.

The configuration example in this section is identical to “Example Configuration SSLi Static Source
NAT” on page 358 except that SSLi auto source NAT is enabled on the virtual server.

Configuration of the Inside ACOS device


The blue highlighted sections of this configuration show the commands required to enable SSLi auto source NAT. There are no other differences between the configuration in this example and the reference configuration in “Example Configuration SSLi Static Source NAT” on page 358.

• The ip nat pool p1 command configures the IP address pool that provides the IP addresses referred to in the source-nat pool command.

• The forward-proxy-source-nat auto command in the client-SSL configuration enables SSLi auto source NAT, which uses the IP address(es) of the ACOS interface connected to the real server for client-initiated FETCH authentication sessions. See “Configuration of the Outside ACOS device” on page 362.

• The source-nat pool p1 command under the virtual port configurations enables source NAT and specifies that NAT pool p1 is used for normally authenticated SSL sessions.

ACOS-Inside# show running-config
!
access-list 100 permit ip any any vlan 10
!
vlan 10
tagged ethernet 1
router-interface ve 10
!
vlan 15
tagged ethernet 1
router-interface ve 15
!
hostname ACOS-Inside
!
interface ethernet 1
enable
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
ip nat pool p1 192.168.2.102 192.168.2.103 netmask /24
!
slb server FW1_Inspect 10.15.1.12
port 8080 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group ALL_TCP_SG tcp
member FW1_Inspect 0
!
slb service-group ALL_UDP_SG udp
member FW1_Inspect 0
!
slb service-group FW1_Inspect_SG tcp
member FW1_Inspect 8080
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-key
forward-proxy-enable
forward-proxy-source-nat auto
!
slb virtual-server Decrypt_VIP 0.0.0.0 acl 100
port 443 https
source-nat pool p1
service-group FW1_Inspect_SG
template client-ssl SSLInsight_ClientSide
no-dest-nat port-translation
port 0 tcp
source-nat pool p1
service-group ALL_TCP_SG
no-dest-nat
port 0 udp
source-nat pool p1
service-group ALL_UDP_SG
no-dest-nat
port 0 others
source-nat pool p1
service-group ALL_UDP_SG
no-dest-nat
!
end

Configuration of the Outside ACOS device


No changes to the configuration of the outside ACOS device are needed.

However, this section shows the configuration of the real server, Default_Gateway, and its interface address, 20.1.1.10, because SSLi auto source NAT uses this IP address in fetched SSL sessions.

ACOS-Outside# show running-config

...
slb server Default_Gateway 20.1.1.10
port 443 tcp
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
...

Example Configuration Displaying Priority of SSLi Source NAT


For SSLi implementations, you can specify source NAT for the forwarding traffic either in the SLB policy template or in the client-SSL template. If you have configured source NAT in both templates, the source NAT configuration in the SLB policy template takes precedence over that of the client-SSL template. This is the default behavior.

You can bypass this precedence so that ACOS uses the source NAT configuration defined in the client
SSL template by using the precedence option in the forward-proxy-source-nat command.

The following is a sample configuration of the ACOS_decrypt. In the configuration example:

• The ip nat pool command configures the IP address pool for source NAT. In this example, p1, p2,
and p3 are the three source NAT pools created.
• The forward-proxy-source-nat pool command in the client-SSL configuration provides IP address(es) on the ACOS interface connected to the real server for client-initiated FETCH authentication sessions.
• This example uses statically configured source NAT IP addresses. For dynamically configured IP
addresses for source NAT, you can use the forward-proxy-source-nat auto command with the
precedence option.

ip nat pool p1 10.105.1.88 10.105.1.88 netmask /24
ip nat pool p2 10.105.5.100 10.105.5.100 netmask /24
ip nat pool p3 10.105.5.101 10.105.5.101 netmask /24
ip nat alg pptp enable
ip route 10.105.2.0 /24 10.105.5.2
ip route 10.106.0.0 /16 10.105.5.2
slb template dynamic-service DNS
  dns server 10.105.1.140
slb server gw1 10.105.5.2
  health-check-disable
  port 0 tcp
    health-check-disable
  port 0 udp
    health-check-disable
  port 8080 tcp
    health-check-disable
slb service-group gw1_tcp_0 tcp
  member gw1 0
slb service-group gw1_tcp_8080 tcp
  member gw1 8080
slb service-group gw1_udp_0 udp
  member gw1 0
slb template client-ssl c-ssl2
  forward-proxy-ca-cert ssli2
  forward-proxy-ca-key ssli2
  forward-proxy-enable
  forward-proxy-source-nat pool p3 precedence
  ! The precedence option gives priority to the source NAT configured here.
slb template policy EP1
  forward-policy
    action Permit_to_Internet
      forward-to-internet gw1_tcp_8080 snat p2
      ! In the absence of the precedence option, SNAT p2 is used to fetch the server certificate; otherwise, SNAT p3 configured in the client-ssl template is used to fetch the server certificate.
      log
    source any
      match-any
      destination any action Permit_to_Internet
slb virtual-server vs_ep 10.105.1.16
  port 8080 http
    service-group gw1_tcp_8080
    template policy EP1
    template dynamic-service DNS
    template client-ssl c-ssl2
    no-dest-nat port-translation

Redirecting Clients from Server Sites Using Self-Signed Certificates

A self-signed certificate is one in which the subject and issuer fields are the same. Because a self-signed certificate is a security risk, the ACOS device does not forward traffic to the self-signed certificate site.

NOTE: For the context of the example, use either the static-port configuration of the inside ACOS device found in “Reference Configuration for Two-Device Static-HTTPS-Port SSLi” on page 48 or “Example Configuration: Dynamic-Port SSLi” on page 93.

Example Configuration of Redirecting Clients from Self-Signed Certs


To redirect clients from sites using self-signed certificates, enter the forward-proxy-selfsign-redir command in the configuration of the client-SSL template. The ACOS device redirects traffic away from the self-signed site to a warning page on which the client sees, “The page you have tried to reach uses an untrusted certificate, please contact your administrator.”
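An added example in Go, not code from the A10 guide, of the check behind this feature: it applies the guide's definition (subject and issuer are the same) to a parsed X.509 certificate and adds the stronger test, whether the certificate verifies under its own public key. The three certificates it builds are constructed test data; the "impostor" case is a hypothetical construction showing why the two tests can disagree.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedVerdict records both ways of deciding that a certificate is self-signed.
type SelfSignedVerdict struct {
	SubjectEqualsIssuer bool // the guide's definition: subject and issuer fields are the same
	SignedByOwnKey      bool // stronger: the signature verifies under the certificate's own public key
}

// CheckSelfSigned applies both tests to a parsed certificate.
func CheckSelfSigned(cert *x509.Certificate) SelfSignedVerdict {
	return SelfSignedVerdict{
		// Compare the DER-encoded Names so attribute order and types count, not just the printable form.
		SubjectEqualsIssuer: bytes.Equal(cert.RawSubject, cert.RawIssuer),
		// Verify the signature over the TBSCertificate using the certificate's own key.
		SignedByOwnKey: cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil,
	}
}

// newKey returns a fresh P-256 key (test data only).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template for the given common name.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// mustCert signs tmpl with signer (the parent's key) and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildSampleCerts constructs three certificates (constructed test data, not real sites):
//   self:     a genuinely self-signed server certificate
//   leaf:     a server certificate issued by a private CA
//   impostor: subject copied from the CA name, so subject == issuer, but signed by the CA key
//             rather than its own key (hypothetical case where the two tests disagree)
func BuildSampleCerts() (self, leaf, impostor *x509.Certificate) {
	selfKey := newKey()
	selfT := template("selfsigned.example.test", 1, false)
	self = mustCert(selfT, selfT, &selfKey.PublicKey, selfKey)

	caKey := newKey()
	caT := template("Example Private CA", 2, true)
	ca := mustCert(caT, caT, &caKey.PublicKey, caKey)

	leafKey := newKey()
	leaf = mustCert(template("www.example.test", 3, false), ca, &leafKey.PublicKey, caKey)

	impKey := newKey()
	impostor = mustCert(template("Example Private CA", 4, false), ca, &impKey.PublicKey, caKey)
	return self, leaf, impostor
}

func main() {
	self, leaf, impostor := BuildSampleCerts()
	for name, c := range map[string]*x509.Certificate{"self": self, "leaf": leaf, "impostor": impostor} {
		fmt.Printf("%-9s %+v\n", name, CheckSelfSigned(c))
	}
}
```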

Static-Port SSLi: Inside ACOS device SLB SSL Client Template

ACOS-inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-inside(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS-inside(config-client ssl)# forward-proxy-ca-key enterpiseABC-selfsignd
ACOS-inside(config-client ssl)# forward-proxy-enable
ACOS-inside(config-client ssl)# forward-proxy-selfsign-redir

Dynamic-Port SSLi: Inside ACOS device SLB SSL Client Template

ACOS-inside(config)# slb template client-ssl Client-SSL
ACOS-inside(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS-inside(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS-inside(config-client ssl)# forward-proxy-enable
ACOS-inside(config-client ssl)# forward-proxy-selfsign-redir
ACOS-inside(config-client ssl)# non-ssl-bypass service-group Outbound_TCP

Show Running-Config of Example Configuration


Static-Port SSLi: Inside ACOS device SLB SSL Client Template
ACOS-Inside# show running-config slb template client-ssl
!Section configuration: 330 bytes
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-selfsignd
forward-proxy-enable
forward-proxy-selfsign-redir

Dynamic-Port SSLi: Inside ACOS device SLB SSL Client Template

ACOS-Inside# show running-config slb template client-ssl
!Section configuration: 330 bytes
!
slb template client-ssl Client-SSL
forward-proxy-ca-cert enterpiseABC-selfsignd
forward-proxy-ca-key enterpiseABC-key
forward-proxy-enable
forward-proxy-selfsign-redir
non-ssl-bypass service-group Outbound_TCP
!

Persistent Proxied Certificates for SSL Insight


When an ACOS device restarts, or the forward-proxy process restarts, the cache of proxied certificates
is emptied.

To save a group of proxied certificates that will be automatically re-installed after a restart, you need to
configure a persistent forward-proxy class list and bind that class list to the client-SSL template.

Because the saved file of proxied certificates is periodically refreshed, it is possible that some proxied
certificates will not persist if they were cached just before the system reset.

NOTE: Every unique SSLi virtual port needs a separate client-ssl template. This
requirement only applies to virtual ports enabled for SSLi and does not
apply to SSL offload or SSL proxy.

Example: Create a Persistent Forward-Proxy Class List


This example shows how to create the persistent forward-proxy class list and bind it to a client-SSL
template:

1. To create or change a persistent forward-proxy class list, use the class-list command with the ac option.
The class-list command creates a class list and gives it a name. The file option saves the list as a file that you can export. Without this option, the class list entries are saved in the configuration file instead. The ac option is required for the persistent certificates feature and specifies that the list type is Aho-Corasick.
If the SNI in a proxied certificate matches an entry in this class list, the certificate is retained; otherwise, it is dropped.

ACOS-Inside# configure
ACOS-Inside(config)# class-list persist-servers-CL ac
ACOS-Inside(config-class list)# contains jsmith.com
ACOS-Inside(config-class list)# contains EnterpriseABC.com
ACOS-Inside(config-class list)# equals UofKgmc.edu/admissions

2. Bind the new or changed class list to the client-SSL template:

ACOS-Inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-client ssl)# forward-proxy-cache-persistence class-list persist-servers-CL
ACOS-Inside(config-client ssl)# forward-proxy-enable
ACOS-Inside(config-client ssl)# forward-proxy-ca-cert cert1
ACOS-Inside(config-client ssl)# forward-proxy-ca-key key1

3. Commit the changes to ACOS memory.

ACOS-Inside(config)# write memory

4. Use the show class-list command to display the persist-servers-CL class-list.

Example: Binding a Separate Client-SSL Template to Each Unique SSLi VPort

The following example illustrates the requirement of this feature that a separate client-SSL template
must be bound to each unique SSLi virtual port (port 443 https):

ACOS-Inside(config)# slb virtual-server vip1 0.0.0.0 acl 1
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# template client-ssl test1
ACOS-Inside(config-slb vserver-vport)# exit
ACOS-Inside(config-slb vserver)# exit

ACOS-Inside(config)# slb virtual-server vip2 0.0.0.0 acl 2
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# template client-ssl test2

Configuration Option Supporting the Chrome Browser

The Chrome browser is popular, and so are Google services such as search and Gmail. Many enterprise
customers want to inspect this Google traffic. However, Chrome can use the QUIC protocol, which runs
over UDP, instead of standard HTTPS. To inspect Google traffic, force Chrome to fall back to HTTPS by
blocking QUIC: apply an ACL that denies UDP traffic to destination port 443, as shown in the configuration
example below (the example also denies UDP port 80).

access-list 103 deny udp any any eq 80
access-list 103 deny udp any any eq 443
access-list 103 permit ip any any
!
interface ethernet 2
enable
access-list 103 in
ip address 172.16.1.1 255.255.255.0
ip allow-promiscuous-vip

Global SSL Configuration Commands

The following global SSL commands and their options are described in greater detail in the “Config
Commands: Server Load Balancing” chapter of the Command Line Interface Reference for ADC.

AX5100(config)# slb ssl?
ssl-cert-revoke            Show ssl-cert-revoke-stats
ssl-expire-check           SSL certificate expiration check
ssl-forward-proxy-stats    SSL forward proxy stats info

References
For detailed information on the load-balancing servers that enable SSLi and other applications, see the
Application Delivery and Server Load Balancing Guide.


SSLi Logging

ACOS supports logging of all states of the SSL handshake in the system log. Both the client and server
SSL logs for successful and failed events are recorded.

By default, ACOS logs SSLi events only for errors. The client-SSL template command ssli-logging all
enables logging of all events. The logging output then also includes information such as the web category,
certificate validity status, session duration, and log ID for session start, end, bypass, and error events.

There are two logging levels used for SSLi:

• Error—An event is categorized as an error when there is a failure.

• Information (Info)—An event is categorized as info for intercept and bypass actions.

All SSLi logs are generated in the CEF standard format. The pipe-separated fields before “[Extension]” are
mandatory and form the CEF header, as shown in the following sample:

Jan 18 11:07:53 host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

The following is an example log for an SSLi inspection bypass event (log level is info):

ACOS# show log
Nov 19 2017 21:31:12 Info [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131522|Inspection Bypassed|6|src=13.13.13.20 dst=23.23.23.20 spt=53318 dpt=443 act=bypassed dhost=www.hello.com cs1=vipw cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type

Three types of SSLi logs are supported, based on SSLi events:

• Inspection successful event—This has two types of logs, one for the start of inspection and
the other for the completion of inspection. The logs for these events include session statistics.

The following is an example log for an SSLi inspection start event (log level is info):

May 15 2018 21:27:19 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440836|Inspection Start|6|src=10.105.11.97 dst=10.105.22.94 spt=52214 dpt=443 act=inspected dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs4=AES256-GCM-SHA384 cs4Label=Cipher suite cs6=VALID cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=16 cn2Label=Log ID

The following is an example log for an SSLi inspection successful event (log level is info):

May 15 2018 21:27:24 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440833|Inspection Successful|6|src=10.105.11.97 dst=10.105.22.94 spt=52214 dpt=443 act=inspected dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs4=AES256-GCM-SHA384 cs4Label=Cipher suite cs6=VALID cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=8 cn2Label=FWD Packets cn3=1769 cn3Label=REV Packets cn4=6 cn4Label=Duration seconds cn5=26 cn5Label=Log ID cn6=962 cn6Label=FWD Bytes Transferred cn7=11 cn7Label=REV Bytes Transferred

• Inspection failure event—The log for this event does not include session statistics.

The following is an example log for an SSLi error event (log level is error):

May 15 2018 21:25:56 Error [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440835|Inspection Failed|3|src=10.105.11.97 dst=10.105.22.94 spt=52210 dpt=443 act=dropped dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs6=INVALID cs6Label=Certificate Validity status cs7=CERT Fetch, Validation Error cs7Label=Error type cn1=443 cn1Label=VIP port cn2=2 cn2Label=Log ID

• Inspection bypass event—The log for this event does not include session statistics.

The following is an example log for an SSLi bypass event (log level is info):

May 15 2018 21:24:11 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440834|Inspection Bypassed|6|src=10.105.11.97 dst=172.217.164.110 spt=59644 dpt=443 act=bypassed dhost=google.com cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs5=Search Engines cs5Label=Web Category cs6=UNKNOWN cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=6 cn2Label=Log ID

Configuring SSLi Logging (CLI)


SSLi logging is enabled by default for capturing SSL errors. To enable SSLi logging for all events, run
the following commands:

ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ssli-logging all

To disable SSLi logging, run the following commands:

ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ssli-logging disable

SSLi Inspection Failure Event Error Codes

The following table lists the error codes and their associated explanations.

TABLE 7 SSLi Inspection Failure Event Error Codes and Descriptions

Error Code | Error Zone | Description | Error Message
1 | ACOS_decrypt | Origin certificate fetch failed due to SSL handshake failure with fatal alert. | Cert fetch, fatal alert: 0
2 | ACOS_decrypt | Origin certificate fetch failed due to SSL handshake failure with TCP FIN/RST. | Cert fetch, TCP FIN/RST: 0
3 | ACOS_decrypt | Origin certificate was rejected due to a certificate validation error. | Cert fetch, Validation error: 0
4 | ACOS_decrypt | A certificate is in cache but an SSL handshake with a client failed with SSL fatal alert. | Client SSL, Fatal Alert: 0
5 | ACOS_decrypt | A certificate is in cache but an SSL handshake with a client failed with TCP FIN/RST. This can happen when the client application pins a certificate. | Client SSL, TCP FIN/RST: 1
6 | ACOS_decrypt | An SSL session failed due to TCP FIN/RST from the origin server. This can happen when the SSLi decrypt zone does not support a cipher suite of the origin server. | SSL Session, TCP FIN/RST: 0
7 | ACOS_encrypt | An SSL handshake with a server failed with SSL fatal alert. | Server SSL, Fatal alert: 0
8 | ACOS_encrypt | An SSL handshake with a server failed with TCP FIN/RST. | Server SSL, TCP FIN/RST: 0
9 | ACOS_decrypt | Internal SSL error. | Client SSL, internal error: 1
10 | ACOS_encrypt | Internal SSL error. | Client SSL, unknown error: 0
11 | ACOS_decrypt | Unknown SSL error. | Server SSL, internal error: 0
12 | ACOS_encrypt | Unknown SSL error. | Server SSL, unknown error: 0

SSLi Inspection Failure Error Codes Examples

NOTE: For a list of SSLi error counters, which are similar to the SSLi error logs,
refer to SLB CLI Reference Guide for the command show slb ssl stats.

The following section describes the SSLi error codes listed in the previous table in more detail.

Cert fetch, fatal alert

This counter is incremented during the SSL handshake between ACOS_decrypt and the server when
ACOS_decrypt receives an SSL fatal alert from the server.


Log level is Error.

Log sample is as follows:

Nov 19 2017 22:34:22 Error [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=13.13.13.20 dst=23.23.23.20 spt=53320 dpt=443 act=dropped dhost=www.tbserver.com cs1=vipw cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type cs3= CERT Fetch, SSL Fatal Alert cs3Label=Error type cs4=0 cs4Label=Reason for SSL fatal alert

Cert fetch, TCP FIN/RST


This counter is incremented during the SSL handshake between ACOS_decrypt and the server, and a
TCP FIN/RST is received by ACOS_decrypt.

Log level is Error.

Log sample is as follows:

Nov 20 2017 17:14:37 Error [UNKOWN]: ACOS CEF:0|A10|CFW|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=172.168.6.5 dst=172.168.1.159 spt=47765 dpt=443 act=dropped dhost=(null) cs1=vs1 cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type cs3=CERT Fetch, TCP FIN/RST cs3Label=Error type

Cert fetch, Validation error


This counter is incremented during the SSL handshake between ACOS_decrypt and the server, and
ACOS_decrypt is unable to validate the server certificate.

Log level is Error.

Log sample is as follows:

Nov 19 2017 22:34:22 Error [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=13.13.13.20 dst=23.23.23.20 spt=53320 dpt=443 act=dropped dhost=www.tbserver.com cs1=vipw cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type cs3=CERT Fetch, Validation Error cs3Label=Error type

Client SSL, fatal alert


This counter is incremented during the SSL handshake between ACOS_decrypt and the client, and
ACOS_decrypt receives a fatal alert from the client.

Log level is Error.

Log sample is as follows:

Nov 19 2017 22:34:22 Error [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=13.13.13.20 dst=23.23.23.20 spt=53320 dpt=443 act=dropped dhost=www.tbserver.com cs1=vipw cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type cs3= Client SSL, SSL Fatal Alert cs3Label=Error type cs4=0 cs4Label=Reason for SSL fatal alert

Client SSL, TCP FIN/RST


This counter is incremented during the SSL handshake between ACOS_decrypt and the client, and
ACOS_decrypt receives or sends a TCP FIN/RST to the client.

Log level is Error.

Log sample is as follows:

Nov 19 2017 22:34:22 Error [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=13.13.13.20 dst=23.23.23.20 spt=53320 dpt=443 act=dropped dhost=www.tbserver.com cs1=vipw cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type cs3= Client SSL, TCP FIN/RST cs3Label=Error type

SSL Session, TCP FIN/RST


This counter is incremented during SSLi session setup when a session fails because of a TCP FIN/RST
from the origin server. This can happen when ACOS_decrypt does not support a cipher suite offered by the
origin server.

Log level is Error.

Log sample is as follows:

Nov 20 2017 16:52:53 Error [UNKOWN]: ACOS CEF:0|A10|CFW|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=172.168.6.5 dst=172.168.1.159 spt=47754 dpt=443 act=dropped dhost=(null) cs1=vs1 cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type cs3=SSL Session, TCP FIN/RST cs3Label=Error type.

Server SSL, fatal alert


This counter is incremented when the SSL handshake with ACOS_encrypt fails with an SSL fatal alert.

Log level is Error.

Sample log on ACOS_encrypt:

Nov 19 2017 22:34:22 Error [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=13.13.13.20 dst=23.23.23.20 spt=53320 dpt=443 act=dropped dhost=www.tbserver.com cs1=vipw_internal cs1Label=VIP name cs2=server-ssl cs2Label=SSL template type cs3= Server SSL, SSL Fatal Alert cs3Label=Error type cs4=0 cs4Label=Reason for SSL fatal alert

Server SSL, TCP FIN/RST


This counter is incremented during the SSL handshake between ACOS_encrypt and the server, and
ACOS_encrypt receives or sends a TCP FIN/RST to the client.

Log level is Error.


Log sample is as follows:

Nov 20 2017 03:22:38 Error [UNKOWN]: ACOS CEF:0|A10|CFW|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=172.168.6.10 dst=172.168.1.159 spt=2074 dpt=8080 act=dropped dhost=172.168.1.159 cs1=vs1 cs1Label=VIP name cs2=server-ssl cs2Label=SSL template type cs3=Server SSL, TCP FIN/RST cs3Label=Error type

Client SSL, internal error


This counter is incremented whenever there is an internal error during the SSL handshake on the
client-ssl template on ACOS_decrypt.

Log level is Error.

Sample log is as follows:

Nov 19 2017 22:34:22 Error [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=13.13.13.20 dst=23.23.23.20 spt=53320 dpt=443 act=dropped dhost=www.tbserver.com cs1=vipw cs1Label=VIP name cs2=client-ssl cs2Label=SSL template type cs3= Client SSL, Internal error cs3Label=Error type cs5= no shared cipher cs5Label= Reason for internal error

Server SSL, internal error


This counter is incremented whenever there is an internal error during the SSL handshake on the
server-ssl template on ACOS_encrypt.

Log level will be Error.

Nov 19 2017 22:34:22 Error [UNKOWN]: AX2600-1 CEF:0|A10|ADC|4.1.4|SSLi 554313289585131523|Inspection Failed|3|src=13.13.13.20 dst=23.23.23.20 spt=53320 dpt=443 act=dropped dhost=www.tbserver.com cs1=vipw_internal cs1Label=VIP name cs2=server-ssl cs2Label=SSL template type cs3= Server SSL, Internal error cs3Label=Error type cs5= sslv3 alert handshake failure cs5Label= Reason for internal error

Generic SSLi Failure Logs


The ACOS_decrypt device in an SSLi configuration generates a system log if SSLi fails. The log
includes the SNI, the IP address of the outside server that the client was attempting to connect to, and
the reason for the failure.

• An SSL log is generated if the ACOS_decrypt device cannot retrieve the server certificate during
the SSL handshake with the client.
• SSL Insight can also fail for other reasons, such as an SSLi bypass, an abrupt connection closure
by a server FIN due to a malformed packet, and others. In such cases, an SSLi failure log is generated
that includes one of the following reason codes:

• Can't Sign Cert
• Can't Verify Cert
• Crypto Error
• Handshake Failure
• Internal
• None
• OCSP Revoked
• OCSP Stapling
• OCSP Unknown
• TCP Error
• Unknown
• Unsupported SSL Version

The SSLi failure log messages are only seen on the inside ACOS device.

NOTE: No CLI configurations are required to turn logging on or off.

Example: SSLi Bypass Logs

The following example shows logs generated when SSLi is bypassed or otherwise fails. A client
authentication bypass is treated as a handshake failure:

ACOS-Inside# show log | include SSL intercept failed
...
Nov 10 2016 16:02:03 Info [SYSTEM]:SSL intercept failed. server (null) (Src port: 43461 Src IP: 61.61.61.61 Dst port: 47873 Dst IP: 51.51.51.51) reason: Can't verify Cert - Decrypted
...

Example: SSL CA Verification Failure Log


The following example shows a log generated when the outside server’s certificate fails verification:

ACOS# show log | include CA Verification Failed
Nov 10 2016 16:02:03 Info [SSL]:SSL Server CA Verification Failed with Host Name: (null) and Destination IP: 51.51.51.51


Example of a Failure

In this example, "SSLVerifyClient require" and "SSLVerifyDepth 10" are set in the Apache ssl.conf on the
server. The following log shows an SSLi failure when retrieving the certificate, because no client-side
authentication has been configured:

ACOS# show log
Log Buffer: 30000
Aug 08 2016 11:44:23 Info [SYSTEM]:<l3v1> SSL intercept failed, server example.com (ip 10.10.10.101) reason: Crypto Error – bypassed
ACOS#

Additional Example Logs of SSLi Failures


[SYSTEM]:SSL intercept failed, server vast.bp3871200.btrll.com (ip Src port: 53161 Src IP: 172.17.20.242 Dst port: 443 Dst IP: 162.208.20.178) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: vast.bp3871200.btrll.com and Destination IP: 162.208.20.178
Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server vast.bp3862928.btrll.com (ip Src port: 53149 Src IP: 172.17.20.242 Dst port: 443 Dst IP: 162.208.20.178) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: vast.bp3862928.btrll.com and Destination IP: 162.208.20.178
Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server (null) (ip Src port: 53018 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.253) reason: Unknown - Bypass
Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server settings-win.data.microsoft.com (ip Src port: 53017 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.253) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: settings-win.data.microsoft.com and Destination IP: 64.4.54.253
Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server settings-win.data.microsoft.com (ip Src port: 56019 Src IP: 172.17.3.165 Dst port: 443 Dst IP: 64.4.54.253) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: settings-win.data.microsoft.com and Destination IP: 64.4.54.253
Feb 10 2017 18:16:19 Info [SYSTEM]:SSL intercept failed, server (null) (ip Src port: 53016 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.254) reason: Unknown - Bypass
Feb 10 2017 18:16:19 Info [SYSTEM]:SSL intercept failed, server vortex-win.data.microsoft.com (ip Src port: 53015 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.254) reason: Can't verify Cert - Rejected
Feb 10 2017 18:16:19 Info [SSL]:SSL Server CA Verification Failed with Host Name: vortex-win.data.microsoft.com and Destination IP: 64.4.54.254
Feb 10 2017 18:16:07 Info [SYSTEM]:SSL intercept failed, server (null) (ip Src port: 51633 Src IP: 172.17.1.245 Dst port: 443 Dst IP: 40.77.228.92) reason: Unknown - Bypass
Feb 10 2017 18:16:07 Info [SYSTEM]:SSL intercept failed, server watson.telemetry.microsoft.com (ip Src port: 51632 Src IP: 172.17.1.245 Dst port: 443 Dst IP: 40.77.228.92) reason: Can't verify Cert - Rejected
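The two message shapes in the logs above, the SYSTEM "SSL intercept failed" line and the SSL "CA Verification Failed" line, are easy to triage once parsed. The following Python is an added example, not ACOS code or output from this guide: it parses both shapes (including the older "failed." spelling, the optional <partition> tag, the "ip <addr>" short form of the connection tuple, and the "-" or en-dash separator before the action), normalizes the inconsistently spelled action suffix, counts failures by reason and action, and lists the destinations whose sessions were bypassed, meaning connections that left the network without being inspected. The sample lines are re-joined from the samples printed in this section; the function and field names are the example's own.

```python
import re
from collections import Counter

# "SSL intercept failed" line: timestamp, level, [SYSTEM], optional <partition>, "failed"
# followed by "," or ".", a server name (may be "(null)"), a parenthesised connection
# tuple, then "reason: <reason> - <action>" ("-" or an en dash in the guide's samples).
INTERCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \w+ \[SYSTEM\]:(?:<[^>]+> )?"
    r"SSL intercept failed[,.] server (?P<server>\S+) \((?P<conn>[^)]*)\) "
    r"reason: (?P<reason>.+?) [-\u2013] (?P<action>\w+)$"
)
CA_VERIFY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \w+ \[SSL\]:"
    r"SSL Server CA Verification Failed with Host Name: (?P<host>\S+) "
    r"and Destination IP: (?P<ip>\S+)$"
)
# The action suffix is spelled inconsistently across samples; map it to one form.
ACTIONS = {"bypass": "bypass", "bypassed": "bypass", "rejected": "reject", "decrypted": "decrypt"}


def _parse_conn(conn):
    """Connection tuple: either 'ip <addr>' or
    'Src port: N Src IP: A Dst port: M Dst IP: B' (optionally prefixed with 'ip ')."""
    m = re.match(r"^ip (\S+)$", conn)
    if m:
        return {"dst_ip": m.group(1)}
    out = {}
    for key, pat in (("src_port", r"Src port: (\d+)"), ("src_ip", r"Src IP: (\S+)"),
                     ("dst_port", r"Dst port: (\d+)"), ("dst_ip", r"Dst IP: (\S+)")):
        m = re.search(pat, conn)
        if m:
            out[key] = int(m.group(1)) if key.endswith("port") else m.group(1)
    return out


def parse_line(line):
    """Return a dict for an intercept-failure or CA-verification line, else None."""
    m = INTERCEPT_RE.match(line)
    if m:
        action = m.group("action").lower()
        rec = {"kind": "intercept_failed", "timestamp": m.group("ts"),
               "server": m.group("server"), "reason": m.group("reason"),
               "action": ACTIONS.get(action, action)}
        rec.update(_parse_conn(m.group("conn")))
        return rec
    m = CA_VERIFY_RE.match(line)
    if m:
        return {"kind": "ca_verification_failed", "timestamp": m.group("ts"),
                "server": m.group("host"), "dst_ip": m.group("ip")}
    return None


def reason_counts(lines):
    """How often each (reason, action) pair occurs in the given log lines."""
    return Counter((r["reason"], r["action"]) for r in map(parse_line, lines)
                   if r and r["kind"] == "intercept_failed")


def bypassed_destinations(lines):
    """(server, dst_ip) pairs whose sessions went through uninspected (action 'bypass')."""
    return sorted({(r["server"], r.get("dst_ip")) for r in map(parse_line, lines)
                   if r and r["kind"] == "intercept_failed" and r["action"] == "bypass"})


# Sample input re-joined from the log samples printed in this section of the guide.
SAMPLE_LINES = [
    "Nov 10 2016 16:02:03 Info [SYSTEM]:SSL intercept failed. server (null) (Src port: 43461 Src IP: 61.61.61.61 Dst port: 47873 Dst IP: 51.51.51.51) reason: Can't verify Cert - Decrypted",
    "Aug 08 2016 11:44:23 Info [SYSTEM]:<l3v1> SSL intercept failed, server example.com (ip 10.10.10.101) reason: Crypto Error \u2013 bypassed",
    "Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server vast.bp3871200.btrll.com (ip Src port: 53161 Src IP: 172.17.20.242 Dst port: 443 Dst IP: 162.208.20.178) reason: Can't verify Cert - Rejected",
    "Feb 10 2017 18:16:20 Info [SSL]:SSL Server CA Verification Failed with Host Name: vast.bp3871200.btrll.com and Destination IP: 162.208.20.178",
    "Feb 10 2017 18:16:20 Info [SYSTEM]:SSL intercept failed, server (null) (ip Src port: 53018 Src IP: 172.17.1.145 Dst port: 443 Dst IP: 64.4.54.253) reason: Unknown - Bypass",
]

if __name__ == "__main__":
    for (reason, action), n in reason_counts(SAMPLE_LINES).items():
        print("%-20s %-8s %d" % (reason, action, n))
    print("bypassed (uninspected):", bypassed_destinations(SAMPLE_LINES))
```

The "bypass" list is the one to review first: those sessions reached the outside server without decryption, so a recurring entry with reason "Unknown" and a "(null)" server name (no SNI) is worth correlating with the destination IP before deciding whether it belongs on an explicit bypass list.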

CEF Error Logs

A sample CEF error log is as follows; the error code is the cn3 value (labeled "Reason for SSL fatal
alert"), which is 47 in this sample:

Oct 23 2018 11:59:04 Error [SSL]:<ssli_in> vmThSSLi01 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440835|Inspection Failed|5|src=10.5.131.120 dst=72.30.3.61 spt=57008 dpt=443 act=dropped dhost=geo.yahoo.com cs1=SSLi_in_ingress cs1Label=VIP name cs2=https cs2Label=VIP protocol cs6=VALID cs6Label=Certificate Validity status cs7=Client SSL, SSL Fatal Alert cs7Label=Error type cn1=443 cn1Label=VIP port cn2=629 cn2Label=Log ID cn3=47 cn3Label=Reason for SSL fatal alert

The error descriptions are explained here: “SSLi Inspection Failure Event Error Codes” on page 373.

The following is a list of CEF error codes. For more information, refer to:

https://tools.ietf.org/html/rfc5246#appendix-A.3

https://www.ietf.org/rfc/rfc3546.txt

TABLE 8 List of CEF Errors

Error Message Error Code
SSL3_AD_CLOSE_NOTIFY 0
SSL3_AD_UNEXPECTED_MESSAGE 10
SSL3_AD_BAD_RECORD_MAC 20
SSL3_AD_DECOMPRESSION_FAILURE 30
SSL3_AD_HANDSHAKE_FAILURE 40
SSL3_AD_NO_CERTIFICATE 41
SSL3_AD_BAD_CERTIFICATE 42
SSL3_AD_UNSUPPORTED_CERTIFICATE 43
SSL3_AD_CERTIFICATE_REVOKED 44
SSL3_AD_CERTIFICATE_EXPIRED 45
SSL3_AD_CERTIFICATE_UNKNOWN 46
SSL3_AD_ILLEGAL_PARAMETER 47
TLS1_AD_DECRYPTION_FAILED 21
TLS1_AD_RECORD_OVERFLOW 22
TLS1_AD_UNKNOWN_CA 48
TLS1_AD_ACCESS_DENIED 49
TLS1_AD_DECODE_ERROR 50
TLS1_AD_DECRYPT_ERROR 51
TLS1_AD_EXPORT_RESTRICTION 60
TLS1_AD_PROTOCOL_VERSION 70
TLS1_AD_INSUFFICIENT_SECURITY 71
TLS1_AD_INTERNAL_ERROR 80
TLS1_AD_INAPPROPRIATE_FALLBACK 86
TLS1_AD_USER_CANCELLED 90
TLS1_AD_NO_RENEGOTIATION 100
/* codes 110-114 are from RFC3546 */
TLS1_AD_UNSUPPORTED_EXTENSION 110
TLS1_AD_CERTIFICATE_UNOBTAINABLE 112
TLS1_AD_UNRECOGNIZED_NAME 113
TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 114
TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 115
TLS1_AD_UNKNOWN_PSK_IDENTITY 116
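The CEF records shown under "SSLi Logging" and the alert-code table above fit together: the cn3 value labeled "Reason for SSL fatal alert" is one of the codes in Table 8. The following Python is an added example and is not ACOS code or part of this guide. It parses the SSLi CEF lines (syslog prefix, the seven pipe-separated header fields, then the extension), resolves the csN/cnN fields to their csNLabel/cnNLabel names so that records can be queried by label rather than by slot number, decodes the alert code with the Table 8 names, and summarizes failures by error type and by destination host, which is what a SOC needs before deciding whether a repeatedly failing site should be bypassed or investigated. Sample lines are re-joined from the samples printed in this guide; the function names and the summary layout are the example's own.

```python
import re
from collections import Counter

# TLS alert descriptions by code, as listed in Table 8 (RFC 5246 A.3 and RFC 3546).
TLS_ALERT_NAMES = {
    0: "CLOSE_NOTIFY", 10: "UNEXPECTED_MESSAGE", 20: "BAD_RECORD_MAC",
    21: "DECRYPTION_FAILED", 22: "RECORD_OVERFLOW", 30: "DECOMPRESSION_FAILURE",
    40: "HANDSHAKE_FAILURE", 41: "NO_CERTIFICATE", 42: "BAD_CERTIFICATE",
    43: "UNSUPPORTED_CERTIFICATE", 44: "CERTIFICATE_REVOKED", 45: "CERTIFICATE_EXPIRED",
    46: "CERTIFICATE_UNKNOWN", 47: "ILLEGAL_PARAMETER", 48: "UNKNOWN_CA",
    49: "ACCESS_DENIED", 50: "DECODE_ERROR", 51: "DECRYPT_ERROR", 60: "EXPORT_RESTRICTION",
    70: "PROTOCOL_VERSION", 71: "INSUFFICIENT_SECURITY", 80: "INTERNAL_ERROR",
    86: "INAPPROPRIATE_FALLBACK", 90: "USER_CANCELLED", 100: "NO_RENEGOTIATION",
    110: "UNSUPPORTED_EXTENSION", 112: "CERTIFICATE_UNOBTAINABLE", 113: "UNRECOGNIZED_NAME",
    114: "BAD_CERTIFICATE_STATUS_RESPONSE", 115: "BAD_CERTIFICATE_HASH_VALUE",
    116: "UNKNOWN_PSK_IDENTITY",
}

# Syslog prefix ACOS puts in front of the CEF record: timestamp, level, [facility],
# optional <partition>, host name, then "CEF:".
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"\[(?P<facility>\w+)\]:\s*(?:<(?P<partition>[^>]+)>\s*)?(?P<host>\S+) CEF:(?P<cef>.*)$"
)


def parse_extension(ext):
    """Split the CEF extension into key/value pairs. Values may contain spaces
    (e.g. 'cs7=Client SSL, SSL Fatal Alert'), so split only at whitespace that is
    immediately followed by another 'key=' token."""
    pairs = {}
    for token in re.split(r"\s+(?=\w+=)", ext.strip()):
        key, _, value = token.partition("=")
        pairs[key] = value.strip()
    return pairs


def resolve_labels(pairs):
    """Replace csN/cnN keys with their csNLabel/cnNLabel names; cnN values become ints."""
    fields = {}
    for key, value in pairs.items():
        if key.endswith("Label"):
            continue
        label = pairs.get(key + "Label")
        if label and key.startswith("cn") and value.lstrip("-").isdigit():
            value = int(value)
        fields[label or key] = value
    return fields


def parse_ssli_cef(line):
    """Parse one SSLi CEF log line into a dict, or return None if it is not a CEF line."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    parts = m.group("cef").split("|", 7)  # 7 header fields, then the extension
    if len(parts) != 8:
        return None
    fields = resolve_labels(parse_extension(parts[7]))
    code = fields.get("Reason for SSL fatal alert")
    if code is not None:  # decode the Table 8 alert code carried in cn3
        fields["Alert description"] = TLS_ALERT_NAMES.get(code, "UNKNOWN(%s)" % code)
    return {
        "timestamp": m.group("ts"), "level": m.group("level"), "host": m.group("host"),
        "device_version": parts[3], "event_class_id": parts[4], "name": parts[5],
        "severity": int(parts[6]), "fields": fields,
    }


def summarize(lines):
    """Count events by name; for failures, also count by error type (plus decoded alert)
    and by destination host so repeated failures toward one site stand out."""
    by_name, failures, failed_hosts = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_ssli_cef, lines)):
        by_name[rec["name"]] += 1
        if rec["name"] == "Inspection Failed":
            f = rec["fields"]
            key = f.get("Error type", "unknown")
            if "Alert description" in f:
                key += " / " + f["Alert description"]
            failures[key] += 1
            failed_hosts[f.get("dhost", "(null)")] += 1
    return by_name, failures, failed_hosts


# Sample input re-joined from the CEF samples printed in this guide (one line each).
SAMPLE_LOGS = [
    "May 15 2018 21:27:24 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440833|Inspection Successful|6|src=10.105.11.97 dst=10.105.22.94 spt=52214 dpt=443 act=inspected dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs4=AES256-GCM-SHA384 cs4Label=Cipher suite cs6=VALID cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=8 cn2Label=FWD Packets cn3=1769 cn3Label=REV Packets cn4=6 cn4Label=Duration seconds cn5=26 cn5Label=Log ID cn6=962 cn6Label=FWD Bytes Transferred cn7=11 cn7Label=REV Bytes Transferred",
    "Oct 23 2018 11:59:04 Error [SSL]:<ssli_in> vmThSSLi01 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440835|Inspection Failed|5|src=10.5.131.120 dst=72.30.3.61 spt=57008 dpt=443 act=dropped dhost=geo.yahoo.com cs1=SSLi_in_ingress cs1Label=VIP name cs2=https cs2Label=VIP protocol cs6=VALID cs6Label=Certificate Validity status cs7=Client SSL, SSL Fatal Alert cs7Label=Error type cn1=443 cn1Label=VIP port cn2=629 cn2Label=Log ID cn3=47 cn3Label=Reason for SSL fatal alert",
    "May 15 2018 21:24:11 Info [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440834|Inspection Bypassed|6|src=10.105.11.97 dst=172.217.164.110 spt=59644 dpt=443 act=bypassed dhost=google.com cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs5=Search Engines cs5Label=Web Category cs6=UNKNOWN cs6Label=Certificate Validity status cn1=443 cn1Label=VIP port cn2=6 cn2Label=Log ID",
    "May 15 2018 21:25:56 Error [SSL]: ssli99 CEF:0|A10|ADC|4.1.4-P2|SSLi 486706518616440835|Inspection Failed|3|src=10.105.11.97 dst=10.105.22.94 spt=52210 dpt=443 act=dropped dhost=s94 cs1=vs-wildcard-internal cs1Label=VIP name cs2=https cs2Label=VIP protocol cs3=TLSv1.2 cs3Label=SSL version cs6=INVALID cs6Label=Certificate Validity status cs7=CERT Fetch, Validation Error cs7Label=Error type cn1=443 cn1Label=VIP port cn2=2 cn2Label=Log ID",
]

if __name__ == "__main__":
    for title, counts in zip(("events", "failures", "failed hosts"), summarize(SAMPLE_LOGS)):
        print(title, dict(counts))
```

Splitting the extension on whitespace that precedes a `key=` token is what makes label values such as "Certificate Validity status" survive intact; a naive split on spaces would fragment them. Resolving labels also means a parser does not break when a later release moves a value to a different csN slot, as long as its label is unchanged.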

ACOS Event-based Logging


ACOS supports sending SSLi event logs over the ACOS event-based logging infrastructure. This provides
a centralized logging infrastructure in which applications generate and send logs through a common
interface.

Refer to the Event Logging System chapter in the System Configuration and Administration Guide for
instructions on implementing Event-based Logging.

CONTACT US
a10networks.com/contact

ACOS 5.0.0-P1 SSL INSIGHT (SSLI) CONFIGURATION GUIDE 18 MAY 2020
